Hi, I hope I'm at the right place here for my issue.
This is the case: On my macbook (Mac OS X 10.11), I have a renewable Kerberos-ticket: --- macbook013:~ vm$ klist -v Credentials cache: API:EF9959E6-85DF-446F-9B21-3CEEC606FA2D Principal: v...@realm.com Cache version: 0 Server: krbtgt/realm....@realm.com Client: v...@realm.com Ticket etype: aes256-cts-hmac-sha1-96, kvno 1 Ticket length: 342 Auth time: Oct 26 13:55:09 2016 End time: Nov 25 12:55:05 2016 Renew till: Jan 26 12:55:05 2017 Ticket flags: enc-pa-rep, pre-authent, initial, renewable, proxiable, forwardable Addresses: addressless --- If I do a ssh (GSSAPIAuthentication yes,GSSAPIDelegateCredentials yes) to a linux-server, the ticket there is not renewable anymore: --- macbook013:~ vm$ ssh linuxserver2 linuxserver2 ~ # klist -f Ticket cache: FILE:/tmp/krb5cc_1379_BZVstF6000 Default principal: v...@realm.com Valid starting Expires Service principal 10/26/16 14:00:30 11/25/16 12:55:05 krbtgt/realm....@realm.com Flags: FfPAT linuxserver2 ~ # krenew krenew: error renewing credentials: KDC can't fulfill requested option linuxserver2 ~ # kinit -R kinit: KDC can't fulfill requested option while renewing credentials --- If I do a kinit on linuxserver1 and get a renewable ticket there and ssh to linuxserver2, the forwarded ticket stays renewable. I guess it has something to do with the ssh-client on Mac OS X? (but copying the ssh_config from linuxserver1 to the macbook does not solve it. Copying the krb5.conf doesn't solve it either) Or should I search the cause in another direction? Maybe I'm missing something obvious. Thank you for thinking with me! VM ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos