[cifs-protocol] No mention of deviation from MS-KILE regarding non-gssapi or absent checksums in AP-REQ

Andrew Bartlett abartlet at samba.org
Wed Jul 8 21:10:25 UTC 2015

RFC 4121 4.1.1 says that the checksum MUST be provided in the AP-REQ
packet from the client to the application server in the initial GSSAPI
exchange (e.g., the input to accept_sec_context).

"The authenticator in the KRB_AP_REQ message MUST include the optional
 sequence number and the checksum field.  The checksum field is used
 to convey service flags, channel bindings, and optional delegation

In order for Samba to interoperate with a "Huawei Unified Storage System
S5500 V3" we found that we not only had to allow a krb5 checksum (that
Samba erroneously produced for many years), but also no checksum

Tests (patches to Samba's own fake gssapi implementation) show that
Windows also accepts this.

This deviation from RFC 4121 isn't documented in MS-KILE.  Can you please
explain what is going on here?

As context, allowing no checksum caused a DoS in MIT krb5 due to a NULL
pointer de-reference in

I don't see this as a security issue, as despite the name the checksum
is being re-used simply as an opaque data field, in an authenticated


Andrew Bartlett
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

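The three acceptor-side cases the post describes (an RFC 4121 0x8003 checksum, a plain Kerberos checksum type, and no checksum at all) as an added example; this is not Samba's, MIT's or Windows' code. It assumes the checksum type and value have already been pulled out of the decoded Authenticator (no ASN.1 handling is shown), models the lenient interop policy as a `strict_rfc4121` switch, and the KRB-CRED bytes and flag combinations in the test input are constructed. The point is that an absent checksum becomes an explicit "absent" record the caller can decide on, rather than a pointer the rest of the code assumes is valid.

```python
"""Parse the checksum carried in a Kerberos AP-REQ Authenticator the way a
GSSAPI acceptor does (RFC 4121 section 4.1.1), tolerating the two deviations
seen in the field: a non-GSSAPI checksum type, and no checksum at all."""
import struct
from dataclasses import dataclass
from typing import Optional

GSSAPI_CKSUMTYPE = 0x8003            # checksum type reserved for GSSAPI (RFC 4121)
# Flag bits in the Flags word (RFC 4121 4.1.1.1; same values as GSS_C_*_FLAG)
GSS_C_DELEG_FLAG = 0x01
GSS_C_MUTUAL_FLAG = 0x02
GSS_C_REPLAY_FLAG = 0x04
GSS_C_SEQUENCE_FLAG = 0x08
GSS_C_CONF_FLAG = 0x10
GSS_C_INTEG_FLAG = 0x20
NO_CHANNEL_BINDINGS = b"\x00" * 16   # Bnd value when no bindings were supplied


@dataclass
class AuthenticatorChecksum:
    kind: str                                   # "gssapi", "non-gssapi" or "absent"
    flags: int = 0
    channel_bindings: Optional[bytes] = None    # 16-byte MD5 of the bindings, if any
    delegated_cred: Optional[bytes] = None      # KRB-CRED bytes when DlgOpt == 1
    raw: Optional[bytes] = None                 # untouched value for non-GSSAPI types


def parse_authenticator_checksum(cksumtype, checksum):
    # Case 1: the Authenticator carried no checksum (the behaviour the post
    # reports for the storage appliance). Return a record, never dereference.
    if cksumtype is None or checksum is None:
        return AuthenticatorChecksum(kind="absent")
    # Case 2: a plain Kerberos checksum rather than the 0x8003 GSSAPI layout.
    if cksumtype != GSSAPI_CKSUMTYPE:
        return AuthenticatorChecksum(kind="non-gssapi", raw=bytes(checksum))
    # Case 3: RFC 4121 layout, little-endian fields:
    #   Lgth(4) Bnd(16) Flags(4) [DlgOpt(2) Dlgth(2) Deleg(Dlgth)] Exts...
    if len(checksum) < 24:
        raise ValueError("GSSAPI checksum shorter than the 24-byte fixed part")
    lgth, = struct.unpack_from("<I", checksum, 0)
    if lgth != 16:
        raise ValueError("Lgth must be 16, got %d" % lgth)
    bnd = bytes(checksum[4:20])
    flags, = struct.unpack_from("<I", checksum, 20)
    deleg = None
    if flags & GSS_C_DELEG_FLAG:
        if len(checksum) < 28:
            raise ValueError("DELEG flag set but DlgOpt/Dlgth are missing")
        dlgopt, dlgth = struct.unpack_from("<HH", checksum, 24)
        if dlgopt != 1:
            raise ValueError("unknown DlgOpt %d" % dlgopt)
        if len(checksum) < 28 + dlgth:          # bounds check before slicing
            raise ValueError("Dlgth runs past the end of the checksum")
        deleg = bytes(checksum[28:28 + dlgth])
    return AuthenticatorChecksum(
        kind="gssapi", flags=flags,
        channel_bindings=None if bnd == NO_CHANNEL_BINDINGS else bnd,
        delegated_cred=deleg)


def accept_checksum(info, strict_rfc4121=False):
    """Policy step: a strict acceptor insists on the 0x8003 checksum; a lenient
    one treats anything else as 'no flags, no bindings, no delegation'."""
    if info.kind == "gssapi":
        return True
    return not strict_rfc4121


def build_gssapi_checksum(flags, bnd=NO_CHANNEL_BINDINGS, deleg=None):
    """Encode the RFC 4121 4.1.1 layout; used here only to construct sample
    input (a real initiator also wraps it in the Authenticator ASN.1)."""
    out = struct.pack("<I", 16) + bnd + struct.pack("<I", flags)
    if deleg is not None:
        out += struct.pack("<HH", 1, len(deleg)) + deleg
    return out


if __name__ == "__main__":
    sample = build_gssapi_checksum(GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG)
    for name, ct, value in (("gssapi", GSSAPI_CKSUMTYPE, sample),
                            ("plain krb5", 16, b"\x01" * 12),   # constructed
                            ("absent", None, None)):
        info = parse_authenticator_checksum(ct, value)
        print(name, info.kind, "lenient:", accept_checksum(info),
              "strict:", accept_checksum(info, strict_rfc4121=True))
```

`accept_checksum` is separated from parsing on purpose: the interop decision (accept or reject a non-GSSAPI or absent checksum) is a policy question, while the parser's only job is to never read past the bytes it was handed.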