2 Unix SMB/Netbios implementation.
4 NT Domain Authentication SMB / MSRPC client
5 Copyright (C) Andrew Tridgell 1994-1997
6 Copyright (C) Luke Kenneth Casson Leighton 1996-1997
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
31 extern int DEBUGLEVEL;
35 extern struct cli_state *smb_cli;
40 /****************************************************************************
42 ****************************************************************************/
43 void cmd_sam_ntchange_pwd(struct client_info *info)
/* Change the NT password of the user the client is currently logged in as
 * (smb_cli->user_name) through the SAMR pipe.
 * NOTE(review): this listing skips runs of the original source (the local
 * declarations of sid, domain, srv_name, res, new_passwd and the hash
 * buffers, all braces, and the if/else around the final two fprintf calls),
 * so `res` is read below before any visible assignment. */
59 sid_to_string(sid, &info->dom.level5_sid);
60 fstrcpy(domain, info->dom.level5_dom);
/* Build the UNC server name "\\host" from the destination host. */
62 fstrcpy(srv_name, "\\\\");
63 fstrcat(srv_name, info->dest_host);
66 fprintf(out_hnd, "SAM NT Password Change\n");
/* The new password is prompted for twice: once via pwd_read() into new_pwd,
 * which no later visible line uses, and once via getpass(), whose result is
 * what every hash below is derived from. */
69 struct pwd_info new_pwd;
70 pwd_read(&new_pwd, "New Password (ONCE: this is test code!):", True);
/* getpass() returns a pointer to a static, reused buffer, so new_passwd is a
 * plaintext copy of the new password; no visible line clears new_pwd,
 * new_passwd or the hash buffers once the request has been sent. */
72 new_passwd = (char*)getpass("New Password (ONCE ONLY - get it right :-)");
/* Derive the LM/NT one-way hashes of the new password, fetch the cached
 * LM/NT hashes of the current password, then build the encrypted
 * new-password blobs and the old-hash verifiers carried by the request. */
74 nt_lm_owf_gen(new_passwd, lm_newhash, nt_newhash);
75 pwd_get_lm_nt_16(&(smb_cli->pwd), lm_oldhash, nt_oldhash );
76 make_oem_passwd_hash(nt_newpass, new_passwd, nt_oldhash, True);
77 make_oem_passwd_hash(lm_newpass, new_passwd, lm_oldhash, True);
78 E_old_pw_hash(lm_newhash, lm_oldhash, lm_hshhash);
/* NOTE(review): the NT verifier is keyed with lm_newhash, unlike the
 * symmetric LM line just above; nt_newhash is produced on line 74 and is
 * otherwise unused here, so this looks like it should be nt_newhash --
 * confirm against the verifier the server expects. */
79 E_old_pw_hash(lm_newhash, nt_oldhash, nt_hshhash);
/* Request signing and sealing (plus the other NTLMSSP bits, two of which
 * are known only by value) for the pipe.  Whether the session actually ends
 * up protected is decided inside the negotiation, which is not visible. */
81 cli_nt_set_ntlmssp_flgs(smb_cli,
82 NTLMSSP_NEGOTIATE_UNICODE |
83 NTLMSSP_NEGOTIATE_OEM |
84 NTLMSSP_NEGOTIATE_SIGN |
85 NTLMSSP_NEGOTIATE_SEAL |
86 NTLMSSP_NEGOTIATE_LM_KEY |
87 NTLMSSP_NEGOTIATE_NTLM |
88 NTLMSSP_NEGOTIATE_ALWAYS_SIGN |
89 NTLMSSP_NEGOTIATE_00001000 |
90 NTLMSSP_NEGOTIATE_00002000);
/* Each SAMR step is skipped once any earlier step has failed. */
92 /* open SAMR session. */
93 res = res ? cli_nt_session_open(smb_cli, PIPE_SAMR) : False;
95 /* fetch the domain password info. */
96 res = res ? do_samr_get_dom_pwinfo(smb_cli, srv_name) : False;
98 /* send the password change request for the logged-in user. */
99 res = res ? do_samr_chgpasswd_user(smb_cli,
100 srv_name, smb_cli->user_name,
101 nt_newpass, nt_hshhash,
102 lm_newpass, lm_hshhash) : False;
103 /* close the session */
104 cli_nt_session_close(smb_cli);
/* Presumably the two branches of an if/else on res (not on the page). */
108 fprintf(out_hnd, "NT Password changed OK\n");
112 fprintf(out_hnd, "NT Password change FAILED\n");
117 /****************************************************************************
118 experimental SAM encrypted rpc test connection
119 ****************************************************************************/
120 void cmd_sam_test(struct client_info *info)
/* Open the SAMR pipe with signing/sealing requested and issue a single
 * domain password-info query, as a connection smoke test.
 * NOTE(review): the listing skips the local declarations, all braces, the
 * early return that presumably follows the 'lsaquery' message and the
 * if/else around the two DEBUG lines; `res` has no visible initializer. */
127 sid_to_string(sid, &info->dom.level5_sid);
128 fstrcpy(domain, info->dom.level5_dom);
/* Refuse to run until lsaquery has filled in the domain SID. */
131 if (strlen(sid) == 0)
133 fprintf(out_hnd, "please use 'lsaquery' first, to ascertain the SID\n");
/* Build the UNC server name "\\host". */
137 fstrcpy(srv_name, "\\\\");
138 fstrcat(srv_name, info->dest_host);
141 fprintf(out_hnd, "SAM Encryption Test\n");
/* Same NTLMSSP flag set as cmd_sam_ntchange_pwd, including SIGN and SEAL;
 * the outcome of the negotiation is not visible here. */
143 cli_nt_set_ntlmssp_flgs(smb_cli,
144 NTLMSSP_NEGOTIATE_UNICODE |
145 NTLMSSP_NEGOTIATE_OEM |
146 NTLMSSP_NEGOTIATE_SIGN |
147 NTLMSSP_NEGOTIATE_SEAL |
148 NTLMSSP_NEGOTIATE_LM_KEY |
149 NTLMSSP_NEGOTIATE_NTLM |
150 NTLMSSP_NEGOTIATE_ALWAYS_SIGN |
151 NTLMSSP_NEGOTIATE_00001000 |
152 NTLMSSP_NEGOTIATE_00002000);
154 /* open SAMR session. */
155 res = res ? cli_nt_session_open(smb_cli, PIPE_SAMR) : False;
157 /* fetch the domain password info over the freshly opened pipe. */
158 res = res ? do_samr_get_dom_pwinfo(smb_cli, srv_name) : False;
160 /* close the session */
161 cli_nt_session_close(smb_cli);
/* The result is reported at debug level 5 only; sid and domain are not
 * used past the SID check in the visible lines. */
165 DEBUG(5,("cmd_sam_test: succeeded\n"));
169 DEBUG(5,("cmd_sam_test: failed\n"));
174 /****************************************************************************
175 experimental SAM users enum.
176 ****************************************************************************/
177 void cmd_sam_enum_users(struct client_info *info)
/* Enumerate the users of the domain whose SID lsaquery stored in
 * info->dom.level5_sid and, on request, query each user's info (-u) and
 * group RIDs (-g).  Argument order as parsed below:
 *   [-u] [-g] [num_entries] [unk_0] [acb_mask] [unk_1]   (hex values)
 * NOTE(review): the listing skips original lines -- the declarations of
 * sid, domain, srv_name, sid1, tmp, res, unk_0, acb_mask, unk_1, user_idx
 * and num_groups, all braces, the early return after the 'lsaquery'
 * message, the user_idx increment inside the loop, the body of the
 * info->dom.sam != NULL block and the if/else around the DEBUG lines. */
185 BOOL request_user_info = False;
186 BOOL request_group_info = False;
187 uint16 num_entries = 0;
/* Passed as the third argument of do_samr_open_domain below.  The author
 * did not know its meaning; treat it as an opaque value (it may well be an
 * access mask, but nothing in this file establishes that). */
191 uint32 admin_rid = 0x304; /* absolutely no idea. */
194 sid_to_string(sid, &info->dom.level5_sid);
195 fstrcpy(domain, info->dom.level5_dom);
/* Refuse to run until lsaquery has filled in the domain SID. */
197 if (strlen(sid) == 0)
199 fprintf(out_hnd, "please use 'lsaquery' first, to ascertain the SID\n");
203 init_dom_sid(&sid1, sid);
/* Build the UNC server name "\\host". */
205 fstrcpy(srv_name, "\\\\");
206 fstrcat(srv_name, info->dest_host);
/* Up to two leading option tokens, "-u" and/or "-g" in either order.
 * next_token() with a NULL source continues the tokenization begun by the
 * command dispatcher (not visible here). */
209 /* a bad way to do token parsing... */
210 if (next_token(NULL, tmp, NULL, sizeof(tmp)))
212 request_user_info |= strequal(tmp, "-u");
213 request_group_info |= strequal(tmp, "-g");
216 if (next_token(NULL, tmp, NULL, sizeof(tmp)))
218 request_user_info |= strequal(tmp, "-u");
219 request_group_info |= strequal(tmp, "-g");
/* Optional numeric arguments: parsed as hex with no error check and
 * truncated to 16 bits, so a non-numeric token silently becomes 0.  Only
 * num_entries has a visible initializer; when a token is absent the other
 * three keep whatever their (not visible) declarations gave them. */
223 if (next_token(NULL, tmp, NULL, sizeof(tmp)))
225 num_entries = (uint16)strtol(tmp, (char**)NULL, 16);
228 if (next_token(NULL, tmp, NULL, sizeof(tmp)))
230 unk_0 = (uint16)strtol(tmp, (char**)NULL, 16);
233 if (next_token(NULL, tmp, NULL, sizeof(tmp)))
235 acb_mask = (uint16)strtol(tmp, (char**)NULL, 16);
238 if (next_token(NULL, tmp, NULL, sizeof(tmp)))
240 unk_1 = (uint16)strtol(tmp, (char**)NULL, 16);
244 fprintf(out_hnd, "SAM Enumerate Users\n");
245 fprintf(out_hnd, "From: %s To: %s Domain: %s SID: %s\n",
246 info->myhostname, srv_name, domain, sid);
249 DEBUG(5,("Number of entries:%d unk_0:%04x acb_mask:%04x unk_1:%04x\n",
250 num_entries, unk_0, acb_mask, unk_1));
/* SAMR call chain: connect -> open domain -> enumerate.  Each step is
 * skipped once any earlier step has failed. */
253 /* open SAMR session. negotiate credentials */
254 res = res ? cli_nt_session_open(smb_cli, PIPE_SAMR) : False;
256 /* establish a connection. */
257 res = res ? do_samr_connect(smb_cli,
258 srv_name, 0x00000020,
259 &info->dom.samr_pol_connect) : False;
261 /* connect to the domain */
262 res = res ? do_samr_open_domain(smb_cli,
263 &info->dom.samr_pol_connect, admin_rid, &sid1,
264 &info->dom.samr_pol_open_domain) : False;
/* Results land in info->dom.sam / info->dom.num_sam_entries, which other
 * SAM commands in this file read back later. */
266 /* read some users */
267 res = res ? do_samr_enum_dom_users(smb_cli,
268 &info->dom.samr_pol_open_domain,
269 num_entries, unk_0, acb_mask, unk_1, 0xffff,
270 &info->dom.sam, &info->dom.num_sam_entries) : False;
272 if (res && info->dom.num_sam_entries == 0)
274 fprintf(out_hnd, "No users\n");
277 if (request_user_info || request_group_info)
279 /* query all the users */
/* user_idx's declaration and its increment at the end of the loop body are
 * among the lines missing from this listing. */
282 while (res && user_idx < info->dom.num_sam_entries)
284 uint32 user_rid = info->dom.sam[user_idx].smb_userid;
285 SAM_USER_INFO_21 usr;
/* Original line 288 (the argument for %8x) is not on the page. */
287 fprintf(out_hnd, "User RID: %8x User Name: %s\n",
289 info->dom.sam[user_idx].acct_name);
291 if (request_user_info)
293 /* send user info query, level 0x15 */
294 if (get_samr_query_userinfo(smb_cli,
295 &info->dom.samr_pol_open_domain,
296 0x15, user_rid, &usr))
298 display_sam_user_info_21(out_hnd, ACTION_HEADER , &usr);
299 display_sam_user_info_21(out_hnd, ACTION_ENUMERATE, &usr);
300 display_sam_user_info_21(out_hnd, ACTION_FOOTER , &usr);
304 if (request_group_info)
/* Fixed-size stack array; keeping num_groups within LSA_MAX_GROUPS is left
 * to get_samr_query_usergroups -- no check is visible here. */
307 DOM_GID gid[LSA_MAX_GROUPS];
309 /* send user group query */
310 if (get_samr_query_usergroups(smb_cli,
311 &info->dom.samr_pol_open_domain,
312 user_rid, &num_groups, gid))
314 display_group_rid_info(out_hnd, ACTION_HEADER , num_groups, gid);
315 display_group_rid_info(out_hnd, ACTION_ENUMERATE, num_groups, gid);
316 display_group_rid_info(out_hnd, ACTION_FOOTER , num_groups, gid);
/* Handles are closed innermost-first (domain, then connect).
 * cmd_sam_query_user and cmd_sam_query_groups do it the other way round. */
324 res = res ? do_samr_close(smb_cli,
325 &info->dom.samr_pol_open_domain) : False;
327 res = res ? do_samr_close(smb_cli,
328 &info->dom.samr_pol_connect) : False;
330 /* close the session */
331 cli_nt_session_close(smb_cli);
/* The body of this block (presumably releasing info->dom.sam) is not on
 * the page. */
333 if (info->dom.sam != NULL)
340 DEBUG(5,("cmd_sam_enum_users: succeeded\n"));
344 DEBUG(5,("cmd_sam_enum_users: failed\n"));
349 /****************************************************************************
350 experimental SAM user query.
351 ****************************************************************************/
352 void cmd_sam_query_user(struct client_info *info)
/* Query a single user by RID: "<rid hex> <info level dec>".  Only info
 * level 0x15 is displayed; any other level is fetched and then discarded.
 * NOTE(review): the declarations of sid, domain, srv_name, sid1, rid_str,
 * info_str, res and user_rid, all braces, the early return after the
 * 'lsaquery' message and the if/else around the DEBUG lines are not on
 * the page. */
358 int user_idx = 0; /* FIXME maybe ... */
360 uint32 admin_rid = 0x304; /* absolutely no idea. */
364 uint32 info_level = 0x15;
366 SAM_USER_INFO_21 usr;
368 sid_to_string(sid, &info->dom.level5_sid);
369 fstrcpy(domain, info->dom.level5_dom);
/* Refuse to run until lsaquery has filled in the domain SID. */
371 if (strlen(sid) == 0)
373 fprintf(out_hnd, "please use 'lsaquery' first, to ascertain the SID\n");
377 init_dom_sid(&sid1, sid);
/* Build the UNC server name "\\host". */
379 fstrcpy(srv_name, "\\\\");
380 fstrcat(srv_name, info->dest_host);
/* Both tokens are required for either to take effect.  strtol is unchecked,
 * so a malformed argument yields RID 0 / level 0; when the tokens are
 * absent user_rid keeps its (not visible) initial value. */
383 if (next_token(NULL, rid_str , NULL, sizeof(rid_str )) &&
384 next_token(NULL, info_str, NULL, sizeof(info_str)))
386 user_rid = (uint32)strtol(rid_str , (char**)NULL, 16);
387 info_level = (uint32)strtol(info_str, (char**)NULL, 10);
390 fprintf(out_hnd, "SAM Query User: rid %x info level %d\n",
391 user_rid, info_level);
392 fprintf(out_hnd, "From: %s To: %s Domain: %s SID: %s\n",
393 info->myhostname, srv_name, domain, sid);
/* SAMR call chain; each step is skipped once an earlier one has failed. */
395 /* open SAMR session. negotiate credentials */
396 res = res ? cli_nt_session_open(smb_cli, PIPE_SAMR) : False;
398 /* establish a connection. */
399 res = res ? do_samr_connect(smb_cli,
400 srv_name, 0x00000020,
401 &info->dom.samr_pol_connect) : False;
403 /* connect to the domain */
404 res = res ? do_samr_open_domain(smb_cli,
405 &info->dom.samr_pol_connect, admin_rid, &sid1,
406 &info->dom.samr_pol_open_domain) : False;
/* NOTE(review): info->dom.sam[0] is read with no NULL check, and the name
 * printed is whatever a previous enumeration left in info->dom.sam -- it is
 * not looked up by user_rid.  cmd_sam_enum_users tests info->dom.sam !=
 * NULL, so a NULL dereference looks possible when this command runs first.
 * Original line 409 (the argument for %8x) is not on the page. */
408 fprintf(out_hnd, "User RID: %8x User Name: %s\n",
410 info->dom.sam[user_idx].acct_name);
412 /* send user info query, level */
413 if (get_samr_query_userinfo(smb_cli,
414 &info->dom.samr_pol_open_domain,
415 info_level, user_rid, &usr))
/* usr is only meaningful as a SAM_USER_INFO_21 for level 0x15. */
417 if (info_level == 0x15)
419 display_sam_user_info_21(out_hnd, ACTION_HEADER , &usr);
420 display_sam_user_info_21(out_hnd, ACTION_ENUMERATE, &usr);
421 display_sam_user_info_21(out_hnd, ACTION_FOOTER , &usr);
/* NOTE(review): the connect handle is closed before the domain handle that
 * was opened under it -- the reverse of cmd_sam_enum_users. */
425 res = res ? do_samr_close(smb_cli,
426 &info->dom.samr_pol_connect) : False;
428 res = res ? do_samr_close(smb_cli,
429 &info->dom.samr_pol_open_domain) : False;
431 /* close the session */
432 cli_nt_session_close(smb_cli);
436 DEBUG(5,("cmd_sam_query_user: succeeded\n"));
440 DEBUG(5,("cmd_sam_query_user: failed\n"));
445 /****************************************************************************
446 experimental SAM groups query.
447 ****************************************************************************/
448 void cmd_sam_query_groups(struct client_info *info)
/* Issue a SAMR domain-info query (opnum 0x8) at an optional info level,
 * default 2.  Despite the name, nothing group-specific is displayed by the
 * visible lines; the result handling is inside do_samr_query_dom_info.
 * NOTE(review): the declarations of sid, domain, srv_name, sid1, info_str
 * and res, all braces, the early return after the 'lsaquery' message and
 * the if/else around the DEBUG lines are not on the page. */
456 uint32 switch_value = 2;
457 uint32 admin_rid = 0x304; /* absolutely no idea. */
459 sid_to_string(sid, &info->dom.level5_sid);
460 fstrcpy(domain, info->dom.level5_dom);
/* Refuse to run until lsaquery has filled in the domain SID. */
462 if (strlen(sid) == 0)
464 fprintf(out_hnd, "please use 'lsaquery' first, to ascertain the SID\n");
468 init_dom_sid(&sid1, sid);
/* Build the UNC server name "\\host". */
470 fstrcpy(srv_name, "\\\\");
471 fstrcat(srv_name, info->dest_host);
/* Optional decimal info level; unchecked strtol, so a non-numeric token
 * silently selects level 0. */
474 if (next_token(NULL, info_str, NULL, sizeof(info_str)))
476 switch_value = (uint32)strtol(info_str, (char**)NULL, 10);
479 fprintf(out_hnd, "SAM Query Groups: info level %d\n", switch_value);
480 fprintf(out_hnd, "From: %s To: %s Domain: %s SID: %s\n",
481 info->myhostname, srv_name, domain, sid);
/* SAMR call chain; each step is skipped once an earlier one has failed. */
483 /* open SAMR session. negotiate credentials */
484 res = res ? cli_nt_session_open(smb_cli, PIPE_SAMR) : False;
486 /* establish a connection. */
487 res = res ? do_samr_connect(smb_cli,
488 srv_name, 0x00000020,
489 &info->dom.samr_pol_connect) : False;
491 /* connect to the domain */
492 res = res ? do_samr_open_domain(smb_cli,
493 &info->dom.samr_pol_connect, admin_rid, &sid1,
494 &info->dom.samr_pol_open_domain) : False;
496 /* send a samr 0x8 command */
497 res = res ? do_samr_query_dom_info(smb_cli,
498 &info->dom.samr_pol_open_domain, switch_value) : False;
/* Connect handle closed before the domain handle, as in cmd_sam_query_user
 * (cmd_sam_enum_users closes them in the opposite order). */
500 res = res ? do_samr_close(smb_cli,
501 &info->dom.samr_pol_connect) : False;
503 res = res ? do_samr_close(smb_cli,
504 &info->dom.samr_pol_open_domain) : False;
506 /* close the session */
507 cli_nt_session_close(smb_cli);
511 DEBUG(5,("cmd_sam_query_groups: succeeded\n"));
515 DEBUG(5,("cmd_sam_query_groups: failed\n"));
520 /****************************************************************************
521 experimental SAM aliases query.
522 ****************************************************************************/
523 void cmd_sam_enum_aliases(struct client_info *info)
/* Look up the names of three well-known alias RIDs, then enumerate users
 * and, on request, query each user's info (-u) and alias membership (-g).
 * Largely a copy of cmd_sam_enum_users; see the NOTEs below for where the
 * two have drifted apart.
 * NOTE(review): the declarations of sid, domain, srv_name, sid1, tmp, res,
 * user_idx, num_entries, unk_0, acb_mask and unk_1, all braces, the early
 * return after the 'lsaquery' message, the user_idx increment, the if
 * guarding the display_alias_name_info calls and the if/else around the
 * DEBUG lines are not on the page. */
530 BOOL request_user_info = False;
531 BOOL request_alias_info = False;
532 uint32 admin_rid = 0x304; /* absolutely no idea. */
/* Fixed three-entry tables for the RID lookup below; num_aliases is both
 * the input count and, via &num_aliases, the output count of that call. */
535 uint32 num_aliases = 3;
536 uint32 alias_rid[3] = { DOMAIN_GROUP_RID_ADMINS, DOMAIN_GROUP_RID_USERS, DOMAIN_GROUP_RID_GUESTS };
537 fstring alias_names [3];
538 uint32 num_als_usrs[3];
/* Unlike the other commands this reads the level3 SID/domain, and then
 * NOTE(review): immediately overwrites sid with a hard-coded "S-1-5-20",
 * so the strlen(sid) == 0 check below can never fire and the SID the
 * lsaquery message refers to is never actually used; domain still comes
 * from level3_dom. */
540 sid_to_string(sid, &info->dom.level3_sid);
541 fstrcpy(domain, info->dom.level3_dom);
543 fstrcpy(sid , "S-1-5-20");
545 if (strlen(sid) == 0)
547 fprintf(out_hnd, "please use 'lsaquery' first, to ascertain the SID\n");
551 init_dom_sid(&sid1, sid);
/* Build the UNC server name "\\host". */
553 fstrcpy(srv_name, "\\\\");
554 fstrcat(srv_name, info->dest_host);
/* Up to two leading option tokens, "-u" and/or "-g" in either order. */
557 /* a bad way to do token parsing... */
558 if (next_token(NULL, tmp, NULL, sizeof(tmp)))
560 request_user_info |= strequal(tmp, "-u");
561 request_alias_info |= strequal(tmp, "-g");
564 if (next_token(NULL, tmp, NULL, sizeof(tmp)))
566 request_user_info |= strequal(tmp, "-u");
567 request_alias_info |= strequal(tmp, "-g");
570 fprintf(out_hnd, "SAM Enumerate Aliases\n");
571 fprintf(out_hnd, "From: %s To: %s Domain: %s SID: %s\n",
572 info->myhostname, srv_name, domain, sid);
/* SAMR call chain; each step is skipped once an earlier one has failed. */
574 /* open SAMR session. negotiate credentials */
575 res = res ? cli_nt_session_open(smb_cli, PIPE_SAMR) : False;
577 /* establish a connection. */
578 res = res ? do_samr_connect(smb_cli,
579 srv_name, 0x00000020,
580 &info->dom.samr_pol_connect) : False;
582 /* connect to the domain */
583 res = res ? do_samr_open_domain(smb_cli,
584 &info->dom.samr_pol_connect, admin_rid, &sid1,
585 &info->dom.samr_pol_open_domain) : False;
/* Resolve the three alias RIDs to names/member counts.  The output arrays
 * hold exactly 3 entries; keeping the returned count within that bound is
 * left to do_samr_query_lookup_rids -- no check is visible here. */
587 /* send a query on the aliases */
588 res = res ? do_samr_query_lookup_rids(smb_cli,
589 &info->dom.samr_pol_open_domain, admin_rid, num_aliases, alias_rid,
590 &num_aliases, alias_names, num_als_usrs) : False;
/* Presumably guarded by an if (res) that is not on the page. */
594 display_alias_name_info(out_hnd, ACTION_HEADER , num_aliases, alias_names, num_als_usrs);
595 display_alias_name_info(out_hnd, ACTION_ENUMERATE, num_aliases, alias_names, num_als_usrs);
596 display_alias_name_info(out_hnd, ACTION_FOOTER , num_aliases, alias_names, num_als_usrs);
/* NOTE(review): num_entries, unk_0, acb_mask and unk_1 have no visible
 * declaration or initializer in this function (cmd_sam_enum_users parses
 * them from the command line), and info->dom.sam is passed here without
 * the & that cmd_sam_enum_users uses for the same parameter -- one of the
 * two call sites presumably does not match the prototype. */
601 /* read some users */
602 res = res ? do_samr_enum_dom_users(smb_cli,
603 &info->dom.samr_pol_open_domain,
604 num_entries, unk_0, acb_mask, unk_1, 0xffff,
605 info->dom.sam, &info->dom.num_sam_entries) : False;
607 if (res && info->dom.num_sam_entries == 0)
609 fprintf(out_hnd, "No users\n");
612 if (request_user_info || request_alias_info)
614 /* query all the users */
/* user_idx's declaration and its increment at the end of the loop body are
 * among the lines missing from this listing. */
617 while (res && user_idx < info->dom.num_sam_entries)
619 uint32 user_rid = info->dom.sam[user_idx].smb_userid;
620 SAM_USER_INFO_21 usr;
/* Original line 623 (the argument for %8x) is not on the page. */
622 fprintf(out_hnd, "User RID: %8x User Name: %s\n",
624 info->dom.sam[user_idx].acct_name);
626 if (request_user_info)
628 /* send user info query, level 0x15 */
629 if (get_samr_query_userinfo(smb_cli,
630 &info->dom.samr_pol_open_domain,
631 0x15, user_rid, &usr))
633 display_sam_user_info_21(out_hnd, ACTION_HEADER , &usr);
634 display_sam_user_info_21(out_hnd, ACTION_ENUMERATE, &usr);
635 display_sam_user_info_21(out_hnd, ACTION_FOOTER , &usr);
639 if (request_alias_info)
/* Fixed-size stack array; bounding the returned count to LSA_MAX_GROUPS is
 * left to get_samr_query_useraliases -- no check is visible here. */
642 DOM_GID gid[LSA_MAX_GROUPS];
/* NOTE(review): num_aliases is reused as the output count here, so after
 * this loop it no longer describes the alias_names/num_als_usrs tables. */
644 /* send user alias query */
645 if (get_samr_query_useraliases(smb_cli,
646 &info->dom.samr_pol_open_domain,
647 user_rid, &num_aliases, gid))
649 display_alias_info(out_hnd, ACTION_HEADER , num_aliases, gid);
650 display_alias_info(out_hnd, ACTION_ENUMERATE, num_aliases, gid);
651 display_alias_info(out_hnd, ACTION_FOOTER , num_aliases, gid);
/* Connect handle closed before the domain handle (see cmd_sam_query_user). */
660 res = res ? do_samr_close(smb_cli,
661 &info->dom.samr_pol_connect) : False;
663 res = res ? do_samr_close(smb_cli,
664 &info->dom.samr_pol_open_domain) : False;
666 /* close the session */
667 cli_nt_session_close(smb_cli);
/* NOTE(review): both debug tags name cmd_sam_enum_users (copy-paste); they
 * are runtime strings and are left unchanged here, but log readers will be
 * misattributing these messages until they are fixed. */
671 DEBUG(5,("cmd_sam_enum_users: succeeded\n"));
675 DEBUG(5,("cmd_sam_enum_users: failed\n"));