From 24f3f87706329e6e280dc6be6d025e997d46c910 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Mon, 22 Oct 2012 13:47:48 +0200
Subject: lib/krb5_wrap: request enc_types in the correct order (bug #9272)
aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96 should have a higher priority than arcfour-hmac-md5, otherwise the KDC still gives us arcfour-hmac-md5 session keys.
Signed-off-by: Stefan Metzmacher
Reviewed-by: Michael Adam
---
lib/krb5_wrap/krb5_samba.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
(limited to 'lib/krb5_wrap')
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 8037337d6e..f04f6e1837 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -685,15 +685,15 @@ int cli_krb5_get_ticket(TALLOC_CTX *mem_ctx,
 krb5_ccache ccdef = NULL;
 krb5_auth_context auth_context = NULL;
 krb5_enctype enc_types[] = {
- ENCTYPE_ARCFOUR_HMAC,
- ENCTYPE_DES_CBC_MD5,
- ENCTYPE_DES_CBC_CRC,
-#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
- ENCTYPE_AES128_CTS_HMAC_SHA1_96,
-#endif
 #ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
 ENCTYPE_AES256_CTS_HMAC_SHA1_96,
 #endif
+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
+ ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+#endif
+ ENCTYPE_ARCFOUR_HMAC,
+ ENCTYPE_DES_CBC_MD5,
+ ENCTYPE_DES_CBC_CRC,
 ENCTYPE_NULL};
 initialize_krb5_error_table();
-- cgit
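Review bot: The reordered `enc_types[]` in `cli_krb5_get_ticket` still requests `ENCTYPE_DES_CBC_MD5` and `ENCTYPE_DES_CBC_CRC`, and when neither `HAVE_ENCTYPE_AES*` macro is defined the list silently starts at `ENCTYPE_ARCFOUR_HMAC`, so a build without AES support falls back to the weak enctypes with nothing in the code to flag it. Nothing on the array says that position means preference, which is exactly what this bug turned on; a comment above it such as `/* Descending preference order: the KDC honours it when choosing the session key enctype, so strongest first; RC4/DES are legacy fallbacks only. */` would keep a later edit from re-sorting the entries. Whether the single-DES entries can be dropped altogether depends on which KDCs must still be supported, which is not visible here. The function body starts and ends outside the hunk, so how `enc_types` is handed to the Kerberos library is not shown.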