all, but falling back to the inbuilt krb5 password checking. This appears to not be correctly writing out a credentials cache. If you want to track down the credentials forwarding problem further, could you send me privately a copy of the debug logs from the server (with -d) and the client (with -v -v), where the client has valid credentials in the cache when invoked. Cheers, Simon.