Use only AES enctypes by default

Remove des3 and arcfour from the defaults for new installs.

NOTE: the ipasam/dcerpc code sill uses arcfour

Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/4740
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c

@@ -55,18 +55,10 @@ extern const char *ipa_realm_dn;
 extern const char *ipa_etc_config_dn;
 extern const char *ipa_pwd_config_dn;
 
-/* These are the default enc:salt types if nothing is defined.
- * TODO: retrieve the configure set of ecntypes either from the
- * kfc.conf file or by synchronizing the file content into
- * the directory */
+/* These are the default enc:salt types if nothing is defined in LDAP */
 static const char *ipapwd_def_encsalts[] = {
-    "des3-hmac-sha1:normal",
-/*    "arcfour-hmac:normal",
-    "des-hmac-sha1:normal",
-    "des-cbc-md5:normal", */
-    "des-cbc-crc:normal",
-/*    "des-cbc-crc:v4",
-    "des-cbc-crc:afs3", */
+    "aes256-cts:special",
+    "aes128-cts:special",
     NULL
 };
 

install/share/kerberos.ldif

@@ -30,8 +30,6 @@ krbMaxTicketLife: 86400
 krbMaxRenewableAge: 604800
 krbDefaultEncSaltTypes: aes256-cts:special
 krbDefaultEncSaltTypes: aes128-cts:special
-krbDefaultEncSaltTypes: des3-hmac-sha1:special
-krbDefaultEncSaltTypes: arcfour-hmac:special
 
 # Default password Policy
 dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX