lib/krb5_wrap: request enc_types in the correct order (bug #9272)
authorStefan Metzmacher <metze@samba.org>
Mon, 22 Oct 2012 11:47:48 +0000 (13:47 +0200)
committerMichael Adam <obnox@samba.org>
Thu, 1 Nov 2012 15:24:28 +0000 (16:24 +0100)
aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96
should have a higher priority than arcfour-hmac-md5,
otherwise the KDC still gives us arcfour-hmac-md5 session keys.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
lib/krb5_wrap/krb5_samba.c

index 8037337d6e9bcce33575f75cb6d4bb1e08e267e8..f04f6e18370bbebc83d8a9e8f7e01aba51696195 100644 (file)
@@ -685,15 +685,15 @@ int cli_krb5_get_ticket(TALLOC_CTX *mem_ctx,
        krb5_ccache ccdef = NULL;
        krb5_auth_context auth_context = NULL;
        krb5_enctype enc_types[] = {
-               ENCTYPE_ARCFOUR_HMAC,
-               ENCTYPE_DES_CBC_MD5,
-               ENCTYPE_DES_CBC_CRC,
-#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
-               ENCTYPE_AES128_CTS_HMAC_SHA1_96,
-#endif
 #ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
                ENCTYPE_AES256_CTS_HMAC_SHA1_96,
 #endif
+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
+               ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+#endif
+               ENCTYPE_ARCFOUR_HMAC,
+               ENCTYPE_DES_CBC_MD5,
+               ENCTYPE_DES_CBC_CRC,
                ENCTYPE_NULL};
 
        initialize_krb5_error_table();
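Review bot: The reordered `enc_types[]` initializer has no comment saying that position means preference, so a later edit could silently undo the ordering this commit fixes. A line above the array such as `/* Preference order, strongest first; the KDC selects the session key enctype from this list. */` would record the intent. The list also still offers `ENCTYPE_ARCFOUR_HMAC`, `ENCTYPE_DES_CBC_MD5` and `ENCTYPE_DES_CBC_CRC` as fallbacks, and when neither `HAVE_ENCTYPE_AES*` macro is defined those are the only entries, so the same comment should say whether they are kept deliberately for interoperability. How the array is consumed is not visible here, because the body of `cli_krb5_get_ticket` continues beyond the hunk.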