cross realm : decrypt integrity check failed

Dave Botsch botsch at cnf.cornell.edu
Wed Nov 8 15:00:38 EST 2006


On Wed, Nov 08, 2006 at 02:54:38PM -0500, Ken Hornstein wrote:
> >So, I know I've got the right password... I can manually kinit
> >krbtgt/realmB@realmA using the supplied cross-realm password -- that works
> 
> Okay ... but unless you did some magic, you weren't sending that request
> to realm B, you only sent that to realm A.

Right. I've been trying to figure out if there's a way to do this kinit to
realmB with some sort of magic, but no luck so far. It would certainly be a
useful test.

> 
> 
> Okay, one other thing comes to mind.  Is it possible that the default
> key _salts_ are different between the two realms?  Do a getprinc on both
> principals in both realms, and make sure the key salts (listed in the enctypes
> after every key) are the same.  The keys should also be in the same order
> (although I don't remember if mis-ordering results in this error).  When
> I create cross-realm keys, I specify the enctype:salt pairs manually so
> they will match and have the correct ordering.
> 

I believe they match... well, one of them does at any rate. If I understand
things, on realmA, it's set up with just one enc/salt type where I've got three
on this end. One of those three is the one. I've tried recreating the principal
with just the one and no luck.


> --Ken

-- 
********************************
David William Botsch
Programmer/Analyst
CNF Computing
botsch at cnf.cornell.edu
********************************
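
The getprinc comparison suggested in the quoted reply can be scripted. The following is an added example, not code from either poster or from the Kerberos distribution. It assumes getprinc key lines of the form "Key: vno <n>, <enctype>, <salt>"; the realm names and both sample outputs are constructed.

```python
import re

# Assumed line shape in kadmin getprinc output: "Key: vno <n>, <enctype>, <salt>"
KEY_LINE = re.compile(r"^Key:\s+vno\s+\d+,\s+(.+),\s+([^,]+)$")

# Constructed sample output for the same cross-realm principal in each realm.
REALM_A = """Principal: krbtgt/REALMB@REALMA
Number of keys: 1
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
"""
REALM_B = """Principal: krbtgt/REALMB@REALMA
Number of keys: 3
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with CRC-32, Version 4
"""

def key_pairs(getprinc_text):
    """Return the (enctype, salt) pairs in the order getprinc lists them."""
    pairs = []
    for line in getprinc_text.splitlines():
        m = KEY_LINE.match(line.strip())
        if m:
            pairs.append((m.group(1).strip(), m.group(2).strip()))
    return pairs

def compare_realms(text_a, text_b):
    """Compare the key list of one principal as stored in two realms."""
    a, b = key_pairs(text_a), key_pairs(text_b)
    common = [p for p in a if p in b]
    shared_enctypes = {e for e, _ in a} & {e for e, _ in b}
    return {
        "identical": a == b,
        "common": common,
        "only_in_a": [p for p in a if p not in b],
        "only_in_b": [p for p in b if p not in a],
        # Same enctype on both sides, but never with a matching salt.
        "salt_mismatch": sorted(shared_enctypes - {e for e, _ in common}),
        # Do the shared pairs appear in the same relative order?
        "same_order": common == [p for p in b if p in a],
    }

if __name__ == "__main__":
    for name, value in compare_realms(REALM_A, REALM_B).items():
        print(f"{name}: {value}")
```
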


