KRB5KRB_AP_ERR_BAD_INTEGRITY from krb5_arcfour_decrypt

Douglas E. Engert deengert at
Tue Feb 17 10:03:12 EST 2009

Nikhil Mishra wrote:
> Hi All ,
> This is my setup .
> windows XP client
> windows 2003 server AD and KDC .
> Linux FC with MIT kerberos 1.6.3
> I generate keytab for  SPN using this command  :
> ktpass -princ cifs/cifsserver2 at WXYZ.COM -mapuser cifsserver2 -pass rohati123
> /ptype KRB
> 5_NT_SRV_INST -setpass -setupn -out cifs.keytab

What version of ktpass? There were some issues with the 2003 version,
Google for ktpass 2003 to see more.

> The user is actually a computer name and not an actual user in domain ( I
> dont know If it effects but Just in case )
> I want to route my traffic through a linux box and I am trying to decrypt
> AP_REQ using this keytab

What do you mean you are trying to route traffic through the linux box?
You mean the AP_REQ is actually from the XP client to the file server server
and you are the man-in-the-middle trying to decrypt it?

But the KDC may be using the actual cifs server key under a different account
with a random password used to generate the key.

You must be careful to change the key in the KDC and on the server to keep them
in sync.

> I looked at kvno and everything else matches so , basically krb_kt_get_entry
> passes .

> Why would this fail while decrypting the packet in krb5_decrypt_tkt_part
> I have tried debugging it and beyond all reasons I dont find a reason why
> Any help would be appreciated !!!
> Thanks & Regards
> Nikhil
> _______________________________________________
> krbdev mailing list             krbdev at


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the krbdev mailing list