1 files changed, 28 insertions, 0 deletions

diff --git a/docs-xml/smbdotconf/security/clientusepsnegoprincipal.xml b/docs-xml/smbdotconf/security/clientusepsnegoprincipal.xml
new file mode 100644
index 0000000000..6ec1eb1116
--- /dev/null
+++ b/docs-xml/smbdotconf/security/clientusepsnegoprincipal.xml
@@ -0,0 +1,28 @@
+<samba:parameter name="client use spnego principal"
+                 context="G"
+				 type="boolean"
+                 advanced="1" developer="1"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>This parameter determines whether or not
+    <citerefentry><refentrytitle>smbclient</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry> and other samba components
+    acting as a client will attempt to use the server-supplied
+    principal sometimes given in the SPNEGO exchange.</para>
+
+    <para>If enabled, Samba can attempt to use Kerberos to contact
+    servers known only by IP address.  Kerberos relies on names, so
+    ordinarily cannot function in this situation. </para>
+
+    <para>If disabled, Samba will use the name used to look up the
+    server when asking the KDC for a ticket.  This avoids situations
+    where a server may impersonate another, soliciting authentication
+    as one principal while being known on the network as another.
+    </para>
+
+    <para>Note that Windows XP SP2 and later versions already follow
+    this behaviour, and Windows Vista and later servers no longer
+    supply this 'rfc4178 hint' principal on the server side.</para>
+</description>
+<value type="default">no</value>
+</samba:parameter>