From eb66b26cd18ceef2368506479d90bf7e4f0f83a0 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Sat, 25 Mar 2006 01:00:37 +0000
Subject: r14701: Allow, with non-default options, NTLMSSP to access the LM
 session key, even when not sending the LM response.  Needed to pass the
 test_session_key against Win2k3.

Yes, I think this is a security flaw in the use of Win2k3-compatible NTLM.

Andrew Bartlett
(This used to be commit cb6c27b4f29878a6a904f798e228eea05cc658e1)
---
 source4/auth/ntlmssp/ntlmssp_client.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'source4/auth/ntlmssp')

diff --git a/source4/auth/ntlmssp/ntlmssp_client.c b/source4/auth/ntlmssp/ntlmssp_client.c
index 79f62349a6..1244c0dfbc 100644
--- a/source4/auth/ntlmssp/ntlmssp_client.c
+++ b/source4/auth/ntlmssp/ntlmssp_client.c
@@ -194,8 +194,9 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
 	}
 	
 	if (!(flags & CLI_CRED_LANMAN_AUTH)) {
-		/* LM Key is incompatible... */
-		gensec_ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
+		/* LM Key is still possible, just silly.  Fortunetly
+		 * we require command line options to end up here */
+		/* gensec_ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY; */
 	}
 
 	if (!(flags & CLI_CRED_NTLM2)) {
-- 
cgit