Hi Team, I am trying to use safe ciphers only, therefore I restrict the encryption types on the accounts to: msDS-SupportedEncryptionTypes: 16 And in /etc/krb5.conf: [libdefaults] ?? canonicalize = true ???allow_weak_crypto = false ???default_tkt_enctypes = aes256-cts ???default_tgs_enctypes = aes256-cts ???permitted_enctypes = aes256-cts Still an export of the keytab in samba delivers me a keytab that includes arcfour-hmac: samba-tool domain exportkeytab -d 8 --principal=http/webserver.example.com webserver.keytab klist -kte webserver.keytab Keytab name: FILE:web_ravel.keytab KVNO Timestamp?????????? Principal ---- ------------------- ------------------------------------------------------ ?? 2 11/08/2022 00:00:11 http/webserver.example.com at EXAMPLE.COM (aes256-cts-hmac-sha1-96) ?? 2 11/08/2022 00:00:11 http/webserver.example.com at EXAMPLE.COM (DEPRECATED:arcfour-hmac) How is that possible with the msDS-SupportedEncryptionTypes set to 16? What can I do to get rid of the arcfour-hmac cipher (other than deleting it with kutil)? (this is with Samba 4.16.2 on Bullseye) - Kees.