GSSAPI Decrypt integrity check failed

Robert Fitzpatrick robert at
Tue Jul 27 21:55:47 EDT 2004

Trying to get SASL to work with Heimdal 0.6 on FreeBSD 5.2.1. When doing
the sample-server test, it finds my ticket OK and presents a response
that the sample-client accepts and gives its response. The problem is
when sending that client response back to the server, this is what

esmtp# ./sample-server -s imap -p ../plugins/.libs
Generating client mechanism list...
Sending list of 8 mechanism(s)
S: <server response>
Waiting for client mechanism...
C: <client response from below>
got 'GSSAPI'
lt-sample-server: SASL Other: GSSAPI Error:  Miscellaneous failure (see
text) (Decrypt integrity check failed)
lt-sample-server: Starting SASL negotiation: authentication failure
(authentication failure)
esmtp# ./sample-client -s imap -n -u spam -p
Waiting for mechanism list from server...
S: <server response from above>
recieved 57 byte message
Choosing best mechanism from: NTLM LOGIN ANONYMOUS PLAIN GSSAPI OTP
returning OK: spam
Using mechanism GSSAPI
Preparing initial.
Sending initial response...
C: <client response>

Both the SASL and saslauthd ports are version 2.1.19 on the system.
Anyone know
what 'Decrypt integrity check failed' means? I found references to the
password being wrong when Googling it, but the password has been reset
and I get this same error with any user. I am starting the sample-server
and sample-client as follows, seems to find the service keytab OK, I am
using what I think is setup correctly. I extracted the Kerberos keytab
for imap/ and have it placed correctly in
/etc/krb5.keytab with 600 owned by the 'cyrus' user. The realm is

./sample-server -s imap -p ../plugins/.libs
./sample-client -s imap -n -u spam -p ../plugins/.libs
kadmin> list spam
  spam at WEBTENT.NET
esmtp# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: spam at WEBTENT.NET

  Issued           Expires          Principal
Jul 27 10:18:04  Jul 27 20:18:04  krbtgt/WEBTENT.NET at WEBTENT.NET
Jul 27 10:18:09  Jul 27 20:18:04  imap/ at WEBTENT.NET
esmtp# ls -la /etc/krb5.keytab
-rw-------  1 cyrus  mail  586 Jul 26 19:49 /etc/krb5.keytab
Decrypt integrity check failed

Cyrus Home Page:
Cyrus Wiki/FAQ:
List Archives/Info:

More information about the Info-cyrus mailing list