Decrypt integrity check failed while getting initial ticket

Stephen Carville (Kerberos List) b44261a2 at
Mon Dec 9 18:31:03 EST 2019

On 12/9/19 1:56 PM, Greg Hudson [Masked] wrote:
> On 12/9/19 1:04 PM, Stephen Carville (Kerberos List) wrote:
>> Recently I migrated the kerberos master and one slave to another
>> location using tool called "Zerto".  Perhaps coincidentally, replication
>> broke with the above error message. I checked that DNS A and PTR records
>> for all the servers are correct.  I can get a ticket using kinit (kinit
>> -k host/<hostname>). I finally recreated the keytab file
>> (/etc/krb5.keytab) and propagated it to the other three servers.  Still
>> no replication.
> I suggest running "KRB5_TRACE=/dev/stdout kprop ..." to get a better
> idea of what ticket it's trying to get.  It should be doing something
> similar to "kinit -k host/hostname", but if you've just migrated hosts,
> there could be a difference in the canonical hostname as it appears to
> libkrb5.

That helped... Thank you.

The trace revealed that the master server was checking one of the slave 
servers. Since it was not updated with the new keys, the authentication 

[13734] 1575929629.412353: Initializing MEMORY:_kproptkt with default princ host/ at TOTALFLOOD.COM
[13734] 1575929629.413138: Getting initial credentials for 
[13734] 1575929629.413497: Setting initial creds service to 
[13734] 1575929629.413565: Sending request (228 bytes) to TOTALFLOOD.COM
[13734] 1575929629.413809: Resolving hostname
[13734] 1575929629.414318: Sending initial UDP request to dgram
[13734] 1575929629.415194: Received answer from dgram
[13734] 1575929629.415261: Response was not from master KDC
[13734] 1575929629.415349: Processing preauth types: 19
[13734] 1575929629.415380: Selected etype info: etype aes256-cts, salt "(null)", params ""
[13734] 1575929629.415391: Produced preauth for next request: (empty)
[13734] 1575929629.415403: Salt derived from principal:
[13734] 1575929629.415413: Getting AS key, salt "", params ""
[13734] 1575929629.415596: Retrieving host/ at TOTALFLOOD.COM from FILE:/etc/krb5.keytab (vno 0, enctype aes256-cts) with result: 0/Success
[13734] 1575929629.415629: AS key obtained from gak_fct: aes256-cts/6FC7
/usr/sbin/kprop: Decrypt integrity check failed while getting initial ticket

I had the realm defined thusly:

   kdc =

   admin_server =
   master_kdc =
  } is a CNAME record for is a CNAME record for

I changed the kdc line to "kdc =" and the 
propagation succeeded.

I then changed it back and all is good again.
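The trace above carries everything needed for the diagnosis: which principal kprop is obtaining credentials for, which keytab and enctype supplied the key, whether the AS-REP came from the master KDC or a replica, and the final error. The following is an added example, not code from the original post or from MIT krb5: a small Python triage helper that parses KRB5_TRACE output in that shape and reports the findings a practitioner would check before touching the realm configuration. The sample trace lines are constructed for the example (placeholder hostnames and documentation-range addresses) and modelled on the lines in the post.

```python
"""Triage helper for KRB5_TRACE output from an AS exchange (e.g. kprop, kinit -k).

Added example, not part of the mailing-list post or of MIT krb5. The trace
text below is constructed: hostnames and addresses are placeholders.
"""
import re

# Constructed sample modelled on the post: keytab key accepted locally, but the
# AS-REP (answered by a replica, not master_kdc) cannot be decrypted with it.
SAMPLE_TRACE = """\
[13734] 1575929629.412353: Initializing MEMORY:_kproptkt with default princ host/kdc1.example.test@EXAMPLE.TEST
[13734] 1575929629.413138: Getting initial credentials for host/kdc1.example.test@EXAMPLE.TEST
[13734] 1575929629.413565: Sending request (228 bytes) to EXAMPLE.TEST
[13734] 1575929629.413809: Resolving hostname kdc.example.test
[13734] 1575929629.414318: Sending initial UDP request to dgram 192.0.2.20:88
[13734] 1575929629.415194: Received answer from dgram 192.0.2.20:88
[13734] 1575929629.415261: Response was not from master KDC
[13734] 1575929629.415349: Processing preauth types: 19
[13734] 1575929629.415380: Selected etype info: etype aes256-cts, salt "(null)", params ""
[13734] 1575929629.415596: Retrieving host/kdc1.example.test@EXAMPLE.TEST from FILE:/etc/krb5.keytab (vno 0, enctype aes256-cts) with result: 0/Success
[13734] 1575929629.415629: AS key obtained from gak_fct: aes256-cts/6FC7
/usr/sbin/kprop: Decrypt integrity check failed while getting initial ticket
"""

# Constructed healthy counterpart: answered by the master, no error line.
HEALTHY_TRACE = """\
[13800] 1575930000.100000: Getting initial credentials for host/kdc1.example.test@EXAMPLE.TEST
[13800] 1575930000.200000: Received answer from dgram 192.0.2.10:88
[13800] 1575930000.300000: Retrieving host/kdc1.example.test@EXAMPLE.TEST from FILE:/etc/krb5.keytab (vno 0, enctype aes256-cts) with result: 0/Success
"""

RETRIEVING = re.compile(
    r"Retrieving (\S+) from (\S+) \(vno (\d+), enctype (\S+)\) with result: (\S+)")
FINAL_ERROR = re.compile(r"^\S+: (.+ while getting initial ticket)$")


def parse_trace(text):
    """Extract the facts relevant to a keytab-based AS exchange from trace text."""
    info = {"principal": None, "keytab": None, "kvno": None, "enctype": None,
            "keytab_result": None, "kdc": None, "from_master": True, "error": None}
    for line in text.splitlines():
        m = re.search(r"Getting initial credentials for (\S+)", line)
        if m:
            info["principal"] = m.group(1)
            continue
        m = re.search(r"Received answer from dgram (\S+)", line)
        if m:
            info["kdc"] = m.group(1)  # the KDC that actually answered
            continue
        if "Response was not from master KDC" in line:
            info["from_master"] = False
            continue
        m = RETRIEVING.search(line)
        if m:
            info["keytab"] = m.group(2)
            info["kvno"] = int(m.group(3))  # 0 means "any version" was requested
            info["enctype"] = m.group(4)
            info["keytab_result"] = m.group(5)
            continue
        m = FINAL_ERROR.match(line)
        if m:
            info["error"] = m.group(1)
    return info


def diagnose(info):
    """Turn parsed facts into findings; an empty list means nothing to report."""
    findings = []
    if info["error"] and "Decrypt integrity check failed" in info["error"]:
        findings.append(
            "Key mismatch: the AS-REP could not be decrypted with the %s key read from %s, "
            "so the KDC that answered holds a different key (or kvno/salt) for %s than the keytab."
            % (info["enctype"], info["keytab"], info["principal"]))
        if not info["from_master"]:
            findings.append(
                "The reply came from a replica (%s), not master_kdc. After re-creating the keytab, "
                "a replica whose database has not received the new key will fail exactly like this; "
                "retry against the master and then repair propagation." % info["kdc"])
        if info["kvno"] == 0:
            findings.append(
                "Keytab lookup requested kvno 0 (any version); compare the kvno shown by "
                "'klist -kte %s' with the principal's kvno on the KDC." % info["keytab"])
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_trace(SAMPLE_TRACE)):
        print("-", finding)
```

Feeding the real trace in is a matter of `KRB5_TRACE=/dev/stdout kprop ... | python3 triage.py` with `parse_trace(sys.stdin.read())` in place of the constructed sample; the point of the helper is that it separates "the keytab key was read fine" (the `0/Success` on the Retrieving line) from "the KDC that answered disagrees with that key", which is what distinguishes a stale replica from a broken keytab.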

