kinit is ok, but ssh is not

Giuseppe Mazza g.mazza at
Fri May 2 12:35:22 EDT 2014

Dear All,

I have built a test infrastructure as below:
gm-u1204 = Ubuntu12.04 server running my kdc (realm -> GML.DOC.IC.AC.UK)
gm-win2012 = Windows 2012 running my dc (domain -> GMW.DOC.IC.AC.UK)

I have set up a nontransitive trust, i.e.
"One-way: incoming Users in this domain          GMW.DOC.IC.AC.UK
 can be authenticated in the specified realm     GML.DOC.IC.AC.UK"

1] I can
mazza@gm-u1204:~$ kinit giuseppe@GMW.DOC.IC.AC.UK
mazza@gm-u1204:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1002
Default principal: giuseppe@GMW.DOC.IC.AC.UK

Valid starting     Expires            Service principal
02/05/14 15:55:17  03/05/14 01:55:34
	renew until 03/05/14 15:55:17

2] but I cannot
mazza@gm-u1204:~$ ssh -vvv giuseppe@gm-u1204
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Cannot find KDC for requested realm
debug1: Next authentication method: password
giuseppe@gm-u1204's password:

and I am asked for giuseppe's password :-(

I have noticed the "Cannot find KDC for requested realm" message above.

My /etc/krb5.conf contains the lines below:

root@gm-u1204:~# grep -A 1 -B 2 GML /etc/krb5.conf
	default_realm = GML.DOC.IC.AC.UK
	rdns = false
# in the section below:
        GML.DOC.IC.AC.UK = {
                kdc =
# in the section below:

root@gm-u1204:~# grep -A 2 GMW /etc/krb5.conf
        GMW.DOC.IC.AC.UK = {
                kdc =
		default_domain =

I wonder if you could provide some help to solve my problem.

Thank you in advance,
