kprop: Decrypt integrity check failed while getting initial credentials


kprop: Decrypt integrity check failed while getting initial credentials

Laura Smith
Hi,

I am getting the somewhat obscure error message "kprop: Decrypt integrity check failed while getting initial credentials" when attempting to set up a slave.

I have followed the instructions in the docs to the letter.

I am aware of a previous posting to the list (http://kerberos.996246.n3.nabble.com/Decrypt-integrity-check-failed-td14510.html) which suggested that keytab key version mismatches were to blame. However ktadd on my system appears to increment the relevant key versions each time you call it (the docs seem to suggest this is expected). So in order to comply with the purported key version, I scp'd the keytab from master to slave. But that made no difference.

I have also noted that "tcpdump -npi eth0 dst port 754" on the slave shows no traffic being sent when kprop is called on the master? So it seems this "decrypt integrity check" thing is something local on the master?

I'm dazed and confused!

Laura


________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: kprop: Decrypt integrity check failed while getting initial credentials

Greg Hudson
On 5/19/19 5:05 AM, Laura Smith wrote:
> I am getting the somewhat obscure error message "kprop: Decrypt integrity check failed while getting initial credentials" when attempting to set up a slave.
[...]
> I have also noted that "tcpdump -npi eth0 dst port 754" on the slave shows no traffic being sent when kprop is called on the master? So it seems this "decrypt integrity check" thing is something local on the master?

Yes, it's local on the master KDC.  kprop begins by getting Kerberos
credentials for the host principal of the replica KDC, and this step is
failing.  You can simulate this step with "kinit -k host/replica.name"
to try to isolate the problem.

I can't think of any simple way to get mismatched keys between the
master KDC's keytab and its own Kerberos database.  Check that kinit (or
kprop, if you can't reproduce the problem with kinit) is talking to the
master KDC and not some other KDC--you can do this with
"KRB5_TRACE=/dev/stdout kinit ...".

Re: kprop: Decrypt integrity check failed while getting initial credentials

Greg Hudson
On 5/19/19 10:27 AM, Greg Hudson wrote:
> Yes, it's local on the master KDC.  kprop begins by getting Kerberos
> credentials for the host principal of the replica KDC, and this step is
> failing.  You can simulate this step with "kinit -k host/replica.name"
> to try to isolate the problem.

Apologies; that wasn't correct.  I should have said:

kprop begins by getting Kerberos credentials for
host/master.kdc.name@REALM to host/replica.kdc.name@REALM.  You can
simulate this step with:

  kinit -k -S host/replica.kdc.name host/master.kdc.name

Each KDC should only have its own host principal in its keytab file.  If
you extracted the host principal for host/master.kdc.name on the replica
KDC (therefore incrementing the key version of host/master.kdc.name and
invalidating the master KDC's keytab file), that might account for the
error.
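The mismatch Greg describes in his second reply (ktadd for host/master run on the replica bumps the kvno in the KDB and silently invalidates the master's keytab) can be confirmed before touching any keys by comparing what the master's keytab holds with what its own database reports. The script below is an added example, not code from the thread or from the MIT Kerberos project. The hostnames master.kdc.example.com / replica.kdc.example.com, the realm EXAMPLE.COM, and the two listings embedded in it are constructed assumptions shaped like "klist -k -e" and "kadmin.local -q getprinc" output, so it runs offline; on a real master you would pipe the live output of those commands into the same functions.

```shell
#!/bin/sh
# Added example (not from the thread or the MIT Kerberos project): compare the
# key version numbers (kvno) a KDC's keytab holds for a principal with the
# versions its own Kerberos database reports. A keytab whose kvno is behind
# the KDB is exactly the state produced by running ktadd for host/master on
# the replica KDC, which is what Greg suggests may be behind the error.
#
# On the master the inputs would come from:
#   klist -k -e /etc/krb5.keytab
#   kadmin.local -q "getprinc host/master.kdc.example.com"
# and the failing kprop step itself can be reproduced with:
#   KRB5_TRACE=/dev/stdout kinit -k -S host/replica.kdc.example.com host/master.kdc.example.com
# Hostnames, realm and the listings below are constructed assumptions.

# Highest kvno the keytab holds for principal $1 ("klist -k -e" output on stdin).
keytab_kvno() {
    awk -v p="$1" '$2 == p { if ($1 + 0 > max) max = $1 + 0 } END { print max + 0 }'
}

# Highest kvno the KDB reports ("getprinc" output on stdin).
kdb_kvno() {
    awk '/^Key: vno [0-9]+/ { sub(/,$/, "", $3); if ($3 + 0 > max) max = $3 + 0 }
         END { print max + 0 }'
}

# check_kvno PRINCIPAL KEYTAB_LISTING KDB_LISTING
# Returns 0 when keytab and KDB agree, 1 when the keytab is stale.
check_kvno() {
    principal=$1
    kt=$(printf '%s\n' "$2" | keytab_kvno "$principal")
    db=$(printf '%s\n' "$3" | kdb_kvno)
    if [ "$kt" -eq "$db" ]; then
        echo "OK: $principal kvno $kt in keytab matches KDB"
        return 0
    fi
    echo "MISMATCH: $principal keytab kvno $kt, KDB kvno $db;" \
         "re-run ktadd for it on this host only, never on the other KDC"
    return 1
}

# --- Constructed sample listings ------------------------------------------
# Master keytab, extracted when host/master was at kvno 3.
KEYTAB_MASTER='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/master.kdc.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 host/master.kdc.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)'

# KDB entry after ktadd for host/master was run on the replica: kvno is now 4.
KDB_MASTER='Principal: host/master.kdc.example.com@EXAMPLE.COM
Expiration date: [never]
Number of keys: 2
Key: vno 4, aes256-cts-hmac-sha1-96
Key: vno 4, aes128-cts-hmac-sha1-96'

# Replica keytab and KDB entry, which agree with each other.
KEYTAB_REPLICA='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/replica.kdc.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 host/replica.kdc.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)'

KDB_REPLICA='Principal: host/replica.kdc.example.com@EXAMPLE.COM
Expiration date: [never]
Number of keys: 2
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, aes128-cts-hmac-sha1-96'

# Run both checks when executed directly; only the master one reports a mismatch.
check_kvno host/master.kdc.example.com@EXAMPLE.COM "$KEYTAB_MASTER" "$KDB_MASTER" || :
check_kvno host/replica.kdc.example.com@EXAMPLE.COM "$KEYTAB_REPLICA" "$KDB_REPLICA" || :
```

The comparison deliberately looks at the highest kvno on each side: a keytab can legitimately carry older entries alongside the current one, but if its newest entry is behind the KDB the KDC will encrypt the reply under a key the client no longer has, which is what surfaces as "Decrypt integrity check failed". Copying the keytab between hosts, as in the original post, does not help because each KDC's keytab should hold only that host's own principal.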