kadm5.acl rights for foreign principals

Ken Hornstein kenh at cmf.nrl.navy.mil
Tue Mar 12 14:36:26 EST 2002


>If only GSS-API had a concept of "initial" credentials so that acceptors
>could request initial credentials. But that would necessitate a
>gss_acquire_cred() API that could handle user prompting.

I don't even think this is a GSSAPI issue.  I mean, you can't do cross-realm
unless you're doing a TGS_REQ, and you're prohibited from using a TGS_REQ
to get a kadmin/admin ticket.  You couldn't fix this even with raw Kerberos.

--Ken


