"an AD-style back end could contain user passwords rather than enctype-specific key data" This statement isn't false, but for the record the AD information model does actually specify "enctype-specific key data". -- Luke