cross realm : decrypt integrity check failed

Ken Hornstein kenh at cmf.nrl.navy.mil
Wed Nov 8 14:54:38 EST 2006


>So, I know I've got the right password... I can manually kinit
>krbtgt/realmB at realmA using the supplied cross-realm password -- that works

Okay ... but unless you did some magic, you weren't sending that request
to realm B, you only sent that to realm A.

>So, I can take that same password, copy it to the clipboard so that I know I
>don't fat-finger it, paste it in to the cross realm principal on realmB... and
>I get that error.
>
>I'm wondering if it's like I said a unicode weirdness (which doesn't make
>sense) or if it's somehow using the wrong enctype (even though the enctypes
>supposedly match).

Okay, one other thing comes to mind.  Is it possible that the default
key _salts_ are different between the two realms?  Do a getprinc on both
principals in both realms, and make sure the key salts (listed in the enctypes
after every key) are the same.  The keys should also be in the same order
(although I don't remember if mis-ordering results in this error).  When
I create cross-realm keys, I specify the enctype:salt pairs manually so
they will match and have the correct ordering.

--Ken
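Added example, not part of the original message and not MIT Kerberos code: it compares two ordered enctype:salt lists the way the reply suggests and shows that one password run through the PBKDF2 step of the RFC 3962 (AES) string-to-key gives different key material under different salts. The realm names, password, keysalt lists and function names are constructed for illustration; the salt strings follow the MIT keysalt types normal, norealm, onlyrealm and v4.

```python
import hashlib
from itertools import zip_longest

# Constructed sample: the cross-realm principal krbtgt/REALMB@REALMA.
REALM, COMPONENTS = "REALMA", ["krbtgt", "REALMB"]

def salt_for(salttype, realm=REALM, components=COMPONENTS):
    """Salt bytes for the MIT keysalt types normal, norealm, onlyrealm and v4."""
    name = "".join(components)
    return {"normal": realm + name, "norealm": name,
            "onlyrealm": realm, "v4": ""}[salttype].encode()

def pbkdf2_stage(password, salt, keylen=32, iterations=4096):
    """PBKDF2-HMAC-SHA1 step of the RFC 3962 (AES) string-to-key.
    The final key is derived deterministically from this value, so the DK
    step is left out here."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations, keylen)

def split_keysalt(entry):
    """'enctype:salt' -> (enctype, salt); a bare enctype means the normal salt."""
    enctype, _, salt = entry.partition(":")
    return enctype, salt or "normal"

def compare_keysalts(realm_a, realm_b):
    """Positions where two ordered enctype:salt lists disagree."""
    diffs = []
    for i, (a, b) in enumerate(zip_longest(realm_a, realm_b)):
        if a is None or b is None or split_keysalt(a) != split_keysalt(b):
            diffs.append((i, a, b))
    return diffs

if __name__ == "__main__":
    password = "constructed-cross-realm-password"  # constructed sample value
    # Constructed keysalt lists, as read off getprinc in each realm.
    kdc_a = ["aes256-cts-hmac-sha1-96:normal", "aes128-cts-hmac-sha1-96:normal"]
    kdc_b = ["aes256-cts-hmac-sha1-96:onlyrealm", "aes128-cts-hmac-sha1-96"]
    for i, a, b in compare_keysalts(kdc_a, kdc_b):
        print(f"key {i}: {a} vs {b}")
        for entry in (a, b):
            if entry:
                salt = salt_for(split_keysalt(entry)[1])
                print(f"  salt={salt!r} -> {pbkdf2_stage(password, salt).hex()}")
```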


