Fix check-des

The previous fix was incomplete.  But it also finally uncovered an
old check-des problem that I'd had once and which may have gotten
papered over by changing the default of one of the *strongest* KDC
parameters.  The old problem is that we were passing the wrong
enctype to _kdc_encode_reply(): we were passing the session key
enctype where the ticket enc-part key's enctype was expected.

The whole enctype being passed in is superfluous anyways.  Let's
clean that up next.
Nicolas Williams
2011-10-12 01:15:13 -05:00
parent 12cd2c9cbd
commit 4c6976a6bd


@@ -988,7 +988,7 @@ tgs_make_reply(krb5_context context,
etype list, even if we don't want a session key with
DES3? */
ret = _kdc_encode_reply(context, config,
&rep, &et, &ek, et.key.keytype,
&rep, &et, &ek, serverkey->keytype,
kvno,
serverkey, 0, replykey, rk_is_subkey,
e_text, reply);
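Review bot: In the _kdc_encode_reply() call, the new enctype argument serverkey->keytype repeats information already carried by the serverkey pointer passed two lines below it, so the two values can drift apart again the same way et.key.keytype did. Until the parameter is removed as the commit message plans, a short comment at this call stating that the argument is the ticket enc-part key's enctype, not the session key's, would keep the mix-up from being reintroduced. The existing comment above the call talks about session keys and DES3, which makes the old value look plausible to a reader.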
@@ -1699,13 +1699,22 @@ server_lookup:
} else {
Key *skey;
ret = _kdc_get_preferred_key(context, config, server, spn,
&etype, &skey);
ret = _kdc_find_etype(context,
config->tgs_use_strongest_session_key, FALSE,
server, b->etype.val, b->etype.len, &etype,
NULL);
if(ret) {
kdc_log(context, config, 0,
"Server (%s) has no support for etypes", spn);
goto out;
}
ret = _kdc_get_preferred_key(context, config, server, spn,
NULL, &skey);
if(ret) {
kdc_log(context, config, 0,
"Server (%s) has no supported etypes", spn);
goto out;
}
ekey = &skey->key;
kvno = server->entry.kvno;
}
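Review bot: The two failure paths in this block log nearly identical text ("has no support for etypes" after _kdc_find_etype() and "has no supported etypes" after _kdc_get_preferred_key()), so an operator reading the KDC log cannot tell which lookup failed. The first check runs against the client's requested list (b->etype.val, b->etype.len), so its message could say that the server shares no enctype with the request, leaving the existing wording for the key lookup. The bare FALSE in the _kdc_find_etype() call would also read better with a comment naming the parameter it sets.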