The following Bugzilla entry documents a patch I submitted to the Samba technical list, which Andrew took and made better. Quoting Andrew from the thread, as he summarized it better than I did:

"I would like to improve Samba's security and conformance to match Windows 2008, by:
- removing the server-sent SPNEGO principal from the server-side reply,
- not honouring it in the client,
- using NTLMv2 by default in our client.

This should match the behaviour of Windows 2008 and Vista for avoiding man-in-the-middle attacks relying on swapping of the target principal, and the NTLMv2 change slowly moves us on from the very poor cryptography of the NTLM era.

This will change behaviour - some broken configurations where Windows does not use Kerberos will now also fall back to NTLMSSP, but as Neil reported in his original mail, it will also fix real-world inconsistencies. In terms of unexpected interoperability issues, all these code paths should already have been explored with Windows 2008 and Vista clients and servers. Likewise, all these options can be turned back on with smb.conf and command-line options (see the --option option) if required on a particular connection."

Patches are available as attachments to the linked URL.
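To make the two behaviours concrete, here is an added smb.conf illustration; it is not taken from the bug entry or from the Samba patch. It shows, as two alternative global-section fragments (not one file), the weaker pre-patch style client behaviour the quote describes beside the post-patch defaults written out explicitly. The parameter names `client use spnego principal` and `client ntlmv2 auth` are Samba's smb.conf(5) global parameters as I know them, and the `--option` command-line form is the one the quote refers to; verify both against the manual for your Samba release.

```ini
# Added example, not from the bug entry or the Samba patch.
# Two alternative [global] fragments; use one or the other.
# Parameter names follow smb.conf(5) as I know them (assumption:
# check the manual for your release).

# --- Fragment A: weaker, pre-patch style client behaviour (constructed) ---
[global]
    # Honour the target principal the server sends in its SPNEGO reply.
    # The quote names this as the hook for man-in-the-middle attacks
    # that rely on swapping the target principal.
    client use spnego principal = yes
    # Allow NTLM-era cryptography when Kerberos is not used.
    client ntlmv2 auth = no

# --- Fragment B: post-patch defaults, spelled out explicitly ---
[global]
    # Ignore any server-supplied principal, matching Windows 2008 / Vista.
    client use spnego principal = no
    # Use NTLMv2 whenever the client falls back to NTLMSSP.
    client ntlmv2 auth = yes

# Either setting can also be overridden for a single connection with the
# --option flag of the Samba client tools, for example:
#   smbclient --option='client ntlmv2 auth = yes' //server/share
#   smbclient --option='client use spnego principal = no' //server/share
```

After editing smb.conf, `testparm -s` reports whether your release accepts the parameters, which is the quickest way to spot a name that does not exist in the version you are running.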