There's also a race in normal service key rotation. Observed by thinking about the code. This is less severe than 5338 (which I just filed) but still should be fixed.

When you use ktadd via kadmin:

1. the interface provides a WO interface to the Kerberos DB,
2. the KDC updates its database to have the new key,
3. the KDC tells you what the new key is,
4. you install the new key in your keytab.

If a client beats you between steps 2 and 4 then it will have a fatal error (for any reason, including network lossage, kadmin client crash, etc.).

The solution to this is to write your own key rotation program which sets the password over kadmin AFTER you update your keytab.
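
The two orderings described above, as a toy model. This is an added example, not part of the original report and not krb5 code. The `KDC` class, `accepts`, and the stage names are hypothetical. It assumes the rotation program can choose the next key version number (current + 1) and that the keytab keeps the old key alongside the new one.

```python
# Toy model (constructed): the KDC encrypts service tickets under its newest
# key version (kvno); the service accepts only kvnos present in its keytab.
import secrets

class KDC:
    def __init__(self):
        self.keys = {1: secrets.token_bytes(16)}
    def kvno(self):
        return max(self.keys)
    def randomize_key(self):          # ktadd steps 2-3: KDC makes the key, returns it
        k = self.kvno() + 1
        self.keys[k] = secrets.token_bytes(16)
        return k, self.keys[k]
    def set_key(self, kvno, key):     # caller-chosen key, pushed to the KDC
        self.keys[kvno] = key
    def issue_ticket(self):           # a client asks for a service ticket
        k = self.kvno()
        return k, self.keys[k]

def accepts(keytab, ticket):
    kvno, key = ticket
    return keytab.get(kvno) == key

def ktadd_order(kdc, keytab):
    """KDC first, keytab second (the order in the report)."""
    yield "before rotation"
    kvno, key = kdc.randomize_key()
    yield "KDC updated, keytab not yet written"
    keytab[kvno] = key
    yield "rotation complete"

def keytab_first_order(kdc, keytab):
    """Keytab first, KDC second (the proposed fix)."""
    kvno, key = kdc.kvno() + 1, secrets.token_bytes(16)
    yield "before rotation"
    keytab[kvno] = key                # old key stays in the keytab
    yield "keytab written, KDC not yet updated"
    kdc.set_key(kvno, key)
    yield "rotation complete"

def failing_windows(procedure):
    """At every pause in the rotation, a client fetches and presents a ticket."""
    kdc = KDC()
    keytab = dict(kdc.keys)
    return [stage for stage in procedure(kdc, keytab)
            if not accepts(keytab, kdc.issue_ticket())]
```

If the rotation stops at a stage listed by `failing_windows` (network loss, client crash), the service stays in that failing state until someone repairs the keytab.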