authorJeremy Allison <jra@samba.org>1998-04-29 00:02:57 +0000
committerJeremy Allison <jra@samba.org>1998-04-29 00:02:57 +0000
commitd3832506b2583130c4f4ba4b3edeabca987b7cbb (patch)
tree0f547a84cc7e6ea4b561ce06ab7c70ce84e9589e /source3/rpc_client
parent1a25f56066f950f20cd2ee8cbb15d62ecb9ecc61 (diff)
This is the checkin that adds the security=domain functionality.
WARNING - so far this has only been tested against a Samba PDC (still waiting for IS to add me the machine accounts :-). Still missing is the code in smbpasswd that will add a machine account password and change it on the domain controller, but this is not hard, and I will check it in soon. Jeremy. (This used to be commit 17b94a7084621b3f0106dd4d3386f05cdfc56d19)
Diffstat (limited to 'source3/rpc_client')
-rw-r--r--source3/rpc_client/cli_login.c95
-rw-r--r--source3/rpc_client/cli_netlogon.c100
2 files changed, 89 insertions, 106 deletions
diff --git a/source3/rpc_client/cli_login.c b/source3/rpc_client/cli_login.c
index fe00c39e4c..1feda1cfe3 100644
--- a/source3/rpc_client/cli_login.c
+++ b/source3/rpc_client/cli_login.c
@@ -75,67 +75,45 @@ BOOL cli_nt_setup_creds(struct cli_state *cli, unsigned char mach_pwd[16])
return True;
}
-#if 0
/****************************************************************************
- server password set
+ Set machine password.
****************************************************************************/
-BOOL do_nt_srv_pwset(struct cli_state *cli,
- uint8 sess_key[16], DOM_CRED *clnt_cred, DOM_CRED *rtn_cred,
- char *new_mach_pwd,
- char *dest_host, char *mach_acct, char *myhostname)
+BOOL cli_nt_srv_pwset(struct cli_state *cli, unsigned char *new_hashof_mach_pwd)
{
- DOM_CRED cred;
- char nt_cypher[16];
- uint8 mode = 1;
- char nt_owf_new_mach_pwd[16];
+ unsigned char processed_new_pwd[16];
-#ifdef DEBUG_PASSWORD
- DEBUG(100,("generating nt owf from new machine pwd: %s\n", new_mach_pwd));
-#endif
- nt_owf_gen(new_mach_pwd, nt_owf_new_mach_pwd);
+ DEBUG(5,("cli_nt_login_interactive: %d\n", __LINE__));
#ifdef DEBUG_PASSWORD
- dump_data(6, nt_owf_new_mach_pwd, 16);
+ dump_data(6, new_hashof_mach_pwd, 16);
#endif
- if (!obfuscate_pwd(nt_cypher, nt_owf_new_mach_pwd, mode))
- {
- DEBUG(5,("do_nt_srv_pwset: encrypt mach pwd failed\n"));
- return False;
- }
-
- clnt_cred->timestamp.time = time(NULL);
-
- memcpy(&cred, clnt_cred, sizeof(cred));
-
- /* calculate credentials */
- cred_create(sess_key, &(clnt_cred->challenge),
- cred.timestamp, &(cred.challenge));
+ /* Process the new password. */
+ cred_hash3( processed_new_pwd, new_hashof_mach_pwd, cli->sess_key, 0);
/* send client srv_pwset challenge */
- return do_net_srv_pwset(cli, fnum, sess_key, clnt_cred,
- dest_host, mach_acct, 2, myhostname,
- &cred, rtn_cred, nt_cypher);
+ return cli_net_srv_pwset(cli, processed_new_pwd);
}
/****************************************************************************
- make interactive sam login info
+NT login - interactive.
+*NEVER* use this code. This method of doing a logon (sending the cleartext
+password equivalents, protected by the session key) is inherently insecure
+given the current design of the NT Domain system. JRA.
****************************************************************************/
-void make_nt_login_interactive(NET_ID_INFO_CTR *ctr,
- uchar sess_key[16],
- char *domain, char *myhostname,
- uint32 smb_userid, char *username)
+BOOL cli_nt_login_interactive(struct cli_state *cli, char *domain, char *username,
+ uint32 smb_userid_low, char *password,
+ NET_ID_INFO_CTR *ctr, NET_USER_INFO_3 *user_info3)
{
- /****************** SAM Info Preparation *******************/
-
- char *smb_user_passwd = getpass("Enter NT Login Password:");
+ unsigned char lm_owf_user_pwd[16];
+ unsigned char nt_owf_user_pwd[16];
+ BOOL ret;
- char lm_owf_user_pwd[16];
- char nt_owf_user_pwd[16];
+ DEBUG(5,("cli_nt_login_interactive: %d\n", __LINE__));
- nt_lm_owf_gen(smb_user_passwd, nt_owf_user_pwd, lm_owf_user_pwd);
+ nt_lm_owf_gen(password, nt_owf_user_pwd, lm_owf_user_pwd);
#ifdef DEBUG_PASSWORD
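Review bot: The trace line at the top of the new `cli_nt_srv_pwset` names the wrong function, `DEBUG(5,("cli_nt_login_interactive: %d\n", __LINE__));`, so a level-5 log of a machine password change reads as an interactive logon; it should be `DEBUG(5,("cli_nt_srv_pwset: %d\n", __LINE__));`. The same copy-paste slip is in the next hunk, where `cli_nt_login_interactive` logs `cli_nt_login_network` and the comment `indicate a "network" login` sits above `ctr->switch_value = INTERACTIVE_LOGON_TYPE;`. Separately, `processed_new_pwd` is left on the stack when `cli_nt_srv_pwset` returns, whereas `cli_nt_login_interactive` overwrites its hash buffers; keeping the result of `cli_net_srv_pwset` in a local, clearing the buffer and then returning would make the two consistent. The body of `cli_nt_login_interactive` continues past the end of this hunk.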
@@ -147,18 +125,35 @@ void make_nt_login_interactive(NET_ID_INFO_CTR *ctr,
#endif
- /* indicate an "interactive" login */
- ctr->switch_value = 1;
+ DEBUG(5,("cli_nt_login_network: %d\n", __LINE__));
- /* this is used in both the SAM Logon and the SAM Logoff */
- make_id_info1(&ctr->auth.id1, domain, 0,
- smb_userid, 0, username, myhostname,
- sess_key, lm_owf_user_pwd, nt_owf_user_pwd);
+ /* indicate a "network" login */
+ ctr->switch_value = INTERACTIVE_LOGON_TYPE;
+
+ /* Create the structure needed for SAM logon. */
+ make_id_info1(&ctr->auth.id1, domain, 0,
+ smb_userid_low, 0,
+ username, global_myname,
+ cli->sess_key, lm_owf_user_pwd, nt_owf_user_pwd);
+
+ /* Ensure we overwrite all the plaintext password
+ equivalents. */
+ memset(lm_owf_user_pwd, '\0', sizeof(lm_owf_user_pwd));
+ memset(nt_owf_user_pwd, '\0', sizeof(nt_owf_user_pwd));
+
+ /* Send client sam-logon request - update credentials on success. */
+ ret = cli_net_sam_logon(cli, ctr, user_info3);
+
+ memset(ctr->auth.id1.lm_owf.data, '\0', sizeof(lm_owf_user_pwd));
+ memset(ctr->auth.id1.nt_owf.data, '\0', sizeof(nt_owf_user_pwd));
+
+ return ret;
}
-#endif
/****************************************************************************
-NT login.
+NT login - network.
+*ALWAYS* use this call to validate a user as it does not expose plaintext
+password equivalents over the network. JRA.
****************************************************************************/
BOOL cli_nt_login_network(struct cli_state *cli, char *domain, char *username,
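Review bot: The first pair of `memset` calls, on `lm_owf_user_pwd` and `nt_owf_user_pwd`, are stores to locals that are never read again, so an optimising compiler is allowed to drop them and leave the password equivalents on the stack. For the comment's guarantee to hold, the wipe has to be one the compiler cannot elide, for example `explicit_bzero` where the platform provides it, or a write through a `volatile` pointer. The second pair clears `ctr->auth.id1.lm_owf.data` and `ctr->auth.id1.nt_owf.data` but takes its length from the local arrays; assuming `data` is an array member, `sizeof(ctr->auth.id1.lm_owf.data)` and `sizeof(ctr->auth.id1.nt_owf.data)` would stay correct if the sizes ever diverge. The `password` argument is not cleared here, so that remains the caller's job. The function starts in the previous hunk.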
diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
index 91dbd27421..a8aba1c5dc 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -34,10 +34,29 @@ extern pstring global_myname;
extern fstring global_myworkgroup;
/****************************************************************************
+Generate the next creds to use.
+****************************************************************************/
+
+static void gen_next_creds( struct cli_state *cli, DOM_CRED *new_clnt_cred)
+{
+ /*
+ * Create the new client credentials.
+ */
+
+ cli->clnt_cred.timestamp.time = time(NULL);
+
+ memcpy(new_clnt_cred, &cli->clnt_cred, sizeof(*new_clnt_cred));
+
+ /* Calculate the new credentials. */
+ cred_create(cli->sess_key, &(cli->clnt_cred.challenge),
+ new_clnt_cred->timestamp, &(new_clnt_cred->challenge));
+}
+
+/****************************************************************************
do a LSA Logon Control2
****************************************************************************/
-BOOL do_net_logon_ctrl2(struct cli_state *cli, uint32 status_level)
+BOOL cli_net_logon_ctrl2(struct cli_state *cli, uint32 status_level)
{
prs_struct rbuf;
prs_struct buf;
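Review bot: The header comment on `gen_next_creds` does not mention that the helper writes to `cli` as well as to `new_clnt_cred`: `cli->clnt_cred.timestamp.time = time(NULL);` changes the stored credential's timestamp before any request has been sent or accepted. Since all three callers now rely on this, I would add a line such as `Side effect: sets cli->clnt_cred.timestamp.time to the current time; the credential for the next request is written to *new_clnt_cred.` It would also help to state that the stored challenge is left for the reply handling to advance, if that is indeed the contract of `clnt_deal_with_creds`.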
@@ -224,38 +243,33 @@ BOOL cli_net_req_chal(struct cli_state *cli, DOM_CHAL *clnt_chal, DOM_CHAL *srv_
return valid_chal;
}
-#if 0
/***************************************************************************
-do a LSA Server Password Set
+LSA Server Password Set.
****************************************************************************/
-BOOL do_net_srv_pwset(struct cli_state *cli, uint16 fnum,
- uchar sess_key[16], DOM_CRED *sto_clnt_cred,
- char *logon_srv, char *mach_acct, uint16 sec_chan_type,
- char *comp_name, DOM_CRED *clnt_cred, DOM_CRED *srv_cred,
- uint8 nt_owf_new_mach_pwd[16])
+BOOL cli_net_srv_pwset(struct cli_state *cli, uint8 hashed_mach_pwd[16])
{
prs_struct rbuf;
prs_struct buf;
+ DOM_CRED new_clnt_cred;
NET_Q_SRV_PWSET q_s;
- BOOL valid_cred = False;
+ BOOL ok = False;
+ uint16 sec_chan_type = 2;
- if (srv_cred == NULL || clnt_cred == NULL)
- return False;
+ gen_next_creds( cli, &new_clnt_cred);
prs_init(&buf , 1024, 4, SAFETY_MARGIN, False);
prs_init(&rbuf, 0, 4, SAFETY_MARGIN, True );
-
/* create and send a MSRPC command with api NET_SRV_PWSET */
- DEBUG(4,("LSA Server Password Set: srv:%s acct:%s sc: %d mc: %s clnt %s %lx\n",
- cli->srv_name_slash, mach_acct, sec_chan_type, comp_name,
- credstr(clnt_cred->challenge.data), clnt_cred->timestamp.time));
+ DEBUG(4,("cli_net_srv_pwset: srv:%s acct:%s sc: %d mc: %s clnt %s %lx\n",
+ cli->srv_name_slash, cli->mach_acct, sec_chan_type, global_myname,
+ credstr(new_clnt_cred.challenge.data), new_clnt_cred.timestamp.time));
/* store the parameters */
- make_q_srv_pwset(&q_s, sess_key, logon_srv, mach_acct, sec_chan_type,
- comp_name, clnt_cred, nt_owf_new_mach_pwd);
+ make_q_srv_pwset(&q_s, cli->srv_name_slash, cli->mach_acct, sec_chan_type,
+ global_myname, &new_clnt_cred, hashed_mach_pwd);
/* turn parameters into data stream */
net_io_q_srv_pwset("", &q_s, &buf, 0);
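Review bot: `uint16 sec_chan_type = 2;` hard-codes the secure channel type as a bare number; a named constant, or at least a comment saying which channel type 2 selects, would let a reader confirm the password set is issued for the intended kind of account. The `DEBUG(4, ...)` line prints `new_clnt_cred.timestamp.time` with `%lx`; if that field is a 32-bit type, which cannot be confirmed from this hunk, the argument should be cast, `(unsigned long)new_clnt_cred.timestamp.time`. The function body continues in the following hunks.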
@@ -264,7 +278,6 @@ BOOL do_net_srv_pwset(struct cli_state *cli, uint16 fnum,
if (rpc_api_pipe_req(cli, NET_SRVPWSET, &buf, &rbuf))
{
NET_R_SRV_PWSET r_s;
- BOOL ok;
net_io_r_srv_pwset("", &r_s, &rbuf, 0);
ok = (rbuf.offset != 0);
@@ -277,31 +290,26 @@ BOOL do_net_srv_pwset(struct cli_state *cli, uint16 fnum,
ok = False;
}
- if (ok)
+ /* Update the credentials. */
+ if (clnt_deal_with_creds(cli->sess_key, &(cli->clnt_cred), &(r_s.srv_cred)) == 0)
{
- if (clnt_deal_with_creds(sess_key, sto_clnt_cred, &(r_s.srv_cred)))
- {
- DEBUG(5, ("do_net_srv_pwset: server credential check OK\n"));
- /* ok, at last: we're happy. return the challenge */
- memcpy(srv_cred, &(r_s.srv_cred), sizeof(r_s.srv_cred));
- valid_cred = True;
- }
- else
- {
- DEBUG(5, ("do_net_srv_pwset: server credential check failed\n"));
- }
+ /*
+ * Server replied with bad credential. Fail.
+ */
+ DEBUG(0,("cli_net_srv_pwset: server %s replied with bad credential (bad machine \
+password ?).\n", cli->desthost ));
+ ok = False;
}
}
prs_mem_free(&rbuf);
prs_mem_free(&buf );
- return valid_cred;
+ return ok;
}
-#endif
/***************************************************************************
-LSA SAM Logon.
+LSA SAM Logon - interactive or network.
****************************************************************************/
BOOL cli_net_sam_logon(struct cli_state *cli, NET_ID_INFO_CTR *ctr,
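Review bot: With the `if (ok)` guard removed, `clnt_deal_with_creds` now runs even when the reply could not be parsed. On the path where `ok = (rbuf.offset != 0);` (previous hunk) came out false, `r_s.srv_cred` may never have been filled in, so the check would compare, and apparently update `cli->clnt_cred` from, indeterminate stack data. If the intent is to advance the credential chain when the server returns an error status as well, guard on the parse result only, `if (rbuf.offset != 0 && clnt_deal_with_creds(cli->sess_key, &(cli->clnt_cred), &(r_s.srv_cred)) == 0)`, or zero-initialise `r_s` before `net_io_r_srv_pwset`. The enclosing `if (rpc_api_pipe_req(...))` block opens outside this hunk.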
@@ -314,17 +322,7 @@ BOOL cli_net_sam_logon(struct cli_state *cli, NET_ID_INFO_CTR *ctr,
NET_Q_SAM_LOGON q_s;
BOOL ok = False;
- /*
- * Create the new client credentials.
- */
-
- cli->clnt_cred.timestamp.time = time(NULL);
-
- memcpy(&new_clnt_cred, &cli->clnt_cred, sizeof(new_clnt_cred));
-
- /* Calculate the new credentials. */
- cred_create(cli->sess_key, &(cli->clnt_cred.challenge),
- new_clnt_cred.timestamp, &(new_clnt_cred.challenge));
+ gen_next_creds( cli, &new_clnt_cred);
prs_init(&buf , 1024, 4, SAFETY_MARGIN, False);
prs_init(&rbuf, 0, 4, SAFETY_MARGIN, True );
@@ -400,17 +398,7 @@ BOOL cli_net_sam_logoff(struct cli_state *cli, NET_ID_INFO_CTR *ctr)
uint16 validation_level = 3;
BOOL ok = False;
- /*
- * Create the new client credentials.
- */
-
- cli->clnt_cred.timestamp.time = time(NULL);
-
- memcpy(&new_clnt_cred, &cli->clnt_cred, sizeof(new_clnt_cred));
-
- /* Calculate the new credentials. */
- cred_create(cli->sess_key, &(cli->clnt_cred.challenge),
- new_clnt_cred.timestamp, &(new_clnt_cred.challenge));
+ gen_next_creds( cli, &new_clnt_cred);
prs_init(&buf , 1024, 4, SAFETY_MARGIN, False);
prs_init(&rbuf, 0, 4, SAFETY_MARGIN, True );
@@ -453,7 +441,7 @@ BOOL cli_net_sam_logoff(struct cli_state *cli, NET_ID_INFO_CTR *ctr)
*/
DEBUG(0,("cli_net_sam_logoff: server %s replied with bad credential (bad machine \
password ?).\n", cli->desthost ));
- ok = False;
+ ok = False;
}
}