GSSAPIDelegateCredentials no longer works for me. Example:
themel@socrates:~$ kinit -f5
Password for themel@CERN.CH:
themel@socrates:~$ grep -A4 lxplus .ssh/config
Host lxplus
ForwardX11 yes
HostName lxplus.cern.ch
GSSAPITrustDns yes
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
Host lxplus*
ForwardX11 yes
GSSAPITrustDns yes
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
themel@socrates:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: themel@CERN.CH
Valid starting Expires Service principal
03/13/10 14:42:39 03/14/10 15:42:38 krbtgt/CERN.CH@CERN.CH
renew until 03/18/10 14:42:38
themel@socrates:~$ ssh lxplus249.cern.ch
[.. banner ..]
/usr/X11R6/bin/xauth: timeout in locking authority file /afs/cern.ch/user/t/themel/.Xauthority
hepix: E: /usr/bin/fs returned error, no tokens?
-bash: /afs/cern.ch/user/t/themel/.bash_profile: Permission denied
[lxplus249] /afs/cern.ch/user/t/themel > klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_32651)
Kerberos 4 ticket cache: /tmp/tkt32651
klist: You have no tickets cached
[lxplus249] /afs/cern.ch/user/t/themel >
On an ancient etch machine (OpenSSH 4.3p2):
themel@eristoteles:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: themel@CERN.CH
Valid starting Expires Service principal
03/13/10 14:49:31 03/14/10 14:49:31 krbtgt/CERN.CH@CERN.CH
Kerberos 4 ticket cache: /tmp/tkt1000
klist: You have no tickets cached
themel@eristoteles:~$ ssh lxplus249.cern.ch
[.. banner ..]
[lxplus249] /afs/cern.ch/user/t/themel > klist
Ticket cache: FILE:/tmp/krb5cc_32651_WIyiRn3073
Default principal: themel@CERN.CH
Valid starting Expires Service principal
03/13/10 14:49:38 03/14/10 14:49:31 krbtgt/CERN.CH@CERN.CH
Kerberos 4 ticket cache: /tmp/tkt32651
klist: You have no tickets cached
[lxplus249] /afs/cern.ch/user/t/themel >
My somewhat unreliable memory is that this broke with the 5.3 upgrade, but I'm
not a 100% sure about it.