This option controls whether winbindd requires support for aes support for the netlogon secure channel.
The following flags will be required NETLOGON_NEG_ARCFOUR, NETLOGON_NEG_SUPPORTS_AES, NETLOGON_NEG_PASSWORD_SET2 and NETLOGON_NEG_AUTHENTICATED_RPC.
You can set this to yes if all domain controllers support aes. This will prevent downgrade attacks.
The behavior can be controlled per netbios domain by using 'reject md5 servers:NETBIOSDOMAIN = yes' as option.
This option takes precedence to the option.
Registry Hive | HKEY_LOCAL_MACHINE |
Registry Path | Software\Policies\Samba\smb_conf\reject md5 servers |
Value Name | reject md5 servers |
Value Type | REG_DWORD |
Default Value | 0 |
True Value | 1 |
False Value | 0 |