s4:kdc: Pass supported enctypes to samba_kdc_set_random_keys()
authorAndrew Bartlett <abartlet@samba.org>
Tue, 22 Mar 2022 20:47:53 +0000 (09:47 +1300)
committerStefan Metzmacher <metze@samba.org>
Thu, 24 Mar 2022 09:19:33 +0000 (09:19 +0000)
We should not surprise the callers by returning more keys than we asked to
filter by, and this avoids duplicating the protected_users logic within
samba_kdc_set_fixed_keys().

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
source4/kdc/db-glue.c

index a5e7cebab1bd32d05aa8a084e40f607a0319b194..115ef1c94b21a62baddbb329b7c252137bd2cfc7 100644 (file)
@@ -409,18 +409,12 @@ out:
 
 
 static int samba_kdc_set_random_keys(krb5_context context,
-                                    struct samba_kdc_db_context *kdc_db_ctx,
-                                    struct sdb_keys *keys,
-                                    bool is_protected)
+                                    uint32_t supported_enctypes,
+                                    struct sdb_keys *keys)
 {
-       uint32_t supported_enctypes = ENC_ALL_TYPES;
        struct ldb_val secret_val;
        uint8_t secretbuffer[32];
 
-       if (is_protected) {
-               supported_enctypes &= ~ENC_RC4_HMAC_MD5;
-       }
-
        /*
         * Fake keys until we have a better way to reject
         * non-pkinit requests.
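Review bot: The new `supported_enctypes` parameter moves a filtering contract onto the callers without documenting it: the `is_protected` branch that cleared `ENC_RC4_HMAC_MD5` here is removed, so a caller that passes an unfiltered mask would now get random RC4 keys generated for a protected account. A short comment above the signature would make that explicit, e.g. `/* supported_enctypes: the caller's already-filtered enctype mask (protected-account RC4 masking is no longer applied here). */`. The body that consumes the mask continues outside the hunk, so whether a mask of 0 yields an entry with no keys, and how that is reported, cannot be confirmed from here; that case deserves a check or a comment where the mask is used. The second hunk's call site passes the caller's `supported_enctypes` directly, which is consistent with this contract as far as is visible.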
@@ -674,9 +668,8 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
        if ((ent_type == SAMBA_KDC_ENT_TYPE_CLIENT)
            && (userAccountControl & UF_SMARTCARD_REQUIRED)) {
                ret = samba_kdc_set_random_keys(context,
-                                               kdc_db_ctx,
-                                               &entry->keys,
-                                               is_protected);
+                                               supported_enctypes,
+                                               &entry->keys);
 
                *supported_enctypes_out = supported_enctypes;