[Samba] msDS-SupportedEncryptionTypes gets reset on net ads join

van Vloten Kees keesvanvloten at gmail.com
Sun May 2 08:12:06 UTC 2021

Hi Samba-team,

I have setup Samba ad-dc 4.13 and created some computer accounts with
Then I reduced the possible encryption algorithms for kerberos on the
computer accounts by setting this in samba ldap:

msDS-SupportedEncryptionTypes: 16

The same settings are in /etc/krb5.conf on the domain-member to be:


    default_realm = COMPOSERS.LAN
    dns_lookup_kdc = false
    dns_lookup_realm = false
    rdns = false
    allow_weak_crypto =  false
    default_tkt_enctypes = aes256-cts
    default_tgs_enctypes = aes256-cts
    permitted_enctypes = aes256-cts
    ticket_lifetime = 10h

And in /etc/samba/smb.conf

        kerberos method = system keytab
        kerberos encryption types = strong

Now when I join the domain on the member with:

kinit -V join_user
net ads testjoin -k -v

I noticed the encryption algorithms on the computer-account get reset to
the default of 31:

msDS-SupportedEncryptionTypes: 31

Is there anything I can do to prevent less secure encryption algorithms to
get used by computers?

Kees van Vloten

More information about the samba mailing list