diff --git a/SOURCES/Ignore-bad-enctypes-in-krb5_string_to_keysalts.patch b/SOURCES/Ignore-bad-enctypes-in-krb5_string_to_keysalts.patch
new file mode 100644
index 0000000..5e7fc6c
--- /dev/null
+++ b/SOURCES/Ignore-bad-enctypes-in-krb5_string_to_keysalts.patch
@@ -0,0 +1,38 @@
+From e339ad300caafc2a98e86ab48a9ac278cfe3bb85 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Wed, 15 Jul 2020 15:42:20 -0400
+Subject: [PATCH] Ignore bad enctypes in krb5_string_to_keysalts()
+
+Fixes a problem where the presence of legacy/unrecognized keysalts in
+supported_enctypes would prevent the kadmin programs from starting.
+
+[ghudson@mit.edu: ideally we would put a warning in the kadmind log,
+but that is difficult to do when the parsing is done inside a library.
+Even adding a trace log is difficult because the kadm5 str_conv
+functions do not accept contexts.]
+
+ticket: 8929 (new)
+(cherry picked from commit be5396ada0e8dabd68bd0aceb733cfca39a609bc)
+(cherry picked from commit 3f873868fb08b77da2d30e164a0ef6c71c17c607)
+---
+ src/lib/kadm5/str_conv.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/lib/kadm5/str_conv.c b/src/lib/kadm5/str_conv.c
+index 7cf51d316..798295606 100644
+--- a/src/lib/kadm5/str_conv.c
++++ b/src/lib/kadm5/str_conv.c
+@@ -340,9 +340,10 @@ krb5_string_to_keysalts(const char *string, const char *tupleseps,
+     while ((ksp = strtok_r(p, tseps, &tlasts)) != NULL) {
+         /* Pass a null pointer to subsequent calls to strtok_r(). */
+         p = NULL;
+-        ret = string_to_keysalt(ksp, ksaltseps, &etype, &stype);
+-        if (ret)
+-            goto cleanup;
++
++        /* Discard unrecognized keysalts. */
++        if (string_to_keysalt(ksp, ksaltseps, &etype, &stype) != 0)
++            continue;
+ 
+         /* Ignore duplicate keysalts if caller asks. */
+         if (!dups && krb5_keysalt_is_present(ksalts, nksalts, etype, stype))
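Review bot: The `continue` after the `string_to_keysalt()` check drops an unparseable entry with no signal to the caller, so a misspelled enctype in `supported_enctypes` is silently removed and the kadmin programs run with whatever entries remain. If the dropped entry was the only strong enctype, new keys may be created with a weaker set than the administrator configured, and as the commit message notes, nothing is logged. The rest of `krb5_string_to_keysalts()` lies outside the hunk, so it is not visible whether an all-invalid string now returns success with zero keysalts; callers should probably treat an empty result as a configuration error. At minimum the comment should record the limitation, e.g. `/* Discard unrecognized keysalts silently; no context is available here to log or trace the skipped entry. */`.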
diff --git a/SPECS/krb5.spec b/SPECS/krb5.spec
index 3f0049c..d154ab4 100644
--- a/SPECS/krb5.spec
+++ b/SPECS/krb5.spec
@@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.18.2
 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
-Release: 3%{?dist}
+Release: 4%{?dist}
 
 # lookaside-cached sources; two downloads and a build artifact
 Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}%{prerelease}.tar.gz
@@ -71,6 +71,7 @@ Patch125: Implement-KERB_AP_OPTIONS_CBT-server-side.patch
 Patch126: Add-client_aware_channel_bindings-option.patch
 Patch127: Pass-channel-bindings-through-SPNEGO.patch
 Patch128: Add-channel-bindings-tests.patch
+Patch129: Ignore-bad-enctypes-in-krb5_string_to_keysalts.patch
 
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -681,6 +682,10 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 
 %changelog
+* Tue Jul 28 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-4
+- Ignore bad enctypes in krb5_string_to_keysalts()
+- Resolves: #1858322
+
 * Mon Jun 15 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-3
 - Match Heimdal behavior for channel bindings
 - Code hygiene + test stability fix included