From b4548e78f1b1a706619b90e88d876ec06b80ac41 Mon Sep 17 00:00:00 2001
From: huaraz
Date: Sat, 25 Jan 2020 03:36:49 +0000
Subject: [PATCH] kerberos_ldap_group: fix encryption type for cross realm check (#542)

Newer setups require AESxxx encryption but old Crossrealm tickets are still using RC4. Remove the use of the cached client ticket encryption type and use the configured default list (which must include AESxxx and RC4).
---
 src/acl/external/kerberos_ldap_group/support_krb5.cc | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/acl/external/kerberos_ldap_group/support_krb5.cc b/src/acl/external/kerberos_ldap_group/support_krb5.cc
index 48b7c0f15a..6d50c73166 100644
--- a/src/acl/external/kerberos_ldap_group/support_krb5.cc
+++ b/src/acl/external/kerberos_ldap_group/support_krb5.cc
@@ -465,6 +465,12 @@ krb5_create_cache(char *domain, char *service_principal_name)
 k5_error("Error while initialising TGT credentials", code);
 goto loop_end;
 }
+
+ // overwrite limitation of enctypes
+ creds->keyblock.enctype = 0;
+ if (creds->keyblock.contents)
+ krb5_free_keyblock_contents(kparam.context, &creds->keyblock);
+
 code = krb5_get_credentials(kparam.context, 0, kparam.cc[ccindex], creds, &tgt_creds);
 if (code) {
 k5_error("Error while getting tgt", code);
-- 
2.47.2
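Review bot: The comment `// overwrite limitation of enctypes` on the new block does not say what is being lifted or where the enctype policy now lives, which matters because after this change the acceptable key types for the cross-realm request are decided entirely by the library's configured default enctype list; suggest `// Drop the enctype/key inherited from the cached client TGT so krb5_get_credentials` / `// uses the configured default enctype list (must include AES and RC4 for old cross-realm TGTs).` The ordering is also slightly surprising: `creds->keyblock.enctype = 0;` runs before `krb5_free_keyblock_contents(...)`, so whether the zero survives depends on what the library's free routine resets; freeing first and then clearing the enctype (and, if the file already uses the per-library constants, spelling it as the library's null-enctype constant rather than a bare `0`) would make the intent explicit. The `if (creds->keyblock.contents)` guard is harmless but, as far as I can tell, redundant for the library implementations this file targets — worth a one-line comment if it is there for a specific build. krb5_create_cache begins and ends outside the hunk.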