This option controls whether winbindd requires AES support for the netlogon secure channel. The following flags will be required: NETLOGON_NEG_ARCFOUR, NETLOGON_NEG_SUPPORTS_AES, NETLOGON_NEG_PASSWORD_SET2 and NETLOGON_NEG_AUTHENTICATED_RPC. You can set this to yes if all domain controllers support AES. This will prevent downgrade attacks. The behavior can be controlled per NetBIOS domain by using 'reject md5 servers:NETBIOSDOMAIN = yes' as an option. This option takes precedence over the option. no
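
The following audit sketch is an added example, not part of the Samba documentation or code: it reads the [global] section of an smb.conf text and reports the domains for which winbindd would still accept a non-AES netlogon secure channel. It assumes that a 'reject md5 servers:NETBIOSDOMAIN' entry overrides the global value for that domain and that names match regardless of case and spacing; the function names, the sample configuration and the domain names are constructed.

```python
import re

# Constructed sample smb.conf for illustration; not from a real host.
SAMPLE_CONF = """\
[global]
    workgroup = CORP
    reject md5 servers = no
    Reject MD5 Servers:CORP = yes
    reject md5 servers:LEGACY = no
[share]
    path = /srv/share
"""

TRUE, FALSE = {"yes", "true", "on", "1"}, {"no", "false", "off", "0"}

def _norm(name):
    # Assumption: names compare ignoring case and embedded whitespace.
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return normalized [global] parameters; includes and line continuations are not handled."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[_norm(key)] = value.strip().lower()
    return params

def _as_bool(value, fallback):
    return True if value in TRUE else False if value in FALSE else fallback

def effective_reject_md5(text, domains, default=False):
    """Map each NetBIOS domain to its effective setting (per-domain entry, else global).

    default=False mirrors the value 'no' shown on this page (assumption for other versions).
    """
    params = parse_global(text)
    global_value = _as_bool(params.get("rejectmd5servers"), default)
    return {d: _as_bool(params.get("rejectmd5servers:" + _norm(d)), global_value)
            for d in domains}

def downgrade_exposed(text, domains):
    """Domains where winbindd would still accept a non-AES secure channel."""
    return sorted(d for d, strict in effective_reject_md5(text, domains).items() if not strict)
```

Run it against the configuration of each domain member and list every trusted domain by its NetBIOS name; a domain missing from the per-domain entries inherits the global value.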