PAM configuration with Kerberos authentication but without need of local accounts

3 votes
2 answers
5703 views
I have a working Kerberos authentication tested with kinit on Debian Buster. Now I try to use it with [PAM for login with Kerberos](https://wiki.debian.org/LDAP/Kerberos#PAM) and installed libpam-krb5 and configured it with pam-auth-update. But the documentation in /usr/share/doc/libpam-krb5/README.Debian.gz notes:

> This configuration will still require that users be listed in /etc/shadow, since otherwise the pam_unix account module will fail. Normally, accounts that should only use Kerberos authentication should be created with adduser --disabled-password. If you don't want the accounts to be listed in /etc/shadow at all (if, for example, you're using some other source than files for your nsswitch configuration), you can mark the pam_krb5 account module as sufficient rather than required so that pam_unix isn't run. This will mean that you won't be able to disable accounts locally.

I don't want the accounts to be listed locally in /etc/shadow again in addition to the Kerberos database because it is redundant work for me. I tried a login with the default setup and get this failure:

```
Debian GNU/Linux 10 deb10-base ttyS0

deb10-base login: ingo
Password:

Authentication failure
```

In journalctl I find this:

```
Oct 06 15:33:08 deb10-base login: pam_krb5(login:auth): user ingo authenticated as ingo@EXAMPLE.COM
Oct 06 15:33:08 deb10-base login: pam_unix(login:account): could not identify user (from getpwnam(ingo))
Oct 06 15:33:08 deb10-base login: Authentication failure
```

That is exactly what is expected from the quoted documentation above. But I don't understand from the comment where and what to modify in the PAM configuration files. The current configuration files do not match the documentation. What entry in what PAM configuration file do I have to modify from **required** to **sufficient**? Are there maybe other things to do? If possible I would like to preserve the pam-auth-update config sections.

**Update:** Forgot to mention that I started pam-auth-update and checked the options:

```
[*] Kerberos authentication
[*] Unix authentication
[*] Create home directory on login
```

I tried to uncheck "*Unix authentication*" but that makes the login unusable. I wasn't able to log in again, not even as root. I had to recover from a snapshot.
Asked by Ingo (726 rep)
Oct 6, 2019, 03:50 PM
Last activity: Feb 27, 2025, 11:06 PM
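The README passage quoted in the question relies on PAM's control-flag semantics: a `required` module that fails lets the rest of the stack run but dooms the final result, while a `sufficient` module that succeeds ends the stack early, so later modules such as pam_unix are never consulted. The following Python simulator is an added example and is not code from the question, from libpam-krb5 or from Debian. It plays that control flow through two constructed account stacks and two constructed users; the stack lines, the stubbed module return codes and the user descriptions are all constructed for illustration, it handles only the keyword controls (required, requisite, sufficient, optional) and not the bracketed `[success=N ...]` form that pam-auth-update writes into the /etc/pam.d/common-* files, and it never reads real PAM configuration, /etc/shadow or a KDC.

```python
"""Simulate how PAM walks an *account* stack under the classic control
keywords (required, requisite, sufficient, optional) from pam.conf(5).

Constructed example: module results are stubbed; nothing here reads real
PAM configuration, /etc/shadow or a Kerberos KDC.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Return codes as the account phase of pam_unix / pam_krb5 would report them.
PAM_SUCCESS = "PAM_SUCCESS"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"   # getpwnam() found nothing for the user
PAM_ACCT_EXPIRED = "PAM_ACCT_EXPIRED"   # locally disabled / expired account

CONTROLS = ("required", "requisite", "sufficient", "optional")


@dataclass
class Rule:
    control: str
    module: str


def parse_stack(text: str) -> List[Rule]:
    """Parse 'account <control> <module> [args...]' lines, skipping comments."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0] != "account":
            raise ValueError(f"unsupported line: {raw!r}")
        if fields[1] not in CONTROLS:
            # Bracketed controls such as [success=1 default=ignore] are out of scope.
            raise ValueError(f"unsupported control: {fields[1]!r}")
        rules.append(Rule(control=fields[1], module=fields[2]))
    return rules


def run_account_stack(rules: List[Rule], results: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return (final result, modules that were actually invoked).

    results maps module name -> stubbed return code for the user under test;
    modules absent from the map are treated as succeeding.
    """
    ran: List[str] = []
    first_failure = None  # remembered failure from a 'required' module
    for rule in rules:
        rc = results.get(rule.module, PAM_SUCCESS)
        ran.append(rule.module)
        ok = rc == PAM_SUCCESS
        if rule.control == "requisite" and not ok:
            return rc, ran                 # abort the stack immediately
        if rule.control == "required" and not ok and first_failure is None:
            first_failure = rc             # keep going, but the stack is doomed
        if rule.control == "sufficient" and ok and first_failure is None:
            return PAM_SUCCESS, ran        # stop here; later modules never run
        # a failing 'sufficient' and any 'optional' result are ignored
    return (first_failure or PAM_SUCCESS), ran


def evaluate(stack_text: str, results: Dict[str, str]) -> Tuple[str, List[str]]:
    return run_account_stack(parse_stack(stack_text), results)


# Constructed stacks echoing the README's wording; not copied from /etc/pam.d.
DEFAULT_STACK = """
account required   pam_krb5.so minimum_uid=1000
account required   pam_unix.so
"""
SUFFICIENT_STACK = """
account sufficient pam_krb5.so minimum_uid=1000
account required   pam_unix.so
"""

# Constructed users: one exists only in the KDC, one exists locally but is disabled.
KERBEROS_ONLY_USER = {"pam_krb5.so": PAM_SUCCESS, "pam_unix.so": PAM_USER_UNKNOWN}
LOCALLY_DISABLED_USER = {"pam_krb5.so": PAM_SUCCESS, "pam_unix.so": PAM_ACCT_EXPIRED}


if __name__ == "__main__":
    for name, stack in (("required", DEFAULT_STACK), ("sufficient", SUFFICIENT_STACK)):
        for user, res in (("kerberos-only", KERBEROS_ONLY_USER),
                          ("locally-disabled", LOCALLY_DISABLED_USER)):
            rc, ran = evaluate(stack, res)
            print(f"pam_krb5 {name:10s} {user:16s} -> {rc:17s} ran={ran}")
```

The first scenario reproduces the failure in the question: with both modules `required`, pam_unix runs, cannot resolve the user and the stack fails even though pam_krb5 succeeded; with pam_krb5 `sufficient`, pam_unix is never reached. The second scenario is the trade-off the README warns about: a user whose local account pam_unix would report as expired or locked passes the `sufficient` stack anyway, because the local check is skipped. Note also that `could not identify user (from getpwnam(ingo))` is an NSS lookup failure rather than a PAM policy decision; the PAM change only removes the pam_unix account check, and the user still has to be resolvable through some nsswitch source for login to obtain a uid, home directory and shell.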