diff options
Diffstat (limited to 'source4/auth/credentials/credentials_ntlm.c')
| -rw-r--r-- | source4/auth/credentials/credentials_ntlm.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/source4/auth/credentials/credentials_ntlm.c b/source4/auth/credentials/credentials_ntlm.c index 8540d07305..6a8b284e78 100644 --- a/source4/auth/credentials/credentials_ntlm.c +++ b/source4/auth/credentials/credentials_ntlm.c @@ -56,6 +56,18 @@ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_ cli_credentials_get_ntlm_username_domain(cred, mem_ctx, &user, &domain); + /* If we are sending a username@realm login (see function + * above), then we will not send LM, it will not be + * accepted */ + if (cred->principal_obtained > cred->username_obtained) { + *flags = *flags & ~CLI_CRED_LANMAN_AUTH; + } + + /* Likewise if we are a machine account (avoid protocol downgrade attacks) */ + if (cred->principal_obtained > cred->username_obtained) { + *flags = *flags & ~CLI_CRED_LANMAN_AUTH; + } + if (!nt_hash) { static const uint8_t zeros[16]; /* do nothing - blobs are zero length */ |