diff --git a/kadmind.init b/kadmind.init
index 5e97a91..d4b4949 100755
--- a/kadmind.init
+++ b/kadmind.init
@@ -38,15 +38,7 @@ start() {
 echo $"Error. This appears to be a slave server, found kpropd.acl"
 exit 6
 else
- [ -x $kadmind ] || exit 5
- if [ ! -f /var/kerberos/krb5kdc/kadm5.keytab ] ; then
- echo -n $"Extracting kadm5 Service Keys: "
- # This should always work.
- /usr/kerberos/sbin/kadmin.local ${KRB5REALM:+-r $KRB5REALM} -q "ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin${KRB5REALM:+@$KRB5REALM} kadmin/changepw${KRB5REALM:+@$KRB5REALM}" && success || failure
- # It's probably okay if this fails.
- /usr/kerberos/sbin/kadmin.local ${KRB5REALM:+-r $KRB5REALM} -q "ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/`hostname`${KRB5REALM:+@$KRB5REALM}" 2> /dev/null && success
- echo
- fi
+ [ -x $kadmind ] || exit 5
 fi
 echo -n $"Starting $prog: "
 daemon ${kadmind} ${KRB5REALM:+-r ${KRB5REALM}} $KADMIND_ARGS
diff --git a/kdc.conf b/kdc.conf
index 3ce8d3d..ceac49a 100644
--- a/kdc.conf
+++ b/kdc.conf
@@ -5,9 +5,9 @@
 [realms]
 EXAMPLE.COM = {
- #master_key_type = des3-hmac-sha1
+ #master_key_type = aes256-cts
 acl_file = /var/kerberos/krb5kdc/kadm5.acl
 dict_file = /usr/share/dict/words
 admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
- supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
+ supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
 }
diff --git a/krb5.spec b/krb5.spec
index 62703a6..50efbf8 100644
--- a/krb5.spec
+++ b/krb5.spec
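Review bot: Hosts that already ran the old start() keep /var/kerberos/krb5kdc/kadm5.keytab on disk, because this hunk only drops the extraction step and nothing removes or mentions the existing file. Per the removed `ktadd` lines that keytab holds kadmin/admin and kadmin/changepw keys, so a comment in the else branch such as `# kadm5.keytab is no longer written here; a leftover copy can be removed once kadmind is confirmed to start without it` would tell admins what to do with it. The kdc.conf in this same commit still carries `admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab`, which looks stale if the daemon really reads the database directly. The one line kept on the new side would also be safer quoted, `[ -x "$kadmind" ] || exit 5`. start() begins and ends outside the hunk.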
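Review bot: The new `supported_enctypes` line in the EXAMPLE.COM block still lists every single-DES entry and arcfour-hmac after the added AES types, so principals created with this default would presumably still get weak keys alongside the AES ones. Existing principals also keep their current key sets until their keys are changed, so the new default alone does not upgrade a deployed realm. A comment above the line would make both points visible to whoever copies this template, for example `# DES entries are legacy (the :v4 and :afs3 salts look like krb4/AFS compatibility); drop them where no client needs them`. `master_key_type` stays commented out on the new side, so the aes256-cts value there is only a hint and does not change an existing database.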
@@ -16,7 +16,7 @@ Summary: The Kerberos network authentication system. Name: krb5 Version: 1.6.3 -Release: 11%{?dist} +Release: 12%{?dist} # Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.6/krb5-1.6.2-signed.tar Source0: krb5-%{version}.tar.gz @@ -231,6 +231,11 @@ to obtain initial credentials from a KDC using a private key and a certificate. %changelog +* Fri Apr 4 2008 Nalin Dahyabhai 1.6.3-12 +- stop exporting kadmin keys to a keytab file when kadmind starts -- the + daemon's been able to use the database directly for a long long time now +- belatedly add aes128,aes256 to the default set of supported key types + * Tue Apr 1 2008 Nalin Dahyabhai 1.6.3-11 - libgssapi_krb5: properly export the acceptor subkey when creating a lucid context (Kevin Coffman, via the nfs4 mailing list)