Russ Allbery <r...@stanford.edu> writes:

> Check the host/* principal on the system to which you were authenticating.
> I bet that the REQUIRES_PRE_AUTH flag was set for it, which means that
> only tickets that are pre-authenticated can authenticate to that service
> principal.

Indeed, that was it! Russ saves the day again.

Curious: I assume that the failure mode here is some variation on the sshd machine asking the KDC for a delegation and the KDC refusing. Does the refusal include enough information to produce an error message (either in the sshd log or elsewhere) mentioning this as the reason for the failure?

In general I find that sshd really does a very poor job explaining the reason why things went wrong when it comes to Kerberos/GSSAPI. I've got some free cycles this summer that I can put towards fixing that if it's something that can be fixed.

- a

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos