Why does changing supported_enctypes not work?

[John Hascall]

The instructions for our VPN server say to
add des-cbc-md5:normal des-cbc-md5:norealm des-cbc-md5:onlyrealm
to the supported_enctypes line in our realm in our krb5.conf
file, then restart the daemons and change a principal's password
and then that principal should have the proper
"DES cbc mode with RSA-MD5, Version 5" key that the VPN needs.

But when I do this, getprinc still just shows:
   ...
Number of keys: 1                                                               
Key: vno 165, DES cbc mode with CRC-32, Version 4                               


I don't see any errors in the kdc.log or kad.log

Any ideas?

Thanks,
John
PS, this is krb5-1.2.6 (with patches) on NetBSD if that matters