See attached, untested patch. This could be optimised by mapping the checksum type to an enctype (is there an API for this?) and then calling krb5_kt_get_entry() rather than enumerating the keytab, but we still need to enumerate the keytab if server == NULL to handle aliases.

-- Luke