Kerberos FAQ, v2.0 (last modified 8/18/2000)
Section - 2.9. I just added a host key to a machine with ktadd, and the kvno got incremented! What just happened?



Top Document: Kerberos FAQ, v2.0 (last modified 8/18/2000)
Previous Document: 2.8. What do I need to do to make V4 clients work with my V5 KDC?
Next Document: 2.10. How do I run kadmin from a shell script unattended?

The protocol that kadmin uses has no way of extracting a key from the
database. That was a deliberate design decision; it prevents a compromised
admin account from being able to read out all of the keys from the database.

However, there is a way to create a new random key and return this key to
the client program. This is used by the ktadd command of kadmin to get a new
key to add to a keytab. A new random key is created for the principal, and
as a result, the kvno gets incremented (just like when a user changes their
password). The returned random key then gets added to the keytab.

This has a couple of noteworthy side effects. You can't use ktadd to add the
same key to more than one host, because the key will be changed on the
second host you add it to. Also, since you'll be creating a new key, tickets
created with the old key will no longer be valid. You can work around this
by saving the old key in the keytab, but if you're regenerating a key
because the previous one didn't match the one in the KDC, you will need to
have your users acquire new service tickets (by running kinit or the
equivalent) before they will get tickets encrypted with the new key.
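The behaviour described above, as an added toy model (not code from the FAQ or from any Kerberos implementation): a KDC that holds one current key and kvno per principal, a ktadd that randomizes the key (bumping kvno) and appends it to a keytab, and a service-side check that picks the keytab entry matching the kvno carried in the ticket. The HMAC stands in for ticket encryption, and the principal and host names are constructed.

```python
import hmac, hashlib, os
from dataclasses import dataclass, field

# Toy model: the KDC holds (kvno, key) per principal; ktadd asks the KDC for a
# fresh random key (kvno + 1) and appends it to a keytab; a service ticket is
# sealed with the current key and tagged with that key's kvno, which is how
# the service picks the right keytab entry.

def _seal(key, payload):
    # Stand-in for encrypting the ticket under the service key.
    return hmac.new(key, payload, hashlib.sha256).digest()

@dataclass
class Keytab:
    entries: dict = field(default_factory=dict)  # (principal, kvno) -> key

    def accepts(self, ticket):
        """Service side: look up the entry with the ticket's kvno and verify."""
        principal, kvno, sealed = ticket
        key = self.entries.get((principal, kvno))
        return key is not None and hmac.compare_digest(_seal(key, principal.encode()), sealed)

@dataclass
class KDC:
    principals: dict = field(default_factory=dict)  # principal -> (kvno, key)

    def ktadd(self, principal, keytab):
        """Model of kadmin's ktadd: new random key, kvno incremented, appended to keytab."""
        kvno = self.principals.get(principal, (0, None))[0] + 1
        key = os.urandom(32)
        self.principals[principal] = (kvno, key)
        keytab.entries[(principal, kvno)] = key  # older entries stay in the keytab
        return kvno

    def issue_ticket(self, principal):
        kvno, key = self.principals[principal]
        return (principal, kvno, _seal(key, principal.encode()))

def demo(principal="host/a.example.com"):
    kdc, host_a, host_b = KDC(), Keytab(), Keytab()
    kdc.ktadd(principal, host_a)           # kvno 1 lands on host A
    t1 = kdc.issue_ticket(principal)
    kdc.ktadd(principal, host_b)           # same principal on host B: KDC key changes, kvno 2
    t2 = kdc.issue_ticket(principal)
    kdc.ktadd(principal, host_b)           # re-key host B; its kvno 2 entry is retained
    t3 = kdc.issue_ticket(principal)
    return {"kvno": kdc.principals[principal][0],
            "a_old": host_a.accepts(t1), "a_new": host_a.accepts(t2),
            "b_t2": host_b.accepts(t2), "b_t3": host_b.accepts(t3)}
```

Host A can still validate the ticket issued before the second ktadd but not the one issued after it, while host B, which kept its previous entry, accepts both the old and the new ticket.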


Send corrections/additions to the FAQ Maintainer:
Ken Hornstein <kenh@cmf.nrl.navy.mil>
Last Update March 27 2014 @ 02:11 PM