AD keytabs for unix host

[Sam Hartman]

Without a keytab, your host cannot verify that the user who logged in
is who they claim to be.  a spoofed KDC and the user can cooperate to
make kinit work.  Some configurations--particularly public
workstations with no private data on the workstation--can successfully
run in this configuration.  So, PAM modules may work without a keytab,
but in that configuration they are vulnerable to additional security
attacks.