diff --git a/daemon/libvirtd.sasl b/daemon/libvirtd.sasl index e24a130853..bfa056fd49 100644 --- a/daemon/libvirtd.sasl +++ b/daemon/libvirtd.sasl @@ -18,9 +18,12 @@ mech_list: digest-md5 # qemu+tcp://hostname/system?auth=sasl.gssapi #mech_list: digest-md5 gssapi -# MIT kerberos ignores this option & needs KRB5_KTNAME env var. -# May be useful for other non-Linux OS though.... -keytab: /etc/libvirt/krb5.tab +# Some older builds of MIT kerberos on Linux ignore this option & +# instead need KRB5_KTNAME env var. +# For modern Linux, and other OS, this should be sufficient +# +# There is no default value here, uncomment if you need this +#keytab: /etc/libvirt/krb5.tab # If using digest-md5 for username/passwds, then this is the file # containing the passwds. Use 'saslpasswd2 -a libvirt [username]' diff --git a/docs/auth.html.in b/docs/auth.html.in index ecff0fc462..830a2527ac 100644 --- a/docs/auth.html.in +++ b/docs/auth.html.in @@ -233,7 +233,8 @@ The SASL mechanism configured by default is DIGEST-MD5, which provides a basic username+password style authentication. To enable Kerberos single-sign-on instead, the libvirt SASL configuration file must be changed. This is /etc/sasl2/libvirt.conf. The mech_list parameter must first be changed to gssapi -instead of the default digest-md5. If SASL is enabled on the UNIX +instead of the default digest-md5, and keytab should be set to +/etc/libvirt/krb5.tab . If SASL is enabled on the UNIX and/or TLS sockets, Kerberos will also be used for them. Like DIGEST-MD5, the Kerberos mechanism provides data encryption of the session.
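Review bot: In the daemon/libvirtd.sasl hunk, the new comment "There is no default value here, uncomment if you need this" does not tell the administrator what the daemon does when the option stays commented out, so a reader cannot tell whether leaving it unset means "no Kerberos acceptor credentials" or "whatever the Kerberos library picks on its own"; add one sentence stating which it is. The qualifier "Some older builds of MIT kerberos on Linux ignore this option" is also too vague to act on: either name the version range where KRB5_KTNAME is still required, or point to where that can be checked, otherwise every operator has to guess whether they are on an "older build". Minor: "ignore this option &" should spell out "and", matching the rest of the file's comment style.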
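Review bot: In the docs/auth.html.in hunk, "+/etc/libvirt/krb5.tab . If SASL is enabled" has a stray space before the period. More substantively, the docs now say keytab "should be set to /etc/libvirt/krb5.tab" with no caveat, while the config-file comment in the same patch says older MIT Kerberos builds ignore the option and need KRB5_KTNAME; a user on such a build who follows only the HTML docs ends up with a non-working GSSAPI setup, so carry the KRB5_KTNAME caveat into this paragraph as well. It would also help to state that the keytab file must be readable by the user libvirtd runs as, since the acceptor credential comes from that file.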