source/rpc_client/cli_login.c

   1 /*
   2    Unix SMB/Netbios implementation.
   3    Version 1.9.
   4    NT Domain Authentication SMB / MSRPC client
   5    Copyright (C) Andrew Tridgell 1994-1997
   6    Copyright (C) Luke Kenneth Casson Leighton 1996-1997
   7    Copyright (C) Jeremy Allison  1999.
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 2 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program; if not, write to the Free Software
  21    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  22 */
  23
  24 #include "includes.h"
  25
  26 extern fstring global_myworkgroup;
  27 extern pstring global_myname;
  28
  29 /****************************************************************************
  30 Initialize domain session credentials.
  31 ****************************************************************************/
  32
  33 NTSTATUS cli_nt_setup_creds(struct cli_state *cli, unsigned char mach_pwd[16])
  34 {
  35   NTSTATUS result;
  36   DOM_CHAL clnt_chal;
  37   DOM_CHAL srv_chal;
  38
  39   UTIME zerotime;
  40
  41   /******************* Request Challenge ********************/
  42
  43   generate_random_buffer( clnt_chal.data, 8, False);
  44
  45   /* send a client challenge; receive a server challenge */
  46   if (!cli_net_req_chal(cli, &clnt_chal, &srv_chal))
  47   {
  48     DEBUG(0,("cli_nt_setup_creds: request challenge failed\n"));
  49     return NT_STATUS_UNSUCCESSFUL;
  50   }
  51
  52   /**************** Long-term Session key **************/
  53
  54   /* calculate the session key */
  55   cred_session_key(&clnt_chal, &srv_chal, (char *)mach_pwd, cli->sess_key);
  56   memset((char *)cli->sess_key+8, '\0', 8);
  57
  58   /******************* Authenticate 2 ********************/
  59
  60   /* calculate auth-2 credentials */
  61   zerotime.time = 0;
  62   cred_create(cli->sess_key, &clnt_chal, zerotime, &(cli->clnt_cred.challenge));
  63
  64   /*
  65    * Send client auth-2 challenge.
  66    * Receive an auth-2 challenge response and check it.
  67    */
  68
  69   result = cli_net_auth2(cli, (lp_server_role() == ROLE_DOMAIN_MEMBER) ?
  70                          SEC_CHAN_WKSTA : SEC_CHAN_BDC, 0x000001ff, &srv_chal);
  71
  72   if (!NT_STATUS_IS_OK(result))
  73   {
  74     DEBUG(0,("cli_nt_setup_creds: auth2 challenge failed\n"));
  75     return result;
  76   }
  77
  78   return NT_STATUS_OK;
  79 }
  80
  81 /****************************************************************************
  82  Set machine password.
  83  ****************************************************************************/
  84
  85 BOOL cli_nt_srv_pwset(struct cli_state *cli, unsigned char *new_hashof_mach_pwd)
  86 {
  87   unsigned char processed_new_pwd[16];
  88
  89   DEBUG(5,("cli_nt_srv_pwset: %d\n", __LINE__));
  90
  91 #ifdef DEBUG_PASSWORD
  92   dump_data(6, (char *)new_hashof_mach_pwd, 16);
  93 #endif
  94
  95   /* Process the new password. */
  96   cred_hash3( processed_new_pwd, new_hashof_mach_pwd, cli->sess_key, 1);
  97
  98   /* send client srv_pwset challenge */
  99   return cli_net_srv_pwset(cli, processed_new_pwd);
 100 }
 101
 102 /****************************************************************************
 103 NT login - interactive.
 104 *NEVER* use this code. This method of doing a logon (sending the cleartext
 105 password equivalents, protected by the session key) is inherently insecure
 106 given the current design of the NT Domain system. JRA.
 107  ****************************************************************************/
 108 NTSTATUS cli_nt_login_interactive(struct cli_state *cli, char *domain, char *username,
 109                               uint32 smb_userid_low, char *password,
 110                               NET_ID_INFO_CTR *ctr, NET_USER_INFO_3 *user_info3)
 111 {
 112   uchar lm_owf_user_pwd[16];
 113   uchar nt_owf_user_pwd[16];
 114   NTSTATUS ret;
 115
 116   DEBUG(5,("cli_nt_login_interactive: %d\n", __LINE__));
 117
 118   nt_lm_owf_gen(password, nt_owf_user_pwd, lm_owf_user_pwd);
 119
 120 #ifdef DEBUG_PASSWORD
 121
 122   DEBUG(100,("nt owf of user password: "));
 123   dump_data(100, (char *)lm_owf_user_pwd, 16);
 124
 125   DEBUG(100,("nt owf of user password: "));
 126   dump_data(100, (char *)nt_owf_user_pwd, 16);
 127
 128 #endif
 129
 130   DEBUG(5,("cli_nt_login_interactive: %d\n", __LINE__));
 131
 132   /* indicate an "interactive" login */
 133   ctr->switch_value = INTERACTIVE_LOGON_TYPE;
 134
 135   /* Create the structure needed for SAM logon. */
 136   init_id_info1(&ctr->auth.id1, domain, 0,
 137                 smb_userid_low, 0,
 138                 username, cli->clnt_name_slash,
 139                 (char *)cli->sess_key, lm_owf_user_pwd, nt_owf_user_pwd);
 140
 141   /* Ensure we overwrite all the plaintext password
 142      equivalents. */
 143   memset(lm_owf_user_pwd, '\0', sizeof(lm_owf_user_pwd));
 144   memset(nt_owf_user_pwd, '\0', sizeof(nt_owf_user_pwd));
 145
 146   /* Send client sam-logon request - update credentials on success. */
 147   ret = cli_net_sam_logon(cli, ctr, user_info3);
 148
 149   memset(ctr->auth.id1.lm_owf.data, '\0', sizeof(lm_owf_user_pwd));
 150   memset(ctr->auth.id1.nt_owf.data, '\0', sizeof(nt_owf_user_pwd));
 151
 152   return ret;
 153 }
 154
 155 /****************************************************************************
 156 NT login - network.
 157 *ALWAYS* use this call to validate a user as it does not expose plaintext
 158 password equivalents over the network. JRA.
 159 ****************************************************************************/
 160
 161 NTSTATUS cli_nt_login_network(struct cli_state *cli, char *domain, char *username,
 162                                                         uint32 smb_userid_low, const char lm_chal[8],
 163                                                         const char *lm_chal_resp, const char *nt_chal_resp,
 164                                                         NET_ID_INFO_CTR *ctr, NET_USER_INFO_3 *user_info3)
 165 {
 166         fstring dos_wksta_name, dos_username, dos_domain;
 167         DEBUG(5,("cli_nt_login_network: %d\n", __LINE__));
 168         /* indicate a "network" login */
 169         ctr->switch_value = NET_LOGON_TYPE;
 170
 171         fstrcpy(dos_wksta_name, cli->clnt_name_slash);
 172         unix_to_dos(dos_wksta_name, True);
 173
 174         fstrcpy(dos_username, username);
 175         unix_to_dos(dos_username, True);
 176
 177         fstrcpy(dos_domain, domain);
 178         unix_to_dos(dos_domain, True);
 179
 180         /* Create the structure needed for SAM logon. */
 181         init_id_info2(&ctr->auth.id2, dos_domain, 0, smb_userid_low, 0,
 182                 dos_username, dos_wksta_name,
 183                 (const uchar *)lm_chal, (const uchar *)lm_chal_resp, lm_chal_resp ? 24 : 0,
 184                 (const uchar *)nt_chal_resp, nt_chal_resp ? 24 : 0 );
 185
 186         /* Send client sam-logon request - update credentials on success. */
 187         return cli_net_sam_logon(cli, ctr, user_info3);
 188 }
 189
 190 /****************************************************************************
 191 NT Logoff.
 192 ****************************************************************************/
 193 BOOL cli_nt_logoff(struct cli_state *cli, NET_ID_INFO_CTR *ctr)
 194 {
 195   DEBUG(5,("cli_nt_logoff: %d\n", __LINE__));
 196
 197   /* Send client sam-logoff request - update credentials on success. */
 198   return cli_net_sam_logoff(cli, ctr);
 199 }