>If I call krb5_rd_req specifying NULL for the server principal, then the >error message I get is 'Bad encryption type while decoding authenticator' >(RC=188). But if I specify the server principal in krb5_rd_req, then I >get this error: 'Decrypt integrity check failed' (RC=31). > >[Both forms of the call to krb5_rd_req work fine when the keytabs are OK]. > >We've now got our keytabs corrected, but I'm still curious about the >different error messages for the same keytabs, depending (it appears) only >on whether a server principal is supplied in the call to krb5_rd_req. Is >this discrepancy intended? Right now, it's just curiosity on my part.
How facinating. In theory, it really should be the same because in rd_req.c, if server == NULL, it uses the server principal out of the AP_REQ. It would be interesting to see what the code path is that is causing this; I have personally never seen "Bad encryption type" in this scenario, even for services which pass in NULL for the server principal. Maybe it's worth running it under a debugger? --Ken ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
