got incremented! What just happened?
The protocol that kadmin uses has no way of extracting a key from the database. That was a deliberate design decision; it prevents a compromised admin account from being able to read out all of the keys from the database. However, there is a way to create a new random key and return this key to the client program. This is used by the ktadd command of kadmin to get a new key to add to a keytab. A new random key is created for the principal, and as a result, the kvno gets incremented (just like when a user changes their password). The returned random key then gets added to the keytab. This has a couple of noteworthy side effects. You can’t use ktadd to add the same key to more than one host, because the key will be changed on the second host you add it to. Also, since you’ll be creating a new key, tickets created with the old key will no longer be valid. You can work around this by saving the old key in the keytab, but if you’re regenerating a key because the previous one didn’t match th
