I believe the MIT behavior is correct. You need a way of saying that, for a particular local account, the default Kerberos realm's principal by that name is not allowed to log in. Otherwise it is problematic to have machines where the local authorization policy does not map well to the Kerberos realm's account policy.

--Sam