diff --git a/krb5/src/build-tools/krb5-config.in b/krb5/src/build-tools/krb5-config.in
index f6184da..937b365 100755
--- a/krb5/src/build-tools/krb5-config.in
+++ b/krb5/src/build-tools/krb5-config.in
@@ -40,6 +40,7 @@ PTHREAD_CFLAGS='@PTHREAD_CFLAGS@'
 DL_LIB='@DL_LIB@'
 DEFCCNAME='@DEFCCNAME@'
 DEFKTNAME='@DEFKTNAME@'
+DEFKTGROUP='@DEFKTGROUP@'
 DEFCKTNAME='@DEFCKTNAME@'
 LIBS='@LIBS@'
@@ -70,6 +71,9 @@ while test $# != 0; do
 --defktname)
 do_defktname=1
 ;;
+ --defktgroup)
+ do_defktgroup=1
+ ;;
 --deps) # historically a no-op
 ;;
 --exec-prefix)
@@ -120,7 +124,7 @@ done
 if test -z "$do_all" -a -z "$do_version" -a -z "$do_vendor" -a \
 -z "$do_prefix" -a -z "$do_vendor" -a -z "$do_exec_prefix" -a \
 -z "$do_defccname" -a -z "$do_defktname" -a -z "$do_defcktname" -a \
- -z "$do_cflags" -a -z "$do_libs"; then
+ -z "$do_defktgroup" -a -z "$do_cflags" -a -z "$do_libs"; then
 do_help=1
 fi
@@ -136,6 +140,7 @@ if test -n "$do_help"; then
 echo " [--exec-prefix] Kerberos installed exec_prefix"
 echo " [--defccname] Show built-in default ccache name"
 echo " [--defktname] Show built-in default keytab name"
+ echo " [--defktgroup] Show built-in default keytab group name"
 echo " [--defcktname] Show built-in default client keytab name"
 echo " [--cflags] Compile time CFLAGS"
 echo " [--libs] List libraries required to link [LIBRARIES]"
@@ -193,6 +198,11 @@ if test -n "$do_defktname"; then
 $all_exit
 fi
+if test -n "$do_defktgroup"; then
+ echo "$DEFKTGROUP"
+ $all_exit
+fi
+
 if test -n "$do_defcktname"; then
 echo "$DEFCKTNAME"
 $all_exit
diff --git a/krb5/src/configure.ac b/krb5/src/configure.ac
index 10f45eb..6640fef 100644
--- a/krb5/src/configure.ac
+++ b/krb5/src/configure.ac
@@ -1325,6 +1325,7 @@ AC_SUBST(OSX)
 # krb5-config if we can, or fall back to hardcoded defaults.
 AC_ARG_VAR(DEFCCNAME, [Default ccache name])
 AC_ARG_VAR(DEFKTNAME, [Default keytab name])
+AC_ARG_VAR(DEFKTGROUP, [Default keytab group])
 AC_ARG_VAR(DEFCKTNAME, [Default client keytab name])
 AC_ARG_WITH([krb5-config],
 AC_HELP_STRING([--with-krb5-config=PATH],
@@ -1361,15 +1362,21 @@ fi
 if test "${DEFKTNAME+set}" != set; then
 DEFKTNAME=FILE:/etc/krb5.keytab
 fi
+if test "${DEFKTGROUP+set}" != set; then
+ DEFKTGROUP=_keytab
+fi
 if test "${DEFCKTNAME+set}" != set; then
 AX_RECURSIVE_EVAL($localstatedir, exp_localstatedir)
 DEFCKTNAME=FILE:$exp_localstatedir/krb5/user/%{euid}/client.keytab
 fi
 AC_MSG_NOTICE([Default ccache name: $DEFCCNAME])
 AC_MSG_NOTICE([Default keytab name: $DEFKTNAME])
+AC_MSG_NOTICE([Default keytab group name: $DEFKTGROUP])
 AC_MSG_NOTICE([Default client keytab name: $DEFCKTNAME])
 AC_DEFINE_UNQUOTED(DEFCCNAME, ["$DEFCCNAME"], [Define to default ccache name])
 AC_DEFINE_UNQUOTED(DEFKTNAME, ["$DEFKTNAME"], [Define to default keytab name])
+AC_DEFINE_UNQUOTED(DEFKTGROUP, ["$DEFKTGROUP"],
+ [Define to default keytab group name])
 AC_DEFINE_UNQUOTED(DEFCKTNAME, ["$DEFCKTNAME"],
 [Define to default client keytab name])
diff --git a/krb5/src/lib/krb5/os/krbfileio.c b/krb5/src/lib/krb5/os/krbfileio.c
index 41cd40f..b490128 100644
--- a/krb5/src/lib/krb5/os/krbfileio.c
+++ b/krb5/src/lib/krb5/os/krbfileio.c
@@ -48,6 +48,11 @@ static char *VersionID = "@(#)krbfileio.c 2 - 08/22/91";
 # define OPEN_MODE_NOT_TRUSTWORTHY
 #endif
+#include
+#include
+#include
+#define GETGRNAM_BUFFER_SIZE 1024
+
 krb5_error_code
 k5_create_secure_file(krb5_context context, const char *pathname)
 {
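Review bot: `GETGRNAM_BUFFER_SIZE` in krbfileio.c fixes the getgrnam_r() scratch buffer at 1024 bytes, and the define carries no comment saying what happens when a group entry does not fit. getgrnam_r reports that case by returning ERANGE, and the caller added later in this patch (in k5_create_secure_file) treats any non-zero return as "leave the file alone", so a DEFKTGROUP entry with a long member list silently disables the group handoff. Either size the buffer from `sysconf(_SC_GETGR_R_SIZE_MAX)` and retry on ERANGE, or at least document the limit on the define, e.g. `/* getgrnam_r() scratch size; a larger group entry yields ERANGE and the keytab keeps mode 0600 */`.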
@@ -58,6 +63,22 @@ k5_create_secure_file(krb5_context context, const char *pathname)
 */
 fd = THREEPARAMOPEN(pathname, O_RDWR | O_CREAT | O_EXCL | O_BINARY, 0600);
+ /*
+ * Change group and permisions for default keytab
+ */
+ if (fd > -1 && strncmp("FILE:", DEFKTNAME, 5) == 0 && strcmp(pathname, DEFKTNAME + 5) == 0) {
+ struct group grp, *grp_ptr;
+ char buffer[GETGRNAM_BUFFER_SIZE];
+ errno = 0;
+
+ if (getgrnam_r(DEFKTGROUP, &grp, buffer, GETGRNAM_BUFFER_SIZE, &grp_ptr) == 0) {
+ if (errno == 0 && grp_ptr != NULL) {
+ fchown(fd, -1, grp.gr_gid);
+ fchmod(fd, 0640);
+ }
+ }
+ }
+
 #ifdef OPEN_MODE_NOT_TRUSTWORTHY
 /*
 * Some systems that support default acl inheritance do not
diff --git a/krb5/src/man/krb5-config.man b/krb5/src/man/krb5-config.man
index 2899808..e1d8ed5 100644
--- a/krb5/src/man/krb5-config.man
+++ b/krb5/src/man/krb5-config.man
@@ -33,7 +33,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .SH SYNOPSIS
 .sp
 \fBkrb5\-config\fP
-[\fB\-\fP\fB\-help\fP | \fB\-\fP\fB\-all\fP | \fB\-\fP\fB\-version\fP | \fB\-\fP\fB\-vendor\fP | \fB\-\fP\fB\-prefix\fP | \fB\-\fP\fB\-exec\-prefix\fP | \fB\-\fP\fB\-defccname\fP | \fB\-\fP\fB\-defktname\fP | \fB\-\fP\fB\-defcktname\fP | \fB\-\fP\fB\-cflags\fP | \fB\-\fP\fB\-libs\fP [\fIlibraries\fP]]
+[\fB\-\fP\fB\-help\fP | \fB\-\fP\fB\-all\fP | \fB\-\fP\fB\-version\fP | \fB\-\fP\fB\-vendor\fP | \fB\-\fP\fB\-prefix\fP | \fB\-\fP\fB\-exec\-prefix\fP | \fB\-\fP\fB\-defccname\fP | \fB\-\fP\fB\-defktname\fP | \fB\-\fP\fB\-defktgroup\fP | \fB\-\fP\fB\-defcktname\fP | \fB\-\fP\fB\-cflags\fP | \fB\-\fP\fB\-libs\fP [\fIlibraries\fP]]
 .SH DESCRIPTION
 .sp
 krb5\-config tells the application programmer what flags to use to compile
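Review bot: In the block added to k5_create_secure_file (krbfileio.c), the results of `fchown` and `fchmod` are discarded, so if `fchown(fd, -1, grp.gr_gid)` fails the file is still widened to 0640 and becomes readable by whatever group it was created with rather than by DEFKTGROUP. Make the mode change conditional on the ownership change: `if (fchown(fd, -1, grp.gr_gid) == 0)` followed by `(void)fchmod(fd, 0640);`. The `errno == 0` test adds nothing, because getgrnam_r reports failure through its return value and "not found" through a NULL result pointer, so `grp_ptr != NULL` alone is the check. The function continues past the hunk under OPEN_MODE_NOT_TRUSTWORTHY; if that code re-applies an owner-only mode, the 0640 set here would be undone on those platforms, which is worth confirming.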
@@ -67,6 +67,9 @@ prints the built\-in default credentials cache location.
 \fB\-\fP\fB\-defktname\fP
 prints the built\-in default keytab location.
 .TP
+\fB\-\fP\fB\-defktgroup\fP
+prints the built\-in default keytab group name.
+.TP
 \fB\-\fP\fB\-defcktname\fP
 prints the built\-in default client (initiator) keytab location.
 .TP