> On Nov 13, 2017, at 12:50 PM, Patrik Lundin <patrik.lun...@su.se> wrote:
> Maby it is just me but I was surprised to have "get" not reflect the
> actual contents in the database.
IIRC that was needed to reliably get pruning to work, since some
kadmin clients add keys by doing get + add + set. We also did not
want users with "get" privileges on the key values to get old keys
that can only be used to compromise captured traffic, and are not
needed for live keytab files. Perhaps I am not recalling the
details quite right, but it made sense at the time...