A very minor nit: the client (user) does not require bootstrapping or pre-shared keys. If your DNS for the realm you are kiniting to is correct, you can get your client keys without any client-side configuration.
When a client kinits, no validation of the KDC is performed. As the KDC never gets the password, the most an invalid one can do is issue you invalid keys, which will get denied by any service that sees them.
Servers require keytabs to validate user keys, and these can be much harder to distribute to all your servers that need to authenticate users.