GSSAPI authentication ceased working

Wesley Craig wes at
Thu Jan 8 14:21:30 EST 2009

On 02 Jan 2009, at 11:19, Lars Hanke wrote:
> hermod: /var/log/auth.log
> Jan  2 17:07:54 hermod imtest: GSSAPI Error: Unspecified GSS  
> failure.  Minor code may provide more information (Decrypt  
> integrity check failed)
> hel: /var/log/syslog
> Jan  2 16:07:54 hel krb5kdc[1652]: TGS_REQ (7 etypes {18 17 16 23 1  
> 3 2}) PROCESS_TGS: authtime 0,  <unknown client> for  
> imap/hermod.mgr at MGR, Decrypt integrity check failed

As I read this, hel is saying that the TGT is bad.  You're trying to  
obtain a service ticket for imap/hermod, but the TGT you're  
attempting to use is not accepted by the KDC.  If you klist after  
running imtest, you have no imap/hermod ticket.  I've never seen an  
error like that.  It suggests that you KDC is really broken :)   
Something like the key used to encrypt your TGT isn't valid for  
obtaining service tickets.


More information about the Info-cyrus mailing list