KRB5_NOPERM_ETYPE error on kerberos authentication

Joey Collins joeycollins at
Thu Apr 21 03:58:36 GMT 2005

I'm trying to get a Windows 2000 PRO (no service packs) client to
authenticate to samba and I keep getting KRB5_NOPERM_ETYPE.  The WIN2000
PRO system is joined to the domain.  My krb5.conf is real simple:

  kdc =

The relevant parts of smb.conf are:

  realm = DOMAIN
  ads server =
  security = ADS
  encrypt passwords = yes
  netbios name = sambatest
  wins server =

I have another windows 2000 (server) that is able to connect fine (it is
also joined to the domain) -- it is running with service pack 4.  I
narrowed where I'm getting the KRB5_NOPERM_ETYPE to the following in the
MIT krb5 library:

rd_req_dec.c (lines 245-253):

            if ((!krb5_is_permitted_enctype(context,
                                            req->ticket->enc_part.enctype)) ||
                (!krb5_is_permitted_enctype(context,
                                            req->ticket->enc_part2->session->enctype)) ||
                (((*auth_context)->authentp->subkey) &&
                 !krb5_is_permitted_enctype(context,
                                            (*auth_context)->authentp->subkey->enctype))) {
                retval = KRB5_NOPERM_ETYPE;
                goto cleanup;

the encryption type for req->ticket->enc_part.enctype = 23; the enctype
for req->ticket->enc_part2->session->enctype = 23.  But, for the Windows
2000 client that fails, (*auth_context)->authentp->subkey->enctype =
24.  krb5.h knows about all of these:


but, 24 isn't in the list of "permitted enctypes" (confirmed by stepping
through krb5_is_permitted_enctype).  Interestingly enough, for the
Windows 2000 server that works fine, all three of the enctypes above are

So, to cure my ills, I added the following line to my krb5.conf:

permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
des3-cbc-sha1 arcfour-hmac-md5 arcfour-hmac-exp des-cbc-crc des-cbc-md5

the key addition being "arcfour-hmac-exp", and it worked fine.

So, the $64,000 question is, why do some versions of Windows choose
the exportable version of ArcFour w/ HMAC/MD5?  Both copies of Windows I
am using are U.S. English.

Joey Collins.
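
As an added illustration (not code from the post, from MIT krb5 or from Samba), the following Python models the three-way enctype check quoted above from rd_req_dec.c, driven by a krb5.conf permitted_enctypes value, and runs it for both clients in the post: the Windows 2000 Pro box (ticket 23, session key 23, authenticator subkey 24) and the SP4 server. The function names, the pre-fix permitted list (assumed to be the post's new line minus arcfour-hmac-exp) and the SP4 server using enctype 23 in all three positions are assumptions.

```python
# Added example, not MIT krb5 or Samba code: models the enctype policy check
# in rd_req_dec.c, driven by a krb5.conf permitted_enctypes value.
# Enctype numbers as assigned in RFC 3961 / RFC 4757 (and listed in krb5.h).
ENCTYPE_BY_NAME = {
    "des-cbc-crc": 1,
    "des-cbc-md5": 3,
    "des3-cbc-sha1": 16,
    "aes128-cts-hmac-sha1-96": 17,
    "aes256-cts-hmac-sha1-96": 18,
    "arcfour-hmac-md5": 23,  # RC4-HMAC: the ticket/session enctype in the post
    "arcfour-hmac-exp": 24,  # export-strength (reduced key) RC4-HMAC
}

# Assumption: the list in effect before the fix is the post's new line minus
# arcfour-hmac-exp (the post does not quote the old list).
PERMITTED_BEFORE = ("aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 "
                    "des3-cbc-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5")
PERMITTED_AFTER = PERMITTED_BEFORE + " arcfour-hmac-exp"

def parse_permitted_enctypes(value):
    """Map a space-separated permitted_enctypes value to enctype numbers;
    an unknown name is an error rather than being silently ignored."""
    enctypes = set()
    for name in value.split():
        if name not in ENCTYPE_BY_NAME:
            raise ValueError("unknown enctype name: %s" % name)
        enctypes.add(ENCTYPE_BY_NAME[name])
    return enctypes

def check_ap_req(permitted, ticket_etype, session_etype, subkey_etype=None):
    """Same order as rd_req_dec.c: ticket enctype, session-key enctype, then the
    authenticator subkey enctype (only if the client sent one). Returns the
    first enctype that is not permitted (KRB5_NOPERM_ETYPE), or None."""
    for etype in (ticket_etype, session_etype, subkey_etype):
        if etype is not None and etype not in permitted:
            return etype
    return None

def reproduce_post():
    """Run both clients from the post against both krb5.conf states."""
    # Windows 2000 Pro (no SP): ticket 23, session key 23, subkey 24 (from post).
    # Windows 2000 Server SP4: assumed 23 for all three, as the post implies.
    clients = {"w2k_pro": (23, 23, 24), "w2k_server_sp4": (23, 23, 23)}
    results = {}
    for state, conf in (("before", PERMITTED_BEFORE), ("after", PERMITTED_AFTER)):
        permitted = parse_permitted_enctypes(conf)
        for client, (t, s, k) in clients.items():
            results[(state, client)] = check_ap_req(permitted, t, s, k)
    return results
```

reproduce_post() shows the Windows 2000 Pro AP-REQ rejected on enctype 24 only in the "before" state; note that the added arcfour-hmac-exp entry also permits an export-strength RC4 subkey in that same position, which is the trade-off the extra krb5.conf line makes.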

More information about the samba-technical mailing list