When ktadmin is used to put a principal with kvno 320 into a file, klist and kutil both show that the file has a kvno of 64. Kaduk states "It is almost certain that klist is assuming the kvno is an 8-bit field, so 320 wraps around to 64. (In krb4, the kvno field actually was 8 bits.)" which would be consistent with both getprinc and klist's kvno incrementing 'independently' Sample log: kadmin.local: getprinc cfengine-policyhost/admin@EXAMPLE.COM Principal: cfengine-policyhost/admin@EXAMPLE.COM Expiration date: [never] Last password change: Sat Jan 05 00:46:15 GMT 2013 Password expiration date: [none] Maximum ticket life: 0 days 10:00:00 Maximum renewable life: 7 days 00:00:00 Last modified: Sat Jan 05 00:46:15 GMT 2013 (root/admin@EXAMPLE.COM) Last successful authentication: Sat Jan 05 00:16:01 GMT 2013 Last failed authentication: Sat Jan 05 00:14:55 GMT 2013 Failed password attempts: 0 Number of keys: 4 Key: vno 319, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt Key: vno 319, ArcFour with HMAC/md5, no salt Key: vno 319, Triple DES cbc mode with HMAC/sha1, no salt Key: vno 319, DES cbc mode with CRC-32, no salt MKey: vno 1 Attributes: REQUIRES_PRE_AUTH Policy: service kadmin.local: ktadd -k /tmp/newfile cfengine-policyhost/admin Entry for principal cfengine-policyhost/admin with kvno 320, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/tmp/newfile. Entry for principal cfengine-policyhost/admin with kvno 320, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/tmp/newfile. Entry for principal cfengine-policyhost/admin with kvno 320, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/tmp/newfile. Entry for principal cfengine-policyhost/admin with kvno 320, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/tmp/newfile. kadmin.local: 0 root@caffeine:/var/cfengine/inputs[2] klist -k /tmp/newfile Keytab name: WRFILE:/tmp/newfile KVNO Principal ---- -------------------------------------------------------------------------- 64 cfengine-policyhost/admin@EXAMPLE.COM 64 cfengine-policyhost/admin@EXAMPLE.COM 64 cfengine-policyhost/admin@EXAMPLE.COM 64 cfengine-policyhost/admin@EXAMPLE.COM 0 root@caffeine:/var/cfengine/inputs[2]