[OpenAFS] home dir in afs, debian

Christian chanlists@googlemail.com
Tue, 7 Oct 2025 12:11:46 +0200


Dear all,

this may be a silly question, but I wanted to ask before I dig deeper.
We use debian trixie with openafs. Kerberos is a Samba AD. All stock 
distribution packages. User accounts are made available to clients using 
winbind. Using ssh or the console, an AD user with home directory in AFS 
can log in just fine. libpam-afs-session takes care of the tokens. 
Tickets and tokens are there. But logging in to gnome via gdm3 fails. 
Tickets are there, but tokens get lost somewhere in the process. I have 
tried other display managers or window managers without success.

Interestingly enough, if the user then acquires tokens, logs out and in
again, tokens are still there (!).

I have tested this on a fresh install. Is there any recipe out there how 
to do this or debug this? Thanks for sharing any insights,

Christian

PS: pam-auth-update has the following modules enabled:

Kerberos authentication
Unix authentication
Winbind NT/Active Directory authentication
AFS session management
Register user sessions in the systemd control group hierarchy
GNOME Keyring Daemon - Login keyring management

I guess the Kerberos and Winbind auth are somewhat redundant...