This option is deprecated and will be removed in future, as it is a security problem if not set to "no" (which will be the hardcoded behavior in future). This option controls whether the netlogon server (currently only in 'active directory domain controller' mode), will reject clients which do not support NETLOGON_NEG_STRONG_KEYS nor NETLOGON_NEG_SUPPORTS_AES. This option was added with Samba 4.2.0. It may lock out clients which worked fine with Samba versions up to 4.1.x. as the effective default was "yes" there, while it is "no" now. If you have clients without RequireStrongKey = 1 in the registry, you may need to set "allow nt4 crypto = yes", until you have fixed all clients. "allow nt4 crypto = yes" allows weak crypto to be negotiated, maybe via downgrade attacks. Avoid using this option! Use explicit 'yes' instead! Which is available with the patches for CVE-2022-38023 see https://bugzilla.samba.org/show_bug.cgi?id=15240 Samba will log an error in the log files at log level 0 if legacy a client is rejected or allowed without an explicit, 'yes' option for the client. The message will indicate the explicit 'yes' line to be added, if the legacy client software requires it. (The log level can be adjusted with '1' in order to complain only at a higher log level). This allows admins to use "yes" only for a short grace period, in order to collect the explicit 'yes' options. This option is over-ridden by the effective value of 'yes' from the '' and/or '' options. no If you still have legacy domain members which required 'allow nt4 crypto = yes', it is possible to specify an explicit exception per computer account by using 'allow nt4 crypto:COMPUTERACCOUNT = yes' as option. Note that COMPUTERACCOUNT has to be the sAMAccountName value of the computer account (including the trailing '$' sign). Samba will log a complaint in the log files at log level 0 about the security problem if the option is set to "yes", but the related computer does not require it. (The log level can be adjusted with '1' in order to complain only at a higher log level). Samba will log a warning in the log files at log level 5, if a setting is still needed for the specified computer account. See CVE-2022-38023, https://bugzilla.samba.org/show_bug.cgi?id=15240. This option overrides the option. This option is over-ridden by the effective value of 'yes' from the '' and/or '' options. Which means 'yes' is only useful in combination with 'no' allow nt4 crypto:LEGACYCOMPUTER1$ = yes server reject md5 schannel:LEGACYCOMPUTER1$ = no allow nt4 crypto:NASBOX$ = yes server reject md5 schannel:NASBOX$ = no allow nt4 crypto:LEGACYCOMPUTER2$ = yes server reject md5 schannel:LEGACYCOMPUTER2$ = no