Further research and testing is required but it looks like the NETLOGON GetDomainInfo call should update msDS-SupportedEncryptionTypes as well as SPNs.
Samba's NETLOGON server fails to do this update, which might mean services are contacted using a weaker key.
My testing so far indicates that GetDomainInfo does not update the msDS-SupportedEncryptionTypes attribute on Windows. Values placed by the client in NETLOGON_WORKSTATION_INFO.KerberosSupportedEncryptionTypes (aka netr_WorkstationInformation.supported_enc_types) are ignored. Windows just uses that field to return the current value of msDS-SupportedEncryptionTypes, or 0xffffffff if there isn't one.
(In reply to Joseph Sutton from comment #2)
The client should use LDAP modify to update the attribute
and it detects from the GetDomainInfo call that the servers value
Resolving as an INVALID concern per comment 3
Removing embargo on this one, Samba's AD DC behaves like Windows and doesn't miss updates here.