Moving docs tree to docs-xml to make room for generated docs in the release tarball.

(This used to be commit 9f672c26d63955f613088489c6efbdc08b5b2d14)

70 files changed, 2478 insertions, 0 deletions

diff --git a/docs-xml/smbdotconf/security/aclgroupcontrol.xml b/docs-xml/smbdotconf/security/aclgroupcontrol.xml
new file mode 100644
index 0000000000..e2600ca9da
--- /dev/null
+++ b/docs-xml/smbdotconf/security/aclgroupcontrol.xml
@@ -0,0 +1,43 @@
+<samba:parameter name="acl group control"
+                 context="S"
+		 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>
+	In a POSIX filesystem, only the owner of a file or directory and the superuser can modify the permissions
+	and ACLs on a file. If this parameter is set, then Samba overrides this restriction, and also allows the
+ 	 <emphasis>primary group owner</emphasis> of a file or directory to modify the permissions and ACLs
+	on that file.
+	</para>
+	<para>
+	On a Windows server, groups may be the owner of a file or directory - thus allowing anyone in
+	that group to modify the permissions on it. This allows the delegation of security controls
+	on a point in the filesystem to the group owner of a directory and anything below it also owned
+	by that group. This means there are multiple people with permissions to modify ACLs on a file
+	or directory, easing managability.
+	</para>
+	<para>
+	This parameter allows Samba to also permit delegation of the control over a point in the exported
+	directory hierarchy in much the same way as Windows. This allows all members of a UNIX group to
+	control the permissions on a file or directory they have group ownership on.
+	</para>
+
+	<para>
+	This parameter is best used with the <smbconfoption name="inherit owner"/> option and also
+	on on a share containing directories with the UNIX <emphasis>setgid bit</emphasis> set
+	on them, which causes new files and directories created within it to inherit the group
+	ownership from the containing directory. 
+	</para>
+
+	<para>
+	This is parameter has been marked deprecated in Samba 3.0.23.  The same behavior is now
+	implemented by the <parameter moreinfo="none">dos filemode</parameter> option.
+	</para>
+
+</description>
+
+<related>inherit owner</related>
+<related>inherit permissions</related>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/adminusers.xml b/docs-xml/smbdotconf/security/adminusers.xml
new file mode 100644
index 0000000000..d8f14b6d74
--- /dev/null
+++ b/docs-xml/smbdotconf/security/adminusers.xml
@@ -0,0 +1,21 @@
+<samba:parameter name="admin users"
+                 context="S"
+				 type="list"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>This is a list of users who will be granted 
+    administrative privileges on the share. This means that they 
+    will do all file operations as the super-user (root).</para>
+
+    <para>You should use this option very carefully, as any user in 
+    this list will be able to do anything they like on the share, 
+    irrespective of file permissions.</para>
+
+    <para>This parameter will not work with the <smbconfoption name="security">share</smbconfoption> in
+    Samba 3.0.  This is by design.</para>
+
+</description>
+
+<value type="default"/>
+<value type="example">jason</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/algorithmicridbase.xml b/docs-xml/smbdotconf/security/algorithmicridbase.xml
new file mode 100644
index 0000000000..24a3150024
--- /dev/null
+++ b/docs-xml/smbdotconf/security/algorithmicridbase.xml
@@ -0,0 +1,27 @@
+<samba:parameter name="algorithmic rid base"
+                 context="G"
+                 advanced="1" developer="1"
+				 type="integer"
+		 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>This determines how Samba will use its
+    algorithmic mapping from uids/gid to the RIDs needed to construct
+    NT Security Identifiers.
+    </para>
+
+    <para>Setting this option to a larger value could be useful to sites
+    transitioning from WinNT and Win2k, as existing user and 
+    group rids would otherwise clash with sytem users etc. 
+    </para>
+
+    <para>All UIDs and GIDs must be able to be resolved into SIDs for  
+    the correct operation of ACLs on the server.  As such the algorithmic
+    mapping can't be 'turned off', but pushing it 'out of the way' should
+    resolve the issues.  Users and groups can then be assigned 'low' RIDs
+    in arbitrary-rid supporting backends.
+    </para>
+</description>
+
+<value type="default">1000</value>
+<value type="example">100000</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/allowtrusteddomains.xml b/docs-xml/smbdotconf/security/allowtrusteddomains.xml
new file mode 100644
index 0000000000..57bf1d2422
--- /dev/null
+++ b/docs-xml/smbdotconf/security/allowtrusteddomains.xml
@@ -0,0 +1,26 @@
+<samba:parameter name="allow trusted domains"
+                 context="G"
+				 type="boolean"
+                 advanced="1" developer="1"
+		 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>
+    This option only takes effect when the <smbconfoption name="security"/> option is set to 
+    <constant>server</constant>, <constant>domain</constant> or <constant>ads</constant>.  
+    If it is set to no, then attempts to connect to a resource from 
+    a domain or workgroup other than the one which smbd is running 
+    in will fail, even if that domain is trusted by the remote server 
+    doing the authentication.</para>
+		
+    <para>This is useful if you only want your Samba server to 
+    serve resources to users in the domain it is a member of. As 
+    an example, suppose that there are two domains DOMA and DOMB.  DOMB 
+    is trusted by DOMA, which contains the Samba server.  Under normal 
+    circumstances, a user with an account in DOMB can then access the 
+    resources of a UNIX account with the same account name on the 
+    Samba server even if they do not have an account in DOMA.  This 
+    can make implementing a security boundary difficult.</para>
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/authmethods.xml b/docs-xml/smbdotconf/security/authmethods.xml
new file mode 100644
index 0000000000..39d211dbd3
--- /dev/null
+++ b/docs-xml/smbdotconf/security/authmethods.xml
@@ -0,0 +1,34 @@
+<samba:parameter name="auth methods"
+                 context="G"
+				 type="list"
+                 basic="1" advanced="1" wizard="1" developer="1"
+		 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+    <para>
+    This option allows the administrator to chose what authentication methods <command  moreinfo="none">smbd</command> 
+    will use when authenticating a user. This option defaults to sensible values based on <smbconfoption name="security"/>.  
+    This should be considered a developer option and used only in rare circumstances.  In the majority (if not all) 
+    of production servers, the default setting should be adequate.
+    </para>
+
+    <para>
+    Each entry in the list attempts to authenticate the user in turn, until
+    the user authenticates.  In practice only one method will ever actually 
+    be able to complete the authentication.
+    </para>
+
+    <para>
+    Possible options include <constant>guest</constant> (anonymous access), 
+    <constant>sam</constant> (lookups in local list of accounts based on netbios 
+    name or domain name), <constant>winbind</constant> (relay authentication requests
+    for remote users through winbindd), <constant>ntdomain</constant> (pre-winbindd 
+    method of authentication for remote domain users; deprecated in favour of winbind method), 
+    <constant>trustdomain</constant> (authenticate trusted users by contacting the 
+    remote DC directly from smbd; deprecated in favour of winbind method).
+    </para>
+
+</description>
+<value type="default"/>
+<value type="example">guest sam winbind</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/checkpasswordscript.xml b/docs-xml/smbdotconf/security/checkpasswordscript.xml
new file mode 100644
index 0000000000..9169891c29
--- /dev/null
+++ b/docs-xml/smbdotconf/security/checkpasswordscript.xml
@@ -0,0 +1,21 @@
+<samba:parameter name="check password script"
+                 context="G"
+				 type="string"
+                 advanced="1" developer="1"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>The name of a program that can be used to check password
+    complexity. The password is sent to the program's standrad input.</para>
+ 
+    <para>The program must return 0 on good password any other value otherwise.
+    In case the password is considered weak (the program do not return 0) the
+    user will be notified and the password change will fail.</para>
+
+    <para>Note: In the example directory there is a sample program called crackcheck
+    that uses cracklib to checkpassword quality.</para>
+
+</description>
+
+<value type="default">Disabled</value>
+<value type="example">check password script = /usr/local/sbin/crackcheck</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/clientlanmanauth.xml b/docs-xml/smbdotconf/security/clientlanmanauth.xml
new file mode 100644
index 0000000000..5266fef6a2
--- /dev/null
+++ b/docs-xml/smbdotconf/security/clientlanmanauth.xml
@@ -0,0 +1,28 @@
+<samba:parameter name="client lanman auth"
+                 context="G"
+				 type="boolean"
+                 advanced="1" developer="1"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>This parameter determines whether or not <citerefentry><refentrytitle>smbclient</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry> and other samba client
+    tools will attempt to authenticate itself to servers using the
+    weaker LANMAN password hash. If disabled, only server which support NT 
+    password hashes (e.g. Windows NT/2000, Samba, etc... but not 
+    Windows 95/98) will be able to be connected from the Samba client.</para>
+
+    <para>The LANMAN encrypted response is easily broken, due to it's
+    case-insensitive nature, and the choice of algorithm.  Clients
+    without Windows 95/98 servers are advised to disable
+    this option.  </para>
+
+    <para>Disabling this option will also disable the <command
+    moreinfo="none">client plaintext auth</command> option</para>
+
+    <para>Likewise, if the <command moreinfo="none">client ntlmv2
+    auth</command> parameter is enabled, then only NTLMv2 logins will be
+    attempted.</para>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/clientntlmv2auth.xml b/docs-xml/smbdotconf/security/clientntlmv2auth.xml
new file mode 100644
index 0000000000..9f0627abbf
--- /dev/null
+++ b/docs-xml/smbdotconf/security/clientntlmv2auth.xml
@@ -0,0 +1,32 @@
+<samba:parameter name="client ntlmv2 auth"
+                 context="G"
+				 type="boolean"
+                 advanced="1" developer="1"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>This parameter determines whether or not <citerefentry><refentrytitle>smbclient</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry> will attempt to
+    authenticate itself to servers using the NTLMv2 encrypted password
+    response.</para>
+
+    <para>If enabled, only an NTLMv2 and LMv2 response (both much more
+    secure than earlier versions) will be sent.  Many servers
+    (including NT4 &lt; SP4, Win9x and Samba 2.2) are not compatible with
+    NTLMv2.  </para>
+
+    <para>Similarly, if enabled, NTLMv1, <command
+    moreinfo="none">client lanman auth</command> and <command
+    moreinfo="none">client plaintext auth</command>
+    authentication will be disabled.  This also disables share-level 
+    authentication. </para>
+
+    <para>If disabled, an NTLM response (and possibly a LANMAN response)
+    will be sent by the client, depending on the value of <command
+    moreinfo="none">client lanman auth</command>.  </para>
+
+    <para>Note that some sites (particularly
+    those following 'best practice' security polices) only allow NTLMv2
+	responses, and not the weaker LM or NTLM.</para>
+</description>
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/clientplaintextauth.xml b/docs-xml/smbdotconf/security/clientplaintextauth.xml
new file mode 100644
index 0000000000..c4061559db
--- /dev/null
+++ b/docs-xml/smbdotconf/security/clientplaintextauth.xml
@@ -0,0 +1,12 @@
+<samba:parameter name="client plaintext auth"
+                 context="G"
+				 type="boolean"
+                 basic="1" advanced="1" wizard="1" developer="1"
+		 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>Specifies whether a client should send a plaintext 
+		password if the server does not support encrypted passwords.</para>
+</description>
+<value type="default">no</value>
+</samba:parameter>
+
diff --git a/docs-xml/smbdotconf/security/clientschannel.xml b/docs-xml/smbdotconf/security/clientschannel.xml
new file mode 100644
index 0000000000..e229182f97
--- /dev/null
+++ b/docs-xml/smbdotconf/security/clientschannel.xml
@@ -0,0 +1,18 @@
+<samba:parameter name="client schannel"
+                 context="G"
+                 basic="1"
+				 type="boolean-auto"
+		 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+    <para>
+    This controls whether the client offers or even demands the use of the netlogon schannel.
+    <smbconfoption name="client schannel">no</smbconfoption> does not offer the schannel, 
+    <smbconfoption name="client schannel">auto</smbconfoption> offers the schannel but does not
+    enforce it, and <smbconfoption name="client schannel">yes</smbconfoption> denies access 
+    if the server is not able to speak netlogon schannel. 
+    </para>
+</description>
+<value type="default">auto</value>
+<value type="example">yes</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/clientsigning.xml b/docs-xml/smbdotconf/security/clientsigning.xml
new file mode 100644
index 0000000000..bf37cbb874
--- /dev/null
+++ b/docs-xml/smbdotconf/security/clientsigning.xml
@@ -0,0 +1,20 @@
+<samba:parameter name="client signing"
+                 context="G"
+				 type="boolean-auto"
+                 basic="1"
+		 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>This controls whether the client offers or requires
+    the server it talks to to use SMB signing. Possible values 
+    are <emphasis>auto</emphasis>, <emphasis>mandatory</emphasis> 
+    and <emphasis>disabled</emphasis>. 
+    </para>
+
+    <para>When set to auto, SMB signing is offered, but not enforced. 
+    When set to mandatory, SMB signing is required and if set 
+	to disabled, SMB signing is not offered either.
+</para>
+</description>
+
+<value type="default">auto</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/createmask.xml b/docs-xml/smbdotconf/security/createmask.xml
new file mode 100644
index 0000000000..cf6864c78e
--- /dev/null
+++ b/docs-xml/smbdotconf/security/createmask.xml
@@ -0,0 +1,43 @@
+<samba:parameter name="create mask"
+                 context="S"
+				 type="string"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+
+<synonym>create mode</synonym>
+<description>
+    <para>
+	When a file is created, the necessary permissions are calculated according to the mapping from DOS modes to
+	UNIX permissions, and the resulting UNIX mode is then bit-wise 'AND'ed with this parameter. This parameter may
+	be thought of as a bit-wise MASK for the UNIX modes of a file. Any bit <emphasis>not</emphasis> set here will
+	be removed from the modes set on a file when it is created.
+	</para>
+
+    <para>
+	The default value of this parameter removes the <literal>group</literal> and <literal>other</literal>
+	write and execute bits from the UNIX modes.
+	</para>
+
+    <para>
+	Following this Samba will bit-wise 'OR' the UNIX mode created from this parameter with the value of the
+	<smbconfoption name="force create mode"/> parameter which is set to 000 by default.
+	</para>
+
+    <para>
+	This parameter does not affect directory masks. See the parameter <smbconfoption name="directory mask"/>
+	for details.
+	</para>
+
+    <para>
+	Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the
+	administrator wishes to enforce a mask on access control lists also, they need to set the <smbconfoption
+	name="security mask"/>.
+	</para>
+</description>
+
+<related>force create mode</related>
+<related>directory mode</related>
+<related>inherit permissions</related>
+
+<value type="default">0744</value>
+<value type="example">0775</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/directorymask.xml b/docs-xml/smbdotconf/security/directorymask.xml
new file mode 100644
index 0000000000..7b67f79214
--- /dev/null
+++ b/docs-xml/smbdotconf/security/directorymask.xml
@@ -0,0 +1,38 @@
+<samba:parameter name="directory mask"
+	context="S"
+	type="string"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<synonym>directory mode</synonym>
+<description>
+    <para>This parameter is the octal modes which are 
+    used when converting DOS modes to UNIX modes when creating UNIX 
+    directories.</para>
+
+    <para>When a directory is created, the necessary permissions are 
+    calculated according to the mapping from DOS modes to UNIX permissions, 
+    and the resulting UNIX mode is then bit-wise 'AND'ed with this 
+    parameter. This parameter may be thought of as a bit-wise MASK for 
+    the UNIX modes of a directory. Any bit <emphasis>not</emphasis> set 
+    here will be removed from the modes set on a directory when it is 
+    created.</para>
+
+    <para>The default value of this parameter removes the 'group' 
+    and 'other' write bits from the UNIX mode, allowing only the 
+    user who owns the directory to modify it.</para>
+		
+    <para>Following this Samba will bit-wise 'OR' the UNIX mode 
+    created from this parameter with the value of the <smbconfoption name="force directory mode"/> parameter. 
+    This parameter is set to 000 by default (i.e. no extra mode bits are added).</para>
+
+    <para>Note that this parameter does not apply to permissions
+    set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
+    a mask on access control lists also, they need to set the <smbconfoption name="directory security mask"/>.</para>
+</description>
+
+<related>force directory mode</related>
+<related>create mask</related>
+<related>directory security mask</related>
+<related>inherit permissions</related>
+<value type="default">0755</value>
+<value type="example">0775</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/directorysecuritymask.xml b/docs-xml/smbdotconf/security/directorysecuritymask.xml
new file mode 100644
index 0000000000..5ed85ae3f8
--- /dev/null
+++ b/docs-xml/smbdotconf/security/directorysecuritymask.xml
@@ -0,0 +1,39 @@
+<samba:parameter name="directory security mask"
+                 context="S"
+				 type="string"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>This parameter controls what UNIX permission bits
+    will be set when a Windows NT client is manipulating the UNIX
+    permission on a directory using the native NT security dialog
+    box.</para>
+
+    <para>
+	This parameter is applied as a mask (AND'ed with) to the incoming permission bits, thus resetting
+        any bits not in this mask.  Make sure not to mix up this parameter with <smbconfoption name="force
+	directory security mode"/>, which works similar like this one but uses logical OR instead of AND.
+	Essentially, zero bits in this mask are a set of bits that will always be set to zero.
+	</para>
+
+    <para>
+	Essentially, all bits set to zero in this mask will result in setting to zero the corresponding bits on the
+	file permissions regardless of the previous status of this bits on the file.
+    </para>
+
+    <para>If not set explicitly this parameter is set to 0777
+    meaning a user is allowed to set all the user/group/world
+    permissions on a directory.</para>
+
+    <para><emphasis>Note</emphasis> that users who can access the 
+    Samba server through other means can easily bypass this restriction, 
+    so it is primarily useful for standalone &quot;appliance&quot; systems.  
+    Administrators of most normal systems will probably want to leave
+	it as the default of <constant>0777</constant>.</para>
+</description>
+
+<related>force directory security mode</related>
+<related>security mask</related>
+<related>force security mode</related>
+<value type="default">0777</value>
+<value type="example">0700</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/encryptpasswords.xml b/docs-xml/smbdotconf/security/encryptpasswords.xml
new file mode 100644
index 0000000000..1a631fd098
--- /dev/null
+++ b/docs-xml/smbdotconf/security/encryptpasswords.xml
@@ -0,0 +1,40 @@
+<samba:parameter name="encrypt passwords"
+                 context="G"
+				 type="boolean"
+                 basic="1" advanced="1" wizard="1" developer="1"
+		 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>This boolean controls whether encrypted passwords 
+    will be negotiated with the client. Note that Windows NT 4.0 SP3 and 
+    above and also Windows 98 will by default expect encrypted passwords 
+    unless a registry entry is changed. To use encrypted passwords in 
+    Samba see the chapter "User Database" in the Samba HOWTO Collection.
+    </para>
+
+    <para>
+    MS Windows clients that expect Microsoft encrypted passwords and that
+    do not have plain text password support enabled will be able to
+    connect only to a Samba server that has encrypted password support
+    enabled and for which the user accounts have a valid encrypted password.
+    Refer to the smbpasswd command man page for information regarding the
+    creation of encrypted passwords for user accounts.
+    </para>
+
+    <para>
+    The use of plain text passwords is NOT advised as support for this feature
+    is no longer maintained in Microsoft Windows products. If you want to use
+    plain text passwords you must set this parameter to no.
+    </para>
+
+    <para>In order for encrypted passwords to work correctly
+    <citerefentry><refentrytitle>smbd</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry> must either 
+    have access to a local <citerefentry><refentrytitle>smbpasswd</refentrytitle>
+    <manvolnum>5</manvolnum></citerefentry> file (see the <citerefentry><refentrytitle>smbpasswd</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry> program for information on how to set up 
+    and maintain this file), or set the <smbconfoption name="security">[server|domain|ads]</smbconfoption> parameter which 
+    causes <command moreinfo="none">smbd</command> to authenticate against another 
+	server.</para>
+</description>
+<value type="default">yes</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/forcecreatemode.xml b/docs-xml/smbdotconf/security/forcecreatemode.xml
new file mode 100644
index 0000000000..8a6449fe21
--- /dev/null
+++ b/docs-xml/smbdotconf/security/forcecreatemode.xml
@@ -0,0 +1,25 @@
+<samba:parameter name="force create mode"
+                 context="S"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>This parameter specifies a set of UNIX mode bit 
+    permissions that will <emphasis>always</emphasis> be set on a 
+    file created by Samba. This is done by bitwise 'OR'ing these bits onto 
+    the mode bits of a file that is being created or having its 
+    permissions changed. The default for this parameter is (in octal) 
+    000. The modes in this parameter are bitwise 'OR'ed onto the file 
+    mode after the mask set in the <parameter moreinfo="none">create mask</parameter> 
+    parameter is applied.</para>
+
+	<para>The example below would force all created files to have read and execute 
+    permissions set for 'group' and 'other' as well as the 
+    read/write/execute bits set for the 'user'.</para>
+
+</description>
+
+<related>create mask</related>
+<related>inherit permissions</related>
+
+<value type="default">000</value>
+<value type="example">0755</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/forcedirectorymode.xml b/docs-xml/smbdotconf/security/forcedirectorymode.xml
new file mode 100644
index 0000000000..7effc0e399
--- /dev/null
+++ b/docs-xml/smbdotconf/security/forcedirectorymode.xml
@@ -0,0 +1,25 @@
+<samba:parameter name="force directory mode"
+                 context="S"
+				 type="string"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>This parameter specifies a set of UNIX mode bit 
+    permissions that will <emphasis>always</emphasis> be set on a directory 
+    created by Samba. This is done by bitwise 'OR'ing these bits onto the 
+    mode bits of a directory that is being created. The default for this 
+    parameter is (in octal) 0000 which will not add any extra permission 
+    bits to a created directory. This operation is done after the mode 
+    mask in the parameter <parameter moreinfo="none">directory mask</parameter> is 
+    applied.</para>
+
+	<para>The example below would force all created directories to have read and execute
+    permissions set for 'group' and 'other' as well as the
+    read/write/execute bits set for the 'user'.</para>
+</description>
+
+<value type="default">000</value>
+<value type="example">0755</value>
+
+<related>directory mask</related>
+<related>inherit permissions</related>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml b/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml
new file mode 100644
index 0000000000..2c15ec2753
--- /dev/null
+++ b/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml
@@ -0,0 +1,43 @@
+<samba:parameter name="force directory security mode"
+                 context="S"
+				 type="string"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>
+	This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating
+	the UNIX permission on a directory using the native NT security dialog box.
+	</para>
+
+    <para>
+	This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this
+	mask that the user may have modified to be on.  Make sure not to mix up this parameter with <smbconfoption
+	name="directory security mask"/>, which works in a similar manner to this one, but uses a logical AND instead
+	of an OR. 
+	</para>
+
+	<para>
+	Essentially, this mask may be treated as a set of bits that, when modifying security on a directory, 
+	to will enable (1) any flags that are off (0) but which the mask has set to on (1).
+	</para>
+
+    <para>
+	If not set explicitly this parameter is 0000, which allows a user to modify all the user/group/world
+	permissions on a directory without restrictions.
+	</para>
+
+    <note><para>
+	Users who can access the Samba server through other means can easily bypass this restriction, so it is
+	primarily useful for standalone &quot;appliance&quot; systems.  Administrators of most normal systems will
+	probably want to leave it set as 0000.
+	</para></note>
+
+</description>
+
+<value type="default">0</value>
+<value type="example">700</value>
+
+<related>directory security mask</related>
+<related>security mask</related>
+<related>force security mode</related>
+
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/forcegroup.xml b/docs-xml/smbdotconf/security/forcegroup.xml
new file mode 100644
index 0000000000..f6c9974f99
--- /dev/null
+++ b/docs-xml/smbdotconf/security/forcegroup.xml
@@ -0,0 +1,39 @@
+<samba:parameter name="force group"
+                 context="S"
+				 type="string"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<synonym>group</synonym>
+<description>
+    <para>This specifies a UNIX group name that will be 
+    assigned as the default primary group for all users connecting 
+    to this service. This is useful for sharing files by ensuring 
+    that all access to files on service will use the named group for 
+    their permissions checking. Thus, by assigning permissions for this 
+    group to the files and directories within this service the Samba 
+    administrator can restrict or allow sharing of these files.</para>
+
+    <para>In Samba 2.0.5 and above this parameter has extended 
+    functionality in the following way. If the group name listed here 
+    has a '+' character prepended to it then the current user accessing 
+    the share only has the primary group default assigned to this group 
+    if they are already assigned as a member of that group. This allows 
+    an administrator to decide that only users who are already in a 
+    particular group will create files with group ownership set to that 
+    group. This gives a finer granularity of ownership assignment. For 
+    example, the setting <filename moreinfo="none">force group = +sys</filename> means 
+    that only users who are already in group sys will have their default
+    primary group assigned to sys when accessing this Samba share. All
+    other users will retain their ordinary primary group.</para>
+
+    <para>
+	If the <smbconfoption name="force user"/> parameter is also set the group specified in 
+    <parameter moreinfo="none">force group</parameter> will override the primary group
+    set in <parameter moreinfo="none">force user</parameter>.</para>
+
+</description>
+
+<related>force user</related>
+
+<value type="default"/>
+<value type="example">agroup</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/forcesecuritymode.xml b/docs-xml/smbdotconf/security/forcesecuritymode.xml
new file mode 100644
index 0000000000..7451ef91ae
--- /dev/null
+++ b/docs-xml/smbdotconf/security/forcesecuritymode.xml
@@ -0,0 +1,41 @@
+<samba:parameter name="force security mode"
+                 context="S"
+				 type="string"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>
+	This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating 
+    the UNIX permission on a file using the native NT security dialog box.
+	</para>
+		
+    <para>
+	This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this
+	mask that the user may have modified to be on.  Make sure not to mix up this parameter with <smbconfoption
+	name="security mask"/>, which works similar like this one but uses logical AND instead of OR. 
+	</para>
+
+	<para>
+	Essentially, one bits in this mask may be treated as a set of bits that, when modifying security on a file,
+	the user has always set to be on.
+	</para>
+
+    <para>
+	If not set explicitly this parameter is set to 0, and allows a user to modify all the user/group/world
+	permissions on a file, with no restrictions.
+	</para>
+		
+    <para><emphasis>
+	Note</emphasis> that users who can access the Samba server through other means can easily bypass this
+	restriction, so it is primarily useful for standalone &quot;appliance&quot; systems. Administrators of most
+	normal systems will probably want to leave this set to 0000.
+	</para>
+
+</description>
+
+<value type="default">0</value>
+<value type="example">700</value>
+
+<related>force directory security mode</related>
+<related>directory security mask</related>
+<related>security mask</related>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/forceunknownacluser.xml b/docs-xml/smbdotconf/security/forceunknownacluser.xml
new file mode 100644
index 0000000000..4c0949f052
--- /dev/null
+++ b/docs-xml/smbdotconf/security/forceunknownacluser.xml
@@ -0,0 +1,27 @@
+<samba:parameter name="force unknown acl user"
+                 context="S"
+				 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+
+<description>
+    <para>
+    If this parameter is set, a Windows NT ACL that contains an unknown SID (security descriptor, or 
+    representation of a user or group id) as the owner or group owner of the file will be silently
+    mapped into the current UNIX uid or gid of the currently connected user.
+    </para>
+
+    <para>
+    This is designed to allow Windows NT clients to copy files and folders containing ACLs that were 
+    created locally on the client machine and contain users local to that machine only (no domain
+    users) to be copied to a Samba server (usually with XCOPY /O) and have the unknown userid and 
+    groupid of the file owner map to the current connected user.  This can only be fixed correctly
+    when winbindd allows arbitrary mapping from any Windows NT SID to a UNIX uid or gid.
+    </para>
+
+    <para>
+    Try using this parameter when XCOPY /O gives an ACCESS_DENIED error.
+    </para>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/forceuser.xml b/docs-xml/smbdotconf/security/forceuser.xml
new file mode 100644
index 0000000000..f1ec5d449c
--- /dev/null
+++ b/docs-xml/smbdotconf/security/forceuser.xml
@@ -0,0 +1,27 @@
+<samba:parameter name="force user"
+				 type="string"
+                 context="S"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>This specifies a UNIX user name that will be 
+    assigned as the default user for all users connecting to this service. 
+    This is useful for sharing files. You should also use it carefully 
+    as using it incorrectly can cause security problems.</para>
+
+    <para>This user name only gets used once a connection is established. 
+    Thus clients still need to connect as a valid user and supply a 
+    valid password. Once connected, all file operations will be performed 
+    as the &quot;forced user&quot;, no matter what username the client connected 
+    as.  This can be very useful.</para>
+
+    <para>In Samba 2.0.5 and above this parameter also causes the 
+    primary group of the forced user to be used as the primary group 
+    for all file activity. Prior to 2.0.5 the primary group was left 
+    as the primary group of the connecting user (this was a bug).</para>
+
+</description>
+
+<related>force group</related>
+<value type="default"/>
+<value type="example">auser</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/guestaccount.xml b/docs-xml/smbdotconf/security/guestaccount.xml
new file mode 100644
index 0000000000..8132835a82
--- /dev/null
+++ b/docs-xml/smbdotconf/security/guestaccount.xml
@@ -0,0 +1,28 @@
+<samba:parameter name="guest account"
+                 context="G"
+				 type="string"
+                 basic="1" advanced="1" developer="1"
+		 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>This is a username which will be used for access 
+    to services which are specified as <smbconfoption name="guest ok"/> (see below). Whatever privileges this 
+    user has will be available to any client connecting to the guest service. 
+    This user must exist in the password file, but does not require
+    a valid login. The user account &quot;ftp&quot; is often a good choice 
+    for this parameter. 
+    </para>
+
+    <para>On some systems the default guest account &quot;nobody&quot; may not 
+    be able to print. Use another account in this case. You should test 
+    this by trying to log in as your guest user (perhaps by using the 
+    <command moreinfo="none">su -</command> command) and trying to print using the 
+    system print command such as <command moreinfo="none">lpr(1)</command> or <command moreinfo="none">
+    lp(1)</command>.</para>
+
+    <para>This parameter does not accept % macros, because
+    many parts of the system require this value to be
+	constant for correct operation.</para>
+</description>
+<value type="default">nobody<comment>default can be changed at compile-time</comment></value>
+<value type="example">ftp</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/guestok.xml b/docs-xml/smbdotconf/security/guestok.xml
new file mode 100644
index 0000000000..7cbf4e50bb
--- /dev/null
+++ b/docs-xml/smbdotconf/security/guestok.xml
@@ -0,0 +1,20 @@
+<samba:parameter name="guest ok"
+				 type="boolean"
+                 context="S"
+                 basic="1" advanced="1" print="1" developer="1"
+				 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<synonym>public</synonym>
+<description>
+    <para>If this parameter is <constant>yes</constant> for 
+    a service, then no password is required to connect to the service. 
+    Privileges will be those of the <smbconfoption name="guest account"/>.</para>
+
+    <para>This paramater nullifies the benifits of setting
+    <smbconfoption name="restrict anonymous">2</smbconfoption>
+	</para>
+
+    <para>See the section below on <smbconfoption name="security"/> for more information about this option.
+	</para>
+</description>
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/guestonly.xml b/docs-xml/smbdotconf/security/guestonly.xml
new file mode 100644
index 0000000000..258eba9267
--- /dev/null
+++ b/docs-xml/smbdotconf/security/guestonly.xml
@@ -0,0 +1,15 @@
+<samba:parameter name="guest only"
+                 context="S"
+				 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<synonym>only guest</synonym>
+<description>
+    <para>If this parameter is <constant>yes</constant> for 
+    a service, then only guest connections to the service are permitted. 
+    This parameter will have no effect if <smbconfoption name="guest ok"/> is not set for the service.</para>
+
+    <para>See the section below on <smbconfoption name="security"/> for more information about this option.
+	</para>
+</description>
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/hostsallow.xml b/docs-xml/smbdotconf/security/hostsallow.xml
new file mode 100644
index 0000000000..849b515f46
--- /dev/null
+++ b/docs-xml/smbdotconf/security/hostsallow.xml
@@ -0,0 +1,63 @@
+<samba:parameter name="hosts allow"
+                 context="S"
+				 type="list"
+                 basic="1" advanced="1" print="1" developer="1"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<synonym>allow hosts</synonym>
+<description>
+    <para>A synonym for this parameter is <smbconfoption name="allow hosts"/>.</para>
+		
+    <para>This parameter is a comma, space, or tab delimited 
+    set of hosts which are permitted to access a service.</para>
+
+    <para>If specified in the [global] section then it will
+    apply to all services, regardless of whether the individual 
+    service has a different setting.</para>
+
+    <para>You can specify the hosts by name or IP number. For 
+    example, you could restrict access to only the hosts on a 
+    Class C subnet with something like <command>allow hosts = 150.203.5.</command>.
+	The full syntax of the list is described in the man 
+    page <filename>hosts_access(5)</filename>. Note that this man
+    page may not be present on your system, so a brief description will
+    be given here also.</para>
+
+    <para>Note that the localhost address 127.0.0.1 will always 
+    be allowed access unless specifically denied by a <smbconfoption name="hosts deny"/> option.</para>
+
+    <para>You can also specify hosts by network/netmask pairs and 
+    by netgroup names if your system supports netgroups. The 
+    <emphasis>EXCEPT</emphasis> keyword can also be used to limit a 
+    wildcard list. The following examples may provide some help:</para>
+
+<para>Example 1: allow all IPs in 150.203.*.*; except one</para>
+
+    <para><command moreinfo="none">hosts allow = 150.203. EXCEPT 150.203.6.66</command></para>
+
+    <para>Example 2: allow hosts that match the given network/netmask</para>
+
+    <para><command moreinfo="none">hosts allow = 150.203.15.0/255.255.255.0</command></para>
+
+    <para>Example 3: allow a couple of hosts</para>
+
+    <para><command moreinfo="none">hosts allow = lapland, arvidsjaur</command></para>
+
+    <para>Example 4: allow only hosts in NIS netgroup &quot;foonet&quot;, but 
+    deny access from one particular host</para>
+
+    <para><command moreinfo="none">hosts allow = @foonet</command></para>
+
+    <para><command moreinfo="none">hosts deny = pirate</command></para>
+
+    <note><para>Note that access still requires suitable user-level passwords.</para></note>
+
+    <para>See <citerefentry><refentrytitle>testparm</refentrytitle>
+    <manvolnum>1</manvolnum></citerefentry> for a way of testing your host access 
+    to see if it does what you expect.</para>
+
+		
+</description>
+
+<value type="example">150.203.5. myhost.mynet.edu.au</value>
+<value type="default"><comment>none (i.e., all hosts permitted access)</comment></value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/hostsdeny.xml b/docs-xml/smbdotconf/security/hostsdeny.xml
new file mode 100644
index 0000000000..136f86c9c8
--- /dev/null
+++ b/docs-xml/smbdotconf/security/hostsdeny.xml
@@ -0,0 +1,25 @@
+<samba:parameter name="hosts deny"
+                 context="S"
+				 type="list"
+                 basic="1" advanced="1" print="1" developer="1"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<synonym>deny hosts</synonym>
+<description>
+    <para>The opposite of <parameter moreinfo="none">hosts allow</parameter> 
+    - hosts listed here are <emphasis>NOT</emphasis> permitted access to 
+    services unless the specific services have their own lists to override 
+    this one. Where the lists conflict, the <parameter moreinfo="none">allow</parameter> 
+	list takes precedence.</para>
+
+	<para>
+	In the event that it is necessary to deny all by default, use the keyword
+	ALL (or the netmask <literal>0.0.0.0/0</literal>) and then explicitly specify
+	to the <smbconfoption name="hosts allow">hosts allow</smbconfoption> parameter those hosts
+	that should be permitted access.
+	</para>
+</description>
+
+<value type="default"><comment>none (i.e., no hosts specifically excluded)</comment></value>
+
+<value type="example">150.203.4. badhost.mynet.edu.au</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/inheritacls.xml b/docs-xml/smbdotconf/security/inheritacls.xml
new file mode 100644
index 0000000000..44afa8a3e2
--- /dev/null
+++ b/docs-xml/smbdotconf/security/inheritacls.xml
@@ -0,0 +1,16 @@
+<samba:parameter name="inherit acls"
+                 context="S"
+				 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>This parameter can be used to ensure that if default acls
+    exist on parent directories, they are always honored when creating a
+    new file or subdirectory in these parent directories. The default 
+    behavior is to use the unix mode specified when creating the directory. 
+    Enabling this option sets the unix mode to 0777, thus guaranteeing that 
+    default directory acls are propagated.
+</para>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/inheritowner.xml b/docs-xml/smbdotconf/security/inheritowner.xml
new file mode 100644
index 0000000000..ba4fc617cb
--- /dev/null
+++ b/docs-xml/smbdotconf/security/inheritowner.xml
@@ -0,0 +1,21 @@
+<samba:parameter name="inherit owner"
+                 context="S"
+		 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>The ownership of new files and directories 
+	is normally governed by effective uid of the connected user.
+	This option allows the Samba administrator to specify that
+	the ownership for new files and directories should be controlled
+	by the ownership of the parent directory.</para>
+	
+	<para>Common scenarios where this behavior is useful is in 
+	implementing drop-boxes where users can create and edit files but not 
+	delete them and to ensure that newly create files in a user's
+	roaming profile directory are actually owner by the user.</para>
+</description>
+
+<related>inherit permissions</related>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/inheritpermissions.xml b/docs-xml/smbdotconf/security/inheritpermissions.xml
new file mode 100644
index 0000000000..6e09f4f033
--- /dev/null
+++ b/docs-xml/smbdotconf/security/inheritpermissions.xml
@@ -0,0 +1,35 @@
+<samba:parameter name="inherit permissions"
+                 context="S"
+				 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>
+	The permissions on new files and directories are normally governed by <smbconfoption name="create mask"/>,
+	<smbconfoption name="directory mask"/>, <smbconfoption name="force create mode"/> and <smbconfoption
+	name="force directory mode"/> but the boolean inherit permissions parameter overrides this.
+	</para>
+		
+    <para>New directories inherit the mode of the parent directory,
+    including bits such as setgid.</para>
+
+    <para>
+	New files inherit their read/write bits from the parent directory.  Their execute bits continue to be
+	determined by <smbconfoption name="map archive"/>, <smbconfoption name="map hidden"/> and <smbconfoption
+	name="map system"/> as usual.
+	</para>
+
+    <para>Note that the setuid bit is <emphasis>never</emphasis> set via 
+    inheritance (the code explicitly prohibits this).</para>
+
+    <para>This can be particularly useful on large systems with 
+    many users, perhaps several thousand, to allow a single [homes] 
+    share to be used flexibly by each user.</para>
+</description>
+
+<related>create mask</related>
+<related>directory mask</related>
+<related>force create mode</related>
+<related>force directory mode</related>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/invalidusers.xml b/docs-xml/smbdotconf/security/invalidusers.xml
new file mode 100644
index 0000000000..f4ed66f314
--- /dev/null
+++ b/docs-xml/smbdotconf/security/invalidusers.xml
@@ -0,0 +1,34 @@
+<samba:parameter name="invalid users"
+                 context="S"
+				 type="list"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>This is a list of users that should not be allowed 
+    to login to this service. This is really a <emphasis>paranoid</emphasis> 
+    check to absolutely ensure an improper setting does not breach 
+    your security.</para>
+		
+    <para>A name starting with a '@' is interpreted as an NIS 
+    netgroup first (if your system supports NIS), and then as a UNIX 
+    group if the name was not found in the NIS netgroup database.</para>
+
+    <para>A name starting with '+' is interpreted only 
+    by looking in the UNIX group database via the NSS getgrnam() interface. A name starting with 
+    '&amp;' is interpreted only by looking in the NIS netgroup database 
+    (this requires NIS to be working on your system). The characters 
+    '+' and '&amp;' may be used at the start of the name in either order 
+    so the value <parameter moreinfo="none">+&amp;group</parameter> means check the 
+    UNIX group database, followed by the NIS netgroup database, and 
+    the value <parameter moreinfo="none">&amp;+group</parameter> means check the NIS
+    netgroup database, followed by the UNIX group database (the 
+    same as the '@' prefix).</para>
+
+    <para>The current servicename is substituted for <parameter moreinfo="none">%S</parameter>. 
+		This is useful in the [homes] section.</para>
+</description>
+
+<related>valid users</related>
+
+<value type="default"><comment>no invalid users</comment></value>
+<value type="example">root fred admin @wheel</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/lanmanauth.xml b/docs-xml/smbdotconf/security/lanmanauth.xml
new file mode 100644
index 0000000000..341952205f
--- /dev/null
+++ b/docs-xml/smbdotconf/security/lanmanauth.xml
@@ -0,0 +1,33 @@
+<samba:parameter name="lanman auth"
+                 context="G"
+				 type="boolean"
+                 advanced="1" developer="1"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry> will attempt to
+    authenticate users or permit password changes
+    using the LANMAN password hash. If disabled, only clients which support NT 
+    password hashes (e.g. Windows NT/2000 clients, smbclient, but not 
+    Windows 95/98 or the MS DOS network client) will be able to
+    connect to the Samba host.</para>
+
+    <para>The LANMAN encrypted response is easily broken, due to it's
+    case-insensitive nature, and the choice of algorithm.  Servers
+    without Windows 95/98/ME or MS DOS clients are advised to disable
+    this option.  </para>
+		
+    <para>Unlike the <command moreinfo="none">encrypt
+    passwords</command> option, this parameter cannot alter client
+    behaviour, and the LANMAN response will still be sent over the
+    network.  See the <command moreinfo="none">client lanman
+    auth</command> to disable this for Samba's clients (such as smbclient)</para>
+
+    <para>If this option, and <command moreinfo="none">ntlm
+    auth</command> are both disabled, then only NTLMv2 logins will be
+    permited.  Not all clients support NTLMv2, and most will require
+    special configuration to use it.</para>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/maptoguest.xml b/docs-xml/smbdotconf/security/maptoguest.xml
new file mode 100644
index 0000000000..0f680ae71c
--- /dev/null
+++ b/docs-xml/smbdotconf/security/maptoguest.xml
@@ -0,0 +1,76 @@
+<samba:parameter name="map to guest"
+				 type="enum"
+                 context="G"
+                 advanced="1" developer="1"
+		 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>This parameter is only useful in <smbconfoption name="SECURITY">
+    security</smbconfoption> modes other than <parameter moreinfo="none">security = share</parameter> 
+    and <parameter moreinfo="none">security = server</parameter>
+    - i.e. <constant>user</constant>, and <constant>domain</constant>.</para>
+
+    <para>This parameter can take four different values, which tell
+    <citerefentry><refentrytitle>smbd</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry> what to do with user 
+    login requests that don't match a valid UNIX user in some way.</para>
+
+    <para>The four settings are :</para>
+
+    <itemizedlist>
+	<listitem>
+	    <para><constant>Never</constant> - Means user login 
+	    requests with an invalid password are rejected. This is the 
+	    default.</para>
+	</listitem>
+			
+	<listitem>
+	    <para><constant>Bad User</constant> - Means user
+	    logins with an invalid password are rejected, unless the username 
+	    does not exist, in which case it is treated as a guest login and 
+	    mapped into the <smbconfoption name="guest account"/>.</para>
+	</listitem>
+
+	<listitem>
+	    <para><constant>Bad Password</constant> - Means user logins 
+	    with an invalid password are treated as a guest login and mapped 
+	    into the <smbconfoption name="guest account"/>. Note that 
+	    this can cause problems as it means that any user incorrectly typing 
+	    their password will be silently logged on as &quot;guest&quot; - and 
+	    will not know the reason they cannot access files they think
+	    they should - there will have been no message given to them
+	    that they got their password wrong. Helpdesk services will
+	    <emphasis>hate</emphasis> you if you set the <parameter moreinfo="none">map to 
+	    guest</parameter> parameter this way :-).</para>
+	</listitem>
+	<listitem>
+	    <para><constant>Bad Uid</constant> - Is only applicable when Samba is configured
+	    in some type of domain mode security (security = {domain|ads}) and means that
+	    user logins which are successfully authenticated but which have no valid Unix
+	    user account (and smbd is unable to create one) should be mapped to the defined
+	    guest account. This was the default behavior of Samba 2.x releases.  Note that 
+	    if a member server is running winbindd,  this option should never be required
+	    because the nss_winbind library will export the Windows domain users and groups
+	    to the underlying OS via the Name Service Switch interface.</para>
+	</listitem>
+    </itemizedlist>
+
+    <para>Note that this parameter is needed to set up &quot;Guest&quot; 
+    share services when using <parameter moreinfo="none">security</parameter> modes other than 
+    share and server. This is because in these modes the name of the resource being
+    requested is <emphasis>not</emphasis> sent to the server until after 
+    the server has successfully authenticated the client so the server 
+    cannot make authentication decisions at the correct time (connection 
+    to the share) for &quot;Guest&quot; shares. This parameter is not useful with
+    <parameter moreinfo="none">security = server</parameter> as in this security mode
+    no information is returned about whether a user logon failed due to
+    a bad username or bad password, the same error is returned from a modern server
+    in both cases.</para>
+
+    <para>For people familiar with the older Samba releases, this 
+    parameter maps to the old compile-time setting of the <constant>
+		GUEST_SESSSETUP</constant> value in local.h.</para>
+</description>
+
+<value type="default">Never</value>
+<value type="example">Bad User</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/ntlmauth.xml b/docs-xml/smbdotconf/security/ntlmauth.xml
new file mode 100644
index 0000000000..ebcdad72a1
--- /dev/null
+++ b/docs-xml/smbdotconf/security/ntlmauth.xml
@@ -0,0 +1,20 @@
+<samba:parameter name="ntlm auth"
+                 context="G"
+				 type="boolean"
+                 advanced="1" developer="1"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry> will attempt to
+    authenticate users using the NTLM encrypted password response.
+    If disabled, either the lanman password hash or an NTLMv2 response
+    will need to be sent by the client.</para>
+
+    <para>If this option, and <command moreinfo="none">lanman
+    auth</command> are both disabled, then only NTLMv2 logins will be
+    permited.  Not all clients support NTLMv2, and most will require
+	special configuration to us it.</para>
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/nullpasswords.xml b/docs-xml/smbdotconf/security/nullpasswords.xml
new file mode 100644
index 0000000000..402114e259
--- /dev/null
+++ b/docs-xml/smbdotconf/security/nullpasswords.xml
@@ -0,0 +1,14 @@
+<samba:parameter name="null passwords"
+                 context="G"
+                 advanced="1" developer="1"
+				 type="boolean"
+		 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>Allow or disallow client access to accounts that have null passwords. </para>
+
+    <para>See also <citerefentry><refentrytitle>smbpasswd</refentrytitle>
+			<manvolnum>5</manvolnum></citerefentry>.</para>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/obeypamrestrictions.xml b/docs-xml/smbdotconf/security/obeypamrestrictions.xml
new file mode 100644
index 0000000000..40777f4f5d
--- /dev/null
+++ b/docs-xml/smbdotconf/security/obeypamrestrictions.xml
@@ -0,0 +1,20 @@
+<samba:parameter name="obey pam restrictions"
+                 context="G"
+				 type="boolean"
+                 advanced="1" developer="1"
+		 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>When Samba 3.0 is configured to enable PAM support
+    (i.e. --with-pam), this parameter will control whether or not Samba
+    should obey PAM's account and session management directives.  The 
+    default behavior is to use PAM for clear text authentication only
+    and to ignore any account or session management.  Note that Samba
+    always ignores PAM for authentication in the case of <smbconfoption 
+	name="encrypt passwords">yes</smbconfoption>.  The reason 
+    is that PAM modules cannot support the challenge/response
+    authentication mechanism needed in the presence of SMB password encryption.
+</para>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/onlyuser.xml b/docs-xml/smbdotconf/security/onlyuser.xml
new file mode 100644
index 0000000000..b1ef1b7606
--- /dev/null
+++ b/docs-xml/smbdotconf/security/onlyuser.xml
@@ -0,0 +1,25 @@
+<samba:parameter name="only user"
+					type="boolean"
+                 context="S"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>This is a boolean option that controls whether 
+    connections with usernames not in the <parameter moreinfo="none">user</parameter> 
+    list will be allowed. By default this option is disabled so that a 
+    client can supply a username to be used by the server.  Enabling
+    this parameter will force the server to only use the login 
+    names from the <parameter moreinfo="none">user</parameter> list and is only really
+    useful in <smbconfoption name="security">share</smbconfoption> level security.</para>
+
+    <para>Note that this also means Samba won't try to deduce 
+    usernames from the service name. This can be annoying for 
+    the [homes] section. To get around this you could use <command moreinfo="none">user =
+    %S</command> which means your <parameter moreinfo="none">user</parameter> list
+    will be just the service name, which for home directories is the 
+    name of the user.</para>
+</description>
+
+<related>user</related>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/pampasswordchange.xml b/docs-xml/smbdotconf/security/pampasswordchange.xml
new file mode 100644
index 0000000000..e5c04d405c
--- /dev/null
+++ b/docs-xml/smbdotconf/security/pampasswordchange.xml
@@ -0,0 +1,17 @@
+<samba:parameter name="pam password change"
+                 context="G"
+				 type="boolean"
+                 advanced="1" developer="1"
+		 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>With the addition of better PAM support in Samba 2.2, 
+    this parameter, it is possible to use PAM's password change control 
+    flag for Samba.  If enabled, then PAM will be used for password
+    changes when requested by an SMB client instead of the program listed in 
+    <smbconfoption name="passwd program"/>. 
+    It should be possible to enable this without changing your 
+    <smbconfoption name="passwd chat"/> parameter for most setups.</para>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/passdbbackend.xml b/docs-xml/smbdotconf/security/passdbbackend.xml
new file mode 100644
index 0000000000..487d8b8a9d
--- /dev/null
+++ b/docs-xml/smbdotconf/security/passdbbackend.xml
@@ -0,0 +1,64 @@
+<samba:parameter name="passdb backend"
+                 context="G"
+		 type="list"
+                 advanced="1" developer="1"
+		 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+    <para>This option allows the administrator to chose which backend
+    will be used for storing user and possibly group information.  This allows 
+    you to swap between different storage mechanisms without recompile. </para>
+
+    <para>The parameter value is divided into two parts, the backend's name, and a 'location'
+    string that has meaning only to that particular backed.  These are separated
+    by a : character.</para>
+
+    <para>Available backends can include:
+	<itemizedlist>
+	    <listitem>
+		<para><command moreinfo="none">smbpasswd</command> - The default smbpasswd
+		backend. Takes a path to the smbpasswd file as an optional argument.
+		</para>
+	    </listitem>
+			
+	    <listitem>
+		<para><command moreinfo="none">tdbsam</command> - The TDB based password storage
+                backend.  Takes a path to the TDB as an optional argument (defaults to passdb.tdb 
+                in the <smbconfoption name="private dir"/> directory.</para>
+	    </listitem>
+			
+	    <listitem>
+		<para><command moreinfo="none">ldapsam</command> - The LDAP based passdb 
+                backend.  Takes an LDAP URL as an optional argument (defaults to 
+                <command moreinfo="none">ldap://localhost</command>)</para>
+			
+		<para>LDAP connections should be secured where possible.  This may be done using either
+                Start-TLS (see <smbconfoption name="ldap ssl"/>) or by
+                specifying <parameter moreinfo="none">ldaps://</parameter> in
+                the URL argument. </para>
+
+                <para>Multiple servers may also be specified in double-quotes.
+		Whether multiple servers are supported or not and the exact
+		syntax depends on the LDAP library you use.
+		</para>
+
+	    </listitem>
+	</itemizedlist>
+
+    </para>
+	Examples of use are:
+<programlisting>
+passdb backend = tdbsam:/etc/samba/private/passdb.tdb 
+
+or multi server LDAP URL with OpenLDAP library:
+
+passdb backend = ldapsam:"ldap://ldap-1.example.com ldap://ldap-2.example.com"
+
+or multi server LDAP URL with Netscape based LDAP library:
+
+passdb backend = ldapsam:"ldap://ldap-1.example.com ldap-2.example.com"
+</programlisting>
+</description>
+
+<value type="default">smbpasswd</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/passdbexpandexplicit.xml b/docs-xml/smbdotconf/security/passdbexpandexplicit.xml
new file mode 100644
index 0000000000..08c893191a
--- /dev/null
+++ b/docs-xml/smbdotconf/security/passdbexpandexplicit.xml
@@ -0,0 +1,15 @@
+<samba:parameter name="passdb expand explicit"
+                 context="G"
+                 advanced="1" developer="0"
+				 type="boolean"
+		 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>
+	This parameter controls whether Samba substitutes %-macros in the passdb fields if they are explicitly set. We
+	used to expand macros here, but this turned out to be a bug because the Windows client can expand a variable
+	%G_osver% in which %G would have been substituted by the user's primary group.
+    </para>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/passwdchat.xml b/docs-xml/smbdotconf/security/passwdchat.xml
new file mode 100644
index 0000000000..da18142dfa
--- /dev/null
+++ b/docs-xml/smbdotconf/security/passwdchat.xml
@@ -0,0 +1,60 @@
+<samba:parameter name="passwd chat"
+                 context="G"
+		 type="string"
+                 advanced="1" developer="1"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>This string controls the <emphasis>&quot;chat&quot;</emphasis> 
+    conversation that takes places between <citerefentry><refentrytitle>smbd</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry> and the local password changing
+    program to change the user's password. The string describes a 
+    sequence of response-receive pairs that <citerefentry><refentrytitle>smbd</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry> uses to determine what to send to the 
+    <smbconfoption name="passwd program"/> and what to expect back. If the expected output is not 
+    received then the password is not changed.</para>
+
+    <para>This chat sequence is often quite site specific, depending 
+    on what local methods are used for password control (such as NIS 
+    etc).</para>
+
+    <para>Note that this parameter only is only used if the <smbconfoption
+    name="unix password sync"/> parameter is set  to <constant>yes</constant>. This sequence is 
+    then called <emphasis>AS ROOT</emphasis> when the SMB password  in the 
+    smbpasswd file is being changed, without access to the old password
+    cleartext. This means that root must be able to reset the user's password without
+    knowing the text of the previous password. In the presence of
+    NIS/YP,  this means that the <smbconfoption name="passwd program"/> must
+    be executed on the NIS master.
+    </para>
+
+    <para>The string can contain the macro <parameter
+    moreinfo="none">%n</parameter> which is substituted 
+    for the new password.  The old passsword (<parameter 
+    moreinfo="none">%o</parameter>) is only available when
+    <smbconfoption name="encrypt passwords"/> has been disabled.
+    The chat sequence can also contain the standard macros 
+    \n, \r, \t and \s to give line-feed, carriage-return, tab 
+    and space.  The chat sequence string can also contain 
+    a '*' which matches any sequence of characters. Double quotes can 
+    be used to collect strings with spaces in them into a single 
+    string.</para>
+
+    <para>If the send string in any part of the chat sequence  is a full
+    stop &quot;.&quot;,  then no string is sent. Similarly,  if the
+    expect string is a full stop then no string is expected.</para>
+
+    <para>If the <smbconfoption name="pam password change"/> parameter is set to <constant>yes</constant>, the
+	chat pairs may be matched in any order, and success is determined by the PAM result, not any particular
+	output. The \n macro is ignored for PAM conversions.
+    </para>
+
+</description>
+
+<related>unix password sync</related>
+<related>passwd program</related>
+<related>passwd chat debug</related>
+<related>pam password change</related>
+
+<value type="default">*new*password* %n\n*new*password* %n\n *changed*</value>
+<value type="example">&quot;*Enter NEW password*&quot; %n\n &quot;*Reenter NEW password*&quot; %n\n &quot;*Password changed*&quot;</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/passwdchatdebug.xml b/docs-xml/smbdotconf/security/passwdchatdebug.xml
new file mode 100644
index 0000000000..24bcbdba10
--- /dev/null
+++ b/docs-xml/smbdotconf/security/passwdchatdebug.xml
@@ -0,0 +1,27 @@
+<samba:parameter name="passwd chat debug"
+                 context="G"
+                 advanced="1" developer="1"
+				 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>This boolean specifies if the passwd chat script 
+    parameter is run in <emphasis>debug</emphasis> mode. In this mode the 
+    strings passed to and received from the passwd chat are printed 
+    in the <citerefentry><refentrytitle>smbd</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry> log with a 
+    <smbconfoption name="debug level"/> 
+    of 100. This is a dangerous option as it will allow plaintext passwords 
+    to be seen in the <command moreinfo="none">smbd</command> log. It is available to help 
+    Samba admins debug their <parameter moreinfo="none">passwd chat</parameter> scripts 
+    when calling the <parameter moreinfo="none">passwd program</parameter> and should 
+    be turned off after this has been done. This option has no effect if the 
+    <smbconfoption name="pam password change"/>
+	parameter is set. This parameter is off by default.</para>
+</description>
+
+<related>passwd chat</related>
+<related>pam password change</related>
+<related>passwd program</related>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/passwdchattimeout.xml b/docs-xml/smbdotconf/security/passwdchattimeout.xml
new file mode 100644
index 0000000000..c371aa2c88
--- /dev/null
+++ b/docs-xml/smbdotconf/security/passwdchattimeout.xml
@@ -0,0 +1,14 @@
+<samba:parameter name="passwd chat timeout"
+                 context="G"
+				 type="integer"
+                 advanced="1" developer="1"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>This integer specifies the number of seconds smbd will wait for an initial
+    answer from a passwd chat script being run. Once the initial answer is received
+    the subsequent answers must be received in one tenth of this time. The default it
+    two seconds.</para>
+</description>
+
+<value type="default">2</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/passwdprogram.xml b/docs-xml/smbdotconf/security/passwdprogram.xml
new file mode 100644
index 0000000000..4158c1b7a6
--- /dev/null
+++ b/docs-xml/smbdotconf/security/passwdprogram.xml
@@ -0,0 +1,37 @@
+<samba:parameter name="passwd program"
+                 context="G"
+				 type="string"
+                 advanced="1" developer="1"
+		 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+ <description>
+    <para>The name of a program that can be used to set 
+    UNIX user passwords.  Any occurrences of <parameter moreinfo="none">%u</parameter> 
+    will be replaced with the user name. The user name is checked for 
+    existence before calling the password changing program.</para>
+
+    <para>Also note that many passwd programs insist in <emphasis>reasonable
+    </emphasis> passwords, such as a minimum length, or the inclusion 
+    of mixed case chars and digits. This can pose a problem as some clients 
+    (such as Windows for Workgroups) uppercase the password before sending 
+    it.</para>
+
+    <para><emphasis>Note</emphasis> that if the <parameter moreinfo="none">unix 
+    password sync</parameter> parameter is set to <constant>yes
+    </constant> then this program is called <emphasis>AS ROOT</emphasis> 
+    before the SMB password in the smbpasswd
+    file is changed. If this UNIX password change fails, then 
+    <command moreinfo="none">smbd</command> will fail to change the SMB password also 
+    (this is by design).</para>
+
+    <para>If the <parameter moreinfo="none">unix password sync</parameter> parameter 
+    is set this parameter <emphasis>MUST USE ABSOLUTE PATHS</emphasis> 
+    for <emphasis>ALL</emphasis> programs called, and must be examined 
+    for security implications. Note that by default <parameter moreinfo="none">unix 
+    password sync</parameter> is set to <constant>no</constant>.</para>
+	</description>
+
+	<related>unix password symc</related>
+
+	<value type="default"></value>
+<value type="example">/bin/passwd %u</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/passwordlevel.xml b/docs-xml/smbdotconf/security/passwordlevel.xml
new file mode 100644
index 0000000000..1da11e406b
--- /dev/null
+++ b/docs-xml/smbdotconf/security/passwordlevel.xml
@@ -0,0 +1,48 @@
+<samba:parameter name="password level"
+                 context="G"
+				 type="integer"
+                 advanced="1" developer="1"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>Some client/server combinations have difficulty 
+    with mixed-case passwords.  One offending client is Windows for 
+    Workgroups, which for some reason forces passwords to upper 
+    case when using the LANMAN1 protocol, but leaves them alone when 
+    using COREPLUS!  Another problem child is the Windows 95/98
+    family of operating systems.  These clients upper case clear
+    text passwords even when NT LM 0.12 selected by the protocol
+    negotiation request/response.</para>
+
+    <para>This parameter defines the maximum number of characters 
+    that may be upper case in passwords.</para>
+
+    <para>For example, say the password given was &quot;FRED&quot;. If <parameter moreinfo="none">
+    password level</parameter> is set to 1, the following combinations 
+    would be tried if &quot;FRED&quot; failed:</para>
+
+    <para>&quot;Fred&quot;, &quot;fred&quot;, &quot;fRed&quot;, &quot;frEd&quot;,&quot;freD&quot;</para>
+
+    <para>If <parameter moreinfo="none">password level</parameter> was set to 2, 
+    the following combinations would also be tried: </para>
+
+    <para>&quot;FRed&quot;, &quot;FrEd&quot;, &quot;FreD&quot;, &quot;fREd&quot;, &quot;fReD&quot;, &quot;frED&quot;, ..</para>
+
+    <para>And so on.</para>
+
+    <para>The higher value this parameter is set to the more likely 
+    it is that a mixed case password will be matched against a single 
+    case password. However, you should be aware that use of this 
+    parameter reduces security and increases the time taken to 
+    process a new connection.</para>
+
+    <para>A value of zero will cause only two attempts to be 
+    made - the password as is and the password in all-lower case.</para>
+
+    <para>This parameter is used only when using plain-text passwords. It is
+    not at all used when encrypted passwords as in use (that is the default
+    since samba-3.0.0). Use this only when <smbconfoption name="encrypt passwords">No</smbconfoption>.</para>
+</description>
+
+<value type="default">0</value>
+<value type="example">4</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/passwordserver.xml b/docs-xml/smbdotconf/security/passwordserver.xml
new file mode 100644
index 0000000000..188cea88d1
--- /dev/null
+++ b/docs-xml/smbdotconf/security/passwordserver.xml
@@ -0,0 +1,99 @@
+<samba:parameter name="password server"
+                 context="G"
+				 type="list"
+                 advanced="1" wizard="1" developer="1"
+		 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>By specifying the name of another SMB server 
+    or Active Directory domain controller with this option, 
+    and using <command moreinfo="none">security = [ads|domain|server]</command> 
+    it is possible to get Samba to 
+    to do all its username/password validation using a specific remote server.</para>
+
+    <para>This option sets the name or IP address of the password server to use. 
+    New syntax has been added to support defining the port to use when connecting 
+    to the server the case of an ADS realm.  To define a port other than the
+    default LDAP port of 389, add the port number using a colon after the 
+    name or IP address (e.g. 192.168.1.100:389).  If you do not specify a port,
+    Samba will use the standard LDAP port of tcp/389.  Note that port numbers
+    have no effect on password servers for Windows NT 4.0 domains or netbios 
+    connections.</para>
+
+    <para>If parameter is a name, it is looked up using the 
+    parameter <smbconfoption name="name resolve order"/> and so may resolved
+    by any method and order described in that parameter.</para>
+
+    <para>The password server must be a machine capable of using 
+    the &quot;LM1.2X002&quot; or the &quot;NT LM 0.12&quot; protocol, and it must be in 
+    user level security mode.</para>
+
+    <note><para>Using a password server  means your UNIX box (running
+    Samba) is only as secure as your  password server. <emphasis>DO NOT
+    CHOOSE A PASSWORD SERVER THAT  YOU DON'T COMPLETELY TRUST</emphasis>.
+    </para></note>
+		
+    <para>Never point a Samba server at itself for password serving.
+    This will cause a loop and could lock up your Samba  server!</para>
+
+    <para>The name of the password server takes the standard 
+    substitutions, but probably the only useful one is <parameter moreinfo="none">%m
+    </parameter>, which means the Samba server will use the incoming 
+    client as the password server. If you use this then you better 
+    trust your clients, and you had better restrict them with hosts allow!</para>
+
+    <para>If the <parameter moreinfo="none">security</parameter> parameter is set to
+    <constant>domain</constant> or <constant>ads</constant>, then the list of machines in this 
+    option must be a list of Primary or Backup Domain controllers for the
+    Domain or the character '*', as the Samba server is effectively
+    in that domain, and will use cryptographically authenticated RPC calls
+    to authenticate the user logging on. The advantage of using <command moreinfo="none">
+    security = domain</command> is that if you list several hosts in the 
+    <parameter moreinfo="none">password server</parameter> option then <command moreinfo="none">smbd
+    </command> will try each in turn till it finds one that responds.  This
+    is useful in case your primary server goes down.</para>
+
+    <para>If the <parameter moreinfo="none">password server</parameter> option is set 
+    to the character '*', then Samba will attempt to auto-locate the 
+    Primary or Backup Domain controllers to authenticate against by 
+    doing a query for the name <constant>WORKGROUP&lt;1C&gt;</constant> 
+    and then contacting each server returned in the list of IP 
+    addresses from the name resolution source. </para>
+
+    <para>If the list of servers contains both names/IP's and the '*'
+    character, the list is treated as a list of preferred 
+    domain controllers, but an auto lookup of all remaining DC's
+    will be added to the list as well.  Samba will not attempt to optimize 
+    this list by locating the closest DC.</para>
+		
+    <para>If the <parameter moreinfo="none">security</parameter> parameter is 
+    set to <constant>server</constant>, then there are different
+    restrictions that <command moreinfo="none">security = domain</command> doesn't 
+    suffer from:</para>
+
+    <itemizedlist>
+	<listitem>
+	    <para>You may list several password servers in 
+	    the <parameter moreinfo="none">password server</parameter> parameter, however if an 
+	    <command moreinfo="none">smbd</command> makes a connection to a password server, 
+	    and then the password server fails, no more users will be able 
+	    to be authenticated from this <command moreinfo="none">smbd</command>.  This is a 
+	    restriction of the SMB/CIFS protocol when in <command moreinfo="none">security = server
+	    </command> mode and cannot be fixed in Samba.</para>
+	</listitem>
+	    
+	<listitem>
+	    <para>If you are using a Windows NT server as your 
+	    password server then you will have to ensure that your users 
+	    are able to login from the Samba server, as when in <command moreinfo="none">
+	    security = server</command>  mode the network logon will appear to 
+	    come from there rather than from the users workstation.</para>
+	</listitem>
+    </itemizedlist>
+</description>
+
+<related>security</related>
+<value type="default"></value>
+<value type="example">NT-PDC, NT-BDC1, NT-BDC2, *</value>
+<value type="example">windc.mydomain.com:389 192.168.1.101 *</value>
+<value type="example">*</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/preloadmodules.xml b/docs-xml/smbdotconf/security/preloadmodules.xml
new file mode 100644
index 0000000000..1d985a1995
--- /dev/null
+++ b/docs-xml/smbdotconf/security/preloadmodules.xml
@@ -0,0 +1,14 @@
+<samba:parameter name="preload modules"
+		type="list"
+		 context="G"
+		 basic="1"
+		 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>This is a list of paths to modules that should
+	be loaded into smbd before a client connects. This improves
+	the speed of smbd when reacting to new connections somewhat. </para>
+</description>
+
+<value type="default"></value>
+<value type="example">/usr/lib/samba/passdb/mysql.so</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/printeradmin.xml b/docs-xml/smbdotconf/security/printeradmin.xml
new file mode 100644
index 0000000000..a0dd9929c0
--- /dev/null
+++ b/docs-xml/smbdotconf/security/printeradmin.xml
@@ -0,0 +1,27 @@
+<samba:parameter name="printer admin"
+                 context="S"
+				 type="list"
+		 print="1"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>
+	This lists users who can do anything to printers
+	via the remote administration interfaces offered
+	by MS-RPC (usually using a NT workstation).
+	This parameter can be set per-share or globally.
+	Note: The root user always has admin rights. Use
+	caution with use in the global stanza as this can
+	cause side effects.
+	</para>
+
+	<para>
+	This parameter has been marked deprecated in favor 
+	of using the SePrintOperatorPrivilege and individual
+	print security descriptors.  It will be removed in a future release.
+	</para>
+	
+</description>
+
+<value type="default"></value>
+<value type="example">admin, @staff</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/privatedir.xml b/docs-xml/smbdotconf/security/privatedir.xml
new file mode 100644
index 0000000000..d0cbcfad59
--- /dev/null
+++ b/docs-xml/smbdotconf/security/privatedir.xml
@@ -0,0 +1,14 @@
+<samba:parameter name="private dir"
+                 context="G"
+				 type="string"
+                 advanced="1" developer="1"
+		 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>This parameters defines the directory
+    smbd will use for storing such files as <filename moreinfo="none">smbpasswd</filename>
+    and <filename moreinfo="none">secrets.tdb</filename>.
+</para>
+</description>
+
+<value type="default">${prefix}/private</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/readlist.xml b/docs-xml/smbdotconf/security/readlist.xml
new file mode 100644
index 0000000000..df6b4f129b
--- /dev/null
+++ b/docs-xml/smbdotconf/security/readlist.xml
@@ -0,0 +1,22 @@
+<samba:parameter name="read list"
+                 context="S"
+				 type="list"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>
+	This is a list of users that are given read-only access to a service. If the connecting user is in this list
+	then they will not be given write access, no matter what the <smbconfoption name="read only"/> option is set
+	to. The list can include group names using the syntax described in the <smbconfoption name="invalid users"/>
+	parameter.
+	</para>
+  
+    <para>This parameter will not work with the <smbconfoption name="security">share</smbconfoption> in 
+    Samba 3.0.  This is by design.</para>
+</description>
+
+<related>write list</related>
+<related>invalid users</related>
+
+<value type="default"></value>
+<value type="example">mary, @students</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/readonly.xml b/docs-xml/smbdotconf/security/readonly.xml
new file mode 100644
index 0000000000..6e1f6dd2b8
--- /dev/null
+++ b/docs-xml/smbdotconf/security/readonly.xml
@@ -0,0 +1,19 @@
+<samba:parameter name="read only"
+                 context="S"
+				 type="boolean"
+                 basic="1" advanced="1"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>An inverted synonym is <smbconfoption name="writeable"/>.</para>
+
+    <para>If this parameter is <constant>yes</constant>, then users 
+    of a service may not create or modify files in the service's 
+    directory.</para>
+
+    <para>Note that a printable service (<command moreinfo="none">printable = yes</command>)
+    will <emphasis>ALWAYS</emphasis> allow writing to the directory 
+    (user privileges permitting), but only via spooling operations.</para>
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/renameuserscript.xml b/docs-xml/smbdotconf/security/renameuserscript.xml
new file mode 100644
index 0000000000..1ec1dcb6eb
--- /dev/null
+++ b/docs-xml/smbdotconf/security/renameuserscript.xml
@@ -0,0 +1,33 @@
+<samba:parameter name="rename user script"
+                 context="G"
+                 advanced="1" developer="1"
+				 type="boolean"
+				 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>
+	This is the full pathname to a script that will be run as root by <citerefentry><refentrytitle>smbd</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry> under special circumstances described below.
+	</para>
+
+	<para>
+	When a user with admin authority or SeAddUserPrivilege rights renames a user (e.g.: from the NT4 User Manager
+	for Domains), this script will be run to rename the POSIX user.  Two variables, <literal>%uold</literal> and
+	<literal>%unew</literal>, will be substituted with the old and new usernames, respectively.  The script should
+	return 0 upon successful completion, and nonzero otherwise.
+	</para>
+
+	<note><para>
+	The script has all responsibility to rename all the necessary data that is accessible in this posix method.
+	This can mean different requirements for different backends.  The tdbsam and smbpasswd backends will take care
+	of the contents of their respective files, so the script is responsible only for changing the POSIX username, and
+	other data that may required for your circumstances, such as home directory.  Please also consider whether or
+	not you need to rename the actual home directories themselves.  The ldapsam backend will not make any changes,
+	because of the potential issues with renaming the LDAP naming attribute.  In this case the script is
+	responsible for changing the attribute that samba uses (uid) for locating users, as well as any data that
+	needs to change for other applications using the same directory.
+	</para></note>
+
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/restrictanonymous.xml b/docs-xml/smbdotconf/security/restrictanonymous.xml
new file mode 100644
index 0000000000..1fbf983d54
--- /dev/null
+++ b/docs-xml/smbdotconf/security/restrictanonymous.xml
@@ -0,0 +1,38 @@
+<samba:parameter name="restrict anonymous"
+	type="integer"
+                 context="G"
+                 advanced="1" developer="1"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>The setting of this parameter determines whether user and
+    group list information is returned for an anonymous connection.
+    and mirrors the effects of the
+<programlisting>
+HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
+           Control\LSA\RestrictAnonymous
+</programlisting>
+	registry key in Windows 2000 and Windows NT.  When set to 0, user
+	and group list information is returned to anyone who asks.  When set
+    to 1, only an authenticated user can retrive user and
+    group list information.  For the value 2, supported by
+    Windows 2000/XP and Samba, no anonymous connections are allowed at
+    all.  This can break third party and Microsoft
+    applications which expect to be allowed to perform
+	operations anonymously.</para>
+
+	<para>
+    The security advantage of using restrict anonymous = 1 is dubious,
+    as user and group list information can be obtained using other
+	means.
+	</para>
+
+	<note>
+	<para>
+    The security advantage of using restrict anonymous = 2 is removed
+    by setting <smbconfoption name="guest ok">yes</smbconfoption> on any share.
+	</para>
+	</note>
+</description>
+
+<value type="default">0</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/rootdirectory.xml b/docs-xml/smbdotconf/security/rootdirectory.xml
new file mode 100644
index 0000000000..8736598001
--- /dev/null
+++ b/docs-xml/smbdotconf/security/rootdirectory.xml
@@ -0,0 +1,35 @@
+<samba:parameter name="root directory"
+	context="G"
+	type="string"
+                 advanced="1" developer="1"
+		 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<synonym>root</synonym>
+<synonym>root dir</synonym>
+<description>
+    <para>The server will <command moreinfo="none">chroot()</command> (i.e. 
+    Change its root directory) to this directory on startup. This is 
+    not strictly necessary for secure operation. Even without it the 
+    server will deny access to files not in one of the service entries. 
+    It may also check for, and deny access to, soft links to other 
+    parts of the filesystem, or attempts to use &quot;..&quot; in file names 
+    to access other directories (depending on the setting of the
+	<smbconfoption name="wide smbconfoptions"/> parameter).
+    </para>
+
+    <para>Adding a <parameter moreinfo="none">root directory</parameter> entry other 
+    than &quot;/&quot; adds an extra level of security, but at a price. It 
+    absolutely ensures that no access is given to files not in the 
+    sub-tree specified in the <parameter moreinfo="none">root directory</parameter> 
+    option, <emphasis>including</emphasis> some files needed for 
+    complete operation of the server. To maintain full operability 
+    of the server you will need to mirror some system files 
+    into the <parameter moreinfo="none">root directory</parameter> tree. In particular 
+    you will need to mirror <filename moreinfo="none">/etc/passwd</filename> (or a 
+    subset of it), and any binaries or configuration files needed for 
+    printing (if required). The set of files that must be mirrored is
+    operating system dependent.</para>
+</description>
+
+<value type="default">/</value>
+<value type="example">/homes/smb</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/security.xml b/docs-xml/smbdotconf/security/security.xml
new file mode 100644
index 0000000000..3ad5175712
--- /dev/null
+++ b/docs-xml/smbdotconf/security/security.xml
@@ -0,0 +1,250 @@
+<samba:parameter name="security"
+                 context="G"
+				 type="enum"
+                 basic="1" advanced="1" wizard="1" developer="1"
+		 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+		 <when_value value="security">
+			 <requires option="encrypted passwords">/(yes|true)/</requires>
+		 </when_value>
+<description>
+    <para>This option affects how clients respond to 
+    Samba and is one of the most important settings in the <filename moreinfo="none">
+    smb.conf</filename> file.</para>
+
+    <para>The option sets the &quot;security mode bit&quot; in replies to 
+    protocol negotiations with <citerefentry><refentrytitle>smbd</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry> to turn share level security on or off. Clients decide 
+    based on this bit whether (and how) to transfer user and password 
+    information to the server.</para>
+
+
+    <para>The default is <command moreinfo="none">security = user</command>, as this is
+    the most common setting needed when talking to Windows 98 and 
+    Windows NT.</para>
+
+    <para>The alternatives are <command moreinfo="none">security = share</command>,
+    <command moreinfo="none">security = server</command> or <command moreinfo="none">security = domain
+    </command>.</para>
+
+    <para>In versions of Samba prior to 2.0.0, the default was 
+    <command moreinfo="none">security = share</command> mainly because that was
+    the only option at one stage.</para>
+
+    <para>There is a bug in WfWg that has relevance to this 
+    setting. When in user or server level security a WfWg client 
+    will totally ignore the username and password you type in the &quot;connect 
+    drive&quot; dialog box. This makes it very difficult (if not impossible) 
+    to connect to a Samba service as anyone except the user that 
+    you are logged into WfWg as.</para>
+
+    <para>If your PCs use usernames that are the same as their 
+    usernames on the UNIX machine then you will want to use 
+    <command moreinfo="none">security = user</command>. If you mostly use usernames 
+    that don't exist on the UNIX box then use <command moreinfo="none">security = 
+    share</command>.</para>
+
+    <para>You should also use <command moreinfo="none">security = share</command> if you 
+    want to mainly setup shares without a password (guest shares). This 
+    is commonly used for a shared printer server. It is more difficult 
+    to setup guest shares with <command moreinfo="none">security = user</command>, see 
+    the <smbconfoption name="map to guest"/>parameter for details.</para>
+		
+    <para>It is possible to use <command moreinfo="none">smbd</command> in a <emphasis>
+    hybrid mode</emphasis> where it is offers both user and share 
+    level security under different <smbconfoption name="NetBIOS aliases"/>. </para>
+
+    <para>The different settings will now be explained.</para>
+
+
+    <para><anchor id="SECURITYEQUALSSHARE"/><emphasis>SECURITY = SHARE</emphasis></para> 
+		
+    <para>When clients connect to a share level security server they 
+    need not log onto the server with a valid username and password before 
+    attempting to connect to a shared resource (although modern clients 
+    such as Windows 95/98 and Windows NT will send a logon request with 
+    a username but no password when talking to a <command moreinfo="none">security = share
+    </command> server). Instead, the clients send authentication information 
+    (passwords) on a per-share basis, at the time they attempt to connect 
+    to that share.</para>
+
+    <para>Note that <command moreinfo="none">smbd</command> <emphasis>ALWAYS</emphasis> 
+    uses a valid UNIX user to act on behalf of the client, even in
+    <command moreinfo="none">security = share</command> level security.</para>
+
+    <para>As clients are not required to send a username to the server
+    in share level security, <command moreinfo="none">smbd</command> uses several
+    techniques to determine the correct UNIX user to use on behalf
+    of the client.</para>
+
+    <para>A list of possible UNIX usernames to match with the given
+    client password is constructed using the following methods :</para>
+
+    <itemizedlist>
+	<listitem>
+	    <para>If the <smbconfoption name="guest only"/> parameter is set, then all the other 
+	    stages are missed and only the <smbconfoption name="guest account"/> username is checked.
+	    </para>
+	</listitem>
+
+	<listitem>
+	    <para>Is a username is sent with the share connection 
+	    request, then this username (after mapping - see <smbconfoption name="username map"/>), 
+	    is added as a potential username.
+	    </para>
+	</listitem>
+
+	<listitem>
+	    <para>If the client did a previous <emphasis>logon
+	    </emphasis> request (the SessionSetup SMB call) then the 
+	    username sent in this SMB will be added as a potential username.
+	    </para>
+	</listitem>
+
+	<listitem>
+	    <para>The name of the service the client requested is 
+	    added as a potential username.
+	    </para>
+	</listitem>
+
+	<listitem>
+	    <para>The NetBIOS name of the client is added to 
+	    the list as a potential username.
+	    </para>
+	</listitem>
+
+	<listitem>
+	    <para>Any users on the <smbconfoption name="user"/> list are added as potential usernames.
+	    </para>
+	</listitem>
+    </itemizedlist>
+
+    <para>If the <parameter moreinfo="none">guest only</parameter> parameter is 
+    not set, then this list is then tried with the supplied password. 
+    The first user for whom the password matches will be used as the 
+    UNIX user.</para>
+
+    <para>If the <parameter moreinfo="none">guest only</parameter> parameter is 
+    set, or no username can be determined then if the share is marked 
+    as available to the <parameter moreinfo="none">guest account</parameter>, then this 
+    guest user will be used, otherwise access is denied.</para>
+
+    <para>Note that it can be <emphasis>very</emphasis> confusing 
+    in share-level security as to which UNIX username will eventually
+    be used in granting access.</para>
+
+    <para>See also the section <link linkend="VALIDATIONSECT">
+    NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
+
+    <para><anchor id="SECURITYEQUALSUSER"/><emphasis>SECURITY = USER</emphasis></para>
+
+    <para>This is the default security setting in Samba 3.0. 
+    With user-level security a client must first &quot;log-on&quot; with a 
+    valid username and password (which can be mapped using the <smbconfoption name="username map"/> 
+    parameter). Encrypted passwords (see the <smbconfoption name="encrypted passwords"/> parameter) can also
+    be used in this security mode. Parameters such as <smbconfoption name="user"/> and <smbconfoption
+	name="guest only"/> if set	are then applied and 
+    may change the UNIX user to use on this connection, but only after 
+    the user has been successfully authenticated.</para>
+
+    <para><emphasis>Note</emphasis> that the name of the resource being 
+    requested is <emphasis>not</emphasis> sent to the server until after 
+    the server has successfully authenticated the client. This is why 
+    guest shares don't work in user level security without allowing 
+    the server to automatically map unknown users into the <smbconfoption name="guest account"/>. 
+    See the <smbconfoption name="map to guest"/> parameter for details on doing this.</para>
+
+    <para>See also the section <link linkend="VALIDATIONSECT">NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
+
+    <para><anchor id="SECURITYEQUALSDOMAIN"/><emphasis>SECURITY = DOMAIN</emphasis></para>
+
+    <para>This mode will only work correctly if <citerefentry><refentrytitle>net</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry> has been used to add this
+    machine into a Windows NT Domain. It expects the <smbconfoption name="encrypted passwords"/>
+	parameter to be set to <constant>yes</constant>. In this 
+    mode Samba will try to validate the username/password by passing
+    it to a Windows NT Primary or Backup Domain Controller, in exactly 
+    the same way that a Windows NT Server would do.</para>
+
+    <para><emphasis>Note</emphasis> that a valid UNIX user must still 
+    exist as well as the account on the Domain Controller to allow 
+    Samba to have a valid UNIX account to map file access to.</para>
+
+    <para><emphasis>Note</emphasis> that from the client's point 
+    of view <command moreinfo="none">security = domain</command> is the same 
+    as <command moreinfo="none">security = user</command>. It only 
+    affects how the server deals with the authentication, 
+    it does not in any way affect what the client sees.</para>
+
+    <para><emphasis>Note</emphasis> that the name of the resource being 
+    requested is <emphasis>not</emphasis> sent to the server until after 
+    the server has successfully authenticated the client. This is why 
+    guest shares don't work in user level security without allowing 
+    the server to automatically map unknown users into the <smbconfoption name="guest account"/>. 
+    See the <smbconfoption name="map to guest"/> parameter for details on doing this.</para>
+
+    <para>See also the section <link linkend="VALIDATIONSECT">
+    NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
+
+    <para>See also the <smbconfoption name="password server"/> parameter and
+	 the <smbconfoption name="encrypted passwords"/> parameter.</para>
+
+    <para><anchor id="SECURITYEQUALSSERVER"/><emphasis>SECURITY = SERVER</emphasis></para>
+
+    <para>
+	In this mode Samba will try to validate the username/password by passing it to another SMB server, such as an
+	NT box. If this fails it will revert to <command moreinfo="none">security = user</command>. It expects the
+	<smbconfoption name="encrypted passwords"/> parameter to be set to <constant>yes</constant>, unless the remote
+	server does not support them.  However note that if encrypted passwords have been negotiated then Samba cannot
+	revert back to checking the UNIX password file, it must have a valid <filename
+	moreinfo="none">smbpasswd</filename> file to check users against. See the chapter about the User Database in
+	the Samba HOWTO Collection for details on how to set this up.
+</para>
+
+	<note><para>This mode of operation has
+    significant pitfalls since it is more vulnerable to
+    man-in-the-middle attacks and server impersonation.  In particular,
+    this mode of operation can cause significant resource consuption on
+    the PDC, as it must maintain an active connection for the duration
+    of the user's session.  Furthermore, if this connection is lost,
+    there is no way to reestablish it, and futher authentications to the
+    Samba server may fail (from a single client, till it disconnects).
+	</para></note>
+
+	<note><para>From the client's point of 
+    view <command moreinfo="none">security = server</command> is the
+    same as <command moreinfo="none">security = user</command>.  It
+    only affects how the server deals  with the authentication, it does
+	not in any way affect what the  client sees.</para></note>
+
+    <para><emphasis>Note</emphasis> that the name of the resource being 
+    requested is <emphasis>not</emphasis> sent to the server until after 
+    the server has successfully authenticated the client. This is why 
+    guest shares don't work in user level security without allowing 
+    the server to automatically map unknown users into the <smbconfoption name="guest account"/>. 
+    See the <smbconfoption name="map to guest"/> parameter for details on doing this.</para>
+
+    <para>See also the section <link linkend="VALIDATIONSECT">
+    NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
+
+    <para>See also the <smbconfoption name="password server"/> parameter and the 
+	<smbconfoption name="encrypted passwords"/> parameter.</para>
+
+	<para><anchor id="SECURITYEQUALSADS"/><emphasis>SECURITY = ADS</emphasis></para>
+	
+	<para>In this mode, Samba will act as a domain member in an ADS realm. To operate 
+		in this mode, the machine running Samba will need to have Kerberos installed 
+		and configured and Samba will need to be joined to the ADS realm using the 
+		net utility. </para>
+	
+	<para>Note that this mode does NOT make Samba operate as a Active Directory Domain 
+		Controller. </para>
+	
+	<para>Read the chapter about Domain Membership in the HOWTO for details.</para>
+</description>
+
+<related>realm</related>
+<related>encrypt passwords</related>
+
+<value type="default">USER</value>
+<value type="example">DOMAIN</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/securitymask.xml b/docs-xml/smbdotconf/security/securitymask.xml
new file mode 100644
index 0000000000..23bc2808db
--- /dev/null
+++ b/docs-xml/smbdotconf/security/securitymask.xml
@@ -0,0 +1,39 @@
+<samba:parameter name="security mask"
+                 context="S"
+				 type="string"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>
+	This parameter controls what UNIX permission bits will be set when a Windows NT client is manipulating the
+	UNIX permission on a file using the native NT security dialog box.
+	</para>
+
+    <para>
+	This parameter is applied as a mask (AND'ed with) to the incoming permission bits, thus resetting
+	any bits not in this mask. Make sure not to mix up this parameter with <smbconfoption name="force
+	security mode"/>, which works in a manner similar to this one but uses a logical OR instead of an AND. 
+	</para>
+
+    <para>
+	Essentially, all bits set to zero in this mask will result in setting to zero the corresponding bits on the
+	file permissions regardless of the previous status of this bits on the file.
+    </para>
+
+    <para>
+	If not set explicitly this parameter is 0777, allowing a user to set all the user/group/world permissions on a file.
+    </para>
+
+    <para><emphasis>
+	Note</emphasis> that users who can access the Samba server through other means can easily bypass this 
+    restriction, so it is primarily useful for standalone &quot;appliance&quot; systems.  Administrators of
+	most normal systems will probably want to leave it set to <constant>0777</constant>.
+	</para>
+</description>
+
+<related>force directory security mode</related>
+<related>directory security mask</related>
+<related>force security mode</related>
+
+<value type="default">0777</value>
+<value type="example">0770</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/serverschannel.xml b/docs-xml/smbdotconf/security/serverschannel.xml
new file mode 100644
index 0000000000..6317448fb6
--- /dev/null
+++ b/docs-xml/smbdotconf/security/serverschannel.xml
@@ -0,0 +1,23 @@
+<samba:parameter name="server schannel"
+                 context="G"
+				 type="boolean-auto"
+                 basic="1"
+		 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>
+	This controls whether the server offers or even demands the use of the netlogon schannel.
+	<smbconfoption name="server schannel">no</smbconfoption> does not offer the schannel, <smbconfoption
+	name="server schannel">auto</smbconfoption> offers the schannel but does not enforce it, and <smbconfoption
+	name="server schannel">yes</smbconfoption> denies access if the client is not able to speak netlogon schannel.
+	This is only the case for Windows NT4 before SP4.
+	</para>
+
+    <para>
+	Please note that with this set to <literal>no</literal> you will have to apply the WindowsXP
+	<filename>WinXP_SignOrSeal.reg</filename> registry patch found in the docs/registry subdirectory of the Samba distribution tarball.
+	</para>
+</description>
+
+<value type="default">auto</value>
+<value type="example">yes</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/serversigning.xml b/docs-xml/smbdotconf/security/serversigning.xml
new file mode 100644
index 0000000000..f2f5629586
--- /dev/null
+++ b/docs-xml/smbdotconf/security/serversigning.xml
@@ -0,0 +1,20 @@
+<samba:parameter name="server signing"
+                 context="G"
+				 type="enum"
+                 basic="1"
+		 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+    <para>This controls whether the server offers or requires
+    the client it talks to to use SMB signing. Possible values 
+    are <emphasis>auto</emphasis>, <emphasis>mandatory</emphasis> 
+    and <emphasis>disabled</emphasis>. 
+    </para>
+
+    <para>When set to auto, SMB signing is offered, but not enforced. 
+    When set to mandatory, SMB signing is required and if set 
+	to disabled, SMB signing is not offered either.</para>
+</description>
+
+<value type="default">Disabled</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/smbencrypt.xml b/docs-xml/smbdotconf/security/smbencrypt.xml
new file mode 100644
index 0000000000..eb91ce51fa
--- /dev/null
+++ b/docs-xml/smbdotconf/security/smbencrypt.xml
@@ -0,0 +1,45 @@
+<samba:parameter name="smb encrypt"
+                 context="S"
+				 type="enum"
+                 basic="1"
+		 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+    <para>This is a new feature introduced with Samba 3.2 and above. It is an
+    extension to the SMB/CIFS protocol negotiated as part of the UNIX extensions.
+    SMB encryption uses the GSSAPI (SSPI on Windows) ability to encrypt
+    and sign every request/response in a SMB protocol stream. When
+    enabled it provides a secure method of SMB/CIFS communication,
+    similar to an ssh protected session, but using SMB/CIFS authentication
+    to negotiate encryption and signing keys. Currently this is only
+    supported by Samba 3.2 smbclient, and hopefully soon Linux CIFSFS
+    and MacOS/X clients. Windows clients do not support this feature.
+    </para>
+
+    <para>This controls whether the server offers or requires
+    the client it talks to to use SMB encryption. Possible values 
+    are <emphasis>auto</emphasis>, <emphasis>mandatory</emphasis> 
+    and <emphasis>disabled</emphasis>. This may be set on a per-share
+    basis, but clients may chose to encrypt the entire session, not
+    just traffic to a specific share. If this is set to mandatory
+    then all traffic to a share <emphasis>must</emphasis> must
+    be encrypted once the connection has been made to the share.
+    The server would return "access denied" to all non-encrypted
+    requests on such a share. Selecting encrypted traffic reduces
+    throughput as smaller packet sizes must be used (no huge UNIX
+    style read/writes allowed) as well as the overhead of encrypting
+    and signing all the data.
+    </para>
+
+    <para>If SMB encryption is selected, Windows style SMB signing (see
+    the <smbconfoption name="server signing"/> option) is no longer necessary,
+    as the GSSAPI flags use select both signing and sealing of the data.
+    </para>
+
+    <para>When set to auto, SMB encryption is offered, but not enforced. 
+    When set to mandatory, SMB encryption is required and if set 
+    to disabled, SMB encryption can not be negotiated.</para>
+</description>
+
+<value type="default">auto</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/smbpasswdfile.xml b/docs-xml/smbdotconf/security/smbpasswdfile.xml
new file mode 100644
index 0000000000..209fa74422
--- /dev/null
+++ b/docs-xml/smbdotconf/security/smbpasswdfile.xml
@@ -0,0 +1,19 @@
+<samba:parameter name="smb passwd file"
+	type="string"
+                 context="G"
+                 advanced="1" developer="1"
+		 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>This option sets the path to the encrypted smbpasswd file. By
+    default the path to the smbpasswd file  is compiled into Samba.</para>
+
+    <para>
+    An example of use is:
+<programlisting>
+smb passwd file = /etc/samba/smbpasswd
+</programlisting>
+    </para>
+</description>
+
+<value type="default">${prefix}/private/smbpasswd</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/unixpasswordsync.xml b/docs-xml/smbdotconf/security/unixpasswordsync.xml
new file mode 100644
index 0000000000..7f30c47d90
--- /dev/null
+++ b/docs-xml/smbdotconf/security/unixpasswordsync.xml
@@ -0,0 +1,21 @@
+<samba:parameter name="unix password sync"
+                 context="G"
+				 type="boolean"
+                 advanced="1" developer="1"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>This boolean parameter controls whether Samba 
+    attempts to synchronize the UNIX password with the SMB password 
+    when the encrypted SMB password in the smbpasswd file is changed. 
+    If this is set to <constant>yes</constant> the program specified in the <parameter moreinfo="none">passwd
+    program</parameter>parameter is called <emphasis>AS ROOT</emphasis> - 
+    to allow the new UNIX password to be set without access to the 
+    old UNIX password (as the SMB password change code has no 
+	access to the old password cleartext, only the new).</para>
+</description>
+
+<related>passwd program</related>
+<related>passwd chat</related>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/updateencrypted.xml b/docs-xml/smbdotconf/security/updateencrypted.xml
new file mode 100644
index 0000000000..da493665cf
--- /dev/null
+++ b/docs-xml/smbdotconf/security/updateencrypted.xml
@@ -0,0 +1,34 @@
+<samba:parameter name="update encrypted"
+                 context="G"
+				 type="boolean"
+                 basic="1" advanced="1" developer="1"
+		 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+    <para>
+	This boolean parameter allows a user logging on with a plaintext password to have their encrypted (hashed)
+	password in the smbpasswd file to be updated automatically as they log on. This option allows a site to
+	migrate from plaintext password authentication (users authenticate with plaintext password over the
+	wire, and are checked against a UNIX account atabase) to encrypted password authentication (the SMB
+	challenge/response authentication mechanism) without forcing all users to re-enter their passwords via
+	smbpasswd at the time the change is made. This is a convenience option to allow the change over to encrypted
+	passwords to be made over a longer period.  Once all users have encrypted representations of their passwords
+	in the smbpasswd file this parameter should be set to <constant>no</constant>.
+	</para>
+
+    <para>
+	In order for this parameter to be operative the <smbconfoption name="encrypt passwords"/> parameter must 
+    be set to <constant>no</constant>. The default value of <smbconfoption name="encrypt
+	passwords">Yes</smbconfoption>. Note: This must be set to <constant>no</constant> for this <smbconfoption
+	name="update encrypted"/> to work.
+	</para>
+
+    <para>
+	Note that even when this parameter is set a user authenticating to <command moreinfo="none">smbd</command>
+	must still enter a valid password in order to connect correctly, and to update their hashed (smbpasswd)
+	passwords.
+	</para>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/usekerberoskeytab.xml b/docs-xml/smbdotconf/security/usekerberoskeytab.xml
new file mode 100644
index 0000000000..ad6cc88278
--- /dev/null
+++ b/docs-xml/smbdotconf/security/usekerberoskeytab.xml
@@ -0,0 +1,23 @@
+<samba:parameter name="use kerberos keytab"
+                 context="G"
+		 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>
+	Specifies whether Samba should attempt to maintain service principals in the systems
+	keytab file for <constant>host/FQDN</constant> and <constant>cifs/FQDN</constant>.
+	</para>
+
+	<para>
+	When you are using the heimdal Kerberos libraries, you must also specify the following in
+	<filename>/etc/krb5.conf</filename>:
+<programlisting>
+[libdefaults]
+default_keytab_name = FILE:/etc/krb5.keytab
+</programlisting>
+	</para>
+
+</description>
+
+<value type="default">False</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/username.xml b/docs-xml/smbdotconf/security/username.xml
new file mode 100644
index 0000000000..3a45d4d72f
--- /dev/null
+++ b/docs-xml/smbdotconf/security/username.xml
@@ -0,0 +1,65 @@
+<samba:parameter name="username"
+	context="S"
+	type="string"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<synonym>user</synonym>
+<synonym>users</synonym>
+<description>
+    <para>Multiple users may be specified in a comma-delimited 
+    list, in which case the supplied password will be tested against 
+    each username in turn (left to right).</para>
+
+    <para>The <parameter moreinfo="none">username</parameter> line is needed only when 
+    the PC is unable to supply its own username. This is the case 
+    for the COREPLUS protocol or where your users have different WfWg 
+    usernames to UNIX usernames. In both these cases you may also be 
+    better using the \\server\share%user syntax instead.</para>
+
+    <para>The <parameter moreinfo="none">username</parameter> line is not a great 
+    solution in many cases as it means Samba will try to validate 
+    the supplied password against each of the usernames in the 
+    <parameter moreinfo="none">username</parameter> line in turn. This is slow and 
+    a bad idea for lots of users in case of duplicate passwords. 
+    You may get timeouts or security breaches using this parameter 
+    unwisely.</para>
+
+    <para>Samba relies on the underlying UNIX security. This 
+    parameter does not restrict who can login, it just offers hints 
+    to the Samba server as to what usernames might correspond to the 
+    supplied password. Users can login as whoever they please and 
+    they will be able to do no more damage than if they started a 
+    telnet session. The daemon runs as the user that they log in as, 
+    so they cannot do anything that user cannot do.</para>
+
+    <para>To restrict a service to a particular set of users you 
+    can use the <smbconfoption name="valid users"/> parameter.</para>
+
+    <para>If any of the usernames begin with a '@' then the name 
+    will be looked up first in the NIS netgroups list (if Samba 
+    is compiled with netgroup support), followed by a lookup in 
+    the UNIX groups database and will expand to a list of all users 
+    in the group of that name.</para>
+		
+    <para>If any of the usernames begin with a '+' then the name 
+    will be looked up only in the UNIX groups database and will 
+    expand to a list of all users in the group of that name.</para>
+
+    <para>If any of the usernames begin with a '&amp;' then the name 
+    will be looked up only in the NIS netgroups database (if Samba 
+    is compiled with netgroup support) and will expand to a list 
+    of all users in the netgroup group of that name.</para>
+
+    <para>Note that searching though a groups database can take 
+    quite some time, and some clients may time out during the 
+    search.</para>
+
+    <para>See the section <link linkend="VALIDATIONSECT">NOTE ABOUT
+	USERNAME/PASSWORD VALIDATION</link> for more information on how 
+	this parameter determines access to the services.</para>
+</description>
+
+<value type="default"><comment>The guest account if a guest service, 
+		else &lt;empty string&gt;.</comment></value>
+
+<value type="example">fred, mary, jack, jane, @users, @pcgroup</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/usernamelevel.xml b/docs-xml/smbdotconf/security/usernamelevel.xml
new file mode 100644
index 0000000000..adb00134d7
--- /dev/null
+++ b/docs-xml/smbdotconf/security/usernamelevel.xml
@@ -0,0 +1,27 @@
+<samba:parameter name="username level"
+                 context="G"
+                 advanced="1" developer="1"
+				 type="integer"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>This option helps Samba to try and 'guess' at 
+    the real UNIX username, as many DOS clients send an all-uppercase 
+    username. By default Samba tries all lowercase, followed by the 
+    username with the first letter capitalized, and fails if the 
+    username is not found on the UNIX machine.</para>
+
+    <para>If this parameter is set to non-zero the behavior changes. 
+    This parameter is a number that specifies the number of uppercase
+    combinations to try while trying to determine the UNIX user name. The
+    higher the number the more combinations will be tried, but the slower
+    the discovery of usernames will be. Use this parameter when you have
+    strange usernames on your UNIX machine, such as <constant>AstrangeUser
+    </constant>.</para>
+
+    <para>This parameter is needed only on UNIX systems that have case
+    sensitive usernames.</para>
+</description>
+
+<value type="default">0</value>
+<value type="example">5</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/usernamemap.xml b/docs-xml/smbdotconf/security/usernamemap.xml
new file mode 100644
index 0000000000..54179690be
--- /dev/null
+++ b/docs-xml/smbdotconf/security/usernamemap.xml
@@ -0,0 +1,130 @@
+<samba:parameter name="username map"
+                 context="G"
+                 advanced="1" developer="1"
+				 type="string"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>
+	This option allows you to specify a file containing a mapping of usernames from the clients to the server.
+	This can be used for several purposes. The most common is to map usernames that users use on DOS or Windows
+	machines to those that the UNIX box uses. The other is to map multiple users to a single username so that they
+	can more easily share files.
+	</para>
+
+    <para>
+	Please note that for user or share mode security, the username map is applied prior to validating the user
+	credentials.  Domain member servers (domain or ads) apply the username map after the user has been
+	successfully authenticated by the domain controller and require fully qualified enties in the map table (e.g.
+	biddle = <literal>DOMAIN\foo</literal>).
+	</para>
+    
+    <para>
+	The map file is parsed line by line. Each line should contain a single UNIX username on the left then a '='
+	followed by a list of usernames on the right. The list of usernames on the right may contain names of the form
+	@group in which case they will match any UNIX username in that group. The special client name '*' is a
+	wildcard and matches any name. Each line of the map file may be up to 1023 characters long.
+	</para>
+
+    <para>
+	The file is processed on each line by taking the supplied username and comparing it with each username on the
+	right hand side of the '=' signs. If the supplied name matches any of the names on the right hand side then it
+	is replaced with the name on the left. Processing then continues with the next line.
+	</para>
+
+    <para>
+	If any line begins with a '#' or a ';' then it is ignored.
+	</para>
+
+    <para>
+	If any line begins with an '!' then the processing will stop after that line if a mapping was done by the
+	line.  Otherwise mapping continues with every line being processed.  Using '!' is most useful when you have a
+	wildcard mapping line later in the file.
+	</para>
+
+    <para>
+	For example to map from the name <constant>admin</constant> or <constant>administrator</constant> to the UNIX
+	name <constant> root</constant> you would use:
+<programlisting>
+<command moreinfo="none">root = admin administrator</command>
+</programlisting>
+	Or to map anyone in the UNIX group <constant>system</constant> to the UNIX name <constant>sys</constant> you would use:
+<programlisting>
+<command moreinfo="none">sys = @system</command>
+</programlisting>
+	</para>
+
+    <para>
+	You can have as many mappings as you like in a username map file.
+	</para>
+
+
+    <para>
+	If your system supports the NIS NETGROUP option then the netgroup database is checked before the <filename
+	moreinfo="none">/etc/group </filename> database for matching groups.
+	</para>
+
+    <para>
+	You can map Windows usernames that have spaces in them by using double quotes around the name. For example:
+<programlisting>
+<command moreinfo="none">tridge = &quot;Andrew Tridgell&quot;</command>
+</programlisting>
+    would map the windows username &quot;Andrew Tridgell&quot; to the unix username &quot;tridge&quot;.
+	</para>
+
+    <para>
+	The following example would map mary and fred to the unix user sys, and map the rest to guest. Note the use of the
+    '!' to tell Samba to stop processing if it gets a match on that line:
+<programlisting format="linespecific">
+!sys = mary fred
+guest = *
+</programlisting>
+    </para>
+
+    <para>
+	Note that the remapping is applied to all occurrences of usernames.  Thus if you connect to \\server\fred and
+	<constant>fred</constant> is remapped to <constant>mary</constant> then you will actually be connecting to
+	\\server\mary and will need to supply a password suitable for <constant>mary</constant> not
+	<constant>fred</constant>. The only exception to this is the username passed to the <smbconfoption
+	name="password server"/> (if you have one). The password server will receive whatever username the client
+	supplies without  modification.
+    </para>
+
+    <para>
+	Also note that no reverse mapping is done. The main effect this has is with printing. Users who have been
+	mapped may have trouble deleting print jobs as PrintManager under WfWg will think they don't own the print
+	job.
+	</para>
+
+   <para>
+	Samba versions prior to 3.0.8 would only support reading the fully qualified username 
+	(e.g.: <literal>DOMAIN\user</literal>) from
+	the username map when performing a kerberos login from a client.  However, when looking up a map entry for a
+	user authenticated by NTLM[SSP], only the login name would be used for matches.  This resulted in inconsistent
+	behavior sometimes even on the same server.
+   </para>
+
+   <para>
+   The following functionality is obeyed in version 3.0.8 and later:
+   </para>
+
+   <para>
+    When performing local authentication, the username map is applied to the login name before attempting to authenticate
+    the connection.
+    </para>
+
+    <para>
+    When relying upon a external domain controller for validating authentication requests, smbd will apply the username map
+    to the fully qualified username (i.e. <literal>DOMAIN\user</literal>) only after the user has been successfully authenticated.
+    </para>
+
+    <para>
+    An example of use is:
+<programlisting>
+username map = /usr/local/samba/lib/users.map
+</programlisting>
+    </para>
+
+</description>
+
+<value type="default"><comment>no username map</comment></value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/usernamemapscript.xml b/docs-xml/smbdotconf/security/usernamemapscript.xml
new file mode 100644
index 0000000000..6df134c257
--- /dev/null
+++ b/docs-xml/smbdotconf/security/usernamemapscript.xml
@@ -0,0 +1,19 @@
+<samba:parameter name="username map script"
+                 context="G"
+		 type="string"
+                 advanced="1" developer="1"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>This script is a mutually exclusive alternative to the 
+	<smbconfoption name="username map"/> parameter.  This parameter 
+	specifies and external program or script that must accept a single 
+	command line option (the username transmitted in the authentication
+	request) and return a line line on standard output (the name to which 
+	the account should mapped).  In this way, it is possible to store
+	username map tables in an LDAP or NIS directory services.
+	</para>
+</description>
+
+<value type="default"/>
+<value type="example">/etc/samba/scripts/mapusers.sh</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/validusers.xml b/docs-xml/smbdotconf/security/validusers.xml
new file mode 100644
index 0000000000..313739d7c1
--- /dev/null
+++ b/docs-xml/smbdotconf/security/validusers.xml
@@ -0,0 +1,28 @@
+<samba:parameter name="valid users"
+                 context="S"
+				 type="list"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>
+    This is a list of users that should be allowed to login to this service. Names starting with 
+    '@', '+' and  '&amp;' are interpreted using the same rules as described in the 
+    <parameter moreinfo="none">invalid users</parameter> parameter.
+    </para>
+
+    <para>
+    If this is empty (the default) then any user can login. If a username is in both this list 
+    and the <parameter moreinfo="none">invalid users</parameter> list then access is denied 
+    for that user.
+    </para>
+
+    <para>
+    The current servicename is substituted for <parameter moreinfo="none">%S</parameter>. 
+    This is useful in the [homes] section.
+    </para>
+</description>
+
+<related>invalid users</related>
+
+<value type="default"><comment>No valid users list (anyone can login) </comment></value>
+<value type="example">greg, @pcusers</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/writeable.xml b/docs-xml/smbdotconf/security/writeable.xml
new file mode 100644
index 0000000000..f811c47e5c
--- /dev/null
+++ b/docs-xml/smbdotconf/security/writeable.xml
@@ -0,0 +1,9 @@
+<samba:parameter name="writeable"
+                 context="S"
+				 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<synonym>writable</synonym>
+<description>
+    <para>Inverted synonym for <smbconfoption name="read only"/>.</para>
+</description>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/writelist.xml b/docs-xml/smbdotconf/security/writelist.xml
new file mode 100644
index 0000000000..60db3f19f0
--- /dev/null
+++ b/docs-xml/smbdotconf/security/writelist.xml
@@ -0,0 +1,29 @@
+<samba:parameter name="write list"
+                 context="S"
+				 type="list"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>
+    This is a list of users that are given read-write access to a service. If the 
+    connecting user is in this list then they will be given write access, no matter 
+    what the <smbconfoption name="read only"/> option is set to. The list can 
+    include group names using the @group syntax.
+    </para>
+
+    <para>
+    Note that if a user is in both the read list and the write list then they will be 
+    given write access.
+    </para>
+
+    <para>
+    By design, this parameter will not work with the 
+    <smbconfoption name="security">share</smbconfoption> in Samba 3.0.
+    </para>
+
+</description>
+
+<related>read list</related>
+
+<value type="default"></value>
+<value type="example">admin, root, @staff</value>
+</samba:parameter>