On an active directory domain controller, this is the list of supported encryption types for local running kdc. This allows Samba administrators to remove support for weak/unused encryption types, similar the configuration flexibility provided by the Network security: Configure encryption types allowed for Kerberos GPO/Local Policies/Security Options Value, which results in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypes Registry Value on Windows. Unlike the Windows registry key (which only takes an base-10 number), in Samba this may also be expressed as hexadecimal or a list of Kerberos encryption type names. Specified values are ORed together bitwise, and those currently supported consist of: arcfour-hmac-md5, rc4-hmac, 0x4, or 4 Known on Windows as Kerberos RC4 encryption aes128-cts-hmac-sha1-96, aes128-cts, 0x8, or 8 Known on Windows as Kerberos AES 128 bit encryption aes256-cts-hmac-sha1-96, aes256-cts, 0x10, or 16 Known on Windows as Kerberos AES 256 bit encryption 0maps to what the software supports currently: arcfour-hmac-md5 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96