From 55211f297f6d4fe3958ab50de83afa6b6d04f028 Mon Sep 17 00:00:00 2001
From: huaraz
Date: Sat, 25 Jan 2020 03:36:49 +0000
Subject: [PATCH] kerberos_ldap_group: fix encryption type for cross realm check (#542)

Newer setups require AESxxx encryption but old Crossrealm tickets are still using RC4. Remove the use of the cached client ticket encryption type and use the configured default list (which must include AESxxx and RC4).
---
 src/acl/external/kerberos_ldap_group/support_krb5.cc | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/acl/external/kerberos_ldap_group/support_krb5.cc b/src/acl/external/kerberos_ldap_group/support_krb5.cc
index 48b7c0f15a..6d50c73166 100644
--- a/src/acl/external/kerberos_ldap_group/support_krb5.cc
+++ b/src/acl/external/kerberos_ldap_group/support_krb5.cc
@@ -465,6 +465,12 @@ krb5_create_cache(char *domain, char *service_principal_name)
 k5_error("Error while initialising TGT credentials", code);
 goto loop_end;
 }
+
+ // overwrite limitation of enctypes
+ creds->keyblock.enctype = 0;
+ if (creds->keyblock.contents)
+ krb5_free_keyblock_contents(kparam.context, &creds->keyblock);
+
 code = krb5_get_credentials(kparam.context, 0, kparam.cc[ccindex], creds, &tgt_creds);
 if (code) {
 k5_error("Error while getting tgt", code);
-- 
2.47.2
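Review bot: The added comment `// overwrite limitation of enctypes` does not say what is being overridden or why, and the bare `0` hides that this is the library's "no enctype preference" value; `creds->keyblock.enctype = ENCTYPE_NULL;` with the commit's rationale in the comment would read better, e.g. `// Do not pin the cross-realm TGS request to the enctype of the cached client ticket (old cross-realm tickets are RC4, newer realms require AES); ENCTYPE_NULL lets krb5_get_credentials fall back to the configured default enctype list.` The `if (creds->keyblock.contents)` guard appears redundant, since krb5_free_keyblock_contents already tolerates an empty keyblock, and placing the free before the enctype assignment would keep the reset independent of whether the library's free routine touches enctype. As the description itself states, the configured default list must now keep RC4 for old cross-realm tickets, which is a weakening worth recording in the comment and the helper's documentation so it is revisited once those realms are upgraded. krb5_create_cache's body starts and ends outside this hunk.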