Testing confirms that SAM-2 preauth (using the testing "grail" option) does not currently work with a non-default salt. If we add the PA_HARDWARE flag to the etype-info system entries, it still doesn't work, because verify_grail_data() insists on a key with the normal salt type. (verify_securid_data_2() does the same thing.) But if that call to krb5_dbe_find_enctype() is changed to allow any salt type, then it works.