For some time now I have noticed that if in krb5.conf you set 
default_tkt_enctypes and default_tgs_enctypes to a single value of 
des-cbc-md5, kinit fails with a KDC has no support for encryption type 
message.  Remove it or add another encryption type and kinit succeeds.  I am 
working with a third party kerberos/gssapi implementation, it receives the 
same error, and there is no workaround for it.

In src/kdc/kdc_util.c there's a function dbentry_supports_etype which has a 
hardcoded return value of 0 if the enctype parameter is des-cbc-md5.  The 
function which calls dbentry_supports_enctype is select_session_keytype also 
in kdc_util.c and it then returns 0.  The function which calls 
select_session_keytype is process_as_req in src/kdc/do_as_req.c and it then 
sets the KRB5KDC_ERR_ETYPE_NOSUPP error and creates the error message for 
the client.  I commented out the hardocded return 0 for des-cbc-md5 in 
dbentry_supports_enctype, and then everything seemed to work.

The code takes this same path with both kinit and the third party kerberos 
implementation.  I happen to have my KDC configured for only the des-cbc-md5 
enctype but I have seen the error message in the past when using multiple 
enctypes.

_________________________________________________________________
Get today's hot entertainment gossip  http://movies.msn.com/movies/hotgossip