It seems this attribute is only evaluated for objects with objectClass=computer and not for normal accounts. The presence of a supported encryption type should also have some meaning if a key for that type is not yet stored in the database. But the KDC should notice support for new encryption types and use that for session keys.
Created attachment 13866 [details] Work in progress patches
Created attachment 15761 [details] Work in progress for master
I like our current behaviour where we have a way to control what encryption types are available. Otherwise we have no way to, per user, control the encryption types.
Comment on attachment 15761 [details] Work in progress for master The current patches are on https://gitlab.com/samba-team/samba/-/merge_requests/2459
This bug was referenced in samba master: d7ea197ed1a9903f601030e6466cc822f9b8f794 1dfa91682efd3b12d7d6af75287efb12ebd9e526 fde745ec3491a4fd7b23e053a67093a2ccaf0905
This bug was referenced in samba v4-15-test: 527a164b410f87c6f2a9b508d8261214819f8ef3 1815d339417261605820cb17f240c75fae01289a ee9ffe50e99d2778d0d17fb65d6b27911d211f91
This bug was referenced in samba v4-16-test: ec1a2225a0f73f81c46530203775fd5ac703858a c8afae7869a8aa53da90bf1748eb8ce2e8d763aa 906dbd0a4bdc89d14c971c1bd4e6c3059eefb2c6
This bug was referenced in samba v4-17-test: 42c12b8c36d6466cae5197b84650a27944e059cd 8273935239846045477f99f7dd655d9d37c8c43e 2d1f56c67e604288939f1dba0d8b338fbaedd5a9
This bug was referenced in samba v4-15-stable (Release samba-4.15.13): 527a164b410f87c6f2a9b508d8261214819f8ef3 1815d339417261605820cb17f240c75fae01289a ee9ffe50e99d2778d0d17fb65d6b27911d211f91
This bug was referenced in samba v4-17-stable (Release samba-4.17.4): 42c12b8c36d6466cae5197b84650a27944e059cd 8273935239846045477f99f7dd655d9d37c8c43e 2d1f56c67e604288939f1dba0d8b338fbaedd5a9
This bug was referenced in samba v4-16-stable (Release samba-4.16.8): ec1a2225a0f73f81c46530203775fd5ac703858a c8afae7869a8aa53da90bf1748eb8ce2e8d763aa 906dbd0a4bdc89d14c971c1bd4e6c3059eefb2c6