2 files changed, 13 insertions, 3 deletions

diff --git a/source4/auth/credentials/credentials_ntlm.c b/source4/auth/credentials/credentials_ntlm.c
index aa9a113e8d..1d181ae958 100644
--- a/source4/auth/credentials/credentials_ntlm.c
+++ b/source4/auth/credentials/credentials_ntlm.c
@@ -144,6 +144,7 @@ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_
 		/* LM Key is incompatible... */
 		*flags &= ~CLI_CRED_LANMAN_AUTH;
 	} else {
+		uint8_t lm_hash[16];
 		nt_response = data_blob_talloc(mem_ctx, NULL, 24);
 		SMBOWFencrypt(nt_hash->hash, challenge.data,
 			      nt_response.data);
@@ -160,7 +161,6 @@ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_
 			if (!password) {
 				lm_response = nt_response;
 			} else {
-				uint8_t lm_hash[16];
 				lm_response = data_blob_talloc(mem_ctx, NULL, 24);
 				if (!SMBencrypt(password,challenge.data,
 						lm_response.data)) {
@@ -188,6 +188,15 @@ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_
 			/* LM Key is incompatible... */
 			lm_response = nt_response;
 			*flags &= ~CLI_CRED_LANMAN_AUTH;
+
+			const char *password;
+			password = cli_credentials_get_password(cred);
+			if (password) {
+				E_deshash(password, lm_hash);
+				lm_session_key = data_blob_talloc(mem_ctx, NULL, 16);
+				memcpy(lm_session_key.data, lm_hash, 8);
+				memset(&lm_session_key.data[8], '\0', 8);
+			}
 		}
 	}
 	if (_lm_response) {
diff --git a/source4/auth/ntlmssp/ntlmssp_client.c b/source4/auth/ntlmssp/ntlmssp_client.c
index 79f62349a6..1244c0dfbc 100644
--- a/source4/auth/ntlmssp/ntlmssp_client.c
+++ b/source4/auth/ntlmssp/ntlmssp_client.c
@@ -194,8 +194,9 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
 	}
 	
 	if (!(flags & CLI_CRED_LANMAN_AUTH)) {
-		/* LM Key is incompatible... */
-		gensec_ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
+		/* LM Key is still possible, just silly.  Fortunetly
+		 * we require command line options to end up here */
+		/* gensec_ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY; */
 	}
 
 	if (!(flags & CLI_CRED_NTLM2)) {