
mit-kdc: Use more strict KDC default settings

As we require MIT KRB5 >= 1.19 for the KDC, use more secure defaults.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Andreas Schneider 2021-10-11 10:55:52 +02:00 committed by Andreas Schneider
parent 3507e96b3d
commit 28be1acd8e
2 changed files with 14 additions and 0 deletions


@ -52,19 +52,26 @@ def create_kdc_conf(kdcconf, realm, domain, logdir):
f.write("\tkdc_ports = 88\n")
f.write("\tkdc_tcp_ports = 88\n")
f.write("\tkadmind_port = 464\n")
f.write("\trestrict_anonymous_to_tgt = true\n")
f.write("\n")
f.write("[realms]\n")
f.write("\t%s = {\n" % realm)
f.write("\t\tmaster_key_type = aes256-cts\n")
f.write("\t\tdefault_principal_flags = +preauth\n")
f.write("\t}\n")
f.write("\n")
f.write("\t%s = {\n" % realm.lower())
f.write("\t\tmaster_key_type = aes256-cts\n")
f.write("\t\tdefault_principal_flags = +preauth\n")
f.write("\t}\n")
f.write("\n")
f.write("\t%s = {\n" % domain)
f.write("\t\tmaster_key_type = aes256-cts\n")
f.write("\t\tdefault_principal_flags = +preauth\n")
f.write("\t}\n")
f.write("\n")
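Review bot: The two hardening lines, `master_key_type = aes256-cts` and `default_principal_flags = +preauth`, are written three times here (for `realm`, `realm.lower()` and `domain`) and three more times in the `mk_mitkdc_conf` heredoc, so a later change that touches one stanza can leave another realm name with weaker settings. In `create_kdc_conf` the three stanzas could come from one loop, `for name in (realm, realm.lower(), domain):` with `f.write("\t%s = {\n" % name)` as its first statement. A comment above the stanza, such as `# default_principal_flags only sets attributes on principals created in this realm`, would also record what `+preauth` does and does not enforce; whether it has any effect on principals served from Samba's own database is not visible from this hunk. `create_kdc_conf` begins before the hunk.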


@ -457,15 +457,22 @@ sub mk_mitkdc_conf($$)
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
restrict_anonymous_to_tgt = true
[realms]
$ctx->{realm} = {
master_key_type = aes256-cts
default_principal_flags = +preauth
}
$ctx->{dnsname} = {
master_key_type = aes256-cts
default_principal_flags = +preauth
}
$ctx->{domain} = {
master_key_type = aes256-cts
default_principal_flags = +preauth
}
[dbmodules]