[Freeipa-users] Kerberos and Cisco
Simo Sorce
simo at redhat.com
Sun Dec 23 18:31:34 UTC 2012
On Fri, 2012-12-21 at 18:23 -0500, Dmitri Pal wrote:
> On 12/21/2012 05:40 PM, Mike Mercier wrote:
> > Hi Bret,
> >
> >
> > I tried this once in the past with no success. If I recall
> > correctly (I can't find the reference anymore), Cisco (at least in
> > IOS 12.4 that I tested) only supports the DES-CBC-CRC enctype. This
> > enctype is disabled by default in FreeIPA.
>
> allow_weak_crypto = true
>
> in krb5.conf to enable it.

These instructions are relevant only for a Linux-based client.

Bret,
on top of changing the above on the server and restarting it,
you need to add DES as an allowed enctype in the IPA server LDAP
attribute that controls it (*) as well as explicitly specify you want a
DES key when you use ipa-getkeytab to get a keytab for your device.

(*) This attribute is called krbSupportedEncSaltTypes and is stored in
cn=<REALM>,cn=kerberos,cn=<suffix> in your LDAP server.
You probably want to add the value: des-cbc-crc:normal

Simo.
--
Simo Sorce * Red Hat, Inc * New York
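
An added example, not part of the original message: a small Python check that reports whether the two server-side settings named above (allow_weak_crypto in krb5.conf and a single-DES value in krbSupportedEncSaltTypes) are both in place. The realm, suffix and sample file contents are constructed placeholders, and the function names are this example's own.

```python
import re

TRUE_WORDS = {"true", "t", "yes", "y", "on", "1"}
ATTR = re.compile(r"^krbSupportedEncSaltTypes:\s*(\S+)\s*$", re.IGNORECASE)

def weak_crypto_allowed(krb5_conf):
    """True if [libdefaults] sets allow_weak_crypto to a true value."""
    section = None
    for raw in krb5_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "allow_weak_crypto":
                return value.lower() in TRUE_WORDS
    return False

def des_salt_types(ldif):
    """Single-DES values of krbSupportedEncSaltTypes (des3-* is not matched)."""
    found = []
    for line in ldif.splitlines():
        m = ATTR.match(line)
        if m:
            enctype = m.group(1).split(":", 1)[0].lower()
            if enctype == "des" or enctype.startswith("des-"):
                found.append(m.group(1))
    return found

def audit(krb5_conf, ldif):
    """Combine both checks: DES keys need both settings to be present."""
    weak, des = weak_crypto_allowed(krb5_conf), des_salt_types(ldif)
    return {"allow_weak_crypto": weak, "des_salt_types": des,
            "des_keys_issuable": weak and bool(des)}

# Constructed sample inputs (realm and suffix are placeholders).
SAMPLE_KRB5 = """\
[libdefaults]
  default_realm = EXAMPLE.TEST
  allow_weak_crypto = true
"""
SAMPLE_LDIF = """\
dn: cn=EXAMPLE.TEST,cn=kerberos,dc=example,dc=test
krbSupportedEncSaltTypes: aes256-cts:normal
krbSupportedEncSaltTypes: des3-hmac-sha1:normal
krbSupportedEncSaltTypes: des-cbc-crc:normal
"""

if __name__ == "__main__":
    print(audit(SAMPLE_KRB5, SAMPLE_LDIF))
```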