Cross Realm Authentication: "Decrypt integrity check failed"
ms419@freezone.co.uk
Thu Mar 11 23:37:41 EST 2004
I have two working realms: "LAT" and "RUZ". I created principals
"krbtgt/LAT@RUZ" and "krbtgt/RUZ@LAT". I used "kdb5_util -r RUZ dump
datatrans krbtgt/LAT@RUZ krbtgt/RUZ@LAT" and "kdb5_util -r LAT load
-update datatrans" to transfer these principals from one realm to the
other.
"RUZ" contains the principal "host/wum.lat@RUZ". It is installed in
this host's keytab. "domain_realm" contains the entry "wum.lat = RUZ".
However, when I attempt to acquire a ticket for "host/wum.lat@RUZ" as
"admin@LAT", the KDC complains:
---
Mar 11 20:10:45 wum krb5kdc[13912]: AS_REQ (6 etypes {18 16 23 1 3 2})
192.168.179.73: NEEDED_PREAUTH: admin@LAT for krbtgt/LAT@LAT,
Additional pre-authentication required
Mar 11 20:10:45 wum krb5kdc[13912]: AS_REQ (6 etypes {18 16 23 1 3 2})
192.168.179.73: ISSUE: authtime 1079064645, etypes {rep=16 tkt=16
ses=16}, admin@LAT for krbtgt/LAT@LAT
Mar 11 20:10:45 wum krb5kdc[13912]: TGS_REQ (6 etypes {18 16 23 1 3 2})
192.168.179.73: ISSUE: authtime 1079064645, etypes {rep=16 tkt=16
ses=16}, admin@LAT for krbtgt/RUZ@LAT
Mar 11 20:10:45 wum krb5kdc[13912]: TGS_REQ (6 etypes {18 16 23 1 3 2})
192.168.179.73: PROCESS_TGS: authtime 0, <unknown client> for
host/wum.lat@RUZ, Decrypt integrity check failed
Mar 11 20:10:48 wum sshd[12296]: Failed password for admin from
192.168.24.106 port 58802 ssh2
---
(I would ordinarily use GSSAPI rather than enter my password using ssh
- but this is broken - for the same reason?) In other tests, I verify
that I acquire the "krbtgt/LAT@LAT" ticket, and the "krbtgt/RUZ@LAT"
ticket:
---
Default Principal: admin@LAT
Valid Starting     Expires            Service Principal
03/11/04 20:29:16  03/12/04 06:29:16  krbtgt/LAT@LAT
        renew until 03/18/04 20:29:16
03/11/04 20:29:23  03/12/04 06:29:16  krbtgt/RUZ@LAT
        renew until 03/11/04 20:29:23
---
But these tickets don't grant me tickets from "RUZ". What did I do
wrong?
Thanks,
Jack
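A "Decrypt integrity check failed" on the cross-realm TGS_REQ means the RUZ KDC could not decrypt the krbtgt/RUZ@LAT ticket issued by LAT with its own copy of that principal's key, so the first thing to verify is that both KDC databases hold the same key for each shared krbtgt principal. The script below is an added example, not code from the original post or from MIT Kerberos: it parses `getprinc`-style output (the samples here are constructed, not captured from the poster's KDCs, and use the enctype names for etypes 16 and 1 seen in the log above) for both realms and flags any cross-realm principal whose kvno or enctype set differs between the two databases. The helper names `parse_getprinc` and `check_cross_realm` are this example's own.

```python
"""Compare the cross-realm krbtgt principals held by two MIT Kerberos
realm databases and report kvno / enctype mismatches.

Added example (not from the mailing-list post). The getprinc excerpts
are CONSTRUCTED to resemble `kadmin.local -r REALM -q "getprinc P"`
output; in practice capture them from each KDC.
"""
import re

# Constructed sample databases, keyed by realm, then by principal.
# The RUZ copy of krbtgt/RUZ@LAT has been given a different kvno on
# purpose, to show what a stale dump/load transfer looks like.
SAMPLE_DBS = {
    "LAT": {
        "krbtgt/RUZ@LAT": (
            "Principal: krbtgt/RUZ@LAT\n"
            "Number of keys: 2\n"
            "Key: vno 2, des3-cbc-sha1\n"
            "Key: vno 2, des-cbc-crc\n"
            "MKey: vno 1\n"
        ),
        "krbtgt/LAT@RUZ": (
            "Principal: krbtgt/LAT@RUZ\n"
            "Number of keys: 2\n"
            "Key: vno 1, des3-cbc-sha1\n"
            "Key: vno 1, des-cbc-crc\n"
            "MKey: vno 1\n"
        ),
    },
    "RUZ": {
        "krbtgt/RUZ@LAT": (
            "Principal: krbtgt/RUZ@LAT\n"
            "Number of keys: 2\n"
            "Key: vno 3, des3-cbc-sha1\n"
            "Key: vno 3, des-cbc-crc\n"
            "MKey: vno 1\n"
        ),
        "krbtgt/LAT@RUZ": (
            "Principal: krbtgt/LAT@RUZ\n"
            "Number of keys: 2\n"
            "Key: vno 1, des3-cbc-sha1\n"
            "Key: vno 1, des-cbc-crc\n"
            "MKey: vno 1\n"
        ),
    },
}

PRINC_LINE = re.compile(r"^Principal: (\S+)", re.M)
KEY_LINE = re.compile(r"^Key: vno (\d+), (\S+)", re.M)


def parse_getprinc(text):
    """Return (principal, {(kvno, enctype), ...}) from getprinc output."""
    m = PRINC_LINE.search(text)
    if not m:
        raise ValueError("no 'Principal:' line in getprinc output")
    keys = {(int(vno), etype) for vno, etype in KEY_LINE.findall(text)}
    return m.group(1), keys


def check_cross_realm(db_a, db_b):
    """Compare every principal in either realm database.

    Returns {principal: [problem, ...]}; an empty list means the two
    copies agree on kvno and enctypes (a necessary, not sufficient,
    condition for the key material itself to match).
    """
    report = {}
    for princ in sorted(set(db_a) | set(db_b)):
        problems = []
        if princ not in db_a or princ not in db_b:
            problems.append("missing from one realm's database")
        else:
            _, keys_a = parse_getprinc(db_a[princ])
            _, keys_b = parse_getprinc(db_b[princ])
            vnos_a = {v for v, _ in keys_a}
            vnos_b = {v for v, _ in keys_b}
            if vnos_a != vnos_b:
                problems.append(
                    f"kvno differs: {sorted(vnos_a)} vs {sorted(vnos_b)}")
            ets_a = {e for _, e in keys_a}
            ets_b = {e for _, e in keys_b}
            if ets_a != ets_b:
                problems.append(
                    f"enctypes differ: {sorted(ets_a)} vs {sorted(ets_b)}")
        report[princ] = problems
    return report


def main():
    report = check_cross_realm(SAMPLE_DBS["LAT"], SAMPLE_DBS["RUZ"])
    for princ, problems in report.items():
        status = "; ".join(problems) if problems else "ok"
        print(f"{princ}: {status}")


if __name__ == "__main__":
    main()
```

Equal kvno and enctype sets only show that both KDCs think they hold the same key generation; if the check passes and the error persists, compare the actual key entries in the two `kdb5_util dump` files for those principals, since the key bytes themselves are what the TGS decrypts with. Any time a cross-realm krbtgt password is changed on one KDC, the other realm must receive the same change, or every TGS_REQ across that trust will fail the integrity check.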