2 Unix SMB/Netbios implementation.
4 NT Domain Authentication SMB / MSRPC client
5 Copyright (C) Andrew Tridgell 1994-1997
6 Copyright (C) Luke Kenneth Casson Leighton 1996-1998
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
/* File-scope state shared with the rest of the client; all defined elsewhere. */
extern int DEBUGLEVEL;           /* verbosity threshold; presumably read by the DEBUG() macro used below */
extern pstring username;         /* account name handed to make_id_info1 for the SAM logon */
extern pstring smb_login_passwd; /* that account's password; nt_lm_owf_gen hashes it before it goes on the wire */
extern pstring workgroup;        /* passed to make_id_info1 alongside username (domain name, by the call site) */

/* NOTE(review): not referenced anywhere in the visible part of this file; units presumably milliseconds. */
#define CLIENT_TIMEOUT (30*1000)
/****************************************************************************
 experimental nt login: drives \PIPE\lsarpc and \PIPE\NETLOGON end-to-end
 (open/set-state/bind, LSA open policy + query info levels 3 and 5 + close,
 then NETLOGON request challenge, auth2, SAM logon and SAM logoff).

 NOTE(review): this is a protocol exercise, not a hardened logon path:
  - the client challenge is the fixed constant 0x11111111/0x22222222, so the
    client contributes no fresh entropy to the session key that
    cred_session_key derives from it, the server challenge and the machine
    password OWF;
  - mach_pwd is seeded from the hostname (whether the "generate OWF from
    initial machine pwd" path is compiled in is not visible here);
  - the machine password string and its NT OWF are written to the debug log
    at levels 5/6 with no DEBUG_PASSWORD guard, unlike the user hashes;
  - the set-handle-state and bind failure paths appear to free the buffers
    but leave the opened pipe fnum unclosed, unlike the later error paths.
 Treat its log output as sensitive and do not reuse it as-is.
****************************************************************************/
39 BOOL client_do_nt_login(char *desthost, char *myhostname,
47 DOM_CHAL auth2_srv_chal;
49 DOM_CRED sam_logon_clnt_cred;
50 DOM_CRED sam_logon_rtn_cred;
51 DOM_CRED sam_logon_srv_cred;
53 DOM_CRED sam_logoff_clnt_cred;
54 DOM_CRED sam_logoff_rtn_cred;
55 DOM_CRED sam_logoff_srv_cred;
58 LSA_USER_INFO user_info1;
65 char nt_owf_mach_pwd[16];
73 static char abs_data[16];
74 static char trn_data[16];
76 /* received from LSA Query Info Policy, level 5 */
77 fstring level5_domain_name;
78 pstring level5_domain_sid;
80 /* received from LSA Query Info Policy, level 3 */
81 fstring level3_domain_name;
82 pstring level3_domain_sid;
90 inbuf = (char *)malloc(BUFFER_SIZE + SAFETY_MARGIN);
91 outbuf = (char *)malloc(BUFFER_SIZE + SAFETY_MARGIN);
93 if (!inbuf || !outbuf)
95 DEBUG(0,("out of memory\n"));
99 /******************* open the \PIPE\lsarpc file *****************/
101 if ((fnum = rpc_pipe_open(inbuf, outbuf, PIPE_LSARPC, Client, cnum)) == 0xffff)
103 free(inbuf); free(outbuf);
107 /**************** Set Named Pipe State ***************/
108 if (!rpc_pipe_set_hnd_state(PIPE_LSARPC, fnum, 0x4300))
110 free(inbuf); free(outbuf);
114 /******************* bind request on \PIPE\lsarpc *****************/
116 /* create and send a MSRPC command with api LSA_OPENPOLICY */
118 DEBUG(4,("LSA RPC Bind[%x]\n", fnum));
120 for (i = 0; i < sizeof(trn_data); i++)
125 for (i = 0; i < sizeof(abs_data); i++)
130 /* create interface UUIDs. */
131 make_rpc_iface(&abstract, abs_data, 0x0);
132 make_rpc_iface(&transfer, trn_data, 0x2);
134 if (!rpc_pipe_bind(PIPE_LSARPC, fnum, ++call_id, &abstract, &transfer))
136 free(inbuf); free(outbuf);
140 /******************* Open Policy ********************/
142 fstrcpy(server_name, ("\\\\"));
143 fstrcpy(&server_name[2], myhostname);
145 /* send an open policy request; receive a policy handle */
146 if (!do_lsa_open_policy(fnum, ++call_id, server_name, &pol))
148 cli_smb_close(inbuf, outbuf, Client, cnum, fnum);
149 free(inbuf); free(outbuf);
153 /**************** Query Info Policy, level 3 ********************/
155 /* send a query info policy at level 3; receive an info policy */
156 if (!do_lsa_query_info_pol(fnum, ++call_id, &pol, 0x3,
157 level3_domain_name, level3_domain_sid))
159 cli_smb_close(inbuf, outbuf, Client, cnum, fnum);
160 free(inbuf); free(outbuf);
164 /**************** Query Info Policy, level 5 ********************/
166 /* send a query info policy at level 5; receive an info policy */
167 if (!do_lsa_query_info_pol(fnum, ++call_id, &pol, 0x5,
168 level5_domain_name, level5_domain_sid))
170 cli_smb_close(inbuf, outbuf, Client, cnum, fnum);
171 free(inbuf); free(outbuf);
175 /******************* Open Policy ********************/
177 /* send a close policy request; receive a close pol response */
178 if (!do_lsa_close(fnum, ++call_id, &pol))
180 cli_smb_close(inbuf, outbuf, Client, cnum, fnum);
181 free(inbuf); free(outbuf);
185 /******************* close the \PIPE\lsarpc file *******************/
187 cli_smb_close(inbuf, outbuf, Client, cnum, fnum);
191 /******************* open the \PIPE\NETLOGON file *****************/
193 if ((fnum = rpc_pipe_open(inbuf, outbuf, PIPE_NETLOGON, Client, cnum)) == 0xffff)
195 free(inbuf); free(outbuf);
199 /**************** Set Named Pipe State ***************/
200 if (!rpc_pipe_set_hnd_state(PIPE_NETLOGON, fnum, 0x4300))
202 free(inbuf); free(outbuf);
206 /******************* bind request on \PIPE\NETLOGON *****************/
208 if (!rpc_pipe_bind(PIPE_NETLOGON, fnum, ++call_id, &abstract, &transfer))
210 free(inbuf); free(outbuf);
214 /******************* Request Challenge ********************/
216 fstrcpy(mach_acct, myhostname);
219 fstrcpy(mach_pwd , myhostname);
220 fstrcat(mach_acct, "$");
222 SIVAL(clnt_chal.data, 0, 0x11111111);
223 SIVAL(clnt_chal.data, 4, 0x22222222);
225 /* send a client challenge; receive a server challenge */
226 if (!do_lsa_req_chal(fnum, ++call_id, desthost, myhostname, &clnt_chal, &srv_chal))
228 cli_smb_close(inbuf, outbuf, Client, cnum, fnum);
229 free(inbuf); free(outbuf);
233 /************ Long-term Session key (default) **********/
236 /* DAMN! can't get the machine password - need become_root() to do it! */
237 /* get the machine password */
238 if (!get_md4pw(mach_acct, nt_owf_mach_pwd))
240 cli_smb_close(inbuf, outbuf, Client, cnum, fnum);
241 free(inbuf); free(outbuf);
245 DEBUG(5,("got nt owf from smbpasswd entry: %s\n", mach_pwd));
249 char lm_owf_mach_pwd[16];
250 nt_lm_owf_gen(mach_pwd, nt_owf_mach_pwd, lm_owf_mach_pwd);
251 DEBUG(5,("generating nt owf from initial machine pwd: %s\n", mach_pwd));
256 dump_data(6, nt_owf_mach_pwd, 16);
258 /* calculate the session key */
259 cred_session_key(&clnt_chal, &srv_chal, nt_owf_mach_pwd, sess_key);
262 /******************* Authenticate 2 ********************/
264 /* calculate auth-2 credentials */
265 cred_create(sess_key, &clnt_chal, zerotime, &(clnt_cred.challenge));
267 /* send client auth-2 challenge; receive an auth-2 challenge */
268 if (!do_lsa_auth2(fnum, ++call_id, desthost, mach_acct, 2, myhostname,
269 &(clnt_cred.challenge), 0x000001ff, &auth2_srv_chal))
271 cli_smb_close(inbuf, outbuf, Client, cnum, fnum);
272 free(inbuf); free(outbuf);
277 /*********************** SAM Info ***********************/
280 char lm_owf_user_pwd[16];
281 char nt_owf_user_pwd[16];
282 nt_lm_owf_gen(smb_login_passwd, nt_owf_user_pwd, lm_owf_user_pwd);
284 #ifdef DEBUG_PASSWORD
286 DEBUG(100,("nt owf of user password: "));
287 dump_data(100, lm_owf_user_pwd, 16);
289 DEBUG(100,("nt owf of user password: "));
290 dump_data(100, nt_owf_user_pwd, 16);
294 /* this is used in both the SAM Logon and the SAM Logoff */
295 make_id_info1(&id1, workgroup, 0,
297 username, myhostname,
298 sess_key, lm_owf_user_pwd, nt_owf_user_pwd);
301 /*********************** SAM Logon **********************/
303 clnt_cred.timestamp.time = sam_logon_clnt_cred.timestamp.time = time(NULL);
305 /* calculate sam logon credentials, using the auth2 client challenge */
306 cred_create(sess_key, &(clnt_cred.challenge), sam_logon_clnt_cred.timestamp,
307 &(sam_logon_clnt_cred.challenge));
309 /* send client sam-logon challenge; receive a sam-logon challenge */
310 if (!do_lsa_sam_logon(fnum, ++call_id, sess_key, &clnt_cred,
312 &sam_logon_clnt_cred, &sam_logon_rtn_cred,
313 1, 1, &id1, &user_info1,
314 &sam_logon_srv_cred))
316 cli_smb_close(inbuf, outbuf, Client, cnum, fnum);
317 free(inbuf); free(outbuf);
321 /*********************** SAM Logoff *********************/
323 clnt_cred.timestamp.time = sam_logoff_clnt_cred.timestamp.time = time(NULL);
325 /* calculate sam logoff credentials, using the sam logon return challenge */
326 cred_create(sess_key, &(clnt_cred.challenge),
327 sam_logoff_clnt_cred.timestamp,
328 &(sam_logoff_clnt_cred.challenge));
330 /* send client sam-logoff challenge; receive a sam-logoff challenge */
331 if (!do_lsa_sam_logoff(fnum, ++call_id, sess_key, &clnt_cred,
333 &sam_logoff_clnt_cred, &sam_logoff_rtn_cred,
335 &sam_logoff_srv_cred))
337 cli_smb_close(inbuf, outbuf, Client, cnum, fnum);
338 free(inbuf); free(outbuf);
342 /******************** close the \PIPE\NETLOGON file **************/
344 cli_smb_close(inbuf, outbuf, Client, cnum, fnum);
346 /* free memory used in all rpc transactions, above */
347 free(inbuf); free(outbuf);