I have found automated jobs that are executed on a KDC using "kinit -kt KDB:" may sometimes fail with:
kinit: Cannot find/read stored master key while setting up KDB key tab for realm XXX
However,if the script is retried, it invariably works. I suspect there is a transient locking condition which may sporadically cause a failure. The k5stash file path is local and the âctimeâ has not changed anytime within the intervals of the run.
FYI - KDB: offers a great way to authenticate using a Kerberos-internal principal (e.g. kadmin/admin) to prove it is the KDC infrastructure, without having to create secondary files which can be copied out-of-band or for which their distribution cannot be deterministically syncâd with respect to Kerberos iprop propagation. For most use-cases, I prefer keytabs but to prove Kerberos infrastructure identity, I prefer not to create extra keytabs and to rotate the keys aggressively to mitigate impact from any unauthorized extraction of Kerberosâ keys.