Also related is the MIT "ktadd problem." The MIT kadmin ktadd command does not extract keys from the KDC; rather, it generates new keys, writes them into the keytab, then replaces the keys for the principal in the KDC. Only kadmin.local has the ability to extract keys; the kadmin RPC interface simply will not return them. This is touted as a security feature, preventing a compromised kadmin account from reading out everyone's keys. The problem is that this means that a single errant ktadd command will break a running service: if it doesn't update the right keytab, the KDC immediately starts issuing service tickets encrypted with new keys the service doesn't have. If you have multiple servers for the same service (say behind a load balancer), you can't just go to them one after another and use ktadd to create or update their keytabs: each time you run it, you change the keys and break all the other service instances. You have to create the keytab once and then distribute it separately (e.g. with scp).
The operational hazard of this security feature is so dire that years ago I hacked our MIT KDC to add key extraction to the RPC protocol and make it the default for our ktadd command. Heimdal doesn't have this issue.
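As an added example (not from the original post or from MIT Kerberos itself), a small POSIX sh check for the failure mode described above: it compares the highest kvno in a host's keytab (the output of `klist -k`) with the kvno the KDC currently holds for the principal (the output of `kadmin -q "getprinc ..."`), so an instance left behind by a ktadd run elsewhere can be spotted before users see ticket decryption failures. The sample outputs below are constructed, not captured from a real KDC.

```shell
#!/bin/sh
# Constructed sample output of: klist -k /etc/krb5.keytab
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   3 HTTP/app.example.com@EXAMPLE.COM
   3 HTTP/app.example.com@EXAMPLE.COM'

# Constructed sample output of: kadmin -q "getprinc HTTP/app.example.com"
# (a ktadd run on another host has already bumped the KDC to vno 4)
SAMPLE_GETPRINC='Principal: HTTP/app.example.com@EXAMPLE.COM
Expiration date: [never]
Key: vno 4, aes256-cts-hmac-sha1-96
Key: vno 4, aes128-cts-hmac-sha1-96'

# Highest kvno held in the keytab for one principal.
# $1 = principal, stdin = klist -k output
keytab_kvno() {
  awk -v p="$1" '$1 ~ /^[0-9]+$/ && $2 == p { if ($1+0 > max) max = $1+0 }
                 END { print max+0 }'
}

# Highest kvno the KDC will issue tickets with.
# stdin = kadmin getprinc output ("Key: vno N, enctype" lines)
kdc_kvno() {
  awk '/^Key: vno / { sub(",", "", $3); if ($3+0 > max) max = $3+0 }
       END { print max+0 }'
}

# Returns 0 when the keytab can decrypt current tickets, 1 when it is stale.
# $1 = principal, $2 = klist -k text, $3 = getprinc text
check_keytab() {
  kt=$(printf '%s\n' "$2" | keytab_kvno "$1")
  kdc=$(printf '%s\n' "$3" | kdc_kvno)
  if [ "$kt" -eq "$kdc" ]; then
    echo "ok: keytab kvno $kt matches KDC"
    return 0
  fi
  echo "STALE: keytab has kvno $kt, KDC issues kvno $kdc (was ktadd run elsewhere?)"
  return 1
}

# Demo on the constructed samples: reports the stale keytab (exit status 1).
check_keytab 'HTTP/app.example.com@EXAMPLE.COM' "$SAMPLE_KLIST" "$SAMPLE_GETPRINC" || true
```

On a real host, feed `klist -k` and `kadmin -q "getprinc <principal>"` output into the same functions; a mismatch on one server behind a load balancer is the signature of the problem the post describes.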