Kerberos targets in Active Directory should negotiate with their KDC to use the strongest mutually supported encryption type for their shared key. (This is not normally required in an MIT realm, where the keytab is administratively configured and provided to the target.)
Samba does this, setting msDS-SupportedEncryptionTypes at join time. However, the value is not updated later, so if the join was done over RPC we would still be sent arcfour-hmac-md5 keys.
Samba's winbindd should confirm the currently set value of msDS-SupportedEncryptionTypes using NETLOGON GetDomainInfo, and then contact the KDC over LDAP to update msDS-SupportedEncryptionTypes if this isn't the strongest common type.
RFC 8429 encourages moving away from arcfour-hmac-md5 (and the DES encryption types), so there is good precedent for making this move.
https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master-exchange has some code for winbindd to call netlogon_creds_cli_LogonGetDomainInfo(), but the tricky part is getting the netr_OsVersionInfoEx stuff right, as at least for the AD DC it's important for the Exchange installer...
Any automated update should probably follow whatever values are being pushed out via group policy, and consider that some of the other bits in this attribute may have been set manually (Resource-SID-compression-disabled, for example).
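The decision logic described above (pick the strongest enctype the member and KDC share, rewrite only the enctype bits, and leave flags such as Resource-SID-compression-disabled untouched) as an added example. This is not Samba code: it performs no NETLOGON or LDAP traffic, and the bit values are assumed to be those published for msDS-SupportedEncryptionTypes in [MS-KILE]/[MS-ADTS]; the sample attribute values are constructed.

```python
"""Decide whether a domain member's msDS-SupportedEncryptionTypes needs updating.

Added example, not Samba code.  Assumption: bit assignments follow the
msDS-SupportedEncryptionTypes definition in [MS-KILE] / [MS-ADTS].
"""
from typing import Dict, List, Optional, Tuple

# Encryption-type bits (low bits of the attribute).
DES_CBC_CRC = 0x00000001
DES_CBC_MD5 = 0x00000002
RC4_HMAC = 0x00000004                 # arcfour-hmac-md5
AES128_CTS_HMAC_SHA1_96 = 0x00000008
AES256_CTS_HMAC_SHA1_96 = 0x00000010

# Capability flags stored in the same attribute.  They say nothing about key
# strength and must survive an enctype update untouched.
FAST_SUPPORTED = 0x00010000
COMPOUND_IDENTITY_SUPPORTED = 0x00020000
CLAIMS_SUPPORTED = 0x00040000
RESOURCE_SID_COMPRESSION_DISABLED = 0x00080000

ENCTYPE_MASK = (DES_CBC_CRC | DES_CBC_MD5 | RC4_HMAC
                | AES128_CTS_HMAC_SHA1_96 | AES256_CTS_HMAC_SHA1_96)

# Strongest first.  RC4 and DES are the types RFC 8429 moves away from.
STRENGTH_ORDER = [AES256_CTS_HMAC_SHA1_96, AES128_CTS_HMAC_SHA1_96,
                  RC4_HMAC, DES_CBC_MD5, DES_CBC_CRC]
DEPRECATED_MASK = RC4_HMAC | DES_CBC_MD5 | DES_CBC_CRC

BIT_NAMES: Dict[int, str] = {
    DES_CBC_CRC: "DES-CBC-CRC",
    DES_CBC_MD5: "DES-CBC-MD5",
    RC4_HMAC: "RC4-HMAC",
    AES128_CTS_HMAC_SHA1_96: "AES128-CTS-HMAC-SHA1-96",
    AES256_CTS_HMAC_SHA1_96: "AES256-CTS-HMAC-SHA1-96",
    FAST_SUPPORTED: "FAST-supported",
    COMPOUND_IDENTITY_SUPPORTED: "Compound-identity-supported",
    CLAIMS_SUPPORTED: "Claims-supported",
    RESOURCE_SID_COMPRESSION_DISABLED: "Resource-SID-compression-disabled",
}


def decode(value: int) -> List[str]:
    """Human-readable names of the bits set in an attribute value."""
    return [name for bit, name in BIT_NAMES.items() if value & bit]


def parse_ldap_value(raw: Optional[bytes]) -> int:
    """LDAP hands the attribute back as a decimal string; an absent attribute
    is returned as 0 here and the caller decides what that should imply."""
    return int(raw) if raw is not None else 0


def strongest_common(member_supported: int, kdc_supported: int) -> int:
    """Strongest enctype both sides list, or 0 if there is none."""
    common = member_supported & kdc_supported & ENCTYPE_MASK
    for enctype in STRENGTH_ORDER:
        if common & enctype:
            return enctype
    return 0


def desired_value(current: int, member_supported: int,
                  kdc_supported: int) -> Tuple[int, bool]:
    """Return (new_attribute_value, needs_update).

    member_supported is what local configuration (for example the policy
    controlling allowed Kerberos enctypes) permits; kdc_supported is what the
    KDC advertises.  Only the enctype bits are rewritten; every other flag in
    `current` is preserved exactly.
    """
    strongest = strongest_common(member_supported, kdc_supported)
    if strongest == 0:
        raise ValueError("no mutually supported encryption type")
    if current & strongest:
        # Already advertising the strongest common type: nothing to do, even
        # if weaker types are also listed (policy may want them kept).
        return current, False
    common = member_supported & kdc_supported & ENCTYPE_MASK
    return (current & ~ENCTYPE_MASK) | common, True


def weak_types_advertised(value: int) -> List[str]:
    """Deprecated enctypes still present in a value, for reporting."""
    return decode(value & DEPRECATED_MASK)


if __name__ == "__main__":
    # Constructed scenario: an RPC join left only RC4, and an admin had set
    # Resource-SID-compression-disabled by hand.
    after_rpc_join = RC4_HMAC | RESOURCE_SID_COMPRESSION_DISABLED
    member = RC4_HMAC | AES128_CTS_HMAC_SHA1_96 | AES256_CTS_HMAC_SHA1_96
    kdc = member
    print("current :", decode(after_rpc_join))
    print("weak    :", weak_types_advertised(after_rpc_join))
    new_value, changed = desired_value(after_rpc_join, member, kdc)
    print("update? :", changed, "->", decode(new_value))
```

The update keeps every non-enctype flag bit-for-bit, so a manually set Resource-SID-compression-disabled survives, and a value that already advertises the strongest shared type is left alone rather than normalised.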