Don't configure disabled krb5 enctypes in FIPS mode

The only permitted ciphers are the AES family (called aes, which
is the combination of: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and
aes128-cts-hmac-sha256-128).

DES, RC4, and Camellia are not permitted in FIPS mode.  While 3DES
is permitted, the KDF used for it in krb5 is not, and Microsoft
doesn't implement 3DES anyway.

This is only applied on new installations because we don't
allow converting a non-FIPS install into a FIPS one.

Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

install/share/kerberos.ldif

@@ -18,14 +18,14 @@ krbSupportedEncSaltTypes: aes256-cts:normal
 krbSupportedEncSaltTypes: aes256-cts:special
 krbSupportedEncSaltTypes: aes128-cts:normal
 krbSupportedEncSaltTypes: aes128-cts:special
-krbSupportedEncSaltTypes: des3-hmac-sha1:normal
-krbSupportedEncSaltTypes: des3-hmac-sha1:special
-krbSupportedEncSaltTypes: arcfour-hmac:normal
-krbSupportedEncSaltTypes: arcfour-hmac:special
-krbSupportedEncSaltTypes: camellia128-cts-cmac:normal
-krbSupportedEncSaltTypes: camellia128-cts-cmac:special
-krbSupportedEncSaltTypes: camellia256-cts-cmac:normal
-krbSupportedEncSaltTypes: camellia256-cts-cmac:special
+${FIPS}krbSupportedEncSaltTypes: des3-hmac-sha1:normal
+${FIPS}krbSupportedEncSaltTypes: des3-hmac-sha1:special
+${FIPS}krbSupportedEncSaltTypes: arcfour-hmac:normal
+${FIPS}krbSupportedEncSaltTypes: arcfour-hmac:special
+${FIPS}krbSupportedEncSaltTypes: camellia128-cts-cmac:normal
+${FIPS}krbSupportedEncSaltTypes: camellia128-cts-cmac:special
+${FIPS}krbSupportedEncSaltTypes: camellia256-cts-cmac:normal
+${FIPS}krbSupportedEncSaltTypes: camellia256-cts-cmac:special
 krbMaxTicketLife: 86400
 krbMaxRenewableAge: 604800
 krbDefaultEncSaltTypes: aes256-cts:special