I have a toolset deployed at Carnegie Mellon that attempts to address some of these problems (automatic rekeying of services and purging of old keys from keytabs). https://github.com/cg2v/krb-rekey
The protocol is probably too cute and non-standard for people to want to use, and there isn't nearly enough documentation, but if there's interest, I might be able to work on changes to make it more useful.
