Hello, I am trying to use Kerberos ticket from one AD-joined machine to login to another AD-joined machine without passwords. I passed -o GSSAPIAuthentication=yes to ssh on client and export KRB5_TRACE=/dev/stdout to print out the debug message. It shows me Creating authenticator for user@xxxxxxxxxx -> host/hostname.domain@domain.realm. All good there. On the server side, I have GSSAPIAuthentication=yes in sshd_config, DEBUG3 set, and there keeps an error message of debug1: No credentials were supplied, or the credentials were unavailable or inaccessible. No key table entry found matching host/hostname.domain@(empty ?) I am confused as to why sshd decides to drop the @domain.realm part. There is no host/hostname.domain@ entries in klist, so is there a way to debug or force the sshd to honor what the client has sent? Many thanks. Lucas. _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
