Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.427 (Entity 5.427) RT-Send-CC: X-RT-Original-Encoding: iso-8859-1 Content-Length: 633 krb5_dbe_def_search_enctype does not currently treat kvno 0 the same way as kvno -1. kvno -1 means "ignore the kvno", while kvno 0 means "search only in the highest kvno". (Confusingly, if you pass kvno, stype, and ktype all as -1, the code optimizes by setting kvno to 0 in order to look only at entries of highest kvno, without a comment explaining what it's doing.) It may be that we don't need both modes of operation. Offhand, I can't imagine a situation where you want to search for a particular enctype and/or salt type across all key versions. But we'd need to analyze all of the call sites to make sure of that.