Comment 38 for bug 369575

ignore_root won't work.

The first user—the local admin—is UID 1000. If you ever try to passwd that user, it asks for the user's Kerberos password. If you try to `passwd -r files`, it ... asks for the user's Kerberos password, because the -r option doesn't work.

The root user generally is locked without a password.

Honestly the right option is probably to patch pam_krb5 to allow overriding in krb5.conf (possibly by an option, possibly by default).