diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 5e696be6c70..2049cad477c 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -2873,18 +2873,6 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
 	DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n", (unsigned long)state->pid,
 		  name_domain, name_user));
 
-	if (state->request->data.auth_crap.lm_resp_len > sizeof(state->request->data.auth_crap.lm_resp)
-		|| state->request->data.auth_crap.nt_resp_len > sizeof(state->request->data.auth_crap.nt_resp)) {
-		if (!(state->request->flags & WBFLAG_BIG_NTLMV2_BLOB) ||
-		     state->request->extra_len != state->request->data.auth_crap.nt_resp_len) {
-			DEBUG(0, ("winbindd_pam_auth_crap: invalid password length %u/%u\n",
-				  state->request->data.auth_crap.lm_resp_len,
-				  state->request->data.auth_crap.nt_resp_len));
-			result = NT_STATUS_INVALID_PARAMETER;
-			goto done;
-		}
-	}
-
 	lm_resp = data_blob_talloc(state->mem_ctx, state->request->data.auth_crap.lm_resp,
 					state->request->data.auth_crap.lm_resp_len);
 
diff --git a/source3/winbindd/winbindd_pam_auth_crap.c b/source3/winbindd/winbindd_pam_auth_crap.c
index 98c43cdaa29..25e6bad687b 100644
--- a/source3/winbindd/winbindd_pam_auth_crap.c
+++ b/source3/winbindd/winbindd_pam_auth_crap.c
@@ -140,6 +140,18 @@ struct tevent_req *winbindd_pam_auth_crap_send(
 		fstrcpy(request->data.auth_crap.workstation, lp_netbios_name());
 	}
 
+	if (request->data.auth_crap.lm_resp_len > sizeof(request->data.auth_crap.lm_resp)
+		|| request->data.auth_crap.nt_resp_len > sizeof(request->data.auth_crap.nt_resp)) {
+		if (!(request->flags & WBFLAG_BIG_NTLMV2_BLOB) ||
+		     request->extra_len != request->data.auth_crap.nt_resp_len) {
+			DBG_ERR("Invalid password length %u/%u\n",
+				request->data.auth_crap.lm_resp_len,
+				request->data.auth_crap.nt_resp_len);
+			tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+			return tevent_req_post(req, ev);
+		}
+	}
+
 	subreq = wb_domain_request_send(state, global_event_context(), domain,
 					request);
 	if (tevent_req_nomem(subreq, req)) {