Decrypt integrity check failed

Richard E. Silverman res at qoxp.net
Mon Jul 10 23:24:05 EDT 2006


>>>>> "jonr" == jonr  <jonr at destar.net> writes:

    jonr> Quoting "Richard E. Silverman" <res at qoxp.net>:
    >> >>>>> "jonr" == jonr <jonr at destar.net> writes:
    >> 
    jonr> I have a slave kdc and am trying to get the master to kprop the
    jonr> db to the slave.  I continually get this error: kprop: Decrypt
    jonr> integrity check failed while getting initial ticket
    >> 
    >> 
    >> >> From what I have read it is a wrong password for one of the
    >> >> hosts in the
    jonr> database.
    >>  No; the problem here is probably the key of the master kdc's host
    >> principal, on the slave.  The slave uses it to authenticate the
    >> peer and compare to kpropd.conf, which lists the hosts allowed to
    >> update the slave's copy of the KDB.

    jonr> Thanks for the help Richard, I have been slowly slipping into
    jonr> madness trying to grasp kerberos. The file that the slave looks
    jonr> in to validate is the kadm5.keytab file, is that correct? 

No; at least, in my setup, kpropd looks in the system keytab
/etc/krb5.keytab (or similar).  kadm5.keytab is for kadmin(d), a different
set of programs.

    jonr> I have tried scp'ing this file to my slave thinking that would have the
    jonr> correct permissions, this did not work, same error.

    jonr> How do I fix this error?

Actually, I misspoke above.  I should have said: the problem is likely
that the master kdc's host principal key stored in the KDB does not match
the one in its system keytab.  kprop does a kinit with the host
principal, and then uses that to obtain a ticket for the slave host, in
order to authenticate itself to kpropd on the slave.  The error means that it
could not decrypt the KDC's response with its key, indicating a mismatch.
Check the key version number:

# klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  14 host/foo.bar.com at BAR.COM

$ kvno host/foo.bar.com at BAR.COM
host/foo.bar.com at BAR.COM: kvno = 14

Make sure they match.  If they don't, re-extract the key:

# kadmin
Password for you/admin at BAR.COM:
kadmin: ktadd -k /etc/krb5.keytab host/foo.bar.com at BAR.COM

-- 
  Richard Silverman
  res at qoxp.net
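As an added check that is not part of this thread, the script below parses the two outputs the post compares, `klist -k` and `kvno`, and reports any principal whose current KDC kvno is absent from the keytab. The sample outputs are constructed, written with the real `@` form of the principal names rather than the archive's "at" substitution, and the stale host key is deliberate.

```python
import re

# Constructed sample output of `klist -k /etc/krb5.keytab` (not captured
# from a real system). A keytab may hold several key versions per principal.
KLIST_OUTPUT = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  14 host/foo.bar.com@BAR.COM
   3 host/foo.bar.com@BAR.COM
   7 kprop/foo.bar.com@BAR.COM
"""

# Constructed sample output of `kvno` for the same principals. The KDB has
# moved on to kvno 15 for the host principal, so the keytab copy is stale.
KVNO_OUTPUT = """host/foo.bar.com@BAR.COM: kvno = 15
kprop/foo.bar.com@BAR.COM: kvno = 7
"""

def parse_klist(text):
    """Return {principal: set of kvnos} from the `klist -k` table."""
    keys = {}
    for line in text.splitlines():
        # Data rows are "<kvno> <principal>"; header and rule lines do not match.
        m = re.match(r"^\s*(\d+)\s+(\S+)\s*$", line)
        if m:
            keys.setdefault(m.group(2), set()).add(int(m.group(1)))
    return keys

def parse_kvno(text):
    """Return {principal: kvno} from `kvno` output lines."""
    current = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+): kvno = (\d+)\s*$", line)
        if m:
            current[m.group(1)] = int(m.group(2))
    return current

def find_stale(keytab, kdc):
    """List (principal, kdc_kvno, keytab_kvnos) where the KDC kvno is missing."""
    stale = []
    for princ, kvno in kdc.items():
        have = keytab.get(princ, set())
        if kvno not in have:
            stale.append((princ, kvno, sorted(have)))
    return stale

if __name__ == "__main__":
    for princ, want, have in find_stale(parse_klist(KLIST_OUTPUT), parse_kvno(KVNO_OUTPUT)):
        print(f"{princ}: KDC has kvno {want}, keytab has {have or 'nothing'}; ktadd needed")
```

On a real host, feed the script the output of the two commands shown in the post; any principal it lists is one whose key the `ktadd` step above would refresh.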
