kinit is ok, but ssh is not
Giuseppe Mazza
g.mazza at imperial.ac.uk
Fri May 2 12:35:22 EDT 2014
Dear All,
I have built a test infrastructure as below:
gm-u1204 = Ubuntu12.04 server running my kdc (realm -> GML.DOC.IC.AC.UK)
gm-win2012 = Windows 2012 running my dc (domain -> GMW.DOC.IC.AC.UK)
I have set up a nontransitive trust, i.e.
"One-way: incoming Users in this domain GMW.DOC.IC.AC.UK
can be authenticated in the specified realm GML.DOC.IC.AC.UK"
1] I can
mazza@gm-u1204:~$ kinit giuseppe@GMW.DOC.IC.AC.UK
mazza@gm-u1204:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1002
Default principal: giuseppe@GMW.DOC.IC.AC.UK
Valid starting     Expires            Service principal
02/05/14 15:55:17  03/05/14 01:55:34  krbtgt/GMW.DOC.IC.AC.UK@GMW.DOC.IC.AC.UK
        renew until 03/05/14 15:55:17
2] but I can not
mazza@gm-u1204:~$ ssh -vvv giuseppe@gm-u1204
...
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Cannot find KDC for requested realm
...
debug1: Next authentication method: password
giuseppe@gm-u1204's password:
and I am asked for giuseppe's password :-(
I have noticed the "Cannot find KDC for requested realm" message above.
My /etc/krb5.conf contains the lines below:
root@gm-u1204:~# grep -A 1 -B 2 GML /etc/krb5.conf
[libdefaults]
default_realm = GML.DOC.IC.AC.UK
rdns = false
--
# in the section below:
[realms]
GML.DOC.IC.AC.UK = {
kdc = gml.doc.ic.ac.uk
--
# in the section below:
[domain_realm]
.doc.ic.ac.uk = GML.DOC.IC.AC.UK
doc.ic.ac.uk = GML.DOC.IC.AC.UK
.mit.edu = ATHENA.MIT.EDU
root@gm-u1204:~# grep -A 2 GMW /etc/krb5.conf
GMW.DOC.IC.AC.UK = {
kdc = gm-win2012.doc.ic.ac.uk:88
default_domain = doc.ic.ac.uk
I wonder if you could provide some help to solve my problem.
Thank you in advance,
Giuseppe
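
Added example, not part of the original message: a Python sketch that reads a krb5.conf, finds the realm that [domain_realm] assigns to a hostname, and lists the kdc entries configured for that realm, a check that is useful when a client reports "Cannot find KDC for requested realm". The sample file is constructed from the excerpts above, and host_realm() is a simplified model of the library's suffix matching, not its actual code.

```python
import re

# Constructed sample modelled on the post's grep excerpts; closing braces are assumed.
SAMPLE = """
[realms]
  GML.DOC.IC.AC.UK = {
    kdc = gml.doc.ic.ac.uk
  }
  GMW.DOC.IC.AC.UK = {
    kdc = gm-win2012.doc.ic.ac.uk:88
  }
[domain_realm]
  .doc.ic.ac.uk = GML.DOC.IC.AC.UK
  doc.ic.ac.uk = GML.DOC.IC.AC.UK
  .mit.edu = ATHENA.MIT.EDU
"""

def parse(text):
    """Return ({realm: [kdc, ...]}, {domain_or_host: realm}) from krb5.conf text."""
    kdcs, mapping, section, realm = {}, {}, None, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue                          # blank line or comment
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section, realm = m.group(1), None
        elif "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            if section == "realms" and val == "{":
                realm, kdcs[key] = key, []    # start of a realm block
            elif section == "realms" and realm and key == "kdc":
                kdcs[realm].append(val)
            elif section == "domain_realm":
                mapping[key.lower()] = val
    return kdcs, mapping

def host_realm(host, mapping):
    """Try the name, then each parent suffix with and without its leading dot."""
    p = host.lower()
    while p:
        if p in mapping:
            return mapping[p]
        # ".a.b" -> "a.b"; "h.a.b" -> ".a.b"; a name with no dot left ends the search
        p = p[1:] if p.startswith(".") else p[p.find("."):] if "." in p else ""
    return None

def check(host, text=SAMPLE):
    """Return (realm mapped for host or None, KDCs configured for that realm)."""
    kdcs, mapping = parse(text)
    realm = host_realm(host, mapping)
    return realm, kdcs.get(realm, [])
```

A result of (None, []) means no [domain_realm] entry matched the name as typed; a realm returned with an empty list has no kdc line in [realms].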