If you use an afs3 salt on an AES enctype, you will segfault within krb5_c_string_to_key because the salt length passed in is -1.
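
The failure mode described above, as an added example that is not the Kerberos library's own code: a salt length of -1 is a marker rather than a byte count, so a string-to-key path that does not define the marker has to reject it before using it to size a copy. All names here (salt_data, prepare_salt, AFS_SALT_SENTINEL, MAX_SALT_LEN, the enums) are hypothetical, and treating the marked salt as NUL-terminated is an assumption of this model.

```c
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for this example only; not the krb5 definitions. */
struct salt_data { unsigned int length; const char *data; };
enum enc_family { ENC_AFS_AWARE, ENC_AES };
enum s2k_status { S2K_OK = 0, S2K_BAD_SALT = -1, S2K_NOMEM = -2 };

#define AFS_SALT_SENTINEL UINT_MAX /* what -1 becomes in an unsigned length */
#define MAX_SALT_LEN 1024u         /* assumed sanity cap for the example */

/*
 * Copy the salt into a private buffer before key derivation.
 * Without the two checks, a sentinel length reaches malloc/memcpy as a
 * byte count of UINT_MAX and the copy reads far past the salt.
 */
enum s2k_status prepare_salt(enum enc_family fam, const struct salt_data *salt,
                             unsigned char **out, size_t *out_len)
{
    size_t n = salt->length;

    *out = NULL;
    *out_len = 0;
    if (salt->length == AFS_SALT_SENTINEL) {
        /* Only the path that defines the marker may interpret it. */
        if (fam != ENC_AFS_AWARE || salt->data == NULL)
            return S2K_BAD_SALT;
        n = strlen(salt->data); /* assumption: marked salt is NUL-terminated */
    }
    if (n > MAX_SALT_LEN || (n > 0 && salt->data == NULL))
        return S2K_BAD_SALT;

    *out = malloc(n ? n : 1);
    if (*out == NULL)
        return S2K_NOMEM;
    memcpy(*out, salt->data ? salt->data : "", n);
    *out_len = n;
    return S2K_OK;
}
```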