I need help to understand why the same principal works fine for a host but not for another, both in the same realm (let's call it HDX), when they try to authenticate to the KDC in another realm (let's call it HDY).
The principal is like this: user/HDY@HDY, and it is used to authenticate a host (host1) from HDX realm in HDY realm.
Everything works fine for this host, so I copied the keytab with the principal to another host (host2).
Host1 authenticates for krbtgt/HDY@HDY, whereas host2 tries to obtain krbtgt/HDX@HDY and receives the following error:
UNKNOWN_SERVER: authtime 0, user/HDY@HDY for krbtgt/HDX@HDY, Server not found in Kerberos database.
This is clear, because in the KDC database there is only krbtgt/HDY@HDY, not krbtgt/HDX@HDY. It is not clear to me why host1 can obtain the ticket while host2 cannot.
I hope you can help me; let me know if you need further information from me.
Thanks a lot
What happens when you try a manual kinit on host2, explicitly specifying the principal and the realm, i.e.:
kinit -kt keytab.file -p user/HDY@HDY
Also, could you share your krb5.conf files from both hosts, as well as the list of keys stored in the keytab you exported (klist -kt keytab.file)? Without this information it's a bit hard to analyze this issue.
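The reply asks for both hosts' krb5.conf because the [domain_realm] section is what decides which realm a client believes the target host belongs to, and therefore whether it asks the HDY KDC for its plain TGT krbtgt/HDY@HDY or for a cross-realm ticket such as krbtgt/HDX@HDY. The following added example (not from the thread; the config fragments, hostnames and domain names are constructed) implements that lookup in Python so two configs can be compared side by side.

```python
import re

# Constructed krb5.conf fragments for illustration only; not taken from the thread.
HOST1_CONF = """
[libdefaults]
  default_realm = HDX
[domain_realm]
  .hdy.example = HDY
"""
HOST2_CONF = """
[libdefaults]
  default_realm = HDX
[domain_realm]
  .hdy.example = HDY
  kdc.hdy.example = HDX   # a stray host entry overriding the domain rule
"""

def parse_sections(text):
    """Minimal krb5.conf parser: {section: {key: value}}; ignores nested {...} groups."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line in ("{", "}"):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif current is not None and "=" in line and not line.endswith("{"):
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return sections

def host_realm(conf_text, hostname):
    """Resolve a host to a realm in the order MIT krb5 documents for [domain_realm]:
    exact hostname entry, then the nearest dot-prefixed parent-domain entry, and as a
    last resort the upper-cased domain portion of the name (simplified: no DNS/referrals)."""
    mapping = parse_sections(conf_text).get("domain_realm", {})
    labels = hostname.lower().rstrip(".").split(".")
    if ".".join(labels) in mapping:
        return mapping[".".join(labels)]
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return ".".join(labels[1:]).upper()

def ticket_requested(conf_text, client_realm, service_host):
    """Ticket the client asks its own realm's KDC for before talking to service_host.
    Same realm -> the plain TGT; different realm -> a cross-realm TGT like krbtgt/HDX@HDY."""
    return f"krbtgt/{host_realm(conf_text, service_host)}@{client_realm}"
```

Comparing the two constructed configs reproduces the thread's symptom: host1 maps the HDY service host to HDY and uses its TGT, while host2's extra host entry maps it to HDX and triggers a request for krbtgt/HDX@HDY.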