diff --git a/lib/kadm5/set_keys.c b/lib/kadm5/set_keys.c
index a5c61c893..1ed6bb5b0 100644
--- a/lib/kadm5/set_keys.c
+++ b/lib/kadm5/set_keys.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
@@ -72,10 +72,11 @@ make_keys(krb5_context context, krb5_principal principal, const char *password,
 /* for each entry in `default_keys' try to parse it as a sequence of etype:salttype:salt, syntax of this if something like: [(des|des3|etype):](pw|afs3)[:string], if etype is omitted it
- means everything, and if string is omitted is means the default
+ means all etypes, and if string is omitted is means the default
 string (for that principal). Additional special values: v5 == pw-salt, and
- v4 == pw-salt:
+ v4 == des:pw-salt:
+ afs or afs3 == des:afs3-salt
 */
 if (ktypes == NULL
@@ -98,6 +99,8 @@ make_keys(krb5_context context, krb5_principal principal, const char *password,
 p = "pw-salt";
 else if(strcmp(p, "v4") == 0)
 p = "des:pw-salt:";
+ else if(strcmp(p, "afs") == 0 || strcmp(p, "afs3") == 0)
+ p = "des:afs3-salt";
 /* split p in a list of :-separated strings */
 for(num_buf = 0; num_buf < 3; num_buf++)
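Review bot: The updated comment in the hunk at -72 adds `afs or afs3 == des:afs3-salt` but does not say which salt is used when no string is given, and the salt determines the derived key. The later hunk at -165 shows that for `KRB5_AFS3_SALT` the default is the principal's realm lower-cased, so I would say so in the comment, e.g. `afs or afs3 == des:afs3-salt (default salt: the realm, lower-cased)`. The changed sentence also still reads "is omitted is means"; `it means` is presumably intended. The comment sits inside make_keys, whose body starts and ends outside this hunk.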
@@ -165,11 +168,35 @@ make_keys(krb5_context context, krb5_principal principal, const char *password,
 continue;
 }
- if(!salt_set && salt.salttype == KRB5_PW_SALT)
+ if(!salt_set) {
 /* make up default salt */
- ret = krb5_get_pw_salt(context, principal, &salt);
+ if(salt.salttype == KRB5_PW_SALT)
+ ret = krb5_get_pw_salt(context, principal, &salt);
+ else if(salt.salttype == KRB5_AFS3_SALT) {
+ krb5_realm *realm = krb5_princ_realm(context, principal);
+ salt.saltvalue.data = strdup(*realm);
+ if(salt.saltvalue.data == NULL) {
+ krb5_set_error_string(context, "out of memory while "
+ "parsinig salt specifiers");
+ ret = ENOMEM;
+ goto out;
+ }
+ strlwr(salt.saltvalue.data);
+ salt.saltvalue.length = strlen(*realm);
+ }
+ }
 memset(&key, 0, sizeof(key));
 for(i = 0; i < num_etypes; i++) {
+ Key *k;
+ for(k = keys; k < keys + num_keyts; k++) {
+ if(k->key.keytype == etypes[i] &&
+ k->salt.salttype == salt.salttype &&
+ k->salt.saltvalue.length == salt.saltvalue.length &&
+ memcmp(k->salt.saltvalue.data, salt.saltvalue.data,
+ salt.saltvalue.length) == 0)
+ goto next_etype;
+ }
+
 ret = krb5_string_to_key_salt (context,
 etypes[i],
 password,
@@ -210,6 +237,7 @@ make_keys(krb5_context context, krb5_principal principal, const char *password,
 }
 keys = tmp;
 keys[num_keys++] = key;
+ next_etype:;
 }
 }
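Review bot: The duplicate-key scan added in the hunk at -165 is bounded by `keys + num_keyts`, while the array is appended with `keys[num_keys++] = key;` in the hunk at -210. Unless a separate `num_keyts` is declared outside the visible lines this is a typo that will not compile, and if such a variable does exist the scan may not cover exactly the entries stored in `keys`; I would write `for(k = keys; k < keys + num_keys; k++) {`. In the same condition `memcmp` is called even when both salt lengths are zero, and whether `saltvalue.data` can be NULL there depends on parsing code outside the hunk, so a `salt.saltvalue.length == 0 ||` short-circuit in front of the `memcmp` would be the safe form. The new error string says `parsinig` where `parsing` is meant. make_keys starts and ends outside these hunks, so the `out:` cleanup and the release of the strdup'd salt cannot be checked from here.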