Without a keytab, your host cannot verify that the user who logged in is who they claim to be. A spoofed KDC and the user can cooperate to make kinit work. Some configurations--particularly public workstations with no private data on the workstation--can successfully run in this configuration. So, PAM modules may work without a keytab, but in that configuration they are vulnerable to additional security attacks.
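An added example, not part of the original post: a host-side audit check that parses an MIT keytab (file format 0x0502) and reports whether a host key is present for logins to be verified against. The function names, the `host/<fqdn>` key name, and the sample principals and all-zero key are assumptions constructed for the illustration.

```python
import struct

def keytab_principals(data):
    """List principals in an MIT keytab file (format version 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    principals, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:          # stop on zero padding instead of looping
            break
        if size < 0:           # negative length marks a deleted entry: skip it
            pos += -size
            continue
        entry, off = data[pos:pos + size], 0
        pos += size
        (ncomp,) = struct.unpack_from(">H", entry, off)
        off += 2
        names = []             # realm first, then the name components
        for _ in range(ncomp + 1):
            (n,) = struct.unpack_from(">H", entry, off)
            names.append(entry[off + 2:off + 2 + n].decode())
            off += 2 + n
        principals.append("/".join(names[1:]) + "@" + names[0])
    return principals

def can_verify_kdc(keytab, fqdn, realm):
    """True if the keytab holds host/<fqdn>@<realm> (assumed host key name)."""
    if not keytab:
        return False           # no keytab: a login cannot be checked against a host key
    return "host/%s@%s" % (fqdn, realm) in keytab_principals(keytab)

def make_entry(realm, comps, key=b"\x00" * 16):
    """Build one constructed keytab entry (all-zero key, for the demo only)."""
    def counted(s):
        return struct.pack(">H", len(s)) + s.encode()
    body = struct.pack(">H", len(comps)) + counted(realm)
    body += b"".join(counted(c) for c in comps)
    body += struct.pack(">IIB", 1, 0, 1)            # name type, timestamp, 8-bit kvno
    body += struct.pack(">HH", 17, len(key)) + key  # enctype 17 (aes128), key bytes
    return struct.pack(">i", len(body)) + body

# Constructed sample: a deleted 8-byte slot, then two entries.
SAMPLE = (b"\x05\x02" + struct.pack(">i", -8) + b"\x00" * 8
          + make_entry("EXAMPLE.COM", ["nfs", "ws1.example.com"])
          + make_entry("EXAMPLE.COM", ["host", "ws1.example.com"]))

if __name__ == "__main__":
    print(keytab_principals(SAMPLE))
    print(can_verify_kdc(SAMPLE, "ws1.example.com", "EXAMPLE.COM"))
```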