Tom Yu via RT wrote: >>>>>> "jaltman" == Jeffrey Altman via RT writes: > > jaltman> + if (ktype == -1) > jaltman> + keyblock->enctype = ktype; > > Isn't this backwards if you want -1 to mean the enctype doesn't get > coerced? > You are correct. I manually copied the patch backward. The problem with manually pulling patches by eyeballing them from other systems. Corrected patch: Index: svr_principal.c =================================================================== --- svr_principal.c (revision 20163) +++ svr_principal.c (working copy) @@ -2156,7 +2156,8 @@ * inexact match on the enctype; this behavior will go away when * the key storage architecture gets redesigned for 1.3. */ - keyblock->enctype = ktype; + if (ktype != -1) + keyblock->enctype = ktype; if (kvnop) *kvnop = key_data->key_data_kvno;