--- param/loadparm.c 2005-05-09 14:39:09.000000000 +0100
+++ param/loadparm_new.c 2005-05-09 14:16:30.000000000 +0100
@@ -302,6 +302,7 @@
 BOOL bDisableNetbios;
 BOOL bKernelChangeNotify;
 BOOL bUseKerberosKeytab;
+ BOOL bStrictNameChecking;
 BOOL bDeferSharingViolations;
 BOOL bEnablePrivileges;
 int restrict_anonymous;
@@ -892,6 +893,7 @@
 {"deny hosts", P_LIST, P_LOCAL, &sDefault.szHostsdeny, NULL, NULL, FLAG_HIDE},
 {"preload modules", P_LIST, P_GLOBAL, &Globals.szPreloadModules, NULL, NULL, FLAG_ADVANCED | FLAG_GLOBAL},
 {"use kerberos keytab", P_BOOL, P_GLOBAL, &Globals.bUseKerberosKeytab, NULL, NULL, FLAG_ADVANCED},
+ {"strict name checking", P_BOOL, P_GLOBAL, &Globals.bStrictNameChecking, NULL, NULL, FLAG_ADVANCED},
 {N_("Logging Options"), P_SEP, P_SEPARATOR},
@@ -1591,6 +1593,8 @@
 Globals.bEnablePrivileges = False;
 Globals.szServicesList = str_list_make( "Spooler NETLOGON", NULL );
+
+ Globals.bStrictNameChecking = True;
 }
 static TALLOC_CTX *lp_talloc;
@@ -1839,6 +1843,7 @@
 FN_GLOBAL_BOOL(lp_hostname_lookups, &Globals.bHostnameLookups)
 FN_GLOBAL_BOOL(lp_kernel_change_notify, &Globals.bKernelChangeNotify)
 FN_GLOBAL_BOOL(lp_use_kerberos_keytab, &Globals.bUseKerberosKeytab)
+FN_GLOBAL_BOOL(lp_strict_name_checking, &Globals.bStrictNameChecking)
 FN_GLOBAL_BOOL(lp_defer_sharing_violations, &Globals.bDeferSharingViolations)
 FN_GLOBAL_BOOL(lp_enable_privileges, &Globals.bEnablePrivileges)
 FN_GLOBAL_INTEGER(lp_os_level, &Globals.os_level)
--- libads/kerberos_verify.c 2005-05-09 14:40:44.000000000 +0100
+++ libads/kerberos_verify_new.c 2005-05-09 14:27:11.000000000 +0100
@@ -45,6 +45,7 @@
 krb5_kt_cursor kt_cursor;
 krb5_keytab_entry kt_entry;
 char *valid_princ_formats[7] = { NULL, NULL, NULL, NULL, NULL, NULL, NULL };
+ char *valid_service_formats[2] = { "host", "cifs" };
 char *entry_princ_s = NULL;
 fstring my_name, my_fqdn;
 int i;
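Review bot: The service-class table holds `"host"` and `"cifs"` without the `/` that separates a Kerberos service name from its instance, and the next hunk compares it with `strnequal(entry_princ_s, valid_service_formats[i], strlen(valid_service_formats[i]))`, a pure prefix test, so any keytab entry whose name merely begins with those letters (a `hostmaster@REALM` or `cifsadmin@REALM` user principal, say) is treated as a service principal and its key is tried against the ticket. Putting the separator into the table narrows the match to the intended classes with no other change: `char *valid_service_formats[2] = { "host/", "cifs/" };`. The strings are never written, so `static const char *const valid_service_formats[] = { "host/", "cifs/" };` would also let the compiler enforce that and drop the hand-counted size, which the sizeof quotient in the loop already derives. The function whose locals these are starts and ends outside the hunk.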
@@ -94,7 +95,7 @@
 DEBUG(1, ("ads_keytab_verify_ticket: krb5_unparse_name failed (%s)\n", error_message(ret)));
 goto out;
 }
-
+ if (lp_strict_name_checking()) {
 for (i = 0; i < sizeof(valid_princ_formats) / sizeof(valid_princ_formats[0]); i++) {
 if (strequal(entry_princ_s, valid_princ_formats[i])) {
 number_matched_principals++;
@@ -113,6 +114,26 @@
 }
 }
 }
+ } else {
+ for (i = 0; i < sizeof(valid_service_formats) / sizeof(valid_service_formats[0]); i++) {
+ if (strnequal(entry_princ_s, valid_service_formats[i], strlen(valid_service_formats[i]))) {
+ number_matched_principals++;
+ p_packet->length = ticket->length;
+ p_packet->data = (krb5_pointer)ticket->data;
+ *pp_tkt = NULL;
+ ret = krb5_rd_req(context, &auth_context, p_packet, kt_entry.principal, keytab, NULL, pp_tkt);
+ if (ret) {
+ DEBUG(10, ("ads_keytab_verify_ticket: krb5_rd_req(%s) failed: %s\n",
+ entry_princ_s, error_message(ret)));
+ } else {
+ DEBUG(3,("ads_keytab_verify_ticket: krb5_rd_req succeeded for principal %s\n",
+ entry_princ_s));
+ auth_ok = True;
+ break;
+ }
+ }
+ }
+ }
 /* Free the name we parsed. */
 krb5_free_unparsed_name(context, entry_princ_s);
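Review bot: The new `else` branch repeats the strict branch's verification body (the `number_matched_principals++` through `break` sequence) verbatim; only the predicate differs, a `strnequal` prefix test against `valid_service_formats` versus `strequal` against `valid_princ_formats`. Computing one `matched` flag and feeding a single krb5_rd_req body keeps the two modes from drifting apart and calls krb5_rd_req at most once per keytab entry instead of once per matching format. That makes `number_matched_principals` count keytab entries rather than (entry, format) pairs — its consumer is outside the hunk, so confirm it is only tested against zero — and `matched` needs a `BOOL matched;` declaration among the function's locals, also outside the hunk. It is also worth stating in a comment above the loop that with strict checking off a ticket for any `host/` or `cifs/` principal whose key is in the keytab is accepted regardless of which host name it carries, since the prefix test is all that is checked. ads_keytab_verify_ticket begins and ends outside the hunk.
```c
		/* … unchanged: keytab cursor loop, krb5_unparse_name of kt_entry … */
		matched = False;
		if (lp_strict_name_checking()) {
			/* Exact match against the names we built for this host. */
			for (i = 0; i < sizeof(valid_princ_formats) / sizeof(valid_princ_formats[0]); i++) {
				if (strequal(entry_princ_s, valid_princ_formats[i])) {
					matched = True;
					break;
				}
			}
		} else {
			/* Relaxed: any host/ or cifs/ principal in the keytab, whatever host it names. */
			for (i = 0; i < sizeof(valid_service_formats) / sizeof(valid_service_formats[0]); i++) {
				if (strnequal(entry_princ_s, valid_service_formats[i],
					      strlen(valid_service_formats[i]))) {
					matched = True;
					break;
				}
			}
		}

		if (matched) {
			number_matched_principals++;
			p_packet->length = ticket->length;
			p_packet->data = (krb5_pointer)ticket->data;
			*pp_tkt = NULL;
			ret = krb5_rd_req(context, &auth_context, p_packet, kt_entry.principal, keytab, NULL, pp_tkt);
			/* … unchanged: DEBUG(10) on failure, DEBUG(3) and auth_ok = True on success … */
		}
```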