SCIENTIFIC-LINUX-USERS Archives

February 2006

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From:
Douglas Fuller <[log in to unmask]>
Reply To:
Douglas Fuller <[log in to unmask]>
Date:
Fri, 3 Feb 2006 12:29:00 -0600
Content-Type:
text/plain
Parts/Attachments:
text/plain (128 lines)
I'm also having trouble configuring PAM in an afs/krb5 environment using 
SL4.2.  On Debian, I've used pam_krb5 and libpam-openafs-session for 
credentials cache/token setup, and I'm looking for similar functionality 
(though putting aklog in a startup script would be fine).  Anyhow, I seem to 
be misunderstanding something.

For now, I'm just trying to authenticate and end up with a credentials cache 
on login (I can kinit fine).  What is strange is the pam_krb5 debug output 
given the setup below.  The results are different based on whether the user 
gives an incorrect password on the first attempt.  This seems to indicate 
something else is reading the password, since pam_krb5 does not appear to 
receive it from the first prompt (see notes below).

Even when pam_krb5 does get a TGT, the session module can't find it.  Thus, 
no credentials cache anyway.  Is KRB5CCNAME not being propagated or 
something?

TIA,
--Doug Fuller
--University of North Texas

/etc/ssh/sshd_config:
PasswordAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
UsePrivilegeSeparation no
UsePAM yes

/etc/pam.d/sshd:
auth     required pam_krb5.so debug forwardable
account  required pam_unix.so
password required pam_krb5.so
session  required pam_krb5.so forwardable

Local passwords are disabled.

When I log in, here is the output to /var/log/secure:
sshd[30568]: Accepted keyboard-interactive/pam for from  port 34025 ssh2 # 
<-- Who is this?
sshd[30568]: pam_krb5[30568]: configured realm # <-- same PID.  So is this 
session output from pam_krb5?
sshd[30568]: pam_krb5[30568]: flags: forwardable
sshd[30568]: pam_krb5[30568]: flag: ignore_afs
sshd[30568]: pam_krb5[30568]: flag: user_check
sshd[30568]: pam_krb5[30568]: flag: krb4_convert
sshd[30568]: pam_krb5[30568]: flag: warn
sshd[30568]: pam_krb5[30568]: ticket lifetime: 100000
sshd[30568]: pam_krb5[30568]: renewable lifetime: 100000
sshd[30568]: pam_krb5[30568]: banner: Kerberos 5
sshd[30568]: pam_krb5[30568]: ccache dir: /tmp
sshd[30568]: pam_krb5[30568]: keytab: /etc/krb5.keytab
sshd[30568]: pam_krb5[30568]: no v5 creds for user, skipping session setup
sshd[30568]: pam_krb5[30568]: pam_open_session returning 0 (Success)
sshd[30570]: pam_krb5[30570]: no v5 creds for user, skipping session setup
sshd[30570]: pam_krb5[30570]: configured realm
sshd[30570]: pam_krb5[30570]: flags: forwardable
sshd[30570]: pam_krb5[30570]: flag: ignore_afs
sshd[30570]: pam_krb5[30570]: flag: user_check
sshd[30570]: pam_krb5[30570]: flag: krb4_convert
sshd[30570]: pam_krb5[30570]: flag: warn
sshd[30570]: pam_krb5[30570]: ticket lifetime: 100000
sshd[30570]: pam_krb5[30570]: renewable lifetime: 100000
sshd[30570]: pam_krb5[30570]: banner: Kerberos 5
sshd[30570]: pam_krb5[30570]: ccache dir: /tmp
sshd[30570]: pam_krb5[30570]: keytab: /etc/krb5.keytab
sshd[30570]: pam_krb5[30570]: called to update credentials for
sshd[30570]: pam_krb5[30570]: _pam_krb5_sly_refresh returning 0 (Success)

Here is the output when the user enters his password incorrectly on the 
first attempt:

sshd[30683]: error: PAM: Authentication failure for # <--- Who is this?
sshd[30685]: pam_krb5[30685]: configured realm
sshd[30685]: pam_krb5[30685]: flags: forwardable
sshd[30685]: pam_krb5[30685]: flag: ignore_afs
sshd[30685]: pam_krb5[30685]: flag: user_check
sshd[30685]: pam_krb5[30685]: flag: krb4_convert
sshd[30685]: pam_krb5[30685]: flag: warn
sshd[30685]: pam_krb5[30685]: ticket lifetime: 100000
sshd[30685]: pam_krb5[30685]: renewable lifetime: 100000
sshd[30685]: pam_krb5[30685]: banner: Kerberos 5
sshd[30685]: pam_krb5[30685]: ccache dir: /tmp
sshd[30685]: pam_krb5[30685]: keytab: /etc/krb5.keytab
sshd[30685]: pam_krb5[30685]: called to authenticate
sshd[30685]: pam_krb5[30685]: authenticating # <-- second password prompt 
here
sshd[30685]: pam_krb5[30685]: saving newly-entered password for use by other 
modules
sshd[30685]: pam_krb5[30685]: trying newly-entered password for
sshd[30685]: pam_krb5[30685]: authenticating to 'krbtgt'
sshd[30685]: pam_krb5[30685]: krb5_get_init_creds_password(krbtgt) returned 
0 (Success)
sshd[30685]: pam_krb5[30685]: got result 0 (Success)
sshd[30685]: pam_krb5[30685]: obtaining v4-compatible key
sshd[30685]: pam_krb5[30685]: obtained des-cbc-crc v5 creds
sshd[30685]: pam_krb5[30685]: converting v5 creds to v4 creds (etype = 1)
sshd[30685]: pam_krb5[30685]: conversion succeeded
sshd[30685]: pam_krb5[30685]: authentication succeeds  for
sshd[30685]: pam_krb5[30685]: pam_authenticate returning 0 (Success)
sshd[30683]: Accepted keyboard-interactive/pam port 34049 ssh2
sshd[30683]: pam_krb5[30683]: configured realm
sshd[30683]: pam_krb5[30683]: flags: forwardable
sshd[30683]: pam_krb5[30683]: flag: ignore_afs
sshd[30683]: pam_krb5[30683]: flag: user_check
sshd[30683]: pam_krb5[30683]: flag: krb4_convert
sshd[30683]: pam_krb5[30683]: flag: warn
sshd[30683]: pam_krb5[30683]: ticket lifetime: 100000
sshd[30683]: pam_krb5[30683]: renewable lifetime: 100000
sshd[30683]: pam_krb5[30683]: banner: Kerberos 5
sshd[30683]: pam_krb5[30683]: ccache dir: /tmp
sshd[30683]: pam_krb5[30683]: keytab: /etc/krb5.keytab
sshd[30683]: pam_krb5[30683]: no v5 creds for user, skipping session setup
sshd[30683]: pam_krb5[30683]: pam_open_session returning 0 (Success)
sshd[30686]: pam_krb5[30686]: no v5 creds for user, skipping session setup
sshd[30686]: pam_krb5[30686]: configured realm
sshd[30686]: pam_krb5[30686]: flags: forwardable
sshd[30686]: pam_krb5[30686]: flag: ignore_afs
sshd[30686]: pam_krb5[30686]: flag: user_check
sshd[30686]: pam_krb5[30686]: flag: krb4_convert
sshd[30686]: pam_krb5[30686]: flag: warn
sshd[30686]: pam_krb5[30686]: ticket lifetime: 100000
sshd[30686]: pam_krb5[30686]: renewable lifetime: 100000
sshd[30686]: pam_krb5[30686]: banner: Kerberos 5
sshd[30686]: pam_krb5[30686]: ccache dir: /tmp
sshd[30686]: pam_krb5[30686]: keytab: /etc/krb5.keytab
sshd[30686]: pam_krb5[30686]: called to update credentials for
sshd[30686]: pam_krb5[30686]: _pam_krb5_sly_refresh returning 0 (Success)

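A small helper for reading logs like the one above, added here as an example and not part of the post: it groups the pam_krb5 debug lines by sshd PID and reports which PAM entry point each process ran, so the "who is this?" and "same PID?" questions can be answered mechanically. The sample lines are a trimmed subset copied from the /var/log/secure excerpt in the post; the phase labels (auth, session, setcred, no-ccache) are this example's own names, not pam_krb5 terminology.

```python
import re
from collections import OrderedDict

# Constructed sample: a trimmed subset of the /var/log/secure lines quoted
# in the post, keeping only the lines that mark a PAM phase or sshd event.
SAMPLE_LOG = """\
sshd[30683]: error: PAM: Authentication failure for
sshd[30685]: pam_krb5[30685]: called to authenticate
sshd[30685]: pam_krb5[30685]: authenticating
sshd[30685]: pam_krb5[30685]: krb5_get_init_creds_password(krbtgt) returned 0 (Success)
sshd[30685]: pam_krb5[30685]: pam_authenticate returning 0 (Success)
sshd[30683]: Accepted keyboard-interactive/pam port 34049 ssh2
sshd[30683]: pam_krb5[30683]: ccache dir: /tmp
sshd[30683]: pam_krb5[30683]: no v5 creds for user, skipping session setup
sshd[30683]: pam_krb5[30683]: pam_open_session returning 0 (Success)
sshd[30686]: pam_krb5[30686]: no v5 creds for user, skipping session setup
sshd[30686]: pam_krb5[30686]: called to update credentials for
sshd[30686]: pam_krb5[30686]: _pam_krb5_sly_refresh returning 0 (Success)
"""

# syslog body after the host/timestamp prefix has been stripped
LINE_RE = re.compile(r'^sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$')

# Substrings of pam_krb5's debug output (and two sshd messages) that identify
# which PAM entry point a line belongs to.  Labels are this example's own.
PHASE_MARKERS = (
    ("called to authenticate", "auth"),
    ("pam_authenticate returning", "auth-result"),
    ("pam_open_session returning", "session"),
    ("called to update credentials", "setcred"),
    ("Accepted keyboard-interactive/pam", "sshd-accept"),
    ("error: PAM: Authentication failure", "sshd-authfail"),
    ("no v5 creds for user", "no-ccache"),
)


def classify(msg):
    """Return the phase label for one log message, or None if it is noise."""
    for marker, label in PHASE_MARKERS:
        if marker in msg:
            return label
    return None


def phases_by_pid(log_text):
    """Map each sshd PID to the ordered list of phase labels it logged."""
    result = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        label = classify(m.group("msg"))
        if label is None:
            continue
        result.setdefault(m.group("pid"), []).append(label)
    return result


def pids_for_phase(by_pid, phase):
    """PIDs that logged the given phase, in order of first appearance."""
    return [pid for pid, labels in by_pid.items() if phase in labels]


def ccache_split(by_pid):
    """
    Compare the process that completed pam_authenticate with the processes
    that ran the session and setcred stages.  When they differ ("split"),
    the session module is looking for credentials in a different process
    from the one in which pam_krb5 obtained the TGT; that is the first
    thing to check when "no v5 creds for user" appears.
    """
    auth_pids = set(pids_for_phase(by_pid, "auth-result"))
    later_pids = set(pids_for_phase(by_pid, "session")) | set(
        pids_for_phase(by_pid, "setcred"))
    return {
        "auth_pids": sorted(auth_pids),
        "session_pids": sorted(later_pids),
        "split": bool(auth_pids) and not (auth_pids & later_pids),
        "no_ccache_pids": sorted(set(pids_for_phase(by_pid, "no-ccache"))),
    }


if __name__ == "__main__":
    grouped = phases_by_pid(SAMPLE_LOG)
    for pid, labels in grouped.items():
        print(pid, "->", ", ".join(labels))
    print(ccache_split(grouped))
```

Run against the posted excerpt, the TGT is obtained in PID 30685 while the session open and credential refresh run in 30683 and 30686, and it is exactly those two PIDs that log "no v5 creds for user". On a real host, feed it `grep 'sshd\[' /var/log/secure` with the syslog prefix cut off, and extend PHASE_MARKERS if your pam_krb5 build prints different debug strings.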