Heimdal tries to find the intersection of the client-specified encryption types in the AS-REQ vs the target server (typically the krbtgt account)'s supported encryption types to create a session key. However, Heimdal historically has examined only the AS-REQ-specified encryption types vs the keys stored by the user on the account (which really should only matter for a password-based AS-REQ like ENC-TIMESTAMP).
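The two selection rules described above, side by side, as an added example that is not part of the bug report and is not Heimdal or Samba code. It is a simplified model: the function names, the sample etype lists and the choice of client preference order are assumptions; the etype numbers are the standard Kerberos assignments.

```c
#include <stddef.h>
#include <stdio.h>

/* Standard Kerberos etype numbers; ETYPE_NONE means "no common etype". */
enum { ETYPE_NONE = 0, AES128_SHA1 = 17, AES256_SHA1 = 18, RC4_HMAC = 23 };
#define N(a) (sizeof(a) / sizeof((a)[0]))

/* First etype from the AS-REQ list that also appears in `allowed`.
 * Walking the request in client preference order is an assumption. */
static int first_common(const int *req, size_t nreq,
                        const int *allowed, size_t nallowed)
{
    for (size_t i = 0; i < nreq; i++)
        for (size_t j = 0; j < nallowed; j++)
            if (req[i] == allowed[j])
                return req[i];
    return ETYPE_NONE;
}

/* Historical rule: AS-REQ etypes vs. the keys stored on the user's account. */
int session_etype_historical(const int *req, size_t nreq,
                             const int *user_keys, size_t nkeys)
{
    return first_common(req, nreq, user_keys, nkeys);
}

/* Intended rule: AS-REQ etypes vs. the target server's supported etypes. */
int session_etype_intended(const int *req, size_t nreq,
                           const int *server_etypes, size_t nserver)
{
    return first_common(req, nreq, server_etypes, nserver);
}

/* Constructed sample data: the account holds only an RC4 key, while the
 * target (krbtgt) supports AES only. */
static const int REQ_ALL[]      = { AES256_SHA1, AES128_SHA1, RC4_HMAC };
static const int REQ_AES_ONLY[] = { AES256_SHA1 };
static const int USER_KEYS[]    = { RC4_HMAC };
static const int KRBTGT_ETYPES[] = { AES256_SHA1, AES128_SHA1 };

int main(void)
{
    printf("historical: %d, intended: %d\n",
           session_etype_historical(REQ_ALL, N(REQ_ALL), USER_KEYS, N(USER_KEYS)),
           session_etype_intended(REQ_ALL, N(REQ_ALL), KRBTGT_ETYPES, N(KRBTGT_ETYPES)));
    return 0;
}
```

With the sample data, the historical rule yields an RC4 session key even though the target supports AES, and yields no etype at all for an AES-only request from a user whose account lacks an AES key.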
This bug was referenced in samba master: 975e43fc45531fdea14b93a3b1529b3218a177e6 4bb50c868c8ed14372cb7d27e53cdaba265fc33d f1c5fa28c460f7e011049606b1b9ef96443e5e1f
This bug was referenced in samba v4-15-test: 1e32bfc0fdd5394268eb86f60de521722f783a50 a7e2f5d32e59758ca714e292e3aa0e51821a9d43 0d7dc04404dee3f1ddce219f3ed1db736716eef7
This bug was referenced in samba v4-16-test: a836bcf22ce87cf93e7d3cbf975d1baaa8f32c3b c13c60ffbf7f86011594268cc48a1f9f1991f664 b40b03d0601394cc3a8e7923229aa8d53b2d815f
This bug was referenced in samba v4-17-test: 71e538e7e03b0624a8f094c506cde7a3e604bf3e 82f3c2876a80fa58425db3ee0ab15900680fe0ba d7efa582a41082d87c844461342e1f9e3ca932a3
This bug was referenced in samba v4-16-stable (Release samba-4.16.8): a836bcf22ce87cf93e7d3cbf975d1baaa8f32c3b c13c60ffbf7f86011594268cc48a1f9f1991f664 b40b03d0601394cc3a8e7923229aa8d53b2d815f
This bug was referenced in samba v4-17-stable (Release samba-4.17.4): 71e538e7e03b0624a8f094c506cde7a3e604bf3e 82f3c2876a80fa58425db3ee0ab15900680fe0ba d7efa582a41082d87c844461342e1f9e3ca932a3
This bug was referenced in samba v4-15-stable (Release samba-4.15.13): 1e32bfc0fdd5394268eb86f60de521722f783a50 a7e2f5d32e59758ca714e292e3aa0e51821a9d43 0d7dc04404dee3f1ddce219f3ed1db736716eef7