<samba:parameter name="client use spnego principal"
                 context="G"
                 type="boolean"
                 deprecated="1"
                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
    <para>This parameter determines whether or not
    <citerefentry><refentrytitle>smbclient</refentrytitle>
    <manvolnum>8</manvolnum></citerefentry> and other Samba components
    acting as a client will attempt to use the server-supplied
    principal sometimes given in the SPNEGO exchange.</para>

    <para>If enabled, Samba can attempt to use Kerberos to contact
    servers known only by IP address. Kerberos relies on names, so
    it ordinarily cannot function in this situation.</para>

    <para>This is a VERY BAD IDEA for security reasons, and so this
    parameter SHOULD NOT BE USED. It will be removed in a future
    version of Samba.</para>

    <para>If disabled, Samba will use the name used to look up the
    server when asking the KDC for a ticket. This avoids situations
    where a server may impersonate another, soliciting authentication
    as one principal while being known on the network as another.
    </para>

    <para>Note that Windows XP SP2 and later versions already follow
    this behaviour, and Windows Vista and later servers no longer
    supply this 'rfc4178 hint' principal on the server side.</para>

    <para>This parameter is deprecated in Samba 4.2.1 and will be removed
    (along with the functionality) in a later release of Samba.</para>
</description>
<value type="default">no</value>
</samba:parameter>
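<!--
Added example (not part of the Samba source or documentation): a small
auditor that reports where an smb.conf sets "client use spnego principal"
and whether the value enables it. The function names and the sample
configuration are constructed for illustration; include directives are not
followed, and only the name folding (case and whitespace ignored), the
comment characters and the boolean spellings of smb.conf are modelled.

```python
# Added example: audit smb.conf text for the deprecated
# "client use spnego principal" option. Sample input is constructed.
import re

PARAM = "clientusespnegoprincipal"        # name with case and whitespace removed
TRUE_VALUES = {"yes", "true", "on", "1"}  # boolean spellings smb.conf accepts

def logical_lines(text):
    """Yield (line_number, text), joining lines that end in a backslash."""
    buf, start = "", None
    for num, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = num
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1]
            continue
        yield start, buf + raw
        buf, start = "", None
    if start is not None:  # file ended in the middle of a continuation
        yield start, buf

def find_spnego_principal(text):
    """Return [(line, section, enabled)] for each setting of the parameter."""
    hits, section = [], None
    for num, line in logical_lines(text):
        line = line.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        m = re.fullmatch(r"\[(.*)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        name, sep, value = line.partition("=")
        if sep and re.sub(r"\s+", "", name).lower() == PARAM:
            hits.append((num, section, value.strip().lower() in TRUE_VALUES))
    return hits

# Constructed sample: one commented-out setting, one live setting.
SAMPLE = """\
[global]
   workgroup = EXAMPLE
   ; client use spnego principal = yes
   Client Use SPNEGO  Principal = Yes
[share]
   path = /srv/share
"""

if __name__ == "__main__":
    for num, section, enabled in find_spnego_principal(SAMPLE):
        state = "ENABLED: remove it or set it to no" if enabled else "disabled"
        print(f"line {num} [{section}]: client use spnego principal {state}")
```
-->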