ading new files from 3.0

(This used to be commit 99feae7b5b1c229a925367b87c0c0f636d9a2d75)

14 files changed, 266 insertions, 0 deletions

diff --git a/docs/docbook/smbdotconf/misc/valid.xml b/docs/docbook/smbdotconf/misc/valid.xml
new file mode 100644
index 0000000000..b5756f0afe
--- /dev/null
+++ b/docs/docbook/smbdotconf/misc/valid.xml
@@ -0,0 +1,18 @@
+<samba:parameter name="-valid"
+		 context="S"
+		 xmlns:samba="http://samba.org/common">
+ <listitem>
+	<para> This parameter indicates whether a share is 
+	valid and thus can be used. When this parameter is set to false, 
+	the share will be in no way visible nor accessible.
+	</para>
+
+	<para>
+	This option should not be 
+	used by regular users but might be of help to developers. 
+	Samba uses this option internally to mark shares as deleted.
+	</para>
+
+	<para>Default: <emphasis>True</emphasis></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/printing/totalprintjobs.xml b/docs/docbook/smbdotconf/printing/totalprintjobs.xml
new file mode 100644
index 0000000000..ccdb137a69
--- /dev/null
+++ b/docs/docbook/smbdotconf/printing/totalprintjobs.xml
@@ -0,0 +1,22 @@
+<samba:parameter name="total print jobs"
+                 context="G"
+                 print="1"
+                 xmlns:samba="http://samba.org/common">
+<listitem>
+    <para>This parameter accepts an integer value which defines
+    a limit on the maximum number of print jobs that will be accepted 
+    system wide at any given time.  If a print job is submitted
+    by a client which will exceed this number, then <citerefentry><refentrytitle>smbd</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry> will return an 
+    error indicating that no space is available on the server.  The 
+    default value of 0 means that no such limit exists.  This parameter
+    can be used to prevent a server from exceeding its capacity and is
+    designed as a printing throttle.  See also <link linkend="MAXPRINTJOBS">
+    <parameter moreinfo="none">max print jobs</parameter></link>.
+    </para>
+		
+    <para>Default: <command moreinfo="none">total print jobs = 0</command></para>
+
+    <para>Example: <command moreinfo="none">total print jobs = 5000</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/protocol/clientusespnego.xml b/docs/docbook/smbdotconf/protocol/clientusespnego.xml
new file mode 100644
index 0000000000..df25fbfb20
--- /dev/null
+++ b/docs/docbook/smbdotconf/protocol/clientusespnego.xml
@@ -0,0 +1,13 @@
+<samba:parameter name="client use spnego"
+                 context="G"
+                 developer="1"
+                 xmlns:samba="http://samba.org/common">
+<listitem>
+    <para> This variable controls controls whether samba clients will try 
+    to use Simple and Protected NEGOciation (as specified by rfc2478) with 
+    WindowsXP and Windows2000 servers to agree upon an authentication mechanism. 
+	</para>
+
+    <para>Default:  <emphasis>client use spnego = yes</emphasis></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/protocol/mapaclinherit.xml b/docs/docbook/smbdotconf/protocol/mapaclinherit.xml
new file mode 100644
index 0000000000..5b8ed7f656
--- /dev/null
+++ b/docs/docbook/smbdotconf/protocol/mapaclinherit.xml
@@ -0,0 +1,17 @@
+<samba:parameter name="map acl inherit"
+                 context="S"
+                 advanced="1" wizard="1"
+                 xmlns:samba="http://samba.org/common">
+<listitem>
+    <para>This boolean parameter controls whether <citerefentry><refentrytitle>smbd</refentrytitle>                                       
+    <manvolnum>8</manvolnum></citerefentry> will attempt to map the 'inherit' and 'protected'
+    access control entry flags stored in Windows ACLs into an extended attribute
+    called user.SAMBA_PAI. This parameter only takes effect if Samba is being run
+    on a platform that supports extended attributes (Linux and IRIX so far) and
+    allows the Windows 2000 ACL editor to correctly use inheritance with the Samba
+    POSIX ACL mapping code.
+    </para>
+		
+    <para>Default: <command moreinfo="none">map acl inherit = no</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/protocol/profileacls.xml b/docs/docbook/smbdotconf/protocol/profileacls.xml
new file mode 100644
index 0000000000..6f2b3ec510
--- /dev/null
+++ b/docs/docbook/smbdotconf/protocol/profileacls.xml
@@ -0,0 +1,33 @@
+<samba:parameter name="profile acls"
+                 context="S"
+                 advanced="1" wizard="1"
+                 xmlns:samba="http://samba.org/common">
+<listitem>
+    <para>This boolean parameter controls whether <citerefentry><refentrytitle>smbd</refentrytitle>                                       
+    <manvolnum>8</manvolnum></citerefentry> 
+	This boolean parameter was added to fix the problems that people have been
+	having with storing user profiles on Samba shares from Windows 2000 or
+	Windows XP clients. New versions of Windows 2000 or Windows XP service
+	packs do security ACL checking on the owner and ability to write of the
+	profile directory stored on a local workstation when copied from a Samba
+	share. When not in domain mode with winbindd then the security info copied
+	onto the local workstation has no meaning to the logged in user (SID) on
+	that workstation so the profile storing fails. Adding this parameter
+	onto a share used for profile storage changes two things about the
+	returned Windows ACL. Firstly it changes the owner and group owner
+	of all reported files and directories to be BUILTIN\\Administrators,
+	BUILTIN\\Users respectively (SIDs S-1-5-32-544, S-1-5-32-545). Secondly
+	it adds an ACE entry of "Full Control" to the SID BUILTIN\\Users to
+	every returned ACL. This will allow any Windows 2000 or XP workstation
+	user to access the profile. Note that if you have multiple users logging
+	on to a workstation then in order to prevent them from being able to access
+	each others profiles you must remove the "Bypass traverse checking" advanced
+	user right. This will prevent access to other users profile directories as
+	the top level profile directory (named after the user) is created by the
+	workstation profile code and has an ACL restricting entry to the directory
+	tree to the owning user.
+    </para>
+		
+    <para>Default: <command moreinfo="none">profile acls = no</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/clientlanmanauth.xml b/docs/docbook/smbdotconf/security/clientlanmanauth.xml
new file mode 100644
index 0000000000..a427198ea3
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/clientlanmanauth.xml
@@ -0,0 +1,28 @@
+<samba:parameter name="client lanman auth"
+                 context="G"
+                 advanced="1" developer="1"
+                 xmlns:samba="http://samba.org/common">
+<listitem>
+    <para>This parameter determines whether or not <citerefentry><refentrytitle>smbclient</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry> and other samba client
+    tools will attempt to authenticate itself to servers using the
+    weaker LANMAN password hash. If disabled, only server which support NT 
+    password hashes (e.g. Windows NT/2000, Samba, etc... but not 
+    Windows 95/98) will be able to be connected from the Samba client.</para>
+
+    <para>The LANMAN encrypted response is easily broken, due to it's
+    case-insensitive nature, and the choice of algorithm.  Clients
+    without Windows 95/98 servers are advised to disable
+    this option.  </para>
+
+    <para>Disabling this option will also disable the <command
+    moreinfo="none">client plaintext auth</command> option</para>
+
+    <para>Likewise, if the <command moreinfo="none">client ntlmv2
+    auth</command> parameter is enabled, then only NTLMv2 logins will be
+    attempted.  Not all servers support NTLMv2, and most will require
+    special configuration to us it.</para>
+
+    <para>Default : <command moreinfo="none">client lanman auth = yes</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/clientntlmv2auth.xml b/docs/docbook/smbdotconf/security/clientntlmv2auth.xml
new file mode 100644
index 0000000000..0bf196488b
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/clientntlmv2auth.xml
@@ -0,0 +1,26 @@
+<samba:parameter name="client ntlmv2 auth"
+                 context="G"
+                 advanced="1" developer="1"
+                 xmlns:samba="http://samba.org/common">
+<listitem>
+    <para>This parameter determines whether or not <citerefentry><refentrytitle>smbclient</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry> will attempt to
+    authenticate itself to servers using the NTLMv2 encrypted password
+    response.</para>
+
+    <para>If enabled, only an NTLMv2 and LMv2 response (both much more
+    secure than earlier versions) will be sent.  Many servers
+    (including NT4 &lt; SP4, Win9x and Samba 2.2) are not compatible with
+    NTLMv2.  </para>
+
+    <para>If disabled, an NTLM response (and possibly a LANMAN response)
+    will be sent by the client, depending on the value of <command
+    moreinfo="none">client lanman auth</command>.  </para>
+
+    <para>Note that some sites (particularly
+    those following 'best practice' security polices) only allow NTLMv2
+    responses, and not the weaker LM or NTLM.</para>
+
+	<para>Default : <command moreinfo="none">client ntlmv2 auth = no</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/vfs/vfsobjects.xml b/docs/docbook/smbdotconf/vfs/vfsobjects.xml
new file mode 100644
index 0000000000..32a10b5bd6
--- /dev/null
+++ b/docs/docbook/smbdotconf/vfs/vfsobjects.xml
@@ -0,0 +1,14 @@
+<samba:parameter name="vfs objects"
+                 context="S"
+                 xmlns:samba="http://samba.org/common">
+<listitem>
+	<para>This parameter specifies the backend names which 
+	are used for Samba VFS I/O operations.  By default, normal 
+	disk I/O operations are used but these can be overloaded 
+	with one or more VFS objects. </para>
+		
+	<para>Default: <emphasis>no value</emphasis></para>
+
+	<para>Example: <command moreinfo="none">vfs objects = extd_audit recycle</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/winbind/enableridalgorithm.xml b/docs/docbook/smbdotconf/winbind/enableridalgorithm.xml
new file mode 100644
index 0000000000..86786f0734
--- /dev/null
+++ b/docs/docbook/smbdotconf/winbind/enableridalgorithm.xml
@@ -0,0 +1,17 @@
+<samba:parameter name="enable rid algorithm"
+                 context="G"
+                 advanced="1" developer="1" hide="1"
+                 xmlns:samba="http://samba.org/common">
+<listitem>
+	<para>This option is used to control whether or not smbd in Samba 3.0 should fallback
+	to the algorithm used by Samba 2.2 to generate user and group RIDs.  The longterm
+	development goal is to remove the algorithmic mappings of RIDs altogether, but 
+	this has proved to be difficult.  This parameter is mainly provided so that
+	developers can turn the algorithm on and off and see what breaks.  This parameter
+	should not be disabled by non-developers because certain features in Samba will fail 
+	to work without it.
+	</para>
+
+	<para>Default: <command moreinfo="none">enable rid algorithm = &lt;yes&gt;</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/winbind/idmapgid.xml b/docs/docbook/smbdotconf/winbind/idmapgid.xml
new file mode 100644
index 0000000000..8bd46a80c6
--- /dev/null
+++ b/docs/docbook/smbdotconf/winbind/idmapgid.xml
@@ -0,0 +1,18 @@
+<samba:parameter name="idmap gid"
+                 context="G"
+                 advanced="1" developer="1" hide="1"
+                 xmlns:samba="http://samba.org/common">
+<listitem>
+
+	<para>The idmap gid parameter specifies the range of group ids that are allocated for
+	the purpose of mapping UNX groups to NT group SIDs. This range of group ids should have no 
+	existing local or NIS groups within it as strange conflicts can occur otherwise.</para>
+
+	<para>The availability of an idmap gid range is essential for correct operation of
+	all group mapping.</para>
+
+	<para>Default: <command moreinfo="none">idmap gid = &lt;empty string&gt;</command></para>
+
+	<para>Example: <command moreinfo="none">idmap gid = 10000-20000</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/winbind/idmapuid.xml b/docs/docbook/smbdotconf/winbind/idmapuid.xml
new file mode 100644
index 0000000000..5e6a245bfe
--- /dev/null
+++ b/docs/docbook/smbdotconf/winbind/idmapuid.xml
@@ -0,0 +1,14 @@
+<samba:parameter name="idmap uid"
+                 context="G"
+                 advanced="1" developer="1" hide="1"
+                 xmlns:samba="http://samba.org/common">
+<listitem>
+	<para>The idmap uid parameter specifies the range of user ids that are allocated for use
+	in mapping UNIX users to NT user SIDs. This range of ids should have no existing local
+	or NIS users within it as strange conflicts can occur otherwise.</para>
+
+	<para>Default: <command moreinfo="none">idmap uid = &lt;empty string&gt;</command></para>
+		
+	<para>Example: <command moreinfo="none">idmap uid = 10000-20000</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/winbind/templateprimarygroup.xml b/docs/docbook/smbdotconf/winbind/templateprimarygroup.xml
new file mode 100644
index 0000000000..bd59ea7ee0
--- /dev/null
+++ b/docs/docbook/smbdotconf/winbind/templateprimarygroup.xml
@@ -0,0 +1,14 @@
+<samba:parameter name="template primary group"
+                 context="G"
+                 advanced="1" developer="1"
+                 xmlns:samba="http://samba.org/common">
+<listitem>
+	<para>This option defines the default primary group for 
+	each user created by <citerefentry><refentrytitle>winbindd</refentrytitle>
+        <manvolnum>8</manvolnum></citerefentry>'s local account management
+	functions (similar to the 'add user script').
+	</para>
+
+	<para>Default: <command moreinfo="none">template primary group = nobody</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/winbind/winbindenablelocalaccounts.xml b/docs/docbook/smbdotconf/winbind/winbindenablelocalaccounts.xml
new file mode 100644
index 0000000000..f6e7cfb359
--- /dev/null
+++ b/docs/docbook/smbdotconf/winbind/winbindenablelocalaccounts.xml
@@ -0,0 +1,16 @@
+<samba:parameter name="winbind enable local accounts"
+                 context="G"
+                 advanced="1" developer="1"
+                 xmlns:samba="http://samba.org/common">
+<listitem>
+	<para>This parameter controls whether or not winbindd 
+	will act as a stand in replacement for the various account
+	management hooks in smb.conf (e.g. 'add user script').
+	If enabled, winbindd will support the creation of local 
+	users and groups as another source of UNIX account information
+	available via getpwnam() or getgrgid(), etc...
+	</para>
+
+	<para>Default: <command moreinfo="none">winbind enable local accounts = yes</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/winbind/winbindtrusteddomainsonly.xml b/docs/docbook/smbdotconf/winbind/winbindtrusteddomainsonly.xml
new file mode 100644
index 0000000000..bf383131d4
--- /dev/null
+++ b/docs/docbook/smbdotconf/winbind/winbindtrusteddomainsonly.xml
@@ -0,0 +1,16 @@
+<samba:parameter name="winbind trusted domains only"
+                 context="G"
+                 advanced="1" developer="1"
+                 xmlns:samba="http://samba.org/common">
+<listitem>
+	<para>This parameter is designed to allow Samba servers that
+	are members of a Samba controlled domain to use UNIX accounts
+	distributed vi NIS, rsync, or LDAP as the uid's for winbindd users
+	in the hosts primary domain.  Therefore, the user 'SAMBA\user1' would
+	be mapped to the account 'user1' in /etc/passwd instead of allocating
+	a new uid for him or her.
+	</para>
+
+	<para>Default: <command moreinfo="none">winbind trusted domains only = &lt;no&gt;</command></para>
+</listitem>
+</samba:parameter>