Decrypt integrity check failed
Marcus Watts
mdw at umich.edu
Tue Jul 11 01:21:45 EDT 2006
"Richard E. Silverman" <res at qoxp.net> writes:
...
> Check the key version number:
>
> # klist -k /etc/krb5.keytab
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
> 14 host/foo.bar.com at BAR.COM
>
> $ kvno host/foo.bar.com at BAR.COM
> host/foo.bar.com at BAR.COM: kvno = 14
>
> Make sure they match. If they don't, re-extact the key:
>
> # kadmin
> Password for you/admin at BAR.COM:
> kadmin: ktadd -k /etc/krb5.keytab host/foo.bar.com at BAR.COM
Couple of things.
There is another way to check out whether a keytab works: kinit.
This is good because it's not impossible to get a keytab that *appears*
to have the same kvno but doesn't work. (for instance, delete the
principal, then recreate it.)
For instance:
spam# klist -ekt /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
3 08/19/04 03:56:25 imap/spam.ifs.umich.edu at UMICH.EDU (Triple DES cbc mode with HMAC/sha1)
3 08/19/04 03:56:25 imap/spam.ifs.umich.edu at UMICH.EDU (DES cbc mode with CRC-32)
3 03/22/06 04:01:29 pop/spam.ifs.umich.edu at UMICH.EDU (Triple DES cbc mode with HMAC/sha1)
3 03/22/06 04:01:29 pop/spam.ifs.umich.edu at UMICH.EDU (DES cbc mode with CRC-32)
spam#
tells me I have 2 principals, each with 2 encryption types,
(and when those keytab entries were written, if you care.)
spam# kinit -k -t /etc/krb5.keytab imap/spam.ifs.umich.edu
spam# klist -5fea
Ticket cache: FILE:/tmp/krb5cc_25131_eVt6pe
Default principal: imap/spam.ifs.umich.edu at UMICH.EDU
Valid starting Expires Service principal
07/11/06 00:45:16 07/12/06 00:45:16 krbtgt/UMICH.EDU at UMICH.EDU
Flags: FPI, Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
Addresses: (none)
spam#
tells me that I have a keytab entry that actually works for
imap/spam.ifs.umich.edu at UMICH.EDU, also it looks likely that I
used 3des to get that key (plus some other information of no particular
consequence here.)
Another clue that's sometimes useful is log file entries, in this case,
in krb5kdc's log:
Jul 11 00:45:16 AS_REQ (7 etypes {18 17 16 23 1 3 2}) 141.211.1.36: ISSUE: authtime 1152593116, etypes {rep=16 tkt=16 ses=16}, imap/spam.ifs.umich.edu at UMICH.EDU for krbtgt/UMICH.EDU at UMICH.EDU
For instance, that can tell you which principal you were actually trying to authenticate
as.
Secondly, in this case, since it appears that "jonr" is trying to
set up replication, it's important to be very careful about configuration
files. Specifically, you probably don't want krb5.conf entries (or DNS
entries) that point to slaves until you have replication working to those slaves.
If you're somehow trying to get a ticket from a slave that has an old
copy of the database, there's definitely opportunity for confusion.
-Marcus
More information about the Kerberos
mailing list