Figured this out…maybe this is only because I’ve installed on Ubuntu, but anyway…my /etc/krb5kdc/kadm5.acl was empty, so I added the following line to it to give my admin user’s all privileges:
*/admin@EXAMPLE.COM *
See this page for more info: http://docs.oracle.com/cd/E19683-01/806-4078/6jd6cjs1a/index.html