[krbdev.mit.edu #7646] PAC checksum verification failed with enterprise principals
    Greg Hudson via RT 
    rt-comment at krbdev.mit.edu
       
    Tue May 28 12:15:04 EDT 2013
    
    
  
Huh.  Our KDC always canonicalizes AS requests with request->client->type 
== KRB5_NT_ENTERPRISE_PRINCIPAL (well, if the KDB module supports it), 
and has a comment saying "according to the referrals draft we should 
always canonicalize enterprise principal names."  But perhaps AD doesn't 
behave that way.
Anyway, closing the ticket.  Thanks for investigating further.
    
    