mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
mit-kdc: Use more strict KDC default settings
As we require MIT KRB5 >= 1.19 for the KDC, use more secure defaults. Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
parent
3507e96b3d
commit
28be1acd8e
@ -52,19 +52,26 @@ def create_kdc_conf(kdcconf, realm, domain, logdir):
|
||||
f.write("\tkdc_ports = 88\n")
|
||||
f.write("\tkdc_tcp_ports = 88\n")
|
||||
f.write("\tkadmind_port = 464\n")
|
||||
f.write("\trestrict_anonymous_to_tgt = true\n")
|
||||
f.write("\n")
|
||||
|
||||
f.write("[realms]\n")
|
||||
|
||||
f.write("\t%s = {\n" % realm)
|
||||
f.write("\t\tmaster_key_type = aes256-cts\n")
|
||||
f.write("\t\tdefault_principal_flags = +preauth\n")
|
||||
f.write("\t}\n")
|
||||
f.write("\n")
|
||||
|
||||
f.write("\t%s = {\n" % realm.lower())
|
||||
f.write("\t\tmaster_key_type = aes256-cts\n")
|
||||
f.write("\t\tdefault_principal_flags = +preauth\n")
|
||||
f.write("\t}\n")
|
||||
f.write("\n")
|
||||
|
||||
f.write("\t%s = {\n" % domain)
|
||||
f.write("\t\tmaster_key_type = aes256-cts\n")
|
||||
f.write("\t\tdefault_principal_flags = +preauth\n")
|
||||
f.write("\t}\n")
|
||||
f.write("\n")
|
||||
|
||||
|
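Review bot: The `default_principal_flags = +preauth` lines written into the three realm stanzas of create_kdc_conf carry no comment on their scope, and a reader can easily take them as enforcing pre-authentication for every account. In MIT krb5 this relation sets the default attributes for principals created in the realm, so it presumably does not change principals that already exist or whose attributes come from the database backend; how the Samba backend treats it is not visible here. I would add a comment above the first stanza, e.g. `# +preauth is only the default for newly created principals; per-account preauth exemptions still apply`. The same three lines appear in the mk_mitkdc_conf hunk below, and create_kdc_conf starts and ends outside this hunk.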
@ -457,15 +457,22 @@ sub mk_mitkdc_conf($$)
|
||||
[kdcdefaults]
|
||||
kdc_ports = 88
|
||||
kdc_tcp_ports = 88
|
||||
restrict_anonymous_to_tgt = true
|
||||
|
||||
[realms]
|
||||
$ctx->{realm} = {
|
||||
master_key_type = aes256-cts
|
||||
default_principal_flags = +preauth
|
||||
}
|
||||
|
||||
$ctx->{dnsname} = {
|
||||
master_key_type = aes256-cts
|
||||
default_principal_flags = +preauth
|
||||
}
|
||||
|
||||
$ctx->{domain} = {
|
||||
master_key_type = aes256-cts
|
||||
default_principal_flags = +preauth
|
||||
}
|
||||
|
||||
[dbmodules]
|
||||
|
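Review bot: The heredoc in mk_mitkdc_conf repeats by hand the hardened settings that create_kdc_conf writes (`restrict_anonymous_to_tgt`, `master_key_type`, `default_principal_flags`), so the selftest KDC can silently drift from what provisioning produces. A one-line comment above the heredoc, `# keep [kdcdefaults] and [realms] in sync with create_kdc_conf()`, would make the coupling explicit. The function body continues outside the hunk, so whether such a note already exists is not visible here.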