Do not add NTLM2 to the NTLMSSP flags unconditionally - allow the

defaults specified by the caller to prevail.

Don't use NTLM2 for RPC pipes, until we know how it works in signing or sealing.

Call ntlmssp_sign_init() unconditionally in the client - we setup the
session key, why not setup the rest of the data.

Andrew Bartlett
(This used to be commit 48123f7e42c3fde85887de23c80ceee04c2f6281)

1 files changed, 4 insertions, 8 deletions

diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 7517777920..49abf787ee 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -822,14 +822,6 @@ static NTSTATUS create_rpc_bind_resp(struct cli_state *cli,
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	if (cli->pipe_auth_flags & AUTH_PIPE_SIGN) {
-		nt_status = ntlmssp_sign_init(cli->ntlmssp_pipe_state);
-		
-		if (!NT_STATUS_IS_OK(nt_status)) {
-			return nt_status;
-		}
-	}
-
 	data_blob_free(&ntlmssp_reply);
 	return NT_STATUS_OK;
 }
@@ -1336,6 +1328,10 @@ static BOOL rpc_pipe_bind(struct cli_state *cli, int pipe_idx, const char *my_na
 		if (!NT_STATUS_IS_OK(nt_status))
 			return False;
 
+		/* Currently the NTLMSSP code does not implement NTLM2 correctly for signing or sealing */
+
+		cli->ntlmssp_pipe_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
+
 		nt_status = ntlmssp_set_username(cli->ntlmssp_pipe_state, 
 						 cli->user_name);
 		if (!NT_STATUS_IS_OK(nt_status))