#6569 Switch from kadmin.local to API calls + ipa-getkeytab for setting up service principals/keys
Opened 7 years ago by mbabinsk. Modified 7 years ago

The kadmin.local interface should ideally be used only for bootstrapping the Kerberos realm container and nothing else. Its use for creation of service principals and their keys is strongly discouraged due to the potential risks involved.

There is groundwork in place intended to replace the ad-hoc principal manipulation methods in the installer with a unified workflow using service-add + ipa-getkeytab (see #6405 and #6409 for more info); however, due to time constraints, only the DS and HTTP installers were migrated to the new workflow.

We should migrate the remaining service installers to use a single consistent principal/keytab retrieval method to reduce code duplication and improve the robustness of kerberized service creation during server/replica installation and upgrade.


Should ideally be fixed in 4.6. Rather moving to 4.5 backlog than Future releases.

Metadata Update from @mbabinsk:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog

7 years ago
