It seems this attribute is only evaluated for objects with objectClass=computer and not for normal accounts. The presence of a supported encryption type should also have some meaning if a key for that type is not yet stored in the database. But the KDC should notice support for new encryption types and use that for session keys.
Created attachment 13866 [details] Work in progress patches
Created attachment 15761 [details] Work in progress for master
I like our current behaviour where we have a way to control what encryption types are available. Otherwise we have no way to, per user, control the encryption types.