kprop: Decrypt integrity check failed while getting initial credentials
Greg Hudson
ghudson at mit.edu
Sun May 19 10:36:36 EDT 2019
On 5/19/19 10:27 AM, Greg Hudson wrote:
> Yes, it's local on the master KDC. kprop begins by getting Kerberos
> credentials for the host principal of the replica KDC, and this step is
> failing. You can simulate this step with "kinit -k host/replica.name"
> to try to isolate the problem.
Apologies; that wasn't correct. I should have said:

kprop begins by getting Kerberos credentials for
host/master.kdc.name@REALM to host/replica.kdc.name@REALM. You can
simulate this step with:

    kinit -k -S host/replica.kdc.name host/master.kdc.name

Each KDC should only have its own host principal in its keytab file. If
you extracted the host principal for host/master.kdc.name on the replica
KDC (therefore incrementing the key version of host/master.kdc.name and
invalidating the master KDC's keytab file), that might account for the
error.
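
One way to check for the key-version mismatch described above, as an added example that is not part of the original message: it compares the kvno listed in the master KDC's keytab with the kvno the KDC database reports for the same principal. The function names and the sample listings are constructed for illustration; it assumes plain `klist -k` output and the "Key: vno N, enctype" lines printed by `getprinc`.

```shell
#!/bin/sh
# Added example (not from the original message): detect a stale keytab entry.

# Highest kvno listed for principal $1 in `klist -k` output read from stdin.
keytab_kvno() {
    awk -v p="$1" '$2 == p && $1 + 0 > max { max = $1 + 0 } END { print max + 0 }'
}

# Highest kvno in `getprinc` output read from stdin
# (lines of the form "Key: vno 3, aes256-cts-hmac-sha1-96").
kdb_kvno() {
    awk '$1 == "Key:" && $2 == "vno" { v = $3 + 0; if (v > max) max = v }
         END { print max + 0 }'
}

# Prints "match ..." or "stale ..." for principal $1, given the keytab
# listing in $2 and the getprinc output in $3.
compare_kvno() {
    kt=$(printf '%s\n' "$2" | keytab_kvno "$1")
    db=$(printf '%s\n' "$3" | kdb_kvno)
    if [ "$kt" -gt 0 ] && [ "$kt" -eq "$db" ]; then
        echo "match keytab=$kt kdc=$db"
    else
        echo "stale keytab=$kt kdc=$db"
    fi
}

# Constructed sample data: the keytab still holds kvno 2, while the KDC
# database has moved on to kvno 3 after the key was extracted elsewhere.
PRINC='host/master.kdc.name@REALM'
KLIST_SAMPLE='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/master.kdc.name@REALM
   2 host/master.kdc.name@REALM'
GETPRINC_SAMPLE='Principal: host/master.kdc.name@REALM
Number of keys: 2
Key: vno 3, aes256-cts-hmac-sha1-96
Key: vno 3, aes128-cts-hmac-sha1-96'

compare_kvno "$PRINC" "$KLIST_SAMPLE" "$GETPRINC_SAMPLE"

# On a live master KDC the same comparison would be:
#   compare_kvno "$PRINC" "$(klist -k /etc/krb5.keytab)" \
#       "$(kadmin.local -q "getprinc $PRINC")"
```

A "stale" result on the master means its keytab no longer holds the current key for its own host principal.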