Comment 12 for bug 1336663

Russ Allbery (rra-debian) wrote:

Yes, if KRB5CCNAME were set in the environment of the screen saver, it would fix this problem.

To be clear, this isn't a bug in libpam-krb5, but in the means by which the screen saver is launched without the user's environment set properly (which should be created via the pam_setcred and pam_open_session steps of the PAM call sequence, and the new user environment generated by PAM). Without KRB5CCNAME, there's no way for the PAM module to find the user's ticket cache to renew it on subsequent unlocks; somehow, it does need that information conveyed to it.

You can work around this by using a predictable ticket cache name that embeds only the user's UID and setting that as the default ticket cache (in various ways -- PAM configuration, Kerberos configuration, etc.). But this isn't a general solution that can be adapted by the package because it means every user session for the same user uses the same Kerberos ticket cache, which means that, say, logging on to the system via ssh and then logging out will delete the ticket cache underneath the local console login.
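The UID-only ticket cache workaround described in the comment above, written out as configuration. This is an added illustration, not part of the bug thread or of the libpam-krb5 package; it assumes the `ccache=` pattern option of pam-krb5 (where `%u` expands to the numeric UID) and the MIT Kerberos `default_ccache_name` setting (where `%{uid}` expands to the numeric UID), with the PAM stack file path being a typical Debian/Ubuntu layout.

```ini
; --- Option 1: PAM side (e.g. /etc/pam.d/common-auth) ---
; pam-krb5 creates the cache from a fixed pattern containing only the UID,
; so every session of the same user shares one cache and the screen saver
; can find it without KRB5CCNAME being passed through its environment.
auth    sufficient    pam_krb5.so minimum_uid=1000 ccache=/tmp/krb5cc_%u

; --- Option 2: Kerberos library side (/etc/krb5.conf) ---
; Same effect for every Kerberos-aware program: with no KRB5CCNAME set,
; the library resolves the default cache to this UID-derived name.
[libdefaults]
    default_ccache_name = FILE:/tmp/krb5cc_%{uid}
```

Either form only works because the cache name no longer depends on anything the screen saver would have had to inherit from the login session. The trade-off is the one the comment states: the cache is shared by all sessions of that UID, so a logout in one session (an ssh session, for instance) destroys the credentials that a concurrent console session and its screen-saver unlock rely on; a per-session cache name (containing a PID or session id) avoids that but brings back the need to pass KRB5CCNAME to the screen saver.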