Bug found!
Missed a line in two of the files, as they weren't at the end of the text like most files modified by Zentyal. The problem is in the following line in common-auth:
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth [success=2 default=ignore] pam_krb5.so minimum_uid=2000
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
The 'success=1' in common jumps the next line in the stack. But it doesn't even get that far, as the use_first_pass option tries to use a password that was never entered, as this line is the first in the stack, and fails without a prompt. The success=1 takes it to pam_unix where it fails authentication. success=3 is the correct option, and removal of use_first_pass makes it prompt for a password.
Then there's this line in common-account:
account [success=1 default=ignore] pam_ldap.so
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
account required pam_krb5.so minimum_uid=2000
This jumps the success straight to a pam_deny module and so account verification fails. Change it to success=2 and it jumps to pam_permit like it should. Looks like that Kerberos line should be up there above pam_deny too.
After these changes thin clients can log in fine.
My first bug found! Didn't know anything about PAM yesterday before I tried to fix this, so I'm pretty happy.
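The jump arithmetic described in the post, as an added example that is not part of the original post: a small simulator that walks the two quoted stacks and reports which modules run and whether the stack permits or denies. It assumes simplified Linux-PAM control semantics, does not model module options such as use_first_pass, and the names parse, run and with_jump, as well as the per-module results passed in, are constructed for illustration.

```python
import re
# Stacks as quoted in the post; module results passed to run() are constructed.
AUTH = """\
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth [success=2 default=ignore] pam_krb5.so minimum_uid=2000
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
"""
ACCOUNT = """\
account [success=1 default=ignore] pam_ldap.so
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
account required pam_krb5.so minimum_uid=2000
"""
# Keyword controls written as bracket actions (simplified from pam.conf(5)).
KEYWORDS = {"requisite": {"success": "ok", "default": "die"},
            "required": {"success": "ok", "default": "bad"}}
FIXED = {"pam_deny.so": "fail", "pam_permit.so": "success"}  # always the same

def parse(text):
    """Return [(actions, module)] for each line of a PAM stack."""
    stack = []
    for line in text.strip().splitlines():
        ctrl, module = re.match(r"\S+\s+(\[[^\]]*\]|\S+)\s+(\S+)", line).groups()
        actions = (dict(kv.split("=") for kv in ctrl[1:-1].split())
                   if ctrl.startswith("[") else KEYWORDS[ctrl])
        stack.append((actions, module))
    return stack

def run(text, results):
    """Walk a stack; results maps module -> 'success' (anything else fails)."""
    stack, i, visited, ok, bad = parse(text), 0, [], False, False
    while i < len(stack):
        actions, module = stack[i]
        visited.append(module)
        result = FIXED.get(module, results.get(module, "fail"))
        action = actions.get(result, actions["default"])
        i += 1
        if action.isdigit():
            i += int(action)              # success=N skips the next N lines
        ok = ok or action in ("ok", "done")
        bad = bad or action in ("bad", "die")
        if action in ("done", "die"):
            break                         # these actions end the stack at once
    return visited, "permit" if ok and not bad else "deny"

def with_jump(text, n):  # same stack, pam_ldap line changed to success=n
    return re.sub(r"success=\d+( default=ignore\] pam_ldap)", rf"success={n}\1", text)
```

Calling run(ACCOUNT, {"pam_ldap.so": "success"}) shows the walk ending at pam_deny.so, while run(with_jump(ACCOUNT, 2), ...) reaches pam_permit.so and then still evaluates the trailing pam_krb5.so line.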