diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index 07ed841f6a..1d64c7c0a3 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -4245,7 +4245,8 @@ export {
 module KRB;
 export {
- const keytab = "/etc/krb5.keytab" &redef;
+ ## Kerberos keytab file name. Used to decrypt tickets encountered on the wire.
+ const keytab = "" &redef;
 ## KDC Options. See :rfc:`4120`
 type KRB::KDC_Options: record {
 ## The ticket to be issued should have its forwardable flag set.
diff --git a/src/analyzer/protocol/krb/KRB.cc b/src/analyzer/protocol/krb/KRB.cc
index 4a13aec425..5a41b0b99b 100644
--- a/src/analyzer/protocol/krb/KRB.cc
+++ b/src/analyzer/protocol/krb/KRB.cc
@@ -13,6 +13,9 @@ KRB_Analyzer::KRB_Analyzer(Connection* conn) interp = new binpac::KRB::KRB_Conn(this); #ifdef USE_KRB5 + if ( BifConst::KRB::keytab->Len() == 0 ) + return; // no keytab set + const char* keytab_filename = BifConst::KRB::keytab->CheckString(); if ( access(keytab_filename, R_OK) != 0 ) {
diff --git a/testing/btest/Baseline/scripts.base.protocols.krb.smb2_krb_nokeytab/.stderr b/testing/btest/Baseline/scripts.base.protocols.krb.smb2_krb_nokeytab/.stderr
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/Baseline/scripts.base.protocols.krb.smb2_krb_nokeytab/.stdout b/testing/btest/Baseline/scripts.base.protocols.krb.smb2_krb_nokeytab/.stdout
new file mode 100644
index 0000000000..cf84443e49
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.krb.smb2_krb_nokeytab/.stdout
@@ -0,0 +1 @@
+F
diff --git a/testing/btest/scripts/base/protocols/krb/smb2_krb_nokeytab.test b/testing/btest/scripts/base/protocols/krb/smb2_krb_nokeytab.test
new file mode 100644
index 0000000000..0d2c68d142
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/krb/smb2_krb_nokeytab.test
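Review bot: In `scripts/base/init-bare.bro`, the new `##` comment on `const keytab = "" &redef;` does not say what the empty default means. Judging by the KRB.cc change in this commit, an empty value skips keytab setup, so ticket decryption stays off until the option is redefined; the comment should say so. Since a keytab holds long-term service keys, a line on file permissions is also worth adding, e.g. `## Empty (the default) disables decryption. The file holds long-term service keys; keep it readable only by the account running Bro.`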
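Review bot: In `src/analyzer/protocol/krb/KRB.cc`, the early `return; // no keytab set` added at the top of the `USE_KRB5` block leaves the constructor before anything that follows it, not just the keytab setup. The constructor continues outside this hunk, so it is not visible here whether the decryption path later checks a flag that is only set further down, or whether any initialisation after the `#endif` is skipped as well; both are worth confirming. Scoping the setup instead, `if ( BifConst::KRB::keytab->Len() > 0 ) { ... }`, or moving it into a helper would keep later additions to the constructor from being bypassed silently when no keytab is configured.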
@@ -0,0 +1,20 @@
+# This test verifies that without a keytab file no entries are
+# created and no errors happen.
+#
+# @TEST-REQUIRES: grep -q "#define USE_KRB5" $BUILD/bro-config.h
+#
+# @TEST-COPY-FILE: ${TRACES}/krb/smb2_krb.keytab
+# @TEST-EXEC: bro -C -r $TRACES/krb/smb2_krb.pcap %INPUT
+# @TEST-EXEC: btest-diff .stdout
+# @TEST-EXEC: btest-diff .stderr
+
+global monitor_ports: set[port] = { 445/tcp, 139/tcp } &redef;
+
+event bro_init() &priority=5{
+ Analyzer::register_for_ports(Analyzer::ANALYZER_SMB, monitor_ports);
+}
+
+event krb_ap_request(c: connection, ticket: KRB::Ticket, opts: KRB::AP_Options){
+ print ticket?$authenticationinfo;
+}
+
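Review bot: `# @TEST-COPY-FILE: ${TRACES}/krb/smb2_krb.keytab` copies a keytab into the test directory although the script never redefs `KRB::keytab`, so as far as this file shows nothing reads it. If the copy is deliberate, to show that a keytab lying in the working directory is not picked up without configuration, a comment such as `# The keytab is present but KRB::keytab stays empty, so it must not be used.` would make that clear; otherwise the line can be dropped. The header comment's "no entries are created" could also name what is actually checked, namely that `ticket?$authenticationinfo` prints `F` and `.stderr` stays empty.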