From patch attached to http://krbdev.mit.edu/rt/Ticket/Display.html?id=3349, at http://krbdev.mit.edu/rt/Ticket/Attachment/23851/13214/kvno.diff, adjusted as needed to apply to 1.10. FIXME: I'd like to better handle cases where we have a new key with the right version stored later in the keytab file. Currently, we're setting up to overlook that possibility. Note that this only affects the path taken when krb5_rd_rep() is passed a server principal name, as without a server principal name it already tries all of the keys it finds in the keytab, regardless of version numbers. Index: krb5/src/kadmin/ktutil/ktutil.c =================================================================== --- krb5/src/kadmin/ktutil/ktutil.c (revision 3367) +++ krb5/src/kadmin/ktutil/ktutil.c (working copy) @@ -155,7 +155,7 @@ char *princ = NULL; char *enctype = NULL; krb5_kvno kvno = 0; - int use_pass = 0, use_key = 0, i; + int use_pass = 0, use_key = 0, use_kvno = 0, i; for (i = 1; i < argc; i++) { if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-p", 2)) { @@ -164,6 +164,7 @@ } if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-k", 2)) { kvno = (krb5_kvno) atoi(argv[++i]); + use_kvno++; continue; } if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-e", 2)) { @@ -180,7 +181,7 @@ } } - if (argc != 8 || !(princ && kvno && enctype) || (use_pass+use_key != 1)) { + if (argc != 8 || !(princ && use_kvno && enctype) || (use_pass+use_key != 1)) { fprintf(stderr, _("usage: %s (-key | -password) -p principal " "-k kvno -e enctype\n"), argv[0]); return; Index: krb5/src/lib/krb5/keytab/kt_file.c =================================================================== --- krb5/src/lib/krb5/keytab/kt_file.c (revision 3367) +++ krb5/src/lib/krb5/keytab/kt_file.c (working copy) @@ -349,7 +349,7 @@ higher than that. Short-term workaround: only compare the low 8 bits. */ - if (new_entry.vno == (kvno & 0xff)) { + if (new_entry.vno == (kvno & 0xff) || new_entry.vno == IGNORE_VNO) { krb5_kt_free_entry(context, &cur_entry); cur_entry = new_entry; break;