mirror of
https://github.com/samba-team/samba.git
synced 2024-12-24 21:34:56 +03:00
99d0c3b0dc
Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
36 lines
1.6 KiB
XML
36 lines
1.6 KiB
XML
<samba:parameter name="client use spnego principal"
|
|
context="G"
|
|
type="boolean"
|
|
deprecated="1"
|
|
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
|
|
<description>
|
|
<para>This parameter determines whether or not
|
|
<citerefentry><refentrytitle>smbclient</refentrytitle>
|
|
<manvolnum>8</manvolnum></citerefentry> and other samba components
|
|
acting as a client will attempt to use the server-supplied
|
|
principal sometimes given in the SPNEGO exchange.</para>
|
|
|
|
<para>If enabled, Samba can attempt to use Kerberos to contact
|
|
servers known only by IP address. Kerberos relies on names, so
|
|
ordinarily cannot function in this situation. </para>
|
|
|
|
<para>This is a VERY BAD IDEA for security reasons, and so this
|
|
parameter SHOULD NOT BE USED. It will be removed in a future
|
|
version of Samba.</para>
|
|
|
|
<para>If disabled, Samba will use the name used to look up the
|
|
server when asking the KDC for a ticket. This avoids situations
|
|
where a server may impersonate another, soliciting authentication
|
|
as one principal while being known on the network as another.
|
|
</para>
|
|
|
|
<para>Note that Windows XP SP2 and later versions already follow
|
|
this behaviour, and Windows Vista and later servers no longer
|
|
supply this 'rfc4178 hint' principal on the server side.</para>
|
|
|
|
<para>This parameter is deprecated in Samba 4.2.1 and will be removed
|
|
(along with the functionality) in a later release of Samba.</para>
|
|
</description>
|
|
<value type="default">no</value>
|
|
</samba:parameter>
|