You are right. A user is able to change its Kerberos 5 password with one of the following methods:
1) Login in the web interface of Zeroshell with its username and password;
2) using the Unix kpasswd command
3) using the passwd command if the PAM modulea are Kerberos 5 compliant
4) Pressing [CTRL][ALT][DEL] on a Windows 2000/XP/Vista workstation that can use the Kerberos REALM to authenticate the user.