<samba:parameter name="client use spnego principal" context="G" type="boolean" advanced="1" developer="1" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> <para>This parameter determines whether or not <citerefentry><refentrytitle>smbclient</refentrytitle> <manvolnum>8</manvolnum></citerefentry> and other samba components acting as a client will attempt to use the server-supplied principal sometimes given in the SPNEGO exchange.</para> <para>If enabled, Samba can attempt to use Kerberos to contact servers known only by IP address. Kerberos relies on names, so ordinarily cannot function in this situation. </para> <para>If disabled, Samba will use the name used to look up the server when asking the KDC for a ticket. This avoids situations where a server may impersonate another, soliciting authentication as one principal while being known on the network as another. </para> <para>Note that Windows XP SP2 and later versions already follow this behaviour, and Windows Vista and later servers no longer supply this 'rfc4178 hint' principal on the server side.</para> </description> <value type="default">no</value> </samba:parameter>