Decrypt integrity check failed
Richard E. Silverman
res at qoxp.net
Mon Jul 10 23:24:05 EDT 2006
>>>>> "jonr" == jonr <jonr at destar.net> writes:
jonr> Quoting "Richard E. Silverman" <res at qoxp.net>:
>> >>>>> "jonr" == jonr <jonr at destar.net> writes:
>>
jonr> I have a slave kdc and am trying to get the master to kprop the
jonr> db to the slave. I continually get this error: kprop: Decrypt
jonr> integrity check failed while getting initial ticket
>>
jonr> From what I have read it is a wrong password for one of the hosts
jonr> in the database.
>> No; the problem here is probably the key of the master kdc's host
>> principal, on the slave. The slave uses it to authenticate the
>> peer and compare to kpropd.conf, which lists the hosts allowed to
>> update the slave's copy of the KDB.
jonr> Thanks for the help Richard, I have been slowly slipping into
jonr> madness trying to grasp kerberos. The file that the slave looks
jonr> in to validate is the kadm5.keytab file, is that correct?
No; at least, in my setup, kpropd looks in the system keytab
/etc/krb5.keytab (or similar). kadm5.keytab is for kadmin(d), a different
set of programs.
jonr> I have tried scp'ing this file to my slave thinking that would have the
jonr> correct permissions, this did not work, same error.
jonr> How do I fix this error?
Actually, I misspoke above. I should have said: the problem is likely
that the master kdc's host principal key stored in the KDB does not match
the one in its system keytab. kprop does a kinit with the host
principal, and then uses that to obtain a ticket for the slave host, in
order to authenticate itself to kpropd on the slave. The error means that it
could not decrypt the KDC's response with its key, indicating a mismatch.
Check the key version number:
# klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
14 host/foo.bar.com@BAR.COM
$ kvno host/foo.bar.com@BAR.COM
host/foo.bar.com@BAR.COM: kvno = 14
Make sure they match. If they don't, re-extract the key:
# kadmin
Password for you/admin@BAR.COM:
kadmin: ktadd -k /etc/krb5.keytab host/foo.bar.com@BAR.COM
--
Richard Silverman
res at qoxp.net
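The kvno comparison described in the reply above, as an added example that is not part of the original post or of the Kerberos distribution. It parses the output formats of "klist -k" and "kvno" shown in the reply and reports whether the keytab entry for a principal is at the same key version as the KDC's copy. The keytab and KDC text are passed in as strings so the script runs offline on the constructed sample below; on a real master they would be the live output of "klist -k /etc/krb5.keytab" and "kvno host/foo.bar.com@BAR.COM". The principal and realm names are the ones used in the reply and are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): compare the key version number
# (kvno) of a principal in a keytab with the kvno the KDC reports. A mismatch
# is the condition behind "Decrypt integrity check failed": the client's key
# is not the one the KDC used to encrypt its reply.

# keytab_kvno KLIST_OUTPUT PRINCIPAL
# Print the highest kvno the keytab holds for PRINCIPAL (a keytab may hold
# several entries for one principal, one per enctype or per re-key), or
# nothing if the principal is absent. Header lines of "klist -k" are skipped
# because their first field is not a number.
keytab_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 ~ /^[0-9]+$/ && $2 == p { if ($1 + 0 > max) max = $1 + 0; found = 1 }
        END { if (found) print max }'
}

# kdc_kvno KVNO_OUTPUT PRINCIPAL
# Extract N from the "PRINCIPAL: kvno = N" line that the kvno command prints.
kdc_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 == (p ":") && $2 == "kvno" && $3 == "=" { print $4 + 0 }'
}

# check_kvno KLIST_OUTPUT KVNO_OUTPUT PRINCIPAL
# Return 0 when keytab and KDC agree, 1 otherwise, with a one-line report.
check_kvno() {
    kt=$(keytab_kvno "$1" "$3")
    kdc=$(kdc_kvno "$2" "$3")
    if [ -z "$kt" ]; then
        echo "keytab has no entry for $3"; return 1
    fi
    if [ -z "$kdc" ]; then
        echo "KDC reported no kvno for $3"; return 1
    fi
    if [ "$kt" -eq "$kdc" ]; then
        echo "match: keytab kvno $kt == KDC kvno $kdc"; return 0
    fi
    echo "mismatch: keytab kvno $kt, KDC kvno $kdc; re-extract with: kadmin -q 'ktadd -k /etc/krb5.keytab $3'"
    return 1
}

# Constructed sample output (not captured from a real system): the keytab
# holds the master's host key at kvno 13 and 14, but the KDC is at kvno 15
# because the principal was re-keyed after the keytab was written.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  13 host/foo.bar.com@BAR.COM
  14 host/foo.bar.com@BAR.COM
   2 host/slave.bar.com@BAR.COM'
SAMPLE_KDC='host/foo.bar.com@BAR.COM: kvno = 15'

# On a real master the call would be:
#   check_kvno "$(klist -k /etc/krb5.keytab)" "$(kvno host/foo.bar.com@BAR.COM)" host/foo.bar.com@BAR.COM
# Offline demonstration on the constructed sample, which was built to mismatch.
if check_kvno "$SAMPLE_KEYTAB" "$SAMPLE_KDC" host/foo.bar.com@BAR.COM; then
    echo "sample keytab is current"
else
    echo "sample keytab is stale (expected for the constructed sample)"
fi
```

Note that "kvno" needs a valid ticket in the credential cache to fetch a service ticket, so run it after a kinit. Also, "ktadd" generates a fresh random key and bumps the kvno, so every other copy of that keytab (for example one copied to another host) goes stale the moment it is run; re-extract once, on the host that will use the key.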