cross realm : decrypt integrity check failed

Dave Botsch botsch at cnf.cornell.edu
Wed Nov 8 13:48:17 EST 2006


So, I'm trying to set up one way cross realm auth.

We have two realms... realmA and realmB

On both KDCs, we have created the principal krbtgt/realmB@realmA with the same
kvno and the same password.

I can even kinit krbtgt/realmB@realmA (which talks to the realmA server) and
get a ticket as that principal.

So, here's where things go wacky...

I kinit user@realmA - fine

I then try to do something (ssh for example) that requires a ticket in realm B.

Failure with the following error: Decrypt Integrity Check Failed - this error
also shows up in the realmB kdc log.

A klist shows:
krbtgt/realmA@realmA
krbtgt/realmB@realmB

but, of course, no service ticket.

Any thoughts on what to try/look at? As best I can tell, this should just work,
but clearly it isn't.

I haven't figured out if there is a way to kinit krbtgt/realmB@realmA to
realmB's servers to verify it isn't somehow mangling the password -- is there a
way to do this?

realmB is rhel4u4 - krb5-server-1.3.4-33

I don't know what realmA is as I don't control that KDC.

Thanks!

-- 
********************************
David William Botsch
Programmer/Analyst
CNF Computing
botsch at cnf.cornell.edu
********************************


