I can see if you use the `GSSAPIAuthentication` option or `KerberosAuthentication`, you've validated the user against a KDC.

KDC validates the *principal*, not the user account. (A principal can be created for a user, service etc.; for the KDC, it's all principals and it verifies the identity of the same.)

Linux requires a username and its corresponding uid & gid (and a few optional attributes) to consider it a valid user account. The KDC has no idea of / can't provide these details, hence the user details must be made available to the OS via NSS. Depending on the configuration, it can fetch the user details from `files` [local user], `ldap` or some other source.

Once the OS knows it's a valid user account (`getent passwd user_name`), then you may use any available authentication mechanism (local passwd, ldap auth, kerberos etc.) to validate the user account.

For kerberos auth: the system maps the principal (`abc@REALM`) to user `abc` by stripping the `REALM` portion (by default) and grants access if kerberos validation is successful for principal `abc@REALM`.
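The two separate steps the answer describes, as an added shell example (not code from the original answer): mapping a principal to a local account name by stripping the `@REALM` suffix, then asking NSS via `getent passwd` whether the OS actually knows that account. The realm-stripping here is a literal reproduction of the default behaviour described above; a real sshd uses the Kerberos library's own principal-to-local mapping rules, so treat `principal_to_user` as an illustration rather than that implementation. The principal names used are constructed.

```shell
#!/bin/sh
# Added example: shows why a KDC-validated principal is still not enough
# for a login - the OS must separately find the account through NSS.

# Map a principal to a local account name by removing the "@REALM" suffix
# (the default mapping the answer describes): "abc@EXAMPLE.COM" -> "abc".
# A name without "@" is returned unchanged.
principal_to_user() {
    printf '%s\n' "${1%@*}"
}

# Ask NSS (files, ldap, ... as configured in nsswitch.conf) whether the
# account exists. Returns 0 if getent finds it, non-zero otherwise.
nss_knows_user() {
    getent passwd "$1" >/dev/null 2>&1
}

# Combined check: succeed only when the mapped user is known to NSS.
# Even if the KDC has issued a ticket for the principal, a missing NSS
# entry means the OS has no uid/gid for it and cannot log it in.
check_principal() {
    _user=$(principal_to_user "$1")
    if nss_knows_user "$_user"; then
        echo "principal $1 -> user $_user: known to NSS"
        return 0
    fi
    echo "principal $1 -> user $_user: NOT known to NSS (no uid/gid, login impossible)"
    return 1
}

# Usage (constructed principal names):
check_principal 'root@EXAMPLE.COM'
check_principal 'nosuchuser_zz@EXAMPLE.COM' || true
```

Running the script on a typical system prints one "known to NSS" line for `root` and one "NOT known" line for the constructed user; swapping `files` for `ldap` in `nsswitch.conf` changes where `getent` looks, but not what sshd needs from it.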