Automatic etype fallback on KDC_ERR_ETYPE_NOSUPP

[StrongWind1]

What problem does this solve?

When KDC_ERR_ETYPE_NOSUPP is returned during credential validation, CredWolf reports the error and moves on. The operator must then manually re-run the entire spray with --etype aes256 to test users whose accounts reject RC4 (e.g. Protected Users group members, accounts with "This account supports AES256 encryption" enforced, or DES-only legacy accounts). This wastes time and risks missing valid credentials on a mixed-etype domain.

Proposed solution

When a user returns KDC_ERR_ETYPE_NOSUPP, automatically retry that user with the next strongest etype in the fallback chain: RC4 → AES128 → AES256. This would catch Protected Users members and etype-restricted accounts in a single pass without operator intervention.

Key considerations:

• Only retry on KDC_ERR_ETYPE_NOSUPP, not on other errors
• The fallback should be per-user, not global — most accounts will work with the requested etype
• Log the fallback at verbose level so the operator knows it happened
• For password-based auth with AES fallback, a salt retrieval request is needed (the salt request should also use the fallback etype)
• Cache the working etype per user so subsequent passwords for the same user skip the failed etype

Alternatives considered

• Always requesting all three etypes in the AS-REQ — the KDC would pick the strongest it supports, but this changes the etype of the encrypted timestamp and may not match what the operator intended
• Documenting "run twice with different etypes" — current workaround, but doubles the runtime and bad-password counter impact