
When setting up sshd with Kerberos on Ubuntu, one needs to "make sure that each user has a valid account, either on the local host (via adduser or similar), or through a shared source such as LDAP".

Why is that?

I can see if you use the GSSAPIAuthentication option or KerberosAuthentication, you've validated the user against a KDC.

Is this simply a matter of needing to map the username to a userid?

jouell

2 Answers


I can see if you use the GSSAPIAuthentication option or KerberosAuthentication, you've validated the user against a KDC

The KDC validates the principal, not the user account. (A principal can be created for a user, a service, etc.; to the KDC it's all principals, and it verifies the identity of the same.)

Linux requires a username and its corresponding uid & gid (and a few optional attributes) to consider it a valid user account. The KDC has no idea about / can't provide these details, hence the user details must be made available to the OS via NSS. Depending on the configuration, it can fetch the user details from files [local user], LDAP or some other source.

Once the OS knows it's a valid user account (getent passwd user_name), you may use any available authentication mechanism (local passwd, LDAP auth, Kerberos etc.) to validate the user account.

For Kerberos auth: the system maps the principal (abc@REALM) to user 'abc' by stripping the REALM portion (by default) and grants access if Kerberos validation is successful for principal abc@REALM.

Najmuddin

Kerberos authentication tokens do not give security context, such as group permissions (which LDAP provides), only whether the credential was valid.

Jacob Evans
  • Thanks - can you expand on 'tokens do not give security context' a bit? Why would I need group perms to login to a box that does not care about groups? – jouell Nov 20 '17 at 05:35
  • You care about groups, just one group being a domain user. Authentication tokens without context have no properties or purpose – Jacob Evans Nov 20 '17 at 11:32
  • Personally, I don't care per se. I am seeking to find out why the server cares. You spoke much about groups. I don't see a connection between login and groups, especially if there are no restrictions at login for groups. One reason I see is being able to map the username to an id for the sake of allowing/denying permissions to files. – jouell Nov 21 '17 at 15:24