I was experimenting with a Kerberos database which was constructed in the early 1990s when the db_creation would create krbtgt with kvno = 0.
If you try to update the krbtgt, using “cpw –randkey –keepold krbtgt/XXX”, the old key cannot effectively be used by clients. *_search_enctypes and *_find_enctypes allow kvno to be passed in as a search criteria, but the default routine (in lib/kdb/kdb_default.c) will treat kvno=0 as a flag to return the latest kvno. Ironically, it also treats -1 the same way.
This problem with krbtgt key rotation only occurs when you have a krbtgt with kvno=0 (which again can happen if the database was created long ago but the key was never updated).
A quick fix is to change the KDC code to pass in kvno=-1 when searching for “latest key” and change the routine such that kvno=0 will return kvno 0 if found or latest key if not found (that way, the API is relatively cleanly preserved).
lib/kdb/kdb_default.c
Fix calls from:
plugins/kdb/hdb/kdb_windc.c
kdc/kdc_preauth.c
kdc/kdc_preauth_encts.c
kdc/do_as_req.c
kdc/do_tgs_req.c
kdc/kdc_util.c
If you agree with the above approach, I will send in a patch… (though it is probably not difficult to re-implement with the above description of the framework).