This parameter determines whether Samba client tools will try to authenticate using Kerberos. For Kerberos authentication you need to use dns names instead of IP addresses when connecting to a service. Possible option settings are: desired - Kerberos authentication will be tried first and if it fails it automatically fallback to NTLM. required - Kerberos authentication will be required. There will be no fallback to NTLM or a different alternative. off - Don't use Kerberos, use NTLM instead or another alternative. In case that weak cryptography is not allowed (e.g. FIPS mode) the default will be forced to required. desired