[OpenAFS] afs krb5 migration
Ken Hornstein
kenh@cmf.nrl.navy.mil
Mon, 23 Apr 2001 11:48:03 -0400
>I suppose there is a bug in the ktadd command that prevents it from
>obeying the kdc.conf configurations so that no afs-aware keys are
>generated.
Whoa, hold on a second here.
The "key salt" is perhaps the most misunderstood thing in Kerberos. It
is ONLY used for converting a user's plaintext password into an encryption
key. Saying it's an "afs-aware" key is a COMPLETE misnomer. ktadd
doesn't generate those other salted keys, because they're completely
meaningless - there's no plaintext password that corresponds to the
encryption key that ktadd generates (well, there MAY be one, but we
don't know what it is :-) ). I suspect the larger problem is that the 3DES
key was confusing things in there (but I'm not sure exactly where things
were breaking).
--Ken
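
The distinction drawn in this message, as an added example that is not part of the original post: a salt only enters when a key is derived from a plaintext password, while a randomly generated key has no password or salt behind it. PBKDF2-HMAC-SHA1 stands in for the real Kerberos and AFS string-to-key functions (an assumption made for brevity), and the password, realm, principal and salt strings are constructed.

```python
import hashlib
import secrets

KEY_LEN = 16  # bytes; constructed choice for this illustration


def password_key(password: str, salt: str, iterations: int = 4096) -> bytes:
    """Derive a key from a plaintext password. This is the only place a salt is used.

    PBKDF2-HMAC-SHA1 is a stand-in (assumption): the real DES and AFS
    string-to-key algorithms differ, but they take the same two inputs.
    """
    return hashlib.pbkdf2_hmac(
        "sha1", password.encode(), salt.encode(), iterations, KEY_LEN
    )


def random_service_key() -> bytes:
    """Random key, as generated for a service principal stored in a keytab.

    No password and no salt are inputs, so there is nothing to re-salt.
    """
    return secrets.token_bytes(KEY_LEN)


def salted_keys(password: str, salts: dict) -> dict:
    """One password-derived key per salt type."""
    return {name: password_key(password, salt) for name, salt in salts.items()}


# Constructed sample salts: realm+principal for the normal case,
# cell name for the AFS-style case.
SAMPLE_SALTS = {"normal": "EXAMPLE.ORGalice", "afs3-style": "example.org"}

if __name__ == "__main__":
    # Same password, different salt: different keys for a user principal.
    for name, key in salted_keys("correct horse", SAMPLE_SALTS).items():
        print(f"user key ({name} salt): {key.hex()}")
    # Random key: salt type is irrelevant because no password exists.
    print(f"service key (random):   {random_service_key().hex()}")
```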