KRB5KRB_AP_ERR_BAD_INTEGRITY from krb5_arcfour_decrypt
Douglas E. Engert
deengert at anl.gov
Tue Feb 17 10:03:12 EST 2009
Nikhil Mishra wrote:
> Hi All,
>
> This is my setup.
>
> windows XP client
> windows 2003 server AD and KDC .
> Linux FC with MIT kerberos 1.6.3
>
> I generate keytab for SPN using this command :
>
>
> ktpass -princ cifs/cifsserver2 at WXYZ.COM -mapuser cifsserver2 -pass rohati123 /ptype KRB5_NT_SRV_INST -setpass -setupn -out cifs.keytab

What version of ktpass? There were some issues with the 2003 version,
Google for ktpass 2003 to see more.

>
> The user is actually a computer name and not an actual user in domain ( I
> don't know if it affects but just in case )
>
> I want to route my traffic through a linux box and I am trying to decrypt
> AP_REQ using this keytab

What do you mean you are trying to route traffic through the linux box?
You mean the AP_REQ is actually from the XP client to the file server
and you are the man-in-the-middle trying to decrypt it?

But the KDC may be using the actual cifs server key under a different account
with a random password used to generate the key.
You must be careful to change the key in the KDC and on the server to keep them
in sync.

> I looked at kvno and everything else matches so, basically, krb_kt_get_entry
> passes.
>
> Why would this fail while decrypting the packet in krb5_decrypt_tkt_part
> returning KRB5KRB_AP_ERR_BAD_INTEGRITY?
> I have tried debugging it and beyond all reasons I don't find a reason why
>
>
> Any help would be appreciated !!!
>
> Thanks & Regards
>
> Nikhil
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
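
The key-sync point in the reply above, as an added example that is not part of the original thread and not MIT krb5 code: a minimal rc4-hmac (RFC 4757) encrypt/decrypt showing that a keytab key differing from the key the KDC used fails the HMAC check, which is the condition krb5_arcfour_decrypt reports as KRB5KRB_AP_ERR_BAD_INTEGRITY. The two 16-byte keys and the ticket body are constructed stand-ins, and all function names are hypothetical.

```python
import hashlib
import hmac
import os

TICKET_USAGE = 2  # key usage number for a ticket's encrypted part (RFC 4120)

class BadIntegrity(Exception):
    """HMAC mismatch: the analogue of KRB5KRB_AP_ERR_BAD_INTEGRITY."""

def _hmac_md5(key, data):
    return hmac.new(key, data, hashlib.md5).digest()

def _rc4(key, data):
    s, j = list(range(256)), 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:                         # keystream XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def rc4_hmac_encrypt(key, usage, plaintext, confounder=None):
    k1 = _hmac_md5(key, usage.to_bytes(4, "little"))   # usage-specific key
    body = (confounder or os.urandom(8)) + plaintext   # 8-byte confounder first
    checksum = _hmac_md5(k1, body)                     # integrity over plaintext
    return checksum + _rc4(_hmac_md5(k1, checksum), body)

def rc4_hmac_decrypt(key, usage, ciphertext):
    k1 = _hmac_md5(key, usage.to_bytes(4, "little"))
    checksum, enc = ciphertext[:16], ciphertext[16:]
    body = _rc4(_hmac_md5(k1, checksum), enc)
    # A wrong key yields garbage here, so the recomputed HMAC cannot match.
    if not hmac.compare_digest(_hmac_md5(k1, body), checksum):
        raise BadIntegrity("key differs from the one used to encrypt")
    return body[8:]                                    # drop the confounder

if __name__ == "__main__":
    # Constructed keys; real rc4-hmac keys are MD4 of the UTF-16LE password.
    kdc_key = hashlib.md5(b"constructed: key stored in the KDC").digest()
    keytab_key = hashlib.md5(b"constructed: key written by ktpass").digest()
    blob = rc4_hmac_encrypt(kdc_key, TICKET_USAGE, b"constructed ticket body")
    print(rc4_hmac_decrypt(kdc_key, TICKET_USAGE, blob))
    try:
        rc4_hmac_decrypt(keytab_key, TICKET_USAGE, blob)
    except BadIntegrity as exc:
        print("BAD_INTEGRITY:", exc)
```

A matching kvno does not change this outcome: the kvno only selects the keytab entry, while the check above depends on the key bytes themselves.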