Comment 5 for bug 849349

Ray Link (rlink) wrote:

The discussion was via private email.

In short, the existing code's call to krb5_set_default_in_tkt_etypes() with a second argument that may be NULL is a sneaky way of avoiding the situation where using a restricted credential will restrict all credentials in the current thread. It fixes one bit of undesirable behaviour in a way that causes different undesirable behaviour.

Upstream believes that the current behaviour (not over-restricting credentials in a thread) is more desirable than not throwing away the list of configured enctypes, but agrees that both problems need to be solved the right way, simultaneously. So we're kind of stuck until one of us gets around to creating a better patch.