Question about krb5_rd_req
Ken Hornstein
kenh at cmf.nrl.navy.mil
Wed Jun 21 16:39:34 EDT 2006
>If I call krb5_rd_req specifying NULL for the server principal, then the
>error message I get is 'Bad encryption type while decoding authenticator'
>(RC=188). But if I specify the server principal in krb5_rd_req, then I
>get this error: 'Decrypt integrity check failed' (RC=31).
>
>[Both forms of the call to krb5_rd_req work fine when the keytabs are OK].
>
>We've now got our keytabs corrected, but I'm still curious about the
>different error messages for the same keytabs, depending (it appears) only
>on whether a server principal is supplied in the call to krb5_rd_req. Is
>this discrepancy intended? Right now, it's just curiosity on my part.
How fascinating. In theory, it really should be the same because in rd_req.c,
if server == NULL, it uses the server principal out of the AP_REQ.
It would be interesting to see what the code path is that is causing this;
I have personally never seen "Bad encryption type" in this scenario, even
for services which pass in NULL for the server principal. Maybe it's worth
running it under a debugger?
--Ken