2 Unix SMB/CIFS implementation.
3 NT Domain Authentication SMB / MSRPC client
4 Copyright (C) Andrew Tridgell 1994-1997
5 Copyright (C) Luke Kenneth Casson Leighton 1996-1997
6 Copyright (C) Jeremy Allison 1999.
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
25 extern fstring global_myworkgroup;
26 extern pstring global_myname;
28 /****************************************************************************
29 Initialize domain session credentials.
30 ****************************************************************************/
32 NTSTATUS cli_nt_setup_creds(struct cli_state *cli, unsigned char mach_pwd[16])
40 /******************* Request Challenge ********************/
42 generate_random_buffer( clnt_chal.data, 8, False);
44 /* send a client challenge; receive a server challenge */
45 if (!cli_net_req_chal(cli, &clnt_chal, &srv_chal))
47 DEBUG(0,("cli_nt_setup_creds: request challenge failed\n"));
48 return NT_STATUS_UNSUCCESSFUL;
51 /**************** Long-term Session key **************/
53 /* calculate the session key */
54 cred_session_key(&clnt_chal, &srv_chal, (char *)mach_pwd, cli->sess_key);
55 memset((char *)cli->sess_key+8, '\0', 8);
57 /******************* Authenticate 2 ********************/
59 /* calculate auth-2 credentials */
61 cred_create(cli->sess_key, &clnt_chal, zerotime, &(cli->clnt_cred.challenge));
64 * Send client auth-2 challenge.
65 * Receive an auth-2 challenge response and check it.
68 result = cli_net_auth2(cli, (lp_server_role() == ROLE_DOMAIN_MEMBER) ?
69 SEC_CHAN_WKSTA : SEC_CHAN_BDC, 0x000001ff, &srv_chal);
71 if (!NT_STATUS_IS_OK(result))
73 DEBUG(0,("cli_nt_setup_creds: auth2 challenge failed\n"));
80 /****************************************************************************
81 NT login - interactive.
82 *NEVER* use this code. This method of doing a logon (sending the cleartext
83 password equivalents, protected by the session key) is inherently insecure
84 given the current design of the NT Domain system. JRA.
85 ****************************************************************************/
86 NTSTATUS cli_nt_login_interactive(struct cli_state *cli, char *domain, char *username,
87 uint32 smb_userid_low, char *password,
88 NET_ID_INFO_CTR *ctr, NET_USER_INFO_3 *user_info3)
90 uchar lm_owf_user_pwd[16];
91 uchar nt_owf_user_pwd[16];
94 DEBUG(5,("cli_nt_login_interactive: %d\n", __LINE__));
96 nt_lm_owf_gen(password, nt_owf_user_pwd, lm_owf_user_pwd);
100 DEBUG(100,("nt owf of user password: "));
101 dump_data(100, (char *)lm_owf_user_pwd, 16);
103 DEBUG(100,("nt owf of user password: "));
104 dump_data(100, (char *)nt_owf_user_pwd, 16);
108 DEBUG(5,("cli_nt_login_interactive: %d\n", __LINE__));
110 /* indicate an "interactive" login */
111 ctr->switch_value = INTERACTIVE_LOGON_TYPE;
113 /* Create the structure needed for SAM logon. */
114 init_id_info1(&ctr->auth.id1, domain, 0,
116 username, cli->clnt_name_slash,
117 (char *)cli->sess_key, lm_owf_user_pwd, nt_owf_user_pwd);
119 /* Ensure we overwrite all the plaintext password
121 memset(lm_owf_user_pwd, '\0', sizeof(lm_owf_user_pwd));
122 memset(nt_owf_user_pwd, '\0', sizeof(nt_owf_user_pwd));
124 /* Send client sam-logon request - update credentials on success. */
125 ret = cli_net_sam_logon(cli, ctr, user_info3);
127 memset(ctr->auth.id1.lm_owf.data, '\0', sizeof(lm_owf_user_pwd));
128 memset(ctr->auth.id1.nt_owf.data, '\0', sizeof(nt_owf_user_pwd));
133 /****************************************************************************
135 *ALWAYS* use this call to validate a user as it does not expose plaintext
136 password equivalents over the network. JRA.
137 ****************************************************************************/
139 NTSTATUS cli_nt_login_network(struct cli_state *cli,
140 const auth_usersupplied_info *user_info,
142 uint32 smb_userid_low, NET_ID_INFO_CTR *ctr,
143 NET_USER_INFO_3 *user_info3)
145 DEBUG(5,("cli_nt_login_network: %d\n", __LINE__));
146 /* indicate a "network" login */
147 ctr->switch_value = NET_LOGON_TYPE;
149 /* Create the structure needed for SAM logon. */
150 init_id_info2(&ctr->auth.id2, user_info->domain.str, 0, smb_userid_low, 0,
151 user_info->smb_name.str,
152 /* Send our cleint's workstaion name if we have it, otherwise ours */
153 ((user_info->wksta_name.len > 0) ?
154 user_info->wksta_name.str :
155 cli->clnt_name_slash),
157 user_info->lm_resp.data, user_info->lm_resp.length,
158 user_info->nt_resp.data, user_info->nt_resp.length);
160 /* Send client sam-logon request - update credentials on success. */
161 return cli_net_sam_logon(cli, ctr, user_info3);
164 /****************************************************************************
166 ****************************************************************************/
167 BOOL cli_nt_logoff(struct cli_state *cli, NET_ID_INFO_CTR *ctr)
169 DEBUG(5,("cli_nt_logoff: %d\n", __LINE__));
171 /* Send client sam-logoff request - update credentials on success. */
172 return cli_net_sam_logoff(cli, ctr);