So I was fiddling with my replacement TL server at home and I wanted to play a bit more with the Kerberos part of it.
So up until now I’ve been using Kerberos to sign in on my TL server (yes, I know, I’m a nerd, I run Kerberos at home), which works absolutely fine. But when logging in on the session itself, it’s ticketless, which then causes login errors on other services that normally authenticate fine when using a password.
So I tried the workaround Karl wrote (see below) in 2018, which works fine. NOTE: I opted to only set this up for a single host instead of all hosts I log in on.
- On the client: add the following to `~/.thinlinc/config`:

  ```
  Host myhost
      GSSAPIDelegateCredentials yes
  ```

- On the server, remove `/opt/thinlinc/etc/xstartup.d/01-tl-kinit.sh`
- Log in, and the forwarded ticket is available and I can immediately start using it
So with regards to the caveats posted in that ticket:
- Delay between session and connection without a ticket: I didn’t observe this, but I’ve been using a single-node TL server in this test.
- My system runs with KCM enabled, which means that all Kerberos sessions are handled by SSSD. So all sessions will re-use the same cache, regardless of means of entering the system/session (TL, SSH, sudo, console, etc.). And every time a new login is made (or password prompt is filled in) this ticket will be refreshed.
- Disconnecting destroys the ticket: not true, I logged in on my system with Kerberos and disconnected the session. I then logged in with a different user and sudo-ed to my own session. The forwarded ticket sticks around and will be until its renewal period expires (in my case, that’s 7 days).
So I think this can be used in a stable manner, and given the correct server setup, I think it would be better to add a checkbox in the client that will ‘Enable Kerberos Credential Forwarding’ instead of having to tinker with the config file.
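The per-host client setup from the steps above, as an added shell example that is not from the original post or from ThinLinc itself. It writes the `Host` stanza into `~/.thinlinc/config` only once, checks that delegation is scoped to that single host (other hosts keep the default of not forwarding the TGT), and verifies the server-side prerequisite; the host name `myhost`, the config path and the `klist` check are assumptions.

```shell
#!/bin/sh
# Added example: enable GSSAPI credential delegation for ONE ThinLinc
# host and verify the prerequisites. Paths/host names are placeholders.

# delegation_enabled CONFIG HOST
# Exit 0 if the stanza for exactly HOST in CONFIG sets
# GSSAPIDelegateCredentials yes. Settings under other Host stanzas are
# ignored, so forwarding stays limited to the host you chose.
delegation_enabled() {
    awk -v want="$2" '
        /^[[:space:]]*#/ { next }                    # skip comments
        tolower($1) == "host" { inhost = ($2 == want); next }
        inhost && tolower($1) == "gssapidelegatecredentials" \
               && tolower($2) == "yes" { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# enable_delegation CONFIG HOST
# Idempotently append the per-host stanza (no duplicate if already set).
enable_delegation() {
    cfg="$1"; host="$2"
    mkdir -p "$(dirname "$cfg")"
    touch "$cfg"
    delegation_enabled "$cfg" "$host" && return 0
    printf 'Host %s\n    GSSAPIDelegateCredentials yes\n' "$host" >> "$cfg"
}

# kinit_hook_removed [PATH]
# The server-side step: the kinit xstartup hook must be gone, otherwise
# it would run on login and override the forwarded ticket.
kinit_hook_removed() {
    [ ! -e "${1:-/opt/thinlinc/etc/xstartup.d/01-tl-kinit.sh}" ]
}

# have_forwarded_ticket
# Inside the new session: klist -s is silent and exits 0 only when the
# credential cache holds a valid (non-expired) ticket.
have_forwarded_ticket() {
    klist -s
}

# Typical client-side use (assumed host name):
#   enable_delegation "$HOME/.thinlinc/config" myhost
```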