That's fun. Reminds me of netcat's GAPING_SECURITY_HOLE
Skimming #RedHat Linux docs, it looks like pam_krb5 is deprecated anyway in favor of pam_sssd, and pam_sssd automatically creates a keytab file upon joining the domain -- looks non-optional.
Over in #Ubuntu land, it looks like keytab is similarly required, but you can turn it off manually (according to the man page).
So with those two examples, my bet is that most #Linux domain members are okay by default. Broken #Kerberos is still broken, but you have to go out of your way to break it (and if you have that breaking power, you can do easier things anyway, like just straight up su-ing as someone else).
The above is based purely on documentation, no testing.