krb5_get_init_creds_password: Decrypt integrity check failed (KRB5 Debugging on Ubuntu Linux)

Traiano Welcome Traiano.Welcome at mtnbusiness.co.za
Tue Apr 12 03:50:00 EDT 2011


Thanks, Russ, and Brian.  (forgive top-posting, handicapped client :-P )

I'm now able to ssh as root to the system, after kinit, and it seems to accept my credentials. The only thing I changed was the permissions on the krb5.keytab file (from owner read/write only, to owner and group read). I issued a kdestroy, on the suspicion that cached credentials from previous keytabs may be the issue, but I doubt that's what resolved it.

Prior to getting this working, I was able to kinit on this system, and successfully obtain a krb5 ticket from the master kdc after providing my kerberos password, which I found rather odd.
 


________________________________________
From: Russ Allbery [rra at stanford.edu]
Sent: Monday, April 11, 2011 9:56 PM
To: Traiano Welcome
Cc: kerberos at mit.edu
Subject: Re: krb5_get_init_creds_password: Decrypt integrity check failed (KRB5 Debugging on Ubuntu Linux)

Traiano Welcome <Traiano.Welcome at mtnbusiness.co.za> writes:

> I'm trying to configure a (Ubuntu/Debian) Linux server as a kerberos
> client with our current kerberos infrastructure. I would like users to
> authenticate ssh logins to the system using kerberos, and so I'm using
> the pam_krb5 pam module. However, Krb5 authentication fails with the
> following significant error when I attempt ssh to the server:

> "krb5_get_init_creds_password: Decrypt integrity check failed"

Brian's reply is correct if you have a GSSAPI-enabled ssh client.  I also
wanted to add, though, that the above error message is Kerberos's way of
saying "password incorrect."

> I've carefully confirmed the host principal on my KDC and kerberos
> master, and triple-checked the krb5.conf and krb5.keytab, and
> connectivity between the client and the KDC, as well as ntp time
> synchronisation between all the systems involved.

The problem isn't with your local keytab.  If it were a keytab problem, it
would be an error in verify_init_creds, not get_init_creds.  A failure at
get_init_creds indicates that the password didn't decrypt the reply from
the KDC.

> Also, I've searched for more detailed debugging options for pam_krb5, but
> it doesn't look like any exist ...

You've got all the information that pam_krb5 has.  It did a password
authentication, and the key formed from the password didn't decrypt the
KDC reply.  There isn't much else it can tell you.

> the krb5kdc.log doesn't seem to offer more detailed information either

I think you should see a failed authentication error on the KDC side, but
it isn't likely to offer any more information.

Have you tried running kinit as that user (with the principal name exactly
the same as what's in the debug log) on the host you're trying to log on
to and confirmed that password does work?

> Apr 11 11:54:41 linux-server01 sshd[16160]: pam_krb5(sshd:auth): (user bobjones) attempting authentication as bobjones at EVASIVE.ORG.ZA
> Apr 11 11:54:41 linux-server01 sshd[16160]: pam_krb5(sshd:auth): (user bobjones) krb5_get_init_creds_password: Decrypt integrity check failed

--
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
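The two failure stages Russ distinguishes above (get_init_creds versus verify_init_creds) and the keytab permission change that resolved the original post, as an added example that is not part of the thread or of pam_krb5: it parses the pam_krb5 syslog line into its fields, maps the failing libkrb5 call to what to check next, and models whether a non-root process can read the keytab under the old (0600) and new (0640) modes. The uid 4242 and the placeholder keytab file are constructed for the example.

```python
import os
import re
import stat
import tempfile

# Constructed sample, modelled on the pam_krb5 syslog line quoted in the thread.
SAMPLE_LINE = ("Apr 11 11:54:41 linux-server01 sshd[16160]: pam_krb5(sshd:auth): "
               "(user bobjones) krb5_get_init_creds_password: Decrypt integrity check failed")

PAM_KRB5_RE = re.compile(
    r"pam_krb5\((?P<service>[^:]+):\w+\): \(user (?P<user>\S+)\) "
    r"(?P<func>krb5_\w+): (?P<error>.+)$")

# Which stage a failing libkrb5 call points at, following the reasoning in the reply:
# get_init_creds means the password-derived key did not decrypt the KDC reply;
# verify_init_creds means the TGT could not be checked against the local host keytab.
STAGE_HINTS = {
    "krb5_get_init_creds_password": "password/KDC reply: kinit as that exact principal",
    "krb5_verify_init_creds": "host keytab: check its principal, kvno and readability",
}

def classify_pam_krb5_line(line):
    """Parse one pam_krb5 failure line; returns None for lines that are not failures."""
    m = PAM_KRB5_RE.search(line)
    if not m:
        return None
    return {"service": m.group("service"), "user": m.group("user"),
            "func": m.group("func"), "error": m.group("error"),
            "stage": STAGE_HINTS.get(m.group("func"), "unknown")}

def keytab_readable_by(path, uid, gids):
    """Model Unix mode-bit checks for a non-root process (uid, supplementary gids)."""
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)

def group_read_fixes_it():
    """Compare the 0600 keytab the thread started with against the 0640 fix, for a
    non-owner process in the keytab's group (placeholder file, not a real keytab)."""
    results = {}
    for mode in (0o600, 0o640):
        fd, path = tempfile.mkstemp(prefix="krb5.keytab.")
        os.close(fd)
        os.chmod(path, mode)
        results[mode] = keytab_readable_by(path, 4242, {os.stat(path).st_gid})
        os.unlink(path)
    return results
```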
