If you use ThinLinc on a Kerberos capable system then the user will get a TGT as part of the session creation (assuming a password was available for SSO). However this TGT will eventually expire and become useless. At this point many things might break for the user.
The responsibility of refreshing this ticket lies at least partially with ThinLinc as with a local login unlocking the screensaver would yield a fresh TGT for the user. Since the screen saver is generally not used with ThinLinc, instead replaced with a idle timer and reconnect, the normal mechanism doesn't work.
Refreshing is now commonly handled by a central daemon, generally sssd. This is done by letting it own the ticket cache via the KCM cache method:
This doesn't solve the issue if the TGT is completely expired and needs a new full authentication though.
Note that this also means a shared credentials cache, rather than one per session. If you configure some other service (e.g. sshd) to clean out the cache on logout then it can affect ThinLinc adversely. We need to decide if we consider that a ThinLinc problem or a sshd problem.
OpenSSH does indeed nuke those shared credentials by default. Red Hat/Fedora noticed that here and changed their default:
We probably need to check the different distributions here.