krb5_verify_user requires single-DES host key in keytab?
I'm using the Heimdal integrated into NetBSD 4.0_BETA2 (I believe this
is from the 0.7 branch of Heimdal).
I have no principals in my database with any single-DES keys, though
kadmin and ktutil don't exactly make this easy. The keytabs on my hosts
have only 3des keys for host/host.domain@REALM.
When I try to use an application like sudo 1.6.9 that calls krb5_verify_user
to check a user's password, it gets the TGT for the user, but then fails
to find the service key for the host in the keytab, with an error like
this:
sudo: kerb5: host service key not found: Unknown error -1765328203
Jul 28 23:56:46 hostname sudo: tls : kerb5: host service key not found:
Unknown error -1765328203 ; TTY=tty00 ; PWD=/home/tls ; USER=root ;
COMMAND=/bin/sh
sudo: kerb5: Cannot verify TGT! Possible attack!: Unknown error -1765328203
Sorry, try again.
Is this expected? Can I patch krb5_verify_user to fix it? I can't figure
out what that error code actually is.
--
Thor Lancelot Simon tls@rek.tjls.com
"The inconsistency is startling, though admittedly, if consistency is to
be abandoned or transcended, there is no problem." - Noam Chomsky
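
Added example, not part of the original message: the "Unknown error -1765328203" value is a com_err code, which packs the error table's name into its upper 24 bits (6 bits per character) and the message index into the low 8 bits, so it can be decoded by hand. The function names decode_com_err and krb5_symbol are hypothetical, and the one-entry symbol table uses the value from MIT krb5's krb5.h on the assumption that Heimdal's krb5 error table numbers it the same way.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ERRCODE_RANGE 8   /* low bits: index of the message within the table */
#define BITS_PER_CHAR 6   /* table name is packed 6 bits per character */

static const char char_set[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_";

/* Split a com_err code into its table name (written to out, up to 4 chars
 * plus NUL) and return the message index within that table. */
int decode_com_err(long code, char out[5])
{
    uint32_t u = (uint32_t)code;            /* codes are 32-bit, often negative */
    uint32_t table = u >> ERRCODE_RANGE;    /* 24-bit packed table name */
    char *p = out;

    for (int i = 3; i >= 0; i--) {
        unsigned ch = (table >> (BITS_PER_CHAR * i)) & 0x3f;
        if (ch != 0)                        /* 0 means "no character here" */
            *p++ = char_set[ch - 1];
    }
    *p = '\0';
    return (int)(u & 0xff);
}

/* Map (table, index) to a symbol. Only the entry relevant to this message is
 * listed; value per MIT krb5.h, assumed identical in Heimdal. */
const char *krb5_symbol(const char *table, int idx)
{
    if (strcmp(table, "krb5") == 0 && idx == 181)
        return "KRB5_KT_NOTFOUND";
    return "(not in this example's table)";
}

int main(void)
{
    char table[5];
    long code = -1765328203L;               /* value from the sudo log above */
    int idx = decode_com_err(code, table);

    printf("code %ld: table \"%s\", index %d, symbol %s\n",
           code, table, idx, krb5_symbol(table, idx));
    return 0;
}
```

Decoded this way, the code belongs to the krb5 error table at index 181, which matches the "host service key not found" text sudo printed alongside it.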