authorGerald W. Carter <jerry@samba.org>2008-04-22 10:09:40 -0500
committerGerald W. Carter <jerry@samba.org>2008-04-23 08:47:48 -0500
commit8f8a9f01909ba29e2b781310baeeaaddc3f15f0d (patch)
tree90c6b720ad3a7bc815245c0ef28820424f89d658 /docs-xml/smbdotconf/winbind
parent197238246389c40edc60c6630d18d6913086e630 (diff)
Moving docs tree to docs-xml to make room for generated docs in the release tarball.
(This used to be commit 9f672c26d63955f613088489c6efbdc08b5b2d14)
Diffstat (limited to 'docs-xml/smbdotconf/winbind')
-rw-r--r--docs-xml/smbdotconf/winbind/idmapallocbackend.xml25
-rw-r--r--docs-xml/smbdotconf/winbind/idmapallocconfig.xml14
-rw-r--r--docs-xml/smbdotconf/winbind/idmapbackend.xml28
-rw-r--r--docs-xml/smbdotconf/winbind/idmapcachetime.xml13
-rw-r--r--docs-xml/smbdotconf/winbind/idmapconfig.xml65
-rw-r--r--docs-xml/smbdotconf/winbind/idmapdomains.xml27
-rw-r--r--docs-xml/smbdotconf/winbind/idmapgid.xml21
-rw-r--r--docs-xml/smbdotconf/winbind/idmapnegativecachetime.xml13
-rw-r--r--docs-xml/smbdotconf/winbind/idmapuid.xml21
-rw-r--r--docs-xml/smbdotconf/winbind/templatehomedir.xml18
-rw-r--r--docs-xml/smbdotconf/winbind/templateshell.xml14
-rw-r--r--docs-xml/smbdotconf/winbind/winbindcachetime.xml21
-rw-r--r--docs-xml/smbdotconf/winbind/winbindenumgroups.xml20
-rw-r--r--docs-xml/smbdotconf/winbind/winbindenumusers.xml23
-rw-r--r--docs-xml/smbdotconf/winbind/winbindexpandgroups.xml24
-rw-r--r--docs-xml/smbdotconf/winbind/winbindnestedgroups.xml17
-rw-r--r--docs-xml/smbdotconf/winbind/winbindnormalizenames.xml20
-rw-r--r--docs-xml/smbdotconf/winbind/winbindnssinfo.xml40
-rw-r--r--docs-xml/smbdotconf/winbind/winbindofflinelogon.xml18
-rw-r--r--docs-xml/smbdotconf/winbind/winbindrefreshtickets.xml16
-rw-r--r--docs-xml/smbdotconf/winbind/winbindrpconly.xml16
-rw-r--r--docs-xml/smbdotconf/winbind/winbindseparator.xml21
-rw-r--r--docs-xml/smbdotconf/winbind/winbindtrusteddomainsonly.xml24
-rw-r--r--docs-xml/smbdotconf/winbind/winbindusedefaultdomain.xml19
24 files changed, 538 insertions, 0 deletions
diff --git a/docs-xml/smbdotconf/winbind/idmapallocbackend.xml b/docs-xml/smbdotconf/winbind/idmapallocbackend.xml
new file mode 100644
index 0000000000..60e20b82d5
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/idmapallocbackend.xml
@@ -0,0 +1,25 @@
+<samba:parameter name="idmap alloc backend"
+ context="G"
+ type="string"
+ advanced="1" developer="1" hide="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ The idmap alloc backend provides a plugin interface for Winbind to use
+ when allocating Unix uids/gids for Windows SIDs. This option is
+ to be used in conjunction with the <smbconfoption name="idmap domains"/>
+ parameter and refers to the name of the idmap module which will provide
+ the id allocation functionality. Please refer to the man page
+ for each idmap plugin to determine whether or not the module implements
+ the allocation feature. The most common plugins are the tdb (<citerefentry>
+ <refentrytitle>idmap_tdb</refentrytitle><manvolnum>8</manvolnum></citerefentry>)
+ and ldap (<citerefentry><refentrytitle>idmap_ldap</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry>) libraries.
+ </para>
+
+ <para>Also refer to the <smbconfoption name="idmap alloc config"/> option.
+ </para>
+</description>
+
+<value type="example">tdb</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/idmapallocconfig.xml b/docs-xml/smbdotconf/winbind/idmapallocconfig.xml
new file mode 100644
index 0000000000..013904122c
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/idmapallocconfig.xml
@@ -0,0 +1,14 @@
+<samba:parameter name="idmap alloc config"
+ context="G"
+ type="string"
+ advanced="1" developer="1" hide="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ The idmap alloc config prefix provides a means of managing settings
+ for the backend defined by the <smbconfoption name="idmap alloc backend"/>
+ parameter. Refer to the man page for each idmap plugin regarding
+ specific configuration details.
+ </para>
+</description>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/idmapbackend.xml b/docs-xml/smbdotconf/winbind/idmapbackend.xml
new file mode 100644
index 0000000000..20e1115c5f
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/idmapbackend.xml
@@ -0,0 +1,28 @@
+<samba:parameter name="idmap backend"
+ context="G"
+ type="string"
+ advanced="1" developer="1" hide="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ The idmap backend provides a plugin interface for Winbind to use
+ varying backends to store SID/uid/gid mapping tables. This
+ option is mutually exclusive with the newer and more flexible
+ <smbconfoption name="idmap domains"/> parameter. The main difference
+ between the &quot;idmap backend&quot; and the &quot;idmap domains&quot;
+ is that the former only allows on backend for all domains while the
+ latter supports configuring backends on a per domain basis.
+ </para>
+
+ <para>Examples of SID/uid/gid backends include tdb (<citerefentry>
+ <refentrytitle>idmap_tdb</refentrytitle><manvolnum>8</manvolnum></citerefentry>),
+ ldap (<citerefentry><refentrytitle>idmap_ldap</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry>), rid (<citerefentry>
+ <refentrytitle>idmap_rid</refentrytitle><manvolnum>8</manvolnum></citerefentry>),
+ and ad (<citerefentry><refentrytitle>idmap_tdb</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry>).
+ </para>
+</description>
+
+<value type="default">tdb</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/idmapcachetime.xml b/docs-xml/smbdotconf/winbind/idmapcachetime.xml
new file mode 100644
index 0000000000..1636cdfa58
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/idmapcachetime.xml
@@ -0,0 +1,13 @@
+<samba:parameter name="idmap cache time"
+ context="G"
+ type="integer"
+ advanced="1" developer="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This parameter specifies the number of seconds that Winbind's
+ idmap interface will cache positive SID/uid/gid query results.
+ </para>
+</description>
+
+<value type="default">900</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/idmapconfig.xml b/docs-xml/smbdotconf/winbind/idmapconfig.xml
new file mode 100644
index 0000000000..63b0a907a8
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/idmapconfig.xml
@@ -0,0 +1,65 @@
+<samba:parameter name="idmap config"
+ context="G"
+ type="string"
+ advanced="1" developer="1" hide="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ The idmap config prefix provides a means of managing each domain
+ defined by the <smbconfoption name="idmap domains"/> option using Samba's
+ parameteric option support. The idmap config prefix should be
+ followed by the name of the domain, a colon, and a setting specific to
+ the chosen backend. There are three options available for all domains:
+ </para>
+ <variablelist>
+ <varlistentry>
+ <term>backend = backend_name</term>
+ <listitem><para>
+ Specifies the name of the idmap plugin to use as the
+ SID/uid/gid backend for this domain.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>default = [yes|no]</term>
+ <listitem><para>
+ The default domain/backend will be used for searching for
+ users and groups not belonging to one of the explicitly
+ listed domains (matched by comparing the account SID and the
+ domain SID).
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>readonly = [yes|no]</term>
+ <listitem><para>
+ Mark the domain as readonly which means that no attempts to
+ allocate a uid or gid (by the <smbconfoption name="idmap alloc
+ backend"/>) for any user or group in that domain
+ will be attempted.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+
+ <para>
+ The following example illustrates how to configure the <citerefentry>
+ <refentrytitle>idmap_ad</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ for the CORP domain and the <citerefentry><refentrytitle>idmap_tdb</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> backend for all other domains. The
+ TRUSTEDDOMAINS string is simply a key used to reference the &quot;idmap
+ config&quot; settings and does not represent the actual name of a domain.
+ </para>
+
+ <programlisting>
+ idmap domains = CORP TRUSTEDDOMAINS
+
+ idmap config CORP:backend = ad
+ idmap config CORP:readonly = yes
+
+ idmap config TRUSTEDDOMAINS:backend = tdb
+ idmap config TRUSTEDDOMAINS:default = yes
+ idmap config TRUSTEDDOMAINS:range = 1000 - 9999
+ </programlisting>
+
+</description>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/idmapdomains.xml b/docs-xml/smbdotconf/winbind/idmapdomains.xml
new file mode 100644
index 0000000000..131b9e8167
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/idmapdomains.xml
@@ -0,0 +1,27 @@
+<samba:parameter name="idmap domains"
+ context="G"
+ type="string"
+ advanced="1" developer="1" hide="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ The idmap domains option defines a list of Windows domains which will each
+ have a separately configured backend for managing Winbind's SID/uid/gid
+ tables. This parameter is mutually exclusive with the older <smbconfoption
+ name="idmap backend"/> option.
+ </para>
+
+ <para>
+ Values consist of the short domain name for Winbind's primary or collection
+ of trusted domains. You may also use an arbitrary string to represent a catchall
+ domain backend for any domain not explicitly listed.
+ </para>
+
+ <para>
+ Refer to the <smbconfoption name="idmap config"/> for details about
+ managing the SID/uid/gid backend for each domain.
+ </para>
+</description>
+
+<value type="example">default AD CORP</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/idmapgid.xml b/docs-xml/smbdotconf/winbind/idmapgid.xml
new file mode 100644
index 0000000000..28d88b51b0
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/idmapgid.xml
@@ -0,0 +1,21 @@
+<samba:parameter name="idmap gid"
+ context="G"
+ type="string"
+ advanced="1" developer="1" hide="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+ <synonym>winbind gid</synonym>
+<description>
+ <para>The idmap gid parameter specifies the range of group ids
+ that are allocated for the purpose of mapping UNX groups to NT group
+ SIDs. This range of group ids should have no
+ existing local or NIS groups within it as strange conflicts can
+ occur otherwise.</para>
+
+ <para>See also the <smbconfoption name="idmap backend"/>, <smbconfoption
+ name="idmap domains"/>, and <smbconfoption name="idmap config"/> options.
+ </para>
+</description>
+
+<value type="default"></value>
+<value type="example">10000-20000</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/idmapnegativecachetime.xml b/docs-xml/smbdotconf/winbind/idmapnegativecachetime.xml
new file mode 100644
index 0000000000..6790938d94
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/idmapnegativecachetime.xml
@@ -0,0 +1,13 @@
+<samba:parameter name="idmap negative cache time"
+ context="G"
+ type="integer"
+ advanced="1" developer="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This parameter specifies the number of seconds that Winbind's
+ idmap interface will cache negative SID/uid/gid query results.
+ </para>
+</description>
+
+<value type="default">120</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/idmapuid.xml b/docs-xml/smbdotconf/winbind/idmapuid.xml
new file mode 100644
index 0000000000..de4074cfa4
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/idmapuid.xml
@@ -0,0 +1,21 @@
+<samba:parameter name="idmap uid"
+ type="string"
+ context="G"
+ advanced="1" developer="1" hide="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<synonym>winbind uid</synonym>
+<description>
+ <para>
+ The idmap uid parameter specifies the range of user ids that are
+ allocated for use in mapping UNIX users to NT user SIDs. This
+ range of ids should have no existing local
+ or NIS users within it as strange conflicts can occur otherwise.</para>
+
+ <para>See also the <smbconfoption name="idmap backend"/>, <smbconfoption
+ name="idmap domains"/>, and <smbconfoption name="idmap config"/> options.
+ </para>
+</description>
+
+<value type="default"></value>
+<value type="example">10000-20000</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/templatehomedir.xml b/docs-xml/smbdotconf/winbind/templatehomedir.xml
new file mode 100644
index 0000000000..f5965c613c
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/templatehomedir.xml
@@ -0,0 +1,18 @@
+<samba:parameter name="template homedir"
+ context="G"
+ advanced="1" developer="1"
+ type="string"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>When filling out the user information for a Windows NT
+ user, the <citerefentry><refentrytitle>winbindd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> daemon uses this
+ parameter to fill in the home directory for that user. If the
+ string <parameter moreinfo="none">%D</parameter> is present it
+ is substituted with the user's Windows NT domain name. If the
+ string <parameter moreinfo="none">%U</parameter> is present it
+ is substituted with the user's Windows NT user name.</para>
+</description>
+
+<value type="default">/home/%D/%U</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/templateshell.xml b/docs-xml/smbdotconf/winbind/templateshell.xml
new file mode 100644
index 0000000000..ce59cd12d0
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/templateshell.xml
@@ -0,0 +1,14 @@
+<samba:parameter name="template shell"
+ context="G"
+ type="string"
+ advanced="1" developer="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>When filling out the user information for a Windows NT
+ user, the <citerefentry><refentrytitle>winbindd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> daemon uses this
+ parameter to fill in the login shell for that user.</para>
+</description>
+
+<value type="string">/bin/false</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/winbindcachetime.xml b/docs-xml/smbdotconf/winbind/winbindcachetime.xml
new file mode 100644
index 0000000000..6bdcf0d06e
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindcachetime.xml
@@ -0,0 +1,21 @@
+<samba:parameter name="winbind cache time"
+ context="G"
+ type="integer"
+ advanced="1" developer="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This parameter specifies the number of
+ seconds the <citerefentry><refentrytitle>winbindd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> daemon will cache
+ user and group information before querying a Windows NT server
+ again.</para>
+
+ <para>
+ This does not apply to authentication requests, these are always
+ evaluated in real time unless the <smbconfoption name="winbind
+ offline logon"/> option has been enabled.
+ </para>
+</description>
+
+<value type="default">300</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/winbindenumgroups.xml b/docs-xml/smbdotconf/winbind/winbindenumgroups.xml
new file mode 100644
index 0000000000..74f6feed01
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindenumgroups.xml
@@ -0,0 +1,20 @@
+<samba:parameter name="winbind enum groups"
+ context="G"
+ type="boolean"
+ advanced="1" developer="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>On large installations using <citerefentry><refentrytitle>winbindd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> it may be necessary to suppress
+ the enumeration of groups through the <command moreinfo="none">setgrent()</command>,
+ <command moreinfo="none">getgrent()</command> and
+ <command moreinfo="none">endgrent()</command> group of system calls. If
+ the <parameter moreinfo="none">winbind enum groups</parameter> parameter is
+ <constant>no</constant>, calls to the <command moreinfo="none">getgrent()</command> system
+ call will not return any data. </para>
+
+<warning><para>Turning off group enumeration may cause some programs to behave oddly. </para></warning>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/winbindenumusers.xml b/docs-xml/smbdotconf/winbind/winbindenumusers.xml
new file mode 100644
index 0000000000..c987feaf8a
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindenumusers.xml
@@ -0,0 +1,23 @@
+<samba:parameter name="winbind enum users"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>On large installations using <citerefentry><refentrytitle>winbindd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> it may be
+ necessary to suppress the enumeration of users through the <command moreinfo="none">setpwent()</command>,
+ <command moreinfo="none">getpwent()</command> and
+ <command moreinfo="none">endpwent()</command> group of system calls. If
+ the <parameter moreinfo="none">winbind enum users</parameter> parameter is
+ <constant>no</constant>, calls to the <command moreinfo="none">getpwent</command> system call
+ will not return any data. </para>
+
+<warning><para>Turning off user
+ enumeration may cause some programs to behave oddly. For
+ example, the finger program relies on having access to the
+ full user list when searching for matching
+ usernames. </para></warning>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/winbindexpandgroups.xml b/docs-xml/smbdotconf/winbind/winbindexpandgroups.xml
new file mode 100644
index 0000000000..19b81b3e0a
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindexpandgroups.xml
@@ -0,0 +1,24 @@
+<samba:parameter name="winbind expand groups"
+ context="G"
+ type="integer"
+ advanced="1" developer="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This option controls the maximum depth that winbindd
+ will traverse when flattening nested group memberships
+ of Windows domain groups. This is different from the
+ <smbconfoption name="winbind nested groups"/> option
+ which implements the Windows NT4 model of local group
+ nesting. The &quot;winbind expand groups&quot;
+ parameter specifically applies to the membership of
+ domain groups.</para>
+
+ <para>Be aware that a high value for this parameter can
+ result in system slowdown as the main parent winbindd daemon
+ must perform the group unrolling and will be unable to answer
+ incoming NSS or authentication requests during this time.</para>
+
+</description>
+
+<value type="default">1</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/winbindnestedgroups.xml b/docs-xml/smbdotconf/winbind/winbindnestedgroups.xml
new file mode 100644
index 0000000000..01e95bbaca
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindnestedgroups.xml
@@ -0,0 +1,17 @@
+<samba:parameter name="winbind nested groups"
+ context="G"
+ type="boolean"
+ advanced="1" developer="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>If set to yes, this parameter activates the support for nested
+ groups. Nested groups are also called local groups or
+ aliases. They work like their counterparts in Windows: Nested
+ groups are defined locally on any machine (they are shared
+ between DC's through their SAM) and can contain users and
+ global groups from any trusted SAM. To be able to use nested
+ groups, you need to run nss_winbind.</para>
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/winbindnormalizenames.xml b/docs-xml/smbdotconf/winbind/winbindnormalizenames.xml
new file mode 100644
index 0000000000..28826cf5f3
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindnormalizenames.xml
@@ -0,0 +1,20 @@
+<samba:parameter name="winbind normalize names"
+ context="G"
+ type="boolean"
+ advanced="1" developer="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This parameter controls whether winbindd will replace
+ whitespace in user and group names with an underscore (_) character.
+ For example, whether the name &quot;Space Kadet&quot; should be
+ replaced with the string &quot;space_kadet&quot;.
+ Frequently Unix shell scripts will have difficulty with usernames
+ contains whitespace due to the default field separator in the shell.
+ Do not enable this option if the underscore character is used in
+ account names within your domain
+ </para>
+</description>
+
+<value type="default">no</value>
+<value type="example">yes</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/winbindnssinfo.xml b/docs-xml/smbdotconf/winbind/winbindnssinfo.xml
new file mode 100644
index 0000000000..d6e40c6bf6
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindnssinfo.xml
@@ -0,0 +1,40 @@
+<samba:parameter name="winbind nss info"
+ context="G"
+ type="boolean"
+ advanced="1" developer="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+ <para>This parameter is designed to control how Winbind retrieves Name
+ Service Information to construct a user's home directory and login shell.
+ Currently the following settings are available:
+
+ <itemizedlist>
+ <listitem>
+ <para><parameter moreinfo="none">template</parameter>
+ - The default, using the parameters of <parameter moreinfo="none">template
+ shell</parameter> and <parameter moreinfo="none">template homedir</parameter>)
+ </para>
+ </listitem>
+
+ <listitem>
+ <para><parameter moreinfo="none">&lt;sfu | rfc2307 &gt;</parameter>
+ - When Samba is running in security = ads and your Active Directory
+ Domain Controller does support the Microsoft "Services for Unix" (SFU)
+ LDAP schema, winbind can retrieve the login shell and the home
+ directory attributes directly from your Directory Server. Note that
+ retrieving UID and GID from your ADS-Server requires to
+ use <parameter moreinfo="non">idmap backend</parameter> = ad
+ or <parameter moreinfo="non">idmap config DOMAIN:backend</parameter> = ad
+ as well.
+ </para>
+ </listitem>
+
+ </itemizedlist>
+
+</para>
+</description>
+
+<value type="default">template</value>
+<value type="example">template sfu</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/winbindofflinelogon.xml b/docs-xml/smbdotconf/winbind/winbindofflinelogon.xml
new file mode 100644
index 0000000000..b5a0de1631
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindofflinelogon.xml
@@ -0,0 +1,18 @@
+<samba:parameter name="winbind offline logon"
+ context="G"
+ type="boolean"
+ advanced="1" developer="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+ <para>This parameter is designed to control whether Winbind should
+ allow to login with the <parameter moreinfo="none">pam_winbind</parameter>
+ module using Cached Credentials. If enabled, winbindd will store user credentials
+ from successful logins encrypted in a local cache.
+ </para>
+
+</description>
+
+<value type="default">false</value>
+<value type="example">true</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/winbindrefreshtickets.xml b/docs-xml/smbdotconf/winbind/winbindrefreshtickets.xml
new file mode 100644
index 0000000000..d39cb76861
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindrefreshtickets.xml
@@ -0,0 +1,16 @@
+<samba:parameter name="winbind refresh tickets"
+ context="G"
+ type="boolean"
+ advanced="1" developer="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+ <para>This parameter is designed to control whether Winbind should refresh Kerberos Tickets
+ retrieved using the <parameter moreinfo="none">pam_winbind</parameter> module.
+
+</para>
+</description>
+
+<value type="default">false</value>
+<value type="example">true</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/winbindrpconly.xml b/docs-xml/smbdotconf/winbind/winbindrpconly.xml
new file mode 100644
index 0000000000..53a0877350
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindrpconly.xml
@@ -0,0 +1,16 @@
+<samba:parameter name="winbind rpc only"
+ context="G"
+ type="string"
+ advanced="1" developer="0"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+ <para>
+ Setting this parameter to <value type="example">yes</value> forces
+ winbindd to use RPC instead of LDAP to retrieve information from Domain
+ Controllers.
+ </para>
+
+</description>
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/winbindseparator.xml b/docs-xml/smbdotconf/winbind/winbindseparator.xml
new file mode 100644
index 0000000000..63ab42000d
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindseparator.xml
@@ -0,0 +1,21 @@
+<samba:parameter name="winbind separator"
+ context="G"
+ advanced="1" developer="1"
+ type="string"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This parameter allows an admin to define the character
+ used when listing a username of the form of <replaceable>DOMAIN
+ </replaceable>\<replaceable>user</replaceable>. This parameter
+ is only applicable when using the <filename moreinfo="none">pam_winbind.so</filename>
+ and <filename moreinfo="none">nss_winbind.so</filename> modules for UNIX services.
+ </para>
+
+ <para>Please note that setting this parameter to + causes problems
+ with group membership at least on glibc systems, as the character +
+ is used as a special character for NIS in /etc/group.</para>
+</description>
+
+<value type="default">'\'</value>
+<value type="example">+</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/winbindtrusteddomainsonly.xml b/docs-xml/smbdotconf/winbind/winbindtrusteddomainsonly.xml
new file mode 100644
index 0000000000..6ca229cfe9
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindtrusteddomainsonly.xml
@@ -0,0 +1,24 @@
+<samba:parameter name="winbind trusted domains only"
+ context="G"
+ type="boolean"
+ advanced="1" developer="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This parameter is designed to allow Samba servers that are members
+ of a Samba controlled domain to use UNIX accounts distributed via NIS,
+ rsync, or LDAP as the uid's for winbindd users in the hosts primary domain.
+ Therefore, the user <literal>DOMAIN\user1</literal> would be mapped to
+ the account user1 in /etc/passwd instead of allocating a new uid for him or her.
+ </para>
+
+ <para>
+ This parameter is now deprecated in favor of the newer idmap_nss backend.
+ Refer to the <smbconfoption name="idmap domains"/> smb.conf option and
+ the <citerefentry><refentrytitle>idmap_nss</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> man page for more information.
+ </para>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/winbindusedefaultdomain.xml b/docs-xml/smbdotconf/winbind/winbindusedefaultdomain.xml
new file mode 100644
index 0000000000..334068a329
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindusedefaultdomain.xml
@@ -0,0 +1,19 @@
+<samba:parameter name="winbind use default domain"
+ context="G"
+ type="boolean"
+ advanced="1" developer="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This parameter specifies whether the
+ <citerefentry><refentrytitle>winbindd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> daemon should operate on users
+ without domain component in their username. Users without a domain
+ component are treated as is part of the winbindd server's own
+ domain. While this does not benifit Windows users, it makes SSH, FTP and
+ e-mail function in a way much closer to the way they
+ would in a native unix system.</para>
+</description>
+
+<value type="default">no</value>
+<value type="example">yes</value>
+</samba:parameter>