On to, 14 syys 2017, Ronald Wimmer via FreeIPA-users wrote:
Hi,
today I found out that some entries in a keytab file seemed to have expired:
Request ticket server HTTP/mwc.linux.mydomain.at@LINUX.MYDOMAIN.AT kvno 4 not found in keytab; keytab is likely out of date
Fetching the keytab again with ipa-getkeytab fixed the problem. But why is this happening? Do keytab entries expire? I have not set any custom password or ticket policies.
You did most likely change the key on the KDC side by running ipa-getkeytab at some other place. This is what kvno 4 tells you about -- it is key version number. 4 means there were at least three different changes since that original key issuance time already.