[SCM] Samba Shared Repository - branch v3-6-test updated

Karolin Seeger kseeger at samba.org
Fri Jun 17 13:14:22 MDT 2011


The branch, v3-6-test has been updated
       via  b08149c s3: improve WHATSNEW around kerberos changes
      from  df0a827 s3:wb_lookupsids: add some paranoia checks to wb_lookupsids_recv()

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test


- Log -----------------------------------------------------------------
commit b08149c6b8ddcac1399808b1b96e1fc08d382318
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Jun 14 21:51:36 2011 +1000

    s3: improve WHATSNEW around kerberos changes

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt |   19 ++++++++++---------
 1 files changed, 10 insertions(+), 9 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index c3c514c..813d5b3 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -30,15 +30,16 @@ released in-kernel CIFS client.  To re-enable the poorer NTLM encryption
 set '--option=clientusentlmv2auth=no' on your smbclient command line, or
 set 'client ntlmv2 auth = no' in your smb.conf
 
-The impact of 'client use spnego principal = no' is that we may be able
-to use Kerberos to communicate with a server less often in smbclient,
-winbind and other Samba client tools.  We may fall back to NTLMSSP in
-more situations where we would previously rely on the insecure
-indication from the 'NegProt' CIFS packet.  This mostly occursed when
-connecting to a name alias not recorded as a servicePrincipalName for
-the server.  This indication is not available from Windows 2008 or later
-in any case, and is not used by modern Windows clients, so this makes
-Samba's behaviour consistent with other clients and against all servers.
+The impact of 'client use spnego principal = no' is that Samba will
+use CIFS/hostname to obtain a kerberos ticket, acting more like
+Windows when using Kerberos against a CIFS server in smbclient,
+winbind and other Samba client tools.  This will change which servers
+we will successfully negotiate kerberos connections to.  This is due
+to Samba no longer trusting a server-provided hint which is not
+available from Windows 2008 or later.  For correct operation with all
+clients, all aliases for a server should be recorded as a as a
+servicePrincipalName on the server's record in AD.  (For this reason,
+this behavior change and parameter was also made in Samba 3.5.9)
 
 The impact of 'send spnego principal = no' is to match Windows 2008 and
 not to send this principal, making existing clients give more consistent
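Review bot: The added paragraph repeats "as a as a" where "recorded as a as a" wraps onto "servicePrincipalName", and it no longer tells the reader what happens when a Kerberos ticket for CIFS/hostname cannot be obtained. The removed text said Samba may fall back to NTLMSSP in more situations and described the 'NegProt' indication as insecure; the replacement only says this "will change which servers we will successfully negotiate kerberos connections to". Suggest dropping the duplicate "as a", keeping one sentence that names the NTLMSSP fallback and says the server-provided hint is untrusted because it is insecure, and capitalising "Kerberos" consistently, since the new paragraph uses both forms. The closing parenthetical would read better as "this behaviour change and parameter were also added in Samba 3.5.9." with a full stop, which also matches the "behaviour" spelling used in the removed lines.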


-- 
Samba Shared Repository

