[33321] in Kerberos
krb5_get_init_creds_password: Decrypt integrity check failed (KRB5
daemon@ATHENA.MIT.EDU (Traiano Welcome)
Mon Apr 11 07:00:20 2011
From: Traiano Welcome <Traiano.Welcome@mtnbusiness.co.za>
To: "kerberos@mit.edu" <kerberos@mit.edu>
Date: Mon, 11 Apr 2011 10:59:16 +0000
Message-ID: <E012414FCF65894B89F69DE76AE15E99058D60F0@CPT-EXCH01.int.mtnbusiness.net>
Content-Language: en-US
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Hi List
I'm trying to configure a (Ubuntu/Debian) Linux server as a kerberos client with our current kerberos infrastructure. I would like users to authenticate ssh logins to the system using kerberos, and so I'm using the pam_krb5 pam module. However, Krb5 authentication fails with the following significant error when I attempt ssh to the server:
"krb5_get_init_creds_password: Decrypt integrity check failed"
I've carefully confirmed the host principal on my KDC and krberos master, and triple-checked the krb5.conf and krb5.keytab, and connectivity between the client and the KDC, as well as ntp time synchronisation between all the systems involved. My question is: Is there some way I can debug this to a deeper level in order to pinpoint exactly why "Decrypt integrity check failed" ... I've tried sniffing packets during the communications between the client and the master kdc, unfortunately, the contents are largely encrypted, so I can't find any further data. Also, I've searched for more detailed debugging options for pam_krb5, ut it doesn't look like any exist ... the krb5kdc.log doesn't seem to offer more detailed information either ...
The full pam_krb5 debug trace is as follows:
---
Apr 11 11:54:32 linux-server01 sshd[16073]: pam_krb5(sshd:setcred): pam_sm_setcred: entry (0x4)
Apr 11 11:54:32 linux-server01 sshd[16073]: pam_krb5(sshd:setcred): pam_sm_setcred: exit (success)
Apr 11 11:54:41 linux-server01 sshd[16160]: pam_krb5(sshd:auth): pam_sm_authenticate: entry (0x1)
Apr 11 11:54:41 linux-server01 sshd[16160]: pam_krb5(sshd:auth): (user bobjones) attempting authentication as bobjones@EVASIVE.ORG.ZA
Apr 11 11:54:41 linux-server01 sshd[16160]: pam_krb5(sshd:auth): (user bobjones) krb5_get_init_creds_password: Decrypt integrity check failed
Apr 11 11:54:41 linux-server01 sshd[16160]: pam_krb5(sshd:auth): authentication failure; logname=bobjones uid=0 euid=0 tty=ssh ruser= rhost=marvel.ops.evasive.org.za
Apr 11 11:54:41 linux-server01 sshd[16160]: pam_krb5(sshd:auth): pam_sm_authenticate: exit (failure)
---
Many thanks in Advance,
Traiano Welcome
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
