2 files changed, 44 insertions, 15 deletions

diff --git a/source4/heimdal/lib/gssapi/8003.c b/source4/heimdal/lib/gssapi/8003.c
index ad580811a5..73ecc90ea8 100644
--- a/source4/heimdal/lib/gssapi/8003.c
+++ b/source4/heimdal/lib/gssapi/8003.c
@@ -185,13 +185,9 @@ gssapi_krb5_verify_8003_checksum(
 	return GSS_S_BAD_BINDINGS;
     }
     
-    /* This is the case where Samba3 has built GSSAPI out of
-     * krb5 the 'dodgy' way.  We have to accept the non-GSSAPI
-     * checksum because windows does */
-    
     if(cksum->cksumtype != CKSUMTYPE_GSSAPI) {
-	    *flags = 0;
-	    return GSS_S_COMPLETE;
+	*minor_status = 0;
+	return GSS_S_BAD_BINDINGS;
     }
     
     /* XXX should handle checksums > 24 bytes */
diff --git a/source4/heimdal/lib/gssapi/accept_sec_context.c b/source4/heimdal/lib/gssapi/accept_sec_context.c
index 9ca60a6cdd..afca449c5c 100644
--- a/source4/heimdal/lib/gssapi/accept_sec_context.c
+++ b/source4/heimdal/lib/gssapi/accept_sec_context.c
@@ -371,15 +371,48 @@ gsskrb5_acceptor_start
 	    return ret;
 	}
 
-	ret = gssapi_krb5_verify_8003_checksum(minor_status,
-					       input_chan_bindings,
-					       authenticator->cksum,
-					       &flags,
-					       &(*context_handle)->fwd_data);
-	krb5_free_authenticator(gssapi_krb5_context, &authenticator);
-	if (ret) {
-	    return ret;
-	}
+        if (authenticator->cksum->cksumtype == CKSUMTYPE_GSSAPI) {
+            ret = gssapi_krb5_verify_8003_checksum(minor_status,
+                                                   input_chan_bindings,
+                                                   authenticator->cksum,
+                                                   &flags,
+                                                   &(*context_handle)->fwd_data);
+
+	    krb5_free_authenticator(gssapi_krb5_context, &authenticator);
+	    if (ret) {
+		return ret;
+	    }
+        } else {
+	    krb5_crypto crypto;
+
+	    kret = krb5_crypto_init(gssapi_krb5_context, 
+				   (*context_handle)->auth_context->keyblock, 
+				   0, &crypto);
+	    if(kret) {
+		krb5_free_authenticator(gssapi_krb5_context, &authenticator);
+
+		ret = GSS_S_FAILURE;
+		*minor_status = kret;
+		gssapi_krb5_set_error_string ();
+		return ret;
+	    }
+
+	    /* Windows accepts Samba3's use of a kerberos, 
+	       rather than GSSAPI checksum here */
+	    kret = krb5_verify_checksum(gssapi_krb5_context,
+					crypto, KRB5_KU_AP_REQ_AUTH_CKSUM, NULL, 0,
+					authenticator->cksum);
+	    krb5_free_authenticator(gssapi_krb5_context, &authenticator);
+
+	    if(kret) {
+		ret = GSS_S_FAILURE;
+		*minor_status = kret;
+		gssapi_krb5_set_error_string ();
+		return ret;
+	    }
+
+	    flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
+        }
     }
     
     if(flags & GSS_C_MUTUAL_FLAG) {