s3-winbind Don't send the LM password to the server, ever
authorAndrew Bartlett <abartlet@samba.org>
Fri, 10 Dec 2010 01:10:07 +0000 (12:10 +1100)
committerAndrew Bartlett <abartlet@samba.org>
Fri, 10 Dec 2010 05:08:31 +0000 (16:08 +1100)
This is for the case where we have the plaintext password locally, and
can construct the challenge-response values here.

We should never ever use the LM password in domain authentication.
The last domain controller to only have LM passwords stored was NT
3.5.

Andrew Bartlett

source3/winbindd/winbindd_pam.c

index d52d4e27031791f0b9d3927dd29af0dc05fa5e57..23ffb87b7e09416e8019944b02800f6af6e86a81 100644 (file)
@@ -1145,7 +1145,6 @@ static NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain,
        DATA_BLOB lm_resp;
        DATA_BLOB nt_resp;
        int attempts = 0;
-       unsigned char local_lm_response[24];
        unsigned char local_nt_response[24];
        fstring name_domain, name_user;
        bool retry;
@@ -1198,16 +1197,7 @@ static NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain,
                data_blob_free(&nt_response);
 
        } else {
-               if (lp_client_lanman_auth()
-                   && SMBencrypt(state->request->data.auth.pass,
-                                 chal,
-                                 local_lm_response)) {
-                       lm_resp = data_blob_talloc(state->mem_ctx,
-                                                  local_lm_response,
-                                                  sizeof(local_lm_response));
-               } else {
-                       lm_resp = data_blob_null;
-               }
+               lm_resp = data_blob_null;
                SMBNTencrypt(state->request->data.auth.pass,
                             chal,
                             local_nt_response);
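Review bot: The bare `lm_resp = data_blob_null;` in the else branch has no comment saying the empty LM response is deliberate, and `lp_client_lanman_auth()` is no longer consulted on this path. I would add `/* Deliberately no LM response: never send it for domain authentication, regardless of 'client lanman auth' */` above the assignment so the conditional is not reintroduced later. The removed code already fell back to `data_blob_null` when LANMAN auth was disabled, so the later code should already handle an empty blob, though that code is outside the hunk. The enclosing function winbindd_dual_pam_auth_samlogon starts and ends outside the hunk.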