Restrict the enctypes in the generated krb5.conf files to Win2003 types.
author Gerald W. Carter <jerry@samba.org>
Mon, 28 Jan 2008 17:32:09 +0000 (11:32 -0600)
committer Günther Deschner <gd@samba.org>
Thu, 31 Jan 2008 09:30:52 +0000 (10:30 +0100)
This fixes the failure observed on FC8 when joining a Windows 2008 RC1
domain.  We currently do not handle user session keys correctly
when the KDC uses AES in the ticket replies.

source/libads/kerberos.c

index 890ea2bcb5136f599497ea35a140e0010d4d5fa9..089540536ccca1f8ea789b4f6e6b5cbc5c8e0d99 100644 (file)
@@ -676,11 +676,15 @@ BOOL create_local_private_krb5_conf_for_domain(const char *realm, const char *do
                TALLOC_FREE(dname);
                return False;
        }
-               
-       file_contents = talloc_asprintf(fname, "[libdefaults]\n\tdefault_realm = %s\n\n"
-                               "[realms]\n\t%s = {\n"
-                               "\t%s\t}\n",
-                               realm_upper, realm_upper, kdc_ip_string);
+
+       file_contents = talloc_asprintf(fname,
+                                       "[libdefaults]\n\tdefault_realm = %s\n"
+                                       "default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
+                                       "default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
+                                       "preferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n\n"
+                                       "[realms]\n\t%s = {\n"
+                                       "\t%s\t}\n",
+                                       realm_upper, realm_upper, kdc_ip_string);
 
        if (!file_contents) {
                TALLOC_FREE(dname);
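Review bot: the three enctype lines added to the [libdefaults] string hard-code RC4-HMAC, DES-CBC-CRC and DES-CBC-MD5 with no comment in the code saying why, so a later reader of kerberos.c cannot tell that AES is left out only as a workaround for the session-key handling problem the commit message describes. Please add a comment above the talloc_asprintf() call stating that, and that the restriction should be lifted once AES session keys are handled, because it pins every generated krb5.conf to the weaker enctypes even when the KDC offers AES. The same list is also repeated three times in the format string; passing it once as a string constant through %s would keep default_tgs_enctypes, default_tkt_enctypes and preferred_enctypes in sync. Minor: the new lines lack the leading \t that the default_realm line has, so the generated file is indented inconsistently.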