--- /dev/null
+Index: lib/crypto/dk/dk_decrypt.c
+===================================================================
+--- lib/crypto/dk/dk_decrypt.c (Revision 22448)
++++ lib/crypto/dk/dk_decrypt.c (Arbeitskopie)
+@@ -155,7 +155,8 @@
+ abort();
+ } else
+ cn = NULL;
+-
++{
++int bad = 0;
+ /* verify the hash */
+
+ d1.length = hashsize;
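Review bot: The bare `{` opened here only to declare `int bad = 0;` is closed by a lone `}` in the last hunk, and neither line is indented, so the scope is easy to misread. Declaring `int bad = 0;` alongside the function's other locals (which are outside this hunk) would remove the need for the anonymous block. If the block stays, indent its contents and mark both braces with a short comment such as `/* scope for 'bad' */`.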
+@@ -165,8 +166,11 @@
+ goto cleanup;
+
+ if (memcmp(cksum, input->data+enclen, hmacsize) != 0) {
++bad = 1;
++/*
+ ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+ goto cleanup;
++*/
+ }
+
+ /* because this encoding isn't self-describing wrt length, the
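Review bot: The original failure path is left behind as commented-out code around `ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; goto cleanup;`, so this branch now reads as a checksum mismatch that is simply ignored. Delete the commented-out lines and document the flag instead, for example `bad = 1; /* HMAC mismatch: verdict is deferred until after decryption */`. The same comment should say that everything between this point and the later test of `bad` runs on data that has failed verification.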
+@@ -182,6 +186,29 @@
+
+ memcpy(output->data, d2.data+blocksize, output->length);
+
++ if (bad != 0 && output->length > 16) {
++ /*
++ * HACK:
++ * This is a HACK to allow Wireshark to decrypt DCERPC
++ * payload when header signing is used.
++ *
++ * We know the checksum was wrong, this happens
++ * when DCERPC uses header signing and we check for
++ * a valid gss_cfx_wrap_token header which is 16 byte long
++ * and starts with 0x05 0x04 and sits at the end of the
++ * encrypted data.
++ */
++ unsigned char *hdr = output->data + (output->length - 16);
++ if (hdr[0] == 0x05 && hdr[1] == 0x04) {
++ bad = 0;
++ }
++ }
++
++ if (bad != 0) {
++ ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
++ goto cleanup;
++ }
++}
+ if (cn != NULL)
+ memcpy(ivec->data, cn, blocksize);
+
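Review bot: The fallback at `if (hdr[0] == 0x05 && hdr[1] == 0x04) { bad = 0; }` clears an HMAC failure based on two constant bytes of unauthenticated plaintext, so the function no longer gives any caller of this library an integrity guarantee. The comment says this exists only so Wireshark can decrypt DCERPC payloads, so the whole fallback should be compiled in for that build alone, for example under `#ifdef DK_DECRYPT_DISSECTOR_HACK` (placeholder name), keeping it out of any libkrb5 used for real authentication. The `memcpy` into `output->data` now runs before the verdict, so the failure branch should also clear the buffer with `memset(output->data, 0, output->length);` before `goto cleanup;`, unless the cleanup code outside this hunk already does so. Smaller points: if `output->data` is `char *`, the initialisation of `unsigned char *hdr` needs a cast, and the literal 16 would read better as a named constant for the token header length.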