From 28124e928ef99dec84a2f6699e6814aa567a34fa Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 14 Jun 2011 22:16:02 +1000 Subject: [PATCH] s3-docs Add documentation for 'client use spnego principal' --- .../security/clientusepsnegoprincipal.xml | 28 ++++++++++++++++++++ 1 files changed, 28 insertions(+), 0 deletions(-) create mode 100644 docs-xml/smbdotconf/security/clientusepsnegoprincipal.xml diff --git a/docs-xml/smbdotconf/security/clientusepsnegoprincipal.xml b/docs-xml/smbdotconf/security/clientusepsnegoprincipal.xml new file mode 100644 index 0000000..6ec1eb1 --- /dev/null +++ b/docs-xml/smbdotconf/security/clientusepsnegoprincipal.xml @@ -0,0 +1,28 @@ + + + This parameter determines whether or not + smbclient + 8 and other samba components + acting as a client will attempt to use the server-supplied + principal sometimes given in the SPNEGO exchange. + + If enabled, Samba can attempt to use Kerberos to contact + servers known only by IP address. Kerberos relies on names, so + ordinarily cannot function in this situation. + + If disabled, Samba will use the name used to look up the + server when asking the KDC for a ticket. This avoids situations + where a server may impersonate another, soliciting authentication + as one principal while being known on the network as another. + + + Note that Windows XP SP2 and later versions already follow + this behaviour, and Windows Vista and later servers no longer + supply this 'rfc4178 hint' principal on the server side. + +no + -- 1.7.5.2
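Review bot: the new file is named clientusepsnegoprincipal.xml ("psnego") in both the diffstat and the diff --git header, while the subject line and the parameter itself are 'client use spnego principal'; rename it to clientusespnegoprincipal.xml so the file can be found by parameter name. In the added text, "Note that Windows XP SP2 and later versions already follow this behaviour" comes after paragraphs describing both the enabled and the disabled case, so it should say explicitly that it is the disabled behaviour (the "no" value at the end of the file) that Windows clients follow. The "If enabled" paragraph only lists the benefit of reaching servers known by IP address; it should also state that the principal is supplied by the server, so the impersonation risk described under "If disabled" is the cost of turning the option on. Minor: "other samba components" should read "Samba" to match the capitalisation used in the rest of the text.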