gokrb5: Encrypting error - trying to use aes256 instead of rc4-hmac
I am having the same issue as #186 - it is looking for etype 18 (aes256) but I am using 23 (rc4-hmac). I left a comment on that issue but you probably aren’t going to see it since it is closed, so I am opening a new one.
Here is the full error:
Error on AS_REQ: [Root cause: Encrypting_Error] KRBMessage_Handling_Error: AS Exchange Error: failed setting AS_REQ PAData for pre-authentication required < Encrypting_Error: error getting key from credentials: matching key not found in keytab. Looking for [<redacted>] realm: <redacted> kvno: 0 etype: 18
Here is what is in the keytab:
Keytab name: FILE: redacted.keytab
KVNO Timestamp Principal
0 06/09/19 10:50:29 redacted@redacted (arcfour-hmac)
Here are the krb5.conf entries of interest:
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5
I cannot modify the krb5.conf and if I try adding an entry for 18/aes256 (add_entry -password -p redacted@redacted -k 0 -e aes256-cts-hmac-sha1-96) to the keytab, I get an error that says… kinit: Preauthentication failed while getting initial credentials …and Kerberos doesn’t work at all. In my setup, Kerberos only works if there is 1 entry in the keytab and it is the rc4-hmac.
Is there a way to force gokrb5 to use rc4-hmac instead of aes256 or another way to get things working?
Note that I am new to Kerberos, so I apologize if that is a silly question or I am missing something easy.
Thanks
About this issue
- State: closed
- Created 5 years ago
- Comments: 19 (8 by maintainers)
@jcmturner Any thoughts on the above? Is there anything else I can do/try to get things working?
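Added example, not part of the original issue and not gokrb5's own code: a standard-library-only check of which etype numbers a keytab actually holds for a principal, the lookup that fails for etype 18 in the error above (18 = aes256-cts-hmac-sha1-96, 17 = aes128-cts-hmac-sha1-96, 23 = arcfour-hmac). The function name `etypesFor`, the principal `user@EXAMPLE.TEST` and the embedded keytab bytes are constructed for illustration.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"strings"
)

// Constructed sample keytab: user@EXAMPLE.TEST, kvno 0, etype 23, all-zero key.
var sampleKeytab = []byte("\x05\x02\x00\x00\x00\x33\x00\x01\x00\x0cEXAMPLE.TEST\x00\x04user" +
	"\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x17\x00\x10" + string(make([]byte, 16)))

// etypesFor parses an MIT keytab (file format 0x0502) and returns the etypes with a key for princ.
func etypesFor(b []byte, princ string) (have map[int]bool, err error) {
	defer func() { // an out-of-range read on a short or corrupt file becomes an error
		if recover() != nil {
			have, err = nil, fmt.Errorf("truncated or malformed keytab")
		}
	}()
	if b = b[:len(b):len(b)]; b[0] != 5 || b[1] != 2 {
		return nil, fmt.Errorf("not a version 0x0502 keytab")
	}
	u16 := func(s []byte) int { return int(binary.BigEndian.Uint16(s)) }
	have = map[int]bool{}
	for p := 2; p+4 <= len(b); {
		size := int(int32(binary.BigEndian.Uint32(b[p:])))
		if p += 4; size <= 0 { // negative length: deleted entry, skip its bytes (zero skips nothing)
			p -= size
			continue
		}
		e := b[p : p+size : p+size] // capacity capped so reads cannot run into the next entry
		p += size
		parts := make([]string, u16(e)+1) // realm first, then the counted name components
		e = e[2:]
		for i := range parts { // each string is a 16-bit length followed by that many bytes
			parts[i] = string(e[2 : 2+u16(e)])
			e = e[2+len(parts[i]):]
		}
		// e now holds: name type (4), timestamp (4), 8-bit kvno (1), etype (2), key block
		if etype := u16(e[9:]); strings.Join(parts[1:], "/")+"@"+parts[0] == princ {
			have[etype] = true
		}
	}
	return have, nil
}

func main() {
	have, err := etypesFor(sampleKeytab, "user@EXAMPLE.TEST")
	fmt.Println("etype 18 key:", have[18], "etype 23 key:", have[23], "error:", err)
}
```

The key bytes are never read or printed, so the check can be run against a real keytab loaded with `os.ReadFile` without exposing key material.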