[Samba] Samba4: winbind does not grant kerberos authentication

steve steve at steve-ss.com
Sun Aug 12 01:22:49 MDT 2012


Hi
I have winbind set up and authentication is OK.

samba4 log:
auth_check_password_send: Checking password for unmapped user [ALTEA]\[lynn2]@[HH30]
auth_check_password_send: mapped user is: [ALTEA]\[lynn2]@[HH30]

Linux log:
Aug 12 09:05:00 hh30 su: pam_winbind(su:auth): getting password (0x00000000)
Aug 12 09:05:01 hh30 su: pam_winbind(su:auth): user 'ALTEA\lynn2' granted access
Aug 12 09:05:01 hh30 su: pam_winbind(su:account): user 'ALTEA\lynn2' granted access
Aug 12 09:05:01 hh30 su: (to ALTEA\lynn2) steve on /dev/pts/2

However, the user cannot access his kerberized nfs home directory because he
does not have a ticket. He has to do a kinit before he can access the nfs
share.

Here are the pam settings:
auth     required   pam_env.so
auth     sufficient pam_winbind.so
auth     sufficient pam_unix2.so    use_first_pass
auth     sufficient pam_krb5.so     use_first_pass
auth     required   pam_deny.so

account  sufficient pam_winbind.so
account  requisite  pam_unix2.so
account  required   pam_krb5.so     use_first_pass ignore_unknown_principals
account  required   pam_localuser.so

session  required   pam_winbind.so
session  required   pam_limits.so
session  required   pam_unix2.so
session  optional   pam_krb5.so
session  optional   pam_umask.so
session  optional   pam_systemd.so

in /etc/nsswitch.conf:
passwd: files winbind
group: files winbind

I've tried putting the pam_krb5.so entry before the winbind entry but then
we cannot authenticate because ALTEAlynn2 (not lynn2 nor ALTEA\lynn2) is
passed to Kerberos and of course ALTEAlynn2 is not found in the database.

How do I get winbind authentication and Kerberos authentication at the same
time?
Cheers,
Steve
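As an added illustration (not part of Steve's mail or of Samba), the auth stack exactly as posted, run through a small Python model of Linux-PAM control-flag semantics. Because pam_winbind.so is marked `sufficient` and succeeds, the stack returns before pam_krb5.so is ever invoked, which is why the session has no ticket. The per-module pass/fail values are constructed for the demonstration.

```python
"""Model of Linux-PAM control flags applied to the posted auth stack (added example)."""

# The auth stack as posted, in order. pam_deny.so always fails.
AUTH_STACK = [
    ("required", "pam_env.so"),
    ("sufficient", "pam_winbind.so"),
    ("sufficient", "pam_unix2.so"),
    ("sufficient", "pam_krb5.so"),
    ("required", "pam_deny.so"),
]


def run_stack(stack, results):
    """Walk the stack and return (authenticated, modules_actually_called).

    results maps module name -> True (PAM_SUCCESS) or False (failure);
    a module absent from results is treated as failing.
    Control semantics follow Linux-PAM:
      required  - failure is remembered, later modules still run
      requisite - failure ends the stack immediately
      sufficient- success ends the stack (unless a required module failed)
      optional  - result ignored unless it is the only module
    """
    called = []
    required_failed = False
    for flag, module in stack:
        ok = results.get(module, False)
        called.append(module)
        if flag == "required" and not ok:
            required_failed = True
        elif flag == "requisite" and not ok:
            return False, called
        elif flag == "sufficient" and ok and not required_failed:
            return True, called  # short-circuit: nothing after this runs
    return not required_failed, called


def krb5_module_called(results):
    """True if pam_krb5.so would run (and so could obtain a ticket)."""
    _, called = run_stack(AUTH_STACK, results)
    return "pam_krb5.so" in called


if __name__ == "__main__":
    # Constructed: winbind accepts ALTEA\lynn2, as in the posted su log.
    winbind_ok = {"pam_env.so": True, "pam_winbind.so": True, "pam_krb5.so": True}
    print(run_stack(AUTH_STACK, winbind_ok), krb5_module_called(winbind_ok))
```

The model stops at the control-flag level; pam_winbind's own `krb5_auth` option (see pam_winbind.conf(5)), by which winbind obtains the ticket itself, is not represented here.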
