cross realm : decrypt integrity check failed
Dave Botsch
botsch at cnf.cornell.edu
Wed Nov 8 13:48:17 EST 2006
So, I'm trying to set up one way cross realm auth.
We have two realms... realmA and realmB
On both KDCs, we have created the principal krbtgt/realmB@realmA with the same
kvno and the same password.
I can even kinit krbtgt/realmB@realmA (which talks to the realmA server) and
get a ticket as that principal.
So, here's where things go wacky...
I kinit user@realmA - fine
I then try to do something (ssh for example) that requires a ticket in realm B.
Failure with the following error: Decrypt Integrity Check Failed - this error
also shows up in the realmB kdc log.
A klist shows:
krbtgt/realmA@realmA
krbtgt/realmB@realmB
but, of course, no service ticket.
Any thoughts on what to try/look at? As best I can tell, this should just work,
but clearly it isn't.
I haven't figured out if there is a way to kinit krbtgt/realmB@realmA to
realmB's servers to verify it isn't somehow mangling the password -- is there a
way to do this?
realmB is rhel4u4 - krb5-server-1.3.4-33
I don't know what realmA is as I don't control that KDC.
Thanks!
--
********************************
David William Botsch
Programmer/Analyst
CNF Computing
botsch at cnf.cornell.edu
********************************
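
Added example, not part of the original post: both KDCs must store identical keys for krbtgt/realmB@realmA, which means matching kvno, encryption type and salt in addition to the password. The Python sketch below compares the "Key:" lines of `getprinc`-style listings taken on each KDC; the two sample listings are constructed for illustration and the function names are hypothetical.

```python
import re

# Constructed samples modelled on the "Key:" lines that kadmin's getprinc prints
# for krbtgt/realmB@realmA on each KDC. The key lists are invented, not from the post.
REALM_A_OUTPUT = """\
Principal: krbtgt/realmB@realmA
Number of keys: 2
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
"""
REALM_B_OUTPUT = """\
Principal: krbtgt/realmB@realmA
Number of keys: 2
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, Version 4
"""

# "Key: vno <n>, <enctype>[, <salt type>]" (the salt field may be absent).
KEY_LINE = re.compile(r"^Key: vno (\d+), ([^,]+?)(?:, (.+))?$", re.M)


def parse_keys(getprinc_output):
    """Return {(kvno, enctype): salt_type} for every 'Key:' line."""
    keys = {}
    for kvno, enctype, salt in KEY_LINE.findall(getprinc_output):
        # A missing salt field is treated the same as the default "no salt".
        keys[(int(kvno), enctype.strip())] = (salt or "no salt").strip()
    return keys


def compare_keys(out_a, out_b):
    """Return (matching_slots, problems) for the two KDCs' key lists.

    A matching slot only means kvno, enctype and salt type agree; the key
    bytes can still differ if the passwords entered on each side differ.
    """
    a, b = parse_keys(out_a), parse_keys(out_b)
    matching, problems = [], []
    for slot in sorted(set(a) | set(b)):
        kvno, enctype = slot
        if slot not in a:
            problems.append(f"kvno {kvno} {enctype}: only on realmB KDC")
        elif slot not in b:
            problems.append(f"kvno {kvno} {enctype}: only on realmA KDC")
        elif a[slot] != b[slot]:
            problems.append(f"kvno {kvno} {enctype}: salt {a[slot]!r} vs {b[slot]!r}")
        else:
            matching.append(slot)
    return matching, problems


if __name__ == "__main__":
    for line in compare_keys(REALM_A_OUTPUT, REALM_B_OUTPUT)[1]:
        print(line)
```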