van Vloten Kees
2021-May-02 08:12 UTC
[Samba] msDS-SupportedEncryptionTypes gets reset on net ads join
Hi Samba-team,

I have set up Samba ad-dc 4.13 and created some computer accounts with samba-tool. Then I reduced the possible encryption algorithms for Kerberos on the computer accounts by setting this in Samba LDAP:

    msDS-SupportedEncryptionTypes: 16

The same settings are in /etc/krb5.conf on the domain member:

/etc/krb5.conf

    [libdefaults]
        default_realm = COMPOSERS.LAN
        dns_lookup_kdc = false
        dns_lookup_realm = false
        rdns = false
        allow_weak_crypto = false
        default_tkt_enctypes = aes256-cts
        default_tgs_enctypes = aes256-cts
        permitted_enctypes = aes256-cts
        ticket_lifetime = 10h

And in /etc/samba/smb.conf:

    [global]
        kerberos method = system keytab
        kerberos encryption types = strong

Now when I join the domain on the member with:

    kinit -V join_user
    net ads testjoin -k -v

I noticed the encryption algorithms on the computer account get reset to the default of 31:

    msDS-SupportedEncryptionTypes: 31

Is there anything I can do to prevent less secure encryption algorithms from being used by computers?

--
Kees van Vloten
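One way to catch the reset described above after a join, as an added example that is not part of the original post or of Samba: it decodes the msDS-SupportedEncryptionTypes bitmask from LDIF search output and reports every computer account offering anything beyond the AES256-only value 16. The sample LDIF and its DNs are constructed, the function names are hypothetical, and the bit meanings are those defined for the attribute in MS-KILE.

```python
# Added example: audit msDS-SupportedEncryptionTypes values in LDIF output.
# Bit values are those defined for this attribute in MS-KILE.
ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "rc4-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}

# Constructed sample input; the DNs are hypothetical.
SAMPLE_LDIF = """\
dn: CN=MEMBER1,CN=Computers,DC=composers,DC=lan
msDS-SupportedEncryptionTypes: 16

dn: CN=MEMBER2,CN=Computers,DC=composers,DC=lan
msDS-SupportedEncryptionTypes: 31

dn: CN=MEMBER3,CN=Computers,DC=composers,
 DC=lan
sAMAccountName: MEMBER3$
"""

def decode_enctypes(mask):
    """Return the enctype names whose bits are set in mask, lowest bit first."""
    return [name for bit, name in sorted(ENCTYPE_BITS.items()) if mask & bit]

def parse_ldif(text):
    """Return [(dn, mask or None)] per record; folded lines are unfolded first."""
    records = []
    for block in text.replace("\n ", "").strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep and not line.startswith("#"):
                attrs[key.lower()] = value
        if "dn" in attrs:
            mask = attrs.get("msds-supportedencryptiontypes")
            records.append((attrs["dn"], int(mask) if mask is not None else None))
    return records

def audit(text, allowed=0x10):
    """Map each DN outside the allowed mask to the enctypes it should not offer."""
    findings = {}
    for dn, mask in parse_ldif(text):
        if mask is None:
            findings[dn] = ["attribute not set"]
        elif mask & ~allowed:
            findings[dn] = decode_enctypes(mask & ~allowed)
    return findings

if __name__ == "__main__":
    for dn, extra in audit(SAMPLE_LDIF).items():
        print(dn, "->", ", ".join(extra))
```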