Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.507 (Entity 5.507) RT-Send-CC: X-RT-Original-Encoding: iso-8859-1 Content-Length: 428 Testing confirms that SAM-2 preauth (using the testing "grail" option) does not currently work with a non-default salt. If we add the PA_HARDWARE flag to the etype-info system entries, it still doesn't work, because verify_grail_data() insists on a key with the normal salt type. (verify_securid_data_2() does the same thing.) But if that call to krb5_dbe_find_enctype() is changed to allow any salt type, then it works.