On 12/23/2012 07:31 PM, Simo Sorce wrote:
On Fri, 2012-12-21 at 18:23 -0500, Dmitri Pal wrote:
On 12/21/2012 05:40 PM, Mike Mercier wrote:
Hi Bret,


I tried this once in the past with no success.  If I recall
correctly (I can't find the reference anymore), Cisco (at least in
IOS 12.4 that I tested) only supports the DES-CBC-CRC enctype.  This
enctype is disabled by default in FreeIPA.

allow_weak_crypto = true

in krb5.conf to enable it.

These instructions are relevant only for a Linux based client.

Bret,
on top of changing the above on the server and restarting it,
you need to add DES as an allowed enctype in the IPA server LDAP
attribute that controls it(*) as well as explicitly specify you want a
DES key when you use ipa-getkeytab to get a keytab for your device.


(*) This attribute is called krbSupportedEncSaltTypes and is stored in
cn=<REALM>,cn=kerberos,cn=<suffix> in your LDAP server.

You probably want to add the value: des-cbc-crc:normal

I would add: DES + CRC is considered insecure, weigh it in your use case carefully.

--
Petr^2 Spacek
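
An added example, not part of the original thread and not FreeIPA code: a Python audit of the three places the replies above touch (allow_weak_crypto in krb5.conf, krbSupportedEncSaltTypes in LDAP, and the keytab contents) so that single-DES use can be found again later. The sample inputs, realm, suffix and hostnames are constructed, and the `klist -ke` line layout is an assumption.

```python
import re

def is_single_des(enctype):
    # "des-" covers des-cbc-crc, des-cbc-md5, ...; "des3-" (triple DES) is not matched.
    return enctype.strip().lower().startswith("des-")

def weak_crypto_allowed(krb5_conf):
    """True if [libdefaults] sets allow_weak_crypto to a true value."""
    section, allowed = None, False
    for line in map(str.strip, krb5_conf.splitlines()):
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (p.strip().lower() for p in line.split("=", 1))
            if key == "allow_weak_crypto":
                allowed = value in ("true", "t", "yes", "y", "on", "1")
    return allowed

def weak_salt_types(ldif):
    """Single-DES krbSupportedEncSaltTypes values in an LDIF export."""
    found = []
    for line in ldif.splitlines():
        attr, _, value = line.partition(":")
        value = value.strip()
        if (attr.strip().lower() == "krbsupportedencsalttypes"
                and is_single_des(value.split(":", 1)[0])):
            found.append(value)
    return found

def weak_keytab_entries(klist_ke):
    """(kvno, principal) pairs holding a single-DES key in `klist -ke` output."""
    pat = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((?:DEPRECATED:)?([\w-]+)\)")
    return [(int(m[1]), m[2]) for m in map(pat.match, klist_ke.splitlines())
            if m and is_single_des(m[3])]

# Constructed samples (placeholder realm/hosts); the klist layout is an assumption.
SAMPLE_CONF = "[libdefaults]\n default_realm = EXAMPLE.TEST\n allow_weak_crypto = true\n"
SAMPLE_LDIF = ("dn: cn=EXAMPLE.TEST,cn=kerberos,dc=example,dc=test\n"
               "krbSupportedEncSaltTypes: aes256-cts:normal\n"
               "krbSupportedEncSaltTypes: des-cbc-crc:normal\n")
SAMPLE_KLIST = ("KVNO Principal\n---- ---------\n"
                "   1 host/router.example.test@EXAMPLE.TEST (des-cbc-crc)\n"
                "   2 host/web.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)\n")

if __name__ == "__main__":
    print(weak_crypto_allowed(SAMPLE_CONF), weak_salt_types(SAMPLE_LDIF),
          weak_keytab_entries(SAMPLE_KLIST))
```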
