Why can’t I use Kerberos TGT forwarding when SSH’ing from a remote network?

A few possibilities:

  • Clock skew. Make sure ntp is installed.
  • OpenSSH versions differ too greatly; install the same version on both ends.
  • You do not have both ‘GSSAPIAuthentication yes’ and ‘GSSAPIDelegateCredentials yes’ on the client ssh_config
  • The server does not have a /etc/krb5.keytab containing the key for host/server.fqdn.com
  • The server does not have ‘GSSAPIAuthentication yes’ and ‘GSSAPIKeyExchange yes’ in sshd_config
  • The client has a different reverse-DNS idea of the server’s fully-qualified domain name than the server does. This is very common if the server is using a private DNS server but the client is using a public one. In this case, the client needs a ticket for host/server.domain.com but, because of the reverse DNS lookup, requests one for host/ipaddr.isp.net instead. Either both server and client need to use the same name server, or the client needs to add the server to its hosts file.
  • The server has an incorrect ordering on the 127.0.0.1 line in the hosts file. It should be 127.0.0.1 followed by FQDN followed by hostname followed by localhost.
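As an added example (not part of the original post), a small POSIX shell script that checks the ssh_config, sshd_config, keytab, name-resolution and hosts-file items above against files, so it can be pointed at the real files or at samples. The sample files, the realm EXAMPLE.COM and the address 192.0.2.10 are constructed placeholders; server.fqdn.com and ipaddr.isp.net are the names used in the post.

```shell
#!/bin/sh
# Offline checks for the settings listed above (added example, not from the post).
# Each function takes a file path: the real /etc/ssh/ssh_config, /etc/ssh/sshd_config,
# /etc/hosts, saved output of `klist -k /etc/krb5.keytab`, or a sample. Exit 0 = pass.

# Every "Key yes" directive named in the arguments must appear uncommented.
# Presence check only; it does not model ssh_config's first-match-wins Host blocks.
has_directives() {
    file=$1; shift
    for key in "$@"; do
        grep -Eiq "^[[:space:]]*${key}[[:space:]]+yes([[:space:]]|$)" "$file" || return 1
    done
    return 0
}
# Client ssh_config: GSSAPI authentication and credential delegation both on.
check_client_gssapi() { has_directives "$1" GSSAPIAuthentication GSSAPIDelegateCredentials; }
# Server sshd_config: GSSAPI authentication and GSSAPI key exchange both on.
check_server_gssapi() { has_directives "$1" GSSAPIAuthentication GSSAPIKeyExchange; }
# Server keytab: `klist -k` output must list a host/<fqdn>@<REALM> entry.
keytab_has_host_principal() { grep -Eq "[[:space:]]host/$2@" "$1"; }

# Name the client maps an address to (from a hosts file here; reverse DNS on a
# live client). It must equal the keytab FQDN, or the client asks the KDC for
# a host/ principal that does not exist.
hosts_name_for_ip() { awk -v ip="$2" '$1 == ip { print $2; exit }' "$1"; }

# Server /etc/hosts loopback line must read "127.0.0.1 FQDN hostname localhost".
check_loopback_order() {
    awk -v fqdn="$2" -v host="$3" '
        $1 == "127.0.0.1" { ok = ($2 == fqdn && $3 == host && $4 == "localhost") }
        END { exit (ok ? 0 : 1) }' "$1"
}

# Demo on constructed samples; the hosts entry reproduces the mismatch from the post.
demo() {
    d=$(mktemp -d)
    printf 'Host *\n    GSSAPIAuthentication yes\n    GSSAPIDelegateCredentials yes\n' > "$d/ssh_config"
    printf 'KVNO Principal\n   2 host/server.fqdn.com@EXAMPLE.COM\n' > "$d/klist.out"
    printf '127.0.0.1 server.fqdn.com server localhost\n192.0.2.10 ipaddr.isp.net\n' > "$d/hosts"
    check_client_gssapi "$d/ssh_config" && echo "client ssh_config: ok"
    keytab_has_host_principal "$d/klist.out" server.fqdn.com && echo "keytab: ok"
    check_loopback_order "$d/hosts" server.fqdn.com server && echo "loopback line: ok"
    n=$(hosts_name_for_ip "$d/hosts" 192.0.2.10)
    [ "$n" = server.fqdn.com ] || echo "name mismatch: client resolves $n, keytab has server.fqdn.com"
    rm -rf "$d"
}
demo
```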
