Index: samba-4.10.1/source4/dsdb/samdb/ldb_modules/password_hash.c
===================================================================
--- samba-4.10.1.orig/source4/dsdb/samdb/ldb_modules/password_hash.c
+++ samba-4.10.1/source4/dsdb/samdb/ldb_modules/password_hash.c
@@ -419,9 +419,10 @@ static int password_hash_bypass(struct l
 "PrimaryKerberos num_old_keys > num_keys");
 }
 
- if (k->ctr.ctr3.keys[0].keytype != ENCTYPE_DES_CBC_MD5) {
+ if (k->ctr.ctr3.keys[0].keytype != ENCTYPE_DES_CBC_MD5 &&
+ k->ctr.ctr3.keys[0].keytype != DUMMY_NTHASH_KEYTYPE) {
 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
- "PrimaryKerberos key[0] != DES_CBC_MD5");
+ "PrimaryKerberos key[0] != DES_CBC_MD5 and != DUMMY_NTHASH_KEYTYPE");
 }
 // W2k8 and later DCs pass a dummy NThash to W2k3 DCs
 // [MS-SAMR] Section 2.2.10.8 footnote <23>
@@ -430,7 +431,8 @@ static int password_hash_bypass(struct l
 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
 "PrimaryKerberos key[1] != DES_CBC_CRC and != DUMMY_NTHASH_KEYTYPE");
 }
- if (k->ctr.ctr3.keys[0].value_len != 8) {
+ if (k->ctr.ctr3.keys[0].value_len != 8 &&
+ k->ctr.ctr3.keys[0].keytype == ENCTYPE_DES_CBC_MD5) {
 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
 "PrimaryKerberos key[0] value_len != 8");
 }
@@ -512,9 +514,10 @@ static int password_hash_bypass(struct l
 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
 "KerberosNewerKeys key[1] != AES128");
 }
- if (k->ctr.ctr4.keys[2].keytype != ENCTYPE_DES_CBC_MD5) {
+ if (k->ctr.ctr4.keys[2].keytype != ENCTYPE_DES_CBC_MD5 &&
+ k->ctr.ctr4.keys[2].keytype != DUMMY_NTHASH_KEYTYPE) {
 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
- "KerberosNewerKeys key[2] != DES_CBC_MD5");
+ "KerberosNewerKeys key[2] != DES_CBC_MD5 and != DUMMY_NTHASH_KEYTYPE");
 }
 // W2k8 and later DCs pass a dummy NThash to W2k3 DCs
 // [MS-SAMR] Section 2.2.10.8 footnote <23>
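Review bot: The widened key[0] check in the `@@ -419,9 +419,10 @@` hunk carries no comment saying why slot 0 may now hold DUMMY_NTHASH_KEYTYPE. The existing `// W2k8 and later DCs pass a dummy NThash to W2k3 DCs` comment sits below it and, judging by the key[1] error string visible in the next hunk, appears to document the key[1] check instead. Every check here rejects a credential blob with an unexpected key layout, so each relaxation deserves a comment above the `if` saying which peer produces the layout, along the lines of `/* key[0] may carry DUMMY_NTHASH_KEYTYPE instead of DES_CBC_MD5 when <sender/condition to be filled in> */`. The same applies to the keys[2] check in the `@@ -512,9 +514,10 @@` hunk; password_hash_bypass starts and ends outside both hunks.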
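Review bot: In the `@@ -430,7 +431,8 @@` hunk, a key[0] with DUMMY_NTHASH_KEYTYPE now gets no value_len check at all, because the rewritten condition only fires when the keytype is ENCTYPE_DES_CBC_MD5. A blob with the dummy keytype and an arbitrary length therefore passes this layout validation. If the dummy entry has a fixed size, it should be enforced in a second branch, e.g. `} else if (k->ctr.ctr3.keys[0].value_len != EXPECTED_DUMMY_LEN) {`, where EXPECTED_DUMMY_LEN is a placeholder for whatever length the sender uses. Testing the keytype first, `if (k->ctr.ctr3.keys[0].keytype == ENCTYPE_DES_CBC_MD5 && k->ctr.ctr3.keys[0].value_len != 8) {`, would also make the intent easier to read. The same gap exists for ctr4 keys[2] in the `@@ -532,7 +535,8 @@` hunk; whether later code reads the value bytes of these keys is not visible here, as the function continues outside the hunks.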
@@ -532,7 +535,8 @@ static int password_hash_bypass(struct l
 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
 "KerberosNewerKeys key[1] value_len != 16");
 }
- if (k->ctr.ctr4.keys[2].value_len != 8) {
+ if (k->ctr.ctr4.keys[2].value_len != 8 &&
+ k->ctr.ctr4.keys[2].keytype == ENCTYPE_DES_CBC_MD5) {
 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
 "KerberosNewerKeys key[2] value_len != 8");
 }