This change had the unintended consequence of restricting the ticket session key to the enctypes present in the keytab. The change was amended by #7190 to include the whole default_tkt_enctypes list in the request, sorted so that the keytab's enctypes appear first. That way the session key enctype is not constrained to the keytab's enctypes, while the KDC is very likely to choose a reply key enctype that does exist in the keytab (the KDC is still free to pick another enctype the client principal has a key for, so this is a strong hint rather than a guarantee). Nico has also suggested doing encrypted timestamp preauth with one of the keytab keys and having the KDC use the encrypted timestamp key as the reply key. These are probably good ideas, but the former may have some edge cases given the current state of the client preauth code. See also: http://mailman.mit.edu/pipermail/krbdev/2012-July/010998.html
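The following is an added example, not code from krb5 or from #7190, that models the effect of the enctype ordering described above. It builds the AS-REQ enctype list three ways (keytab enctypes only, the unsorted default_tkt_enctypes list, and the #7190 ordering with keytab enctypes first) and runs each through a toy KDC. The KDC rules are a simplifying assumption of this example: the reply key is the first requested enctype the client principal has a key for in the KDB, and the session key is the first requested enctype that the KDC permits and that the ticket-granting service has a key for. The keytab, KDB and permitted-enctype sets are constructed for illustration (a service whose keytab still holds only a 3DES key in a realm whose krbtgt has only AES keys).

```python
# Added example, not krb5 code: a model of how the order of the enctype list
# in an AS-REQ built from a keytab steers the KDC's choice of reply key and
# ticket session key.
#
# Assumption of this example (simplified from how a KDC selects keys): the
# reply key is the first requested enctype for which the client principal has
# a KDB key; the session key is the first requested enctype that the KDC
# permits and that the ticket-granting service (krbtgt) has a key for.

AES256 = "aes256-cts-hmac-sha1-96"
AES128 = "aes128-cts-hmac-sha1-96"
DES3 = "des3-cbc-sha1"
RC4 = "arcfour-hmac"


class KdcError(Exception):
    """Stands in for a KRB-ERROR such as KDC_ERR_ETYPE_NOSUPP."""


class KeytabMissing(Exception):
    """Client cannot decrypt the AS-REP: reply key enctype is not in the keytab."""


def request_etypes_keytab_only(keytab_etypes, default_tkt_enctypes):
    """The unintended behaviour: request only enctypes present in the keytab,
    which also restricts the session key to those enctypes."""
    return [et for et in default_tkt_enctypes if et in keytab_etypes]


def request_etypes_keytab_first(keytab_etypes, default_tkt_enctypes):
    """The #7190 behaviour as modelled here: the whole default_tkt_enctypes
    list, stably reordered so enctypes found in the keytab come first."""
    in_keytab = [et for et in default_tkt_enctypes if et in keytab_etypes]
    others = [et for et in default_tkt_enctypes if et not in keytab_etypes]
    return in_keytab + others


def kdc_select_keys(request_etypes, client_kdb_etypes, tgs_kdb_etypes,
                    permitted_etypes):
    """Toy KDC key selection (assumption, see comment at top)."""
    reply = next((et for et in request_etypes if et in client_kdb_etypes), None)
    if reply is None:
        raise KdcError("no client key for any requested enctype")
    session = next((et for et in request_etypes
                    if et in permitted_etypes and et in tgs_kdb_etypes), None)
    if session is None:
        raise KdcError("no usable session key enctype in request")
    return reply, session


def client_as_exchange(keytab_etypes, default_tkt_enctypes, build_request,
                       client_kdb_etypes, tgs_kdb_etypes, permitted_etypes):
    """Run one AS exchange and return (reply_etype, session_etype).

    Raises KdcError if the KDC cannot serve the request, and KeytabMissing if
    the KDC chose a reply key the client does not hold in its keytab."""
    req = build_request(keytab_etypes, default_tkt_enctypes)
    reply, session = kdc_select_keys(req, client_kdb_etypes, tgs_kdb_etypes,
                                     permitted_etypes)
    if reply not in keytab_etypes:
        raise KeytabMissing(f"reply key enctype {reply} is not in the keytab")
    return reply, session


# Constructed scenario: the service keytab holds only a 3DES key, the KDB
# entry for the service has AES and 3DES keys, krbtgt has only AES keys, and
# the KDC permits AES and 3DES but not RC4.
KEYTAB = {DES3}
CLIENT_KDB = {AES256, AES128, DES3}
TGS_KDB = {AES256, AES128}
PERMITTED = {AES256, AES128, DES3}
DEFAULT_TKT_ENCTYPES = [AES256, AES128, DES3, RC4]


def scenario(build_request):
    """Run the constructed scenario with a given request-list builder."""
    return client_as_exchange(KEYTAB, DEFAULT_TKT_ENCTYPES, build_request,
                              CLIENT_KDB, TGS_KDB, PERMITTED)


if __name__ == "__main__":
    for name, builder in [("keytab only", request_etypes_keytab_only),
                          ("unsorted defaults", lambda k, d: list(d)),
                          ("keytab first (#7190)", request_etypes_keytab_first)]:
        try:
            print(name, "->", scenario(builder))
        except (KdcError, KeytabMissing) as e:
            print(name, "-> FAIL:", e)
```

In this scenario the keytab-only list fails because 3DES is the only requested enctype and krbtgt has no 3DES key, so no session key can be chosen; the unsorted default list makes the KDC pick an AES256 reply key that the keytab does not contain, so the client cannot decrypt the AS-REP; the keytab-first ordering yields a 3DES reply key (in the keytab) with an AES256 session key, which is the outcome the amended request is meant to produce.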