diff --git a/kdc/kdc.h b/kdc/kdc.h
index ad5e76433..5953c23aa 100644
--- a/kdc/kdc.h
+++ b/kdc/kdc.h
@@ -62,6 +62,14 @@ typedef struct krb5_kdc_configuration {
 krb5_boolean encode_as_rep_as_tgs_rep; /* bug compatibility */
+ /*
+ * Windows 2019 (and earlier versions) always sends the salt
+ * and Samba has testsuites that check this behaviour, so a
+ * Samba AD DC will set this flag to match the AS-REP packet
+ * exactly.
+ */
+ krb5_boolean force_include_pa_etype_salt;
+
 krb5_boolean tgt_use_strongest_session_key;
 krb5_boolean preauth_use_strongest_session_key;
 krb5_boolean svc_use_strongest_session_key;
diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index c57c1c3a7..b1e65e2ea 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -1403,6 +1403,15 @@ get_pa_etype_info_both(krb5_context context,
 {
 krb5_error_code ret;
+ /*
+ * Windows 2019 (and earlier versions) always sends the salt
+ * and Samba has testsuites that check this behaviour, so a
+ * Samba AD DC will set this flag to match the AS-REP packet
+ * more closely.
+ */
+ if (config->force_include_pa_etype_salt)
+ include_salt = TRUE;
+
 /*
 * RFC4120 requires:
 * When the AS server is to include pre-authentication data in a
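Review bot: In kdc/kdc.h the comment on `force_include_pa_etype_salt` explains why Samba wants the flag but not what it does or what it defaults to, so a reader has to find the use in kerberos5.c. I would add a line such as `When TRUE, get_pa_etype_info_both() includes the salt regardless of what its caller asked for.` Nothing visible in this diff initialises the field or reads it from configuration, so presumably it keeps its zero default unless an embedding application sets it; that is worth stating in the comment as well. The member is also inserted mid-struct, which shifts the fields after it, so any out-of-tree code built against the older kdc.h would need rebuilding.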
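Review bot: In kdc/kerberos5.c the override `if (config->force_include_pa_etype_salt) include_salt = TRUE;` sits at the top of get_pa_etype_info_both, so it applies to every caller of that function, while the comment above it mentions only the AS-REP. If the function also builds the pre-authentication KRB-ERROR that the RFC4120 comment below describes, the comment should say that those replies are affected too. The block comment is a near copy of the one in kdc.h and the two disagree (`exactly` there, `more closely` here); I would keep the rationale in the header and shorten this one to `/* Samba AD DC: always send the salt, as Windows does (see kdc.h). */`. The parameter list and the rest of the body are outside the hunk, so I am assuming `config` and `include_salt` are parameters of this function.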