osx: Avoid blocking the KDC in KEYCHAIN in tests

If a client tries to use PKINIT we can block in the OS X keychain if no
anchors are configured.

tests/gss/krb5.conf.in

@@ -18,6 +18,21 @@ include @srcdirabs@/include-krb5.conf
 	}
 
 [kdc]
+	enable-digest = true
+	allow-anonymous = true
+	digests_allowed = chap-md5,digest-md5,ntlm-v1,ntlm-v1-session,ntlm-v2,ms-chap-v2
+        strict-nametypes = true
+        synthetic_clients = true
+	enable_gss_preauth = true
+	gss_mechanisms_allowed = sanon-x25519
+	enable-pkinit = true
+	pkinit_identity = FILE:@srcdir@/../../lib/hx509/data/kdc.crt,@srcdir@/../../lib/hx509/data/kdc.key
+	pkinit_anchors = FILE:@srcdir@/../../lib/hx509/data/ca.crt
+	pkinit_pool = FILE:@srcdir@/../../lib/hx509/data/sub-ca.crt
+#	pkinit_revoke = CRL:@srcdir@/../../lib/hx509/data/crl1.crl
+	pkinit_mappings_file = @srcdir@/pki-mapping
+	pkinit_allow_proxy_certificate = true
+
 	database = {
 		dbname = @objdir@/current-db
 		realm = TEST.H5L.SE

tests/plugin/krb5.conf.in

@@ -19,6 +19,21 @@
 	}
 
 [kdc]
+	enable-digest = true
+	allow-anonymous = true
+	digests_allowed = chap-md5,digest-md5,ntlm-v1,ntlm-v1-session,ntlm-v2,ms-chap-v2
+        strict-nametypes = true
+        synthetic_clients = true
+	enable_gss_preauth = true
+	gss_mechanisms_allowed = sanon-x25519
+	enable-pkinit = true
+	pkinit_identity = FILE:@srcdir@/../../lib/hx509/data/kdc.crt,@srcdir@/../../lib/hx509/data/kdc.key
+	pkinit_anchors = FILE:@srcdir@/../../lib/hx509/data/ca.crt
+	pkinit_pool = FILE:@srcdir@/../../lib/hx509/data/sub-ca.crt
+#	pkinit_revoke = CRL:@srcdir@/../../lib/hx509/data/crl1.crl
+	pkinit_mappings_file = @srcdir@/pki-mapping
+	pkinit_allow_proxy_certificate = true
+
 	database = {
 		dbname = @objdir@/current-db
 		realm = TEST.H5L.SE