Bug 6210 - You cannot use an alternative ticket for kerberos authentication
Status: NEW
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Client
Version: trunk
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: LowPrio
Assignee: Pierre Ossman
Reported: 2017-03-29 11:15 CEST by Henrik Andersson
Modified: 2021-12-07 12:57 CET

Description Henrik Andersson cendio 2017-03-29 11:15:45 CEST
The problem is that Kerberos ticket names are restricted to what tickets are available in the ticket cache. This means that you are only allowed to use usernames without a domain specified.

What I mean is that Linux supports authentication with users in different domains. For example, cendio@lab.lkpg.cendio.se is a valid username in an sssd configuration. However, if you choose to use Kerberos, you are not allowed to write the @domain suffix, because the username is the name of the ticket in the cache.

One solution might be to change the free-text edit box for ticket names to a dropdown menu populated with enumerated tickets from the cache for the end user to use for authentication.
