From 7f11f7aff2b4d18d42c623bc665fb5bc6961d292 Mon Sep 17 00:00:00 2001
From: Joseph Sutton
Date: Fri, 8 Oct 2021 15:53:47 +1300
Subject: [PATCH 1/2] heimdal:kdc: Fix incorrect condition

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton
---
 source4/heimdal/kdc/kerberos5.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index ec0c5ade153..0cbf713ce9f 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -214,7 +214,7 @@ _kdc_find_etype(krb5_context context, krb5_boolean use_strongest_session_key,
 if (ret_enctype != NULL)
 *ret_enctype = etypes[i];
 ret = 0;
- if (is_preauth && is_default_salt_p(&def_salt, key))
+ if (!is_preauth || is_default_salt_p(&def_salt, key))
 goto out;
 }
 }
-- 
2.25.1

From f76db0d32383dffd8635e74ac2cc55bb17bd044b Mon Sep 17 00:00:00 2001
From: Joseph Sutton
Date: Fri, 8 Oct 2021 15:54:16 +1300
Subject: [PATCH 2/2] heimdal:kdc: Only check for default salt for des-cbc-crc enctype

Previously, this algorithm was preferring RC4 over AES for machine accounts in the preauth case. This is because AES keys for machine accounts in Active Directory use a non-default salt, while RC4 keys do not use a salt. To avoid this behaviour, only prefer keys with default salt for the des-cbc-crc enctype.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton
---
 source4/heimdal/kdc/kerberos5.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index 0cbf713ce9f..4cba08fcbe6 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -214,7 +214,8 @@ _kdc_find_etype(krb5_context context, krb5_boolean use_strongest_session_key,
 if (ret_enctype != NULL)
 *ret_enctype = etypes[i];
 ret = 0;
- if (!is_preauth || is_default_salt_p(&def_salt, key))
+ if (!is_preauth || enctype != (krb5_enctype)ETYPE_DES_CBC_CRC
+ || is_default_salt_p(&def_salt, key))
 goto out;
 }
 }
-- 
2.25.1
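Review bot: The added test compares `enctype`, but the context lines directly above record the candidate as `*ret_enctype = etypes[i]`, and nothing visible in the hunk assigns `enctype`. If `enctype` is a function-level variable that this loop never updates (its declaration is outside the hunk, so this needs confirming), `enctype != (krb5_enctype)ETYPE_DES_CBC_CRC` is true on every iteration and the default-salt check is never reached, even for des-cbc-crc keys. Comparing the candidate itself, `|| etypes[i] != (krb5_enctype)ETYPE_DES_CBC_CRC`, would match what the commit message describes. A short comment above the condition, e.g. `/* Only des-cbc-crc keys must carry the default salt for preauth; AD machine-account AES keys use a non-default salt. */`, would keep the special case from being reverted later, and a test that requests AES ahead of RC4 for a machine account in the preauth case would guard against the enctype downgrade returning.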