This is something I've been working on. I'm using pam_winbind.so rather than pam_krb5, which works with caveats...
I discovered that the services on Linux don't have consistent authentication behaviour. Some use PAM but a number of the big-name services don't, and handle authentication themselves. Those that do support PAM aren't guaranteed to support all of the modules.
SSH turns out to be a bad test case because it will fail unless the user has a valid home directory, so I initially added pam_mkhomedir.so to the PAM stack as well. Not all of the other services that require home directories support pam_mkhomedir.so, so I ended up abandoning the pam_mkhomedir.so approach and wrote a script that creates home directories on the Linux box for all AD users.
My (more or less final) notes are here: