Our paranoid security folks are saying that we must only allow the use of the enctypes aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96. I notice that the krb5.conf file generated during net ads join includes some other, weaker, enc_types like RC4-HMAC, DES-CBC-CRC, etc., and they suggest that we should remove them from the generated krb5.conf. Of course, as asked on samba-technical, why are we generating this file at all? Secondly, for those who want to join domains with W2K03 DCs, an RC4 enc type will be needed.
Fixed in commit 3fff2667ec3f12fe1263735095c1a39182b0d351 in master; will be fixed in Samba 4.6 with the new "kerberos encryption types" parameter.
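
An added example, not part of the original report or of Samba's code: a small Python check that reads a krb5.conf and flags any enctype in [libdefaults] outside the two AES types named in the report. The sample file, realm and host names are constructed, and the set of audited keys is an assumption about which settings a reviewer would want covered.

```python
import re

# Policy from the report: only these two enctypes are acceptable.
ALLOWED = {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"}
# [libdefaults] keys that carry enctype lists (assumed audit scope).
ENCTYPE_KEYS = {"default_tgs_enctypes", "default_tkt_enctypes",
                "preferred_enctypes", "permitted_enctypes"}

# Constructed sample resembling a generated krb5.conf (not from a real host).
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC
    # preferred_enctypes = DES-CBC-MD5
    preferred_enctypes = AES256-CTS-HMAC-SHA1-96, aes128-cts-hmac-sha1-96
[realms]
    EXAMPLE.COM = { kdc = dc1.example.com }
"""

def audit_enctypes(text, allowed=ALLOWED):
    """Return [(line_no, key, [disallowed enctypes])] for [libdefaults]."""
    findings, section = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1).lower()
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        if key.lower() not in ENCTYPE_KEYS:
            continue
        # Compare case-insensitively; lists may be space- or comma-separated.
        names = [n for n in re.split(r"[,\s]+", value.lower()) if n]
        bad = [n for n in names if n not in allowed]
        if bad:
            findings.append((no, key, bad))
    return findings

if __name__ == "__main__":
    for no, key, bad in audit_enctypes(SAMPLE):
        print(f"line {no}: {key} permits {', '.join(bad)}")
```

Anything not literally in the allow-list is reported, so family aliases or modifiers in an enctype list are flagged for manual review rather than silently accepted.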