gssapi-with-mic and Win2K KDC?
Aaron Grewell
agrewell at uwb.edu
Wed Jun 2 08:42:43 EST 2004
> Try using "ssh -vvv -l adminaccount server.uwb.edu"
>
> I tried something using user at host and it failed, but -l user host works.
Using -l or user at host doesn't seem to make a difference here; it must be
something configuration-related that I've missed.
> What happened to gssapi-with-mic here? Does the sshd have
> a keytab with the host/<hostname>@<realm> principal?
>
It does.
> Did the user do a kinit to get a ticket?
I did a successful kinit immediately before attempting the ssh
connection.
[localaccount at cygnus localaccount]$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: adminaccount at UWB.EDU
Valid starting     Expires            Service principal
06/01/04 10:08:59  06/01/04 20:09:06  krbtgt/UWB.EDU at UWB.EDU
        renew until 06/02/04 10:08:59
Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached
> On my system, I get:
>
> debug1: Authentications that can continue: publickey,gssapi-with-mic,gssapi
> debug3: start over, passed a different list publickey,gssapi-with-mic,gssapi
> debug3: preferred gssapi-with-mic,gssapi,publickey,keyboard-interactive,password
> debug3: authmethod_lookup gssapi-with-mic
> debug3: remaining preferred: gssapi,publickey,keyboard-interactive,password
> debug3: authmethod_is_enabled gssapi-with-mic
> debug1: Next authentication method: gssapi-with-mic
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Delegating credentials
> debug1: Delegating credentials
Hmm. One of the things I noticed was that running sshd in debug mode
"-D -ddd" and watching a connection attempt did not show anything about
Kerberos or GSSAPI. I'm not sure what that means. I ran ldd against
sshd and it is linked against my kerb libraries, so I'm not sure how to
proceed.
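
Added example (not part of the original message and not OpenSSH code): a small parser for "ssh -vvv" client output that reports where gssapi-with-mic dropped out of the negotiation, using only the debug line formats quoted in this thread. The function names and result labels are assumptions made for illustration, and the second sample is constructed.

```python
import re

# Line formats as they appear in the client debug output quoted above.
OFFERED = re.compile(r"debug1: Authentications that can continue: (\S+)")
PREFERRED = re.compile(r"debug3: preferred (\S+)")
ATTEMPT = re.compile(r"debug1: Next authentication method: (\S+)")

def parse_ssh_debug(text):
    """Return the methods the server offered, the client prefers, and the client tried."""
    state = {"offered": set(), "preferred": [], "attempted": []}
    for raw in text.splitlines():
        line = raw.lstrip("> ")  # tolerate e-mail quoting
        if m := OFFERED.search(line):
            state["offered"].update(m.group(1).split(","))
        elif m := PREFERRED.search(line):
            state["preferred"] = m.group(1).split(",")
        elif m := ATTEMPT.search(line):
            state["attempted"].append(m.group(1))
    return state

def diagnose(text, method="gssapi-with-mic"):
    """Classify where `method` dropped out of the negotiation."""
    s = parse_ssh_debug(text)
    if method not in s["offered"]:
        return "not-offered-by-server"
    # The preferred list is only logged at -vvv; skip the check if absent.
    if s["preferred"] and method not in s["preferred"]:
        return "not-preferred-by-client"
    if method not in s["attempted"]:
        return "offered-but-not-attempted"
    return "attempted"

# Taken from the quoted debug output in this message.
SAMPLE_WORKING = """\
debug1: Authentications that can continue: publickey,gssapi-with-mic,gssapi
debug3: preferred gssapi-with-mic,gssapi,publickey,keyboard-interactive,password
debug1: Next authentication method: gssapi-with-mic
"""

# Constructed sample: a server whose offered list lacks gssapi-with-mic.
SAMPLE_NOT_OFFERED = """\
debug1: Authentications that can continue: publickey,password
debug3: preferred gssapi-with-mic,gssapi,publickey,keyboard-interactive,password
debug1: Next authentication method: publickey
"""

if __name__ == "__main__":
    for name, log in (("working", SAMPLE_WORKING), ("not offered", SAMPLE_NOT_OFFERED)):
        print(name, "->", diagnose(log))
```

A result of not-offered-by-server means the method never appeared in the server's list, so the place to look is the sshd side rather than the client's tickets.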