kprop: Decrypt integrity check failed while getting initial credentials

Greg Hudson ghudson at mit.edu
Sun May 19 10:27:31 EDT 2019


On 5/19/19 5:05 AM, Laura Smith wrote:
> I am getting the somewhat obscure error message "kprop: Decrypt integrity check failed while getting initial credentials" when attempting to set up a slave.
[...]
> I have also noted that "tcpdump -npi eth0 dst port 754" on the slave shows no traffic being sent when kprop is called on the master? So it seems this "decrypt integrity check" thing is something local on the master?

Yes, it's local on the master KDC.  kprop begins by getting Kerberos
credentials for the host principal of the replica KDC, and this step is
failing.  You can simulate this step with "kinit -k host/replica.name"
to try to isolate the problem.

I can't think of any simple way to get mismatched keys between the
master KDC's keytab and its own Kerberos database.  Check that kinit (or
kprop, if you can't reproduce the problem with kinit) is talking to the
master KDC and not some other KDC--you can do this with
"KRB5_TRACE=/dev/stdout kinit ...".


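Added example, not part of the original message: a shell helper for the KRB5_TRACE check suggested above, which reads a trace and reports whether the replies came from the expected master KDC address. The trace text, addresses and function names are constructed for illustration, and trace wording can differ between MIT krb5 releases.

```shell
#!/bin/sh
# Added example: list the KDC endpoints a KRB5_TRACE log shows replies from,
# and flag any that is not the expected master KDC address.

# Constructed sample trace (documentation addresses; wording modelled on
# MIT krb5 trace output and may differ between releases).
SAMPLE_TRACE='[4242] 1558276051.100001: Getting initial credentials for host/replica.name@EXAMPLE.COM
[4242] 1558276051.100002: Sending request (190 bytes) to EXAMPLE.COM
[4242] 1558276051.100003: Resolving hostname kdc2.example.com
[4242] 1558276051.100004: Sending initial UDP request to dgram 192.0.2.20:88
[4242] 1558276051.100005: Received answer (210 bytes) from dgram 192.0.2.20:88
[4242] 1558276051.100006: Response was not from master KDC'

# answering_kdcs: read a trace on stdin, print each distinct host:port
# that a reply was received from, one per line.
answering_kdcs() {
    awk '/Received answer/ { ep = $NF; if (!(ep in seen)) { seen[ep] = 1; print ep } }'
}

# check_master EXPECTED_IP: read a trace on stdin; return 0 if every reply
# came from EXPECTED_IP, 1 if some other KDC answered, 2 if no reply seen.
# Assumes IPv4 "address:port" endpoints.
check_master() {
    expected=$1
    endpoints=$(answering_kdcs)
    [ -n "$endpoints" ] || { echo "no KDC reply found in trace"; return 2; }
    result=0
    for ep in $endpoints; do
        ip=${ep%:*}
        if [ "$ip" = "$expected" ]; then
            echo "OK: reply from $ep"
        else
            echo "MISMATCH: reply from $ep, expected $expected"
            result=1
        fi
    done
    return $result
}

# Demo on the constructed trace; on a real master, pipe in the live trace:
#   KRB5_TRACE=/dev/stdout kinit -k host/replica.name 2>&1 | check_master 192.0.2.10
printf '%s\n' "$SAMPLE_TRACE" | check_master 192.0.2.10 || true
```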