On 03/27/2018 02:33 PM, Jonathan Maron wrote:
> I’ve noticed that the kinit failures correlate to situations in which
> TCP fails and UDP is used. In every case when the client waits a second
> and switches to UDP the kinit invocation fails. Does this ring any bells?

The successful trace log from the original message also showed a fallback to UDP. Ignoring that, I don't see how the transport would be relevant, unless the UDP port were being served by a different KDC process with a slightly different database.

> Could the error processing be related to the decrypt integrity check failure
> noted in the server log?

"preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed" is the expected message when encrypted timestamp is tried with the wrong key (typically due to the wrong password being entered). (More recent versions of the KDC would say "Preauthentication failed" instead.) I don't know why that's happening, since the same key was used in the successful and unsuccessful trace logs. But it also doesn't account for the weird error processing in the client trace log.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos