What am I doing wrong?

Alexey Toptygin alexeyt at freeshell.org
Sat Nov 27 03:45:29 UTC 2004


I've got sshd successfully authenticating via pam_krb5. My /etc/pam.d/ssh
reads:

auth       required     pam_nologin.so
auth       required     pam_env.so
auth    sufficient      pam_unix.so
auth    required        pam_krb5.so     use_first_pass
account required        pam_unix.so
session required        pam_unix.so
session    optional     pam_motd.so
session    optional     pam_mail.so standard noenv
session    required     pam_limits.so

Now, I'm trying to do the same with apache2. I've got the following in 
/etc/pam.d/apache2:

auth sufficient pam_unix.so
auth required pam_krb5.so debug use_first_pass
account required pam_unix.so

Which should behave identically, right? I can see the error from the 
sufficient pam_unix pop up in auth.log, I can see the debug output from 
pam_krb5 say:

apache2: pam_krb5: pam_sm_authenticate(apache2 alexey): entry:
apache2: pam_krb5: verify_krb_v5_tgt(): krb5_kt_read_service_key(): No such file or directory
apache2: pam_krb5: pam_sm_authenticate(apache2 alexey): exit: success

And then apache returns 401 (Auth Required) and logs:

[error] [client 127.0.0.1] PAM: user 'alexey' - invalid account: 
Authentication service cannot retrieve authentication info.

I've also tried omitting the initial auth pam_unix, but the only 
difference is that the failure message from pam_unix is not printed; 
otherwise the behavior is identical.

WTF? Is there some additional logging I can turn on? How can I even figure 
out if this is a PAM or an apache problem?

 			Alexey
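
An added example, not part of the original post: a small model of how PAM
evaluates the auth and account stacks of the apache2 file above as two
separate phases. The module results fed in come from the quoted logs; that
the "invalid account" message is pam_unix failing in the account phase is an
assumption, and the function names are made up for this sketch.

```python
# Constructed from the /etc/pam.d/apache2 lines quoted in the post.
APACHE2 = """\
auth sufficient pam_unix.so
auth required pam_krb5.so debug use_first_pass
account required pam_unix.so
"""

# (type, module) -> True for PAM_SUCCESS. The auth results follow the quoted
# auth.log; the account result is an assumption read from apache's error line.
OBSERVED = {("auth", "pam_unix.so"): False,
            ("auth", "pam_krb5.so"): True,
            ("account", "pam_unix.so"): False}

def parse(text):
    """Group 'type control module [args]' lines into one stack per type."""
    stacks = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            mtype, control, module, *_args = line.split()
            stacks.setdefault(mtype, []).append((control, module))
    return stacks

def run_stack(mtype, stack, results):
    """Apply the required/requisite/sufficient/optional rules to one stack."""
    failed = passed = False
    optional = []
    for control, module in stack:
        ok = results[(mtype, module)]
        if control == "sufficient":
            if ok and not failed:
                return True       # success ends the stack early
            continue              # a failing sufficient module is ignored
        if control == "optional":
            optional.append(ok)
            continue
        passed, failed = passed or ok, failed or not ok
        if control == "requisite" and not ok:
            break                 # requisite failure stops the stack at once
    if not passed and not failed: # only optional modules had a say
        return any(optional)
    return not failed

def phase_results(text, results):
    """Evaluate each phase independently, as a PAM-using service would."""
    return {t: run_stack(t, s, results) for t, s in parse(text).items()}

if __name__ == "__main__":
    print(phase_results(APACHE2, OBSERVED))
```

With these inputs the auth phase passes on pam_krb5 alone while the account
phase fails, and dropping the first auth line changes neither result.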



