Decrypt integrity check failed while changing password

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

Decrypt integrity check failed while changing password

Brian Davidson
I had to do a bunch of account cleanups (~35,000 deletions) yesterday.  
Today, I'm getting the message 'change_password: Decrypt integrity
check failed while changing password for "[hidden email]"' when
trying to change a password.  If I create a new principal, I am able to
change it's password.  I'm using kadmin.local -- we don't run kadmind.

Anyone have an idea what I deleted that I shouldn't have?

I didn't delete K/M, or host/*.  I did delete krbtgt/* and kadmin/*,
but I wanted to re-key those anyways (that's my story, and I'm sticking
to it).  I'd clearly like to avoid doing this again in the future...

Thanks,

Brian Davidson
George Mason University

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|

Re: Decrypt integrity check failed while changing password

Ken Hornstein
>I had to do a bunch of account cleanups (~35,000 deletions) yesterday.  
>Today, I'm getting the message 'change_password: Decrypt integrity
>check failed while changing password for "[hidden email]"' when
>trying to change a password.  If I create a new principal, I am able to
>change it's password.  I'm using kadmin.local -- we don't run kadmind.
>
>Anyone have an idea what I deleted that I shouldn't have?

I suspect that since you deleted kadmin/history, you're getting this error
from deep within the kadmin library when it's trying to access the password
history.  That's just a guess, though.  You're getting this message from
kadmin.local, right?

How you recover from this ... well, I have no idea, actually.  Did you
happen to save the old kadmind keytab?

--Ken
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|

Re: Decrypt integrity check failed while changing password

Brian Davidson
Ken,

You, of course, are brilliant.  Setting the history to 1, and then back
up to 10 seems to fix it.  I realize that a side effect of this is that
users can reuse any of their recent password the next time they go to
change their password.

Thanks!

Brian

On Sep 14, 2005, at 1:17 PM, Ken Hornstein wrote:

>> I had to do a bunch of account cleanups (~35,000 deletions) yesterday.
>> Today, I'm getting the message 'change_password: Decrypt integrity
>> check failed while changing password for "[hidden email]"' when
>> trying to change a password.  If I create a new principal, I am able
>> to
>> change it's password.  I'm using kadmin.local -- we don't run kadmind.
>>
>> Anyone have an idea what I deleted that I shouldn't have?
>
> I suspect that since you deleted kadmin/history, you're getting this
> error
> from deep within the kadmin library when it's trying to access the
> password
> history.  That's just a guess, though.  You're getting this message
> from
> kadmin.local, right?
>
> How you recover from this ... well, I have no idea, actually.  Did you
> happen to save the old kadmind keytab?
>
> --Ken
> ________________________________________________
> Kerberos mailing list           [hidden email]
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos