Server and Machine Key Version Numbers
When keys are added to the keytab file, each is assigned a version number that ranges from 1 to 255. Whenever server or machine keys change (automatically or explicitly), the key's version number is incremented. Version numbers allow two or more keys to exist for any given server or machine. When keys are changed, any servers or machines that are still using tickets granted under the older unchanged version of the key run without interruption until the ticket expires naturally. When the ticket expires, the server or machine reauthenticates and obtains the new key.
If you use the -registry option to the keytab add command, old keys are automatically deleted, if possible. If you do not use this option, you should occasionally list the contents of the keytab file by using the keytab list command, and use the keytab delete command to delete any old versions that are obsolete.
Note: Take care when you are deleting keys from the keytab file. When principal keys are changed, tickets can exist that are based on the key that you deleted. If you delete a key from the keytab file, any active tickets that are based on the deleted key will not be accepted by servers, and clients holding those tickets will get authentication failures.