Dmitry Krasov via FreeIPA-users wrote:
Hi Florence. As far as I understand, it's all because the keytab file becomes bad after some time.
- Why is that so?
- I know how to fix the file manually, but how can I check it in a script "if the file becomes bad"?
What makes you think the keytab is bad?
A simple way to validate a keytab is to compare the version number to the one the KDC has.
$ kinit admin
$ kvno host/<client host name>
# klist -kt /etc/krb5.keytab
Compare the version numbers. It's ok for the keytab to have multiple versions but one has to match what the KDC version number is.
ro
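
The comparison described in the reply above, as an added shell example that is not part of the original thread. It assumes MIT Kerberos output formats for `kvno` and `klist -kt` and a principal given with its realm; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: is the KDC's key version present in the keytab?

# Read `kvno <principal>` output on stdin, print the version number.
parse_kdc_kvno() {
    sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Read `klist -kt` output on stdin, print the KVNOs held for principal $1.
parse_keytab_kvnos() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $NF == p { print $1 }' | sort -un
}

# 0: KDC version $1 is among keytab versions $2; 1: it is not;
# 2: no KDC version was obtained (no ticket, KDC unreachable), so undecided.
kvno_in_keytab() {
    [ -n "$1" ] || return 2
    for v in $2; do
        [ "$v" -eq "$1" ] && return 0
    done
    return 1
}

# Live check. Needs a valid ticket (kinit) and read access to the keytab.
# $1 = principal including realm, $2 = keytab path (default /etc/krb5.keytab)
check_keytab() {
    kdc=$(kvno "$1" | parse_kdc_kvno)
    have=$(klist -kt "${2:-/etc/krb5.keytab}" | parse_keytab_kvnos "$1")
    kvno_in_keytab "$kdc" "$have"
}

# Constructed sample output (not taken from a real host).
SAMPLE_KVNO='host/client.example.com@EXAMPLE.COM: kvno = 3'
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ---------------------------------------------
   2 01/15/2024 10:02:11 host/client.example.com@EXAMPLE.COM
   3 03/02/2024 08:40:57 host/client.example.com@EXAMPLE.COM
   1 01/15/2024 10:02:11 nfs/client.example.com@EXAMPLE.COM'

# Offline demonstration on the sample text above.
demo_kdc=$(printf '%s\n' "$SAMPLE_KVNO" | parse_kdc_kvno)
demo_have=$(printf '%s\n' "$SAMPLE_KLIST" |
    parse_keytab_kvnos host/client.example.com@EXAMPLE.COM)
if kvno_in_keytab "$demo_kdc" "$demo_have"; then
    echo "keytab OK: KDC kvno $demo_kdc is present"
else
    echo "keytab stale: KDC kvno $demo_kdc not in keytab"
fi
```

On a real client, call `check_keytab host/<client host name>@<REALM>` after `kinit`; treat exit status 2 as "could not ask the KDC" rather than as a bad keytab.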