One thing I'm not clear on having read that is how deep the problem is. If you're not using krb524d, does that mean you are not vulnerable if you are using 1.2.7, even if you have enabled v4 keys as a "supported_enctype" in kdc.conf ? Darren.