Hi, Ok, I managed to find some more debugging info.
When I kinit on the client, log.samba on the server reports (I put spaces around every "@" so that the list does not interpret them as e-mail addresses): Kerberos: AS-REQ user @ MYDOMAIN.NET from ipv4:10.45.1.55:51790 for krbtgt/MYDOMAIN.NET @ MYDOMAIN.NET Kerberos: Client sent patypes: 149 Kerberos: Looking for PKINIT pa-data -- user @ MYDOMAIN.NET Kerberos: Looking for ENC-TS pa-data -- user @ MYDOMAIN.NET Kerberos: No preauth found, returning PREAUTH-REQUIRED -- user @ MYDOMAIN.NET Kerberos: AS-REQ user @ MYDOMAIN.NET from ipv4:10.45.1.55:34138 for krbtgt/MYDOMAIN.NET @ MYDOMAIN.NET Kerberos: Client sent patypes: encrypted-timestamp, 149 Kerberos: Looking for PKINIT pa-data -- user @ MYDOMAIN.NET Kerberos: Looking for ENC-TS pa-data -- user @ MYDOMAIN.NET Kerberos: ENC-TS Pre-authentication succeeded -- user @ MYDOMAIN.NETusing arcfour-hmac-md5 Kerberos: AS-REQ authtime: 2012-07-10T09:53:20 starttime: unset endtime: 2012-07-10T19:53:20 renew till: 2012-07-11T09:53:11 Kerberos: Client supported enctypes: arcfour-hmac-md5, using arcfour-hmac-md5/arcfour-hmac-md5 Kerberos: Requested flags: renewable-ok, proxiable, forwardable Then when I try to ssh to the server, log.samba reports: Kerberos: TGS-REQ user @ MYDOMAIN.NET from ipv4:10.45.1.55:51485 for host/ cofil01.mydomain.net @ MYDOMAIN.NET [canonicalize, renewable, proxiable, forwardable] Kerberos: TGS-REQ authtime: 2012-07-10T09:53:20 starttime: 2012-07-10T09:53:39 endtime: 2012-07-10T19:53:20 renew till: 2012-07-11T09:53:11 and ssh just reports: debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug2: we sent a gssapi-with-mic packet, wait for reply debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug2: we did not send a packet, disable method If I repeat the ssh command, nothing pops up in log.samba unless I kinit again. When looking at the log.samba file, it looks like ssh GSSAPI succeeded but ssh thinks differently. br, Quinn -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba