krb5_get_init_creds_password: Decrypt integrity check failed (KRB5 Debugging on Ubuntu Linux)

Traiano Welcome Traiano.Welcome at mtnbusiness.co.za
Mon Apr 11 06:59:16 EDT 2011 

Hi List

I'm trying to configure a (Ubuntu/Debian) Linux server as a kerberos client with our current kerberos infrastructure. I would like users to authenticate ssh logins to the system  using kerberos, and so I'm using the pam_krb5 pam module. However, Krb5 authentication fails with the following significant error when I attempt ssh to the server:

"krb5_get_init_creds_password: Decrypt integrity check failed"

I've carefully confirmed the host principal on my KDC and krberos master, and triple-checked the krb5.conf and krb5.keytab, and connectivity between the client and the KDC, as well as ntp time synchronisation between all the systems involved. My question is:  Is there some way I can debug  this to a deeper level in order to pinpoint exactly why "Decrypt integrity check failed" ... I've tried sniffing packets during the communications between the client and the master kdc, unfortunately, the contents are largely encrypted, so I can't find any further data. Also, I've searched for more detailed debugging options for pam_krb5, ut it doesn't look like any exist ... the krb5kdc.log doesn't seem to offer more detailed information either ...

The full pam_krb5 debug  trace is as follows:

---
Apr 11 11:54:32 linux-server01 sshd[16073]: pam_krb5(sshd:setcred): pam_sm_setcred: entry (0x4)
Apr 11 11:54:32 linux-server01 sshd[16073]: pam_krb5(sshd:setcred): pam_sm_setcred: exit (success)
Apr 11 11:54:41 linux-server01 sshd[16160]: pam_krb5(sshd:auth): pam_sm_authenticate: entry (0x1)
Apr 11 11:54:41 linux-server01 sshd[16160]: pam_krb5(sshd:auth): (user bobjones) attempting authentication as bobjones at EVASIVE.ORG.ZA
Apr 11 11:54:41 linux-server01 sshd[16160]: pam_krb5(sshd:auth): (user bobjones) krb5_get_init_creds_password: Decrypt integrity check failed
Apr 11 11:54:41 linux-server01 sshd[16160]: pam_krb5(sshd:auth): authentication failure; logname=bobjones uid=0 euid=0 tty=ssh ruser= rhost=marvel.ops.evasive.org.za
Apr 11 11:54:41 linux-server01 sshd[16160]: pam_krb5(sshd:auth): pam_sm_authenticate: exit (failure)
---

Many thanks in Advance,
Traiano Welcome

More information about the Kerberos mailing list