From 45d784e929b37edddea4c472d288a46b37aa7415 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 9 Dec 2010 17:37:14 +1100 Subject: s3-docs Add docs for 'client use spnego principal' and 'send spengo principal' Andrew Bartlett --- .../security/clientusepsnegoprincipal.xml | 28 ++++++++++++++++++++++ .../smbdotconf/security/sendspengoprincipal.xml | 28 ++++++++++++++++++++++ 2 files changed, 56 insertions(+) create mode 100644 docs-xml/smbdotconf/security/clientusepsnegoprincipal.xml create mode 100644 docs-xml/smbdotconf/security/sendspengoprincipal.xml diff --git a/docs-xml/smbdotconf/security/clientusepsnegoprincipal.xml b/docs-xml/smbdotconf/security/clientusepsnegoprincipal.xml new file mode 100644 index 0000000000..6ec1eb1116 --- /dev/null +++ b/docs-xml/smbdotconf/security/clientusepsnegoprincipal.xml @@ -0,0 +1,28 @@ + + + This parameter determines whether or not + smbclient + 8 and other samba components + acting as a client will attempt to use the server-supplied + principal sometimes given in the SPNEGO exchange. + + If enabled, Samba can attempt to use Kerberos to contact + servers known only by IP address. Kerberos relies on names, so + ordinarily cannot function in this situation. + + If disabled, Samba will use the name used to look up the + server when asking the KDC for a ticket. This avoids situations + where a server may impersonate another, soliciting authentication + as one principal while being known on the network as another. + + + Note that Windows XP SP2 and later versions already follow + this behaviour, and Windows Vista and later servers no longer + supply this 'rfc4178 hint' principal on the server side. + +no + diff --git a/docs-xml/smbdotconf/security/sendspengoprincipal.xml b/docs-xml/smbdotconf/security/sendspengoprincipal.xml new file mode 100644 index 0000000000..03794debc2 --- /dev/null +++ b/docs-xml/smbdotconf/security/sendspengoprincipal.xml 
@@ -0,0 +1,28 @@ + + + This parameter determines whether or not + smbd + 8 will send the + server-supplied principal sometimes given in the SPNEGO + exchange. + + If enabled, Samba can attempt to help clients to use + Kerberos to contact it, even when known only by IP address or a + name not registered with our KDC as a service principal name. + Kerberos relies on names, so ordinarily cannot function in this + situation. + + If disabled, Samba will send the string + not_defined_in_RFC4178@please_ignore as the 'rfc4178 hint', + following the updated RFC and Windows 2008 behaviour in this area. + + + Note that Windows XP SP2 and later versions already ignored + this value in all circumstances. + +no + -- cgit
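Review bot: In clientusepsnegoprincipal.xml the "If enabled" paragraph states only the benefit (Kerberos to servers known only by IP address), while the impersonation risk is mentioned only under "If disabled". Since the default is no, an administrator reading how to turn the option on should see the trade-off in the same place: add a sentence to the "If enabled" paragraph saying that the principal is supplied by the server itself, which permits the case described later where a server solicits authentication as one principal while being known on the network as another. Separately, the new file name spells "psnego" where the subject line has "spnego"; renaming it to clientusespnegoprincipal.xml would keep the file findable by parameter name.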
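Review bot: In sendspengoprincipal.xml the "If enabled" paragraph says the hint helps clients use Kerberos but does not say which clients will act on it, and the only qualification is the closing note that Windows XP SP2 and later ignore the value. The companion client option added in this same patch defaults to no, so the hint is also ignored by default Samba clients; a cross-reference to 'client use spnego principal' here would make clear that enabling this option has no effect unless the client opts in to trusting it. Smaller points in the same hunk: "spengo" in the file name and subject is a transposition of "spnego", "our KDC" reads better as "the KDC" in reference documentation, and "already ignored" should match the present tense used in the client page ("already follow").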