keytab, kvno, ktadd, and existing tickets

Nico Williams nico at cryptonector.com
Sat Jul 23 03:07:10 EDT 2011


ktadd does not "extract" keys.  It sets new ones.  The fact that the
kvno changes is a side issue -- what breaks you is that the keys
change and you didn't expect that.  MIT krb5 has no other tool to
extract keys without changing them.  However, you can use the -keepold
option to make this a little more tolerable.  The MIT kadm5 API does
allow you to extract keys, but only on the KDC proper (i.e., only when
using libkadm5srv).

If you really need this you might try
http://oskt.secure-endpoints.com/krb5_admin.html
(http://oskt.secure-endpoints.com/git/krb5_admin).  krb5_admin allows
you to extract keytabs and works with MIT krb5.  If you don't go with
this approach then I recommend what you suggested: ktadd on one server
and copy the keytab to the others (if need be using ktutil to merge
keytabs).

Incidentally, Heimdal's kadmin client also can extract keys without
setting new ones, but only with Heimdal kadmind.

Nico
--
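As an added example, not part of Nico's message or of any tool he names: a small parser for the version-2 keytab file format that compares two keytab copies and reports which principals' kvno moved, which is the check to run before trusting the copy left on the other servers after ktadd was run on one of them. The realm, principal, enctype and key bytes are constructed sample values.

```python
import struct
MAGIC = b"\x05\x02"  # keytab file format version 2 (MIT and Heimdal)

def build_entry(realm, components, vno, enctype, key):  # serialize one entry (sample data only)
    body = struct.pack(">H", len(components))
    for s in [realm] + components:  # realm first, then each name component
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 0, vno & 0xFF)  # name_type, timestamp, 8-bit kvno
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", vno)  # optional 32-bit kvno extension
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    # Yield (principal, kvno, enctype, key) for each live entry in keytab bytes.
    if data[:2] != MAGIC:
        raise ValueError("not a version-2 keytab")
    off = 2
    def take(fmt):  # unpack big-endian fields at the cursor and advance it
        nonlocal off
        vals = struct.unpack_from(">" + fmt, data, off)
        off += struct.calcsize(">" + fmt)
        return vals
    while off + 4 <= len(data):
        size = take("i")[0]
        if size < 0:  # a negative size marks a hole left by a removed entry
            off -= size
            continue
        end = off + size
        names = []  # realm first, then the principal's name components
        for _ in range(take("H")[0] + 1):
            names.append(take("%ds" % take("H")[0])[0].decode())
        vno8, enctype, klen = take("8xBHH")  # skips name_type and timestamp
        key = take("%ds" % klen)[0]
        vno = (take("I")[0] if end - off >= 4 else 0) or vno8  # 32-bit kvno wins when non-zero
        off = end
        yield "/".join(names[1:]) + "@" + names[0], vno, enctype, key

def kvno_changes(old_data, new_data):
    # Principals whose highest kvno differs between two keytab copies: {principal: (old, new)}.
    def highest(data):
        best = {}
        for princ, vno, _, _ in parse_keytab(data):
            best[princ] = max(best.get(princ, 0), vno)
        return best
    old, new = highest(old_data), highest(new_data)
    return {p: (old.get(p), new.get(p)) for p in set(old) | set(new) if old.get(p) != new.get(p)}

# Constructed sample: the copy still on server B (kvno 3) and server A's file after ktadd appended kvno 4.
PRINC = ("EXAMPLE.COM", ["host", "www.example.com"])
SERVER_B = MAGIC + build_entry(*PRINC, 3, 18, b"\x11" * 32)
SERVER_A = SERVER_B + build_entry(*PRINC, 4, 18, b"\x22" * 32)
```

A non-empty result from kvno_changes means the older copy will reject tickets issued under the new kvno until the new entry is merged into it (ktutil) or the keytab is recopied.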
