mit-kdc: Use more strict KDC default settings
authorAndreas Schneider <asn@samba.org>
Mon, 11 Oct 2021 08:55:52 +0000 (10:55 +0200)
committerAndreas Schneider <asn@cryptomilk.org>
Mon, 29 Nov 2021 08:39:37 +0000 (08:39 +0000)
As we require MIT KRB5 >= 1.19 for the KDC, use more secure defaults.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
python/samba/provision/kerberos.py
selftest/target/Samba.pm

index 6b8ceb28733ca21a52eaa4c48e853107ffd6ae45..665c031ffa5e088c168ef5e45402598cfa6e4c2e 100644 (file)
@@ -52,19 +52,26 @@ def create_kdc_conf(kdcconf, realm, domain, logdir):
         f.write("\tkdc_ports = 88\n")
         f.write("\tkdc_tcp_ports = 88\n")
         f.write("\tkadmind_port = 464\n")
+        f.write("\trestrict_anonymous_to_tgt = true\n")
         f.write("\n")
 
         f.write("[realms]\n")
 
         f.write("\t%s = {\n" % realm)
+        f.write("\t\tmaster_key_type = aes256-cts\n")
+        f.write("\t\tdefault_principal_flags = +preauth\n")
         f.write("\t}\n")
         f.write("\n")
 
         f.write("\t%s = {\n" % realm.lower())
+        f.write("\t\tmaster_key_type = aes256-cts\n")
+        f.write("\t\tdefault_principal_flags = +preauth\n")
         f.write("\t}\n")
         f.write("\n")
 
         f.write("\t%s = {\n" % domain)
+        f.write("\t\tmaster_key_type = aes256-cts\n")
+        f.write("\t\tdefault_principal_flags = +preauth\n")
         f.write("\t}\n")
         f.write("\n")
 
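Review bot: The three realm stanzas in this hunk are now fifteen near-identical `f.write` calls that differ only in the stanza name, so the two new settings live in three places; a loop over `(realm, realm.lower(), domain)` emits byte-for-byte the same text and keeps them in one. The rationale given in the commit message is not visible in the code, so a comment above the `[kdcdefaults]` addition such as `# MIT KRB5 >= 1.19 is required, so use its stricter settings: preauth by default, anonymous tickets restricted to TGTs` would help the next reader. Whether `default_principal_flags` influences principals served through Samba's KDB module, rather than only ones created in a local KDB, is worth confirming; if it does not, that line is inert here. create_kdc_conf begins before the hunk, and selftest/target/Samba.pm repeats the same three stanzas in its heredoc.
```python
        f.write("[realms]\n")

        # One identical stanza for the realm, its lower-cased form and the domain.
        for name in (realm, realm.lower(), domain):
            f.write("\t%s = {\n" % name)
            f.write("\t\tmaster_key_type = aes256-cts\n")
            f.write("\t\tdefault_principal_flags = +preauth\n")
            f.write("\t}\n")
            f.write("\n")
```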
index c4f8eb5d4f9ebcd14c3a9022e9bab7457546f8ec..ab6d8edc2cce7c6be0d4c7cfe447fb0a41f602f8 100644 (file)
@@ -457,15 +457,22 @@ sub mk_mitkdc_conf($$)
 [kdcdefaults]
        kdc_ports = 88
        kdc_tcp_ports = 88
+       restrict_anonymous_to_tgt = true
 
 [realms]
        $ctx->{realm} = {
+               master_key_type = aes256-cts
+               default_principal_flags = +preauth
        }
 
        $ctx->{dnsname} = {
+               master_key_type = aes256-cts
+               default_principal_flags = +preauth
        }
 
        $ctx->{domain} = {
+               master_key_type = aes256-cts
+               default_principal_flags = +preauth
        }
 
 [dbmodules]
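Review bot: The settings added to this heredoc must stay identical to what create_kdc_conf in python/samba/provision/kerberos.py writes, otherwise selftest exercises the MIT KDC with a configuration provision never produces, and nothing in the hunk records that coupling. A comment on mk_mitkdc_conf before the heredoc, such as `# Keep in sync with create_kdc_conf() in python/samba/provision/kerberos.py.`, would make the dependency visible to whoever changes either side next. mk_mitkdc_conf and its heredoc start before the hunk and continue past it.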