cross realm : decrypt integrity check failed

Douglas E. Engert deengert at anl.gov
Wed Nov 8 15:35:12 EST 2006


The normal salt uses the realm and principal components, so in realmA the salt
is realmAkrbtgtrealmB and in realmB the salt is realmBkrbtgtrealmA. You need to
create them without a salt or the same salt.

With the Heimdal kadmin you can add a principal with -key DES-key in hex,
which avoids the salt issues.



Dave Botsch wrote:

> On Wed, Nov 08, 2006 at 02:54:38PM -0500, Ken Hornstein wrote:
> 
>>>So, I know I've got the right password... I can manually kinit
>>>krbtgt/realmB at realmA using the supplied cross-realm password -- that works
>>
>>Okay ... but unless you did some magic, you weren't sending that request
>>to realm B, you only sent that to realm A.
> 
> 
> Right. I've been trying to figure out if there's a way to do this kinit to
> realmB with some sort of magic, but no luck so far. It would certainly be a
> useful test.
> 
> 
>>
>>Okay, one other thing comes to mind.  Is it possible that the default
>>key _salts_ are different between the two realms?  Do a getprinc on both
>>principals in both realms, and make sure the key salts (listed in the enctypes
>>after every key) are the same.  The keys should also be in the same order
>>(although I don't remember if mis-ordering results in this error).  When
>>I create cross-realm keys, I specify the enctype:salt pairs manually so
>>they will match and have the correct ordering.
>>
> 
> 
> I believe they match... well, one of them does at any rate. If I understand
> things, on realmA, it's set up with just one enc/salt type where I've got three
> on this end. One of those three is the one. I've tried recreating the principal
> with just the one and no luck.
> 
> 
> 
>>--Ken
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444


