>so in actual usage pretty well everything is going to use
>aes256-cts-hmac-sha1-96 (unless you have a really old client out there)
>but the KDC is still going to create or update keys of all three types,
>and that is what's failing here.

My apologies; going back I realize I conflated the client issues with your kadmind segfault and I was thinking your CLIENTS were segfaulting. I see later on you just transitioned to AES enctypes, which is probably for the best anyway. It sounds like someone could still explicitly use kadmin to ask for arcfour and cause a denial-of-service attack against kadmind though.

--Ken