diff --git a/daemon/libvirtd.sasl b/daemon/libvirtd.sasl
index e24a130853..bfa056fd49 100644
--- a/daemon/libvirtd.sasl
+++ b/daemon/libvirtd.sasl
@@ -18,9 +18,12 @@ mech_list: digest-md5
# qemu+tcp://hostname/system?auth=sasl.gssapi
#mech_list: digest-md5 gssapi
-# MIT kerberos ignores this option & needs KRB5_KTNAME env var.
-# May be useful for other non-Linux OS though....
-keytab: /etc/libvirt/krb5.tab
+# Some older builds of MIT kerberos on Linux ignore this option &
+# instead need KRB5_KTNAME env var.
+# For modern Linux, and other OS, this should be sufficient
+#
+# There is no default value here, uncomment if you need this
+#keytab: /etc/libvirt/krb5.tab
# If using digest-md5 for username/passwds, then this is the file
# containing the passwds. Use 'saslpasswd2 -a libvirt [username]'
diff --git a/docs/auth.html.in b/docs/auth.html.in
index 60e4f11b50..d792eb1c85 100644
--- a/docs/auth.html.in
+++ b/docs/auth.html.in
@@ -233,7 +233,8 @@ The SASL mechanism configured by default is DIGEST-MD5, which provides a basic
username+password style authentication. To enable Kerberos single-sign-on instead,
the libvirt SASL configuration file must be changed. This is /etc/sasl2/libvirt.conf
.
The mech_list
parameter must first be changed to gssapi
-instead of the default digest-md5
. If SASL is enabled on the UNIX
+instead of the default digest-md5
, and keytab should be set to
+/etc/libvirt/krb5.tab
. If SASL is enabled on the UNIX
and/or TLS sockets, Kerberos will also be used for them. Like DIGEST-MD5, the Kerberos
mechanism provides data encryption of the session.