KRB5KRB_AP_ERR_BAD_INTEGRITY from krb5_arcfour_decrypt
Jeffrey Altman
jaltman at secure-endpoints.com
Tue Feb 17 09:28:13 EST 2009
Nikhil Mishra wrote:
> Hi All,
>
> This is my setup.
>
> windows XP client
> windows 2003 server AD and KDC .
> Linux FC with MIT kerberos 1.6.3
>
> I generate keytab for SPN using this command :
>
>
> ktpass -princ cifs/cifsserver2@WXYZ.COM -mapuser cifsserver2 -pass rohati123 /ptype KRB5_NT_SRV_INST -setpass -setupn -out cifs.keytab
>
> The user is actually a computer name and not an actual user in the domain (I
> don't know if it affects anything, but just in case).
>
> I want to route my traffic through a Linux box, and I am trying to decrypt
> the AP_REQ using this keytab.
> I looked at kvno and everything else matches, so basically krb_kt_get_entry
> passes.
>
> Why would this fail while decrypting the packet in krb5_decrypt_tkt_part,
> returning KRB5KRB_AP_ERR_BAD_INTEGRITY?
> I have tried debugging it and beyond all reasons I don't find a reason why
>
>
> Any help would be appreciated !!!
>
> Thanks & Regards
>
> Nikhil
Can you verify the keytab with
    kvno -k cifs.keytab cifs/cifsserver2@WXYZ.COM
when the default credential cache contains a TGT in the WXYZ.COM realm?
Are you in fact obtaining a ticket whose service name is "cifs/cifsserver2"?
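
Added example (not part of the original thread, and not MIT krb5 code): a minimal reader for keytab file format 0x0502 that lists each entry's principal, kvno, enctype and key, next to the name/kvno/enctype match that a keytab lookup performs. The key bytes themselves are only exercised at decryption, so a lookup can succeed while the ticket still fails its integrity check. The function names, the kvno 3 and the key in SAMPLE are constructed for illustration.

```python
import struct

def parse_keytab(data):
    """Parse an MIT keytab (file format 0x0502) into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # negative length marks a deleted entry (hole)
            pos += -size
            continue
        rec, off = data[pos:pos + size], 2
        pos += size
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        names = []                    # realm first, then the name components
        for _ in range(ncomp + 1):
            (n,) = struct.unpack_from(">H", rec, off)
            names.append(rec[off + 2:off + 2 + n].decode())
            off += 2 + n
        _ntype, _ts, vno8, etype, klen = struct.unpack_from(">IIBHH", rec, off)
        key = rec[off + 13:off + 13 + klen]
        off += 13 + klen
        kvno = vno8
        if len(rec) - off >= 4:       # optional 32-bit kvno overrides the 8-bit field
            kvno = struct.unpack_from(">I", rec, off)[0] or vno8
        entries.append({"principal": "/".join(names[1:]) + "@" + names[0],
                        "kvno": kvno, "etype": etype, "key": key})
    return entries

def lookup(entries, principal, kvno, etype):
    """Select a key the way a keytab lookup does: by name, kvno and enctype only."""
    return [e for e in entries
            if (e["principal"], e["kvno"], e["etype"]) == (principal, kvno, etype)]

def build_entry(principal, kvno, etype, key):
    """Serialise one entry; used here only to construct the sample keytab."""
    name, realm = principal.split("@")
    parts = [realm] + name.split("/")
    body = struct.pack(">H", len(parts) - 1)
    body += b"".join(struct.pack(">H", len(p)) + p.encode() for p in parts)
    body += struct.pack(">IIBHH", 2, 0, kvno & 0xFF, etype, len(key)) + key
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

# Constructed sample: the page's principal, a made-up kvno and key (enctype 23 = arcfour-hmac).
SAMPLE = b"\x05\x02" + build_entry("cifs/cifsserver2@WXYZ.COM", 3, 23, bytes(range(16)))

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE):
        print(e["principal"], "kvno", e["kvno"], "etype", e["etype"], e["key"].hex())
```

To inspect a real file, pass its bytes to parse_keytab and compare the kvno and enctype with those of the ticket issued by the KDC.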