NTDOMAIN.txt:

	describes how to set up samba as an NT PDC.  it includes debugging
	assisting info.  it is expected that this document turn into a
	user's document, rather than a debugger's document.

cifsntdomain.txt :

	this is the "NT Domain Authentication (draft)" white paper, current
	version.  if anyone think it's a bad idea to put a copy of this in
	here, i'm quite happy to remove it.
(This used to be commit 8964b0ad56804b119d39ed3a72a6cf0fb578a22e)

2 files changed, 1186 insertions, 0 deletions

diff --git a/docs/textdocs/NTDOMAIN.txt b/docs/textdocs/NTDOMAIN.txt
new file mode 100644
index 0000000000..f0a43b6ba5
--- /dev/null
+++ b/docs/textdocs/NTDOMAIN.txt
@@ -0,0 +1,127 @@
+Contributor:	Luke Kenneth Casson Leighton
+Created:	October 20, 1997
+Updated:	October 20, 1997
+
+Subject:	NT Domain Logons
+===========================================================================
+
+As of 1.9.18alpha1, Samba supports logins for NT 4.0 Workstations, without
+the need, use or intervention of NT 4.0 Server.  This document describes
+how to set this up.  Over the continued development of the 1.9.18alpha
+series, this process (and therefore this document) should become simpler.
+
+The support is still experimental, so should be used at your own risk.
+
+NT is not as robust as you might have been led to believe: during the
+development of the Domain Logon Support, one person reported having to
+reinstall NT from scratch: their workstation had become totally unuseable.
+
+This *has* been reported to the NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM digest.
+
+
+Domain Logons using 1.9.18alpha1
+================================
+
+1) compile samba with -DNTDOMAIN
+
+2) carry out the following unix commands:
+
+	touch /tmp/netlogon
+	touch /tmp/srvsvc
+	chmod 666 /tmp/netlogon
+	chmod 666 /tmp/srvsvc
+
+3) set up samba with encrypted passwords: see ENCRYPTION.txt (probably out
+   of date: you no longer need the DES libraries, but other than that,
+   ENCRYPTION.txt is current).
+
+4) for each workstation, add a line to smbpasswd with a username of MACHINE$
+   and a password of "machine".  this process will be automated in further
+   releases.
+
+5) if using NT server to log in, run the User Manager for Domains, and
+   add the capability to "Log in Locally" to the policies.
+
+6) set up the following parameters in smb.conf
+
+;	substitute your workgroup here
+	workgroup = SAMBA
+
+;	a description of domain sids can be found elsewhere.
+	domain sid = S-1-5-21-123-456-789-123
+
+;	tells workstations to use SAMBA as its Primary Domain Controller.
+	domain logons = yes
+
+7) make sure samba is running before the next step is carried out.  if
+   this is your first time, just for fun you might like to switch the
+   debug log level to about 10.  the NT pipes produces some very pretty
+   output when decoding requests and generating responses, which would
+   be particularly useful to see in tcpdump at some point.
+
+8) In the NT Network Settings, change the domain to SAMBA.  Do
+   not attempt to create an account using the other part of the dialog:
+   it will fail at present.
+
+   You should get a wonderful message saying "Welcome to the SAMBA Domain."
+
+   If you don't, then please first increase your debug log levels and also
+   get a tcpdump (or preferably NetMonitor) trace and examine it carefully.
+   You should see a NETLOGON, a SAMLOGON on UDP port 138.  If you don't,
+   then you probably don't have "domain logons = yes" or there is some other
+   problem in resolving the NetBIOS name SAMBA<1c>.
+
+   On port 139, you should see a LSA_OPEN_POLICY, two LSA_QUERY_INFOs (one
+   for a domain SID of S-1-3... and another for S-1-5) and then an LSA_CLOSE
+   or two.  If when you get a connection to the SMB pipe NETLOGON, if /netlogon
+   access is refused, then you probably haven't granted the correct access
+   permissions on the /tmp/netlogon file.  Likewise for the srvsvc file.
+
+   You may see a pipe connection to a wksta service being refused: this
+   is acceptable, we have found.  You may also see a "Net Server Get Info"
+   being issued on the srvsvc pipe.
+
+   Assuming you got the Welcome message, go through the obligatory reboot...
+
+9) When pressing Ctrl-Alt-Delete, the NT login box should have three entries.
+   If there is a delay of about twenty seconds between pressing Ctrl-Alt-Delete
+   and the appearance of this login dialog, then there might be a problem:
+   at this stage the workstation is issuing an LSA_ENUMTRUSTEDDOMAIN request
+
+   The domain box should have two entries: the hostname and the SAMBA domain.
+   Any local accounts are under the hostname domain, from which you will be
+   able to shut down the machine etc.  At present, we do not specify that
+   the NT user logging in is a member of any groups, so will have no
+   priveleges, including the ability to shut down the machine.
+   
+   Select the SAMBA domain, and type in a valid username and password for
+   which there is a valid entry in the samba server's smbpasswd LM/NT OWF
+   database.
+
+   You should see an LSA_REQ_CHAL, followed by LSA_AUTH2, LSA_NET_SRV_PWSET,
+   and LSA_SAM_LOGON.  The SAM Logon will be particularly large (the response
+   can be approximately 600 bytes) as it contains user info.
+
+   Also, there will probably be a "Net Server Get Info" and a "Net Share Enum"
+   amongst this lot.  If the SAM Logon is successful, the dialog should
+   disappear, and a standard SMB connection established to download the
+   profile specified in the SAM Logon (if it was).
+
+   At this point, you _may_ encounter difficulties in creating a remote
+   profile, and the login may terminate (generating an LSA_SAM_LOGOFF).  If
+   this occurs, then either find an existing profile on the samba server and
+   copy it into the location specified by the "logon path" smb.conf parameter
+   for the user logging in, or log in on the local machine, and use the
+   System | Profiles control panel to make a copy of the _local_ profile onto
+   the samba server.
+
+10) Play around.  Look at the Samba Server: see if it can be found in the
+   browse lists.  Check that it is accessible; run some applications.
+   Generally stress things.  Laugh a lot.  Logout of the NT machine
+   (generating an LSA_SAM_LOGOFF) and log back in again.  Try logging in
+   two users simultaneously.  Try logging the same user in twice.
+   Make Samba fall over, and then send bug reports to us, with NTDOM: at
+   the start of the subject line, as "samba-bugs@samba.anu.edu.au".
+
+Your reports, testing, patches and criticism will help us get this right.
+
diff --git a/docs/textdocs/cifsntdomain.txt b/docs/textdocs/cifsntdomain.txt
new file mode 100644
index 0000000000..1a3b1c429f
--- /dev/null
+++ b/docs/textdocs/cifsntdomain.txt
@@ -0,0 +1,1059 @@
+NT Domain Authentication
+------------------------
+
+Authors:	- Luke Kenneth Casson Leighton (lkcl@switchboard.net)
+		- Paul Ashton                  (paul@argo.demon.co.uk)
+
+Version:		0.017 (20oct97)
+
+Distribution:	Unlimited and encouraged, for the purposes of implementation
+		and comments.  Feedback welcomed by the authors.
+
+Liability:	Absolutely none accepted implicitly or explicitly, direct
+		or consequentially, for use, abuse, misuse, lack of use,
+		misunderstandings, mistakes, omissions, mis-information for
+		anything in or not in, related to or pertaining to this
+		document or anything else that a lawyer can think of or not
+		think of.
+
+Warning:	Please bear in mind that an incorrect implementation of this
+		protocol can cause NT workstation to fail irrevocably, for
+		which the authors accept no liability (see above).  Please
+		contact your vendor if you have any problems.
+
+Sources:	- Packet Traces from Netmonitor (Service Pack 1 and above)
+		- Paul Ashton and Luke Leighton's other "NT Domain" doc.
+		- CIFS documentation - cifs6.txt
+		- CIFS documentation - cifsrap2.txt
+
+Original:	http://mailhost.cb1.com/~lkcl/cifsntdomain.txt.
+		(Controlled copy maintained by lkcl@switchboard.net)
+
+Credits:	- Paul Ashton: loads of work with Net Monitor; 
+		  understanding the NT authentication system;
+		  reference implementation of the NT domain support on which
+		  this document is originally based.
+		- Linus Nordberg: producing c-code from Paul's crypto spec.
+		- Windows Sourcer development team
+
+Contents:
+
+1) Introduction
+
+2) Structures and notes
+
+   2.1) Notes
+   2.2) Structures
+
+3) Transact Named Pipe Header/Tail
+
+   3.1) Header
+   3.2) Tail
+
+4) NTLSA Transact Named Pipe
+
+   4.1) LSA Open Policy
+   4.2) LSA Query Info Policy
+   4.3) LSA Enumerate Trusted Domains
+   4.4) LSA Open Secret
+   4.5) LSA Close
+   4.6) LSA Lookup SIDS
+   4.7) LSA Lookup Names
+
+5) NETLOGON rpc Transact Named Pipe
+
+   5.1) LSA Request Challenge
+   5.2) LSA Authenticate 2
+   5.3) LSA Server Password Set
+   5.4) LSA SAM Logon
+   5.5) LSA SAM Logoff
+
+6) \\MAILSLOT\NET\NTLOGON
+
+   6.1) Query for PDC
+   6.2) SAM Logon
+
+7) SRVSVC Transact Named Pipe
+
+   7.1) Net Share Enum
+   7.2) Net Server Get Info
+
+Appendix:
+
+A1) Cryptographic side of NT Domain Authentication
+
+
+
+1) Introduction
+---------------
+
+
+This document contains information to provide an NT workstation with login
+services, without the need for an NT server.
+
+It should be possible to select a domain instead of a workgroup (in the NT
+workstation's TCP/IP settings) and after the obligatory reboot, type in a
+username, password, select a domain and successfully log in.  I would
+appreciate any feedback on your experiences with this process, and any
+comments, corrections and additions to this document.
+
+
+The packets described here can be easily derived from (and are probably
+better understood using) Netmon.exe.  You will need to use the version
+of Netmon that matches your system, in order to correctly decode the
+NETLOGON, lsarpc and srvsvc Transact pipes.  This document is derived from
+NT Service Pack 1 and its corresponding version of Netmon.  It is intended
+that an annotated packet trace be produced, which will likely be more
+instructive than this document.
+
+Also needed, to fully implement NT Domain Login Services, is the 
+document describing the cryptographic part of the NT authentication.
+This document is available from comp.protocols.smb; from the ntsecurity.net
+digest and from the samba digest, amongst other sources.
+
+A copy is available from:
+
+http://ntbugtraq.rc.on.ca/SCRIPTS/WA.EXE?A2=ind9708&L=ntbugtraq&O=A&P=2935
+http://mailhost.cb1.com/~lkcl/crypt.html
+
+
+A c-code implementation, provided by Linus Nordberg <linus@incolumitas.se>
+of this protocol is available from:
+
+http://samba.anu.edu.au/cgi-bin/mfs/01/digest/1997/97aug/0391.html
+http://mailhost.cb1.com/~lkcl/crypt.txt
+
+
+Also used to provide debugging information is the Check Build version of
+NT workstation, and enabling full debugging in NETLOGON.  This is
+achieved by setting the following REG_SZ registry key to 0x1ffffff:
+
+HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
+
+- Incorrect direct editing of the registry can cause your machine to fail.
+  Then again, so can incorrect implementation of this protocol.
+  See "Liability:" above.
+
+
+Bear in mind that each packet over-the-wire will have its origin in an
+API call.  Therefore, there are likely to be structures, enumerations
+and defines that are usefully documented elsewhere.
+
+
+This document is by no means complete or authoritative.  Missing sections
+include, but are not limited to:
+
+- the meaning (and use by NT) of SIDs and RIDs.
+
+- mappings of RIDs to usernames (and vice-versa).
+
+- what a User ID is and what a Group ID is.
+
+- the exact meaning/definition of various magic constants or enumerations.
+
+- the reply error code and use of that error code when a workstation
+  becomes a member of a domain (to be described later).  Failure to
+  return this error code will make the workstation report that it is
+  already a member of the domain.
+
+- the cryptographic side of the NetrServerPasswordSet command, which would
+  allow the workstation to change its password.  This password is used to
+  generate the long-term session key.  [It is possible to reject this
+  command, and keep the default workstation password].
+   
+
+2) Notes and Structures
+-----------------------
+
+
+2.1) Notes
+----------
+
+- In the SMB Transact pipes, some "Structures", described here, appear to be
+  4-byte aligned with the SMB header, at their start.  Exactly which
+  "Structures" need aligning is not precisely known or documented.
+
+- In the UDP NTLOGON Mailslots, some "Structures", described here, appear to be
+  2-byte aligned with the start of the mailslot, at their start.
+
+- Domain SID is of the format S-revision-version-auth1-auth2...authN.
+  e.g S-1-5-123-456-789-123-456.  the 5 could be a sub-revision.
+
+- any undocumented buffer pointers must be non-zero if the string buffer it
+  refers to contains characters.  exactly what value they should be is unknown.
+  0x0000 0002 seems to do the trick to indicate that the buffer exists.  a
+  NULL buffer pointer indicates that the string buffer is of zero length.
+  If the buffer pointer is NULL, then it is suspected that the structure it
+  refers to is NOT put into (or taken out of) the SMB data stream.  This is
+  empirically derived from, for example, the LSA SAM Logon response packet,
+  where if the buffer pointer is NULL, the user information is not inserted
+  into the data stream.  Exactly what happens with an array of buffer pointers
+  is not known, although an educated guess can be made.
+
+- an array of structures (a container) appears to have a count and a pointer.
+  if the count is zero, the pointer is also zero.  no further data is put
+  into or taken out of the SMB data stream.  if the count is non-zero, then
+  the pointer is also non-zero.  immediately following the pointer is the
+  count again, followed by an array of container sub-structures.  the count
+  appears a third time after the last sub-structure.
+
+  
+
+2.2) Structures
+---------------
+
+- sizeof VOID* is 32 bits.
+
+- sizeof char is 8 bits.
+
+- UTIME is 32 bits, indicating time in seconds since 01jan1970.  documented
+  in cifs6.txt (section 3.5 page, page 30).
+
+- NTTIME is 64 bits.  documented in cifs6.txt (section 3.5 page, page 30).
+
+- DOM_SID (domain SID structure) :
+
+        UINT32             num of sub-authorities in domain SID
+        UINT8              SID revision number
+        UINT8              num of sub-authorities in domain SID
+        UINT8[6]           6 bytes for domain SID - Identifier Authority.
+        UINT16[n_subauths] domain SID sub-authorities
+
+  Note: the domain SID is documented elsewhere.
+
+- STR (string) :
+
+        char[]             null-terminated string of ascii characters.
+
+- UNIHDR (unicode string header) :
+
+        UINT16             length of unicode string
+        UINT16             max length of unicode string
+        UINT32             4 - undocumented.
+   
+- UNIHDR2 (unicode string header plus buffer pointer) :
+
+        UNIHDR             unicode string header
+        VOID*              undocumented buffer pointer
+
+- UNISTR (unicode string) :
+
+        UINT16[]           null-terminated string of unicode characters.
+
+- NAME (length-indicated unicode string) :
+
+        UINT32             length of unicode string
+        UINT16[]           null-terminated string of unicode characters.
+
+- UNISTR2 (aligned unicode string) :
+
+        UINT8[]            padding to get unicode string 4-byte aligned
+                           with the start of the SMB header.
+        UINT32             max length of unicode string
+        UINT32             0 - undocumented
+        UINT32             length of unicode string
+        UINT16[]           string of uncode characters.
+
+- POL_HND (LSA policy handle) :
+
+    char[20]           policy handle
+
+- DOM_SID2 (domain SID structure, SIDS stored in unicode) :
+
+        UINT32             5 - SID type
+        UINT32             0 - undocumented
+        UNIHDR2            domain SID unicode string header
+        UNISTR             domain SID unicode string
+
+  Note:	there is a conflict between the unicode string header and the
+	unicode string itself as to which to use to indicate string
+	length.  this will need to be resolved.
+
+  Note:	the SID type indicates, for example, an alias; a well-known group etc.
+	this is documented somewhere.
+
+- DOM_RID (domain RID structure) :
+
+        UINT32             5 - well-known SID.  1 - user SID (see ShowACLs)
+        UINT32             5 - undocumented
+        UINT32             domain RID 
+        UINT32             0 - domain index out of above reference domains
+        
+
+- LOG_INFO (server, account, client structure) :
+
+  Note:	logon server name starts with two '\' characters and is upper case.
+
+  Note:	account name is the logon client name from the LSA Request Challenge,
+	with a $ on the end of it, in upper case.
+
+        VOID*       undocumented buffer pointer
+        UNISTR2     logon server unicode string
+        UNISTR2     account name unicode string
+        UINT16      sec_chan - security channel type
+        UNISTR2     logon client machine unicode string
+
+- CLNT_SRV (server, client names structure) :
+
+  Note:	logon server name starts with two '\' characters and is upper case.
+
+        VOID*       undocumented buffer pointer
+        UNISTR2     logon server unicode string
+        VOID*       undocumented buffer pointer
+        UNISTR2     logon client machine unicode string
+
+- CREDS (credentials + time stamp)
+
+        char[8]     credentials
+        UTIME       time stamp
+    
+- CLNT_INFO2 (server, client structure, client credentials) :
+
+  Note: whenever this structure appears in a request, you must take a copy
+	of the client-calculated credentials received, because they will be
+	used in subsequent credential checks.  the presumed intention is to
+	maintain an authenticated request/response trail.
+        
+        CLNT_SRV     client and server names
+        UINT8[]      ???? padding, for 4-byte alignment with SMB header.
+        VOID*        pointer to client credentials.
+        CREDS        client-calculated credentials + client time
+
+- CLNT_INFO (server, account, client structure, client credentials) :
+
+  Note: whenever this structure appears in a request, you must take a copy
+	of the client-calculated credentials received, because they will be
+	used in subsequent credential checks.  the presumed intention is to
+	maintain an authenticated request/response trail.
+        
+        LOG_INFO    logon account info
+        CREDS       client-calculated credentials + client time
+
+- ID_INFO_1 (id info structure, auth level 1) :
+
+    VOID*         ptr_id_info_1
+    UNIHDR        domain name unicode header
+    UINT32        param control
+    UINT64        logon ID
+    UNIHDR        user name unicode header
+    UNIHDR        workgroup name unicode header
+    char[16]      rc4 LM OWF Password
+    char[16]      rc4 NT OWF Password
+    UNISTR2       domain name unicode string
+    UNISTR2       user name unicode string
+    UNISTR2       workgroup name unicode string
+
+- SAM_INFO (sam logon/logoff id info structure) :
+
+        CLNT_INFO2  client identification/authentication info
+        VOID*       pointer to return credentials.
+        CRED        return credentials - ignored.
+        UINT16      logon level
+        UINT16      switch value
+
+        switch (switch_value)
+        case 1:
+        {
+            ID_INFO_1     id_info_1;
+        }
+
+- GID (group id info) :
+
+        UINT32      group id
+        UINT32      user attributes (only used by NT 3.1 and 3.51)
+
+- DOM_REF (domain reference info) :
+
+        VOID*                    undocumented buffer pointer.
+        UINT32                   num referenced domains?
+        VOID*                    undocumented domain name buffer pointer.
+        UINT32                   32 - max number of entries
+        UINT32                   4 - num referenced domains?
+
+        UNIHDR2                  domain name unicode string header
+        UNIHDR2[num_ref_doms-1]  referenced domain unicode string headers
+
+        UNISTR                   domain name unicode string
+        DOM_SID[num_ref_doms]    referenced domain SIDs
+
+- DOM_INFO (domain info, levels 3 and 5 are the same)) :
+
+        UINT8[]     ??? padding to get 4-byte alignment with start of SMB header
+        UINT16      domain name string length * 2
+        UINT16      domain name string length * 2
+        VOID*       undocumented domain name string buffer pointer
+        VOID*       undocumented domain SID string buffer pointer
+        UNISTR2     domain name (unicode string)
+        DOM_SID     domain SID
+
+- USER_INFO (user logon info) :
+
+        NTTIME            logon time
+        NTTIME            logoff time
+        NTTIME            kickoff time
+        NTTIME            password last set time
+        NTTIME            password can change time
+        NTTIME            password must change time
+
+        UNIHDR            username unicode string header
+        UNIHDR            user's full name unicode string header
+        UNIHDR            logon script unicode string header
+        UNIHDR            profile path unicode string header
+        UNIHDR            home directory unicode string header
+        UNIHDR            home directory drive unicode string header
+
+        UINT16            logon count
+        UINT16            bad password count
+
+        UINT32            User ID
+        UINT32            Group ID
+        UINT32            num groups
+        VOID*             undocumented buffer pointer to groups.
+
+        UINT32            user flags
+        char[16]          unused user session key
+
+        UNIHDR            logon server unicode string header
+        UNIHDR            logon domain unicode string header
+        VOID*             undocumented logon domain id pointer
+        char[40]          40 undocumented padding bytes.  future expansion?
+
+        UINT32            0 - num_other_sids?
+        VOID*             NULL - undocumented pointer to other domain SIDs.
+        
+        UNISTR2           username unicode string
+        UNISTR2           user's full name unicode string
+        UNISTR2           logon script unicode string
+        UNISTR2           profile path unicode string
+        UNISTR2           home directory unicode string
+        UNISTR2           home directory drive unicode string
+
+        UINT32            num groups
+        GID[num_groups]   group info
+
+        UNISTR2           logon server unicode string
+        UNISTR2           logon domain unicode string
+
+        DOM_SID           domain SID
+        DOM_SID[num_sids] other domain SIDs?
+
+- SH_INFO_1_PTR (pointers to level 1 share info strings):
+
+Note:	see cifsrap2.txt section5, page 10.
+
+	0 for shi1_type indicates a  Disk.
+	1 for shi1_type indicates a  Print Queue.
+	2 for shi1_type indicates a  Device.
+	3 for shi1_type indicates an IPC pipe.
+	0x8000 0000 (top bit set in shi1_type) indicates a hidden share.
+
+        VOID*        shi1_netname - pointer to net name
+        UINT32       shi1_type    - type of share.  0 - undocumented.
+        VOID*        shi1_remark  - pointer to comment.
+
+- SH_INFO_1_STR (level 1 share info strings) :
+
+        UNISTR2      shi1_netname - unicode string of net name
+        UNISTR2      shi1_remark  - unicode string of comment.
+
+- SHARE_INFO_1_CTR :
+
+    share container with 0 entries:
+
+        UINT32        0 - EntriesRead
+        UINT32        0 - Buffer
+
+    share container with > 0 entries:
+
+        UINT32                      EntriesRead
+        UINT32                      non-zero - Buffer
+        UINT32                      EntriesRead
+
+        SH_INFO_1_PTR[EntriesRead]  share entry pointers
+        SH_INFO_1_STR[EntriesRead]  share entry strings
+
+        UINT8[]                     padding to get unicode string 4-byte
+                                    aligned with start of the SMB header.
+        UINT32                      EntriesRead
+    	UINT32                      0 - padding
+
+- SERVER_INFO_101 :
+
+Note:	see cifs6.txt section 6.4 - the fields described therein will be
+	of assistance here.  for example, the type listed below is the
+	same as fServerType, which is described in 6.4.1.
+
+	SV_TYPE_WORKSTATION        0x00000001  All workstations
+	SV_TYPE_SERVER             0x00000002  All servers
+	SV_TYPE_SQLSERVER          0x00000004  Any server running with SQL
+	                                       server
+	SV_TYPE_DOMAIN_CTRL        0x00000008  Primary domain controller
+	SV_TYPE_DOMAIN_BAKCTRL     0x00000010  Backup domain controller
+	SV_TYPE_TIME_SOURCE        0x00000020  Server running the timesource
+					       service
+	SV_TYPE_AFP                0x00000040  Apple File Protocol servers
+	SV_TYPE_NOVELL             0x00000080  Novell servers
+	SV_TYPE_DOMAIN_MEMBER      0x00000100  Domain Member
+	SV_TYPE_PRINTQ_SERVER      0x00000200  Server sharing print queue
+	SV_TYPE_DIALIN_SERVER      0x00000400  Server running dialin service.
+	SV_TYPE_XENIX_SERVER       0x00000800  Xenix server
+	SV_TYPE_NT                 0x00001000  NT server
+	SV_TYPE_WFW                0x00002000  Server running Windows for
+
+	SV_TYPE_SERVER_NT          0x00008000  Windows NT non DC server
+	SV_TYPE_POTENTIAL_BROWSER  0x00010000  Server that can run the browser
+	                                       service
+	SV_TYPE_BACKUP_BROWSER     0x00020000  Backup browser server
+	SV_TYPE_MASTER_BROWSER     0x00040000  Master browser server
+	SV_TYPE_DOMAIN_MASTER      0x00080000  Domain Master Browser server
+	SV_TYPE_LOCAL_LIST_ONLY    0x40000000  Enumerate only entries marked
+	                                       "local"
+	SV_TYPE_DOMAIN_ENUM        0x80000000  Enumerate Domains. The pszServer
+	                                       and pszDomain parameters must be
+	                                       NULL.
+
+        UINT32        500 - platform_id
+        VOID*         pointer to name
+        UINT32        5 - major version
+        UINT32        4 - minor version
+        UINT32        type (SV_TYPE_... bit field)
+        VOID*         pointer to comment
+
+        UNISTR2       sv101_name - unicode string of server name
+        UNISTR2       sv_101_comment  - unicode string of server comment.
+
+        UINT8[]       padding to get unicode string 4-byte
+                      aligned with start of the SMB header.
+
+
+
+3) Transact Named Pipe Header/Tail
+----------------------------------
+
+Interesting note: if you set packed data representation to 0x0100 0000 then
+all 4-byte and 2-byte word ordering is turned around.
+
+3.1) Header
+-----------
+
+The start of each of the NTLSA and NETLOGON named pipes begins with:
+
+00  UINT8         5 - RPC major version
+01  UINT8         0 - RPC minor version
+02  UINT8         2 - RPC response packet
+03  UINT8         3 - first frag + last frag
+04  UINT32        0x1000 0000 - packed data representation
+08  UINT16        fragment length - data size (bytes) inc header and tail.
+0A  UINT16        0 - authentication length 
+0C  UINT32        call identifier.  matches 12th UINT32 of incoming RPC data.
+10  UINT32        allocation hint - data size (bytes) minus header and tail.
+14  UINT16        0 - presentation context identifier
+16  UINT8         0 - cancel count
+17  UINT8         0 - reserved
+18  ......        start of data (goes on for allocation_hint bytes)
+
+
+3.2 Tail
+--------
+
+The end of each of the NTLSA and NETLOGON named pipes ends with:
+
+    ......        end of data
+    UINT32        return code
+
+
+
+4) NTLSA Transact Named Pipe
+----------------------------
+        
+Defines for this pipe, identifying the query are:
+
+- LSA Open Policy:               0x2c
+- LSA Query Info Policy:         0x07
+- LSA Enumerate Trusted Domains: 0x0d
+- LSA Open Secret:               0xff
+- LSA Lookup SIDs:               0xfe
+- LSA Lookup Names:              0xfd
+- LSA Close:                     0x00
+
+
+4.1) LSA Open Policy
+--------------------
+
+Note:	The policy handle can be anything you like.
+
+Request:
+
+    no extra data.
+
+Response:
+
+    POL_HND   LSA policy handle
+
+    return    0 - indicates success
+
+
+4.2) LSA Query Info Policy
+--------------------------
+
+Note:	The info class in response must be the same as that in the request.
+
+Request:
+
+    POL_HND   LSA policy handle
+    UINT16    info class (also a policy handle?)
+
+Response:
+
+    VOID*     undocumented buffer pointer
+    UINT16    info class (same as info class in request).
+    
+    switch (info class)
+    case 3:
+    case 5:
+    {
+        DOM_INFO domain info, levels 3 and 5 (are the same).
+    }
+
+    return    0 - indicates success
+
+
+4.3) LSA Enumerate Trusted Domains
+----------------------------------
+
+Request:
+
+    no extra data
+
+Response:
+
+    UINT32     0 - enumeration context
+    UINT32     0 - entries read
+    UINT32     0 - trust information
+
+    return     0x8000 001a - "no trusted domains" success code
+
+
+4.4) LSA Open Secret
+--------------------
+
+Request:
+
+    no extra data
+
+Response:
+
+    UINT32    0 - undocumented
+    UINT32    0 - undocumented
+    UINT32    0 - undocumented
+    UINT32    0 - undocumented
+    UINT32    0 - undocumented
+
+    return    0x0C00 0034 - "no such secret" success code
+
+
+4.5) LSA Close
+--------------
+
+Request:
+
+    no extra data
+
+Response:
+
+    UINT32    0 - undocumented
+    UINT32    0 - undocumented
+    UINT32    0 - undocumented
+    UINT32    0 - undocumented
+    UINT32    0 - undocumented
+
+    return    0 - indicates success
+
+
+4.6) LSA Lookup SIDS
+--------------------
+
+Note:	num_entries in response must be same as num_entries in request.
+
+Request:
+
+    POL_HND            LSA policy handle
+    UINT32             num_entries
+    VOID*              undocumented domain SID buffer pointer
+    VOID*              undocumented domain name buffer pointer
+    VOID*[num_entries] undocumented domain SID pointers to be looked up.
+    DOM_SID[num_entries] domain SIDs to be looked up.
+    char[16]           completely undocumented 16 bytes.
+
+Response:
+
+    DOM_REF               domain reference response
+
+    UINT32                num_entries (listed above)
+    VOID*                 undocumented buffer pointer
+
+    UINT32                num_entries (listed above)
+    DOM_SID2[num_entries] domain SIDs (from Request, listed above).
+
+    UINT32                num_entries (listed above)
+
+    return                0 - indicates success
+
+
+4.7) LSA Lookup Names
+---------------------
+
+Note:	num_entries in response must be same as num_entries in request.
+
+Request:
+
+    POL_HND            LSA policy handle
+    UINT32             num_entries
+    UINT32             num_entries
+    VOID*              undocumented domain SID buffer pointer
+    VOID*              undocumented domain name buffer pointer
+    NAME[num_entries]  names to be looked up.
+    char[]             undocumented bytes - falsely translated SID structure?
+
+Response:
+
+    DOM_REF               domain reference response
+
+    UINT32                num_entries (listed above)
+    VOID*                 undocumented buffer pointer
+
+    UINT32                num_entries (listed above)
+    DOM_RID[num_entries]  domain SIDs (from Request, listed above).
+
+    UINT32                num_entries (listed above)
+
+    return                0 - indicates success
+
+
+
+5) NETLOGON rpc Transact Named Pipe
+-----------------------------------
+
+Defines for this pipe, identifying the query are:
+
+- LSA Request Challenge:         0x04
+- LSA Server Password Set:       0x06
+- LSA SAM Logon:                 0x02
+- LSA SAM Logoff:                0xfc
+- LSA Auth 2:                    0x0f
+- LSA Logon Control:             0x0e
+
+
+5.1) LSA Request Challenge
+--------------------------
+
+Note:	logon server name starts with two '\' characters and is upper case.
+
+Note:	logon client is the machine, not the user.
+
+Note:	the initial LanManager password hash, against which the challenge
+	is issued, is the machine name itself (lower case).  there will be
+	calls issued (LSA Server Password Set) which will change this, later.
+	refusing these calls allows you to always deal with the same password
+	(i.e the LM# of the machine name in lower case).
+
+Request:
+
+    VOID*       undocumented buffer pointer
+    UNISTR2     logon server unicode string
+    UNISTR2     logon client unicode string
+    char[8]     client challenge
+
+Response:
+
+    char[8]     server challenge
+
+    return    0 - indicates success
+
+
+
+5.2) LSA Authenticate 2
+-----------------------
+
+Note:	in between request and response, calculate the client credentials,
+	and check them against the client-calculated credentials (this
+	process uses the previously received client credentials).
+
+Note:	neg_flags in the response is the same as that in the request.
+
+Note:	you must take a copy of the client-calculated credentials received
+	here, because they will be used in subsequent authentication packets.
+
+Request:
+
+    LOG_INFO    client identification info
+
+    char[8]     client-calculated credentials
+    UINT8[]     padding to 4-byte align with start of SMB header.
+    UINT32      neg_flags - negotiated flags (usual value is 0x0000 01ff)
+
+Response:
+
+    char[8]     server credentials.
+    UINT32      neg_flags - same as neg_flags in request.
+
+    return    0 - indicates success.  failure value unknown.
+
+
+5.3) LSA Server Password Set
+----------------------------
+
+Note:	the new password is suspected to be a DES encryption using the old
+	password to generate the key.
+
+Note:	in between request and response, calculate the client credentials,
+	and check them against the client-calculated credentials (this
+	process uses the previously received client credentials).
+
+Note:	the server credentials are constructed from the client-calculated
+	credentials and the client time + 1 second.
+
+Note:	you must take a copy of the client-calculated credentials received
+	here, because they will be used in subsequent authentication packets.
+
+Request:
+
+    CLNT_INFO   client identification/authentication info
+    char[]      new password - undocumented.
+    
+Response:
+
+    CREDS       server credentials.  server time stamp appears to be ignored.
+
+    return    0 - indicates success; 0xC000 006a indicates failure
+
+
+5.4) LSA SAM Logon
+------------------
+
+Note:	valid_user is True iff the username and password hash are valid for
+	the requested domain.
+
+Request:
+
+    SAM_INFO    sam_id structure
+
+Response:
+
+    VOID*       undocumented buffer pointer
+    CREDS       server credentials.  server time stamp appears to be ignored.
+    
+    if (valid_user)
+    {
+		UINT16      3 - switch value indicating USER_INFO structure.
+        VOID*     non-zero - pointer to USER_INFO structure
+        USER_INFO user logon information
+
+        UINT32    1 - Authoritative response; 0 - Non-Auth?
+
+        return    0 - indicates success
+    }
+    else
+    {
+		UINT16    0 - switch value.  value to indicate no user presumed.
+        VOID*     0x0000 0000 - indicates no USER_INFO structure.
+
+        UINT32    1 - Authoritative response; 0 - Non-Auth?
+
+        return    0xC000 0064 - NT_STATUS_NO_SUCH_USER.
+    }
+
+
+5.5) LSA SAM Logoff
+--------------------
+
+Note:	presumably, the SAM_INFO structure is validated, and a (currently
+	undocumented) error code returned if the Logoff is invalid.
+
+Request:
+
+    SAM_INFO    sam_id structure
+
+Response:
+
+    VOID*       undocumented buffer pointer
+    CREDS       server credentials.  server time stamp appears to be ignored.
+
+    return      0 - indicates success.  undocumented failure indication.
+
+
+6) \\MAILSLOT\NET\NTLOGON
+-------------------------
+
+Note:	mailslots will contain a response mailslot, to which the response
+	should be sent.  the target NetBIOS name is REQUEST_NAME<20>, where
+	REQUEST_NAME is the name of the machine that sent the request.
+
+
+6.1) Query for PDC
+------------------
+
+Note:	NTversion, LMNTtoken, LM20token in response are the same as those
+	given in the request.
+
+Request:
+
+    UINT16         0x0007 - Query for PDC
+    STR            machine name
+    STR            response mailslot
+    UINT8[]        padding to 2-byte align with start of mailslot.
+    UNISTR         machine name
+    UINT32         NTversion
+    UINT16         LMNTtoken
+    UINT16         LM20token
+
+Response:
+
+    UINT16         0x000A - Respose to Query for PDC
+    STR            machine name (in uppercase)
+    UINT8[]        padding to 2-byte align with start of mailslot.
+    UNISTR         machine name
+    UNISTR         domain name
+    UINT32         NTversion (same as received in request)
+    UINT16         LMNTtoken (same as received in request)
+    UINT16         LM20token (same as received in request)
+
+
+6.2) SAM Logon
+--------------
+
+Note:	machine name in response is preceded by two '\' characters.
+
+Note:	NTversion, LMNTtoken, LM20token in response are the same as those
+	given in the request.
+
+Note:	user name in the response is presumably the same as that in the request.
+
+Request:
+
+    UINT16         0x0012 - SAM Logon
+    UINT16         request count
+    UNISTR         machine name
+    UNISTR         user name
+    STR            response mailslot
+    UINT32         alloweable account
+    UINT32         domain SID size
+    char[sid_size] domain SID, of sid_size bytes.
+    UINT8[]        ???? padding to 4? 2? -byte align with start of mailslot.
+    UINT32         NTversion
+    UINT16         LMNTtoken
+    UINT16         LM20token
+    
+Response:
+
+    UINT16         0x0013 - Response to SAM Logon
+    UNISTR         machine name
+    UNISTR         user name - workstation trust account
+    UNISTR         domain name 
+    UINT32         NTversion
+    UINT16         LMNTtoken
+    UINT16         LM20token
+
+
+
+7) SRVSVC Transact Named Pipe
+-----------------------------
+
+
+Defines for this pipe, identifying the query are:
+
+- Net Share Enum :              0x0f
+- Net Server Get Info :         0x15
+
+
+7.1) Net Share Enum
+------------------
+
+Note:	share level and switch value in the response are presumably the 
+	same as those in the request.
+
+Note:	cifsrap2.txt (section 5) may be of limited assistance here.
+
+Request:
+
+    VOID*             pointer (to server name?)
+	UNISTR2           server name
+
+    UINT8[]           padding to get unicode string 4-byte aligned
+                      with the start of the SMB header.
+
+    UINT32            share level
+    UINT32            switch value
+
+    VOID*             pointer to SHARE_INFO_1_CTR
+    SHARE_INFO_1_CTR  share info with 0 entries
+
+    UINT32            preferred maximum length (0xffff ffff)
+
+Response:
+
+    UINT32            share level
+    UINT32            switch value
+
+    VOID*             pointer to SHARE_INFO_1_CTR
+    SHARE_INFO_1_CTR  share info (only added if share info ptr is non-zero)
+
+    return            0 - indicates success
+
+
+7.2) Net Server Get Info
+------------------
+
+Note:	level is the same value as in the request.
+
+Request:
+
+	UNISTR2           server name
+    UINT32            switch level
+
+Response:
+
+    UINT32            switch level
+    VOID*             pointer to SERVER_INFO_101
+
+    SERVER_INFO_101   server info (only added if server info ptr is non-zero)
+
+    return            0 - indicates success
+
+
+
+Appendix
+--------
+
+A1) Cryptographic side of NT Domain Authentication
+--------------------------------------------------
+
+Definitions
+-----------
+
+Add(A1,A2): Intel byte ordered addition of corresponding 4 byte
+            words in arrays A1 and A2
+
+E(K,D): DES ECB encryption of 8 byte data D using 7 byte key K
+
+lmowf(): Lan man hash
+
+ntowf(): NT hash
+
+PW: md4(machine_password) =3D=3D md4(lsadump $machine.acc)
+                          =3D=3D pwdump(machine$)
+              (initially) =3D=3D md4(lmowf(unicode(machine)))
+
+RC4(K,Lk,D,Ld): RC4 encryption of data D of length Ld with key K
+                of length Lk
+
+v[m..n(,l)]: subset of v from bytes m to n, optionally padded
+             with zeroes to length l
+
+Cred(K,D): E(K[7..7,7],E(K[0..6],D)) computes a credential
+
+Time(): 4 byte current time
+
+Cc,Cs: 8 byte client and server challenges
+Rc,Rs: 8 byte client and server credentials
+