
0.1m: krb4 is krb4, krb5 is krb5, never the twain shall meet?



Having managed to get our kaserver.DB0 hprop'ed into a heimdal KDC, I
discovered that it "didn't work".  I then ran out of time to look into
it until today, when I discovered the reason.

It seems that when krb4 or kaserver principals are hprop'ed over, they
get keys with krb4 enctypes.  These keys cannot be used by krb5,
apparently:  while I can still authenticate against heimdal's KDC with
krb4 utilities (kaserver is as yet untested), I cannot authenticate 
as one of the transferred principals using heimdal's kinit --- or
kauth, or hprop, or anything else that wants to use krb5-style
authentication.  Principals added via "kadmin -l" get both krb4 and
krb5 enctypes, and work properly with both.

What would it take to get the transferred keys re-encoded with
des3-cbc-sha1 as well as with the krb4-compatible enctypes? 
Preferably without having to change everyone's password (which also
fails)?

-- 
brandon s. allbery	   os/2,linux,solaris,perl	allbery@kf8nh.apk.net
system administrator	   kthkrb,heimdal,gnome,rt	  allbery@ece.cmu.edu
carnegie mellon / electrical and computer engineering			kf8nh
    We are Linux. Resistance is an indication that you missed the point.