2 #ifdef SYSLOG
3 #undef SYSLOG
4 #endif
5
6 #include "includes.h"
7
8 extern int DEBUGLEVEL;
9 extern pstring username;
10 extern pstring smb_login_passwd;
11 extern pstring workgroup;
12
13 #define CLIENT_TIMEOUT (30*1000)
14
15 #ifdef NTDOMAIN
16
17
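/****************************************************************************
experimental nt login.

Runs the client side of an NT domain logon against desthost over the SMB
connection identified by Client/cnum, in two phases:

  1. \PIPE\lsarpc: open, set handle state, bind, LSA Open Policy,
     LSA Query Info Policy at levels 3 and 5, LSA Close, close the pipe.
  2. \PIPE\NETLOGON: open, set handle state, bind, Request Challenge,
     derive the session key from the machine password OWF, Authenticate 2,
     SAM Logon, SAM Logoff, close the pipe.

The machine account is "<myhostname>$" and the machine password used is the
lower-cased host name (see the nt_lm_owf_gen() call below); the smbpasswd
lookup that would replace it is left under #if 0 with the reason.  The user
credentials come from the globals username, smb_login_passwd and workgroup.

desthost    server to log on to; handed to the netlogon requests.
myhostname  our own name; used for the LSA server_name, the machine
            account name and the machine password.
Client      passed through unchanged to rpc_pipe_open()/cli_smb_close().
cnum        passed through unchanged to rpc_pipe_open()/cli_smb_close().

Returns True only when every step above succeeded, False otherwise.  On every
exit path the pipe handle (if one is open) and the two RPC buffers are
released, and the session key and machine password hash are cleared.
****************************************************************************/
BOOL do_nt_login(char *desthost, char *myhostname,
		 int Client, int cnum)
{
	BOOL ret = False;

	DOM_CHAL clnt_chal;
	DOM_CHAL srv_chal;

	DOM_CRED clnt_cred;

	DOM_CHAL auth2_srv_chal;

	DOM_CRED sam_logon_clnt_cred;
	DOM_CRED sam_logon_rtn_cred;
	DOM_CRED sam_logon_srv_cred;

	DOM_CRED sam_logoff_clnt_cred;
	DOM_CRED sam_logoff_rtn_cred;
	DOM_CRED sam_logoff_srv_cred;

	DOM_ID_INFO_1 id1;
	LSA_USER_INFO user_info1;
	LSA_POL_HND pol;
	size_t i;

	UTIME zerotime;

	uchar sess_key[8];
	char nt_owf_mach_pwd[16];
	fstring mach_acct;
	fstring mach_pwd;
	fstring server_name;

	RPC_IFACE abstract;
	RPC_IFACE transfer;

	static char abs_data[16];
	static char trn_data[16];

	/* received from LSA Query Info Policy, level 5 */
	fstring level5_domain_name;
	pstring level5_domain_sid;

	/* received from LSA Query Info Policy, level 3 */
	fstring level3_domain_name;
	pstring level3_domain_sid;

	/* 0xffff is rpc_pipe_open()'s failure value; it doubles as "no pipe
	   open" for the common exit path below, so it must be the initial
	   value and must be restored whenever a pipe is closed early. */
	uint16 fnum = 0xffff;
	uint32 call_id = 0;
	char *inbuf = NULL;
	char *outbuf = NULL;

	zerotime.time = 0;

	inbuf = malloc(BUFFER_SIZE + SAFETY_MARGIN);
	outbuf = malloc(BUFFER_SIZE + SAFETY_MARGIN);

	if (!inbuf || !outbuf)
	{
		DEBUG(0,("out of memory\n"));
		/* free(NULL) is a no-op, so the one that succeeded is released */
		goto cleanup;
	}

	/******************* open the \PIPE\lsarpc file *****************/

	fnum = rpc_pipe_open(inbuf, outbuf, PIPE_LSARPC, Client, cnum);
	if (fnum == 0xffff)
	{
		goto cleanup;
	}

	/**************** Set Named Pipe State ***************/
	if (!rpc_pipe_set_hnd_state(PIPE_LSARPC, fnum, 0x4300))
	{
		goto cleanup;
	}

	/******************* bind request on \PIPE\lsarpc *****************/

	/* create and send a MSRPC command with api LSA_OPENPOLICY */

	DEBUG(4,("LSA RPC Bind[%x]\n", fnum));

	for (i = 0; i < sizeof(trn_data); i++)
	{
		trn_data[i] = (char)(2 * i);
	}

	for (i = 0; i < sizeof(abs_data); i++)
	{
		abs_data[i] = (char)i;
	}

	/* create interface UUIDs. */
	make_rpc_iface(&abstract, abs_data, 0x0);
	make_rpc_iface(&transfer, trn_data, 0x2);

	if (!rpc_pipe_bind(PIPE_LSARPC, fnum, ++call_id, &abstract, &transfer))
	{
		goto cleanup;
	}

	/******************* Open Policy ********************/

	/* "\\<myhostname>", built with the bounded fstring helpers rather
	   than by copying at a fixed offset into the buffer */
	fstrcpy(server_name, "\\\\");
	fstrcat(server_name, myhostname);

	/* send an open policy request; receive a policy handle */
	if (!do_lsa_open_policy(fnum, ++call_id, server_name, &pol))
	{
		goto cleanup;
	}

	/**************** Query Info Policy, level 3 ********************/

	/* send a query info policy at level 3; receive an info policy */
	if (!do_lsa_query_info_pol(fnum, ++call_id, &pol, 0x3,
				   level3_domain_name, level3_domain_sid))
	{
		goto cleanup;
	}

	/**************** Query Info Policy, level 5 ********************/

	/* send a query info policy at level 5; receive an info policy */
	if (!do_lsa_query_info_pol(fnum, ++call_id, &pol, 0x5,
				   level5_domain_name, level5_domain_sid))
	{
		goto cleanup;
	}

	/******************* Close Policy ********************/

	/* send a close policy request; receive a close pol response */
	if (!do_lsa_close(fnum, ++call_id, &pol))
	{
		goto cleanup;
	}

	/******************* close the \PIPE\lsarpc file *******************/

	cli_smb_close(inbuf, outbuf, Client, cnum, fnum);
	fnum = 0xffff;

	/******************* open the \PIPE\NETLOGON file *****************/

	fnum = rpc_pipe_open(inbuf, outbuf, PIPE_NETLOGON, Client, cnum);
	if (fnum == 0xffff)
	{
		goto cleanup;
	}

	/**************** Set Named Pipe State ***************/
	if (!rpc_pipe_set_hnd_state(PIPE_NETLOGON, fnum, 0x4300))
	{
		goto cleanup;
	}

	/******************* bind request on \PIPE\NETLOGON *****************/

	if (!rpc_pipe_bind(PIPE_NETLOGON, fnum, ++call_id, &abstract, &transfer))
	{
		goto cleanup;
	}

	/******************* Request Challenge ********************/

	/* machine account is "<host>$"; the machine password is the
	   lower-cased host name.  The copy must happen before strlower(),
	   otherwise an uninitialised buffer is lower-cased. */
	fstrcpy(mach_acct, myhostname);
	fstrcat(mach_acct, "$");

	fstrcpy(mach_pwd, myhostname);
	strlower(mach_pwd);

	/* NOTE(review): the client challenge is a fixed constant on every
	   logon; a per-call random value is what this exchange expects.
	   Left as-is until a random source is available to this client. */
	SIVAL(clnt_chal.data, 0, 0x11111111);
	SIVAL(clnt_chal.data, 4, 0x22222222);

	/* send a client challenge; receive a server challenge */
	if (!do_lsa_req_chal(fnum, ++call_id, desthost, myhostname, &clnt_chal, &srv_chal))
	{
		goto cleanup;
	}

	/************ Long-term Session key (default) **********/

#if 0
	/* DAMN! can't get the machine password - need become_root() to do it! */
	/* get the machine password */
	if (!get_md4pw(mach_acct, nt_owf_mach_pwd))
	{
		goto cleanup;
	}

	DEBUG(5,("got nt owf from smbpasswd entry: %s\n", mach_pwd));
#else

	{
		char lm_owf_mach_pwd[16];
		nt_lm_owf_gen(mach_pwd, nt_owf_mach_pwd, lm_owf_mach_pwd);
#ifdef DEBUG_PASSWORD
		/* the plaintext machine password only reaches the log in
		   DEBUG_PASSWORD builds, like the user password below */
		DEBUG(5,("generating nt owf from initial machine pwd: %s\n", mach_pwd));
#endif
	}

#endif

#ifdef DEBUG_PASSWORD
	/* the machine password hash is itself a credential; keep it out of
	   ordinary debug logs */
	dump_data(6, nt_owf_mach_pwd, 16);
#endif

	/* calculate the session key */
	cred_session_key(&clnt_chal, &srv_chal, nt_owf_mach_pwd, sess_key);


	/******************* Authenticate 2 ********************/

	/* calculate auth-2 credentials */
	cred_create(sess_key, &clnt_chal, zerotime, &(clnt_cred.challenge));

	/* send client auth-2 challenge; receive an auth-2 challenge */
	if (!do_lsa_auth2(fnum, ++call_id, desthost, mach_acct, 2, myhostname,
			  &(clnt_cred.challenge), 0x000001ff, &auth2_srv_chal))
	{
		goto cleanup;
	}


	/*********************** SAM Info ***********************/

	{
		char lm_owf_user_pwd[16];
		char nt_owf_user_pwd[16];
		nt_lm_owf_gen(smb_login_passwd, nt_owf_user_pwd, lm_owf_user_pwd);

#ifdef DEBUG_PASSWORD

		DEBUG(100,("nt owf of user password: "));
		dump_data(100, lm_owf_user_pwd, 16);

		DEBUG(100,("nt owf of user password: "));
		dump_data(100, nt_owf_user_pwd, 16);

#endif

		/* this is used in both the SAM Logon and the SAM Logoff */
		make_id_info1(&id1, workgroup, 0,
			      getuid(), 0,
			      username, myhostname,
			      sess_key, lm_owf_user_pwd, nt_owf_user_pwd);
	}

	/*********************** SAM Logon **********************/

	clnt_cred.timestamp.time = sam_logon_clnt_cred.timestamp.time = time(NULL);

	/* calculate sam logon credentials, using the auth2 client challenge */
	cred_create(sess_key, &(clnt_cred.challenge), sam_logon_clnt_cred.timestamp,
		    &(sam_logon_clnt_cred.challenge));

	/* send client sam-logon challenge; receive a sam-logon challenge */
	if (!do_lsa_sam_logon(fnum, ++call_id, sess_key, &clnt_cred,
			      desthost, mach_acct,
			      &sam_logon_clnt_cred, &sam_logon_rtn_cred,
			      1, 1, &id1, &user_info1,
			      &sam_logon_srv_cred))
	{
		goto cleanup;
	}

	/*********************** SAM Logoff *********************/

	clnt_cred.timestamp.time = sam_logoff_clnt_cred.timestamp.time = time(NULL);

	/* calculate sam logoff credentials, using the sam logon return challenge */
	cred_create(sess_key, &(clnt_cred.challenge),
		    sam_logoff_clnt_cred.timestamp,
		    &(sam_logoff_clnt_cred.challenge));

	/* send client sam-logoff challenge; receive a sam-logoff challenge */
	if (!do_lsa_sam_logoff(fnum, ++call_id, sess_key, &clnt_cred,
			       desthost, mach_acct,
			       &sam_logoff_clnt_cred, &sam_logoff_rtn_cred,
			       1, 1, &id1,
			       &sam_logoff_srv_cred))
	{
		goto cleanup;
	}

	/* every step succeeded; the NETLOGON pipe is closed by the common exit */
	ret = True;

cleanup:
	/******************** close whichever pipe is still open **************/

	if (fnum != 0xffff)
	{
		cli_smb_close(inbuf, outbuf, Client, cnum, fnum);
	}

	/* best-effort scrub of the key material; a plain memset before return
	   may be dropped by the optimiser, but nothing more specific is in
	   scope here */
	memset(sess_key, 0, sizeof(sess_key));
	memset(nt_owf_mach_pwd, 0, sizeof(nt_owf_mach_pwd));

	/* free memory used in all rpc transactions, above */
	free(inbuf); free(outbuf);

	return ret;
}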
333 #endif /* NTDOMAIN */