cross realm : decrypt integrity check failed

Dave Botsch botsch at cnf.cornell.edu
Wed Nov 8 15:21:38 EST 2006


Well.. we seem to have got it working.

What did we do differently? Two things...

1. changed the order of the supported enctypes in kdc.conf so that the one being used in both places is listed first.
2. recreated the principal with -e to specify only the enctype being used in both places (doing 2 by itself before had not fixed the issue).

From my understanding of Kerberos, this should not matter... interesting.

On Wed, Nov 08, 2006 at 03:00:38PM -0500, Dave Botsch wrote:
> On Wed, Nov 08, 2006 at 02:54:38PM -0500, Ken Hornstein wrote:
> > >So, I know I've got the right password... I can manually kinit
> > >krbtgt/realmB at realmA using the supplied cross-realm password -- that works
> > 
> > Okay ... but unless you did some magic, you weren't sending that request
> > to realm B, you only sent that to realm A.
> 
> Right. I've been trying to figure out if there's a way to do this kinit to
> realmB with some sort of magic, but no luck so far. It would certainly be a
> useful test.
> 
> > 
> > 
> > Okay, one other thing comes to mind.  Is it possible that the default
> > key _salts_ are different between the two realms?  Do a getprinc on both
> > principals in both realms, and make sure the key salts (listed in the enctypes
> > after every key) are the same.  The keys should also be in the same order
> > (although I don't remember if mis-ordering results in this error).  When
> > I create cross-realm keys, I specify the enctype:salt pairs manually so
> > they will match and have the correct ordering.
> > 
> 
> I believe they match... well, one of them does at any rate. If I understand
> things, on realmA, it's set up with just one enc/salt type where I've got three
> on this end. One of those three is the one. I've tried recreating the principal
> with just the one and no luck.
> 
> 
> > --Ken
> 
> -- 
> ********************************
> David William Botsch
> Programmer/Analyst
> CNF Computing
> botsch at cnf.cornell.edu
> ********************************
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 
********************************
David William Botsch
Programmer/Analyst
CNF Computing
botsch at cnf.cornell.edu
********************************
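
Ken's suggestion to compare the enctype and salt of every key, and their order, on both sides of the trust, as an added example that is not part of the original thread. It assumes `getprinc` output in the older `Key: vno N, <enctype>, <salt>` line format; the two sample outputs and the function names are constructed for illustration.

```python
import re

# Assumed line format (older kadmin getprinc): "Key: vno N, <enctype>, <salt>"
KEY_LINE = re.compile(r"^Key: vno (\d+), (.+), (.+)$")

# Constructed sample output for the cross-realm principal, not from the thread.
REALM_A = """\
Principal: krbtgt/REALMB@REALMA
Number of keys: 1
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
"""
REALM_B = """\
Principal: krbtgt/REALMB@REALMA
Number of keys: 3
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, Version 4
"""

def parse_keys(text):
    """Return the keys in listed order as (kvno, enctype, salt) tuples."""
    keys = []
    for line in text.splitlines():
        m = KEY_LINE.match(line.strip())
        if m:
            keys.append((int(m.group(1)), m.group(2).strip(), m.group(3).strip()))
    return keys

def compare_realms(text_a, text_b):
    """List the differences between the key sets held by the two KDCs."""
    a, b = parse_keys(text_a), parse_keys(text_b)
    findings = []
    if not any(k in b for k in a):
        findings.append("no key with the same kvno, enctype and salt on both sides")
    findings += [f"only in realm A: {k}" for k in a if k not in b]
    findings += [f"only in realm B: {k}" for k in b if k not in a]
    if a and b and a[0] != b[0]:
        findings.append(f"first-listed key differs: A={a[0]} B={b[0]}")
    return findings

if __name__ == "__main__":
    for finding in compare_realms(REALM_A, REALM_B):
        print(finding)
```

An empty result means both KDCs hold the same keys in the same order; any finding points at the principal to recreate with an explicit enctype:salt list.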


