summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--docs/textdocs/NTDOMAIN.txt127
-rw-r--r--docs/textdocs/cifsntdomain.txt1059
2 files changed, 1186 insertions, 0 deletions
diff --git a/docs/textdocs/NTDOMAIN.txt b/docs/textdocs/NTDOMAIN.txt
new file mode 100644
index 0000000000..f0a43b6ba5
--- /dev/null
+++ b/docs/textdocs/NTDOMAIN.txt
@@ -0,0 +1,127 @@
+Contributor: Luke Kenneth Casson Leighton
+Created: October 20, 1997
+Updated: October 20, 1997
+
+Subject: NT Domain Logons
+===========================================================================
+
+As of 1.9.18alpha1, Samba supports logins for NT 4.0 Workstations, without
+the need, use or intervention of NT 4.0 Server. This document describes
+how to set this up. Over the continued development of the 1.9.18alpha
+series, this process (and therefore this document) should become simpler.
+
+The support is still experimental, so should be used at your own risk.
+
+NT is not as robust as you might have been led to believe: during the
+development of the Domain Logon Support, one person reported having to
+reinstall NT from scratch: their workstation had become totally unuseable.
+
+This *has* been reported to the NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM digest.
+
+
+Domain Logons using 1.9.18alpha1
+================================
+
+1) compile samba with -DNTDOMAIN
+
+2) carry out the following unix commands:
+
+ touch /tmp/netlogon
+ touch /tmp/srvsvc
+ chmod 666 /tmp/netlogon
+ chmod 666 /tmp/srvsvc
+
+3) set up samba with encrypted passwords: see ENCRYPTION.txt (probably out
+ of date: you no longer need the DES libraries, but other than that,
+ ENCRYPTION.txt is current).
+
+4) for each workstation, add a line to smbpasswd with a username of MACHINE$
+ and a password of "machine". this process will be automated in further
+ releases.
+
+5) if using NT server to log in, run the User Manager for Domains, and
+ add the capability to "Log in Locally" to the policies.
+
+6) set up the following parameters in smb.conf
+
+; substitute your workgroup here
+ workgroup = SAMBA
+
+; a description of domain sids can be found elsewhere.
+ domain sid = S-1-5-21-123-456-789-123
+
+; tells workstations to use SAMBA as its Primary Domain Controller.
+ domain logons = yes
+
+7) make sure samba is running before the next step is carried out. if
+ this is your first time, just for fun you might like to switch the
+ debug log level to about 10. the NT pipes produces some very pretty
+ output when decoding requests and generating responses, which would
+ be particularly useful to see in tcpdump at some point.
+
+8) In the NT Network Settings, change the domain to SAMBA. Do
+ not attempt to create an account using the other part of the dialog:
+ it will fail at present.
+
+ You should get a wonderful message saying "Welcome to the SAMBA Domain."
+
+ If you don't, then please first increase your debug log levels and also
+ get a tcpdump (or preferably NetMonitor) trace and examine it carefully.
+ You should see a NETLOGON, a SAMLOGON on UDP port 138. If you don't,
+ then you probably don't have "domain logons = yes" or there is some other
+ problem in resolving the NetBIOS name SAMBA<1c>.
+
+ On port 139, you should see a LSA_OPEN_POLICY, two LSA_QUERY_INFOs (one
+ for a domain SID of S-1-3... and another for S-1-5) and then an LSA_CLOSE
+ or two. If when you get a connection to the SMB pipe NETLOGON, if /netlogon
+ access is refused, then you probably haven't granted the correct access
+ permissions on the /tmp/netlogon file. Likewise for the srvsvc file.
+
+ You may see a pipe connection to a wksta service being refused: this
+ is acceptable, we have found. You may also see a "Net Server Get Info"
+ being issued on the srvsvc pipe.
+
+ Assuming you got the Welcome message, go through the obligatory reboot...
+
+9) When pressing Ctrl-Alt-Delete, the NT login box should have three entries.
+ If there is a delay of about twenty seconds between pressing Ctrl-Alt-Delete
+ and the appearance of this login dialog, then there might be a problem:
+ at this stage the workstation is issuing an LSA_ENUMTRUSTEDDOMAIN request
+
+ The domain box should have two entries: the hostname and the SAMBA domain.
+ Any local accounts are under the hostname domain, from which you will be
+ able to shut down the machine etc. At present, we do not specify that
+ the NT user logging in is a member of any groups, so will have no
+ priveleges, including the ability to shut down the machine.
+
+ Select the SAMBA domain, and type in a valid username and password for
+ which there is a valid entry in the samba server's smbpasswd LM/NT OWF
+ database.
+
+ You should see an LSA_REQ_CHAL, followed by LSA_AUTH2, LSA_NET_SRV_PWSET,
+ and LSA_SAM_LOGON. The SAM Logon will be particularly large (the response
+ can be approximately 600 bytes) as it contains user info.
+
+ Also, there will probably be a "Net Server Get Info" and a "Net Share Enum"
+ amongst this lot. If the SAM Logon is successful, the dialog should
+ disappear, and a standard SMB connection established to download the
+ profile specified in the SAM Logon (if it was).
+
+ At this point, you _may_ encounter difficulties in creating a remote
+ profile, and the login may terminate (generating an LSA_SAM_LOGOFF). If
+ this occurs, then either find an existing profile on the samba server and
+ copy it into the location specified by the "logon path" smb.conf parameter
+ for the user logging in, or log in on the local machine, and use the
+ System | Profiles control panel to make a copy of the _local_ profile onto
+ the samba server.
+
+10) Play around. Look at the Samba Server: see if it can be found in the
+ browse lists. Check that it is accessible; run some applications.
+ Generally stress things. Laugh a lot. Logout of the NT machine
+ (generating an LSA_SAM_LOGOFF) and log back in again. Try logging in
+ two users simultaneously. Try logging the same user in twice.
+ Make Samba fall over, and then send bug reports to us, with NTDOM: at
+ the start of the subject line, as "samba-bugs@samba.anu.edu.au".
+
+Your reports, testing, patches and criticism will help us get this right.
+
diff --git a/docs/textdocs/cifsntdomain.txt b/docs/textdocs/cifsntdomain.txt
new file mode 100644
index 0000000000..1a3b1c429f
--- /dev/null
+++ b/docs/textdocs/cifsntdomain.txt
@@ -0,0 +1,1059 @@
+NT Domain Authentication
+------------------------
+
+Authors: - Luke Kenneth Casson Leighton (lkcl@switchboard.net)
+ - Paul Ashton (paul@argo.demon.co.uk)
+
+Version: 0.017 (20oct97)
+
+Distribution: Unlimited and encouraged, for the purposes of implementation
+ and comments. Feedback welcomed by the authors.
+
+Liability: Absolutely none accepted implicitly or explicitly, direct
+ or consequentially, for use, abuse, misuse, lack of use,
+ misunderstandings, mistakes, omissions, mis-information for
+ anything in or not in, related to or pertaining to this
+ document or anything else that a lawyer can think of or not
+ think of.
+
+Warning: Please bear in mind that an incorrect implementation of this
+ protocol can cause NT workstation to fail irrevocably, for
+ which the authors accept no liability (see above). Please
+ contact your vendor if you have any problems.
+
+Sources: - Packet Traces from Netmonitor (Service Pack 1 and above)
+ - Paul Ashton and Luke Leighton's other "NT Domain" doc.
+ - CIFS documentation - cifs6.txt
+ - CIFS documentation - cifsrap2.txt
+
+Original: http://mailhost.cb1.com/~lkcl/cifsntdomain.txt.
+ (Controlled copy maintained by lkcl@switchboard.net)
+
+Credits: - Paul Ashton: loads of work with Net Monitor;
+ understanding the NT authentication system;
+ reference implementation of the NT domain support on which
+ this document is originally based.
+ - Linus Nordberg: producing c-code from Paul's crypto spec.
+ - Windows Sourcer development team
+
+Contents:
+
+1) Introduction
+
+2) Structures and notes
+
+ 2.1) Notes
+ 2.2) Structures
+
+3) Transact Named Pipe Header/Tail
+
+ 3.1) Header
+ 3.2) Tail
+
+4) NTLSA Transact Named Pipe
+
+ 4.1) LSA Open Policy
+ 4.2) LSA Query Info Policy
+ 4.3) LSA Enumerate Trusted Domains
+ 4.4) LSA Open Secret
+ 4.5) LSA Close
+ 4.6) LSA Lookup SIDS
+ 4.7) LSA Lookup Names
+
+5) NETLOGON rpc Transact Named Pipe
+
+ 5.1) LSA Request Challenge
+ 5.2) LSA Authenticate 2
+ 5.3) LSA Server Password Set
+ 5.4) LSA SAM Logon
+ 5.5) LSA SAM Logoff
+
+6) \\MAILSLOT\NET\NTLOGON
+
+ 6.1) Query for PDC
+ 6.2) SAM Logon
+
+7) SRVSVC Transact Named Pipe
+
+ 7.1) Net Share Enum
+ 7.2) Net Server Get Info
+
+Appendix:
+
+A1) Cryptographic side of NT Domain Authentication
+
+
+
+1) Introduction
+---------------
+
+
+This document contains information to provide an NT workstation with login
+services, without the need for an NT server.
+
+It should be possible to select a domain instead of a workgroup (in the NT
+workstation's TCP/IP settings) and after the obligatory reboot, type in a
+username, password, select a domain and successfully log in. I would
+appreciate any feedback on your experiences with this process, and any
+comments, corrections and additions to this document.
+
+
+The packets described here can be easily derived from (and are probably
+better understood using) Netmon.exe. You will need to use the version
+of Netmon that matches your system, in order to correctly decode the
+NETLOGON, lsarpc and srvsvc Transact pipes. This document is derived from
+NT Service Pack 1 and its corresponding version of Netmon. It is intended
+that an annotated packet trace be produced, which will likely be more
+instructive than this document.
+
+Also needed, to fully implement NT Domain Login Services, is the
+document describing the cryptographic part of the NT authentication.
+This document is available from comp.protocols.smb; from the ntsecurity.net
+digest and from the samba digest, amongst other sources.
+
+A copy is available from:
+
+http://ntbugtraq.rc.on.ca/SCRIPTS/WA.EXE?A2=ind9708&L=ntbugtraq&O=A&P=2935
+http://mailhost.cb1.com/~lkcl/crypt.html
+
+
+A c-code implementation, provided by Linus Nordberg <linus@incolumitas.se>
+of this protocol is available from:
+
+http://samba.anu.edu.au/cgi-bin/mfs/01/digest/1997/97aug/0391.html
+http://mailhost.cb1.com/~lkcl/crypt.txt
+
+
+Also used to provide debugging information is the Check Build version of
+NT workstation, and enabling full debugging in NETLOGON. This is
+achieved by setting the following REG_SZ registry key to 0x1ffffff:
+
+HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
+
+- Incorrect direct editing of the registry can cause your machine to fail.
+ Then again, so can incorrect implementation of this protocol.
+ See "Liability:" above.
+
+
+Bear in mind that each packet over-the-wire will have its origin in an
+API call. Therefore, there are likely to be structures, enumerations
+and defines that are usefully documented elsewhere.
+
+
+This document is by no means complete or authoritative. Missing sections
+include, but are not limited to:
+
+- the meaning (and use by NT) of SIDs and RIDs.
+
+- mappings of RIDs to usernames (and vice-versa).
+
+- what a User ID is and what a Group ID is.
+
+- the exact meaning/definition of various magic constants or enumerations.
+
+- the reply error code and use of that error code when a workstation
+ becomes a member of a domain (to be described later). Failure to
+ return this error code will make the workstation report that it is
+ already a member of the domain.
+
+- the cryptographic side of the NetrServerPasswordSet command, which would
+ allow the workstation to change its password. This password is used to
+ generate the long-term session key. [It is possible to reject this
+ command, and keep the default workstation password].
+
+
+2) Notes and Structures
+-----------------------
+
+
+2.1) Notes
+----------
+
+- In the SMB Transact pipes, some "Structures", described here, appear to be
+ 4-byte aligned with the SMB header, at their start. Exactly which
+ "Structures" need aligning is not precisely known or documented.
+
+- In the UDP NTLOGON Mailslots, some "Structures", described here, appear to be
+ 2-byte aligned with the start of the mailslot, at their start.
+
+- Domain SID is of the format S-revision-version-auth1-auth2...authN.
+ e.g S-1-5-123-456-789-123-456. the 5 could be a sub-revision.
+
+- any undocumented buffer pointers must be non-zero if the string buffer it
+ refers to contains characters. exactly what value they should be is unknown.
+ 0x0000 0002 seems to do the trick to indicate that the buffer exists. a
+ NULL buffer pointer indicates that the string buffer is of zero length.
+ If the buffer pointer is NULL, then it is suspected that the structure it
+ refers to is NOT put into (or taken out of) the SMB data stream. This is
+ empirically derived from, for example, the LSA SAM Logon response packet,
+ where if the buffer pointer is NULL, the user information is not inserted
+ into the data stream. Exactly what happens with an array of buffer pointers
+ is not known, although an educated guess can be made.
+
+- an array of structures (a container) appears to have a count and a pointer.
+ if the count is zero, the pointer is also zero. no further data is put
+ into or taken out of the SMB data stream. if the count is non-zero, then
+ the pointer is also non-zero. immediately following the pointer is the
+ count again, followed by an array of container sub-structures. the count
+ appears a third time after the last sub-structure.
+
+
+
+2.2) Structures
+---------------
+
+- sizeof VOID* is 32 bits.
+
+- sizeof char is 8 bits.
+
+- UTIME is 32 bits, indicating time in seconds since 01jan1970. documented
+ in cifs6.txt (section 3.5 page, page 30).
+
+- NTTIME is 64 bits. documented in cifs6.txt (section 3.5 page, page 30).
+
+- DOM_SID (domain SID structure) :
+
+ UINT32 num of sub-authorities in domain SID
+ UINT8 SID revision number
+ UINT8 num of sub-authorities in domain SID
+ UINT8[6] 6 bytes for domain SID - Identifier Authority.
+ UINT16[n_subauths] domain SID sub-authorities
+
+ Note: the domain SID is documented elsewhere.
+
+- STR (string) :
+
+ char[] null-terminated string of ascii characters.
+
+- UNIHDR (unicode string header) :
+
+ UINT16 length of unicode string
+ UINT16 max length of unicode string
+ UINT32 4 - undocumented.
+
+- UNIHDR2 (unicode string header plus buffer pointer) :
+
+ UNIHDR unicode string header
+ VOID* undocumented buffer pointer
+
+- UNISTR (unicode string) :
+
+ UINT16[] null-terminated string of unicode characters.
+
+- NAME (length-indicated unicode string) :
+
+ UINT32 length of unicode string
+ UINT16[] null-terminated string of unicode characters.
+
+- UNISTR2 (aligned unicode string) :
+
+ UINT8[] padding to get unicode string 4-byte aligned
+ with the start of the SMB header.
+ UINT32 max length of unicode string
+ UINT32 0 - undocumented
+ UINT32 length of unicode string
+ UINT16[] string of uncode characters.
+
+- POL_HND (LSA policy handle) :
+
+ char[20] policy handle
+
+- DOM_SID2 (domain SID structure, SIDS stored in unicode) :
+
+ UINT32 5 - SID type
+ UINT32 0 - undocumented
+ UNIHDR2 domain SID unicode string header
+ UNISTR domain SID unicode string
+
+ Note: there is a conflict between the unicode string header and the
+ unicode string itself as to which to use to indicate string
+ length. this will need to be resolved.
+
+ Note: the SID type indicates, for example, an alias; a well-known group etc.
+ this is documented somewhere.
+
+- DOM_RID (domain RID structure) :
+
+ UINT32 5 - well-known SID. 1 - user SID (see ShowACLs)
+ UINT32 5 - undocumented
+ UINT32 domain RID
+ UINT32 0 - domain index out of above reference domains
+
+
+- LOG_INFO (server, account, client structure) :
+
+ Note: logon server name starts with two '\' characters and is upper case.
+
+ Note: account name is the logon client name from the LSA Request Challenge,
+ with a $ on the end of it, in upper case.
+
+ VOID* undocumented buffer pointer
+ UNISTR2 logon server unicode string
+ UNISTR2 account name unicode string
+ UINT16 sec_chan - security channel type
+ UNISTR2 logon client machine unicode string
+
+- CLNT_SRV (server, client names structure) :
+
+ Note: logon server name starts with two '\' characters and is upper case.
+
+ VOID* undocumented buffer pointer
+ UNISTR2 logon server unicode string
+ VOID* undocumented buffer pointer
+ UNISTR2 logon client machine unicode string
+
+- CREDS (credentials + time stamp)
+
+ char[8] credentials
+ UTIME time stamp
+
+- CLNT_INFO2 (server, client structure, client credentials) :
+
+ Note: whenever this structure appears in a request, you must take a copy
+ of the client-calculated credentials received, because they will be
+ used in subsequent credential checks. the presumed intention is to
+ maintain an authenticated request/response trail.
+
+ CLNT_SRV client and server names
+ UINT8[] ???? padding, for 4-byte alignment with SMB header.
+ VOID* pointer to client credentials.
+ CREDS client-calculated credentials + client time
+
+- CLNT_INFO (server, account, client structure, client credentials) :
+
+ Note: whenever this structure appears in a request, you must take a copy
+ of the client-calculated credentials received, because they will be
+ used in subsequent credential checks. the presumed intention is to
+ maintain an authenticated request/response trail.
+
+ LOG_INFO logon account info
+ CREDS client-calculated credentials + client time
+
+- ID_INFO_1 (id info structure, auth level 1) :
+
+ VOID* ptr_id_info_1
+ UNIHDR domain name unicode header
+ UINT32 param control
+ UINT64 logon ID
+ UNIHDR user name unicode header
+ UNIHDR workgroup name unicode header
+ char[16] rc4 LM OWF Password
+ char[16] rc4 NT OWF Password
+ UNISTR2 domain name unicode string
+ UNISTR2 user name unicode string
+ UNISTR2 workgroup name unicode string
+
+- SAM_INFO (sam logon/logoff id info structure) :
+
+ CLNT_INFO2 client identification/authentication info
+ VOID* pointer to return credentials.
+ CRED return credentials - ignored.
+ UINT16 logon level
+ UINT16 switch value
+
+ switch (switch_value)
+ case 1:
+ {
+ ID_INFO_1 id_info_1;
+ }
+
+- GID (group id info) :
+
+ UINT32 group id
+ UINT32 user attributes (only used by NT 3.1 and 3.51)
+
+- DOM_REF (domain reference info) :
+
+ VOID* undocumented buffer pointer.
+ UINT32 num referenced domains?
+ VOID* undocumented domain name buffer pointer.
+ UINT32 32 - max number of entries
+ UINT32 4 - num referenced domains?
+
+ UNIHDR2 domain name unicode string header
+ UNIHDR2[num_ref_doms-1] referenced domain unicode string headers
+
+ UNISTR domain name unicode string
+ DOM_SID[num_ref_doms] referenced domain SIDs
+
+- DOM_INFO (domain info, levels 3 and 5 are the same)) :
+
+ UINT8[] ??? padding to get 4-byte alignment with start of SMB header
+ UINT16 domain name string length * 2
+ UINT16 domain name string length * 2
+ VOID* undocumented domain name string buffer pointer
+ VOID* undocumented domain SID string buffer pointer
+ UNISTR2 domain name (unicode string)
+ DOM_SID domain SID
+
+- USER_INFO (user logon info) :
+
+ NTTIME logon time
+ NTTIME logoff time
+ NTTIME kickoff time
+ NTTIME password last set time
+ NTTIME password can change time
+ NTTIME password must change time
+
+ UNIHDR username unicode string header
+ UNIHDR user's full name unicode string header
+ UNIHDR logon script unicode string header
+ UNIHDR profile path unicode string header
+ UNIHDR home directory unicode string header
+ UNIHDR home directory drive unicode string header
+
+ UINT16 logon count
+ UINT16 bad password count
+
+ UINT32 User ID
+ UINT32 Group ID
+ UINT32 num groups
+ VOID* undocumented buffer pointer to groups.
+
+ UINT32 user flags
+ char[16] unused user session key
+
+ UNIHDR logon server unicode string header
+ UNIHDR logon domain unicode string header
+ VOID* undocumented logon domain id pointer
+ char[40] 40 undocumented padding bytes. future expansion?
+
+ UINT32 0 - num_other_sids?
+ VOID* NULL - undocumented pointer to other domain SIDs.
+
+ UNISTR2 username unicode string
+ UNISTR2 user's full name unicode string
+ UNISTR2 logon script unicode string
+ UNISTR2 profile path unicode string
+ UNISTR2 home directory unicode string
+ UNISTR2 home directory drive unicode string
+
+ UINT32 num groups
+ GID[num_groups] group info
+
+ UNISTR2 logon server unicode string
+ UNISTR2 logon domain unicode string
+
+ DOM_SID domain SID
+ DOM_SID[num_sids] other domain SIDs?
+
+- SH_INFO_1_PTR (pointers to level 1 share info strings):
+
+Note: see cifsrap2.txt section5, page 10.
+
+ 0 for shi1_type indicates a Disk.
+ 1 for shi1_type indicates a Print Queue.
+ 2 for shi1_type indicates a Device.
+ 3 for shi1_type indicates an IPC pipe.
+ 0x8000 0000 (top bit set in shi1_type) indicates a hidden share.
+
+ VOID* shi1_netname - pointer to net name
+ UINT32 shi1_type - type of share. 0 - undocumented.
+ VOID* shi1_remark - pointer to comment.
+
+- SH_INFO_1_STR (level 1 share info strings) :
+
+ UNISTR2 shi1_netname - unicode string of net name
+ UNISTR2 shi1_remark - unicode string of comment.
+
+- SHARE_INFO_1_CTR :
+
+ share container with 0 entries:
+
+ UINT32 0 - EntriesRead
+ UINT32 0 - Buffer
+
+ share container with > 0 entries:
+
+ UINT32 EntriesRead
+ UINT32 non-zero - Buffer
+ UINT32 EntriesRead
+
+ SH_INFO_1_PTR[EntriesRead] share entry pointers
+ SH_INFO_1_STR[EntriesRead] share entry strings
+
+ UINT8[] padding to get unicode string 4-byte
+ aligned with start of the SMB header.
+ UINT32 EntriesRead
+ UINT32 0 - padding
+
+- SERVER_INFO_101 :
+
+Note: see cifs6.txt section 6.4 - the fields described therein will be
+ of assistance here. for example, the type listed below is the
+ same as fServerType, which is described in 6.4.1.
+
+ SV_TYPE_WORKSTATION 0x00000001 All workstations
+ SV_TYPE_SERVER 0x00000002 All servers
+ SV_TYPE_SQLSERVER 0x00000004 Any server running with SQL
+ server
+ SV_TYPE_DOMAIN_CTRL 0x00000008 Primary domain controller
+ SV_TYPE_DOMAIN_BAKCTRL 0x00000010 Backup domain controller
+ SV_TYPE_TIME_SOURCE 0x00000020 Server running the timesource
+ service
+ SV_TYPE_AFP 0x00000040 Apple File Protocol servers
+ SV_TYPE_NOVELL 0x00000080 Novell servers
+ SV_TYPE_DOMAIN_MEMBER 0x00000100 Domain Member
+ SV_TYPE_PRINTQ_SERVER 0x00000200 Server sharing print queue
+ SV_TYPE_DIALIN_SERVER 0x00000400 Server running dialin service.
+ SV_TYPE_XENIX_SERVER 0x00000800 Xenix server
+ SV_TYPE_NT 0x00001000 NT server
+ SV_TYPE_WFW 0x00002000 Server running Windows for
+
+ SV_TYPE_SERVER_NT 0x00008000 Windows NT non DC server
+ SV_TYPE_POTENTIAL_BROWSER 0x00010000 Server that can run the browser
+ service
+ SV_TYPE_BACKUP_BROWSER 0x00020000 Backup browser server
+ SV_TYPE_MASTER_BROWSER 0x00040000 Master browser server
+ SV_TYPE_DOMAIN_MASTER 0x00080000 Domain Master Browser server
+ SV_TYPE_LOCAL_LIST_ONLY 0x40000000 Enumerate only entries marked
+ "local"
+ SV_TYPE_DOMAIN_ENUM 0x80000000 Enumerate Domains. The pszServer
+ and pszDomain parameters must be
+ NULL.
+
+ UINT32 500 - platform_id
+ VOID* pointer to name
+ UINT32 5 - major version
+ UINT32 4 - minor version
+ UINT32 type (SV_TYPE_... bit field)
+ VOID* pointer to comment
+
+ UNISTR2 sv101_name - unicode string of server name
+ UNISTR2 sv_101_comment - unicode string of server comment.
+
+ UINT8[] padding to get unicode string 4-byte
+ aligned with start of the SMB header.
+
+
+
+3) Transact Named Pipe Header/Tail
+----------------------------------
+
+Interesting note: if you set packed data representation to 0x0100 0000 then
+all 4-byte and 2-byte word ordering is turned around.
+
+3.1) Header
+-----------
+
+The start of each of the NTLSA and NETLOGON named pipes begins with:
+
+00 UINT8 5 - RPC major version
+01 UINT8 0 - RPC minor version
+02 UINT8 2 - RPC response packet
+03 UINT8 3 - first frag + last frag
+04 UINT32 0x1000 0000 - packed data representation
+08 UINT16 fragment length - data size (bytes) inc header and tail.
+0A UINT16 0 - authentication length
+0C UINT32 call identifier. matches 12th UINT32 of incoming RPC data.
+10 UINT32 allocation hint - data size (bytes) minus header and tail.
+14 UINT16 0 - presentation context identifier
+16 UINT8 0 - cancel count
+17 UINT8 0 - reserved
+18 ...... start of data (goes on for allocation_hint bytes)
+
+
+3.2 Tail
+--------
+
+The end of each of the NTLSA and NETLOGON named pipes ends with:
+
+ ...... end of data
+ UINT32 return code
+
+
+
+4) NTLSA Transact Named Pipe
+----------------------------
+
+Defines for this pipe, identifying the query are:
+
+- LSA Open Policy: 0x2c
+- LSA Query Info Policy: 0x07
+- LSA Enumerate Trusted Domains: 0x0d
+- LSA Open Secret: 0xff
+- LSA Lookup SIDs: 0xfe
+- LSA Lookup Names: 0xfd
+- LSA Close: 0x00
+
+
+4.1) LSA Open Policy
+--------------------
+
+Note: The policy handle can be anything you like.
+
+Request:
+
+ no extra data.
+
+Response:
+
+ POL_HND LSA policy handle
+
+ return 0 - indicates success
+
+
+4.2) LSA Query Info Policy
+--------------------------
+
+Note: The info class in response must be the same as that in the request.
+
+Request:
+
+ POL_HND LSA policy handle
+ UINT16 info class (also a policy handle?)
+
+Response:
+
+ VOID* undocumented buffer pointer
+ UINT16 info class (same as info class in request).
+
+ switch (info class)
+ case 3:
+ case 5:
+ {
+ DOM_INFO domain info, levels 3 and 5 (are the same).
+ }
+
+ return 0 - indicates success
+
+
+4.3) LSA Enumerate Trusted Domains
+----------------------------------
+
+Request:
+
+ no extra data
+
+Response:
+
+ UINT32 0 - enumeration context
+ UINT32 0 - entries read
+ UINT32 0 - trust information
+
+ return 0x8000 001a - "no trusted domains" success code
+
+
+4.4) LSA Open Secret
+--------------------
+
+Request:
+
+ no extra data
+
+Response:
+
+ UINT32 0 - undocumented
+ UINT32 0 - undocumented
+ UINT32 0 - undocumented
+ UINT32 0 - undocumented
+ UINT32 0 - undocumented
+
+ return 0x0C00 0034 - "no such secret" success code
+
+
+4.5) LSA Close
+--------------
+
+Request:
+
+ no extra data
+
+Response:
+
+ UINT32 0 - undocumented
+ UINT32 0 - undocumented
+ UINT32 0 - undocumented
+ UINT32 0 - undocumented
+ UINT32 0 - undocumented
+
+ return 0 - indicates success
+
+
+4.6) LSA Lookup SIDS
+--------------------
+
+Note: num_entries in response must be same as num_entries in request.
+
+Request:
+
+ POL_HND LSA policy handle
+ UINT32 num_entries
+ VOID* undocumented domain SID buffer pointer
+ VOID* undocumented domain name buffer pointer
+ VOID*[num_entries] undocumented domain SID pointers to be looked up.
+ DOM_SID[num_entries] domain SIDs to be looked up.
+ char[16] completely undocumented 16 bytes.
+
+Response:
+
+ DOM_REF domain reference response
+
+ UINT32 num_entries (listed above)
+ VOID* undocumented buffer pointer
+
+ UINT32 num_entries (listed above)
+ DOM_SID2[num_entries] domain SIDs (from Request, listed above).
+
+ UINT32 num_entries (listed above)
+
+ return 0 - indicates success
+
+
+4.7) LSA Lookup Names
+---------------------
+
+Note: num_entries in response must be same as num_entries in request.
+
+Request:
+
+ POL_HND LSA policy handle
+ UINT32 num_entries
+ UINT32 num_entries
+ VOID* undocumented domain SID buffer pointer
+ VOID* undocumented domain name buffer pointer
+ NAME[num_entries] names to be looked up.
+ char[] undocumented bytes - falsely translated SID structure?
+
+Response:
+
+ DOM_REF domain reference response
+
+ UINT32 num_entries (listed above)
+ VOID* undocumented buffer pointer
+
+ UINT32 num_entries (listed above)
+ DOM_RID[num_entries] domain SIDs (from Request, listed above).
+
+ UINT32 num_entries (listed above)
+
+ return 0 - indicates success
+
+
+
+5) NETLOGON rpc Transact Named Pipe
+-----------------------------------
+
+Defines for this pipe, identifying the query are:
+
+- LSA Request Challenge: 0x04
+- LSA Server Password Set: 0x06
+- LSA SAM Logon: 0x02
+- LSA SAM Logoff: 0xfc
+- LSA Auth 2: 0x0f
+- LSA Logon Control: 0x0e
+
+
+5.1) LSA Request Challenge
+--------------------------
+
+Note: logon server name starts with two '\' characters and is upper case.
+
+Note: logon client is the machine, not the user.
+
+Note: the initial LanManager password hash, against which the challenge
+ is issued, is the machine name itself (lower case). there will be
+ calls issued (LSA Server Password Set) which will change this, later.
+ refusing these calls allows you to always deal with the same password
+ (i.e the LM# of the machine name in lower case).
+
+Request:
+
+ VOID* undocumented buffer pointer
+ UNISTR2 logon server unicode string
+ UNISTR2 logon client unicode string
+ char[8] client challenge
+
+Response:
+
+ char[8] server challenge
+
+ return 0 - indicates success
+
+
+
+5.2) LSA Authenticate 2
+-----------------------
+
+Note: in between request and response, calculate the client credentials,
+ and check them against the client-calculated credentials (this
+ process uses the previously received client credentials).
+
+Note: neg_flags in the response is the same as that in the request.
+
+Note: you must take a copy of the client-calculated credentials received
+ here, because they will be used in subsequent authentication packets.
+
+Request:
+
+ LOG_INFO client identification info
+
+ char[8] client-calculated credentials
+ UINT8[] padding to 4-byte align with start of SMB header.
+ UINT32 neg_flags - negotiated flags (usual value is 0x0000 01ff)
+
+Response:
+
+ char[8] server credentials.
+ UINT32 neg_flags - same as neg_flags in request.
+
+ return 0 - indicates success. failure value unknown.
+
+
+5.3) LSA Server Password Set
+----------------------------
+
+Note: the new password is suspected to be a DES encryption using the old
+ password to generate the key.
+
+Note: in between request and response, calculate the client credentials,
+ and check them against the client-calculated credentials (this
+ process uses the previously received client credentials).
+
+Note: the server credentials are constructed from the client-calculated
+ credentials and the client time + 1 second.
+
+Note: you must take a copy of the client-calculated credentials received
+ here, because they will be used in subsequent authentication packets.
+
+Request:
+
+ CLNT_INFO client identification/authentication info
+ char[] new password - undocumented.
+
+Response:
+
+ CREDS server credentials. server time stamp appears to be ignored.
+
+ return 0 - indicates success; 0xC000 006a indicates failure
+
+
+5.4) LSA SAM Logon
+------------------
+
+Note: valid_user is True iff the username and password hash are valid for
+ the requested domain.
+
+Request:
+
+ SAM_INFO sam_id structure
+
+Response:
+
+ VOID* undocumented buffer pointer
+ CREDS server credentials. server time stamp appears to be ignored.
+
+ if (valid_user)
+ {
+ UINT16 3 - switch value indicating USER_INFO structure.
+ VOID* non-zero - pointer to USER_INFO structure
+ USER_INFO user logon information
+
+ UINT32 1 - Authoritative response; 0 - Non-Auth?
+
+ return 0 - indicates success
+ }
+ else
+ {
+ UINT16 0 - switch value. value to indicate no user presumed.
+ VOID* 0x0000 0000 - indicates no USER_INFO structure.
+
+ UINT32 1 - Authoritative response; 0 - Non-Auth?
+
+ return 0xC000 0064 - NT_STATUS_NO_SUCH_USER.
+ }
+
+
+5.5) LSA SAM Logoff
+--------------------
+
+Note: presumably, the SAM_INFO structure is validated, and a (currently
+ undocumented) error code returned if the Logoff is invalid.
+
+Request:
+
+ SAM_INFO sam_id structure
+
+Response:
+
+ VOID* undocumented buffer pointer
+ CREDS server credentials. server time stamp appears to be ignored.
+
+ return 0 - indicates success. undocumented failure indication.
+
+
+6) \\MAILSLOT\NET\NTLOGON
+-------------------------
+
+Note: mailslots will contain a response mailslot, to which the response
+ should be sent. the target NetBIOS name is REQUEST_NAME<20>, where
+ REQUEST_NAME is the name of the machine that sent the request.
+
+
+6.1) Query for PDC
+------------------
+
+Note: NTversion, LMNTtoken, LM20token in response are the same as those
+ given in the request.
+
+Request:
+
+ UINT16 0x0007 - Query for PDC
+ STR machine name
+ STR response mailslot
+ UINT8[] padding to 2-byte align with start of mailslot.
+ UNISTR machine name
+ UINT32 NTversion
+ UINT16 LMNTtoken
+ UINT16 LM20token
+
+Response:
+
+ UINT16 0x000A - Respose to Query for PDC
+ STR machine name (in uppercase)
+ UINT8[] padding to 2-byte align with start of mailslot.
+ UNISTR machine name
+ UNISTR domain name
+ UINT32 NTversion (same as received in request)
+ UINT16 LMNTtoken (same as received in request)
+ UINT16 LM20token (same as received in request)
+
+
+6.2) SAM Logon
+--------------
+
+Note: machine name in response is preceded by two '\' characters.
+
+Note: NTversion, LMNTtoken, LM20token in response are the same as those
+ given in the request.
+
+Note: user name in the response is presumably the same as that in the request.
+
+Request:
+
+ UINT16 0x0012 - SAM Logon
+ UINT16 request count
+ UNISTR machine name
+ UNISTR user name
+ STR response mailslot
+ UINT32 alloweable account
+ UINT32 domain SID size
+ char[sid_size] domain SID, of sid_size bytes.
+ UINT8[] ???? padding to 4? 2? -byte align with start of mailslot.
+ UINT32 NTversion
+ UINT16 LMNTtoken
+ UINT16 LM20token
+
+Response:
+
+ UINT16 0x0013 - Response to SAM Logon
+ UNISTR machine name
+ UNISTR user name - workstation trust account
+ UNISTR domain name
+ UINT32 NTversion
+ UINT16 LMNTtoken
+ UINT16 LM20token
+
+
+
+7) SRVSVC Transact Named Pipe
+-----------------------------
+
+
+Defines for this pipe, identifying the query are:
+
+- Net Share Enum : 0x0f
+- Net Server Get Info : 0x15
+
+
+7.1) Net Share Enum
+------------------
+
+Note: share level and switch value in the response are presumably the
+ same as those in the request.
+
+Note: cifsrap2.txt (section 5) may be of limited assistance here.
+
+Request:
+
+ VOID* pointer (to server name?)
+ UNISTR2 server name
+
+ UINT8[] padding to get unicode string 4-byte aligned
+ with the start of the SMB header.
+
+ UINT32 share level
+ UINT32 switch value
+
+ VOID* pointer to SHARE_INFO_1_CTR
+ SHARE_INFO_1_CTR share info with 0 entries
+
+ UINT32 preferred maximum length (0xffff ffff)
+
+Response:
+
+ UINT32 share level
+ UINT32 switch value
+
+ VOID* pointer to SHARE_INFO_1_CTR
+ SHARE_INFO_1_CTR share info (only added if share info ptr is non-zero)
+
+ return 0 - indicates success
+
+
+7.2) Net Server Get Info
+------------------
+
+Note: level is the same value as in the request.
+
+Request:
+
+ UNISTR2 server name
+ UINT32 switch level
+
+Response:
+
+ UINT32 switch level
+ VOID* pointer to SERVER_INFO_101
+
+ SERVER_INFO_101 server info (only added if server info ptr is non-zero)
+
+ return 0 - indicates success
+
+
+
+Appendix
+--------
+
+A1) Cryptographic side of NT Domain Authentication
+--------------------------------------------------
+
+Definitions
+-----------
+
+Add(A1,A2): Intel byte ordered addition of corresponding 4 byte
+ words in arrays A1 and A2
+
+E(K,D): DES ECB encryption of 8 byte data D using 7 byte key K
+
+lmowf(): Lan man hash
+
+ntowf(): NT hash
+
+PW: md4(machine_password) =3D=3D md4(lsadump $machine.acc)
+ =3D=3D pwdump(machine$)
+ (initially) =3D=3D md4(lmowf(unicode(machine)))
+
+RC4(K,Lk,D,Ld): RC4 encryption of data D of length Ld with key K
+ of length Lk
+
+v[m..n(,l)]: subset of v from bytes m to n, optionally padded
+ with zeroes to length l
+
+Cred(K,D): E(K[7..7,7],E(K[0..6],D)) computes a credential
+
+Time(): 4 byte current time
+
+Cc,Cs: 8 byte client and server challenges
+Rc,Rs: 8 byte client and server credentials
+