1 
2 #ifdef SYSLOG
3 #undef SYSLOG
4 #endif
5 
#include "includes.h"
#include <string.h>
7 
8 extern int DEBUGLEVEL;
9 extern pstring username;
10 extern pstring smb_login_passwd;
11 extern pstring workgroup;
12 
13 #define CLIENT_TIMEOUT (30*1000)
14 
15 #ifdef NTDOMAIN
16 
17 
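/****************************************************************************
experimental nt login.

Runs the NT domain logon sequence against desthost on behalf of the
current user (globals username, smb_login_passwd, workgroup):

  \PIPE\lsarpc   : open, set handle state, bind, LSA OpenPolicy,
                   QueryInfoPolicy level 3 and level 5, Close.
  \PIPE\NETLOGON : open, set handle state, bind, ReqChallenge, Auth2,
                   SamLogon, SamLogoff.

desthost    name of the domain controller
myhostname  this machine's name; the machine account is "myhostname$" and
            the machine password used here is the lowercased host name
Client      SMB socket descriptor
cnum        connected tree on which the named pipes are opened

Returns True when every call in the sequence succeeded, False otherwise.
On every exit path inbuf/outbuf are freed and a still-open pipe is closed
(the earlier version leaked the pipe when set-handle-state or bind failed,
leaked inbuf when only the outbuf allocation failed, and lowercased
mach_pwd before it had been filled in).
****************************************************************************/
BOOL do_nt_login(char *desthost, char *myhostname,
				int Client, int cnum)
{
	DOM_CHAL clnt_chal;
	DOM_CHAL srv_chal;

	DOM_CRED clnt_cred;

	DOM_CHAL auth2_srv_chal;

	DOM_CRED sam_logon_clnt_cred;
	DOM_CRED sam_logon_rtn_cred;
	DOM_CRED sam_logon_srv_cred;

	DOM_CRED sam_logoff_clnt_cred;
	DOM_CRED sam_logoff_rtn_cred;
	DOM_CRED sam_logoff_srv_cred;

	DOM_ID_INFO_1 id1;
	LSA_USER_INFO user_info1;
	LSA_POL_HND pol;
	size_t i;

	UTIME zerotime;

	uchar sess_key[8];
	char nt_owf_mach_pwd[16];
	fstring mach_acct;
	fstring mach_pwd;
	fstring server_name;

	RPC_IFACE abstract;
	RPC_IFACE transfer;

	/* static as in the original: it is not visible here whether
	   make_rpc_iface() keeps a pointer to these, so their lifetime is
	   left unchanged. */
	static char abs_data[16];
	static char trn_data[16];

	/* received from LSA Query Info Policy, level 5 */
	fstring level5_domain_name;
	pstring level5_domain_sid;

	/* received from LSA Query Info Policy, level 3 */
	fstring level3_domain_name;
	pstring level3_domain_sid;

	/* 0xffff is the "no pipe" value rpc_pipe_open() returns on failure;
	   the cleanup path closes a pipe only while fnum differs from it. */
	uint16 fnum = 0xffff;
	uint32 call_id = 0;
	char *inbuf = NULL;
	char *outbuf = NULL;
	BOOL ret = False;

	zerotime.time = 0;

	inbuf  = (char *)malloc(BUFFER_SIZE + SAFETY_MARGIN);
	outbuf = (char *)malloc(BUFFER_SIZE + SAFETY_MARGIN);

	if (!inbuf || !outbuf)
	{
		DEBUG(0,("out of memory\n"));
		goto out;
	}

	/******************* open the \PIPE\lsarpc file *****************/

	fnum = rpc_pipe_open(inbuf, outbuf, PIPE_LSARPC, Client, cnum);
	if (fnum == 0xffff)
	{
		goto out;
	}

	/**************** Set Named Pipe State ***************/

	/* from here on "goto out" also closes the open pipe */
	if (!rpc_pipe_set_hnd_state(PIPE_LSARPC, fnum, 0x4300))
	{
		goto out;
	}

	/******************* bind request on \PIPE\lsarpc *****************/

	/* create and send a MSRPC command with api LSA_OPENPOLICY */

	DEBUG(4,("LSA RPC Bind[%x]\n", fnum));

	/* 16-byte UUID bodies: transfer syntax 0,2,4,...; abstract 0,1,2,... */
	for (i = 0; i < sizeof(trn_data); i++)
	{
		trn_data[i] = (char)(2 * i);
	}

	for (i = 0; i < sizeof(abs_data); i++)
	{
		abs_data[i] = (char)i;
	}

	/* create interface UUIDs. */
	make_rpc_iface(&abstract, abs_data, 0x0);
	make_rpc_iface(&transfer, trn_data, 0x2);

	if (!rpc_pipe_bind(PIPE_LSARPC, fnum, ++call_id, &abstract, &transfer))
	{
		goto out;
	}

	/******************* Open Policy ********************/

	/* "\\\\<myhostname>": built with fstrcat so the copy stays bounded by
	   the whole of server_name instead of starting two bytes into it */
	fstrcpy(server_name, "\\\\");
	fstrcat(server_name, myhostname);

	/* send an open policy request; receive a policy handle */
	if (!do_lsa_open_policy(fnum, ++call_id, server_name, &pol))
	{
		goto out;
	}

	/**************** Query Info Policy, level 3 ********************/

	/* send a query info policy at level 3; receive an info policy */
	if (!do_lsa_query_info_pol(fnum, ++call_id, &pol, 0x3,
	                           level3_domain_name, level3_domain_sid))
	{
		goto out;
	}

	/**************** Query Info Policy, level 5 ********************/

	/* send a query info policy at level 5; receive an info policy */
	if (!do_lsa_query_info_pol(fnum, ++call_id, &pol, 0x5,
	                           level5_domain_name, level5_domain_sid))
	{
		goto out;
	}

	/******************* Close Policy ********************/

	/* send a close policy request; receive a close pol response */
	if (!do_lsa_close(fnum, ++call_id, &pol))
	{
		goto out;
	}

	/******************* close the \PIPE\lsarpc file *******************/

	cli_smb_close(inbuf, outbuf, Client, cnum, fnum);
	fnum = 0xffff;

	/******************* open the \PIPE\NETLOGON file *****************/

	fnum = rpc_pipe_open(inbuf, outbuf, PIPE_NETLOGON, Client, cnum);
	if (fnum == 0xffff)
	{
		goto out;
	}

	/**************** Set Named Pipe State ***************/
	if (!rpc_pipe_set_hnd_state(PIPE_NETLOGON, fnum, 0x4300))
	{
		goto out;
	}

	/******************* bind request on \PIPE\NETLOGON *****************/

	if (!rpc_pipe_bind(PIPE_NETLOGON, fnum, ++call_id, &abstract, &transfer))
	{
		goto out;
	}

	/******************* Request Challenge ********************/

	/* machine account is "<host>$" */
	fstrcpy(mach_acct, myhostname);
	fstrcat(mach_acct, "$");

	/* machine password used here is the lowercased host name; lowercase
	   after the copy (the buffer is uninitialised before it) */
	fstrcpy(mach_pwd, myhostname);
	strlower(mach_pwd);

	/* NOTE(review): the client challenge is a fixed constant.  The session
	   key below is derived from it, so it should be an unpredictable
	   8-byte value in anything beyond this experiment. */
	SIVAL(clnt_chal.data, 0, 0x11111111);
	SIVAL(clnt_chal.data, 4, 0x22222222);

	/* send a client challenge; receive a server challenge */
	if (!do_lsa_req_chal(fnum, ++call_id, desthost, myhostname, &clnt_chal, &srv_chal))
	{
		goto out;
	}

	/************ Long-term Session key (default) **********/

#if 0
	/* DAMN!  can't get the machine password - need become_root() to do it! */
	/* get the machine password */
	if (!get_md4pw(mach_acct, nt_owf_mach_pwd))
	{
		goto out;
	}

	DEBUG(5,("got nt owf from smbpasswd entry: %s\n", mach_pwd));
#else

	{
		char lm_owf_mach_pwd[16];
		nt_lm_owf_gen(mach_pwd, nt_owf_mach_pwd, lm_owf_mach_pwd);
		/* mach_pwd is only the lowercased host name at this point; do not
		   keep this message if a real machine password is ever used here */
		DEBUG(5,("generating nt owf from initial machine pwd: %s\n", mach_pwd));
		memset(lm_owf_mach_pwd, 0, sizeof(lm_owf_mach_pwd));
	}

#endif

	dump_data(6, nt_owf_mach_pwd, 16);

	/* calculate the session key */
	cred_session_key(&clnt_chal, &srv_chal, nt_owf_mach_pwd, sess_key);


	/******************* Authenticate 2 ********************/

	/* calculate auth-2 credentials */
	cred_create(sess_key, &clnt_chal, zerotime, &(clnt_cred.challenge));

	/* send client auth-2 challenge; receive an auth-2 challenge */
	if (!do_lsa_auth2(fnum, ++call_id, desthost, mach_acct, 2, myhostname,
	                  &(clnt_cred.challenge), 0x000001ff, &auth2_srv_chal))
	{
		goto out;
	}


	/*********************** SAM Info ***********************/

	{
		char lm_owf_user_pwd[16];
		char nt_owf_user_pwd[16];
		nt_lm_owf_gen(smb_login_passwd, nt_owf_user_pwd, lm_owf_user_pwd);

#ifdef DEBUG_PASSWORD

		DEBUG(100,("lm owf of user password: "));
		dump_data(100, lm_owf_user_pwd, 16);

		DEBUG(100,("nt owf of user password: "));
		dump_data(100, nt_owf_user_pwd, 16);

#endif

		/* this is used in both the SAM Logon and the SAM Logoff */
		make_id_info1(&id1, workgroup, 0,
	              getuid(), 0,
	              username, myhostname,
	              sess_key, lm_owf_user_pwd, nt_owf_user_pwd);

		/* the hashes have been copied into id1; scrub the stack copies
		   (best effort: a plain memset may be elided by the optimiser) */
		memset(lm_owf_user_pwd, 0, sizeof(lm_owf_user_pwd));
		memset(nt_owf_user_pwd, 0, sizeof(nt_owf_user_pwd));
	}

	/*********************** SAM Logon **********************/

	clnt_cred.timestamp.time = sam_logon_clnt_cred.timestamp.time = time(NULL);

	/* calculate sam logon credentials, using the auth2 client challenge */
	cred_create(sess_key, &(clnt_cred.challenge), sam_logon_clnt_cred.timestamp,
	                                  &(sam_logon_clnt_cred.challenge));

	/* send client sam-logon challenge; receive a sam-logon challenge */
	if (!do_lsa_sam_logon(fnum, ++call_id, sess_key, &clnt_cred,
	                  desthost, mach_acct,
	                  &sam_logon_clnt_cred, &sam_logon_rtn_cred,
	                  1, 1, &id1, &user_info1,
	                  &sam_logon_srv_cred))
	{
		goto out;
	}

	/*********************** SAM Logoff *********************/

	clnt_cred.timestamp.time = sam_logoff_clnt_cred.timestamp.time = time(NULL);

	/* calculate sam logoff credentials, using the sam logon return challenge */
	cred_create(sess_key, &(clnt_cred.challenge),
	                        sam_logoff_clnt_cred.timestamp,
	                      &(sam_logoff_clnt_cred.challenge));

	/* send client sam-logoff challenge; receive a sam-logoff challenge */
	if (!do_lsa_sam_logoff(fnum, ++call_id, sess_key, &clnt_cred,
	                  desthost, mach_acct,
	                  &sam_logoff_clnt_cred, &sam_logoff_rtn_cred,
	                  1, 1, &id1,
	                  &sam_logoff_srv_cred))
	{
		goto out;
	}

	/******************** close the \PIPE\NETLOGON file **************/

	cli_smb_close(inbuf, outbuf, Client, cnum, fnum);
	fnum = 0xffff;

	ret = True;

out:
	/* close whichever pipe is still open (lsarpc or NETLOGON) */
	if (fnum != 0xffff)
	{
		cli_smb_close(inbuf, outbuf, Client, cnum, fnum);
	}

	/* scrub key material before the frame is reused
	   (best effort: a plain memset may be elided by the optimiser) */
	memset(sess_key, 0, sizeof(sess_key));
	memset(nt_owf_mach_pwd, 0, sizeof(nt_owf_mach_pwd));

	/* free memory used in all rpc transactions, above; free(NULL) is a
	   no-op, so this also covers the partial-allocation failure */
	free(inbuf); free(outbuf);

	return ret;
}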
333 #endif /* NTDOMAIN */
334