[Samba] Magically increasing KVNO in keytabs

Peter Serbe peter at serbe.ch
Tue Dec 2 14:43:10 MST 2014

In my small home network I have the following setup: 

main site at home: 
- AD-DC and 
- one file (member) server
- one Windows client and 
- one Debian box
- one backup server
- router as VPN server

during the week, near my workplace, connected by VPN:
- AD-DC (set up as VPN client) and 
- one file server
- one Windows client

All the AD-DCs and the file servers run Samba 4.2-rc2, 
replication between the DCs looks good, the Windows 
clients use the correct logon server, i.e. setting up 
the servers and the AD sites looks OK. Both DCs run 
Bind 9.9, on the file servers there are Bind 9.9 slave 
servers. All boxes got fixed IPs. DNS works like a charm. 
All Linux machines are running SSSD 1.11.7, which most 
of the time works great...

The file servers are typically shut down overnight in 
order not to waste unnecessary electrical power. The 
DCs are small machines, one Raspberry Pi and one Cubietruck, 
which are always on. 

I only have one nasty issue: every couple of days one 
of the member servers or the Linux client sssd stops 
working and I have to produce a new keytab file. When 
doing a klist -k /etc/sssd.keytab I see that the KVNO 
of the newly generated keytab is incremented by one. 

Does anybody have a clue on how to troubleshoot this?
Did I forget to copy something from the main DC to the 
secondary one? Any help is greatly appreciated. I did 
try to search, but all the references I found exceed 
the level of my technical expertise... apparently. 


