That's exactly the reason. The Kerberos ticket cache is a file and the user running klist needs to have access to the credential cache or better yet from a security perspective, the users that need tickets for a principal should have read access to the keytab. These users can then kinit with the keytab.
↧