Managing Kerberos and Other Authentication Services in Oracle® Solaris 11.2


Updated: August 2014

Problems With Key Version Numbers

Sometimes, the key version number (KVNO) used by the KDC and the KVNO of the service principal keys stored in /etc/krb5/krb5.keytab for services hosted on the system do not match. The KVNO can get out of synchronization when a new set of keys is created on the KDC without updating the keytab file with the new keys. After diagnosing the problem, refresh the krb5.keytab file.

  1. List the keytab entries.

    The KVNO for each principal is the first item in each entry.

    # klist -k
    Keytab name: FILE:/etc/krb5/krb5.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
    2 host/denver.example.com@EXAMPLE.COM
    2 host/denver.example.com@EXAMPLE.COM
    2 host/denver.example.com@EXAMPLE.COM
    2 nfs/denver.example.com@EXAMPLE.COM
    2 nfs/denver.example.com@EXAMPLE.COM
    2 nfs/denver.example.com@EXAMPLE.COM
    2 nfs/denver.example.com@EXAMPLE.COM

  2. Acquire an initial credential by using the host key.

    # kinit -k

  3. Determine the KVNO that is used by the KDC.

    # kvno nfs/denver.example.com
    nfs/denver.example.com@EXAMPLE.COM: kvno = 3

    Note that the KVNO listed here is 3 instead of 2.
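As an added example (not part of the Oracle documentation), the following POSIX shell script automates the comparison made in steps 1 and 3: it parses the keytab listing and the KDC's answer and flags every principal whose keytab KVNO differs from the KVNO the KDC issues. KLIST_OUT and KVNO_OUT are constructed stand-ins for the output of klist -k and kvno; the principal names and KVNO values mirror the session above.

```shell
# Added example: compare each keytab KVNO with the KVNO the KDC reports.
# KLIST_OUT and KVNO_OUT are constructed sample output standing in for
# `klist -k` and `kvno`; for a live check set KLIST_OUT=$(klist -k) and
# KVNO_OUT=$(kvno "$principal") after `kinit -k` has succeeded.
KLIST_OUT='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------
   2 host/denver.example.com@EXAMPLE.COM
   2 host/denver.example.com@EXAMPLE.COM
   2 nfs/denver.example.com@EXAMPLE.COM
   2 nfs/denver.example.com@EXAMPLE.COM'

KVNO_OUT='host/denver.example.com@EXAMPLE.COM: kvno = 2
nfs/denver.example.com@EXAMPLE.COM: kvno = 3'

# keytab_kvno PRINCIPAL: highest KVNO stored for PRINCIPAL (0 if absent).
# The keytab holds one entry per encryption type, so lines repeat per KVNO.
keytab_kvno() {
    printf '%s\n' "$KLIST_OUT" |
        awk -v p="$1" '$1 ~ /^[0-9]+$/ && $2 == p && $1+0 > max { max = $1+0 }
                       END { print max+0 }'
}

# kdc_kvno PRINCIPAL: KVNO the KDC currently uses (empty if not reported).
kdc_kvno() {
    printf '%s\n' "$KVNO_OUT" | awk -v p="$1:" '$1 == p { print $NF }'
}

# check_principal PRINCIPAL: report one principal; returns 1 on a mismatch,
# which is the symptom the procedure above diagnoses.
check_principal() {
    kt=$(keytab_kvno "$1")
    kdc=$(kdc_kvno "$1")
    if [ -n "$kdc" ] && [ "$kt" = "$kdc" ]; then
        printf 'OK       %s kvno=%s\n' "$1" "$kt"
        return 0
    fi
    printf 'MISMATCH %s keytab=%s kdc=%s -> refresh krb5.keytab\n' "$1" "$kt" "${kdc:-unknown}"
    return 1
}

# check_all: walk every distinct principal in the keytab; returns 1 if any mismatch.
check_all() {
    rc=0
    for p in $(printf '%s\n' "$KLIST_OUT" | awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u); do
        check_principal "$p" || rc=1
    done
    return $rc
}
```

Run check_all on the host after kinit -k; a MISMATCH line points at the principal whose keys must be refreshed in the keytab.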