On 5/19/19 5:05 AM, Laura Smith wrote:
> I am getting the somewhat obscure error message "kprop: Decrypt integrity
> check failed while getting initial credentials" when attempting to set up a
> slave.
[...]
> I have also noted that "tcpdump -npi eth0 dst port 754" on the slave shows no
> traffic being sent when kprop is called on the master? So it seems this
> "decrypt integrity check" thing is something local on the master?

Yes, it's local on the master KDC. kprop begins by getting Kerberos credentials for the host principal of the replica KDC, and this step is failing. You can simulate this step with "kinit -k host/replica.name" to try to isolate the problem.

I can't think of any simple way to get mismatched keys between the master KDC's keytab and its own Kerberos database. Check that kinit (or kprop, if you can't reproduce the problem with kinit) is talking to the master KDC and not some other KDC--you can do this with "KRB5_TRACE=/dev/stdout kinit ...".

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
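
One way to automate the KRB5_TRACE check suggested in the reply above, as an added example that is not part of the original message: the script extracts the endpoints that answered from a trace and compares them with the master KDC's address. The trace lines are constructed samples modelled on MIT krb5 trace output, and the realm, the 192.0.2.x addresses and the function names are assumptions.

```shell
#!/bin/sh
# Added example: check which KDC answered in a KRB5_TRACE log.
# Trace lines below are CONSTRUCTED samples modelled on MIT krb5 trace output;
# the realm, hostnames and 192.0.2.x addresses are placeholders.
SAMPLE_TRACE='[4242] 1558256700.000001: Getting initial credentials for host/replica.name@EXAMPLE.COM
[4242] 1558256700.000002: Sending request (180 bytes) to EXAMPLE.COM
[4242] 1558256700.000003: Resolving hostname kdc2.example.com
[4242] 1558256700.000004: Sending initial UDP request to dgram 192.0.2.20:88
[4242] 1558256700.000005: Received answer (250 bytes) from dgram 192.0.2.20:88'

# Print the unique "address:port" endpoints that sent an answer (trace on stdin).
kdc_answered() {
    sed -n 's/^.*Received answer ([0-9]* bytes) from [a-z]* \(.*\)$/\1/p' | sort -u
}

# $1 = address of the master KDC (assumed known to the operator); trace on stdin.
# Returns 0 if only the master answered, 1 if another KDC did, 2 if none did.
check_master() {
    expected=$1
    endpoints=$(kdc_answered)
    [ -n "$endpoints" ] || { echo "no KDC answer found in trace"; return 2; }
    status=0
    for ep in $endpoints; do
        case $ep in
            "$expected":*) echo "ok: answer from master KDC $ep" ;;
            *) echo "MISMATCH: answer from $ep, expected $expected"; status=1 ;;
        esac
    done
    return $status
}

# Live use on the master (commands from the reply above):
#   KRB5_TRACE=/dev/stdout kinit -k host/replica.name 2>&1 | check_master <master-address>
# Demo on the constructed trace, where a different KDC (192.0.2.20) answered:
printf '%s\n' "$SAMPLE_TRACE" | check_master 192.0.2.10 || true
```

A mismatch here means the keytab entry is being checked against a different KDC's database, which would produce the same "Decrypt integrity check failed" error.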