diff -Naurp krb5-1.8.1/src/kdc/kdc_preauth.c krb5-1.8.1.oden/src/kdc/kdc_preauth.c
--- krb5-1.8.1/src/kdc/kdc_preauth.c	2010-02-12 20:28:39.000000000 +0000
+++ krb5-1.8.1.oden/src/kdc/kdc_preauth.c	2012-08-01 10:02:01.000000000 +0000
@@ -1648,7 +1648,8 @@ etype_info_helper(krb5_context context, 
                 continue;
 
             }
-            if (request_contains_enctype(context, request, db_etype)) {
+            if (krb5_is_permitted_enctype(context, db_etype) &&
+                request_contains_enctype(context, request, db_etype)) {
                 retval = _make_etype_info_entry(context, client->princ,
                                                 client_key, db_etype,
                                                 &entry[i], etype_info2);
diff -Naurp krb5-1.8.1/src/kdc/kdc_util.c krb5-1.8.1.oden/src/kdc/kdc_util.c
--- krb5-1.8.1/src/kdc/kdc_util.c	2010-02-12 20:28:39.000000000 +0000
+++ krb5-1.8.1.oden/src/kdc/kdc_util.c	2012-08-01 10:02:01.000000000 +0000
@@ -2687,6 +2687,7 @@ kdc_handle_protected_negotiation(krb5_da
         return 0;
     pa.magic = KV5M_PA_DATA;
     pa.pa_type = KRB5_ENCPADATA_REQ_ENC_PA_REP;
+    memset(&checksum, 0, sizeof(checksum));
     retval = krb5_c_make_checksum(kdc_context,0, reply_key,
                                   KRB5_KEYUSAGE_AS_REQ, req_pkt, &checksum);
     if (retval != 0)
diff -Naurp krb5-1.8.1/src/lib/kdb/kdb_default.c krb5-1.8.1.oden/src/lib/kdb/kdb_default.c
--- krb5-1.8.1/src/lib/kdb/kdb_default.c	2010-02-08 21:22:18.000000000 +0000
+++ krb5-1.8.1.oden/src/lib/kdb/kdb_default.c	2012-08-01 10:02:01.000000000 +0000
@@ -64,6 +64,9 @@ krb5_dbe_def_search_enctype(kcontext, db
     krb5_boolean        saw_non_permitted = FALSE;
 
     ret = 0;
+    if (ktype != -1 && !krb5_is_permitted_enctype(kcontext, ktype))
+        return KRB5_KDB_NO_PERMITTED_KEY;
+
     if (kvno == -1 && stype == -1 && ktype == -1)
         kvno = 0;