This option is deprecated with Samba 4.8 and will be removed in future. At the same time the default changed to yes, which will be the hardcoded behavior in future. If you have the need for the behavior of "auto" to be kept, please file a bug at https://bugzilla.samba.org.
This controls whether the server offers or even demands the use of the netlogon schannel. no does not offer the schannel, auto offers the schannel but does not enforce it, and yes denies access if the client is not able to speak netlogon schannel. This is only the case for Windows NT4 before SP4.
Please note that with this set to no, you will have to apply the WindowsXP WinXP_SignOrSeal.reg registry patch found in the docs/registry subdirectory of the Samba distribution tarball.
|Registry Path||Software\Policies\Samba\smb_conf\server schannel|
|Value Name||server schannel|