I would like to be able to force all users on my HP-UX system to use
Kerberos passwords. For any special users that do not have AD users
(oracle, etc.) I would like these types of users to only be able to su -
from a Kerberos enabled ID.

In the case of root I would like the something like pam_user.conf to
allow root with password from /etc/passwd.

Is this possible? I cannot get it to work. It seems that if I only
have krb5 in pam.conf then I cannot create an entry in pam_user.conf
that allows root to use /etc/passwd.

Any help is greatly appreciated.