So, you can't really do this securely without having read access to /etc/krb5.keytab. The problem is that you cannot verify the TGT you get back so someone could be spoofing your Kerberos session. If you are willing to ignore that, it should be possible to make the code work; open a wishlist bug against libpam-krb5 that it should consider permission denied reading the keytab to be equivalent to no keytab present.
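The trade-off described above, sketched as an added example (not code from libpam-krb5 or from the original post): the policy treats "permission denied" like "no keytab", but only behind an explicit opt-in, and always reports that the TGT was not verified. The names `keytab_state`, `tgt_decision` and `allow_unverified` are hypothetical.

```python
def keytab_state(path, opener=open):
    """Classify the keytab as 'readable', 'absent', 'denied' or 'error'."""
    try:
        with opener(path, "rb") as fh:
            fh.read(1)  # force a real read, not just an open
        return "readable"
    except FileNotFoundError:
        return "absent"
    except PermissionError:
        return "denied"
    except OSError:
        # Anything else (path is a directory, I/O error) is never
        # treated as "no keytab present".
        return "error"


def tgt_decision(path="/etc/krb5.keytab", allow_unverified=False, opener=open):
    """Return (decision, reason) for a freshly obtained TGT.

    decision is one of:
      'verify'            - keytab readable, TGT can be checked against the host key
      'accept-unverified' - no usable keytab and the admin opted in; the KDC
                            could be spoofed, so the reason should be logged
      'reject'            - no usable keytab and no opt-in (fail closed)
    """
    state = keytab_state(path, opener)
    if state == "readable":
        return ("verify", "keytab readable: check the TGT against the host key")
    if state in ("absent", "denied") and allow_unverified:
        return ("accept-unverified", f"keytab {state}: KDC identity NOT checked")
    return ("reject", f"keytab {state}: cannot verify TGT")


if __name__ == "__main__":
    # Constructed demonstration against the local system's default path.
    for opt_in in (False, True):
        print(opt_in, tgt_decision(allow_unverified=opt_in))
```

The `opener` parameter exists so the permission-denied path can be exercised without depending on the uid the check runs under.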