s4:kdc: use the strongest possible tgs session key

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135

Signed-off-by: Stefan Metzmacher <metze@samba.org>

diff --git a/source4/kdc/kdc-heimdal.c b/source4/kdc/kdc-heimdal.c
index 061296a4f407173dc4cf706e6df3f9fc45691b54..acc19df8383319221686fa8fe50f37411079b5e2 100644 (file)
--- a/source4/kdc/kdc-heimdal.c
+++ b/source4/kdc/kdc-heimdal.c
@@ -373,10 +373,14 @@ static void kdc_task_init(struct task_server *task)
         *
         * The old behavior in the _kdc_get_preferred_key()
         * function is use_strongest_server_key=TRUE.
+        *
+        * We actually want the behavior of
+        * tgs_use_strongest_session_key=TRUE,
+        * see https://bugzilla.samba.org/show_bug.cgi?id=13135
         */
        kdc_config->as_use_strongest_session_key = false;
        kdc_config->preauth_use_strongest_session_key = false;
-       kdc_config->tgs_use_strongest_session_key = false;
+       kdc_config->tgs_use_strongest_session_key = true;
        kdc_config->use_strongest_server_key = true;
 
        kdc_config->autodetect_referrals = false;