> > pam-krb5 does exactly the same thing as kinit, which is precisely why it > should not be used for authenticating network services, because in the > Kerberos model kinit should only ever be run on the user's local machine. > right. I see now.