In short, there appears to be no way to control the keytab created by adcli join / adcli update. It will always write all five keys per principal as though msDS-supportedEncryptionTypes were set to 31.
“This attribute specifies the encryption algorithms supported by user, computer, or trust accounts. The Key Distribution Center (KDC) uses this information while generating a service ticket for this account. Services and computers can automatically update this attribute on their respective accounts in Active Directory, and therefore need write access to this attribute.” (p. 184, sect. 2.464)
I.e., this attribute is the means by which the client tells the KDC which enctypes it wants to support.
Thus, a join with adcli should set the value corresponding to what the client wishes to support, preferably the “permitted_enctypes” value of /etc/krb5.conf. Being able to override this by specifying a list of enctypes in a command line parameter would be handy as well.
Also, the keytab created on the client should contain only the keys for the enctypes specified in AD through msDS-supportedEncryptionTypes. If the value changes in LDAP (e.g. by editing the computer account), the next adcli update should create a keytab containing the keys for the new set of enctypes.
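The behaviour the report asks for, worked through as an added example (this is illustrative Python, not adcli's code): decode the msDS-supportedEncryptionTypes bitmask, derive the mask a join should write from a krb5.conf permitted_enctypes line, and prune a keytab to the enctypes the account actually advertises. The bit values are the ones defined for this attribute (0x1 DES-CBC-CRC, 0x2 DES-CBC-MD5, 0x4 RC4-HMAC, 0x8 AES128, 0x10 AES256); the sample keytab entries and the host name client.example.com are constructed for the example.

```python
# Added example, not adcli's code: model the relationship between
# msDS-supportedEncryptionTypes and the keys a client keytab should hold.

# Bit values of msDS-supportedEncryptionTypes mapped to MIT krb5 enctype names.
# 31 (0x1F) is all five bits set, which is what the report says adcli assumes.
ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "arcfour-hmac",               # RC4-HMAC
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}

# Names accepted in krb5.conf permitted_enctypes, including common aliases.
NAME_TO_BIT = {name: bit for bit, name in ENCTYPE_BITS.items()}
NAME_TO_BIT.update({
    "rc4-hmac": 0x04,
    "arcfour-hmac-md5": 0x04,
    "aes128-cts": 0x08,
    "aes256-cts": 0x10,
})


def decode_supported_enctypes(value: int) -> list:
    """Return the enctype names enabled in an msDS-supportedEncryptionTypes value."""
    return [name for bit, name in sorted(ENCTYPE_BITS.items()) if value & bit]


def bitmask_from_permitted_enctypes(line: str) -> int:
    """Compute the attribute value a join should write from a krb5.conf line
    such as 'permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96'.
    Names with no AD bit (e.g. the SHA-2 AES types) are ignored."""
    _, _, rhs = line.partition("=")
    mask = 0
    for name in rhs.split():
        mask |= NAME_TO_BIT.get(name.strip().lower(), 0)
    return mask


def prune_keytab(entries, supported_mask: int) -> list:
    """Keep only (principal, enctype) keytab entries whose enctype is enabled
    in the account's msDS-supportedEncryptionTypes value."""
    allowed = set(decode_supported_enctypes(supported_mask))
    return [(principal, enctype) for principal, enctype in entries if enctype in allowed]


def stale_enctypes(entries, supported_mask: int) -> set:
    """Enctypes present in the keytab but no longer advertised in AD; a non-empty
    result means the next update should rewrite the keytab."""
    allowed = set(decode_supported_enctypes(supported_mask))
    return {enctype for _, enctype in entries} - allowed


# Constructed sample: the five entries a join writes for one principal
# when it behaves as if the attribute were 31.
SAMPLE_KEYTAB = [
    ("host/client.example.com@EXAMPLE.COM", enctype)
    for enctype in decode_supported_enctypes(31)
]


if __name__ == "__main__":
    krb5_line = "permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96"
    mask = bitmask_from_permitted_enctypes(krb5_line)
    print("mask to write to AD:", mask, hex(mask))
    print("keys to keep:", prune_keytab(SAMPLE_KEYTAB, mask))
    print("keys to drop:", sorted(stale_enctypes(SAMPLE_KEYTAB, mask)))
```

With the AES-only krb5.conf line the computed value is 24 (0x18), and pruning the five-key keytab against it leaves only the two AES entries; the DES and RC4 keys are the ones `stale_enctypes` reports, which is the case the report says adcli update currently never handles.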
-- GitLab Migration Automatic Message --
This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.
You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/realmd/adcli/issues/3.