diff --git a/kerberos/manifests/init.pp b/kerberos/manifests/init.pp
index 248a8e7..614c04b 100644
--- a/kerberos/manifests/init.pp
+++ b/kerberos/manifests/init.pp
@@ -17,7 +17,13 @@
 # Kerberos password change server address. Defaults to first
 # KDC server.
 #
-class kerberos::client {
+# === Parameters
+#
+# $enctypes:
+# Array containing encryption types used. Mainly needed due to
+# older samba not getting AES keys from AD.
+#
+class kerberos::client($enctypes=[]) {
 if !$kerberos_kadmin and $kerberos_kdc {
 $kerberos_kadmin = $kerberos_kdc[0]
diff --git a/kerberos/templates/krb5.conf.erb b/kerberos/templates/krb5.conf.erb
index 4533145..c03a49c 100644
--- a/kerberos/templates/krb5.conf.erb
+++ b/kerberos/templates/krb5.conf.erb
@@ -8,6 +8,10 @@
 <% end -%>
 ticket_lifetime = 24h
 forwardable = yes
+<% if @enctypes.count > 0 -%>
+ default_tgs_enctypes = <%= @enctypes.join(' ') %>
+ default_tkt_enctypes = <%= @enctypes.join(' ') %>
+<% end -%>
 [domain_realm]
 <%= @kerberos_realm.downcase %> = <%= @kerberos_realm %>
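Review bot: In kerberos/manifests/init.pp the new `$enctypes` parameter is accepted without any type or content check, and its doc comment does not say that a non-empty value replaces the Kerberos library's default enctype lists. Since the stated use is older Samba that cannot get AES keys from AD, the value will presumably name weaker types, so the comment should say so, e.g. `# Overrides the library defaults; set only on hosts that need legacy enctypes and remove once AES keys are available.` A check at the top of the class that the value is an array of plain enctype names (for instance `validate_array($enctypes)`, if puppetlabs-stdlib is available to this module) would keep a malformed value from reaching krb5.conf. The class body continues past the end of the hunk.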
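Review bot: In kerberos/templates/krb5.conf.erb the guard `@enctypes.count > 0` only works for an array; a string passed by mistake fails at template evaluation with an unhelpful error, and `<% unless @enctypes.empty? -%>` reads better and behaves the same for arrays. The joined value is written verbatim to both `default_tgs_enctypes` and `default_tkt_enctypes`, so whatever ends up in the list narrows what every Kerberos client on the host requests. A generated comment line above the two settings, such as `# enctypes pinned by Puppet for legacy interoperability`, would make the override visible to anyone auditing the host's krb5.conf.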