From 5cfe949108f253a8e20c835cb53fe6f5eae7fbb5 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 10 Dec 2010 12:10:07 +1100 Subject: [PATCH] s3-winbind Don't send the LM password to the server, ever This is for the case where we have the plaintext password locally, and can construct the challenge-response values here. We should never ever use the LM password in domain authentication. The last domain controller to only have LM passwords stored was NT 3.5. Andrew Bartlett --- source3/winbindd/winbindd_pam.c | 12 +----------- 1 file changed, 1 insertion(+), 11 deletions(-) diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index d52d4e27031..23ffb87b7e0 100644 --- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c @@ -1145,7 +1145,6 @@ static NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain, DATA_BLOB lm_resp; DATA_BLOB nt_resp; int attempts = 0; - unsigned char local_lm_response[24]; unsigned char local_nt_response[24]; fstring name_domain, name_user; bool retry; @@ -1198,16 +1197,7 @@ static NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain, data_blob_free(&nt_response); } else { - if (lp_client_lanman_auth() - && SMBencrypt(state->request->data.auth.pass, - chal, - local_lm_response)) { - lm_resp = data_blob_talloc(state->mem_ctx, - local_lm_response, - sizeof(local_lm_response)); - } else { - lm_resp = data_blob_null; - } + lm_resp = data_blob_null; SMBNTencrypt(state->request->data.auth.pass, chal, local_nt_response); -- 2.34.1