Comment 4 for bug 275169

Or you could just put your own config for krb5 in place such as I did:

$ cat /usr/share/pam-configs/krb5
Name: Kerberos Authentication
Default: yes
Priority: 300
Auth-Type: Primary
Auth-Initial:
 [success=end default=ignore] pam_krb5.so
Auth-Final:
 [success=end default=ignore] pam_krb5.so use_first_pass
Account-Type: Primary
Account-Final:
 [success=end default=ignore] pam_krb5.so
Password-Type: Primary
Password-Initial:
 [success=end user_unknown=ignore default=die] pam_krb5.so
Password-Final:
 [success=end user_unknown=ignore default=die] pam_krb5.so use_authtok try_first_pass
Session-Type: Additional
Session-Final:
 optional pam_krb5.so

No guarantees to how correct it is, but it seems to work here.