allow nt4 crypto

This option controls whether the netlogon server (currently only in 'active directory domain controller' mode) will reject clients which support neither NETLOGON_NEG_STRONG_KEYS nor NETLOGON_NEG_SUPPORTS_AES.
This option was added with Samba 4.2.0. It may lock out clients which worked fine with Samba versions up to 4.1.x, as the effective default was "yes" there, while it is "no" now.
If you have clients without RequireStrongKey = 1 in the registry, you may need to set "allow nt4 crypto = yes" until you have fixed all clients.
"allow nt4 crypto = yes" allows weak crypto to be negotiated, possibly via downgrade attacks.
This option yields precedence to the 'reject md5 clients' option.
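
The following is an added example, not code from Samba or from this page: a simplified Python model of the accept/reject decision described above, run over a constructed smb.conf so the effect of a setting can be checked before it is rolled out. The function names, the client profiles and the `reject_md5_default` parameter are assumptions (the page does not state the default of 'reject md5 clients'); the two flag values are the MS-NRPC negotiate-flag bits.

```python
# Added example: simplified model of the netlogon negotiation policy; not Samba's code.
NETLOGON_NEG_STRONG_KEYS = 0x00004000   # MS-NRPC negotiate flag bit
NETLOGON_NEG_SUPPORTS_AES = 0x01000000  # MS-NRPC negotiate flag bit

# Constructed sample configuration.
SAMPLE_CONF = """
[global]
    server role = active directory domain controller
    ; temporary exception for legacy members
    allow nt4 crypto = yes
"""

def read_global(conf_text):
    """Return the [global] options of an smb.conf text as a dict (hypothetical helper)."""
    opts, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            opts[" ".join(key.lower().split())] = value.strip().lower()
    return opts

def as_bool(opts, name, default):
    value = opts.get(name)
    return default if value is None else value in ("yes", "true", "1", "on")

def decide(flags, allow_nt4_crypto, reject_md5_clients):
    """Assumed decision order: AES always passes, 'reject md5 clients' wins next."""
    if flags & NETLOGON_NEG_SUPPORTS_AES:
        return "accept"
    if reject_md5_clients:
        return "reject"
    if flags & NETLOGON_NEG_STRONG_KEYS or allow_nt4_crypto:
        return "accept"
    return "reject"

def audit(conf_text, reject_md5_default):
    """Map constructed client profiles to the modelled outcome for this config."""
    opts = read_global(conf_text)
    allow = as_bool(opts, "allow nt4 crypto", False)  # default "no" since 4.2.0
    reject_md5 = as_bool(opts, "reject md5 clients", reject_md5_default)
    profiles = {"no flags": 0, "strong keys only": NETLOGON_NEG_STRONG_KEYS,
                "aes": NETLOGON_NEG_SUPPORTS_AES | NETLOGON_NEG_STRONG_KEYS}
    return {name: decide(f, allow, reject_md5) for name, f in profiles.items()}

if __name__ == "__main__":
    for client, outcome in audit(SAMPLE_CONF, reject_md5_default=False).items():
        print(f"{client}: {outcome}")
```

With the sample configuration every profile is accepted, including the client that offers neither flag, which is the exposure "allow nt4 crypto = yes" leaves open.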

Supported on: At least Microsoft Windows 7 or Windows Server 2008 family

allow nt4 crypto
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: Software\Policies\Samba\smb_conf\allow nt4 crypto
Value Name: allow nt4 crypto
Value Type: REG_DWORD
Default Value: 0
True Value: 1
False Value: 0

samba.admx

Administrative Templates (Computers)