kerberos_ldap_group: fix encryption type for cross realm check (#542)
authorhuaraz <huaraz@moeller.plus.com>
Sat, 25 Jan 2020 03:36:49 +0000 (03:36 +0000)
committerSquid Anubis <squid-anubis@squid-cache.org>
Sat, 25 Jan 2020 03:36:53 +0000 (03:36 +0000)
Newer setups require AESxxx encryption, but old cross-realm
tickets still use RC4. Stop using the cached client
ticket's encryption type and use the configured default list
(which must include AESxxx and RC4) instead.

src/acl/external/kerberos_ldap_group/support_krb5.cc

index 48b7c0f15a09c6ca4c79b1bd2f9c8b5df1b20473..6d50c73166135c9f806cc06ef561413bed30d920 100644 (file)
@@ -465,6 +465,12 @@ krb5_create_cache(char *domain, char *service_principal_name)
                     k5_error("Error while initialising TGT credentials", code);
                     goto loop_end;
                 }
+
+                // overwrite limitation of enctypes
+                creds->keyblock.enctype = 0;
+                if (creds->keyblock.contents)
+                    krb5_free_keyblock_contents(kparam.context, &creds->keyblock);
+
                 code = krb5_get_credentials(kparam.context, 0, kparam.cc[ccindex], creds, &tgt_creds);
                 if (code) {
                     k5_error("Error while getting tgt", code);
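Review bot: The comment on the added block, `// overwrite limitation of enctypes`, does not say which limitation is lifted or why the cached key is being discarded, so the intent of clearing `creds->keyblock` is lost on the next reader; replace it with something like `// Drop the cached client-ticket key so krb5_get_credentials() picks the enctype from the configured default list rather than the cached ticket's enctype (cross-realm TGTs may still be RC4 while the local realm requires AES).` The same comment should state that the default enctype list must therefore still permit RC4 for cross-realm lookups to succeed, because an operator tightening the enctype configuration would otherwise break this path with only a generic "Error while getting tgt" in the log. If this file is also built against Heimdal, whose krb5_keyblock has no `contents` member, the `creds->keyblock.contents` test presumably needs the same build conditional the rest of the file uses — I cannot confirm that from the hunk. krb5_create_cache() begins before and continues after this hunk.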