Alfresco authentication chain for (MIT) Kerberos only? (no LDAP, no AD)
Solution 1:
I think you should configure an LDAP (or AD) server, as Kerberos alone doesn't have any mechanism of allowing users to be in different groups, which allows you to map them to roles in Alfresco's RBAC mechanism.
So you'll need to have some mechanism of user-grouping in your authentication backend, and AD is probably the easiest way to go about that.