>>>>> "jonr" == jonr <[EMAIL PROTECTED]> writes:
jonr> Quoting "Richard E. Silverman" <[EMAIL PROTECTED]>:
>> >>>>> "jonr" == jonr <[EMAIL PROTECTED]> writes:
>>
jonr> I have a slave kdc and am trying to get the master to kprop the
jonr> db to the slave. I continually get this error: kprop: Decrypt
jonr> integrity check failed while getting initial ticket
>>
>>
jonr> From what I have read it is a wrong password for one of the hosts
jonr> in the database.
>> No; the problem here is probably the key of the master kdc's host
>> principal, on the slave. The slave uses it to authenticate the
>> peer and compare to kpropd.conf, which lists the hosts allowed to
>> update the slave's copy of the KDB.
jonr> Thanks for the help Richard, I have been slowly slipping into
jonr> madness trying to grasp kerberos. The file that the slave looks
jonr> in to validate is the kadm5.keytab file, is that correct?
No; at least, in my setup, kpropd looks in the system keytab
/etc/krb5.keytab (or similar). kadm5.keytab is for kadmin(d), a different
set of programs.
jonr> I have tried scp'ing this file to my slave thinking that would have
jonr> the correct permissions, this did not work, same error.
jonr> How do I fix this error?
Actually, I misspoke above. I should have said: the problem is likely
that the master kdc's host principal key stored in the KDB does not match
the one in its system keytab. kprop does a kinit with the host
principal, and then uses that to obtain a ticket for the slave host, in
order to authenticate itself to kpropd on the slave. The error means that it
could not decrypt the KDC's response with its key, indicating a mismatch.
Check the key version number:
# klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
14 host/[EMAIL PROTECTED]
$ kvno host/[EMAIL PROTECTED]
host/[EMAIL PROTECTED]: kvno = 14
Make sure they match. If they don't, re-extract the key:
# kadmin
Password for you/[EMAIL PROTECTED]:
kadmin: ktadd -k /etc/krb5.keytab host/[EMAIL PROTECTED]
--
Richard Silverman
[EMAIL PROTECTED]
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
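
The KVNO comparison described in the reply above, as an added example that is not part of the original message: shell functions that parse `klist -k` and `kvno` output and report whether the keytab's highest key version matches the one the KDC issues. The principal name, the sample output and the function names are constructed for illustration.

```shell
#!/bin/sh
# Compare the key version (KVNO) of a principal in a keytab with the one the
# KDC issues. All sample text and the principal name below are constructed.

# keytab_kvno PRINCIPAL: read `klist -k` output on stdin, print the highest
# KVNO listed for PRINCIPAL (a keytab may hold several versions and enctypes).
keytab_kvno() {
    awk -v p="$1" '
        $2 == p && $1 ~ /^[0-9]+$/ { if (!found || $1 + 0 > max) max = $1 + 0; found = 1 }
        END { if (found) print max; else exit 1 }'
}

# kdc_kvno PRINCIPAL: read `kvno` output on stdin ("princ: kvno = N"), print N.
kdc_kvno() {
    awk -v p="$1" '
        index($0, p ": kvno = ") == 1 { print $NF + 0; found = 1; exit }
        END { if (!found) exit 1 }'
}

# check_kvno PRINCIPAL KLIST_TEXT KVNO_TEXT
# Prints a verdict; returns 0 on match, 1 on mismatch, 2 if either side is missing.
check_kvno() {
    kt=$(printf '%s\n' "$2" | keytab_kvno "$1") || { echo "missing-in-keytab"; return 2; }
    kdc=$(printf '%s\n' "$3" | kdc_kvno "$1") || { echo "missing-from-kdc"; return 2; }
    if [ "$kt" -eq "$kdc" ]; then echo "match kvno=$kt"; return 0; fi
    echo "mismatch keytab=$kt kdc=$kdc"; return 1
}

PRINC='host/kdc1.example.com@EXAMPLE.COM'   # constructed placeholder
KLIST_SAMPLE='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  13 host/kdc1.example.com@EXAMPLE.COM
  14 host/kdc1.example.com@EXAMPLE.COM'
KVNO_OK='host/kdc1.example.com@EXAMPLE.COM: kvno = 14'
KVNO_STALE='host/kdc1.example.com@EXAMPLE.COM: kvno = 15'

check_kvno "$PRINC" "$KLIST_SAMPLE" "$KVNO_OK" || true
check_kvno "$PRINC" "$KLIST_SAMPLE" "$KVNO_STALE" || true

# On a live host (needs a valid TGT for kvno), feed the real commands instead:
#   check_kvno "$PRINC" "$(klist -k /etc/krb5.keytab)" "$(kvno "$PRINC")"
```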