This parameter determines the encryption types to use when operating as a Kerberos client. Possible values are all, strong, and legacy.

Samba uses a Kerberos library (MIT or Heimdal) to obtain Kerberos tickets. This library is normally configured outside of Samba, using the krb5.conf file, which may also include directives to configure the encryption types to be used. However, Samba implements Active Directory protocols and algorithms to locate a domain controller. To force the Kerberos library to use the correct domain controller, some Samba processes, such as winbindd(8) and net(8), build a private krb5.conf file for the Kerberos library to use while it is invoked from Samba. This private file controls all aspects of the Kerberos library's operation. This parameter controls how the encryption types are configured within the generated file, and therefore also controls the encryption types negotiable by Samba.

When set to all, all Active Directory encryption types are allowed.

When set to strong, only AES-based encryption types are offered. This can be used in hardened environments to prevent downgrade attacks.

When set to legacy, only RC4-HMAC-MD5 is allowed. Avoiding AES this way has one very specific use. Normally, the encryption type is negotiated between the peers. However, there is one scenario in which a Windows read-only domain controller (RODC) advertises AES encryption, but then proxies the request to a writeable DC which may not support AES encryption, leading to failure of the handshake. Setting this parameter to legacy causes Samba not to negotiate AES encryption. It is assumed, of course, that the weaker legacy encryption types are acceptable for the setup.

Default: all
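The following is an added example, not part of the Samba documentation or code base: a small audit that reads an smb.conf text and reports which of the three documented values is in effect for the Kerberos client. The parameter name kerberos encryption types is Samba's name for this setting and does not appear in the text above; the OK/WARN/INVALID verdicts, the function names and the sample configurations are constructed for illustration.

```python
# Added example: audit which Kerberos client enctype policy an smb.conf selects.
PARAM = "kerberosencryptiontypes"  # Samba ignores case and spaces in names
DEFAULT = "all"                    # default value given on the page

# Verdicts are this example's own labels; the descriptions follow the page.
FINDINGS = {
    "strong": ("OK", "only AES-based encryption types are offered"),
    "all": ("WARN", "non-AES types stay negotiable, no downgrade protection"),
    "legacy": ("WARN", "only RC4-HMAC-MD5 is offered, AES is never negotiated"),
}

def effective_value(conf_text):
    """Return the last [global] value of the parameter, or the default."""
    # Assumption: lines before the first section header count as [global].
    section, value, pending = "global", DEFAULT, ""
    for raw in conf_text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):            # trailing backslash continues a line
            pending = line[:-1]
            continue
        pending = ""
        if not line or line[0] in "#;":    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line and section == "global":
            name, _, val = line.partition("=")
            if "".join(name.split()).lower() == PARAM:
                value = val.strip().lower()
    return value

def audit(conf_text):
    """Return (value, verdict, reason) for one smb.conf text."""
    value = effective_value(conf_text)
    verdict, reason = FINDINGS.get(value, ("INVALID", "not all, strong or legacy"))
    return value, verdict, reason

# Constructed sample configurations (not taken from any real host).
SAMPLES = {
    "hardened": "[global]\n  Kerberos Encryption Types = strong\n",
    "rodc-workaround": "[global]\n  kerberos encryption types = legacy\n",
    "unset": "[global]\n  security = ads\n[data]\n  path = /srv/data\n",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(label, *audit(text), sep=" | ")
```

A host that reports legacy should be traceable to the RODC scenario described above; otherwise strong is the value that removes RC4-HMAC-MD5 from negotiation.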