2 files changed, 13 insertions, 6 deletions

diff --git a/source4/auth/ntlmssp/ntlmssp.c b/source4/auth/ntlmssp/ntlmssp.c
index 82d6dd0e8f..ef870af3bf 100644
--- a/source4/auth/ntlmssp/ntlmssp.c
+++ b/source4/auth/ntlmssp/ntlmssp.c
@@ -123,7 +123,12 @@ static NTSTATUS gensec_ntlmssp_update(struct gensec_security *gensec_security,
 	*out = data_blob(NULL, 0);
 
 	if (gensec_ntlmssp_state->expected_state == NTLMSSP_DONE) {
-		return NT_STATUS_OK;
+		/* We are strict here because other modules, which we
+		 * don't fully control (such as GSSAPI) are also
+		 * strict, but are tested less often */
+
+		DEBUG(1, ("Called NTLMSSP after state machine was 'done'\n"));
+		return NT_STATUS_INVALID_PARAMETER;
 	}
 
 	if (!out_mem_ctx) {
diff --git a/source4/auth/ntlmssp/ntlmssp_client.c b/source4/auth/ntlmssp/ntlmssp_client.c
index 726885c82f..add774f84e 100644
--- a/source4/auth/ntlmssp/ntlmssp_client.c
+++ b/source4/auth/ntlmssp/ntlmssp_client.c
@@ -353,11 +353,13 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
 
 	gensec_ntlmssp_state->expected_state = NTLMSSP_DONE;
 
-	nt_status = ntlmssp_sign_init(gensec_ntlmssp_state);
-	if (!NT_STATUS_IS_OK(nt_status)) {
-		DEBUG(1, ("Could not setup NTLMSSP signing/sealing system (error was: %s)\n", 
-			  nt_errstr(nt_status)));
-		return nt_status;
+	if (gensec_security->want_features & GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL) {
+		nt_status = ntlmssp_sign_init(gensec_ntlmssp_state);
+		if (!NT_STATUS_IS_OK(nt_status)) {
+			DEBUG(1, ("Could not setup NTLMSSP signing/sealing system (error was: %s)\n", 
+				  nt_errstr(nt_status)));
+			return nt_status;
+		}
 	}
 
 	return nt_status;