The Alfresco documentation seems to consider only LDAP or Active Directory cases.
In my case, all users are in MIT Kerberos, but I don't use LDAP nor Active Directory.
What authentication chain should I use?
ldap1:ldap
is what the documentation seems to suggest, but I guess it won't work as I don't even have an LDAP server.
I think you should configure an LDAP (or AD) server, as Kerberos alone doesn't have any mechanism of allowing users to be in different groups, which allows you to map them to roles in Alfresco's RBAC mechanism.
So you'll need to have some mechanism of user-grouping in your authentication backend, and AD is probably the easiest way to go about that.