pam_krb5 does not get credentials when using ssh
Andrew Bovill
abovill at gmail.com
Wed Nov 8 01:06:34 EST 2006
pam_krb5 gives credentials (using a 'random' cache) just fine when logging
in on the local machine. However, if I log in over ssh, it does not get
the krb5 tickets, though it authenticates off kerberos just fine. I am
appending my pam config for system authentication:
#%PAM-1.0
auth required pam_env.so
#auth sufficient pam_krb5.so forwardable debug
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_krb5.so try_first_pass forwardable debug
auth required pam_deny.so
account sufficient pam_krb5.so debug
account required pam_unix.so
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password sufficient pam_krb5.so use_authtok debug
password sufficient pam_unix.so nullok md5 shadow use_authtok
password required pam_deny.so
session required pam_limits.so
session optional pam_krb5.so debug
session required pam_unix.so
When I connect over ssh, this is what gets spit out over
/var/log/auth.log:
Nov 8 01:02:14 bloo sshd(pam_unix)[22884]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mason.gmu.edu user=andy
Nov 8 01:02:14 bloo sshd[22884]: pam_krb5: authentication succeeds for `andy'
Nov 8 01:02:14 bloo sshd[22884]: pam_krb5: pam_sm_authenticate returning 0 (Success)
Nov 8 01:02:14 bloo sshd[22880]: Accepted keyboard-interactive/pam for andy from 129.174.1.13 port 44164 ssh2
Nov 8 01:02:14 bloo sshd(pam_unix)[22885]: session opened for user andy by andy(uid=0)
It says nothing from session pam_krb5.
If I change pam_krb5 (in session) from optional to required, the login
fails altogether over ssh.
Thanks for the help!
--Andrew