I have proved that UNIX/AD Kerberos authentication works without the presence of a keytab file so I'd like to know whether I should worry about it (given I'll need an individual keytab for each server I want to provide AD authentication services on).
The primary use of the local keytab during local authentication is to protect against KDC spoofing.
Kerberos login authentication works by requesting a TGT from the Kerberos KDC and then decrypting it with a key formed from the password entered locally. If that decryption works, the login is considered successful (if there's no keytab). The problem with this approach is that the attacker could be simultaneously spoofing the KDC reply with a TGT encrypted in the password the attacker chose. If the system gets that reply before the real reply, it will happily decrypt it with the attacker's password and then consider the authentication successful. This is fairly easy to do if one has a system on the same local network, given that Kerberos is a UDP protocol.
If there is a local keytab, the login process takes one more step: it asks the KDC for a service ticket for the principal stored in the local keytab, and then validates that ticket by decrypting it with the key in the keytab. The attacker's KDC has no knowledge of the private key of the keytab on the system, and therefore will fail this step. (This means, of course, that the system keytab needs to be locked down to only be accessible by root, since anyone who can access the keytab can still successfully attack the system.)
(Qualifications: I'm the author of the Kerberos PAM module used in Debian and Ubuntu.)