The sequence:
addprinc -randkey -e des-cbc-md5:normal test
cpw -randkey -keepold -e aes256-cts-hmac-sha1-96:normal test
ktad -norandkey test

will produce a keytab containing both the DES key and the AES key, but both keys are marked as 
kvno 2 (whereas the DES key should be kvno 1).

src/kadmin/cli/keytab.c's add_principal() (in the norandkey case) goes and gets the principal 
keys, and then separately gets the principal from the DB, and then uses the kvno from the 
get_principal output for all keys.

Reported by Peter Grandi (pg@afs.list.sabi.co.UK) on openafs-info@openafs.org.