Problems with kinit invocations

Greg Hudson ghudson at
Wed Mar 28 23:47:29 EDT 2018

On 03/27/2018 02:33 PM, Jonathan Maron wrote:
> I’ve noticed that the kinit failures correlate to situations in which
> TCP fails and UDP is used.  In every case when the client waits a second
> and switches to UDP the kinit invocation fails.  Does this ring any bells?

The successful trace log from the original message also showed a
fallback to UDP.

Ignoring that, I don't see how the transport would be relevant, unless
the UDP port were being served by a different KDC process with a
slightly different database.

> Could the error processing be related to the decrypt integrity check failure noted in the server log?

"preauth (encrypted_timestamp) verify failure: Decrypt integrity check
failed" is the expected message when encrypted timestamp is tried with
the wrong key (typically due to the wrong password being entered).
(More recent versions of the KDC would say "Preauthentication failed"
instead.)  I don't know why that's happening, since the same key was
used in the successful and unsuccessful trace logs.  But it also doesn't
account for the weird error processing in the client trace log.
