Testing confirms that SAM-2 preauth (using the testing "grail" option) 
does not currently work with a non-default salt.

If we add the PA_HARDWARE flag to the etype-info system entries, it 
still doesn't work, because verify_grail_data() insists on a key with 
the normal salt type.  (verify_securid_data_2() does the same thing.)  
But if that call to krb5_dbe_find_enctype() is changed to allow any 
salt type, then it works.