Patch for Ticket#: 2015061621000357
diff -Nuar heimdal-1.6~git20120403+dfsg1.orig/debian/patches/98_allow-no-checksum.patch heimdal-1.6~git20120403+dfsg1/debian/patches//98_allow-no-checksum.patch
--- heimdal-1.6~git20120403+dfsg1.orig/debian/patches/98_allow-no-checksum.patch 1970-01-01 01:00:00.000000000 +0100
+++ heimdal-1.6~git20120403+dfsg1/debian/patches//98_allow-no-checksum.patch 2015-06-30 11:31:28.000000000 +0200
@@ -0,0 +1,062 @@
+From 13c983e3f312e6ef743981aae55e7d0020d67664 Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett
+Date: Fri, 26 Jun 2015 19:14:56 +1200
+Subject: [PATCH 2/3] heimdal: Allow a mode where the client sends no checksum
+ at all
+
+This was seen in the wild, with a real NAS against the AD DC
+
+Signed-off-by: Andrew Bartlett
+---
+ .../heimdal/lib/gssapi/krb5/accept_sec_context.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/lib/gssapi/krb5/accept_sec_context.c b/lib/gssapi/krb5/accept_sec_context.c
+index 5a00e12..137f10a 100644
+--- a/lib/gssapi/krb5/accept_sec_context.c
++++ b/lib/gssapi/krb5/accept_sec_context.c
+@@ -510,13 +510,8 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
+ return ret;
+ }
+
+- if (authenticator->cksum == NULL) {
+- krb5_free_authenticator(context, &authenticator);
+- *minor_status = 0;
+- return GSS_S_BAD_BINDINGS;
+- }
+-
+- if (authenticator->cksum->cksumtype == CKSUMTYPE_GSSAPI) {
++ if (authenticator->cksum != NULL
++ && authenticator->cksum->cksumtype == CKSUMTYPE_GSSAPI) {
+ ret = _gsskrb5_verify_8003_checksum(minor_status,
+ input_chan_bindings,
+ authenticator->cksum,
+@@ -527,7 +522,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
+ if (ret) {
+ return ret;
+ }
+- } else {
++ } else if (authenticator->cksum != NULL) {
+ krb5_crypto crypto;
+
+ kret = krb5_crypto_init(context,
+@@ -565,7 +560,15 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
+ ctx->flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
+ if (ap_options & AP_OPTS_MUTUAL_REQUIRED)
+ ctx->flags |= GSS_C_MUTUAL_FLAG;
+- }
++ } else {
++ /*
++ * Windows also accepts no checksum, and some clients send
++ * this, so here also ap_options to guess the mutual flag.
++ */
++ ctx->flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
++ if (ap_options & AP_OPTS_MUTUAL_REQUIRED)
++ ctx->flags |= GSS_C_MUTUAL_FLAG;
++ }
+ }
+
+ if(ctx->flags & GSS_C_MUTUAL_FLAG) {
+--
+2.1.4
+
diff -Nuar samba-4.2.2.orig/debian/patches/series samba-4.2.2/debian/patches//series
--- samba-4.2.2.orig/debian/patches/series 2015-06-30 11:15:36.000000000 +0200
+++ samba-4.2.2/debian/patches//series 2015-06-30 11:31:28.000000000 +0200
@@ -10000,0 +10000,1 @@
+98_allow-no-checksum.patch
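Review bot: The new final `else` branch in the third inner hunk of `gsskrb5_acceptor_start` accepts an authenticator that carries no checksum without ever consulting `input_chan_bindings`. An acceptor that passed channel bindings therefore gets an established context with those bindings unverified, where the removed code returned `GSS_S_BAD_BINDINGS`. The only visible use of the bindings is the `_gsskrb5_verify_8003_checksum` call, which this path skips, so the checksum-less mode should be limited to callers that passed `GSS_C_NO_CHANNEL_BINDINGS`, as sketched below. The removed early return also released `authenticator` with `krb5_free_authenticator`; the cleanup for the two checksum branches lies outside the hunks, so it is worth confirming the new branch frees it on every path as well. The function body starts and ends outside the hunks shown.

```c
	} else {
	    /* No checksum means there is no channel-binding data to compare against. */
	    if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS) {
		krb5_free_authenticator(context, &authenticator);
		*minor_status = 0;
		return GSS_S_BAD_BINDINGS;
	    }
	    /* ... unchanged: comment and flag guess from ap_options ... */
```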