Second, you need to configure the server via qmgr similar to this:
set server acl_krb_realm_enable = True
set server acl_krb_realms = *@PBSPRO
set server acl_krb_submit_realms = *@PBSPRO
set server cred_renew_enable = True
set server cred_renew_tool = "/usr/bin/timeout 10 /usr/bin/krb525_renew"
set server cred_renew_period = 12:00:00
set server cred_renew_cache_period = 23:00:00
Once you have the pbs.conf configured, you need to use: PBS_AUTH_METHOD=resvport qmgr for admin access or you can add your host principal as the PBS manager.
Third, I noticed a bug in openpbs. To resolve it the pbs_sched must be run (opposed to the rest of server components) with env like this: PBS_AUTH_METHOD=resvport pbs_sched
Using this configuration, you can submit a job (you need a valid kerberos ticket for submitting). A correctly submitted job has the attribute credential_id, which is principal.
Once the job will start, the credentials will be available and the job will have the attribute credential_validity.
Do you use MIT or Heimdal? Your main issue would probably be the cred_renew_tool. Without this tool, the job can not start. This tool is used for providing kerberos tickets to the jobs. It also provides a new ticket before the validation of the job’s ticket expires. Please, see the part Build a PBS renew-tool in  You can find an example of the renew tool as part of the openpbs source codes here: /openpbs/src/unsupported/renew-test. The example works with both the MIT and the Heimdal Kerberos. It expects the server keytab to provide all the credentials… just for testing.
I can also help you to configure our proper tool krb525 mentioned in . Unfortunately, the server side of krb525 works only with Heimdal…