cross realm : decrypt integrity check failed
Douglas E. Engert
deengert at anl.gov
Wed Nov 8 15:11:50 EST 2006
Dave Botsch wrote:
> So, I'm trying to set up one way cross realm auth.
>
> We have two realms... realmA and realmB
>
> On both KDCs, we have created the principal krbtgt/realmB@realmA with the same
> kvno and the same password.
And same e-types?
>
> I can even kinit krbtgt/realmB@realmA (which talks to the realmA server) and
> get a ticket as that principal.
>
> So, here's where things go wacky...
>
> I kinit user@realmA - fine
>
> I then try to do something (ssh for example) that requires a ticket in realm B.
>
> Failure with the following error: Decrypt Integrity Check Failed - this error
> also shows up in the realmB kdc log.
>
> a klist shows:
> krbtgt/realmA@realmA
> krbtgt/realmB@realmB
Is the above correct? The second one should be krbtgt/realmB@realmA,
i.e. a ticket issued by A but usable at realm B.
>
> but, of course, no service ticket.
>
> Any thoughts on what to try/look at? As best I can tell, this should just work,
> but clearly it isn't.
>
> I haven't figured out if there is a way to kinit krbtgt/realmB@realmA to
> realmB's servers to verify it isn't somehow mangling the password -- is there a
> way to do this?
>
> realmB is rhel4u4 - krb5-server-1.3.4-33
>
> I don't know what realmA is as I don't control that KDC.
Then how do you know the key was added correctly? Is realm A Windows AD?
As Ken said, sounds like keys don't match.
>
> Thanks!
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
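The two checks the reply above boils down to (do the stored cross-realm keys on the two KDCs agree in kvno and enctypes, and does klist show krbtgt/realmB@realmA rather than krbtgt/realmB@realmB) can be scripted against the text that kadmin getprinc and klist print. The following is an illustration added to this thread, not code from either poster; REALMA/REALMB stand in for the post's realmA/realmB, and the sample getprinc and klist text is constructed, modelled on MIT Kerberos output. The password itself cannot be read back from either KDC, so only what getprinc exposes is compared.

```python
"""Diagnostic helpers for a one-way cross-realm trust (REALMA -> REALMB).

Added illustration for this thread, not code from either poster. REALMA and
REALMB stand in for the post's realmA and realmB. Inputs are constructed text
modelled on MIT Kerberos 'kadmin getprinc' and 'klist' output.
"""
import re

# "Key: vno 3, des-cbc-crc, no salt" -> kvno 3, enctype "des-cbc-crc"
KEY_LINE = re.compile(r"^Key: vno (\d+), ([^,]+)")


def parse_getprinc(text):
    """Return (principal, set of kvnos, set of enctypes) from getprinc output."""
    principal = None
    kvnos, enctypes = set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Principal: "):
            principal = line[len("Principal: "):]
        m = KEY_LINE.match(line)
        if m:
            kvnos.add(int(m.group(1)))
            enctypes.add(m.group(2).strip())
    return principal, kvnos, enctypes


def compare_cross_realm_keys(getprinc_a, getprinc_b):
    """Compare krbtgt/REALMB@REALMA as stored on the two KDCs.

    The password cannot be read back, so this checks what getprinc does
    expose: principal name, kvno and key enctypes. A kvno mismatch, or an
    enctype realm A can issue with that realm B does not hold, leaves realm B
    unable to decrypt the TGT realm A issued. Returns a list of mismatch
    descriptions; an empty list means the visible parts agree.
    """
    pa, ka, ea = parse_getprinc(getprinc_a)
    pb, kb, eb = parse_getprinc(getprinc_b)
    problems = []
    if pa != pb:
        problems.append(f"principal differs: {pa!r} vs {pb!r}")
    if ka != kb:
        problems.append(f"kvno differs: {sorted(ka)} vs {sorted(kb)}")
    if ea != eb:
        problems.append(f"enctypes differ: {sorted(ea)} vs {sorted(eb)}")
    return problems


def cross_realm_tgt_status(klist_text, local_realm, remote_realm):
    """Classify the cross-realm TGT in klist output.

    'ok'          krbtgt/REMOTE@LOCAL is present (issued by A, usable at B)
    'wrong-realm' only krbtgt/REMOTE@REMOTE is present (as in the post's klist)
    'missing'     no cross-realm TGT at all
    """
    wanted = f"krbtgt/{remote_realm}@{local_realm}"
    wrong = f"krbtgt/{remote_realm}@{remote_realm}"
    services = {tok for line in klist_text.splitlines()
                for tok in line.split() if tok.startswith("krbtgt/")}
    if wanted in services:
        return "ok"
    if wrong in services:
        return "wrong-realm"
    return "missing"


# Constructed sample data (not captured from the posters' systems).
GETPRINC_REALMA = """\
Principal: krbtgt/REALMB@REALMA
Expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Number of keys: 2
Key: vno 3, aes256-cts-hmac-sha1-96
Key: vno 3, des-cbc-crc, no salt
MKey: vno 1
"""

GETPRINC_REALMB = """\
Principal: krbtgt/REALMB@REALMA
Expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Number of keys: 1
Key: vno 3, des-cbc-crc, no salt
MKey: vno 1
"""

KLIST_FROM_POST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@REALMA

Valid starting     Expires            Service principal
11/08/06 14:00:00  11/09/06 00:00:00  krbtgt/REALMA@REALMA
11/08/06 14:05:00  11/09/06 00:00:00  krbtgt/REALMB@REALMB
"""

if __name__ == "__main__":
    for p in compare_cross_realm_keys(GETPRINC_REALMA, GETPRINC_REALMB):
        print("key mismatch:", p)
    print("cross-realm TGT:",
          cross_realm_tgt_status(KLIST_FROM_POST, "REALMA", "REALMB"))
```

In practice you would paste the output of `getprinc krbtgt/REALMB@REALMA` from each KDC's kadmin into the two strings. When realm A is not under your control (or is Windows AD), the enctype list is the part most likely to disagree, and the only fix for a suspected password mismatch is to set the key again on both sides at the same kvno.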