It seems this attribute is only evaluated for objects with objectClass=computer
and not for normal accounts.
The presence of a supported encryption type should also have some meaning if
a key for that type is not yet stored in the database.
But the KDC should notice support for new encryption types and use
that for session keys.
Created attachment 13866 [details]
Work in progress patches
Created attachment 15761 [details]
Work in progress for master
I like our current behaviour where we have a way to control what encryption types are available. Otherwise we have no way to, per user, control the encryption types.