Well, Idon't know at all.
In my box, it has configured
/etc/krb5.conf (setting REALM, etc...)
/etc/nsswitch.conf (passwd, group)
... and some other stuff.
It works very well. It's better than Likewise Open from 6 years ago.
I haven't read the whole document, and I don't know if the software uses the best method (NTLM, SPNEGO, Kerberos) every time.
SSO on Apache uses Kerberos and needs a keytab file.
In the other hand, I've found that I can use my AD LDAP using TLS on port 636, and don't need SPNEGO neither Kerberos.
As I'm interested on Apache SSO, I'll continue this way.
Regards,
Javier