Solved.

Had to force client-side "-o GSSAPIStoreDelegatedCredentials yes"
even though it was not defined anywhere as "no" (although probably
a default for some reason).

Jeff Blaine wrote:
> Nicolas et al,
>
> ==== SSHD server ================================================== ==
>
> ~:alberta> uname -a
> SunOS alberta.foo.com 5.10 Generic_127111-01 sun4u sparc SUNW,Ultra-5_10
> ~:alberta>
>
> ~:alberta> sudo /usr/lib/ssh/sshd -p 3333 -o
> "GSSAPIStoreDelegatedCredentials yes" -o "GSSAPIKeyExchange yes" -o
> "GSSAPIAuthentication yes" -ddd
>
> ==== SSH client ================================================== ===
>
> ~:rcf-kerbtest-linux> grep GSSAPI /etc/ssh/ssh_config
> GSSAPIAuthentication yes
> ~:rcf-kerbtest-linux> ls .ssh/config
> ls: .ssh/config: No such file or directory
> ~:rcf-kerbtest-linux> /usr/kerberos/bin/klist -f
> Ticket cache: FILE:/tmp/krb5cc_26560_XM0qlu
> Default principal: jblaine@RCF.FOO.COM
>
> Valid starting Expires Service principal
> 11/01/07 14:30:02 11/08/07 13:30:02 krbtgt/RCF.FOO.COM@RCF.FOO.COM
> Flags: FI
> 11/01/07 14:30:02 11/08/07 13:30:02 afs@RCF.FOO.COM
> Flags: FT
> 11/01/07 14:30:27 11/08/07 13:30:02 host/alberta.foo.com@RCF.FOO.COM
> Flags: FT
>
>
> Kerberos 4 ticket cache: /tmp/tkt26560
> klist: You have no tickets cached
> ~:rcf-kerbtest-linux> /usr/bin/ssh -p 3333 alberta
> Last login: Mon Nov 5 11:15:47 2007 from rcf-kerbtest-li
> ...
> ~:alberta> /usr/bin/klist
> klist: No credentials cache file found (ticket cache
> FILE:/tmp/krb5cc_26560)
> ~:alberta>
>
> ==== SSHD server reports =======================================
> ...
> debug1: userauth-request for user jblaine service ssh-connection method
> gssapi-with-mic
> debug1: attempt 1 initial attempt 0 failures 1 initial failures 0
> debug2: input_userauth_request: try method gssapi-with-mic
> debug1: Client offered gssapi userauth with { 1 2 840 113554 1 2 2 }
> (supported)
> debug2: Mapping initiator GSS-API principal to local username
> debug2: Mapped the initiator to: jblaine
> debug2: Starting PAM service sshd-gssapi for method gssapi-with-mic
> debug3: Trying to reverse map address xxx.xx.11.213.
> debug3: Not storing delegated GSS credentials (none delegated)
> Accepted gssapi-with-mic for jblaine from xxx.xx.11.213 port 41605 ssh2
> ...
>
>