The original /etc/pam.d/vsftpd like this:
auth required pam_listfile.so item=user sense=deny file=/
etc/vsftpd.ftpusers onerr=succeed
auth required pam_stack.so service=system-auth
auth required pam_shells.so
account required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth

I can logs in vsftpd:
# tail /var/log/messages
Apr 20 15:08:26 docs vsftpd(pam_unix)[341]: authentication failure;
logname= uid=0 euid=0 tty= ruser= rhost=192.168.0.125 user=rocky
Apr 20 15:08:26 docs vsftpd[341]: pam_krb5[341]: The "hosts"
configuration directive is not supported with your release of
Kerberos. Please check if your release supports an `extra_addresses'
directive instead.
Apr 20 15:08:26 docs vsftpd[341]: pam_krb5[341]: authentication
succeeds for 'rocky' (rocky@SAMPLE.CN)

Now I want to seperate the vsftpd login from system login, by adding a
new server principal such as 'vsftpd/docs.sample.com'. So at the
first, I think I must seperate the pam auth:

auth required pam_listfile.so item=user sense=deny file=/
etc/vsftpd.ftpusers onerr=succeed
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_krb5.so use_first_pass
auth required pam_shells.so
account [default=bad success=ok user_unknown=ignore] /lib/security/
$ISA/pam_krb5.so
password sufficient /lib/security/$ISA/pam_krb5.so use_authtok
session optional /lib/security/$ISA/pam_krb5.so

But I get the logs like this:
Apr 20 17:36:03 docs vsftpd[1924]: pam_krb5[1924]: The "hosts"
configuration directive is not supported with your release of
Kerberos. Please check if your release supports an `extra_addresses'
directive instead.
Apr 20 17:36:03 docs vsftpd[1924]: pam_krb5[1924]: authentication
fails for 'rocky' (rocky@SAMPLE.CN): Authentication failure (Generic
error (see e-text))

So what's wrong?

Thanks.