Using ktadd seems to invalidate the passwd

Phillip Moore w.phillip.moore at gmail.com
Tue Oct 12 12:06:25 EDT 2010


I'm using the pre-packaged MIT Kerberos 1.6.1 on CentOS 5.5 to set up a test
environment, where I am lazy, and simply set the various passwords to match
the usernames (I have no need for "real" security here -- this is just a
dataless test environment).

I do this, so that I can debug problems by acquiring tickets/tokens as any
of the test env users trivially.  However, in the server software I'm
developing, I obviously don't make such an assumption.   That software uses
keytab files for each user to acquire tickets and/or tokens.

When setting up the environment, I create the principals using:

   add_principal -pw $principal $principal@$realm

Then I extract the keytab file for use in the test suite using:

   ktadd -k /path/to/$principal.keytab $principal

I've discovered that as soon as I run ktadd, then I can no longer manually
authenticate as that principal anymore.

   kinit(v5): Password incorrect while getting initial credentials

I create 8 different users, and extract keytab files for only 3 of them.
They are all created with the same add_principal command, and I can only
manually authenticate as the 5 that have NOT had a keytab extracted.

Now, I'm assuming that the act of extracting the keytab has a side effect,
but it's not clear how to work around it.   If I reset the password using
kadmin, that increments the kvno, which will mean I have to re-extract the
keytab files, which will make the password invalid, which means....

There's something simple and subtle here I'm missing.  I don't see a means
of setting the password and extracting the keytab file in a single kadmin
operation, for example.

What am I doing wrong?


