Do not add NTLM2 to the NTLMSSP flags unconditionally - allow the

defaults specified by the caller to prevail.

Don't use NTLM2 for RPC pipes, until we know how it works in signing or sealing.

Call ntlmssp_sign_init() unconditionally in the client - we setup the
session key, why not setup the rest of the data.

Andrew Bartlett

1 files changed, 6 insertions, 2 deletions

diff --git a/source/libsmb/ntlmssp.c b/source/libsmb/ntlmssp.c
index a0da1efcc10..d3611960471 100644
--- a/source/libsmb/ntlmssp.c
+++ b/source/libsmb/ntlmssp.c
@@ -774,8 +774,6 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
 		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2;
 	}
 
-	ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2;
-	
 	/* generate the ntlmssp negotiate packet */
 	msrpc_gen(next_request, "CddAA",
 		  "NTLMSSP",
@@ -812,6 +810,7 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state,
 	DATA_BLOB nt_response = data_blob(NULL, 0);
 	DATA_BLOB session_key = data_blob(NULL, 0);
 	DATA_BLOB encrypted_session_key = data_blob(NULL, 0);
+	NTSTATUS nt_status;
 
 	if (!msrpc_parse(&reply, "CdBd",
 			 "NTLMSSP",
@@ -1002,6 +1001,11 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state,
 
 	ntlmssp_state->expected_state = NTLMSSP_UNKNOWN;
 
+	if (!NT_STATUS_IS_OK(nt_status = ntlmssp_sign_init(ntlmssp_state))) {
+		DEBUG(1, ("Could not setup NTLMSSP signing/sealing system (error was: %s)\n", nt_errstr(nt_status)));
+		return nt_status;
+	}
+
 	return NT_STATUS_MORE_PROCESSING_REQUIRED;
 }