2 Unix SMB/Netbios implementation.
4 NT Domain Authentication SMB / MSRPC client
5 Copyright (C) Andrew Tridgell 1994-1997
6 Copyright (C) Luke Kenneth Casson Leighton 1996-1997
7 Copyright (C) Jeremy Allison 1999.
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 2 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
26 extern fstring global_myworkgroup
;
27 extern pstring global_myname
;
29 /****************************************************************************
30 Initialize domain session credentials.
31 ****************************************************************************/
33 NTSTATUS
cli_nt_setup_creds(struct cli_state
*cli
, unsigned char mach_pwd
[16])
41 /******************* Request Challenge ********************/
43 generate_random_buffer( clnt_chal
.data
, 8, False
);
45 /* Send a client challenge; receive a server challenge */
46 if (!cli_net_req_chal(cli
, &clnt_chal
, &srv_chal
)) {
47 DEBUG(0,("cli_nt_setup_creds: request challenge failed\n"));
48 return NT_STATUS_UNSUCCESSFUL
;
51 /**************** Long-term Session key **************/
53 /* calculate the session key */
54 cred_session_key(&clnt_chal
, &srv_chal
, (uchar
*)mach_pwd
, cli
->sess_key
);
55 memset((char *)cli
->sess_key
+8, '\0', 8);
57 /******************* Authenticate 2 ********************/
59 /* Calculate auth-2 credentials */
61 cred_create(cli
->sess_key
, &clnt_chal
, zerotime
, &(cli
->clnt_cred
.challenge
));
64 * Send client auth-2 challenge.
65 * Receive an auth-2 challenge response and check it.
68 result
= cli_net_auth2(cli
, (lp_server_role() == ROLE_DOMAIN_MEMBER
) ?
69 SEC_CHAN_WKSTA
: SEC_CHAN_BDC
, 0x000001ff, &srv_chal
);
71 if (!NT_STATUS_IS_OK(result
)) {
72 DEBUG(0,("cli_nt_setup_creds: auth2 challenge failed\n"));
79 /****************************************************************************
81 ****************************************************************************/
83 BOOL
cli_nt_srv_pwset(struct cli_state
*cli
, unsigned char *new_hashof_mach_pwd
)
85 unsigned char processed_new_pwd
[16];
87 DEBUG(5,("cli_nt_srv_pwset: %d\n", __LINE__
));
90 dump_data(6, (char *)new_hashof_mach_pwd
, 16);
93 /* Process the new password. */
94 cred_hash3( processed_new_pwd
, new_hashof_mach_pwd
, cli
->sess_key
, 1);
96 /* Send client srv_pwset challenge */
97 return cli_net_srv_pwset(cli
, processed_new_pwd
);
100 /****************************************************************************
101 NT login - interactive.
102 *NEVER* use this code. This method of doing a logon (sending the cleartext
103 password equivalents, protected by the session key) is inherently insecure
104 given the current design of the NT Domain system. JRA.
105 ****************************************************************************/
107 NTSTATUS
cli_nt_login_interactive(struct cli_state
*cli
, char *unix_domain
, char *unix_username
,
108 uint32 smb_userid_low
, char *unix_password
,
109 NET_ID_INFO_CTR
*ctr
, NET_USER_INFO_3
*user_info3
)
111 fstring dos_password
, dos_username
, dos_domain
;
112 uchar lm_owf_user_pwd
[16];
113 uchar nt_owf_user_pwd
[16];
116 DEBUG(5,("cli_nt_login_interactive: %d\n", __LINE__
));
118 fstrcpy(dos_password
, unix_password
);
119 unix_to_dos(dos_password
);
120 fstrcpy(dos_username
, unix_username
);
121 unix_to_dos(dos_username
);
122 fstrcpy(dos_domain
, unix_domain
);
123 unix_to_dos(dos_domain
);
125 nt_lm_owf_gen(dos_password
, nt_owf_user_pwd
, lm_owf_user_pwd
);
127 #ifdef DEBUG_PASSWORD
129 DEBUG(100,("nt owf of user password: "));
130 dump_data(100, (char *)lm_owf_user_pwd
, 16);
132 DEBUG(100,("nt owf of user password: "));
133 dump_data(100, (char *)nt_owf_user_pwd
, 16);
137 DEBUG(5,("cli_nt_login_interactive: %d\n", __LINE__
));
139 /* indicate an "interactive" login */
140 ctr
->switch_value
= INTERACTIVE_LOGON_TYPE
;
142 /* Create the structure needed for SAM logon. */
143 init_id_info1(&ctr
->auth
.id1
, dos_domain
, 0,
145 dos_username
, cli
->clnt_name_slash
,
146 (char *)cli
->sess_key
, lm_owf_user_pwd
, nt_owf_user_pwd
);
148 /* Ensure we overwrite all the plaintext password equivalents. */
149 memset(lm_owf_user_pwd
, '\0', sizeof(lm_owf_user_pwd
));
150 memset(nt_owf_user_pwd
, '\0', sizeof(nt_owf_user_pwd
));
152 /* Send client sam-logon request - update credentials on success. */
153 ret
= cli_net_sam_logon(cli
, ctr
, user_info3
);
155 memset(ctr
->auth
.id1
.lm_owf
.data
, '\0', sizeof(lm_owf_user_pwd
));
156 memset(ctr
->auth
.id1
.nt_owf
.data
, '\0', sizeof(nt_owf_user_pwd
));
161 /****************************************************************************
163 *ALWAYS* use this call to validate a user as it does not expose plaintext
164 password equivalents over the network. JRA.
165 ****************************************************************************/
167 NTSTATUS
cli_nt_login_network(struct cli_state
*cli
, char *unix_domain
, char *unix_username
,
168 uint32 smb_userid_low
, const char lm_chal
[8],
169 const char *lm_chal_resp
, const char *nt_chal_resp
,
170 NET_ID_INFO_CTR
*ctr
, NET_USER_INFO_3
*user_info3
)
172 fstring dos_wksta_name
, dos_username
, dos_domain
;
173 DEBUG(5,("cli_nt_login_network: %d\n", __LINE__
));
174 /* indicate a "network" login */
175 ctr
->switch_value
= NET_LOGON_TYPE
;
177 fstrcpy(dos_wksta_name
, cli
->clnt_name_slash
);
178 unix_to_dos(dos_wksta_name
);
180 fstrcpy(dos_username
, unix_username
);
181 unix_to_dos(dos_username
);
183 fstrcpy(dos_domain
, unix_domain
);
184 unix_to_dos(dos_domain
);
186 /* Create the structure needed for SAM logon. */
187 init_id_info2(&ctr
->auth
.id2
, dos_domain
, 0, smb_userid_low
, 0,
188 dos_username
, dos_wksta_name
,
189 (const uchar
*)lm_chal
, (const uchar
*)lm_chal_resp
, lm_chal_resp
? 24 : 0,
190 (const uchar
*)nt_chal_resp
, nt_chal_resp
? 24 : 0 );
192 /* Send client sam-logon request - update credentials on success. */
193 return cli_net_sam_logon(cli
, ctr
, user_info3
);
196 /****************************************************************************
198 ****************************************************************************/
200 BOOL
cli_nt_logoff(struct cli_state
*cli
, NET_ID_INFO_CTR
*ctr
)
202 DEBUG(5,("cli_nt_logoff: %d\n", __LINE__
));
204 /* Send client sam-logoff request - update credentials on success. */
205 return cli_net_sam_logoff(cli
, ctr
);