MIT vs. Heimdal/Sun: "Decrypt integrity check failed"
kapet at hrz.tu-chemnitz.de
Thu Jun 3 05:08:19 EDT 2004
we have a KDC (Heimdal 0.6.2) running for a test. kinit works, it
successfully provides users with krb4 and krb5 TGTs.
But now I am trying to write a simple GSS based program and get an
error which I can not clearly classify:
0. A service principal was created on the KDC. A krb5 keytab on the
GSS test machine was created by calling Heimdal's kadmin with
"ext_keytab *hostname*". The keytab contains 10 different
encryptions of the service key. The user calling the GSS client-app
always has a clean ticket cache with only the krb5 TGT in it.
1. GSS client- and server-app on the GSS test machine both use MIT
Kerberos5 1.3.1. This works like a charm. I will use this GSS
server-app for all further tests.
2. The GSS client-app on another machine, also using MIT Kerberos5
1.3.1, works too.
3. The GSS client-app using Heimdal 0.6.2 on just another Linux machine
does not work.
4. The GSS client-app on SunOS 5.8 (using Sun's GSS-implementation) does
not work either.
The GSS server-app shows the same error message for 3. and 4.:
gss_accept_sec_context: Miscellaneous failure
gss_accept_sec_context: Decrypt integrity check failed
(The GSS client-app then gets an error message from the server and quits
I traced the GSS server-app (during 3.) and found it calculating a MD5
sum (it was using des-cbc-md5) which came out different than the one
from the client.
So where is the problem?
Thanks in advance,
Dipl. Inf. Karsten Petersen, Universitaetsrechenzentrum, TU Chemnitz
E-Mail: kapet at hrz.tu-chemnitz.de
Telefon: (0371) - 531 - 1725
Arbeitsplatz: Strasse der Nationen 62 // Raum 1/B301.A
More information about the Kerberos