From what I understand, a user's password hash is never sent between the client and the DC when using Kerberos in Active Directory.
This is my understanding of the login process in Kerberos.
When a user types in the password to log in to the computer, it sends the username (not the password) in plain text to the DC (KDC), and the DC (KDC) checks the username against its Active Directory DB. When it finds the matching username, it encrypts the session key with the user's password hash and sends it, along with the TGT, to the client. If the client is able to decrypt the session key using the user's password hash, the authentication is successful.
But how does the DC (KDC) have the users' password hashes in the first place if Kerberos was used as the default authentication technology in the domain?
I thought that in Kerberos, the password hashes are not sent.
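
The exchange described in the post, as an added example that is not part of the original post: a toy KDC and client in which only the username crosses the wire during login. Assumptions: PBKDF2 and the HMAC-based `seal`/`unseal` are stand-ins for Kerberos string-to-key and its encryption types, the realm, user and password are constructed, and `set_password` models the password being set on the KDC side outside the login exchange.

```python
import hashlib, hmac, os

def derive_key(password, salt):
    # Stand-in for string-to-key: anyone who knows the password can compute this.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096)

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, plaintext):
    # Toy authenticated encryption (XOR keystream + HMAC tag), illustration only.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("decryption failed: wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class KDC:
    def __init__(self, realm):
        self.realm, self.db = realm, {}
        self.tgs_key = os.urandom(32)  # key of the ticket-granting service, never leaves the KDC

    def set_password(self, user, password):
        # Runs when the account's password is set, not during login (assumption of this example).
        self.db[user] = derive_key(password, self.realm + user)

    def as_request(self, user):
        # The request carries the username only; the stored key encrypts the reply.
        session_key = os.urandom(32)
        enc_part = seal(self.db[user], session_key)
        tgt = seal(self.tgs_key, user.encode() + b"|" + session_key)
        return enc_part, tgt

def client_login(kdc, user, typed_password):
    enc_part, tgt = kdc.as_request(user)                 # username out, ciphertext back
    key = derive_key(typed_password, kdc.realm + user)   # derived locally, never sent
    return unseal(key, enc_part), tgt                    # raises ValueError on a wrong password

if __name__ == "__main__":
    kdc = KDC("EXAMPLE.TEST")                  # constructed realm
    kdc.set_password("alice", "correct horse") # constructed account
    print(len(client_login(kdc, "alice", "correct horse")[0]), "byte session key recovered")
```
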