diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index ce3075f..6241055 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -607,6 +607,13 @@ kg_accept_krb5(minor_status, context_handle,
     }
 #endif
 
+    if (authdat->checksum == NULL) {
+        /* missing checksum counts as "inappropriate type" */
+        code = KRB5KRB_AP_ERR_INAPP_CKSUM;
+        major_status = GSS_S_FAILURE;
+        goto fail;
+    }
+
     if (authdat->checksum->checksum_type != CKSUMTYPE_KG_CB) {
         /* Samba does not send 0x8003 GSS-API checksums */
         krb5_boolean valid;