Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-RT-Original-Encoding: iso-8859-1 Content-Length: 708 Please review this patch to kadm5_decrypt_key(). This patch prevents the returned keyblock's enctype from being coerced to the requested 'ktype' if the requested 'ktype' == -1. A ktype of -1 is to be ignored. Index: svr_principal.c =================================================================== --- svr_principal.c (revision 20163) +++ svr_principal.c (working copy) @@ -2156,7 +2156,8 @@ * inexact match on the enctype; this behavior will go away when * the key storage architecture gets redesigned for 1.3. */ - keyblock->enctype = ktype; + if (ktype == -1) + keyblock->enctype = ktype; if (kvnop) *kvnop = key_data->key_data_kvno;