kadm5_decrypt_key returns EINVAL

SFBZH@aol.com SFBZH at aol.com
Thu Sep 8 10:49:50 EDT 2005


I want to get a service's key in a C program. I use the MIT kadm5 API on a Linux station (Red Hat 6.2) and an MIT Kerberos server on the same station.

I have recorded a service in the KDC with a random key. I have recorded a client called admin/admin at DOMAIN.
*/admin has the rights * on the principals * in the KDC's ACL file.

I connect to the admin server as this admin/admin user with kadm5_init_with_password. I krb5_parse_name the service name and get the service principal with kadm5_get_principal, with the options KADM5_KEY_DATA | KADM5_PRINCIPAL.
All these functions return 0 (success). I'm on the same station as the KDC so I should have the rights to use the KADM5_KEY_DATA function.

When I launch kadm5_decrypt_key with no filter, it returns EINVAL. The key_data array of the kadm5_principal_ent_t returned by kadm5_get_principal is empty. (no key for my service)

I'm sure that the service has a key on the KDC because I have managed to authenticate a client on it (so the server has encrypted a ticket with its key). And the kadmind log file indicates that the "get_principal" request was a success.

What have I done wrong?
Best regards

M

