Kerberos AES encryption and older samba versions

[Uri Simchoni]

Hi,

I see that for a samba 3.3.x-based setup working against a Server
2008R2 RODC, sometimes the Kerberos AS request with pre-authentication
data gets a reply of KRB5KDC_ERR_ETYPE_NOSUPP. The PA-DATA is
encrypted with eTYPE-AES256-CTS-HMAC-SHA1-96, although this machine
does not have the msDS-SupportedEncryptionTypes attribute set -
Heimdal is supporting AES, does not honor "default_tgs_enctypes" (at
least the version used), and just goes ahead and tries AES.

The strange thing is that it mostly works, except when it isn't
working. Does anyone know if it's a known issue (RODC being picky
about encryption types in preauth, validating them against
msDS-SupportedEncryptionTypes)?

If that's the cause of the issue, what's the best course of action
(e.g. just set msDS-SupportedEncryptionTypes, or is it more involved
than that. Perhaps I should just disable AES in the KRB lib)

Thanks,
Uri.