At UC Berkeley, our local security group considers single-step Kerberos authentication (which just checks the user's ID and password) insufficient. Instead, they ask for a handshake between the user's password-based authentication and the service's keytab-based authentication, ensuring that both parties in the deal are known.
At the moment, we're integrating Sakai and Kerberos via some very in-house-only code. However, we'd like to see a handshaking provider made available in the trunk, especially since it seems difficult currently to find any good examples of the approach on the web. (Sun's sample code tends to emphasize desktop Kerberos clients used to implement single sign-on, rather than the web server authentication needed by something like Sakai.)
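The handshake described above, sketched with the JDK's JAAS and GSS-API classes as an added example (not Berkeley's in-house code and not part of Sakai): the password login succeeds only if the KDC accepts the user, and the keytab step succeeds only if that same KDC issued a service ticket the server's own key can decrypt. The class name, service principal and keytab path are assumed placeholders, and the JVM is assumed to find the realm and KDC through its usual krb5.conf.

```java
import java.security.PrivilegedExceptionAction;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import org.ietf.jgss.*;
public class KerberosHandshake {
    // Assumed placeholders: replace with the site's service principal and keytab path.
    static final String SERVICE = "sakai/web.example.edu@EXAMPLE.EDU";
    static final String KEYTAB = "/etc/sakai/sakai.keytab";
    static Subject login(Map<String, String> opts, CallbackHandler cb) throws LoginException {
        Configuration conf = new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    "com.sun.security.auth.module.Krb5LoginModule",
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
        LoginContext lc = new LoginContext("handshake", null, cb, conf);
        lc.login();
        return lc.getSubject();
    }

    static boolean authenticate(String user, char[] password) {
        try {
            // Step 1: password login (AS exchange) yields the user's TGT.
            Subject client = login(new HashMap<>(), callbacks -> {
                for (Callback c : callbacks) {
                    if (c instanceof NameCallback) ((NameCallback) c).setName(user);
                    else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(password);
                    else throw new UnsupportedCallbackException(c);
                }
            });
            // Step 2: load the service's long-term key from the keytab (acceptor only).
            Map<String, String> svc = new HashMap<>();
            svc.put("useKeyTab", "true"); svc.put("keyTab", KEYTAB); svc.put("principal", SERVICE);
            svc.put("storeKey", "true"); svc.put("doNotPrompt", "true"); svc.put("isInitiator", "false");
            Subject server = login(svc, null);
            GSSManager mgr = GSSManager.getInstance();
            Oid krb5 = new Oid("1.2.840.113554.1.2.2"), krb5Name = new Oid("1.2.840.113554.1.2.2.1");
            // Step 3: as the user, ask the KDC for a service ticket addressed to SERVICE.
            byte[] token = Subject.doAs(client, (PrivilegedExceptionAction<byte[]>) () -> {
                GSSContext ctx = mgr.createContext(mgr.createName(SERVICE, krb5Name), krb5, null, GSSContext.DEFAULT_LIFETIME);
                try { return ctx.initSecContext(new byte[0], 0, 0); } finally { ctx.dispose(); }
            });
            // Step 4: as the service, accept that ticket using the keytab key.
            return Subject.doAs(server, (PrivilegedExceptionAction<Boolean>) () -> {
                GSSContext ctx = mgr.createContext((GSSCredential) null);
                try { ctx.acceptSecContext(token, 0, token.length); return ctx.isEstablished(); } finally { ctx.dispose(); }
            });
        } catch (Exception e) { return false; } // fail closed on any login or GSS error
    }
}
```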