It turns out that the default enctype for a typed-in password in the KDC is still des-cbc-crc. So the remainder of this ticket is probably not a pressing 1.8 issue; we've had problems in that department since the default enctype changed to triple DES.