2 Unix SMB/Netbios implementation.
4 NT Domain Authentication SMB / MSRPC client
5 Copyright (C) Andrew Tridgell 1994-1997
6 Copyright (C) Luke Kenneth Casson Leighton 1996-1997
7 Copyright (C) Jeremy Allison 1999.
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 2 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
/* Globals owned by other translation units.  None of the three is
 * referenced by the functions visible in this listing; DEBUGLEVEL is
 * presumably what the DEBUG() macro used below consults - confirm. */
26 extern int DEBUGLEVEL;
27 extern fstring global_myworkgroup;
28 extern pstring global_myname;
30 /****************************************************************************
31 Initialize domain session credentials.
32 ****************************************************************************/
34 BOOL cli_nt_setup_creds(struct cli_state *cli, unsigned char mach_pwd[16])
/*
 * Establish NETLOGON credentials with the DC behind `cli`, using the
 * 16-byte machine account password hash `mach_pwd` as the long-term
 * secret.  On success the derived session key and the client credential
 * are left in cli->sess_key and cli->clnt_cred.challenge for the
 * authenticated calls further down this file to use.
 *
 * The locals clnt_chal, srv_chal and zerotime are declared on lines this
 * listing does not show, as is the early `return` on each failure path;
 * only the message logged there is visible.
 */
41 /******************* Request Challenge ********************/
/* 8-byte client nonce.  It travels in the clear, so its only job is
 * freshness: it must come from a real random source, never a counter. */
43 generate_random_buffer( clnt_chal.data, 8, False);
45 /* send a client challenge; receive a server challenge */
46 if (!cli_net_req_chal(cli, &clnt_chal, &srv_chal))
48 DEBUG(0,("cli_nt_setup_creds: request challenge failed\n"));
52 /**************** Long-term Session key **************/
54 /* calculate the session key */
/* Both challenges plus the machine password hash feed the key. */
55 cred_session_key(&clnt_chal, &srv_chal, (char *)mach_pwd, cli->sess_key);
/* Only the first 8 bytes carry key material: the upper half is forced to
 * zero, so the credential scheme effectively rests on a 64-bit key.  That
 * is a property of the legacy protocol, not something to tune here. */
56 memset((char *)cli->sess_key+8, '\0', 8);
58 /******************* Authenticate 2 ********************/
60 /* calculate auth-2 credentials */
/* zerotime is initialised outside the visible lines - presumably to 0,
 * as its name suggests a zero timestamp for the initial credential. */
62 cred_create(cli->sess_key, &clnt_chal, zerotime, &(cli->clnt_cred.challenge));
65 * Send client auth-2 challenge.
66 * Receive an auth-2 challenge response and check it.
/* SEC_CHAN_WKSTA: authenticate as a workstation account.  0x000001ff is
 * passed as a raw bitmask - presumably the negotiate flags; a named
 * constant would document which capabilities are being asked for.  Per
 * the comment above, cli_net_auth2 is where the server's credential is
 * checked; a mismatch surfaces here only as a failed return. */
69 if (!cli_net_auth2(cli, SEC_CHAN_WKSTA, 0x000001ff, &srv_chal))
71 DEBUG(0,("cli_nt_setup_creds: auth2 challenge failed\n"));
78 /****************************************************************************
80 ****************************************************************************/
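/*
 * Push a new machine account password to the DC.
 *
 * cli                  - session on which cli_nt_setup_creds has already
 *                        established cli->sess_key.
 * new_hashof_mach_pwd  - the 16-byte hash of the new machine password;
 *                        this is the account's new long-term secret.
 *
 * Returns the result of cli_net_srv_pwset (True on success).
 */
BOOL cli_nt_srv_pwset(struct cli_state *cli, unsigned char *new_hashof_mach_pwd)
{
	unsigned char processed_new_pwd[16];
	BOOL ret;

	DEBUG(5,("cli_nt_srv_pwset: %d\n", __LINE__));

	/* Dumping the new secret is only acceptable in a build that has
	 * opted in with DEBUG_PASSWORD, and then at the same level (100) the
	 * other password dumps in this file use - level 6 is reachable by
	 * ordinary logging. */
#ifdef DEBUG_PASSWORD
	dump_data(100, (char *)new_hashof_mach_pwd, 16);
#endif

	/* Process the new password: cred_hash3 transforms it under the
	 * session key; the last argument selects the direction (presumably
	 * 1 = forward/encrypt - confirm against cred_hash3). */
	cred_hash3( processed_new_pwd, new_hashof_mach_pwd, cli->sess_key, 1);

	/* send client srv_pwset challenge */
	ret = cli_net_srv_pwset(cli, processed_new_pwd);

	/* The processed copy is password-equivalent to anyone holding the
	 * session key; don't leave it lying on the stack after the call. */
	memset(processed_new_pwd, '\0', sizeof(processed_new_pwd));

	return ret;
}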
99 /****************************************************************************
100 NT login - interactive.
101 *NEVER* use this code. This method of doing a logon (sending the cleartext
102 password equivalents, protected by the session key) is inherently insecure
103 given the current design of the NT Domain system. JRA.
104 ****************************************************************************/
105 BOOL cli_nt_login_interactive(struct cli_state *cli, char *domain, char *username,
106 uint32 smb_userid_low, char *password,
107 NET_ID_INFO_CTR *ctr, NET_USER_INFO_3 *user_info3)
/*
 * Interactive (INTERACTIVE_LOGON_TYPE) SAM logon: hashes the cleartext
 * `password` into its LM and NT one-way functions and ships those hashes
 * to the DC inside ctr->auth.id1, protected only by the session key (see
 * the warning in the header comment above).  The verdict of
 * cli_net_sam_logon is stored in `ret`; its declaration and the final
 * `return ret;` fall outside the lines this listing shows.  On success
 * the DC's answer is written to *user_info3.
 *
 * smb_userid_low is not used on any visible line; presumably it is
 * passed on a line of the init_id_info1 call that the listing omits.
 */
109 uchar lm_owf_user_pwd[16];
110 uchar nt_owf_user_pwd[16];
113 DEBUG(5,("cli_nt_login_interactive: %d\n", __LINE__));
/* Both password equivalents are derived here; from this point on the two
 * 16-byte buffers are exactly as sensitive as the password itself. */
115 nt_lm_owf_gen(password, nt_owf_user_pwd, lm_owf_user_pwd);
117 #ifdef DEBUG_PASSWORD
/* NOTE(review): this label says "nt owf" but the buffer dumped right
 * below it is the LM hash; it should read "lm owf of user password: ". */
119 DEBUG(100,("nt owf of user password: "));
120 dump_data(100, (char *)lm_owf_user_pwd, 16);
122 DEBUG(100,("nt owf of user password: "));
123 dump_data(100, (char *)nt_owf_user_pwd, 16);
127 DEBUG(5,("cli_nt_login_interactive: %d\n", __LINE__));
129 /* indicate an "interactive" login */
130 ctr->switch_value = INTERACTIVE_LOGON_TYPE;
132 /* Create the structure needed for SAM logon. */
/* cli->sess_key is handed to init_id_info1 together with both hashes -
 * presumably so it can protect them for the wire, as the header comment
 * describes; the copies that actually go out live in ctr->auth.id1. */
133 init_id_info1(&ctr->auth.id1, domain, 0,
135 username, cli->clnt_name_slash,
136 (char *)cli->sess_key, lm_owf_user_pwd, nt_owf_user_pwd);
138 /* Ensure we overwrite all the plaintext password
/* The locals are scrubbed as soon as they have been consumed.  A plain
 * memset of a local that is about to die may be dropped by an optimising
 * compiler, so treat this as best effort unless an explicit-zeroing
 * primitive is available. */
140 memset(lm_owf_user_pwd, '\0', sizeof(lm_owf_user_pwd));
141 memset(nt_owf_user_pwd, '\0', sizeof(nt_owf_user_pwd));
143 /* Send client sam-logon request - update credentials on success. */
144 ret = cli_net_sam_logon(cli, ctr, user_info3);
/* Scrub the copies in id1 too, whether or not the logon succeeded.  The
 * 16-byte local sizes are used for id1's buffers - this assumes
 * lm_owf.data and nt_owf.data are also 16 bytes; confirm. */
146 memset(ctr->auth.id1.lm_owf.data, '\0', sizeof(lm_owf_user_pwd));
147 memset(ctr->auth.id1.nt_owf.data, '\0', sizeof(nt_owf_user_pwd));
152 /****************************************************************************
154 *ALWAYS* use this call to validate a user as it does not expose plaintext
155 password equivalents over the network. JRA.
156 ****************************************************************************/
158 BOOL cli_nt_login_network(struct cli_state *cli, char *domain, char *username,
159 uint32 smb_userid_low, char lm_chal[8],
160 char *lm_chal_resp, char *nt_chal_resp,
161 NET_ID_INFO_CTR *ctr, NET_USER_INFO_3 *user_info3)
/*
 * Network (NET_LOGON_TYPE) SAM logon.  The caller has already run the
 * challenge/response exchange with the client, so only the 8-byte
 * challenge `lm_chal` and the two responses are forwarded to the DC - no
 * password hash exists on this side, which is why the header comment
 * prefers this over the interactive variant.  Returns
 * cli_net_sam_logon's verdict; *user_info3 receives the DC's answer on
 * success.
 *
 * The two responses are passed as bare pointers with no length, so
 * init_id_info2 must assume fixed sizes - confirm against its definition
 * before passing anything that was not produced by the matching code.
 * smb_userid_low is not used on any visible line; presumably it is passed
 * on a line of the init_id_info2 call that this listing omits.
 */
163 DEBUG(5,("cli_nt_login_network: %d\n", __LINE__));
165 /* indicate a "network" login */
166 ctr->switch_value = NET_LOGON_TYPE;
168 /* Create the structure needed for SAM logon. */
/* Unlike the id1 path, no session key is handed over here - presumably
 * because the responses are already challenge-bound and need no further
 * protection in the payload. */
169 init_id_info2(&ctr->auth.id2, domain, 0,
171 username, cli->clnt_name_slash,
172 (uchar *)lm_chal, (uchar *)lm_chal_resp, (uchar *)nt_chal_resp);
174 /* Send client sam-logon request - update credentials on success. */
175 return cli_net_sam_logon(cli, ctr, user_info3);
178 /****************************************************************************
180 ****************************************************************************/
/*
 * Issue a SAM logoff for the session described by `ctr` over `cli` and
 * hand back the transport's verdict.  Credential bookkeeping is done by
 * cli_net_sam_logoff itself on success.
 */
BOOL cli_nt_logoff(struct cli_state *cli, NET_ID_INFO_CTR *ctr)
{
	BOOL ok;

	DEBUG(5,("cli_nt_logoff: %d\n", __LINE__));

	/* Send client sam-logoff request - update credentials on success. */
	ok = cli_net_sam_logoff(cli, ctr);

	return ok;
}