KRB5KRB_AP_ERR_BAD_INTEGRITY from krb5_arcfour_decrypt

Jeffrey Altman jaltman at
Tue Feb 17 09:28:13 EST 2009

Nikhil Mishra wrote:
> Hi All ,
> This is my setup .
> windows XP client
> windows 2003 server AD and KDC .
> Linux FC with MIT kerberos 1.6.3
> I generate keytab for  SPN using this command  :
> ktpass -princ cifs/cifsserver2 at WXYZ.COM -mapuser cifsserver2 -pass rohati123
> /ptype KRB
> 5_NT_SRV_INST -setpass -setupn -out cifs.keytab
> The user is actually a computer name and not an actual user in domain ( I
> dont know If it effects but Just in case )
> I want to route my traffic through a linux box and I am trying to decrypt
> AP_REQ using this keytab
> I looked at kvno and everything else matches so , basically krb_kt_get_entry
> passes .
> Why would this fail while decrypting the packet in krb5_decrypt_tkt_part
> I have tried debugging it and beyond all reasons I dont find a reason why
> Any help would be appreciated !!!
> Thanks & Regards
> Nikhil

Can you verify the keytab with

  kvno -k cifs.keytab cifs/cifsserver2 at WXYZ.COM

when the default credential cache contains a TGT in the WXYZ.COM realm?

Are you in fact obtaining a ticket whose service name is "cifs/cifsserver2"?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3355 bytes
Desc: S/MIME Cryptographic Signature
Url :

More information about the krbdev mailing list