CVE-2022-37966 Fix enctype selection issues for PAC and other authz-data signatures
We were using the enctype from the PA-TGS-REQ's AP-REQ's Ticket to
decide what key from the service's realm's krbtgt principal to use.
This breaks when: a) we're doing cross-realm, b) the service's
realm's krbtgt principal doesn't have keys for the enctype used in
the cross-realm TGT.
The fix is to pick the correct key (strongest or first, per-config)
from the service's realm's krbtgt principal.
(backported from Heimdal commit
8586d9f88efcf60b971466f0d83ea0bc1962e24f)
[jsutton@samba.org Fixed conflicts due to different Heimdal revision]
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
[This is 4.15 only]
Reviewed-by: Stefan Metzmacher <metze@samba.org>