cross realm : decrypt integrity check failed
Dave Botsch
botsch at cnf.cornell.edu
Wed Nov 8 15:00:38 EST 2006
On Wed, Nov 08, 2006 at 02:54:38PM -0500, Ken Hornstein wrote:
> >So, I know I've got the right password... I can manually kinit
> >krbtgt/realmB@realmA using the supplied cross-realm password -- that works
>
> Okay ... but unless you did some magic, you weren't sending that request
> to realm B, you only sent that to realm A.
Right. I've been trying to figure out if there's a way to do this kinit to
realmB with some sort of magic, but no luck so far. It would certainly be a
useful test.
>
>
> Okay, one other thing comes to mind. Is it possible that the default
> key _salts_ are different between the two realms? Do a getprinc on both
> principals in both realms, and make sure the key salts (listed in the enctypes
> after every key) are the same. The keys should also be in the same order
> (although I don't remember if mis-ordering results in this error). When
> I create cross-realm keys, I specify the enctype:salt pairs manually so
> they will match and have the correct ordering.
>
I believe they match... well, one of them does at any rate. If I understand
things, on realmA, it's set up with just one enc/salt type where I've got three
on this end. One of those three is the one. I've tried recreating the principal
with just the one and no luck.
> --Ken
--
********************************
David William Botsch
Programmer/Analyst
CNF Computing
botsch at cnf.cornell.edu
********************************
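
Added example, not part of the original thread and not code from either poster: one way to carry out the getprinc comparison Ken describes, checking that the enctype/salt pairs for the cross-realm principal match and are listed in the same order in both realms. The sample getprinc text is constructed, and the "Key: vno N, enctype, salt" line layout is an assumption modelled on older MIT kadmin output; adjust parse_keys if your kadmin prints keys differently.

```python
# Constructed sample output for krbtgt/realmB@realmA as each KDC might list it.
REALM_A = """\
Principal: krbtgt/realmB@realmA
Number of keys: 1
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
"""
REALM_B = """\
Principal: krbtgt/realmB@realmA
Number of keys: 3
Key: vno 1, DES cbc mode with CRC-32, Version 4
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
"""

def parse_keys(getprinc_text):
    """Return [(vno, enctype, salt), ...] in the order getprinc listed them."""
    keys = []
    for line in getprinc_text.splitlines():
        line = line.strip()
        if not line.startswith("Key: vno "):
            continue
        vno, _, rest = line[len("Key: vno "):].partition(", ")
        enctype, _, salt = rest.rpartition(", ")
        if not enctype:              # line carried no salt field
            enctype, salt = salt, "no salt"
        keys.append((int(vno), enctype.strip(), salt.strip()))
    return keys

def compare(keys_a, keys_b):
    """Compare enctype/salt pairs between the two realms' copies of the principal."""
    pairs_a = [(e, s) for _, e, s in keys_a]
    pairs_b = [(e, s) for _, e, s in keys_b]
    return {
        "only_in_a": [p for p in pairs_a if p not in pairs_b],
        "only_in_b": [p for p in pairs_b if p not in pairs_a],
        "same_order": pairs_a == pairs_b,
    }

if __name__ == "__main__":
    result = compare(parse_keys(REALM_A), parse_keys(REALM_B))
    for side in ("only_in_a", "only_in_b"):
        for enctype, salt in result[side]:
            print(f"{side}: {enctype} / {salt}")
    print("identical lists, same order:", result["same_order"])
```
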