> So, shouldn't use of Kerberos for password changing depend on presence
> of DNS in the nsswitch.conf entry for password?  

No.  the "passwd" line in nsswitch.conf concerns /etc/passwd file
lookups (a.k.a "gethostbyname()"), and the "dns" source for password
lookups is hesiod (a thin veneer over DNS), not kerberos.

Kerberos does not manage passwd file entries; it just does user
authentication.

Control of the use of kerberos for user authentication should be done
by something which fits in the same niche as PAM or the BSDI
authentication extensions.

					- Bill