kprop: Decrypt integrity check failed while getting initial credentials

Greg Hudson ghudson at mit.edu
Sun May 19 10:36:36 EDT 2019


On 5/19/19 10:27 AM, Greg Hudson wrote:
> Yes, it's local on the master KDC.  kprop begins by getting Kerberos
> credentials for the host principal of the replica KDC, and this step is
> failing.  You can simulate this step with "kinit -k host/replica.name"
> to try to isolate the problem.

Apologies; that wasn't correct.  I should have said:

kprop begins by getting Kerberos credentials for
host/master.kdc.name@REALM to host/replica.kdc.name@REALM.  You can
simulate this step with:

  kinit -k -S host/replica.kdc.name host/master.kdc.name

Each KDC should only have its own host principal in its keytab file.  If
you extracted the host principal for host/master.kdc.name on the replica
KDC (therefore incrementing the key version of host/master.kdc.name and
invalidating the master KDC's keytab file), that might account for the
error.
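
The stale-keytab condition described in the message above can be checked by comparing key version numbers, shown here as an added example that is not part of the original post. It parses the output of `klist -k` and `kadmin.local -q "getprinc ..."`; the function names, the keytab path and the sample outputs are constructed for illustration.

```sh
#!/bin/sh
# Added example: compare a host principal's kvno in the keytab with the KDC's.
# Live inputs (assumed default path):
#   klist -k /etc/krb5.keytab
#   kadmin.local -q "getprinc host/master.kdc.name"

# Highest kvno for principal $1 in `klist -k` output read from stdin.
keytab_kvno() {
    awk -v p="$1" '
        $2 == p && $1 ~ /^[0-9]+$/ { if (!found || $1 + 0 > max) max = $1 + 0; found = 1 }
        END { if (found) print max; else exit 1 }'
}

# Highest kvno in `getprinc` output read from stdin ("Key: vno N, enctype").
kdb_kvno() {
    awk '
        $1 == "Key:" && $2 == "vno" {
            v = $3; sub(/,.*/, "", v)
            if (!found || v + 0 > max) max = v + 0; found = 1 }
        END { if (found) print max; else exit 1 }'
}

# $1 principal, $2 klist -k text, $3 getprinc text.
# Returns 0 if the keytab holds the current key, 1 if stale, 2 if data is missing.
check_kvno() {
    kt=$(printf '%s\n' "$2" | keytab_kvno "$1") || { echo "$1: not in keytab"; return 2; }
    db=$(printf '%s\n' "$3" | kdb_kvno) || { echo "$1: no keys in KDC output"; return 2; }
    if [ "$kt" -eq "$db" ]; then
        echo "$1: keytab kvno $kt matches KDC"
    else
        echo "$1: keytab kvno $kt, KDC kvno $db (stale keytab)"
        return 1
    fi
}

# Constructed sample: the master's keytab still holds kvno 2 after the
# principal was re-extracted elsewhere, which bumped the KDC copy to kvno 3.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/master.kdc.name@REALM
   2 host/master.kdc.name@REALM'
SAMPLE_GETPRINC='Principal: host/master.kdc.name@REALM
Number of keys: 2
Key: vno 3, aes256-cts-hmac-sha1-96
Key: vno 3, aes128-cts-hmac-sha1-96'

check_kvno host/master.kdc.name@REALM "$SAMPLE_KLIST" "$SAMPLE_GETPRINC" || true
```

On a live master KDC, pass the real command output in place of the two sample variables.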

