ktadd does not "extract" keys. It sets new ones. The fact that the kvno changes is a side issue -- what breaks you is that the keys change and you didn't expect that. MIT krb5 has no other tool to extract keys without changing them. However, you can use the -keepold option to make this a little more tolerable. The MIT kadm5 API does allow you to extract keys, but only on the KDC proper (i.e., only when using libkadm5srv).
If you really need this you might try http://oskt.secure-endpoints.com/krb5_admin.html (http://oskt.secure-endpoints.com/git/krb5_admin). krb5_admin allows you to extract keytabs and works with MIT krb5. If you don't go with this approach then I recommend what you suggested: ktadd on one server and copy the keytab to the others (if need be using ktutil to merge keytabs).

Incidentally, Heimdal's kadmin client also can extract keys without setting new ones, but only with Heimdal kadmind.

Nico
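An added example, not part of the message above: a check that a keytab copied to another server still matches the one written by the latest ktadd. It parses the MIT keytab file format (version 0x502) and compares the highest kvno and a key fingerprint per principal and enctype, without printing key material. The function names, principal and key bytes are constructed for illustration.

```python
import hashlib
import struct

def parse_keytab(data):
    """Map (principal, enctype) -> (highest kvno, SHA-256 prefix of that key)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    best, pos = {}, 2
    while pos + 4 <= len(data):
        (size,), pos = struct.unpack_from(">i", data, pos), pos + 4
        if size <= 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        rec, pos = data[pos:pos + size], pos + size
        if len(rec) < size:
            raise ValueError("truncated entry")
        def counted(p):                    # uint16 length, then that many bytes
            (n,) = struct.unpack_from(">H", rec, p)
            return rec[p + 2:p + 2 + n], p + 2 + n
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm, p = counted(2)
        parts = []
        for _ in range(ncomp):
            part, p = counted(p)
            parts.append(part.decode())
        p += 8                             # skip name type and timestamp
        kvno, (enctype,) = rec[p], struct.unpack_from(">H", rec, p + 1)
        key, p = counted(p + 3)
        # An optional trailing 32-bit kvno, when non-zero, overrides the 8-bit one.
        kvno = (struct.unpack_from(">I", rec, p)[0] if len(rec) - p >= 4 else 0) or kvno
        ident = ("/".join(parts) + "@" + realm.decode(), enctype)
        if kvno >= best.get(ident, (-1,))[0]:
            best[ident] = (kvno, hashlib.sha256(key).hexdigest()[:16])
    return best

def stale_entries(reference, copy):
    """Entries whose current kvno or key in `copy` differs from `reference`."""
    ref, other = parse_keytab(reference), parse_keytab(copy)
    return sorted(k for k, v in ref.items() if other.get(k) != v)

def build_entry(principal, realm, kvno, enctype, key):
    """Encode one keytab entry; used only to construct the sample data below."""
    s = lambda b: struct.pack(">H", len(b)) + b
    parts = principal.encode().split(b"/")
    body = struct.pack(">H", len(parts)) + s(realm.encode()) + b"".join(map(s, parts))
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, enctype) + s(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: WEB1 was rewritten by ktadd (kvno 4), WEB2 is an older copy (kvno 3).
WEB1 = b"\x05\x02" + build_entry("host/web.example.com", "EXAMPLE.COM", 4, 18, b"\x11" * 32)
WEB2 = b"\x05\x02" + build_entry("host/web.example.com", "EXAMPLE.COM", 3, 18, b"\x22" * 32)
```

`stale_entries(WEB1, WEB2)` returns the principal and enctype pairs that need a fresh copy of the keytab; an empty list means the copy holds the current key.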
