Thanks for the bug report, and apologies for not having time to look into this last week.

It looks like ksu's behavior changed in release 1.13 as a result of this pull request:

https://github.com/krb5/krb5/pull/170

although it may have been partially broken since referrals support was introduced in release 1.6. Pull request 170 was motivated by a bug caused by the referrals changes. At that time, we didn't realize that the fix we arrived at (simplifying the ksu code) created a mismatch with the documented behavior.

I can see several possible remedies here:

1. Change the documentation to match the code (talk only about using a cached TGT).

2. Restore the documented behavior, but only make it work if the canonicalized local hostname matches the host principal in the ccache service ticket and the system keytab.

3. Restore the documented behavior, and make it work for any host principal in the system keytab.

The serverfault post contains a lot of detail about the test case, but doesn't explain why the documented behavior is important in this use case. Is there a reason why it's not sufficient for ksu to look for a TGT in the ccache and make a TGS request to verify it?