Pretty much as described in the thread title. I'm running RHEL6 on both the server and the client.

I followed Red Hat's own instructions to set the kdc up

I have a user called krb, that has been added to the KDC and I can get a ticket from the KDC, by using If I then try to log in to the KDC, from the KDC, with this works fine, in other words, it logs in using GSSAPI authentication.
So that tells me that both ssh client and daemon are configured fine for Kerberos authentication.

I have configured the client to use kerberos using authconfig-tui. I have compared both the client and the server /etc/krb5.conf files and they are identical.

Name resolution works fine for both server and client, in other words I can ping kdcserver from the server and the client and I can ping sshclient from server and client both fqdn and hostname.

I get a ticket for krb with kinit krb in sshclient and I get
I then add the sshclient to KDC, as described here.In actual fact, I add one with fqdn and another just the hostname for good measure and place them in the client /etc/krb5.keytab file.

When I try again, I get this:

debug1: Unspecified GSS failure. Minor code may provide more information\nWrong principal in request\n

If I do klist, I have these tickets now :
any ideas?

TIA

edit.

I've just tried ssh directly on the client ssh krb@sshclient -v, I also get in with GSSAPI authentication (as long as there is a ticket)

These are the tickets I have after a successful login.

krbtgt/DOMAIN.COM@DOMAIN.COM
host/sshclient.domain.com@DOMAIN.COM

This would suggest that i'm getting the right ticket above when I try client to server

What is going on???

Try checking /etc/hosts format, should be '<ip_address> <fqdn> <short_hostname>', also check the output of 'hostname' and 'hostname -s'

I had the format the other way about, i.e. short_hostname before fqdn, but even changing that seemed to make no difference.

I've managed to get it working. I created a new zone in my DNS server and used the DNS server instead of the hosts file, I also reinstalled the KDC server, here is a list of steps that I took to get it to work from scratch:

installed kdc (yum install krb5-server)

created kdc db (kdb5_util create -s)

added root/admin (kadmin.local -q "addprinc root/admin")

added krb (kadmin.local -q "addprinc krb")

ssh kdcserver from kdcserver-- complains about missing host/kdcserver.domain.com in Kerberos database
ssh kdcserver from client-- complains about missing host/kdcserver.domain.com in Kerberos database

kadmin.local on kdcserver
addprinc -randkey host/kdcserver.domain.com

ssh kdcserver from kdcserver-- complains EM Get Key table file '/etc/krb5.keytab' not found
ssh kdcserver from client-- complains EM Get Key table file '/etc/krb5.keytab' not found

added host/kdcserver.domain.com to /etc/krb5.keytab in kdcserver (kadmin | ktadd -k /etc/krb5.keytab host/kdcserver.domain.com)

ssh kdcserver from kdcserver works !!!!
ssh kdcserver from client works !!!!

Tried ssh client from kdcserver -- complains about missing host/client.domain.com in Kerberos database

kadmin.local on kdcserver
addprinc -randkey host/client.domain.com
added host/client.domain.com to /etc/krb5.keytab in client

ssh client from kdcserver works!!!!!!

Thus, In order to add a new host I would need to do:

on kdcserver

kadmin.local
addprinc -randkey host/newhost.domain.com

and add host/newhost.domain.com to /etc/krb5.keytab in newhost

and this does indeed work.

I think I'll stick with my 389-server

I was just having a look at this as part of the preparation for the RHCE, where there is a fairly undefined objective regarding Kerberos Authentication (Configure system to authenticate using Kerberos)

I have created a post in my blog explaining the steps taken, for future reference.

For some reason, I think I'm missing SPNs, I cannot ssh working with a windows 2003 ad, which I already had up and running. I sort of does not make too much sense to have Kerberos on its own, i.e. without an LDAP service for accounts, but there you go.