This option controls how Samba evaluates security descriptors with regard to Active Directory Claims. AD Claims, introduced with Windows 2012, are essentially administrator-defined key-value pairs that can be set both in Active Directory (communicated via the Kerberos PAC) and in the security descriptors themselves.

Active Directory claims are new with Samba 4.20. Because the claims are evaluated against a very flexible expression language within the security descriptor, this option provides a mechanism to disable this logic if required by the administrator.

The default behaviour is that claims evaluation is enabled in the AD DC only. Additionally, claims evaluation on the AD DC is only enabled if the DC functional level is 2012 or later. See .

Possible values are:

AD DC only: Enabled for the Samba AD DC (for DC functional level 2012 or higher).

never: Disabled in all cases. This option disables some but not all of the Authentication Policies and Authentication Policy Silos features of the Windows 2012R2 functional level in the AD DC.

Default: AD DC only
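The rules above combine three settings, so whether claims evaluation is actually active is easy to misjudge when reviewing a configuration. The following is an added example, not part of the Samba documentation or code: it reads the [global] section of an smb.conf text and reports the effective state. It assumes the parameter names `acl claims evaluation`, `server role` and `ad dc functional level`, and a functional-level default of `2008_R2`; none of these are named in the text above.

```python
import re

# Functional levels at which the text above says evaluation can be active.
CLAIMS_LEVELS = {"2012", "2012_R2", "2016"}

def parse_global(conf_text):
    """Collect [global] parameters from smb.conf text (no includes, no line continuations)."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names.
            params["".join(name.lower().split())] = value.strip()
    return params

def claims_evaluation_active(conf_text):
    """Return (active, reason) following the rules stated in the text above."""
    p = parse_global(conf_text)
    setting = p.get("aclclaimsevaluation", "AD DC only").lower()
    role = p.get("serverrole", "auto").lower()
    level = p.get("addcfunctionallevel", "2008_R2").upper()  # assumed default
    if setting == "never":
        return False, "disabled explicitly (never)"
    if role != "active directory domain controller":
        return False, "not an AD DC (server role = %s)" % role
    if level not in CLAIMS_LEVELS:
        return False, "DC functional level %s is below 2012" % level
    return True, "AD DC at functional level %s" % level

# Constructed sample configuration, not taken from a real server.
SAMPLE_DC = """
[global]
    server role = active directory domain controller
    ad dc functional level = 2016
    ; ACL Claims Evaluation = never
"""

if __name__ == "__main__":
    print(claims_evaluation_active(SAMPLE_DC))
    print(claims_evaluation_active(SAMPLE_DC.replace("; ACL", "ACL")))
```

On a live host, feed the function the configuration as Samba itself resolves it (for example the output of `testparm -s`) so that included files are taken into account.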