1 /* 
2    Unix SMB/Netbios implementation.
3    Version 1.9.
4    NT Domain Authentication SMB / MSRPC client
5    Copyright (C) Andrew Tridgell 1994-1997
6    Copyright (C) Luke Kenneth Casson Leighton 1996-1998
7    
8    This program is free software; you can redistribute it and/or modify
9    it under the terms of the GNU General Public License as published by
10    the Free Software Foundation; either version 2 of the License, or
11    (at your option) any later version.
12    
13    This program is distributed in the hope that it will be useful,
14    but WITHOUT ANY WARRANTY; without even the implied warranty of
15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16    GNU General Public License for more details.
17    
18    You should have received a copy of the GNU General Public License
19    along with this program; if not, write to the Free Software
20    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
21 */
22
23 #ifdef SYSLOG
24 #undef SYSLOG
25 #endif
26
27 #include "includes.h"
28
29 extern int DEBUGLEVEL;
30 extern pstring username;
31 extern pstring smb_login_passwd;
32 extern pstring workgroup;
33
34 #define CLIENT_TIMEOUT (30*1000)
35
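/****************************************************************************
experimental nt login.

Drives a complete NETLOGON exchange against desthost over the SMB session
already set up by the caller (Client / cnum are what rpc_pipe_open and
cli_smb_close expect):

  1. \PIPE\lsarpc: bind, open policy, query info policy at levels 3 and 5
     (domain name + SID), close policy.  The results are only received;
     nothing from this step is returned to the caller.
  2. \PIPE\NETLOGON: bind, request-challenge, derive the session key from
     the machine account's NT OWF, authenticate-2, then a SAM logon and a
     SAM logoff for the global `username` / `smb_login_passwd`.

Returns True only when every step succeeded.  Every failure path closes
whichever pipe is open and frees the I/O buffers.

Security notes (review):
  - the machine password is NOT read from the password database (see the
    #if 0 block); the lower-cased host name is used instead, i.e. the
    initial password of a freshly joined machine account;
  - the client challenge is a fixed constant.  That is fine for a protocol
    experiment but a real client must draw it from a CSPRNG;
  - secrets (machine password, OWFs) are only logged when DEBUG_PASSWORD
    is compiled in, and at debug level 100;
  - key material is wiped on exit; plain memset may be optimised away, so a
    platform explicit_bzero()-style call is preferable where available.
****************************************************************************/
BOOL client_do_nt_login(char *desthost, char *myhostname,
                                int Client, int cnum)
{
        DOM_CHAL clnt_chal;            /* our challenge to the server */
        DOM_CHAL srv_chal;             /* the server's challenge to us */

        DOM_CRED clnt_cred;            /* running client credential, passed by address
                                          to each NETLOGON call below */

        DOM_CHAL auth2_srv_chal;

        DOM_CRED sam_logon_clnt_cred;
        DOM_CRED sam_logon_rtn_cred;
        DOM_CRED sam_logon_srv_cred;

        DOM_CRED sam_logoff_clnt_cred;
        DOM_CRED sam_logoff_rtn_cred;
        DOM_CRED sam_logoff_srv_cred;

        DOM_ID_INFO_1 id1;             /* user identity; used by SAM logon and logoff */
        LSA_USER_INFO user_info1;
        LSA_POL_HND pol;
        int i;

        UTIME zerotime;

        /* --- secrets: wiped at "done:" --- */
        uchar sess_key[8];             /* NETLOGON session key */
        char nt_owf_mach_pwd[16];      /* NT OWF of the machine password */
        char lm_owf_mach_pwd[16];      /* LM OWF of the machine password (generated, unused) */
        char lm_owf_user_pwd[16];      /* LM OWF of the user password */
        char nt_owf_user_pwd[16];      /* NT OWF of the user password */
        fstring mach_pwd;              /* initial machine password (lower-cased host name) */

        fstring mach_acct;             /* "<host>$" */
        fstring server_name;           /* "\\<host>" */

        RPC_IFACE abstract;
        RPC_IFACE transfer;

        static char abs_data[16];
        static char trn_data[16];

        /* received from LSA Query Info Policy, level 5 */
        fstring level5_domain_name;
        pstring level5_domain_sid;

        /* received from LSA Query Info Policy, level 3 */
        fstring level3_domain_name;
        pstring level3_domain_sid;

        uint16 fnum = 0xffff;          /* 0xffff: no pipe open (rpc_pipe_open's failure value) */
        uint32 call_id = 0;
        char *inbuf = NULL, *outbuf = NULL;
        BOOL ok = False;

        zerotime.time = 0;

        inbuf  = (char *)malloc(BUFFER_SIZE + SAFETY_MARGIN);
        outbuf = (char *)malloc(BUFFER_SIZE + SAFETY_MARGIN);

        if (!inbuf || !outbuf)
        {
                DEBUG(0,("out of memory\n"));
                goto done;
        }

        /******************* open the \PIPE\lsarpc file *****************/

        fnum = rpc_pipe_open(inbuf, outbuf, PIPE_LSARPC, Client, cnum);
        if (fnum == 0xffff)
        {
                goto done;
        }

        /**************** Set Named Pipe State ***************/

        /* from here on a failure must also close fnum (the original leaked
           the pipe handle on set-state / bind failures) */
        if (!rpc_pipe_set_hnd_state(PIPE_LSARPC, fnum, 0x4300))
        {
                goto done;
        }

        /******************* bind request on \PIPE\lsarpc *****************/

        DEBUG(4,("LSA RPC Bind[%x]\n", fnum));

        /* transfer syntax bytes 0,2,4,...; abstract syntax bytes 0,1,2,... */
        for (i = 0; i < sizeof(trn_data); i++)
        {
                trn_data[i] = 2 * i;
        }

        for (i = 0; i < sizeof(abs_data); i++)
        {
                abs_data[i] = i;
        }

        /* create interface UUIDs.  Reused unchanged for the NETLOGON bind. */
        make_rpc_iface(&abstract, abs_data, 0x0);
        make_rpc_iface(&transfer, trn_data, 0x2);

        if (!rpc_pipe_bind(PIPE_LSARPC, fnum, ++call_id, &abstract, &transfer))
        {
                goto done;
        }

        /******************* Open Policy ********************/

        /* "\\" + host name.  fstrcat bounds the copy by the whole buffer;
           fstrcpy into &server_name[2] did not account for the offset. */
        fstrcpy(server_name, "\\\\");
        fstrcat(server_name, myhostname);

        /* send an open policy request; receive a policy handle */
        if (!do_lsa_open_policy(fnum, ++call_id, server_name, &pol))
        {
                goto done;
        }

        /**************** Query Info Policy, level 3 ********************/

        /* send a query info policy at level 3; receive an info policy */
        if (!do_lsa_query_info_pol(fnum, ++call_id, &pol, 0x3,
                                   level3_domain_name, level3_domain_sid))
        {
                goto done;
        }

        /**************** Query Info Policy, level 5 ********************/

        /* send a query info policy at level 5; receive an info policy */
        if (!do_lsa_query_info_pol(fnum, ++call_id, &pol, 0x5,
                                   level5_domain_name, level5_domain_sid))
        {
                goto done;
        }

        /******************* Close Policy ********************/

        /* send a close policy request; receive a close pol response */
        if (!do_lsa_close(fnum, ++call_id, &pol))
        {
                goto done;
        }

        /******************* close the \PIPE\lsarpc file *******************/

        cli_smb_close(inbuf, outbuf, Client, cnum, fnum);
        fnum = 0xffff;

        /******************* open the \PIPE\NETLOGON file *****************/

        fnum = rpc_pipe_open(inbuf, outbuf, PIPE_NETLOGON, Client, cnum);
        if (fnum == 0xffff)
        {
                goto done;
        }

        /**************** Set Named Pipe State ***************/
        if (!rpc_pipe_set_hnd_state(PIPE_NETLOGON, fnum, 0x4300))
        {
                goto done;
        }

        /******************* bind request on \PIPE\NETLOGON *****************/

        if (!rpc_pipe_bind(PIPE_NETLOGON, fnum, ++call_id, &abstract, &transfer))
        {
                goto done;
        }

        /******************* Request Challenge ********************/

        /* machine account "<host>$"; its initial password is the lower-cased
           host name.  Copy first, then lower-case: the original lower-cased
           mach_pwd before it had been filled in. */
        fstrcpy(mach_acct, myhostname);
        fstrcat(mach_acct, "$");

        fstrcpy(mach_pwd, myhostname);
        strlower(mach_pwd);

        /* NOTE(review): fixed client challenge.  Only the server's challenge
           contributes fresh input to the session key; a real client must
           fill this from a CSPRNG. */
        SIVAL(clnt_chal.data, 0, 0x11111111);
        SIVAL(clnt_chal.data, 4, 0x22222222);

        /* send a client challenge; receive a server challenge */
        if (!do_lsa_req_chal(fnum, ++call_id, desthost, myhostname, &clnt_chal, &srv_chal))
        {
                goto done;
        }

        /************ Long-term Session key (default) **********/

#if 0
        /* DAMN!  can't get the machine password - need become_root() to do it! */
        /* get the machine password */
        if (!get_md4pw(mach_acct, nt_owf_mach_pwd))
        {
                goto done;
        }
#else
        /* derive the NT OWF from the initial machine password instead */
        nt_lm_owf_gen(mach_pwd, nt_owf_mach_pwd, lm_owf_mach_pwd);
#endif

#ifdef DEBUG_PASSWORD
        /* secret material: only with DEBUG_PASSWORD, and only at level 100 */
        DEBUG(100,("generating nt owf from initial machine pwd: %s\n", mach_pwd));
        dump_data(100, nt_owf_mach_pwd, 16);
#endif

        /* calculate the session key */
        cred_session_key(&clnt_chal, &srv_chal, nt_owf_mach_pwd, sess_key);

        /******************* Authenticate 2 ********************/

        /* calculate auth-2 credentials */
        cred_create(sess_key, &clnt_chal, zerotime, &(clnt_cred.challenge));

        /* send client auth-2 challenge; receive an auth-2 challenge */
        if (!do_lsa_auth2(fnum, ++call_id, desthost, mach_acct, 2, myhostname,
                          &(clnt_cred.challenge), 0x000001ff, &auth2_srv_chal))
        {
                goto done;
        }

        /*********************** SAM Info ***********************/

        nt_lm_owf_gen(smb_login_passwd, nt_owf_user_pwd, lm_owf_user_pwd);

#ifdef DEBUG_PASSWORD
        DEBUG(100,("lm owf of user password: "));
        dump_data(100, lm_owf_user_pwd, 16);

        DEBUG(100,("nt owf of user password: "));
        dump_data(100, nt_owf_user_pwd, 16);
#endif

        /* this is used in both the SAM Logon and the SAM Logoff */
        make_id_info1(&id1, workgroup, 0,
                      getuid(), 0,
                      username, myhostname,
                      sess_key, lm_owf_user_pwd, nt_owf_user_pwd);

        /*********************** SAM Logon **********************/

        clnt_cred.timestamp.time = sam_logon_clnt_cred.timestamp.time = time(NULL);

        /* calculate sam logon credentials, using the auth2 client challenge */
        cred_create(sess_key, &(clnt_cred.challenge), sam_logon_clnt_cred.timestamp,
                                          &(sam_logon_clnt_cred.challenge));

        /* send client sam-logon challenge; receive a sam-logon challenge */
        if (!do_lsa_sam_logon(fnum, ++call_id, sess_key, &clnt_cred,
                          desthost, mach_acct,
                          &sam_logon_clnt_cred, &sam_logon_rtn_cred,
                          1, 1, &id1, &user_info1,
                          &sam_logon_srv_cred))
        {
                goto done;
        }

        /*********************** SAM Logoff *********************/

        clnt_cred.timestamp.time = sam_logoff_clnt_cred.timestamp.time = time(NULL);

        /* calculate sam logoff credentials from the current client credential
           (clnt_cred is passed by address to do_lsa_sam_logon above, so it is
           presumably advanced there - TODO confirm) */
        cred_create(sess_key, &(clnt_cred.challenge),
                                sam_logoff_clnt_cred.timestamp,
                              &(sam_logoff_clnt_cred.challenge));

        /* send client sam-logoff challenge; receive a sam-logoff challenge */
        if (!do_lsa_sam_logoff(fnum, ++call_id, sess_key, &clnt_cred,
                          desthost, mach_acct,
                          &sam_logoff_clnt_cred, &sam_logoff_rtn_cred,
                          1, 1, &id1,
                          &sam_logoff_srv_cred))
        {
                goto done;
        }

        ok = True;

done:
        /******************** close whichever pipe is still open **************/

        if (fnum != 0xffff)
        {
                cli_smb_close(inbuf, outbuf, Client, cnum, fnum);
        }

        /* scrub key material before the frames are reused; note a plain
           memset can be optimised away - prefer an explicit_bzero()-style
           call where the platform provides one */
        memset(sess_key, 0, sizeof(sess_key));
        memset(nt_owf_mach_pwd, 0, sizeof(nt_owf_mach_pwd));
        memset(lm_owf_mach_pwd, 0, sizeof(lm_owf_mach_pwd));
        memset(nt_owf_user_pwd, 0, sizeof(nt_owf_user_pwd));
        memset(lm_owf_user_pwd, 0, sizeof(lm_owf_user_pwd));
        memset(mach_pwd, 0, sizeof(mach_pwd));

        /* free memory used in all rpc transactions, above */
        free(inbuf); free(outbuf);

        return ok;
}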