--- /dev/null
+<samba:parameter name="disable aes schannel"
+ context="G"
+ type="boolean"
+ advanced="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This option controls whether winbindd does not try to negotiate
+ aes support (NETLOGON_NEG_SUPPORTS_AES) for netlogon secure channel connections.</para>
+
+ <para>Typically you should never set this.
+ Disabling aes can be useful for debugging purposes.</para>
+
+ <para>Note: "disable aes schannel = yes" might be needed against older
+ Samba versions (before bug #6099 was fixed) and NT 4.0.</para>
+
+ <para>The behavior can be controlled per netbios domain
+ by using 'disable aes schannel:NETBIOSDOMAIN = yes' as option.</para>
+
+ <para>This option yields precedence to the 'reject md5 servers' option.</para>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>