Additional info: Local login works using pam_unix... Even if I put pam_unix to be optional (ie all passwords are accepted) it works - except if I put in the right password from the AD. So its something with the kerberos process in pam_krb5... j-