To allow kerberized NFSv4 to work on older systems that use “rpc.svcgssd” (e.g. RHEL6), the recommendation is to set “NO_AUTH_DATA_REQUIRED” on the computer account object in Active Directory (AD).
When this attribute is set in AD, interactive password logins via PAM no longer work. Logging in via PAM gives "error in service module" and logs:
“pam_vas: Authentication <failed> for <Active Directory> user: <username> account: <DOMAIN\username> service: <login> reason: <>”
Without "NO_AUTH_DATA_REQUIRED" set, AD returns “Privilege Attribute Certificate” (PAC) data.
PAC data makes the Kerberos response rather large, and “rpc.svcgssd” is unable to handle it.
PAC data can be switched off for particular hosts by setting "NO_AUTH_DATA_REQUIRED" in the computer object's "userAccountControl".
Authentication Services needs the PAC because it also contains group memberships. The PAC is not needed for computer objects, but is needed for all other authentications. Therefore having the PAC available is a fundamental requirement.
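To find which computer objects currently have the flag set (and so will fail PAM password logins as described above), the following added example, which is not vendor code, decodes "userAccountControl" from an LDIF export. It assumes plain unfolded LDIF with sAMAccountName and userAccountControl attributes; the sample entries are constructed, and the bit value 0x2000000 is Microsoft's documented value for NO_AUTH_DATA_REQUIRED rather than something stated on this page.

```python
import re

# userAccountControl bits (Microsoft-documented values, not from this page).
UAC_FLAGS = {
    0x0000002: "ACCOUNTDISABLE",
    0x0001000: "WORKSTATION_TRUST_ACCOUNT",
    0x0002000: "SERVER_TRUST_ACCOUNT",
    0x0080000: "TRUSTED_FOR_DELEGATION",
    0x2000000: "NO_AUTH_DATA_REQUIRED",
}
NO_AUTH_DATA_REQUIRED = 0x2000000

# LDAP filter (bitwise-AND matching rule) that selects the affected hosts in AD.
LDAP_FILTER = ("(&(objectCategory=computer)"
               f"(userAccountControl:1.2.840.113556.1.4.803:={NO_AUTH_DATA_REQUIRED}))")

# Constructed sample: LDIF for two computer objects (names are hypothetical).
SAMPLE_LDIF = """\
dn: CN=NFS01,OU=Servers,DC=example,DC=com
sAMAccountName: NFS01$
userAccountControl: 33558528

dn: CN=APP02,OU=Servers,DC=example,DC=com
sAMAccountName: APP02$
userAccountControl: 4096
"""

def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def parse_ldif(text):
    """Split simple (unfolded, non-base64) LDIF into one dict per entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(": ") for line in block.splitlines())
        entry = {key: val for key, sep, val in pairs if sep}
        if entry:
            entries.append(entry)
    return entries

def hosts_without_pac(text):
    """sAMAccountName of every entry that has NO_AUTH_DATA_REQUIRED set."""
    return [e["sAMAccountName"] for e in parse_ldif(text)
            if int(e.get("userAccountControl", 0)) & NO_AUTH_DATA_REQUIRED]

if __name__ == "__main__":
    print("Search filter:", LDAP_FILTER)
    for e in parse_ldif(SAMPLE_LDIF):
        print(e["sAMAccountName"], decode_uac(int(e["userAccountControl"])))
    print("No PAC issued for:", hosts_without_pac(SAMPLE_LDIF))
```
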