Also, if you "kdb5_util purge_mkeys" after those two operations, you get a 
bad error message:

  Purging the follwing master key(s) from K/M@KRBTEST.COM:
  KVNO: 1
  kdb5_util: Invalid argument while updating actkvno data for master 
principal entry

This happens because kdb5_purge_mkeys computes an empty active mkvno and 
krb5_db_fetch_mkey_list rejects it with EINVAL.

This is technically a separate bug, but would be difficult to reproduce if 
the update_princ_encryption bug is fixed, so I'm noting it here.