authorAndrew Bartlett <abartlet@samba.org>2010-12-10 12:10:07 +1100
committerAndrew Bartlett <abartlet@samba.org>2010-12-10 16:08:31 +1100
commit5cfe949108f253a8e20c835cb53fe6f5eae7fbb5 (patch)
tree0b25600ee3c2f017adc56afccb6cc3bc95d025d9
parentf13404e27b00f826a11684e69cff82ae0023fc91 (diff)
s3-winbind Don't send the LM password to the server, ever
This is for the case where we have the plaintext password locally, and can construct the challenge-response values here. We should never ever use the LM password in domain authentication. The last domain controller to only have LM passwords stored was NT 3.5. Andrew Bartlett
-rw-r--r--source3/winbindd/winbindd_pam.c12
1 files changed, 1 insertions, 11 deletions
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index d52d4e2703..23ffb87b7e 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1145,7 +1145,6 @@ static NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain,
DATA_BLOB lm_resp;
DATA_BLOB nt_resp;
int attempts = 0;
- unsigned char local_lm_response[24];
unsigned char local_nt_response[24];
fstring name_domain, name_user;
bool retry;
@@ -1198,16 +1197,7 @@ static NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain,
data_blob_free(&nt_response);
} else {
- if (lp_client_lanman_auth()
- && SMBencrypt(state->request->data.auth.pass,
- chal,
- local_lm_response)) {
- lm_resp = data_blob_talloc(state->mem_ctx,
- local_lm_response,
- sizeof(local_lm_response));
- } else {
- lm_resp = data_blob_null;
- }
+ lm_resp = data_blob_null;
SMBNTencrypt(state->request->data.auth.pass,
chal,
local_nt_response);
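Review bot: The added `lm_resp = data_blob_null;` has no comment saying the empty LM response is deliberate, and this branch no longer consults `lp_client_lanman_auth()`. The `client lanman auth` setting therefore has no effect on this path, and a later maintainer could reinstate the removed branch as an apparent compatibility fix. I would put a comment directly above the assignment, for example `/* Never send an LM response in domain authentication, whatever "client lanman auth" says; only the NT response is built from the plaintext password. */`. It may also be worth checking that `local_nt_response`, which is derived from the plaintext password, is cleared once it has been copied into `nt_resp`; that code is not visible here. The body of winbindd_dual_pam_auth_samlogon starts and ends outside the hunk, so how the empty `lm_resp` is consumed further down cannot be confirmed from these lines.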