Missing encryption type in keytab entry.

Dewayne dewayne.geraghty at heuristicsystems.com.au
Mon Jan 28 21:02:37 MST 2013


I seem to be missing encryption types aes128-cts-hmac-sha1-96 and aes256-cts-hmac-sha1-96 
during manual keytab generation?

The correct keytab that I have for dns.keytab, verified with 
ktutil -k /usr/local/samba/private/dns.keytab list
/usr/local/samba/private/dns.keytab:

Vno  Type                     Principal             Aliases
  1  des-cbc-crc              DNS/t4.as.lan@AS.LAN
  1  des-cbc-crc              dns-t4@AS.LAN
  1  des-cbc-md5              DNS/t4.as.lan@AS.LAN
  1  des-cbc-md5              dns-t4@AS.LAN
  1  arcfour-hmac-md5         DNS/t4.as.lan@AS.LAN
  1  arcfour-hmac-md5         dns-t4@AS.LAN
  1  aes128-cts-hmac-sha1-96  DNS/t4.as.lan@AS.LAN
  1  aes128-cts-hmac-sha1-96  dns-t4@AS.LAN
  1  aes256-cts-hmac-sha1-96  DNS/t4.as.lan@AS.LAN
  1  aes256-cts-hmac-sha1-96  dns-t4@AS.LAN

However when I generate another keytab using:

/usr/local/samba/bin/samba-tool user create dns-t2 --random-password
/usr/local/samba/bin/samba-tool spn add DNS/t2.as.lan dns-t2
/usr/local/samba/bin/samba-tool domain exportkeytab --principal=dns-t2@as.lan dns-t2.keytab
/usr/local/samba/bin/samba-tool domain exportkeytab --principal=DNS/t2.as.lan dns-t2.keytab
ktutil -k dns-t2.keytab list
dns-t2.keytab:

Vno  Type                     Principal             Aliases
  1  des-cbc-crc              dns-t2@as.lan
  1  des-cbc-md5              dns-t2@as.lan
  1  aes128-cts-hmac-sha1-96  dns-t2@as.lan
  1  aes256-cts-hmac-sha1-96  dns-t2@as.lan
  1  arcfour-hmac-md5         dns-t2@as.lan
  1  des-cbc-crc              DNS/t2.as.lan@AS.LAN
  1  des-cbc-md5              DNS/t2.as.lan@AS.LAN
  1  arcfour-hmac-md5         DNS/t2.as.lan@AS.LAN

Have I made an error, or am I incorrectly performing a step?  I expected all principals to include enc-types of aes128 & aes256.  I suspect the SPN option in samba-tool to be missing some pieces?

The installation was provisioned as follows:
REALM=AS.LAN; DOM=AS; ADMIN_PWD="AnAdmin27"; LDAP_PWD="ASimplePwd27"

/usr/local/samba/bin/samba-tool domain provision --realm=${REALM} --domain=${DOM} \
  --adminpass="${ADMIN_PWD}" --server-role=dc --host-ip=${S4SVR_IP} --debuglevel=2 \
  --ldapadminpass=${LDAP_PWD} --host-name=${HOSTNAME} --use-rfc2307 \
  --function-level=2008_R2 --use-xattrs=yes --dns-backend=BIND9_FLATFILE

I performed the same steps for other users/SPNs with similar results, missing aes*.

Regards, Dewayne.
Sydney, Australia (GMT +11 hours)
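The comparison the post makes by eye (which principals in a keytab listing carry AES keys and which do not) can be scripted. The following is an added example, not code from the original post or from the Samba project: it parses the output format of Heimdal-style `ktutil -k <keytab> list` (the "Vno  Type  Principal  Aliases" layout shown above) and prints every principal that lacks an aes128 or aes256 entry, plus a second check for principals that still carry single-DES keys. The embedded listing is a constructed sample that mirrors the post's second keytab; the function names `missing_aes` and `weak_des` are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post or Samba): audit a Heimdal-style
# "ktutil -k <keytab> list" listing for principals that lack AES keys.

# Constructed sample input, mirroring the post's dns-t2.keytab listing
# (assumption: the column layout "Vno  Type  Principal  Aliases" is used).
SAMPLE_LISTING='dns-t2.keytab:

Vno  Type                     Principal             Aliases
  1  des-cbc-crc              dns-t2@as.lan
  1  des-cbc-md5              dns-t2@as.lan
  1  aes128-cts-hmac-sha1-96  dns-t2@as.lan
  1  aes256-cts-hmac-sha1-96  dns-t2@as.lan
  1  arcfour-hmac-md5         dns-t2@as.lan
  1  des-cbc-crc              DNS/t2.as.lan@AS.LAN
  1  des-cbc-md5              DNS/t2.as.lan@AS.LAN
  1  arcfour-hmac-md5         DNS/t2.as.lan@AS.LAN'

# missing_aes: read a ktutil listing on stdin, print each principal that has
# no aes128-cts-hmac-sha1-96 or no aes256-cts-hmac-sha1-96 key, one per line.
missing_aes() {
    awk '
        # Skip the filename line, blank lines and the header row.
        NF < 3 || $1 == "Vno" { next }
        {
            princ = $3
            seen[princ] = 1
            if ($2 == "aes128-cts-hmac-sha1-96") a128[princ] = 1
            if ($2 == "aes256-cts-hmac-sha1-96") a256[princ] = 1
        }
        END {
            for (p in seen)
                if (!(p in a128) || !(p in a256)) print p
        }
    ' | LC_ALL=C sort
}

# weak_des: read a ktutil listing on stdin, print each principal that still
# carries a single-DES (des-cbc-*) key. These are weak keys a reviewer would
# want removed once every client can use AES.
weak_des() {
    awk 'NF >= 3 && $1 != "Vno" && $2 ~ /^des-cbc-/ { print $3 }' | LC_ALL=C sort -u
}

# Stand-alone run against the constructed sample.
# Against a real keytab:
#   ktutil -k /usr/local/samba/private/dns.keytab list | missing_aes
echo "principals without a full AES key set:"
printf '%s\n' "$SAMPLE_LISTING" | missing_aes
echo "principals still carrying single-DES keys:"
printf '%s\n' "$SAMPLE_LISTING" | weak_des
```

Run on the sample, `missing_aes` reports only `DNS/t2.as.lan@AS.LAN`, which matches the listing in the post: the user principal has both AES keys, the SPN entry has none. Piping the real `ktutil ... list` output through the same function gives the same answer for every keytab you export, so the check can be repeated after each `samba-tool domain exportkeytab` rather than re-read by hand.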


