After samba-tool domain exportkeytab --principal, the resulting keytab file only contains arcfour-hmac encryption type, and current klist -ke displays it as DEPRECATED. net ads setenctype shows 0x1f bitmask and all other enctypes enabled. But exportkeytab still gets arcfour-hmac only. It is unclear what to do to get "better" enctypes out of this. Also, it is at least inconsistent to do all manipulations by samba-tool directly and only setting enctypes using net ads over network with auth. Samba-4.13.