diff --git a/src/providers/krb5/krb5_keytab.c b/src/providers/krb5/krb5_keytab.c
index db383d411d..3d4df9e6c0 100644
--- a/src/providers/krb5/krb5_keytab.c
+++ b/src/providers/krb5/krb5_keytab.c
@@ -26,6 +26,8 @@
 #include "util/sss_krb5.h"
 #include "providers/krb5/krb5_common.h"
+#include
+
 static krb5_error_code do_keytab_copy(krb5_context kctx, krb5_keytab s_keytab, krb5_keytab d_keytab) {
@@ -120,13 +122,6 @@ krb5_error_code copy_keytab_into_memory(TALLOC_CTX *mem_ctx, krb5_context kctx,
 return kerr;
 }
- kerr = sss_krb5_kt_have_content(kctx, keytab);
- if (kerr != 0) {
- DEBUG(SSSDBG_CRIT_FAILURE, "keytab [%s] has not entries.\n",
- keytab_file);
- goto done;
- }
-
 kerr = krb5_kt_get_name(kctx, keytab, keytab_name, sizeof(keytab_name));
 if (kerr != 0) {
 DEBUG(SSSDBG_CRIT_FAILURE, "Failed to read name for keytab [%s].\n",
@@ -142,6 +137,21 @@ krb5_error_code copy_keytab_into_memory(TALLOC_CTX *mem_ctx, krb5_context kctx,
 goto done;
 }
+ if (faccessat(AT_FDCWD, sep+1, R_OK, AT_EACCESS) != 0) {
+ int saved_errno = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE, "keytab [%s] is not readable by us (%s).\n",
+ keytab_file, sss_strerror(saved_errno));
+ kerr = KRB5KRB_ERR_GENERIC;
+ goto done;
+ }
+
+ kerr = sss_krb5_kt_have_content(kctx, keytab);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "keytab [%s] has no entries.\n",
+ keytab_file);
+ goto done;
+ }
+
 if (strncmp(keytab_name, "MEMORY:", sizeof("MEMORY:") -1) == 0) {
 DEBUG(SSSDBG_TRACE_FUNC, "Keytab [%s] is already memory keytab.\n",
 keytab_name);
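Review bot: The new faccessat() block in the third hunk runs before the existing `MEMORY:` short-circuit that follows it, so if `sep` points at the ':' of the type prefix in keytab_name (sep is computed above the hunk, outside this view), a memory keytab — or any non-file keytab type — now fails with a filesystem error and never reaches the memory-keytab branch, which the old position of sss_krb5_kt_have_content() did not cause. Unless the code above already restricts this path to `FILE:` keytabs, placing the access check after the `MEMORY:` test, or guarding it with the same prefix comparison, keeps the earlier behaviour for those callers. The check is a diagnostic aid rather than a guarantee, since the file can change between here and the later krb5_kt reads, so the following sss_krb5_kt_have_content() error path still has to stay as the authoritative failure. A one-line comment above the call, `/* AT_EACCESS: test with the effective IDs the krb5 library will use to read the file */`, would document why access(2) was not used; also note that the added `#include` in the first hunk shows no header name in this rendering, and faccessat() and the `AT_*` constants need the `unistd.h`/`fcntl.h` declarations. copy_keytab_into_memory() starts and ends outside the hunk.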