Google ChromeOS restricts the enc types allowed for the kerberos client. If the DC doesn't support these types it returns KRB5KDC_ERR_ETYPE_NOSUPP as an error to the client code.
Currently Samba doesn't pass this back to the caller as NT_STATUS_KDC_UNKNOWN_ETYPE, which is the NT status designated for this error - it gets returned as NT_STATUS_LOGON_FAILURE, which doesn't allow the caller to report the problem to the client GUI.
We already handle KDC specific errors such as NT_STATUS_TIME_DIFFERENCE_AT_DC, this just adds another one to enable users to debug problems.
Patch to follow.
Created attachment 13935 [details]
git-am fix for master.
Created attachment 13937 [details]
git-am fix for 4.8.0rcNext, 4.7.next, 4.6.next.
Cherry-pick from master, applies cleanly to 4.8.0rcX, 4.7.next, 4.6.next.