MIT vs. Heimdal/Sun: "Decrypt integrity check failed"

Alberto Patino jalbertop at
Fri Jun 4 16:18:53 EDT 2004

On Thu, 2004-06-03 at 08:38, Karsten Petersen wrote:
> Hi,
> after some more testing and playing around with krb5.conf directives I
> believe that I have found the problem:
> Karsten Petersen wrote:
> > we have a KDC (Heimdal 0.6.2) running for a test.  kinit works, it
> > successfully provides users with krb4 and krb5 TGTs.
> Because we want to migrate our AFS to Heimdal Kerberos5, we have the
> AFS-salt (and the v4-salt) activated on the kdc.
I have the same configuration Heimdal 0.6 kdc on a SUN network.
> > 0. A service principal was created on the KDC.
> And this principal got by default not only v5-salted keys, but also v4-
> and AFS-salted.
> > A krb5 keytab on the GSS test machine was created by calling Heimdal's
> > kadmin with "ext_keytab *hostname*".
> This exported all keys to the keytab, which therefore ended up with
> several keys per encryption type.
> > The keytab contains 10 different encryptions of the service key.
> 3 x des-cbc-crc
> 3 x des-cbc-md4
> 3 x des-cbc-md5
> 1 x des3-cbc-hmac
> > 1. GSS client- and server-app on the GSS test machine both use MIT
> >    Kerberos5 1.3.1.  This works like a charm.
> Yeah, because it took the des3-cbc-hmac key.  If forced to some other
> encryption type, it did not work too.
> After deleting the principal on the server, recreating it only with
> v5-salted keys and exporting it again - everything worked.
> > So where is the problem?
> It seems to me that MIT Kerberos5 1.3.1 is not able to handle keytab
> files with several keys of the same encryption type (but different
> salts).
I had exactly the same problem to runn Sun Microsystems NFS using
Heimdal KDC instead of the Mit based krb5kdc.
In my case I didn't remove the encrytio types from the KDC server, but
I DO delete the extra entries from the /etc/krb5/krb5.keytab SUN-MIT
dependent file ( Because the SUN NFS use native kr5 library from MIT)
> Or is there some magical krb5.conf option I did not find yet?
> Best wishes,
> Karsten Petersen

More information about the Kerberos mailing list