In a test environment, even with krb5-1.11.3, I noticed a database reload (full resync) may still fail and result in the ulog being updated with the new serial number, resulting in an inconsistent environment.

I have another patch available which seems to fix the condition. Specifically, I have seen the condition occur with an accompanying log message:

…/kdb5_util returned a bad exit status (2)

krb5-1.11

https://github.com/rbasch/krb5/commit/83c34de8a740711961d05fde150cc8b16e68f9e1

krb5-1.10

https://github.com/rbasch/krb5/commit/638b2e299157b1c2e637cb992bc07cf9f5598594