diff --git a/kadmin/server.c b/kadmin/server.c
index c207b5515..28d0f2197 100644
--- a/kadmin/server.c
+++ b/kadmin/server.c
@@ -293,10 +293,14 @@ kadmind_dispatch(void *kadm_handle, krb5_storage *sp)
 	}
 	krb5_unparse_name_fixed(context->context, princ, name, sizeof(name));
 	krb5_warnx(context->context, "%s: %s %s", client, op, name);
+#if 0
 	/* anyone can change her/his own password */
+	/* but not until there is a way to ensure that the
+           authentication was done via an initial ticket request */
 	if(!krb5_principal_compare(context->context, context->caller, princ))
 	    ret = KADM5_AUTH_INSUFFICIENT;
 	if(ret)
+#endif
 	    ret = _kadm5_acl_check_permission(context, KADM5_PRIV_CPW);
 	if(ret){
 	    krb5_free_principal(context->context, princ);
@@ -317,10 +321,14 @@ kadmind_dispatch(void *kadm_handle, krb5_storage *sp)
 	    goto fail;
 	krb5_unparse_name_fixed(context->context, princ, name, sizeof(name));
 	krb5_warnx(context->context, "%s: %s %s", client, op, name);
+#if 0
 	/* anyone can change her/his own password */
+	/* but not until there is a way to ensure that the
+           authentication was done via an initial ticket request */
 	if(!krb5_principal_compare(context->context, context->caller, princ))
 	    ret = KADM5_AUTH_INSUFFICIENT;
 	if(ret)
+#endif
 	    ret = _kadm5_acl_check_permission(context, KADM5_PRIV_CPW);
 	if(ret){
 	    krb5_free_principal(context->context, princ);
diff --git a/lib/kadm5/server.c b/lib/kadm5/server.c
index c207b5515..28d0f2197 100644
--- a/lib/kadm5/server.c
+++ b/lib/kadm5/server.c
@@ -293,10 +293,14 @@ kadmind_dispatch(void *kadm_handle, krb5_storage *sp)
 	}
 	krb5_unparse_name_fixed(context->context, princ, name, sizeof(name));
 	krb5_warnx(context->context, "%s: %s %s", client, op, name);
+#if 0
 	/* anyone can change her/his own password */
+	/* but not until there is a way to ensure that the
+           authentication was done via an initial ticket request */
 	if(!krb5_principal_compare(context->context, context->caller, princ))
 	    ret = KADM5_AUTH_INSUFFICIENT;
 	if(ret)
+#endif
 	    ret = _kadm5_acl_check_permission(context, KADM5_PRIV_CPW);
 	if(ret){
 	    krb5_free_principal(context->context, princ);
@@ -317,10 +321,14 @@ kadmind_dispatch(void *kadm_handle, krb5_storage *sp)
 	    goto fail;
 	krb5_unparse_name_fixed(context->context, princ, name, sizeof(name));
 	krb5_warnx(context->context, "%s: %s %s", client, op, name);
+#if 0
 	/* anyone can change her/his own password */
+	/* but not until there is a way to ensure that the
+           authentication was done via an initial ticket request */
 	if(!krb5_principal_compare(context->context, context->caller, princ))
 	    ret = KADM5_AUTH_INSUFFICIENT;
 	if(ret)
+#endif
 	    ret = _kadm5_acl_check_permission(context, KADM5_PRIV_CPW);
 	if(ret){
 	    krb5_free_principal(context->context, princ);