The following bugzilla entry documents a patch I submitted to the samba technical list, which Andrew took and made better.
Quoting Andrew from the thread, as he summarized it better than I did:
"I would like to improve Samba's security and conformance to match
Windows 2008, by:
- removing the server-sent SPNEGO principal from the server-side
- not honouring it in the client
- using NTLMv2 by default in our client.
This should match the behaviour of Windows 2008 and Vista for avoiding
man-in-the-middle attacks relying on swapping of the target principal,
and the NTLMv2 change slowly moves us on from the very poor
cryptography of the NTLM era.
This will change behaviour - some broken configurations where Windows
does not use Kerberos will now also fall back to NTLMSSP, but as Neil
reported in his original mail, it will also fix real world
In terms of unexpected interoperability issues, all these code paths
should already have been explored with Windows 2008 and Vista clients
and servers. Likewise, all these options can be turned back on with
smb.conf and command line options (see the --option option) if required
on a particular connection."
Patches are available as attachments to the linked URL.
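As an added illustration, not taken from the bug entry, the patch or Andrew's mail, here is how the three behaviour changes above map onto an smb.conf [global] section. The parameter names (`send spnego principal`, `client use spnego principal`, `client ntlmv2 auth`) are an assumption based on what later Samba releases shipped for these knobs; confirm them against your build with `testparm -v | grep -i -e spnego -e ntlmv2` before relying on them.

```ini
[global]
        # Hardened settings matching the Windows 2008 / Vista behaviour
        # described above. Parameter names are assumed, not taken from
        # the page; verify with "testparm -v".

        # Server side: do not advertise our own principal in the SPNEGO
        # negotiation, so a man in the middle cannot steer the client
        # toward a target principal of its choosing.
        # Pre-change behaviour was the equivalent of "yes".
        send spnego principal = no

        # Client side: ignore any principal the server sends and derive the
        # Kerberos target from the name we actually connected to.
        # Pre-change behaviour was the equivalent of "yes".
        client use spnego principal = no

        # Client side: send NTLMv2 responses only, never LM or NTLMv1,
        # when Kerberos is not available and we fall back to NTLMSSP.
        # Pre-change behaviour was the equivalent of "no".
        client ntlmv2 auth = yes
```

To reproduce the old client behaviour against a single misbehaving server, as the quoted mail suggests, override one parameter for that connection only rather than in smb.conf, for example `smbclient //server/share -U user --option='client use spnego principal=yes'`; if a host still fails only with these defaults, that is the broken Kerberos configuration the mail mentions, not a reason to relax the settings globally.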