This option controls whether winbindd requires AES support
for the netlogon secure channel.
The following flags will be required: NETLOGON_NEG_ARCFOUR,
NETLOGON_NEG_SUPPORTS_AES, NETLOGON_NEG_PASSWORD_SET2 and NETLOGON_NEG_AUTHENTICATED_RPC.
You can set this to yes if all domain controllers support AES.
This will prevent downgrade attacks.
The behavior can be controlled per NetBIOS domain
by using 'reject md5 servers:NETBIOSDOMAIN = no' as option.
The default changed from 'no' to 'yes' with the patches for CVE-2022-38023,
see https://bugzilla.samba.org/show_bug.cgi?id=15240
This option overrides the option.
yes
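
An added example, not part of the Samba documentation: a small Python check that reads the [global] section of an smb.conf and lists where 'reject md5 servers' is switched off, either globally (reported as "*") or through a 'reject md5 servers:NETBIOSDOMAIN = no' exception. The function names, the sample configuration and its domain names are constructed for illustration; the parser assumes a single file with no include directives or line continuations.

```python
import re

TRUE = {"yes", "true", "on", "1"}
FALSE = {"no", "false", "off", "0"}
OPTION = "reject md5 servers"

# Constructed sample configuration (domain names are made up).
SAMPLE = """\
[global]
    workgroup = EXAMPLE
    reject md5 servers = yes
    reject md5 servers:LEGACYDOM = no
    Reject MD5 Servers:PARTNER = yes
[share]
    path = /srv/share
"""

def audit_reject_md5(conf_text, default=True):
    """Map "*" (global) and each NetBIOS domain to its effective setting.

    default=True is the default after the CVE-2022-38023 patches;
    pass default=False when auditing a build that predates them.
    """
    settings = {"*": default}
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        name, value = line.split("=", 1)
        # Compare names case-insensitively with whitespace collapsed.
        base, _, domain = " ".join(name.split()).lower().partition(":")
        if base.strip() != OPTION:
            continue
        value = value.strip().lower()
        if value not in TRUE | FALSE:
            raise ValueError(f"not a boolean: {raw.strip()!r}")
        settings[domain.strip().upper() or "*"] = value in TRUE
    return settings

def weak_domains(conf_text, default=True):
    """Entries for which MD5-only netlogon servers are still accepted."""
    return sorted(d for d, on in audit_reject_md5(conf_text, default).items() if not on)
```

Every entry returned by `weak_domains` is a domain (or, for "*", the global setting) where the downgrade protection described above is not enforced and should be reviewed.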