I am really getting frustrated on this matter.
Say we have two MIT Kerberos Realms X and Y (not hierarchically
related).
The users are defined in realm X and would also like to be
authenticated in realm Y.

1) I have defined the appropriate realm principals in both realms.
krbtgt/X@Y
krbtgt/Y@X
I did this in both realms and the realm principals' passwords are
identical.
2) On the KDC in realms X and Y, krb5.conf looks like (partly):
...
[realms]
    Y = {
        kdc = someserver.y:88
        admin_server = someserver.y.com:749
        default_domain = y
    }

    X = {
        kdc = someserver.x:88
        default_domain = x
    }

[capaths]
    Y = {
        X = .
    }

    X = {
        Y = .
    }
3) The krb5.conf on the clients in realm Y looks like (partly):
...
[realms]
    X = {
        kdc = someserver.y:88
        default_domain = x
    }

However, when a client tries to kinit to USER (which is a principal
defined in realm X)
kinit USER@Y
-> Unable to obtain initial credentials.
Status 0x96c73a06 - Client not found in Network Authentication
Service database or client locked out.

What am I missing here?
Can someone please help me on this one...

Thanks in advance
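
As an added example (not part of the original post), the sketch below reads a [capaths] section and lists the cross-realm krbtgt principals each path depends on, so they can be compared with what was created in step 1. It generalizes to paths with intermediate realms; the function names and the embedded sample are constructed for illustration, and the reading of [capaths] (outer tag is the client realm, inner tag is the server realm, "." means a direct path) follows the MIT krb5.conf documentation.

```python
import re

# Constructed sample: the [capaths] section as quoted in the post.
SAMPLE_CONF = """\
[capaths]
Y = {
    X = .
}
X = {
    Y = .
}
"""

def parse_capaths(text):
    """Return {client_realm: {server_realm: [intermediate realms]}}."""
    paths, section, client = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, client = header.group(1), None
        elif section != "capaths":
            continue
        elif line == "}":
            client = None
        elif client is None:                  # "REALM = {" opens a client realm
            client = line.split("=", 1)[0].strip()
            paths.setdefault(client, {})
        else:                                 # "SERVER_REALM = hop", "." = direct
            server, _, hop = (p.strip() for p in line.partition("="))
            hops = paths[client].setdefault(server, [])
            if hop != ".":
                hops.append(hop)
    return paths

def required_principals(paths):
    """Cross-realm TGT principals each hop of every path depends on."""
    needed = set()
    for client, servers in paths.items():
        for server, hops in servers.items():
            chain = [client, *hops, server]
            needed.update(f"krbtgt/{b}@{a}" for a, b in zip(chain, chain[1:]))
    return sorted(needed)

def missing_principals(conf_text, defined):
    """Principals the capaths imply that are absent from `defined`."""
    return sorted(set(required_principals(parse_capaths(conf_text))) - set(defined))

if __name__ == "__main__":
    print(required_principals(parse_capaths(SAMPLE_CONF)))
    print(missing_principals(SAMPLE_CONF, ["krbtgt/X@Y", "krbtgt/Y@X"]))
```

Each principal returned must exist in the databases of both realms named in it, with the same key and key version on each side.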