This option is deprecated and will be removed in a future release, as it is a security problem if not set to "yes" (which will be the hardcoded behavior in the future).

This option controls whether the netlogon server (currently only in 'active directory domain controller' mode) will reject clients which do not support NETLOGON_NEG_SUPPORTS_AES.

Support for NETLOGON_NEG_SUPPORTS_AES was added in Windows starting with Server 2008R2 and Windows 7, and it has been available in Samba starting with 4.0. However, third-party domain members like NetApp ONTAP still use RC4 (HMAC-MD5); see https://www.samba.org/samba/security/CVE-2022-38023.html for more details.

The default changed from 'no' to 'yes' with the patches for CVE-2022-38023; see https://bugzilla.samba.org/show_bug.cgi?id=15240.

Avoid using this option! Use an explicit per machine account '' instead, which is available with the patches for CVE-2022-38023; see https://bugzilla.samba.org/show_bug.cgi?id=15240.

Samba will log an error in the log files at log level 0 if a legacy client is rejected or allowed without an explicit 'no' option for the client. The message will indicate the explicit 'no' line to be added, if the legacy client software requires it. (The log level can be adjusted with '1' in order to complain only at a higher log level.)

This allows admins to use "no" only for a short grace period, in order to collect the explicit 'no' options.

When set to 'yes' this option overrides the '' and '' options and implies 'no'.

Default: yes

If you still have legacy domain members or trusted domains which required "reject md5 clients = no" before, it is possible to specify an explicit exception per computer account by setting 'server reject md5 schannel:COMPUTERACCOUNT = no'. Note that COMPUTERACCOUNT has to be the sAMAccountName value of the computer account (including the trailing '$' sign).
Samba will log a complaint in the log files at log level 0 about the security problem if the option is set to "no", but the related computer does not require it. (The log level can be adjusted with '1' in order to complain only at a higher log level.)

Samba will log a warning in the log files at log level 5 if a setting is still needed for the specified computer account.

See CVE-2022-38023, https://bugzilla.samba.org/show_bug.cgi?id=15240.

This option overrides the option.

When set to 'yes' this option overrides the '' and '' options and implies 'no'.

    server reject md5 schannel:LEGACYCOMPUTER1$ = no
    server reject md5 schannel:NASBOX$ = no
    server reject md5 schannel:LEGACYCOMPUTER2$ = no
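
One way to review an smb.conf for these settings, as an added example that is not part of the Samba documentation or code: it flags a global 'reject md5 clients = no', flags per-account names missing the trailing '$', and lists the remaining per-account exceptions so they can be retired after the grace period. The function name, the sample file and the accepted spellings of a false value are assumptions of this example.

```python
import re

# Constructed sample smb.conf for this example, not taken from a real server.
SAMPLE_CONF = """\
[global]
    reject md5 clients = no
    server reject md5 schannel:NASBOX$ = no
    server reject md5 schannel:LEGACYCOMPUTER1 = no
    Server Reject MD5 Schannel:OLDPRINT$ = yes
[share]
    path = /srv/share
"""

FALSE_VALUES = {"no", "false", "0", "off"}  # assumed spellings of boolean false
PER_ACCOUNT = "server reject md5 schannel:"

def audit_md5_schannel(conf_text):
    """Return (findings, exceptions) for the [global] section of conf_text."""
    findings, exceptions = [], []
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        allows_md5 = value.lower() in FALSE_VALUES
        norm = re.sub(r"\s+", " ", key.lower())  # compare names case-insensitively
        if norm == "reject md5 clients" and allows_md5:
            findings.append("global 'reject md5 clients = no' is set")
        elif norm.startswith(PER_ACCOUNT):
            account = key.split(":", 1)[1].strip()
            if not account.endswith("$"):
                findings.append(f"'{account}' lacks the trailing '$'")
            elif allows_md5:
                exceptions.append(account)
    return findings, exceptions

if __name__ == "__main__":
    findings, exceptions = audit_md5_schannel(SAMPLE_CONF)
    for f in findings:
        print("FINDING:", f)
    print("per-account exceptions to review:", ", ".join(exceptions))
```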