net ads keytab add nfs -P -d10 on a system with MIT Kerberos 1.13 shows this behavior:

../lib/krb5_wrap/krb5_samba.c:1719: adding keytab entry for (nfs/SERVER@EXAMPLE.COM) with encryption type (18) and version (989)
../lib/krb5_wrap/krb5_samba.c:1477: Will try to delete old keytab entries
../lib/krb5_wrap/krb5_samba.c:1504: ignoring keytab entry principal nfs/SERVER@EXAMPLE.COM, kvno = 221
../lib/krb5_wrap/krb5_samba.c:1563: Found old entry for principal: nfs/server.example.com@EXAMPLE.COM (kvno 221) - trying to remove it.
../lib/krb5_wrap/krb5_samba.c:1580: removed old entry for principal: nfs/server.example.com@EXAMPLE.COM (kvno 221).
../lib/krb5_wrap/krb5_samba.c:1504: ignoring keytab entry principal nfs/SERVER@EXAMPLE.COM, kvno = 221
../lib/krb5_wrap/krb5_samba.c:1719: adding keytab entry for (nfs/server.example.com@EXAMPLE.COM) with encryption type (23) and version (989)
../lib/krb5_wrap/krb5_samba.c:1477: Will try to delete old keytab entries
../lib/krb5_wrap/krb5_samba.c:1563: Found old entry for principal: nfs/SERVER@EXAMPLE.COM (kvno 221) - trying to remove it.
../lib/krb5_wrap/krb5_samba.c:1580: removed old entry for principal: nfs/SERVER@EXAMPLE.COM (kvno 221).
../lib/krb5_wrap/krb5_samba.c:1504: ignoring keytab entry principal nfs/server.example.com@EXAMPLE.COM, kvno = 221
../lib/krb5_wrap/krb5_samba.c:1719: adding keytab entry for (nfs/SERVER@EXAMPLE.COM) with encryption type (23) and version (989)

An entry is added with the current KVNO (989 == 0x3DD). The next check then only finds the KVNO stored with the lower 8 bits (221 == 0xDD) and removes it again, resulting in an incomplete keytab file that has only one enctype per entry.

MIT Kerberos 1.14 introduced larger KVNOs, so the problem affects only systems with Kerberos libraries 1.13 or older.

The fix would be to limit the check to the lower 8 bits of the KVNO.
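Added example, not part of the bug report and not Samba's code: a constructed C model of the cleanup step described in the comment above, showing why a full-width KVNO comparison against an 8-bit stored value drops the previously added enctype, and how masking both sides to the lower 8 bits keeps it. The struct, the function names and the 16-slot table are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of a keytab whose stored kvno field is 8 bits wide,
 * as the report describes for MIT Kerberos 1.13 and older. */
struct kt_entry { const char *princ; int enctype; unsigned kvno; int used; };
static struct kt_entry kt[16];

/* Drop entries for princ whose kvno differs from the current one.
 * mask = 0xFFFFFFFF models the reported check, mask = 0xFF the proposed fix. */
static void remove_old(const char *princ, unsigned kvno, unsigned mask)
{
    for (size_t i = 0; i < 16; i++) {
        if (!kt[i].used || strcmp(kt[i].princ, princ) != 0)
            continue;                       /* other principal: ignored */
        if ((kt[i].kvno & mask) != (kvno & mask))
            kt[i].used = 0;                 /* looks "old": removed */
    }
}

static void add_entry(const char *princ, int enctype, unsigned kvno, unsigned mask)
{
    remove_old(princ, kvno, mask);
    for (size_t i = 0; i < 16; i++) {
        if (kt[i].used)
            continue;
        /* storage keeps only the low 8 bits: 989 (0x3DD) -> 221 (0xDD) */
        kt[i] = (struct kt_entry){ princ, enctype, kvno & 0xFF, 1 };
        return;
    }
}

/* Add enctypes 18 and 23 for one principal at kvno 989; return how many survive. */
int surviving_enctypes(unsigned mask)
{
    const char *p = "nfs/SERVER@EXAMPLE.COM";
    int n = 0;
    memset(kt, 0, sizeof(kt));
    add_entry(p, 18, 989, mask);
    add_entry(p, 23, 989, mask);
    for (size_t i = 0; i < 16; i++)
        n += kt[i].used;
    return n;
}

int main(void)
{
    printf("full-width compare: %d enctype(s) left\n", surviving_enctypes(0xFFFFFFFFu));
    printf("low-8-bit compare:  %d enctype(s) left\n", surviving_enctypes(0xFFu));
    return 0;
}
```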
Created attachment 14254
patch for 4.7
Created attachment 14255
patch for 4.8
Comment on attachment 14254
patch for 4.7
LGTM.
Comment on attachment 14255
patch for 4.8
LGTM.
Karolin, please commit these two changes to 4-8 and 4-7.
(In reply to Alexander Bokovoy from comment #5) Pushed to autobuild-v4-[8,7]-test.
(In reply to Karolin Seeger from comment #6) Pushed to both branches. Closing out bug report. Thanks!