From: [EMAIL PROTECTED] > the KDC is the only machine on the network that is running > current (snap > upgraded last night), the rest are on 3.9 release. here are > the debugging outputs: > debug1: Next authentication method: gssapi-with-mic > debug2: we sent a gssapi-with-mic packet, wait for reply > debug1: Delegating credentials > debug1: Delegating credentials > debug1: Authentications that can continue: > publickey,gssapi-with-mic,password,keyboard-interactive > > the ssh -vvv outputs are not that enlightening, syslogging > auth.debug doesn't > show anything extra and it's not clear how to, if possible, > turn up the kerberos > log level. > > any advice would be appreciated. i suspect that this is some > issue related to > the KDC runnning current and the other machines being on 3.9 release.
I ran into similar failures between versions of OpenBSD (KDC running current and older releases on clients) that I was able to debug down to the level of detecting an error related to "MIC failures". I think I had to bump up debugging on sshd to get that. You might try this on the client systems' krb5.conf as it took care of the problem for me: [gssapi] correct_des3_mic = host/[EMAIL PROTECTED] ... or whatever appropriate wildcard you should have. Assuming this works for you, I'd be interested in knowing what the exact nature of the problem is, I hate fixing something blindly without knowing why it's fixed. DS