I was helping a colleague who was trying to rekey his TGS key with more
enctypes. He used "cpw -keepold", but he was immediately getting classic
errors on his KDC which indicated that it couldn't find the right TGT key.
When I couldn't reproduce the problem, he dug into it a little more and
found out that the problem was that his original TGS key has a kvno of
zero. When the zero kvno gets passed down into krb5_dbe_search_enctype(),
it sets the kvno to the maximum kvno. This works fine normally ... but
in this case, it always returns the TGT with the higher kvno, rather
than the kvno of zero. What he's going to try is to manually duplicate
his current TGS key so it has a kvno of 1, and then do his rekey.
I'm not sure what the right solution is here, except maybe to make sure
that you never have a key with a kvno of zero.
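
The lookup behaviour described above, as an added example that is not part of the original message and is not the MIT krb5 source: a simplified model in which a requested kvno of 0 is replaced by the highest kvno present, so a key stored at kvno 0 can no longer be selected once a newer key exists. The names model_key and model_search, the wildcard enctype and the sample key lists are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model of a principal's key list; not the MIT krb5 structures. */
struct model_key { int kvno; int enctype; };

/* Constructed sample data: enctype 16 = des3-cbc-sha1, 17/18 = AES. */
static const struct model_key before_rekey[] = { {0, 16} };
static const struct model_key after_rekey[] = { {1, 18}, {1, 17}, {0, 16} };
/* Workaround from the message: old key duplicated at kvno 1, then rekeyed. */
static const struct model_key after_workaround[] = {
    {2, 18}, {2, 17}, {1, 16}, {0, 16}
};

/*
 * Hypothetical lookup modelled on the behaviour described above: a requested
 * kvno of 0 is replaced by the highest kvno present. A negative enctype
 * matches any enctype (an assumption of this model).
 */
const struct model_key *model_search(const struct model_key *keys, size_t n,
                                     int enctype, int kvno)
{
    size_t i;

    if (kvno == 0)
        for (i = 0; i < n; i++)
            if (keys[i].kvno > kvno)
                kvno = keys[i].kvno;

    for (i = 0; i < n; i++)
        if (keys[i].kvno == kvno && (enctype < 0 || keys[i].enctype == enctype))
            return &keys[i];
    return NULL;
}

int main(void)
{
    const struct model_key *k;

    k = model_search(before_rekey, 1, 16, 0);
    printf("before rekey, kvno 0 requested: found kvno %d\n", k ? k->kvno : -1);
    k = model_search(after_rekey, 3, 16, 0);
    printf("after rekey, old enctype at kvno 0: %s\n", k ? "found" : "not found");
    k = model_search(after_workaround, 4, 16, 1);
    printf("after workaround, kvno 1 requested: found kvno %d\n", k ? k->kvno : -1);
    return 0;
}
```

In this model a ticket issued under the kvno 0 key stops resolving as soon as a kvno 1 key is added, while the duplicated kvno 1 key stays reachable after the rekey to kvno 2.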