The Kerberos service provides a default mapping of GSS credential names to UNIX user IDs (UIDs) for GSS applications that require this mapping, such as NFS. GSS credential names are equivalent to Kerberos principal names when using the Kerberos service. Also, UNIX users who do not have valid user accounts in the default Kerberos realm can be automatically migrated by using the PAM framework.
Specifically, you add the pam_krb5_migrate.so module to the authentication stack of the PAM service. Services are then configured so that whenever a user who does not have a Kerberos principal performs a successful password login to a system, a Kerberos principal is automatically created for that user. The new principal password is then the same as the UNIX password. For instructions about using the pam_krb5_migrate.so module, see How to Configure Automatic Migration of Users in a Kerberos Realm.
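Because a successful password login through a migrating service creates a principal whose password is the UNIX password, it is worth knowing exactly which services carry the module. The following audit script is an added example, not part of the original documentation; it assumes the legacy pam.conf field layout (service, module type, control flag, module path, options), and the sample configuration, function names and service entries are constructed for illustration.

```python
"""List services whose auth stack includes pam_krb5_migrate (added example)."""

# Constructed sample in the assumed pam.conf layout:
#   service  module_type  control_flag  module_path  [options]
# Services, control flags and module order are illustrative only.
SAMPLE_PAM_CONF = """\
# constructed sample, not taken from a real system
login   auth     requisite   pam_authtok_get.so.1
login   auth     sufficient  pam_krb5.so.1
login   auth     required    pam_unix_auth.so.1
login   auth     optional    pam_krb5_migrate.so.1
other   auth     required    pam_unix_auth.so.1
other   account  required    pam_krb5_migrate.so.1
#cron   auth     optional    pam_krb5_migrate.so.1
"""

MIGRATE_MODULE = "pam_krb5_migrate.so"


def parse_entries(text):
    """Yield (lineno, service, module_type, control, module, options)."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        fields = line.split()
        if len(fields) < 4:
            continue  # blank, comment-only or malformed line
        service, mtype, control, module = fields[:4]
        yield lineno, service, mtype.lower(), control, module, fields[4:]


def find_migrating_services(text):
    """Return auth-stack entries that load the migration module."""
    findings = []
    for lineno, service, mtype, control, module, _opts in parse_entries(text):
        basename = module.rsplit("/", 1)[-1]  # tolerate absolute paths
        # Only the auth stack matters: that is where the page says the
        # module is added, so other module types are ignored.
        if mtype == "auth" and basename.startswith(MIGRATE_MODULE):
            findings.append({"line": lineno, "service": service,
                             "control": control, "module": basename})
    return findings


if __name__ == "__main__":
    for f in find_migrating_services(SAMPLE_PAM_CONF):
        print(f"line {f['line']}: service '{f['service']}' creates principals "
              f"on login ({f['control']} {f['module']})")
```

Run it against a copy of the real PAM configuration and compare the reported services with the ones intended to migrate users.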