Question about krb5_rd_req

Ken Hornstein kenh at cmf.nrl.navy.mil
Wed Jun 21 16:39:34 EDT 2006


>If I call krb5_rd_req specifying NULL for the server principal, then the 
>error message I get is 'Bad encryption type while decoding authenticator' 
>(RC=188).  But if I specify the server principal in krb5_rd_req, then I 
>get this error:  'Decrypt integrity check failed' (RC=31).
>
>[Both forms of the call to krb5_rd_req work fine when the keytabs are OK].
>
>We've now got our keytabs corrected, but I'm still curious about the 
>different error messages for the same keytabs, depending (it appears) only 
>on whether a server principal is supplied in the call to krb5_rd_req. Is 
>this discrepancy intended?  Right now, it's just curiosity on my part.

How fascinating.  In theory, it really should be the same because in rd_req.c,
if server == NULL, it uses the server principal out of the AP_REQ.

It would be interesting to see what the code path is that is causing this;
I have personally never seen "Bad encryption type" in this scenario, even
for services which pass in NULL for the server principal.  Maybe it's worth
running it under a debugger?

--Ken


