Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.427 (Entity 5.427) X-RT-Original-Encoding: iso-8859-1 Content-Length: 454 When kadmind performs a password change on behalf of a principal, it stored kadmind@REALM in the mod_princ data instead of the original principal that authenticated against kadmind. This makes the mod_princ field much less useful as you cannot use it's data to determine who actually performed the password change. Also in the DAL the mod_princ data is the only way to know who operated the password change in order to take decisions based on that datum.