Rolling in VL's changes.

(This used to be commit 02244dac83623dabe927f79780cf4b7313022495)

1 files changed, 12 insertions, 8 deletions

diff --git a/docs/docbook/projdoc/ServerType.xml b/docs/docbook/projdoc/ServerType.xml
index 73c7d05212..ecfeb41735 100644
--- a/docs/docbook/projdoc/ServerType.xml
+++ b/docs/docbook/projdoc/ServerType.xml
@@ -342,17 +342,21 @@ in this HOWTO collection.
 <title>ADS Security Mode (User Level Security)</title>
 
 <para>
-Samba-2.2.x could join and Active Directory domain so long as the Active Directory domain
-controller is configured for mixed mode operation, and is running NetBIOS over TCP/IP. MS
-Windows 2000 and later can be configured to run without NetBIOS over TCP/IP, instead it
-can run SMB natively over TCP/IP.
+Both Samba 2.2 and 3.0 can join an active directory domain. This is
+possible even if the domain is run in native mode. Active Directory in
+native mode perfectly allows NT4-style domain members, contrary to
+popular belief. The only thing that Active Directory in native mode
+prohibits is Backup Domain Controllers running NT4.
 </para>
 
 <para>
-The ability to natively join an Active Directory domain requires the use of Kerberos
-based authentication. The Kerberos protocols have been extended by Microsoft so that
-a plain MIT Kerberos, or a Heimdal client is not sufficient. Samba-3 now has the ability
-to be a native Active Directory member server.
+If you are running Active Directory starting with Samba 3.0 you can
+however join as a native AD member. Why would you want to do that?
+Your security policy might prohibit the use of NT-compatible
+authentication protocols. All your machines are running Windows 2000
+and above and all use full Kerberos. In this case Samba as a NT4-style
+domain would still require NT-compatible authentication data. Samba in
+AD-member mode can accept Kerberos.
 </para>
 
 <sect3>