diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9cca7a71..e84062db 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,7 +8,12 @@ All notable changes to this project will be documented in this file.
 
 - Active Directory's `samAccountName` generation can now be customized ([#454]).
 
+### Fixed
+
+- Fixed Kerberos keytab provisioning reusing its credential cache ([#490]).
+
 [#454]: https://github.com/stackabletech/secret-operator/pull/454
+[#490]: https://github.com/stackabletech/secret-operator/pull/490
 
 ## [24.7.0] - 2024-07-24
 
diff --git a/rust/krb5-provision-keytab/src/lib.rs b/rust/krb5-provision-keytab/src/lib.rs
index 511af183..caa5a090 100644
--- a/rust/krb5-provision-keytab/src/lib.rs
+++ b/rust/krb5-provision-keytab/src/lib.rs
@@ -75,7 +75,7 @@ pub async fn provision_keytab(krb5_config_path: &Path, req: &Request) -> Result<
         // ldap3 uses the default client keytab to authenticate to the LDAP server
         .env("KRB5_CLIENT_KTNAME", &req.admin_keytab_path)
         // avoid leaking credentials between secret volumes/secretclasses
-        .env("KRB5CCNAME", "MEMORY")
+        .env("KRB5CCNAME", "MEMORY:")
         .stdin(Stdio::piped())
         .stdout(Stdio::piped())
         .spawn()