Add AES SHA-2 HMAC family as default KDC etypes

Resolves: rhbz#2114771
Signed-off-by: Julien Rische <jrische@redhat.com>

kdc.conf

@@ -5,10 +5,12 @@
 
 [realms]
 EXAMPLE.COM = {
-     #master_key_type = aes256-cts
+     master_key_type = aes256-cts-hmac-sha384-192
      acl_file = /var/kerberos/krb5kdc/kadm5.acl
      dict_file = /usr/share/dict/words
      default_principal_flags = +preauth
      admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
-     supported_enctypes = aes256-cts:normal aes128-cts:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal
+     supported_enctypes = aes256-cts-hmac-sha384-192:normal aes128-cts-hmac-sha256-128:normal aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal camellia256-cts-cmac:normal camellia128-cts-cmac:normal arcfour-hmac-md5:normal
+     # Supported encryption types for FIPS mode:
+     #supported_enctypes = aes256-cts-hmac-sha384-192:normal aes128-cts-hmac-sha256-128:normal
 }

krb5.spec

@@ -10,7 +10,7 @@
 #
 # baserelease is what we have standardized across Fedora and what
 # rpmdev-bumpspec knows how to handle.
-%global baserelease 5
+%global baserelease 6
 
 # This should be e.g. beta1 or %%nil
 %global pre_release %nil
@@ -710,6 +710,11 @@ exit 0
 %{_datarootdir}/%{name}-tests/
 
 %changelog
+* Wed Jan 18 2023 Julien Rische <jrische@redhat.com> - 1.20.1-6
+- Set aes256-cts-hmac-sha384-192 as EXAMLE.COM master key in kdc.conf
+- Add AES SHA-2 HMAC family as EXAMPLE.COM supported etypes in kdc.conf
+- Resolves: rhbz#2114771
+
 * Mon Jan 09 2023 Julien Rische <jrische@redhat.com> - 1.20.1-5
 - Strip debugging data from ksu executable file