I have a working Kerberos authentication tested with `kinit` on Debian Buster. Now I try to use it with [PAM for login with Kerberos](https://wiki.debian.org/LDAP/Kerberos#PAM) and installed `libpam-krb5` and configured it with `pam-auth-update`. But the documentation in `/usr/share/doc/libpam-krb5/README.Debian.gz` noted:

>This configuration will still require that users be listed in /etc/shadow,
since otherwise the pam_unix account module will fail. Normally, accounts
that should only use Kerberos authentication should be created with
adduser --disabled-password. If you don't want the accounts to be listed
in /etc/shadow at all (if, for example, you're using some other source
than files for your nsswitch configuration), you can mark the pam_krb5
account module as sufficient rather than required so that pam_unix isn't
run. This will mean that you won't be able to disable accounts locally.

I don't want the accounts to be listed locally in `/etc/shadow` again in addition to the Kerberos Database because it is redundant work for me. I tried a login with the default setup and get this failure:

    Debian GNU/Linux 10 deb10-base ttyS0

    deb10-base login: ingo
    Password: 

    Authentication failure

In `journalctl` I find this:

    Oct 06 15:33:08 deb10-base login[374]: pam_krb5(login:auth): user ingo authenticated as [email protected]
    Oct 06 15:33:08 deb10-base login[374]: pam_unix(login:account): could not identify user (from getpwnam(ingo))
    Oct 06 15:33:08 deb10-base login[374]: Authentication failure


That is exactly what is expected from the documentation quoted above. But I don't understand from the comment where and what to modify in the PAM configuration files. The current configuration files do not match the documentation.

What entry in what PAM configuration file do I have to modify from **required** to **sufficient**? Are there maybe other things to do? If possible I would like to preserve the pam-auth-update config sections.

**Update:** 
Forgot to mention that I started `pam-auth-update` and checked the options:

    [*] Kerberos authentication
    [*] Unix authentication
    [*] Create home directory on login

I tried to uncheck "*Unix authentication*" but that makes the login unusable. I wasn't able to log in again, not even as root. I had to recover from a snapshot.
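
Added example, not part of the original question: a small Python triage of journal lines like the ones in the post, separating the PAM phase that accepted the password from the phase that rejected the login. The sample lines are constructed from the post's output with a placeholder principal, and the name `triage` and the finding labels are this example's own.

```python
import re

# Constructed sample modelled on the journal lines in the question; the
# Kerberos principal ingo@EXAMPLE.ORG is a placeholder.
SAMPLE = """\
Oct 06 15:33:08 deb10-base login[374]: pam_krb5(login:auth): user ingo authenticated as ingo@EXAMPLE.ORG
Oct 06 15:33:08 deb10-base login[374]: pam_unix(login:account): could not identify user (from getpwnam(ingo))
Oct 06 15:33:08 deb10-base login[374]: Authentication failure
"""

# PAM modules prefix their syslog messages with "<module>(<service>:<phase>): ".
PAM_LINE = re.compile(
    r"(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: "
    r"(?P<module>pam_\w+)\((?P<service>[\w.-]+):(?P<phase>\w+)\): (?P<msg>.*)$"
)
AUTH_OK = re.compile(r"user (\S+) authenticated as (\S+)")
NSS_MISS = re.compile(r"could not identify user \(from getpwnam\((.+?)\)\)")


def triage(journal_text):
    """Return one finding per account-phase failure, linked to a prior auth success."""
    authenticated = {}  # (process, pid, user) -> module that accepted the password
    findings = []
    for line in journal_text.splitlines():
        m = PAM_LINE.search(line)
        if not m:
            continue  # e.g. the bare "Authentication failure" summary line
        key = (m["proc"], m["pid"])
        ok = AUTH_OK.search(m["msg"])
        miss = NSS_MISS.search(m["msg"])
        if m["phase"] == "auth" and ok:
            authenticated[key + (ok.group(1),)] = m["module"]
        elif m["phase"] == "account" and miss:
            user = miss.group(1)
            findings.append({
                "service": m["service"],
                "user": user,
                "authenticated_by": authenticated.get(key + (user,)),
                "failed_module": m["module"],
                "failed_phase": m["phase"],
                # getpwnam() failed: the name does not resolve through NSS passwd
                "cause": "nss_lookup_failed",
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

On the sample, the finding shows `pam_krb5` accepting the password in the `auth` phase and `pam_unix` rejecting the login in the `account` phase because the name lookup failed.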