diff --git a/docs-xml/smbdotconf/security/clientusepsnegoprincipal.xml b/docs-xml/smbdotconf/security/clientusepsnegoprincipal.xml
deleted file mode 100644
index 8e9edd2730d..00000000000
--- a/docs-xml/smbdotconf/security/clientusepsnegoprincipal.xml
+++ /dev/null
@@ -1,35 +0,0 @@
-
-
- This parameter determines whether or not
- smbclient
- 8 and other samba components
- acting as a client will attempt to use the server-supplied
- principal sometimes given in the SPNEGO exchange.
-
- If enabled, Samba can attempt to use Kerberos to contact
- servers known only by IP address. Kerberos relies on names, so
- ordinarily cannot function in this situation.
-
- This is a VERY BAD IDEA for security reasons, and so this
- parameter SHOULD NOT BE USED. It will be removed in a future
- version of Samba.
-
- If disabled, Samba will use the name used to look up the
- server when asking the KDC for a ticket. This avoids situations
- where a server may impersonate another, soliciting authentication
- as one principal while being known on the network as another.
-
-
- Note that Windows XP SP2 and later versions already follow
- this behaviour, and Windows Vista and later servers no longer
- supply this 'rfc4178 hint' principal on the server side.
-
- This parameter is deprecated in Samba 4.2.1 and will be removed
- (along with the functionality) in a later release of Samba.
-
-no
-
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 0984ca7195b..f779affe54a 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2796,7 +2796,6 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 lpcfg_do_global_parameter(lp_ctx, "NTLMAuth", "ntlmv2-only");
 lpcfg_do_global_parameter(lp_ctx, "NT hash store", "always");
 lpcfg_do_global_parameter(lp_ctx, "RawNTLMv2Auth", "False");
- lpcfg_do_global_parameter(lp_ctx, "client use spnego principal", "False");
 lpcfg_do_global_parameter(lp_ctx, "allow dcerpc auth level connect", "False");