Kerberos depends on names it can map to realms through one of many mechanisms. When you use localhost, Kerberos gets lost.

SSH will reject a GSSAPI login if the hosts file is wrong or incomplete; mostly, make sure the hostname is listed correctly. Try turning on debugging with "LogLevel DEBUG"; if you see this message, it's a sign of this problem:

debug1:  No credentials were supplied, or the credentials were unavailable or inaccessible.

Samba tools will also use Kerberos tickets as long as this is not a problem.

I was reminded of this when I used samba-tool on the DC, specified localhost instead of the hostname, and had to authenticate instead of the valid ticket being used.
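A hosts-file check for the problem described above, as an added example that is not part of the original post. The two conditions it flags (the hostname mapped to a loopback address, and a short name listed before the FQDN) are assumptions about what "listed correctly" usually means for Kerberos; the host name dc1.example.test and the address 192.0.2.10 are constructed sample values.

```python
import ipaddress

def parse_hosts(text):
    """Return [(address, [names])] from hosts-file text, skipping comments."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address, ignore the line
        entries.append((addr, [n.lower() for n in fields[1:]]))
    return entries

def check_hosts_for_kerberos(text, hostname):
    """Return findings for `hostname`; an empty list means nothing was flagged.

    Assumed checks (not taken from the post): the host must be listed, must
    not sit on a loopback address, and its line must start with the FQDN,
    because the first name is what the resolver returns as canonical.
    """
    short = hostname.lower().split(".")[0]
    matches = [(a, names) for a, names in parse_hosts(text)
               if any(n.split(".")[0] == short for n in names)]
    if not matches:
        return [f"{short}: not listed in hosts file"]
    findings = []
    for addr, names in matches:
        if addr.is_loopback:
            findings.append(f"{short}: mapped to loopback address {addr}")
        if "." not in names[0]:
            findings.append(f"{short}: first name on the {addr} line is "
                            f"'{names[0]}', not an FQDN")
    return findings

# Constructed sample input, not taken from a real system.
BAD_HOSTS = "127.0.0.1 localhost\n127.0.1.1 dc1   # installer default\n"
GOOD_HOSTS = "127.0.0.1 localhost\n192.0.2.10 dc1.example.test dc1\n"

if __name__ == "__main__":
    for label, text in (("bad", BAD_HOSTS), ("good", GOOD_HOSTS)):
        print(label, check_hosts_for_kerberos(text, "dc1") or "no findings")
```

To check a real machine, pass the contents of /etc/hosts and the output of `hostname` to `check_hosts_for_kerberos`.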

As an aside, samba-tool has a -k KERBEROS or --kerberos KERBEROS option, but neglects to indicate what the valid values for KERBEROS are. Here they are:

  • true
  • false
  • yes
  • no
  • auto (the default)

If Kerberos is not working, it's not this option.