On Wed, Jul 23, 2008 at 05:55:20PM -0700, Russ Allbery wrote:
> Nicolas Williams writes:
> > On Wed, Jul 23, 2008 at 02:01:43PM -0400, Michael B Allen wrote:
>
> >> Extracting the keys from AD is not possible [1].
>
> > Nor is it possible to extract them from MIT krb5 KDCs.
>
> It is as of 1.6 using kadmin.local (not that this changes the rest of your
> point).


Right, it doesn't -- running kadmin.local on the KDC with sufficient
privilege qualifies as "privileged access to a KDC"