When there is a valid Administrator@REALM krb5 ticket in the credentials cache, net ads join should use that instead of asking for a password again.
Very good point :-) I'm looking into that.
Kerberized join is implemented in 3-3-test now, just you need to give the "-k" switch. I'm a bit reluctant to magically detect krb5 tickets around (what we don't do for other samba client tools neither), so resolving this as fixed.