I was experimenting with a Kerberos database which was constructed in the early 1990s, when db_creation would create krbtgt with kvno = 0. If you try to update the krbtgt using "cpw -randkey -keepold krbtgt/XXX", the old key cannot effectively be used by clients.

*_search_enctypes and *_find_enctypes allow kvno to be passed in as a search criterion, but the default routine (in lib/kdb/kdb_default.c) will treat kvno=0 as a flag to return the latest kvno. Ironically, it also treats -1 the same way.

This problem with krbtgt key rotation only occurs when you have a krbtgt with kvno=0 (which, again, can happen if the database was created long ago but the key was never updated).

A quick fix is to change the KDC code to pass in kvno=-1 when searching for the "latest key", and to change the routine such that kvno=0 will return kvno 0 if found, or the latest key if not found (that way, the API is relatively cleanly preserved).

  lib/kdb/kdb_default.c

Fix calls from:

  plugins/kdb/hdb/kdb_windc.c
  kdc/kdc_preauth.c
  kdc/kdc_preauth_encts.c
  kdc/do_as_req.c
  kdc/do_tgs_req.c
  kdc/kdc_util.c

If you agree with the above approach, I will send in a patch (though it is probably not difficult to re-implement with the above description of the framework).
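To make the kvno lookup semantics concrete, here is an added illustration (not MIT krb5 code, and not the patch proposed above) that models the key list of a krbtgt principal after "cpw -randkey -keepold" and contrasts the described current lookup with the proposed one. The key_data struct, the find_key_* functions and the constructed kvno/enctype values are all assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a principal's key entries (not krb5_key_data). */
typedef struct {
    int kvno;
    int enctype;   /* 18 = aes256-cts, used here only as a sample value */
} key_data;

/* Lookup as described in the report: kvno 0 and -1 both mean "latest",
 * so a stored key whose real kvno is 0 can never be selected. */
static const key_data *find_key_current(const key_data *keys, size_t n, int kvno)
{
    const key_data *best = NULL;
    for (size_t i = 0; i < n; i++) {
        if (kvno == 0 || kvno == -1) {
            if (best == NULL || keys[i].kvno > best->kvno)
                best = &keys[i];
        } else if (keys[i].kvno == kvno) {
            return &keys[i];
        }
    }
    return best;
}

/* Proposed semantics: -1 means latest; 0 means kvno 0 if present,
 * otherwise latest; any other value is an exact match only. */
static const key_data *find_key_proposed(const key_data *keys, size_t n, int kvno)
{
    const key_data *best = NULL;
    for (size_t i = 0; i < n; i++) {
        if (kvno >= 0 && keys[i].kvno == kvno)
            return &keys[i];
        if (best == NULL || keys[i].kvno > best->kvno)
            best = &keys[i];
    }
    return (kvno == -1 || kvno == 0) ? best : NULL;
}

/* Constructed krbtgt key list: original kvno 0 key kept, new kvno 1 key. */
static const key_data krbtgt_keys[] = { {0, 18}, {1, 18} };
#define NKEYS (sizeof krbtgt_keys / sizeof krbtgt_keys[0])

/* Returns the kvno the given lookup selects, or -2 if nothing matched. */
static int chosen_kvno(const key_data *(*find)(const key_data *, size_t, int), int kvno)
{
    const key_data *k = find(krbtgt_keys, NKEYS, kvno);
    return k ? k->kvno : -2;
}

int main(void)
{
    /* A TGT still encrypted under kvno 0 makes the KDC ask for kvno 0. */
    printf("current lookup for kvno 0 -> kvno %d\n", chosen_kvno(find_key_current, 0));
    printf("proposed lookup for kvno 0 -> kvno %d\n", chosen_kvno(find_key_proposed, 0));
    return 0;
}
```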