From https://bugzilla.samba.org/show_bug.cgi?id=7257#c12 :
Ok, I think I see what's happening. The server in this case is sending a
principal name back to the client in the Negotiate Protocol response. smbclient
is using that to get a ticket name.
Note that this is really bad behavior by both the server and client. The
client, in particular since you're essentially trusting the server to tell you
what service principal to use. This allows an attacker to potentially spoof DNS
and redirect the connection to a server that he/she controls.
Not trusting that info was a conscious decision. You can read the thread from a
couple of years ago here:
The correct solution is to fix it so that your KDC holds service principals for
all possible hostnames.
...now, that said, I'm not 100% opposed to patches that turn on this behavior
as an option. I'm not interested in doing that work, but if you or someone else
wants to take it on, I'd be willing to help review them.