From 1ec7132b3058fb9d20ac188ea1840db2b068bea1 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Sun, 7 May 2006 09:28:49 +0000
Subject: r15484: Make accept_security_context() more compatible with how
 Samba3 (and similarly built clients) behave.

This is better than just ignoring the checksum, if it isn't the GSSAPI
checksum.  (Samba4 clients in Samba3 mode use more than just the MD5
checksum, and will use a signed AES checksum if available.  Actual
samba3 may well do the same in future, against a suitable KDC).

Also a change for easier debugging of checksum issues.

Andrew Bartlett
(This used to be commit 120374f5f9e9af0653a26e0308e4bfdabbcaa3f3)
---
 source4/heimdal/lib/krb5/crypto.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'source4/heimdal/lib/krb5')

diff --git a/source4/heimdal/lib/krb5/crypto.c b/source4/heimdal/lib/krb5/crypto.c
index 2e8160518b..1a37ec538b 100644
--- a/source4/heimdal/lib/krb5/crypto.c
+++ b/source4/heimdal/lib/krb5/crypto.c
@@ -2042,7 +2042,8 @@ verify_checksum(krb5_context context,
     }
     keyed_checksum = (ct->flags & F_KEYED) != 0;
     if(keyed_checksum && crypto == NULL) {
-	krb5_clear_error_string (context);
+	krb5_set_error_string (context, "checksum type %s is keyed, and requires a crypto context",
+			       ct->name);
 	return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
     }
     if(keyed_checksum)
-- 
cgit