Kerberos and fun

I run a local svn repository, and it was adrenaline-pumping action the time I discovered you could use Windows Active Directory as a Kerberos KDC for authentication. Some helpful links:

What these leave out (at least when it comes to educating a n00b) is that Active Directory is needed only for setting up the service principal, not necessarily for creating the keytab. I could create the keytab with ktutil on Linux with these commands:

bash$ ktutil
ktutil: addent -password -p 'serv/yadayada@REALM' -k <kvno> -e <enctype>
ktutil: wkt xyz.keytab
ktutil: quit

The info needed here is the password of the user account to which the service principal is mapped, and the kvno of the key issued by the KDC (which you can find by running 'kvno principal' after authenticating). The enctype is the one reported by ktpass when the principal was created (or, if you specified one, that one); it was des-cbc-md5 in my case. The kvno must match the one sent by the KDC, or mod_auth_kerb in Apache will not work. The Active Directory server I was dealing with would increment the kvno if I so much as sneezed while thinking about the user account involved. This looks like a Windows 2003 behavior.
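Because the kvno in the keytab has to agree with what the KDC hands out, it helps to be able to read the keytab back without relying on ktutil being installed. The following is an added example, not code from the original post or from any Kerberos project: a small parser for the MIT keytab file format (version 0x0502) that lists each entry's principal, kvno and enctype, plus a helper that compares an entry's kvno with the value you got from 'kvno principal'. The principal name, the dummy key bytes and the timestamp are constructed sample values; the build_keytab function exists only to produce that sample and is not how ktutil or ktpass write keytabs. The parser deliberately skips the key material so its output can be logged safely. Note that des-cbc-md5 (enctype 3) is a single-DES type that current MIT and Heimdal releases disable by default, so a keytab like the one in the post would now also need the weak-crypto switch turned on, or a stronger enctype.

```python
import struct
import time

# Enctype numbers as assigned in RFC 3961/3962 and the MIT/Heimdal enctype tables.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}

KRB5_NT_PRINCIPAL = 1
KEYTAB_MAGIC = b"\x05\x02"   # keytab file format version 0x0502


def _counted(b: bytes) -> bytes:
    """16-bit big-endian length prefix followed by the bytes (counted octet string)."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries, timestamp=None):
    """Serialize (principal, kvno, enctype, key) tuples into 0x0502 keytab bytes.

    Used here only to construct sample input; real keytabs come from ktutil/ktpass.
    """
    ts = int(time.time()) if timestamp is None else timestamp
    out = KEYTAB_MAGIC
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">I", KRB5_NT_PRINCIPAL)
        body += struct.pack(">I", ts)
        body += struct.pack(">B", kvno & 0xFF)        # 8-bit vno field
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)               # 32-bit vno extension
        out += struct.pack(">i", len(body)) + body    # positive size = live entry
    return out


def parse_keytab(data: bytes):
    """Return a list of dicts {principal, kvno, enctype, enctype_name, timestamp}.

    Key material is skipped rather than returned, so the result is safe to log.
    """
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted slot: skip it
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos)
        pos += 4
        realm = data[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos)
            pos += 2
            comps.append(data[pos:pos + clen].decode())
            pos += clen
        pos += 4                     # name_type (present in version 0x0502)
        (ts,) = struct.unpack_from(">I", data, pos)
        pos += 4
        kvno = data[pos]             # 8-bit vno
        pos += 1
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen              # skip over the key bytes themselves
        if end - pos >= 4:           # optional 32-bit vno overrides the 8-bit one
            (kvno32,) = struct.unpack_from(">I", data, pos)
            if kvno32:
                kvno = kvno32
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, "enctype-%d" % enctype),
            "timestamp": ts,
        })
    return entries


def kvno_matches(data: bytes, principal: str, kdc_kvno: int) -> bool:
    """True if the keytab holds a key for principal whose kvno equals the KDC's kvno."""
    return any(e["principal"] == principal and e["kvno"] == kdc_kvno
               for e in parse_keytab(data))


# Constructed sample: placeholder principal and an all-zero dummy key, not real material.
SAMPLE_PRINCIPAL = "HTTP/svn.example.test@EXAMPLE.TEST"
SAMPLE_KEYTAB = build_keytab([(SAMPLE_PRINCIPAL, 5, 3, b"\x00" * 8)],
                             timestamp=1200000000)

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%(kvno)4d  %(principal)s  (%(enctype_name)s)" % e)
    print("matches KDC kvno 5:", kvno_matches(SAMPLE_KEYTAB, SAMPLE_PRINCIPAL, 5))
```

To use it against a real file, read the keytab bytes and call kvno_matches with the number that 'kvno principal' printed; a False result is the mismatch that makes mod_auth_kerb reject tickets after Active Directory has bumped the version.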
