2 Unix SMB/Netbios implementation.
4 NT Domain Authentication SMB / MSRPC client
5 Copyright (C) Andrew Tridgell 1994-1997
6 Copyright (C) Luke Kenneth Casson Leighton 1996-1997
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
26 extern int DEBUGLEVEL;
28 /****************************************************************************
29 Initialize domain session credentials.
30 ****************************************************************************/
32 BOOL cli_nt_setup_creds(struct cli_state *cli, uint16 fnum,
33 const char* trust_acct,
34 unsigned char trust_pwd[16],
42 /******************* Request Challenge ********************/
44 generate_random_buffer( clnt_chal.data, 8, False);
46 /* send a client challenge; receive a server challenge */
47 if (!cli_net_req_chal(cli, fnum, &clnt_chal, &srv_chal))
49 DEBUG(0,("cli_nt_setup_creds: request challenge failed\n"));
53 /**************** Long-term Session key **************/
55 /* calculate the session key */
56 cred_session_key(&clnt_chal, &srv_chal, (char *)trust_pwd, cli->sess_key);
57 bzero(cli->sess_key+8, 8);
59 /******************* Authenticate 2 ********************/
61 /* calculate auth-2 credentials */
63 cred_create(cli->sess_key, &clnt_chal, zerotime, &(cli->clnt_cred.challenge));
66 * Send client auth-2 challenge.
67 * Receive an auth-2 challenge response and check it.
70 if (!cli_net_auth2(cli, fnum, trust_acct, sec_chan, 0x000001ff, &srv_chal))
72 DEBUG(0,("cli_nt_setup_creds: auth2 challenge failed\n"));
79 /****************************************************************************
81 ****************************************************************************/
83 BOOL cli_nt_srv_pwset(struct cli_state *cli, uint16 fnum, unsigned char *new_hashof_trust_pwd)
85 unsigned char processed_new_pwd[16];
87 DEBUG(5,("cli_nt_srv_pwset: %d\n", __LINE__));
90 dump_data(6, new_hashof_trust_pwd, 16);
93 /* Process the new password. */
94 cred_hash3( processed_new_pwd, new_hashof_trust_pwd, cli->sess_key, 1);
96 /* send client srv_pwset challenge */
97 return cli_net_srv_pwset(cli, fnum, processed_new_pwd);
100 /****************************************************************************
101 NT login - interactive.
102 *NEVER* use this code. This method of doing a logon (sending the cleartext
103 password equivalents, protected by the session key) is inherently insecure
104 given the current design of the NT Domain system. JRA.
105 ****************************************************************************/
106 BOOL cli_nt_login_interactive(struct cli_state *cli, uint16 fnum, char *domain, char *username,
107 uint32 luid_low, char *password,
108 NET_ID_INFO_CTR *ctr, NET_USER_INFO_3 *user_info3)
110 uchar lm_owf_user_pwd[16];
111 uchar nt_owf_user_pwd[16];
114 DEBUG(5,("cli_nt_login_interactive: %d\n", __LINE__));
116 nt_lm_owf_gen(password, nt_owf_user_pwd, lm_owf_user_pwd);
118 #ifdef DEBUG_PASSWORD
120 DEBUG(100,("nt owf of user password: "));
121 dump_data(100, lm_owf_user_pwd, 16);
123 DEBUG(100,("nt owf of user password: "));
124 dump_data(100, nt_owf_user_pwd, 16);
128 DEBUG(5,("cli_nt_login_interactive: %d\n", __LINE__));
130 /* indicate an "interactive" login */
131 ctr->switch_value = INTERACTIVE_LOGON_TYPE;
133 /* Create the structure needed for SAM logon. */
134 make_id_info1(&ctr->auth.id1, domain, 0,
136 username, cli->clnt_name_slash,
137 (char *)cli->sess_key, lm_owf_user_pwd, nt_owf_user_pwd);
139 /* Ensure we overwrite all the plaintext password
141 memset(lm_owf_user_pwd, '\0', sizeof(lm_owf_user_pwd));
142 memset(nt_owf_user_pwd, '\0', sizeof(nt_owf_user_pwd));
144 /* Send client sam-logon request - update credentials on success. */
145 ret = cli_net_sam_logon(cli, fnum, ctr, user_info3);
147 memset(ctr->auth.id1.lm_owf.data, '\0', sizeof(lm_owf_user_pwd));
148 memset(ctr->auth.id1.nt_owf.data, '\0', sizeof(nt_owf_user_pwd));
153 /****************************************************************************
155 *ALWAYS* use this call to validate a user as it does not expose plaintext
156 password equivalents over the network. JRA.
157 ****************************************************************************/
159 BOOL cli_nt_login_network(struct cli_state *cli, uint16 fnum, char *domain, char *username,
160 uint32 luid_low, char lm_chal[8], char lm_chal_resp[24],
161 char nt_chal_resp[24],
162 NET_ID_INFO_CTR *ctr, NET_USER_INFO_3 *user_info3)
164 DEBUG(5,("cli_nt_login_network: %d\n", __LINE__));
166 /* indicate a "network" login */
167 ctr->switch_value = NET_LOGON_TYPE;
169 /* Create the structure needed for SAM logon. */
170 make_id_info2(&ctr->auth.id2, domain, 0,
172 username, cli->clnt_name_slash,
173 (uchar *)lm_chal, (uchar *)lm_chal_resp, (uchar *)nt_chal_resp);
175 /* Send client sam-logon request - update credentials on success. */
176 return cli_net_sam_logon(cli, fnum, ctr, user_info3);
179 /****************************************************************************
181 ****************************************************************************/
182 BOOL cli_nt_logoff(struct cli_state *cli, uint16 fnum, NET_ID_INFO_CTR *ctr)
184 DEBUG(5,("cli_nt_logoff: %d\n", __LINE__));
186 /* Send client sam-logoff request - update credentials on success. */
187 return cli_net_sam_logoff(cli, fnum, ctr);