[Freeipa-users] "Decrypt integrity check failed" issue

Vitaly linux at karasik.org
Wed Jun 26 10:19:23 UTC 2013 

Update: Sumit, you were right - my problem was related to user password. To
be more precise, it wasn't wrong password, but probably some password's
properties/policy. After resetting password via IPA console this user is
able to login. I don't understand why.
But I'm really want to understand what caused to this problem and what is
explanation to this magic pam_ldap vs pam_lap+pam_krb5 difference.


On Wed, Jun 26, 2013 at 1:00 PM, Vitaly <linux at karasik.org> wrote:

> Well, probably I missed something...
> I see  very weird thing: when my system-auth pam config *contains* pm_krb5
> module before pam_ldap, use can login. When there is just pam_ldap, user
> cannot login.
> In assumption that we're able to use LDAP authentication, but some wrong
> with Kerberos, situation should be opposite, IMHO.
>
> Password is right. BTW, is there any way  (increase debug level?) to get
> more meaningful message?
>
>
>
>
> On Wed, Jun 26, 2013 at 12:39 PM, Sumit Bose <sbose at redhat.com> wrote:
>
>> On Wed, Jun 26, 2013 at 12:28:57PM +0300, Vitaly wrote:
>> > How I should debug & fix "Decrypt integrity check failed"  problem?
>>
>> This typically means wrong password.
>>
>> HTH
>>
>> bye,
>> Sumit
>> >
>> > TIA,
>> > Vitaly
>> >
>> >
>> > Jun 26 09:06:10 serv02.prod.example.com krb5kdc[7748](info): AS_REQ (12
>> > etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 192.168.99.21:
>> NEEDED_PREAUTH:
>> > username at PROD.EXAMPLE.COM for krbtgt/PROD.EXAMPLE.COM at PROD.EXAMPLE.COM,
>> > Additional pre-authentication required
>> > Jun 26 09:06:10 serv02.prod.example.com krb5kdc[7767](info): preauth
>> > (timestamp) verify failure: Decrypt integrity check failed
>> > Jun 26 09:06:10 serv02.prod.example.com krb5kdc[7767](info): AS_REQ (12
>> > etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 192.168.99.21:
>> PREAUTH_FAILED:
>> > username at PROD.EXAMPLE.COM for krbtgt/PROD.EXAMPLE.COM at PROD.EXAMPLE.COM,
>> > Decrypt integrity check failed
>>
>> > _______________________________________________
>> > Freeipa-users mailing list
>> > Freeipa-users at redhat.com
>> > https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130626/565f7f94/attachment.htm>

More information about the Freeipa-users mailing list