> As a function of binding a Mac OS X machine to the domain, as of 10.4 and lat

er, the directory service plug-in creates a /etc/krb5.keytab with service princ
ipals for the machine. Now, in theory, there are at least two services (neither
of which are available at the moment), where the machine itself is the client
and needs to authenticate itself to another machine: (1) Dynamic DNS via GSS-TS
IG, and (2) other machines running IPsec via Kerberos-based IKE. If this were a
user principal, I'd have thought I'd need a TGT for the user for which a servi
ce principal for the remote machine (either a DNS box or a IPsec-running peer)
in order to perform the authentication, and then subsequently have to renew and
/or refresh the TGT as it neared or reached its expiration date so as to contin
ue to perform these operations over time (as a service).
> In the keytab world, do you still have to get a TGT for the machine in order

to get a service ticket for the remote machines? Can you get it directly via th
e keytab without entering a password? Or can you go directly from keytab to rem
ote machine service ticket without having to deal with a TGT?

A keytab is just that, a 'table' of keys.
(ignoring preauth for simplicity's sake),
talking to any service is pretty much:

client KDC foo server
----- "I want a TGT" ---->
<---- {TGT}key -----------
[string2key(password) => key] <*>
[decrypt and store TGT]
--- gimme foo ticket, TGT --->
<---- {foo}k -------------
[store foo ticket]
---------- hi, {foo} -------------------------->
<---------------------- "howdy, dude!" ---------

<*> All a keytab does is provide the machine with a key directly --
bypassing the need to store/ask-for a password and convert
it into a key. That's it. There's no more magic than that.