alt Hacker Newskerberos solves the problem that you can have short one time tokens using your password.
Add public key infrastructure support, make ldap the default store and you got AD. Even better, you can throw all the OAuth crap down the drain.
now, starting services with a password becomes an issue of booting the machine.
No one would build KRB4/5 today, it makes no sense. It's only advantage over an X.509 cert based system is speed on really really slow CPUs.