[38543] in Kerberos
Re: kprop: Decrypt integrity check failed while getting initial
daemon@ATHENA.MIT.EDU (Greg Hudson)
Sun May 19 10:36:46 2019
From: Greg Hudson <ghudson@mit.edu>
To: Laura Smith <n5d9xq3ti233xiyif2vp@protonmail.ch>, "kerberos@mit.edu" <kerberos@mit.edu>
Message-ID: <ef0f9744-f86e-c817-82e3-9608e8d1d5c4@mit.edu>
Date: Sun, 19 May 2019 10:36:36 -0400
In-Reply-To: <94429047-9c9c-23f0-b8dc-b70ba6b26b3c@mit.edu>
On 5/19/19 10:27 AM, Greg Hudson wrote:
> Yes, it's local on the master KDC.  kprop begins by getting Kerberos
> credentials for the host principal of the replica KDC, and this step is
> failing.  You can simulate this step with "kinit -k host/replica.name"
> to try to isolate the problem.

Apologies; that wasn't correct.  I should have said:

kprop begins by getting Kerberos credentials for
host/master.kdc.name@REALM to host/replica.kdc.name@REALM.  You can
simulate this step with:

  kinit -k -S host/replica.kdc.name host/master.kdc.name

Each KDC should only have its own host principal in its keytab file.  If
you extracted the host principal for host/master.kdc.name on the replica
KDC (therefore incrementing the key version of host/master.kdc.name and
invalidating the master KDC's keytab file), that might account for the
error.

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
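
A way to check for the stale-keytab condition described in the message above, added here as an example and not part of the original post: it compares the key version in `klist -k` output with the `Key: vno` lines of `kadmin.local getprinc` output. The function names, the `/etc/krb5.keytab` path and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the key version (kvno) held in a keytab with the
# kvno in the KDC database. All sample output below is constructed.

# Highest kvno for principal $1 in `klist -k` output read on stdin (0 if absent).
keytab_kvno() {
    awk -v p="$1" 'BEGIN { max = 0 }
        $2 == p && $1 ~ /^[0-9]+$/ && $1 + 0 > max { max = $1 + 0 }
        END { print max }'
}

# Highest "Key: vno N" in `kadmin.local -q "getprinc ..."` output read on stdin.
kdb_kvno() {
    awk 'BEGIN { max = 0 }
        $1 == "Key:" && $2 == "vno" { v = $3; sub(/,.*/, "", v)
                                      if (v + 0 > max) max = v + 0 }
        END { print max }'
}

# Verdict for keytab kvno $1 against database kvno $2.
kvno_verdict() {
    if [ "$1" -eq 0 ]; then echo MISSING      # principal not in the keytab
    elif [ "$1" -lt "$2" ]; then echo STALE   # key changed after keytab was written
    elif [ "$1" -eq "$2" ]; then echo OK
    else echo MISMATCH                        # keytab is newer than the database
    fi
}

PRINC='host/master.kdc.name@REALM'
# Constructed sample of `klist -k /etc/krb5.keytab` on the master KDC.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------
   2 host/master.kdc.name@REALM
   2 host/master.kdc.name@REALM'
# Constructed sample of `kadmin.local -q "getprinc host/master.kdc.name"`.
SAMPLE_GETPRINC='Principal: host/master.kdc.name@REALM
Number of keys: 2
Key: vno 3, aes256-cts-hmac-sha1-96
Key: vno 3, aes128-cts-hmac-sha1-96'

kt=$(printf '%s\n' "$SAMPLE_KLIST" | keytab_kvno "$PRINC")
db=$(printf '%s\n' "$SAMPLE_GETPRINC" | kdb_kvno)
echo "$PRINC: keytab kvno $kt, database kvno $db: $(kvno_verdict "$kt" "$db")"
```

On a live master KDC, pipe the real `klist -k` and `kadmin.local -q "getprinc host/master.kdc.name"` output into the two parsing functions in place of the samples.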