OK. This is a bit of a long-shot and I apologize if the descriptino is insufficient.
There's a package krb5-gss-samples which includes a gss-client and gss-server program. you start gss-server like KRB5_KTNAME=/etc/krb5.keytab gss-server service@hostname where service is something like host and hostname is the host name. Note that you do not specify a realm name. then you use kinit to get client principals and gss-client localhost service@hostname test_message Probably what you'll discover is that gss-client and server work fine but that your pam module still fails. If that's the case, you could trim the set of keys in your keytab (particularly enctypes and kvnos) down to the one key that actually matters; ktutil can help with that. That may improve things with PAM. If none of that helps, then we'll have to deal with getting KRB5_TRACE working. Another possibility I just noticed is that there is a test program for the krb5_verify_init_creds function in src/lib/krb5/krb/t_vfy_increds.c. So, you could do something like apt-get build-dep krb5 apt-get source krb5 cd krb5-* debian/rules build cd build/lib/krb5/krb make check and then you'd have a t_vfy_increds binary that you could KRB5_TRACE. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org