summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--docs/docbook/projdoc/InterdomainTrusts.sgml216
-rw-r--r--docs/docbook/smbdotconf/logging/debughirestimestamp.xml17
-rw-r--r--docs/docbook/smbdotconf/logging/debuglevel.xml9
-rw-r--r--docs/docbook/smbdotconf/logging/debugpid.xml19
-rw-r--r--docs/docbook/smbdotconf/logging/debugtimestamp.xml14
-rw-r--r--docs/docbook/smbdotconf/logging/debuguid.xml17
-rw-r--r--docs/docbook/smbdotconf/logging/logfile.xml14
-rw-r--r--docs/docbook/smbdotconf/logging/loglevel.xml18
-rw-r--r--docs/docbook/smbdotconf/logging/maxlogsize.xml17
-rw-r--r--docs/docbook/smbdotconf/logging/syslog.xml20
-rw-r--r--docs/docbook/smbdotconf/logging/syslogonly.xml12
-rw-r--r--docs/docbook/smbdotconf/logging/timestamplogs.xml9
-rw-r--r--docs/docbook/smbdotconf/printing/disablespoolss.xml23
-rw-r--r--docs/docbook/smbdotconf/printing/loadprinters.xml13
-rw-r--r--docs/docbook/smbdotconf/printing/lpqcommand.xml44
-rw-r--r--docs/docbook/smbdotconf/printing/lprmcommand.xml30
-rw-r--r--docs/docbook/smbdotconf/printing/maxprintjobs.xml18
-rw-r--r--docs/docbook/smbdotconf/printing/printable.xml18
-rw-r--r--docs/docbook/smbdotconf/printing/printcap.xml9
-rw-r--r--docs/docbook/smbdotconf/printing/printcommand.xml89
-rw-r--r--docs/docbook/smbdotconf/printing/printok.xml9
-rw-r--r--docs/docbook/smbdotconf/printing/totalprintjobs.xml22
-rw-r--r--docs/docbook/smbdotconf/protocol/announceas.xml21
-rw-r--r--docs/docbook/smbdotconf/protocol/announceversion.xml15
-rw-r--r--docs/docbook/smbdotconf/protocol/disablenetbios.xml18
-rw-r--r--docs/docbook/smbdotconf/protocol/largereadwrite.xml18
-rw-r--r--docs/docbook/smbdotconf/protocol/maxmux.xml12
-rw-r--r--docs/docbook/smbdotconf/protocol/maxprotocol.xml48
-rw-r--r--docs/docbook/smbdotconf/protocol/maxttl.xml14
-rw-r--r--docs/docbook/smbdotconf/protocol/maxwinsttl.xml18
-rw-r--r--docs/docbook/smbdotconf/protocol/maxxmit.xml16
-rw-r--r--docs/docbook/smbdotconf/protocol/minprotocol.xml23
-rw-r--r--docs/docbook/smbdotconf/protocol/minwinsttl.xml16
-rw-r--r--docs/docbook/smbdotconf/protocol/nameresolveorder.xml58
-rw-r--r--docs/docbook/smbdotconf/protocol/ntaclsupport.xml14
-rw-r--r--docs/docbook/smbdotconf/protocol/ntpipesupport.xml15
-rw-r--r--docs/docbook/smbdotconf/protocol/ntstatussupport.xml17
-rw-r--r--docs/docbook/smbdotconf/protocol/protocol.xml9
-rw-r--r--docs/docbook/smbdotconf/protocol/readbmpx.xml15
-rw-r--r--docs/docbook/smbdotconf/protocol/readraw.xml24
-rw-r--r--docs/docbook/smbdotconf/protocol/smbports.xml10
-rw-r--r--docs/docbook/smbdotconf/protocol/timeserver.xml12
-rw-r--r--docs/docbook/smbdotconf/protocol/unicode.xml13
-rw-r--r--docs/docbook/smbdotconf/protocol/unixextensions.xml15
-rw-r--r--docs/docbook/smbdotconf/protocol/usespnego.xml15
-rw-r--r--docs/docbook/smbdotconf/protocol/writeraw.xml12
-rw-r--r--docs/docbook/smbdotconf/security/adminusers.xml17
-rw-r--r--docs/docbook/smbdotconf/security/algorithmicridbase.xml27
-rw-r--r--docs/docbook/smbdotconf/security/allowhosts.xml9
-rw-r--r--docs/docbook/smbdotconf/security/allowtrusteddomains.xml26
-rw-r--r--docs/docbook/smbdotconf/security/authmethods.xml19
-rw-r--r--docs/docbook/smbdotconf/security/createmode.xml8
-rw-r--r--docs/docbook/smbdotconf/security/denyhosts.xml9
-rw-r--r--docs/docbook/smbdotconf/security/directorymask.xml47
-rw-r--r--docs/docbook/smbdotconf/security/directorymode.xml8
-rw-r--r--docs/docbook/smbdotconf/security/directorysecuritymask.xml36
-rw-r--r--docs/docbook/smbdotconf/security/forcecreatemode.xml28
-rw-r--r--docs/docbook/smbdotconf/security/forcedirectorymode.xml29
-rw-r--r--docs/docbook/smbdotconf/security/forcedirectorysecuritymode.xml35
-rw-r--r--docs/docbook/smbdotconf/security/forcegroup.xml37
-rw-r--r--docs/docbook/smbdotconf/security/forcesecuritymode.xml36
-rw-r--r--docs/docbook/smbdotconf/security/forceuser.xml27
-rw-r--r--docs/docbook/smbdotconf/security/group.xml9
-rw-r--r--docs/docbook/smbdotconf/security/guestaccount.xml31
-rw-r--r--docs/docbook/smbdotconf/security/guestok.xml21
-rw-r--r--docs/docbook/smbdotconf/security/guestonly.xml16
-rw-r--r--docs/docbook/smbdotconf/security/hostsallow.xml62
-rw-r--r--docs/docbook/smbdotconf/security/hostsdeny.xml16
-rw-r--r--docs/docbook/smbdotconf/security/hostsequiv.xml29
-rw-r--r--docs/docbook/smbdotconf/security/inheritacls.xml14
-rw-r--r--docs/docbook/smbdotconf/security/inheritpermissions.xml40
-rw-r--r--docs/docbook/smbdotconf/security/invalidusers.xml35
-rw-r--r--docs/docbook/smbdotconf/security/lanmanauth.xml14
-rw-r--r--docs/docbook/smbdotconf/security/maptoguest.xml62
-rw-r--r--docs/docbook/smbdotconf/security/minpasswdlength.xml10
-rw-r--r--docs/docbook/smbdotconf/security/nonunixaccountrange.xml25
-rw-r--r--docs/docbook/smbdotconf/security/ntlmauth.xml15
-rw-r--r--docs/docbook/smbdotconf/security/nullpasswords.xml13
-rw-r--r--docs/docbook/smbdotconf/security/obeypamrestrictions.xml19
-rw-r--r--docs/docbook/smbdotconf/security/onlyguest.xml8
-rw-r--r--docs/docbook/smbdotconf/security/onlyuser.xml26
-rw-r--r--docs/docbook/smbdotconf/security/pampasswordchange.xml17
-rw-r--r--docs/docbook/smbdotconf/security/passwdchat.xml62
-rw-r--r--docs/docbook/smbdotconf/security/passwdchatdebug.xml27
-rw-r--r--docs/docbook/smbdotconf/security/passwdprogram.xml39
-rw-r--r--docs/docbook/smbdotconf/security/passwordlevel.xml44
-rw-r--r--docs/docbook/smbdotconf/security/passwordserver.xml98
-rw-r--r--docs/docbook/smbdotconf/security/printeradmin.xml15
-rw-r--r--docs/docbook/smbdotconf/security/privatedir.xml13
-rw-r--r--docs/docbook/smbdotconf/security/public.xml9
-rw-r--r--docs/docbook/smbdotconf/security/readlist.xml22
-rw-r--r--docs/docbook/smbdotconf/security/readonly.xml19
-rw-r--r--docs/docbook/smbdotconf/security/root.xml10
-rw-r--r--docs/docbook/smbdotconf/security/rootdir.xml10
-rw-r--r--docs/docbook/smbdotconf/security/rootdirectory.xml34
-rw-r--r--docs/docbook/smbdotconf/security/security.xml254
-rw-r--r--docs/docbook/smbdotconf/security/securitymask.xml36
-rw-r--r--docs/docbook/smbdotconf/security/serverschannel.xml25
-rw-r--r--docs/docbook/smbdotconf/security/smbpasswdfile.xml14
-rw-r--r--docs/docbook/smbdotconf/security/unixpasswordsync.xml22
-rw-r--r--docs/docbook/smbdotconf/security/updateencrypted.xml33
-rw-r--r--docs/docbook/smbdotconf/security/user.xml8
-rw-r--r--docs/docbook/smbdotconf/security/username.xml64
-rw-r--r--docs/docbook/smbdotconf/security/usernamelevel.xml24
-rw-r--r--docs/docbook/smbdotconf/security/usernamemap.xml91
-rw-r--r--docs/docbook/smbdotconf/security/users.xml9
-rw-r--r--docs/docbook/smbdotconf/security/validusers.xml25
-rw-r--r--docs/docbook/smbdotconf/security/writable.xml8
-rw-r--r--docs/docbook/smbdotconf/security/writeable.xml8
-rw-r--r--docs/docbook/smbdotconf/security/writelist.xml22
-rw-r--r--docs/docbook/smbdotconf/security/writeok.xml8
-rw-r--r--docs/docbook/smbdotconf/tuning/blocksize.xml22
-rw-r--r--docs/docbook/smbdotconf/tuning/changenotifytimeout.xml20
-rw-r--r--docs/docbook/smbdotconf/tuning/deadtime.xml27
-rw-r--r--docs/docbook/smbdotconf/tuning/getwdcache.xml14
-rw-r--r--docs/docbook/smbdotconf/tuning/hostnamelookups.xml16
-rw-r--r--docs/docbook/smbdotconf/tuning/keepalive.xml21
-rw-r--r--docs/docbook/smbdotconf/tuning/maxconnections.xml18
-rw-r--r--docs/docbook/smbdotconf/tuning/maxdisksize.xml28
-rw-r--r--docs/docbook/smbdotconf/tuning/maxopenfiles.xml19
-rw-r--r--docs/docbook/smbdotconf/tuning/maxsmbdprocesses.xml18
-rw-r--r--docs/docbook/smbdotconf/tuning/minprintspace.xml18
-rw-r--r--docs/docbook/smbdotconf/tuning/namecachetimeout.xml15
-rw-r--r--docs/docbook/smbdotconf/tuning/paranoidserversecurity.xml18
-rw-r--r--docs/docbook/smbdotconf/tuning/readsize.xml29
-rw-r--r--docs/docbook/smbdotconf/tuning/socketoptions.xml75
-rw-r--r--docs/docbook/smbdotconf/tuning/statcachesize.xml12
-rw-r--r--docs/docbook/smbdotconf/tuning/strictallocate.xml23
-rw-r--r--docs/docbook/smbdotconf/tuning/syncalways.xml21
-rw-r--r--docs/docbook/smbdotconf/tuning/usemmap.xml17
-rw-r--r--docs/docbook/smbdotconf/tuning/usesendfile.xml15
-rw-r--r--docs/docbook/smbdotconf/tuning/writecachesize.xml30
-rw-r--r--source3/include/idmap.h56
-rw-r--r--source3/nsswitch/winbindd_idmap_tdb.c459
134 files changed, 4029 insertions, 0 deletions
diff --git a/docs/docbook/projdoc/InterdomainTrusts.sgml b/docs/docbook/projdoc/InterdomainTrusts.sgml
new file mode 100644
index 0000000000..0fc634c544
--- /dev/null
+++ b/docs/docbook/projdoc/InterdomainTrusts.sgml
@@ -0,0 +1,216 @@
+<chapter id="InterdomainTrusts">
+<chapterinfo>
+ &author.jht;
+ &author.mimir;
+ <pubdate>April 3, 2003</pubdate>
+</chapterinfo>
+
+<title>Interdomain Trust Relationships</title>
+
+<para>
+Samba-3 supports NT4 style domain trust relationships. This is feature that many sites
+will want to use if they migrate to Samba-3 from and NT4 style domain and do NOT want to
+adopt Active Directory or an LDAP based authentication back end. This section explains
+some background information regarding trust relationships and how to create them. It is now
+possible for Samba3 to NT4 trust (and vica versa), as well as Samba3 to Samba3 trusts.
+</para>
+
+<sect1>
+<title>Trust Relationship Background</title>
+
+<para>
+MS Windows NT3.x/4.0 type security domains employ a non-hierchical security structure.
+The limitations of this architecture as it affects the scalability of MS Windows networking
+in large organisations is well known. Additionally, the flat-name space that results from
+this design significantly impacts the delegation of administrative responsibilities in
+large and diverse organisations.
+</para>
+
+<para>
+Microsoft developed Active Directory Service (ADS), based on Kerberos and LDAP, as a means
+of circumventing the limitations of the older technologies. Not every organisation is ready
+or willing to embrace ADS. For small companies the older NT4 style domain security paradigm
+is quite adequate, there thus remains an entrenched user base for whom there is no direct
+desire to go through a disruptive change to adopt ADS.
+</para>
+
+<para>
+Microsoft introduced with MS Windows NT the ability to allow differing security domains
+to affect a mechanism so that users from one domain may be given access rights and privilidges
+in another domain. The language that describes this capability is couched in terms of
+<emphasis>Trusts</emphasis>. Specifically, one domain will <emphasis>trust</emphasis> the users
+from another domain. The domain from which users are available to another security domain is
+said to be a trusted domain. The domain in which those users have assigned rights and privilidges
+is the trusting domain. With NT3.x/4.0 all trust relationships are always in one direction only,
+thus if users in both domains are to have privilidges and rights in each others' domain, then it is
+necessary to establish two (2) relationships, one in each direction.
+</para>
+
+<para>
+In an NT4 style MS security domain, all trusts are non-transitive. This means that if there
+are three (3) domains (let's call them RED, WHITE, and BLUE) where RED and WHITE have a trust
+relationship, and WHITE and BLUE have a trust relationship, then it holds that there is no
+implied trust between the RED and BLUE domains. ie: Relationships are explicit and not
+transitive.
+</para>
+
+<para>
+New to MS Windows 2000 ADS security contexts is the fact that trust relationships are two-way
+by default. Also, all inter-ADS domain trusts are transitive. In the case of the RED, WHITE and BLUE
+domains above, with Windows 2000 and ADS the RED and BLUE domains CAN trust each other. This is
+an inherent feature of ADS domains.
+</para>
+
+</sect1>
+
+<sect1>
+<title>MS Windows NT4 Trust Configuration</title>
+
+<para>
+There are two steps to creating an inter-domain trust relationship.
+
+<sect2>
+<title>NT4 as the Trusting Domain</title>
+
+<para>
+For MS Windows NT4, all domain trust relationships are configured using the Domain User Manager.
+To affect a two way trust relationship it is necessary for each domain administrator to make
+available (for use by an external domain) it's security resources. This is done from the Domain
+User Manager Policies entry on the menu bar. From the Policy menu, select Trust Relationships, then
+next to the lower box that is labelled "Permitted to Trust this Domain" are two buttons, "Add" and
+"Remove". The "Add" button will open a panel in which needs to be entered the remote domain that
+will be able to assign user rights to your domain. In addition it is necessary to enter a password
+that is specific to this trust relationship. The password is added twice.
+</para>
+
+</sect2>
+
+<sect2>
+<title>NT4 as the Trusted Domain</title>
+
+<para>
+A trust relationship will work only when the other (trusting) domain makes the appropriate connections
+with the trusted domain. To consumate the trust relationship the administrator will launch the
+Domain User Manager, from the menu select Policies, then select Trust Relationships, then click on the
+"Add" button that is next to the box that is labelled "Trusted Domains". A panel will open in
+which must be entered the name of the remote domain as well as the password assigned to that trust.
+<para>
+
+</sect2>
+</sect1>
+
+<sect1>
+<title>Configuring Samba Domain Trusts</title>
+
+<para>
+This descitpion is meant to be a fairly short introduction about how to set up a Samba server so
+that it could participate in interdomain trust relationships. Trust relationship support in Samba
+is in its early stage, so lot of things don't work yet. Paricularly, the contents of this document
+applies to NT4-style trusts.
+</para>
+
+<para>
+Each of the procedures described below is treated as they were performed with Windows NT4 Server on
+one end. The other end could just as well be another Samba3 domain. It can be clearly seen, after
+reading this document, that combining Samba-specific parts of what's written below leads to trust
+between domains in purely Samba environment.
+</para>
+
+<sect2>
+<title>Samba3 as the Trusting Domain</title>
+
+<para>
+In order to set Samba PDC to be trusted party of the relationship first you need
+to create special account for domain that will be the trusting party. To do that,
+you can use 'smbpasswd' utility. Creating the trusted domain account is very
+similiar to creating the connection to the trusting machine's account. Suppose,
+your domain is called SAMBA, and the remote domain is called RUMBA. Your first
+step will be to issue this command from your favourite shell:
+</para>
+
+<para>
+<screen>
+<prompt>deity#</prompt> <userinput>smbpasswd -a -i rumba</userinput>
+ New SMB password: XXXXXXXX
+ Retype SMB password: XXXXXXXX
+ Added user rumba$
+</screen>
+
+where <parameter>-a</parameter> means to add a new account into the passdb database and <parameter>-i</parameter> means create this account with the Inter-Domain trust flag.
+</para>
+
+<para>
+The account name will be 'rumba$' (the name of the remote domain)
+</para>
+
+<para>
+fter issuing this command you'll be asked for typing account's
+password. You can use any password you want, but be aware that Windows NT will
+not change this password until 7 days have passed since account creating.
+After command returns successfully, you can look at your new account's entry
+(in the way depending on your configuration) and see that account's name is
+really RUMBA$ and it has 'I' flag in the flags field. Now you're ready to confirm
+the trust by establishing it from Windows NT Server.
+</para>
+
+<para>
+Open 'User Manager for Domains' and from menu 'Policies' select 'Trust Relationships...'.
+Right beside 'Trusted domains' list press 'Add...' button. You'll be prompted for
+trusted domain name and the relationship's password. Type in SAMBA, as this is
+your domain name and the password you've just used during account creation.
+Press OK and if everything went fine, you will see 'Trusted domain relationship
+successfully established' message. Well done.
+</para>
+
+</sect2>
+<sect2>
+<title>Samba3 as the Trusted Domain</title>
+
+<para>
+This time activities are somewhat reversed. Again, we'll assume that your domain
+controlled by Samba PDC is called SAMBA and NT-controlled domain is called RUMBA.
+</para>
+
+<para>
+The very first thing is to add account for SAMBA domain on RUMBA's PDC.
+</para>
+
+<para>
+Launch the Domain User Manager, then from the menu select 'Policies', 'Trust Relationships'.
+Now, next to 'Trusted Domains' box press the 'Add' button, and type in the name of the trusted
+domein (SAMBA) and password securing the relationship.
+</para>
+
+<para>
+Password can be arbitrarily chosen the more, because it's easy to change it
+from Samba server whenever you want. After confirming password your account is
+ready and waiting. Now it's Samba's turn.
+</para>
+
+<para>
+Using your favourite shell while being logged on as root, issue this command:
+</para>
+
+<para>
+<prompt>deity# </prompt><userinput>net rpc trustdom establish rumba</userinput>
+</para>
+
+<para>
+You'll be prompted for password you've just typed on your Windows NT4 Server box.
+Don't worry if you will see the error message with returned code of
+<errorname>NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT</errorname>. It means the
+password you gave is correct and the NT4 Server says the account is ready for trusting your domain
+and not for ordinary connection. After that, be patient it can take a while (especially
+in large networks), you should see 'Success' message. Contgratulations! Your trust
+relationship has just been established.
+</para>
+
+<note><para>
+Note that you have to run this command as root, since you need write access to
+your <filename>secrets.tdb</filename> file.
+</para></note>
+
+</sect2>
+</sect1>
+
+</chapter>
diff --git a/docs/docbook/smbdotconf/logging/debughirestimestamp.xml b/docs/docbook/smbdotconf/logging/debughirestimestamp.xml
new file mode 100644
index 0000000000..4e49b89ddb
--- /dev/null
+++ b/docs/docbook/smbdotconf/logging/debughirestimestamp.xml
@@ -0,0 +1,17 @@
+<samba:parameter name="debug hires timestamp"
+ context="G"
+ developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>Sometimes the timestamps in the log messages
+ are needed with a resolution of higher that seconds, this
+ boolean parameter adds microsecond resolution to the timestamp
+ message header when turned on.</para>
+
+ <para>Note that the parameter <link linkend="DEBUGTIMESTAMP"><parameter moreinfo="none">
+ debug timestamp</parameter></link> must be on for this to have an
+ effect.</para>
+
+ <para>Default: <command moreinfo="none">debug hires timestamp = no</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/logging/debuglevel.xml b/docs/docbook/smbdotconf/logging/debuglevel.xml
new file mode 100644
index 0000000000..8bd4b4e0b5
--- /dev/null
+++ b/docs/docbook/smbdotconf/logging/debuglevel.xml
@@ -0,0 +1,9 @@
+<samba:parameter name="debug level"
+ context="G"
+ hide="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>Synonym for <link linkend="LOGLEVEL"><parameter moreinfo="none">
+ log level</parameter></link>.</para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/logging/debugpid.xml b/docs/docbook/smbdotconf/logging/debugpid.xml
new file mode 100644
index 0000000000..ff393f5159
--- /dev/null
+++ b/docs/docbook/smbdotconf/logging/debugpid.xml
@@ -0,0 +1,19 @@
+<samba:parameter name="debug pid"
+ context="G"
+ developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>When using only one log file for more then one forked
+ <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry>-process there may be hard to
+ follow which process outputs which message. This boolean parameter
+ is adds the process-id to the timestamp message headers in the
+ logfile when turned on.</para>
+
+ <para>Note that the parameter <link linkend="DEBUGTIMESTAMP"><parameter moreinfo="none">
+ debug timestamp</parameter></link> must be on for this to have an
+ effect.</para>
+
+ <para>Default: <command moreinfo="none">debug pid = no</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/logging/debugtimestamp.xml b/docs/docbook/smbdotconf/logging/debugtimestamp.xml
new file mode 100644
index 0000000000..e337b5b8f2
--- /dev/null
+++ b/docs/docbook/smbdotconf/logging/debugtimestamp.xml
@@ -0,0 +1,14 @@
+<samba:parameter name="debug timestamp"
+ context="G"
+ developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>Samba debug log messages are timestamped
+ by default. If you are running at a high <link linkend="DEBUGLEVEL">
+ <parameter moreinfo="none">debug level</parameter></link> these timestamps
+ can be distracting. This boolean parameter allows timestamping
+ to be turned off.</para>
+
+ <para>Default: <command moreinfo="none">debug timestamp = yes</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/logging/debuguid.xml b/docs/docbook/smbdotconf/logging/debuguid.xml
new file mode 100644
index 0000000000..bcacdf32c0
--- /dev/null
+++ b/docs/docbook/smbdotconf/logging/debuguid.xml
@@ -0,0 +1,17 @@
+<samba:parameter name="debug uid"
+ context="G"
+ developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>Samba is sometimes run as root and sometime
+ run as the connected user, this boolean parameter inserts the
+ current euid, egid, uid and gid to the timestamp message headers
+ in the log file if turned on.</para>
+
+ <para>Note that the parameter <link linkend="DEBUGTIMESTAMP"><parameter moreinfo="none">
+ debug timestamp</parameter></link> must be on for this to have an
+ effect.</para>
+
+ <para>Default: <command moreinfo="none">debug uid = no</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/logging/logfile.xml b/docs/docbook/smbdotconf/logging/logfile.xml
new file mode 100644
index 0000000000..8d3761a841
--- /dev/null
+++ b/docs/docbook/smbdotconf/logging/logfile.xml
@@ -0,0 +1,14 @@
+<samba:parameter name="log file"
+ context="G"
+ developer="1" advanced="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This option allows you to override the name
+ of the Samba log file (also known as the debug file).</para>
+
+ <para>This option takes the standard substitutions, allowing
+ you to have separate log files for each user or machine.</para>
+
+ <para>Example: <command moreinfo="none">log file = /usr/local/samba/var/log.%m</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/logging/loglevel.xml b/docs/docbook/smbdotconf/logging/loglevel.xml
new file mode 100644
index 0000000000..6f03fe80e9
--- /dev/null
+++ b/docs/docbook/smbdotconf/logging/loglevel.xml
@@ -0,0 +1,18 @@
+<samba:parameter name="log level"
+ context="G"
+ developer="1" advanced="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>The value of the parameter (a astring) allows
+ the debug level (logging level) to be specified in the
+ <filename moreinfo="none">smb.conf</filename> file. This parameter has been
+ extended since the 2.2.x series, now it allow to specify the debug
+ level for multiple debug classes. This is to give greater
+ flexibility in the configuration of the system.</para>
+
+ <para>The default will be the log level specified on
+ the command line or level zero if none was specified.</para>
+
+ <para>Example: <command moreinfo="none">log level = 3 passdb:5 auth:10 winbind:2</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/logging/maxlogsize.xml b/docs/docbook/smbdotconf/logging/maxlogsize.xml
new file mode 100644
index 0000000000..6e0ec6735a
--- /dev/null
+++ b/docs/docbook/smbdotconf/logging/maxlogsize.xml
@@ -0,0 +1,17 @@
+<samba:parameter name="max log size"
+ context="G"
+ developer="1" advanced="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This option (an integer in kilobytes) specifies
+ the max size the log file should grow to. Samba periodically checks
+ the size and if it is exceeded it will rename the file, adding
+ a <filename moreinfo="none">.old</filename> extension.</para>
+
+ <para>A size of 0 means no limit.</para>
+
+ <para>Default: <command moreinfo="none">max log size = 5000</command></para>
+
+ <para>Example: <command moreinfo="none">max log size = 1000</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/logging/syslog.xml b/docs/docbook/smbdotconf/logging/syslog.xml
new file mode 100644
index 0000000000..0fdf070045
--- /dev/null
+++ b/docs/docbook/smbdotconf/logging/syslog.xml
@@ -0,0 +1,20 @@
+<samba:parameter name="syslog"
+ context="G"
+ developer="1" advanced="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This parameter maps how Samba debug messages
+ are logged onto the system syslog logging levels. Samba debug
+ level zero maps onto syslog <constant>LOG_ERR</constant>, debug
+ level one maps onto <constant>LOG_WARNING</constant>, debug level
+ two maps onto <constant>LOG_NOTICE</constant>, debug level three
+ maps onto LOG_INFO. All higher levels are mapped to <constant>
+ LOG_DEBUG</constant>.</para>
+
+ <para>This parameter sets the threshold for sending messages
+ to syslog. Only messages with debug level less than this value
+ will be sent to syslog.</para>
+
+ <para>Default: <command moreinfo="none">syslog = 1</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/logging/syslogonly.xml b/docs/docbook/smbdotconf/logging/syslogonly.xml
new file mode 100644
index 0000000000..2b584d8d6d
--- /dev/null
+++ b/docs/docbook/smbdotconf/logging/syslogonly.xml
@@ -0,0 +1,12 @@
+<samba:parameter name="syslog only"
+ context="G"
+ developer="1" advanced="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>If this parameter is set then Samba debug
+ messages are logged into the system syslog only, and not to
+ the debug log files.</para>
+
+ <para>Default: <command moreinfo="none">syslog only = no</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/logging/timestamplogs.xml b/docs/docbook/smbdotconf/logging/timestamplogs.xml
new file mode 100644
index 0000000000..e744ce54c6
--- /dev/null
+++ b/docs/docbook/smbdotconf/logging/timestamplogs.xml
@@ -0,0 +1,9 @@
+<samba:parameter name="timestamp logs"
+ context="G"
+ developer="1" advanced="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>Synonym for <link linkend="DEBUGTIMESTAMP"><parameter moreinfo="none">
+ debug timestamp</parameter></link>.</para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/printing/disablespoolss.xml b/docs/docbook/smbdotconf/printing/disablespoolss.xml
new file mode 100644
index 0000000000..366092fce1
--- /dev/null
+++ b/docs/docbook/smbdotconf/printing/disablespoolss.xml
@@ -0,0 +1,23 @@
+<samba:parameter name="disable spoolss"
+ context="G"
+ print="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>Enabling this parameter will disable Samba's support
+ for the SPOOLSS set of MS-RPC's and will yield identical behavior
+ as Samba 2.0.x. Windows NT/2000 clients will downgrade to using
+ Lanman style printing commands. Windows 9x/ME will be uneffected by
+ the parameter. However, this will also disable the ability to upload
+ printer drivers to a Samba server via the Windows NT Add Printer
+ Wizard or by using the NT printer properties dialog window. It will
+ also disable the capability of Windows NT/2000 clients to download
+ print drivers from the Samba host upon demand.
+ <emphasis>Be very careful about enabling this parameter.</emphasis>
+ </para>
+
+ <para>See also <link linkend="USECLIENTDRIVER">use client driver</link>
+ </para>
+
+ <para>Default : <command moreinfo="none">disable spoolss = no</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/printing/loadprinters.xml b/docs/docbook/smbdotconf/printing/loadprinters.xml
new file mode 100644
index 0000000000..efc2658ba8
--- /dev/null
+++ b/docs/docbook/smbdotconf/printing/loadprinters.xml
@@ -0,0 +1,13 @@
+<samba:parameter name="load printers"
+ context="G"
+ print="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>A boolean variable that controls whether all
+ printers in the printcap will be loaded for browsing by default.
+ See the <link linkend="PRINTERSSECT">printers</link> section for
+ more details.</para>
+
+ <para>Default: <command moreinfo="none">load printers = yes</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/printing/lpqcommand.xml b/docs/docbook/smbdotconf/printing/lpqcommand.xml
new file mode 100644
index 0000000000..f1b62af627
--- /dev/null
+++ b/docs/docbook/smbdotconf/printing/lpqcommand.xml
@@ -0,0 +1,44 @@
+<samba:parameter name="lpq command"
+ context="S"
+ print="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This parameter specifies the command to be
+ executed on the server host in order to obtain <command moreinfo="none">lpq
+ </command>-style printer status information.</para>
+
+ <para>This command should be a program or script which
+ takes a printer name as its only parameter and outputs printer
+ status information.</para>
+
+ <para>Currently nine styles of printer status information
+ are supported; BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX, CUPS, and SOFTQ.
+ This covers most UNIX systems. You control which type is expected
+ using the <parameter moreinfo="none">printing =</parameter> option.</para>
+
+ <para>Some clients (notably Windows for Workgroups) may not
+ correctly send the connection number for the printer they are
+ requesting status information about. To get around this, the
+ server reports on the first printer service connected to by the
+ client. This only happens if the connection number sent is invalid.</para>
+
+ <para>If a <parameter moreinfo="none">%p</parameter> is given then the printer name
+ is put in its place. Otherwise it is placed at the end of the
+ command.</para>
+
+ <para>Note that it is good practice to include the absolute path
+ in the <parameter moreinfo="none">lpq command</parameter> as the <envar>$PATH
+ </envar> may not be available to the server. When compiled with
+ the CUPS libraries, no <parameter moreinfo="none">lpq command</parameter> is
+ needed because smbd will make a library call to obtain the
+ print queue listing.</para>
+
+ <para>See also the <link linkend="PRINTING"><parameter moreinfo="none">printing
+ </parameter></link> parameter.</para>
+
+ <para>Default: <emphasis>depends on the setting of <parameter moreinfo="none">
+ printing</parameter></emphasis></para>
+
+ <para>Example: <command moreinfo="none">lpq command = /usr/bin/lpq -P%p</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/printing/lprmcommand.xml b/docs/docbook/smbdotconf/printing/lprmcommand.xml
new file mode 100644
index 0000000000..567602c4f9
--- /dev/null
+++ b/docs/docbook/smbdotconf/printing/lprmcommand.xml
@@ -0,0 +1,30 @@
+<samba:parameter name="lprm command"
+ context="S"
+ print="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This parameter specifies the command to be
+ executed on the server host in order to delete a print job.</para>
+
+ <para>This command should be a program or script which takes
+ a printer name and job number, and deletes the print job.</para>
+
+ <para>If a <parameter moreinfo="none">%p</parameter> is given then the printer name
+ is put in its place. A <parameter moreinfo="none">%j</parameter> is replaced with
+ the job number (an integer).</para>
+
+ <para>Note that it is good practice to include the absolute
+ path in the <parameter moreinfo="none">lprm command</parameter> as the PATH may not be
+ available to the server.</para>
+
+ <para>See also the <link linkend="PRINTING"><parameter moreinfo="none">printing
+ </parameter></link> parameter.</para>
+
+ <para>Default: <emphasis>depends on the setting of <parameter moreinfo="none">printing
+ </parameter></emphasis></para>
+
+ <para>Example 1: <command moreinfo="none">lprm command = /usr/bin/lprm -P%p %j</command></para>
+
+ <para>Example 2: <command moreinfo="none">lprm command = /usr/bin/cancel %p-%j</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/printing/maxprintjobs.xml b/docs/docbook/smbdotconf/printing/maxprintjobs.xml
new file mode 100644
index 0000000000..a631b6b8c4
--- /dev/null
+++ b/docs/docbook/smbdotconf/printing/maxprintjobs.xml
@@ -0,0 +1,18 @@
+<samba:parameter name="max print jobs"
+ context="S"
+ print="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This parameter limits the maximum number of
+ jobs allowable in a Samba printer queue at any given moment.
+ If this number is exceeded, <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> will remote &quot;Out of Space&quot; to the client.
+ See all <link linkend="TOTALPRINTJOBS"><parameter moreinfo="none">total
+ print jobs</parameter></link>.
+ </para>
+
+ <para>Default: <command moreinfo="none">max print jobs = 1000</command></para>
+
+ <para>Example: <command moreinfo="none">max print jobs = 5000</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/printing/printable.xml b/docs/docbook/smbdotconf/printing/printable.xml
new file mode 100644
index 0000000000..946e8b4b96
--- /dev/null
+++ b/docs/docbook/smbdotconf/printing/printable.xml
@@ -0,0 +1,18 @@
+<samba:parameter name="printable"
+ context="S"
+ print="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>If this parameter is <constant>yes</constant>, then
+ clients may open, write to and submit spool files on the directory
+ specified for the service. </para>
+
+ <para>Note that a printable service will ALWAYS allow writing
+ to the service path (user privileges permitting) via the spooling
+ of print data. The <link linkend="READONLY"><parameter moreinfo="none">read only
+ </parameter></link> parameter controls only non-printing access to
+ the resource.</para>
+
+ <para>Default: <command moreinfo="none">printable = no</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/printing/printcap.xml b/docs/docbook/smbdotconf/printing/printcap.xml
new file mode 100644
index 0000000000..0ee08a263f
--- /dev/null
+++ b/docs/docbook/smbdotconf/printing/printcap.xml
@@ -0,0 +1,9 @@
+<samba:parameter name="printcap"
+ context="G"
+ hide="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>Synonym for <link linkend="PRINTCAPNAME"><parameter moreinfo="none">
+ printcap name</parameter></link>.</para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/printing/printcommand.xml b/docs/docbook/smbdotconf/printing/printcommand.xml
new file mode 100644
index 0000000000..5444309053
--- /dev/null
+++ b/docs/docbook/smbdotconf/printing/printcommand.xml
@@ -0,0 +1,89 @@
+<samba:parameter name="print command"
+ context="S"
+ print="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>After a print job has finished spooling to
+ a service, this command will be used via a <command moreinfo="none">system()</command>
+ call to process the spool file. Typically the command specified will
+ submit the spool file to the host's printing subsystem, but there
+ is no requirement that this be the case. The server will not remove
+ the spool file, so whatever command you specify should remove the
+ spool file when it has been processed, otherwise you will need to
+ manually remove old spool files.</para>
+
+ <para>The print command is simply a text string. It will be used
+ verbatim after macro substitutions have been made:</para>
+
+ <para>%s, %p - the path to the spool
+ file name</para>
+
+ <para>%p - the appropriate printer
+ name</para>
+
+ <para>%J - the job
+ name as transmitted by the client.</para>
+
+ <para>%c - The number of printed pages
+ of the spooled job (if known).</para>
+
+ <para>%z - the size of the spooled
+ print job (in bytes)</para>
+
+ <para>The print command <emphasis>MUST</emphasis> contain at least
+ one occurrence of <parameter moreinfo="none">%s</parameter> or <parameter moreinfo="none">%f
+ </parameter> - the <parameter moreinfo="none">%p</parameter> is optional. At the time
+ a job is submitted, if no printer name is supplied the <parameter moreinfo="none">%p
+ </parameter> will be silently removed from the printer command.</para>
+
+ <para>If specified in the [global] section, the print command given
+ will be used for any printable service that does not have its own
+ print command specified.</para>
+
+ <para>If there is neither a specified print command for a
+ printable service nor a global print command, spool files will
+ be created but not processed and (most importantly) not removed.</para>
+
+ <para>Note that printing may fail on some UNIXes from the
+ <constant>nobody</constant> account. If this happens then create
+ an alternative guest account that can print and set the <link linkend="GUESTACCOUNT">
+ <parameter moreinfo="none">guest account</parameter></link>
+ in the [global] section.</para>
+
+ <para>You can form quite complex print commands by realizing
+ that they are just passed to a shell. For example the following
+ will log a print job, print the file, then remove it. Note that
+ ';' is the usual separator for command in shell scripts.</para>
+
+ <para><command moreinfo="none">print command = echo Printing %s &gt;&gt;
+ /tmp/print.log; lpr -P %p %s; rm %s</command></para>
+
+ <para>You may have to vary this command considerably depending
+ on how you normally print files on your system. The default for
+ the parameter varies depending on the setting of the <link linkend="PRINTING">
+ <parameter moreinfo="none">printing</parameter></link> parameter.</para>
+
+ <para>Default: For <command moreinfo="none">printing = BSD, AIX, QNX, LPRNG
+ or PLP :</command></para>
+ <para><command moreinfo="none">print command = lpr -r -P%p %s</command></para>
+
+ <para>For <command moreinfo="none">printing = SYSV or HPUX :</command></para>
+ <para><command moreinfo="none">print command = lp -c -d%p %s; rm %s</command></para>
+
+ <para>For <command moreinfo="none">printing = SOFTQ :</command></para>
+ <para><command moreinfo="none">print command = lp -d%p -s %s; rm %s</command></para>
+
+ <para>For printing = CUPS : If SAMBA is compiled against
+ libcups, then <link linkend="PRINTING">printcap = cups</link>
+ uses the CUPS API to
+ submit jobs, etc. Otherwise it maps to the System V
+ commands with the -oraw option for printing, i.e. it
+ uses <command moreinfo="none">lp -c -d%p -oraw; rm %s</command>.
+ With <command moreinfo="none">printing = cups</command>,
+ and if SAMBA is compiled against libcups, any manually
+ set print command will be ignored.</para>
+
+
+ <para>Example: <command moreinfo="none">print command = /usr/local/samba/bin/myprintscript %p %s</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/printing/printok.xml b/docs/docbook/smbdotconf/printing/printok.xml
new file mode 100644
index 0000000000..0a0e6605f1
--- /dev/null
+++ b/docs/docbook/smbdotconf/printing/printok.xml
@@ -0,0 +1,9 @@
+<samba:parameter name="print ok"
+ context="S"
+ hide="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>Synonym for <link linkend="PRINTABLE">
+ <parameter moreinfo="none">printable</parameter></link>.</para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/printing/totalprintjobs.xml b/docs/docbook/smbdotconf/printing/totalprintjobs.xml
new file mode 100644
index 0000000000..ccdb137a69
--- /dev/null
+++ b/docs/docbook/smbdotconf/printing/totalprintjobs.xml
@@ -0,0 +1,22 @@
+<samba:parameter name="total print jobs"
+ context="G"
+ print="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This parameter accepts an integer value which defines
+ a limit on the maximum number of print jobs that will be accepted
+ system wide at any given time. If a print job is submitted
+ by a client which will exceed this number, then <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> will return an
+ error indicating that no space is available on the server. The
+ default value of 0 means that no such limit exists. This parameter
+ can be used to prevent a server from exceeding its capacity and is
+ designed as a printing throttle. See also <link linkend="MAXPRINTJOBS">
+ <parameter moreinfo="none">max print jobs</parameter></link>.
+ </para>
+
+ <para>Default: <command moreinfo="none">total print jobs = 0</command></para>
+
+ <para>Example: <command moreinfo="none">total print jobs = 5000</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/protocol/announceas.xml b/docs/docbook/smbdotconf/protocol/announceas.xml
new file mode 100644
index 0000000000..b063fcc1b7
--- /dev/null
+++ b/docs/docbook/smbdotconf/protocol/announceas.xml
@@ -0,0 +1,21 @@
+<samba:parameter name="announce as"
+ context="G"
+ developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This specifies what type of server <citerefentry><refentrytitle>nmbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> will announce itself as, to a network neighborhood browse
+ list. By default this is set to Windows NT. The valid options
+ are : &quot;NT Server&quot; (which can also be written as &quot;NT&quot;),
+ &quot;NT Workstation&quot;, &quot;Win95&quot; or &quot;WfW&quot; meaning Windows NT Server,
+ Windows NT Workstation, Windows 95 and Windows for Workgroups
+ respectively. Do not change this parameter unless you have a
+ specific need to stop Samba appearing as an NT server as this
+ may prevent Samba servers from participating as browser servers
+ correctly.</para>
+
+ <para>Default: <command moreinfo="none">announce as = NT Server</command></para>
+
+ <para>Example: <command moreinfo="none">announce as = Win95</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/protocol/announceversion.xml b/docs/docbook/smbdotconf/protocol/announceversion.xml
new file mode 100644
index 0000000000..217004b5fc
--- /dev/null
+++ b/docs/docbook/smbdotconf/protocol/announceversion.xml
@@ -0,0 +1,15 @@
+<samba:parameter name="announce version"
+ context="G"
+ developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This specifies the major and minor version numbers
+ that nmbd will use when announcing itself as a server. The default
+ is 4.9. Do not change this parameter unless you have a specific
+ need to set a Samba server to be a downlevel server.</para>
+
+ <para>Default: <command moreinfo="none">announce version = 4.9</command></para>
+
+ <para>Example: <command moreinfo="none">announce version = 2.0</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/protocol/disablenetbios.xml b/docs/docbook/smbdotconf/protocol/disablenetbios.xml
new file mode 100644
index 0000000000..2fe92d00b7
--- /dev/null
+++ b/docs/docbook/smbdotconf/protocol/disablenetbios.xml
@@ -0,0 +1,18 @@
+<samba:parameter name="disable netbios"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>Enabling this parameter will disable netbios support
+ in Samba. Netbios is the only available form of browsing in
+ all windows versions except for 2000 and XP. </para>
+
+ <note><para>Note that clients that only support netbios won't be able to
+ see your samba server when netbios support is disabled.
+ </para></note>
+
+ <para>Default: <command moreinfo="none">disable netbios = no</command></para>
+
+ <para>Example: <command moreinfo="none">disable netbios = yes</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/protocol/largereadwrite.xml b/docs/docbook/smbdotconf/protocol/largereadwrite.xml
new file mode 100644
index 0000000000..25c58899c4
--- /dev/null
+++ b/docs/docbook/smbdotconf/protocol/largereadwrite.xml
@@ -0,0 +1,18 @@
+<samba:parameter name="large readwrite"
+ context="G"
+ developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This parameter determines whether or not
+ <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> supports the new 64k
+ streaming read and write varient SMB requests introduced with
+ Windows 2000. Note that due to Windows 2000 client redirector bugs
+ this requires Samba to be running on a 64-bit capable operating
+ system such as IRIX, Solaris or a Linux 2.4 kernel. Can improve
+ performance by 10% with Windows 2000 clients. Defaults to on. Not as
+ tested as some other Samba code paths.</para>
+
+ <para>Default: <command moreinfo="none">large readwrite = yes</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/protocol/maxmux.xml b/docs/docbook/smbdotconf/protocol/maxmux.xml
new file mode 100644
index 0000000000..c05487fdca
--- /dev/null
+++ b/docs/docbook/smbdotconf/protocol/maxmux.xml
@@ -0,0 +1,12 @@
+<samba:parameter name="max mux"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This option controls the maximum number of
+ outstanding simultaneous SMB operations that Samba tells the client
+ it will allow. You should never need to set this parameter.</para>
+
+ <para>Default: <command moreinfo="none">max mux = 50</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/protocol/maxprotocol.xml b/docs/docbook/smbdotconf/protocol/maxprotocol.xml
new file mode 100644
index 0000000000..3f4e917828
--- /dev/null
+++ b/docs/docbook/smbdotconf/protocol/maxprotocol.xml
@@ -0,0 +1,48 @@
+<samba:parameter name="max protocol"
+ context="G"
+ developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>The value of the parameter (a string) is the highest
+ protocol level that will be supported by the server.</para>
+
+ <para>Possible values are :</para>
+ <itemizedlist>
+ <listitem>
+ <para><constant>CORE</constant>: Earliest version. No
+ concept of user names.</para>
+ </listitem>
+
+ <listitem>
+ <para><constant>COREPLUS</constant>: Slight improvements on
+ CORE for efficiency.</para>
+ </listitem>
+
+ <listitem>
+ <para><constant>LANMAN1</constant>: First <emphasis>
+ modern</emphasis> version of the protocol. Long filename
+ support.</para>
+ </listitem>
+
+ <listitem>
+ <para><constant>LANMAN2</constant>: Updates to Lanman1 protocol.</para>
+ </listitem>
+
+ <listitem>
+ <para><constant>NT1</constant>: Current up to date version of the protocol.
+ Used by Windows NT. Known as CIFS.</para>
+ </listitem>
+ </itemizedlist>
+
+ <para>Normally this option should not be set as the automatic
+ negotiation phase in the SMB protocol takes care of choosing
+ the appropriate protocol.</para>
+
+ <para>See also <link linkend="MINPROTOCOL"><parameter moreinfo="none">min
+ protocol</parameter></link></para>
+
+ <para>Default: <command moreinfo="none">max protocol = NT1</command></para>
+
+ <para>Example: <command moreinfo="none">max protocol = LANMAN1</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/protocol/maxttl.xml b/docs/docbook/smbdotconf/protocol/maxttl.xml
new file mode 100644
index 0000000000..63c2b57ad7
--- /dev/null
+++ b/docs/docbook/smbdotconf/protocol/maxttl.xml
@@ -0,0 +1,14 @@
+<samba:parameter name="max ttl"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This option tells <citerefentry><refentrytitle>nmbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> what the default 'time to live'
+ of NetBIOS names should be (in seconds) when <command moreinfo="none">nmbd</command> is
+ requesting a name using either a broadcast packet or from a WINS server. You should
+ never need to change this parameter. The default is 3 days.</para>
+
+ <para>Default: <command moreinfo="none">max ttl = 259200</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/protocol/maxwinsttl.xml b/docs/docbook/smbdotconf/protocol/maxwinsttl.xml
new file mode 100644
index 0000000000..eafacc28fa
--- /dev/null
+++ b/docs/docbook/smbdotconf/protocol/maxwinsttl.xml
@@ -0,0 +1,18 @@
+<samba:parameter name="max wins ttl"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This option tells <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> when acting as a WINS server (<link linkend="WINSSUPPORT">
+ <parameter moreinfo="none">wins support = yes</parameter></link>) what the maximum
+ 'time to live' of NetBIOS names that <command moreinfo="none">nmbd</command>
+ will grant will be (in seconds). You should never need to change this
+ parameter. The default is 6 days (518400 seconds).</para>
+
+ <para>See also the <link linkend="MINWINSTTL"><parameter moreinfo="none">min
+ wins ttl</parameter></link> parameter.</para>
+
+ <para>Default: <command moreinfo="none">max wins ttl = 518400</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/protocol/maxxmit.xml b/docs/docbook/smbdotconf/protocol/maxxmit.xml
new file mode 100644
index 0000000000..3125b8d3b9
--- /dev/null
+++ b/docs/docbook/smbdotconf/protocol/maxxmit.xml
@@ -0,0 +1,16 @@
+<samba:parameter name="max xmit"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This option controls the maximum packet size
+ that will be negotiated by Samba. The default is 65535, which
+ is the maximum. In some cases you may find you get better performance
+ with a smaller value. A value below 2048 is likely to cause problems.
+ </para>
+
+ <para>Default: <command moreinfo="none">max xmit = 65535</command></para>
+
+ <para>Example: <command moreinfo="none">max xmit = 8192</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/protocol/minprotocol.xml b/docs/docbook/smbdotconf/protocol/minprotocol.xml
new file mode 100644
index 0000000000..f382701948
--- /dev/null
+++ b/docs/docbook/smbdotconf/protocol/minprotocol.xml
@@ -0,0 +1,23 @@
+<samba:parameter name="min protocol"
+ context="G"
+ developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>The value of the parameter (a string) is the
+ lowest SMB protocol dialect than Samba will support. Please refer
+ to the <link linkend="MAXPROTOCOL"><parameter moreinfo="none">max protocol</parameter></link>
+ parameter for a list of valid protocol names and a brief description
+ of each. You may also wish to refer to the C source code in
+ <filename moreinfo="none">source/smbd/negprot.c</filename> for a listing of known protocol
+ dialects supported by clients.</para>
+
+ <para>If you are viewing this parameter as a security measure, you should
+ also refer to the <link linkend="LANMANAUTH"><parameter moreinfo="none">lanman
+ auth</parameter></link> parameter. Otherwise, you should never need
+ to change this parameter.</para>
+
+ <para>Default : <command moreinfo="none">min protocol = CORE</command></para>
+
+ <para>Example : <command moreinfo="none">min protocol = NT1</command> # disable DOS clients</para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/protocol/minwinsttl.xml b/docs/docbook/smbdotconf/protocol/minwinsttl.xml
new file mode 100644
index 0000000000..8ad1a5600f
--- /dev/null
+++ b/docs/docbook/smbdotconf/protocol/minwinsttl.xml
@@ -0,0 +1,16 @@
+<samba:parameter name="min wins ttl"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This option tells <citerefentry><refentrytitle>nmbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry>
+ when acting as a WINS server (<link linkend="WINSSUPPORT"><parameter moreinfo="none">
+ wins support = yes</parameter></link>) what the minimum 'time to live'
+ of NetBIOS names that <command moreinfo="none">nmbd</command> will grant will be (in
+ seconds). You should never need to change this parameter. The default
+ is 6 hours (21600 seconds).</para>
+
+ <para>Default: <command moreinfo="none">min wins ttl = 21600</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/protocol/nameresolveorder.xml b/docs/docbook/smbdotconf/protocol/nameresolveorder.xml
new file mode 100644
index 0000000000..897d04ad1c
--- /dev/null
+++ b/docs/docbook/smbdotconf/protocol/nameresolveorder.xml
@@ -0,0 +1,58 @@
+<samba:parameter name="name resolve order"
+ context="G"
+ advanced="1" wizard="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This option is used by the programs in the Samba
+ suite to determine what naming services to use and in what order
+ to resolve host names to IP addresses. The option takes a space
+ separated string of name resolution options.</para>
+
+ <para>The options are: &quot;lmhosts&quot;, &quot;host&quot;,
+ &quot;wins&quot; and &quot;bcast&quot;. They cause names to be
+ resolved as follows:</para>
+
+ <itemizedlist>
+ <listitem>
+ <para><constant>lmhosts</constant> : Lookup an IP
+ address in the Samba lmhosts file. If the line in lmhosts has
+ no name type attached to the NetBIOS name (see the <ulink url="lmhosts.5.html">lmhosts(5)</ulink> for details) then
+ any name type matches for lookup.</para>
+ </listitem>
+
+ <listitem>
+ <para><constant>host</constant> : Do a standard host
+ name to IP address resolution, using the system <filename moreinfo="none">/etc/hosts
+ </filename>, NIS, or DNS lookups. This method of name resolution
+ is operating system depended for instance on IRIX or Solaris this
+ may be controlled by the <filename moreinfo="none">/etc/nsswitch.conf</filename>
+ file. Note that this method is only used if the NetBIOS name
+ type being queried is the 0x20 (server) name type, otherwise
+ it is ignored.</para>
+ </listitem>
+
+ <listitem>
+ <para><constant>wins</constant> : Query a name with
+ the IP address listed in the <link linkend="WINSSERVER"><parameter moreinfo="none">
+ wins server</parameter></link> parameter. If no WINS server has
+ been specified this method will be ignored.</para>
+ </listitem>
+
+ <listitem>
+ <para><constant>bcast</constant> : Do a broadcast on
+ each of the known local interfaces listed in the <link linkend="INTERFACES"><parameter moreinfo="none">interfaces</parameter></link>
+ parameter. This is the least reliable of the name resolution
+ methods as it depends on the target host being on a locally
+ connected subnet.</para>
+ </listitem>
+ </itemizedlist>
+
+ <para>Default: <command moreinfo="none">name resolve order = lmhosts host wins bcast</command></para>
+
+ <para>Example: <command moreinfo="none">name resolve order = lmhosts bcast host</command></para>
+
+ <para>This will cause the local lmhosts file to be examined
+ first, followed by a broadcast attempt, followed by a normal
+ system hostname lookup.</para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/protocol/ntaclsupport.xml b/docs/docbook/smbdotconf/protocol/ntaclsupport.xml
new file mode 100644
index 0000000000..64276d51c3
--- /dev/null
+++ b/docs/docbook/smbdotconf/protocol/ntaclsupport.xml
@@ -0,0 +1,14 @@
+<samba:parameter name="nt acl support"
+ context="S"
+ advanced="1" wizard="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This boolean parameter controls whether <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> will attempt to map
+ UNIX permissions into Windows NT access control lists.
+ This parameter was formally a global parameter in releases
+ prior to 2.2.2.</para>
+
+ <para>Default: <command moreinfo="none">nt acl support = yes</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/protocol/ntpipesupport.xml b/docs/docbook/smbdotconf/protocol/ntpipesupport.xml
new file mode 100644
index 0000000000..e5c42a7696
--- /dev/null
+++ b/docs/docbook/smbdotconf/protocol/ntpipesupport.xml
@@ -0,0 +1,15 @@
+<samba:parameter name="nt pipe support"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This boolean parameter controls whether
+ <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> will allow Windows NT
+ clients to connect to the NT SMB specific <constant>IPC$</constant>
+ pipes. This is a developer debugging option and can be left
+ alone.</para>
+
+ <para>Default: <command moreinfo="none">nt pipe support = yes</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/protocol/ntstatussupport.xml b/docs/docbook/smbdotconf/protocol/ntstatussupport.xml
new file mode 100644
index 0000000000..ecb19128ee
--- /dev/null
+++ b/docs/docbook/smbdotconf/protocol/ntstatussupport.xml
@@ -0,0 +1,17 @@
+<samba:parameter name="nt status support"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This boolean parameter controls whether <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> will negotiate NT specific status
+ support with Windows NT/2k/XP clients. This is a developer debugging option and should be left alone.
+ If this option is set to <constant>no</constant> then Samba offers
+ exactly the same DOS error codes that versions prior to Samba 2.2.3
+ reported.</para>
+
+ <para>You should not need to ever disable this parameter.</para>
+
+ <para>Default: <command moreinfo="none">nt status support = yes</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/protocol/protocol.xml b/docs/docbook/smbdotconf/protocol/protocol.xml
new file mode 100644
index 0000000000..19926649c0
--- /dev/null
+++ b/docs/docbook/smbdotconf/protocol/protocol.xml
@@ -0,0 +1,9 @@
+<samba:parameter name="protocol"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>Synonym for <link linkend="MAXPROTOCOL">
+ <parameter moreinfo="none">max protocol</parameter></link>.</para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/protocol/readbmpx.xml b/docs/docbook/smbdotconf/protocol/readbmpx.xml
new file mode 100644
index 0000000000..0298407cef
--- /dev/null
+++ b/docs/docbook/smbdotconf/protocol/readbmpx.xml
@@ -0,0 +1,15 @@
+<samba:parameter name="read bmpx"
+ context="G"
+ developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This boolean parameter controls whether
+ <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> will support the &quot;Read
+ Block Multiplex&quot; SMB. This is now rarely used and defaults to
+ <constant>no</constant>. You should never need to set this
+ parameter.</para>
+
+ <para>Default: <command moreinfo="none">read bmpx = no</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/protocol/readraw.xml b/docs/docbook/smbdotconf/protocol/readraw.xml
new file mode 100644
index 0000000000..6b24f39d68
--- /dev/null
+++ b/docs/docbook/smbdotconf/protocol/readraw.xml
@@ -0,0 +1,24 @@
+<samba:parameter name="read raw"
+ context="G"
+ developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This parameter controls whether or not the server
+ will support the raw read SMB requests when transferring data
+ to clients.</para>
+
+ <para>If enabled, raw reads allow reads of 65535 bytes in
+ one packet. This typically provides a major performance benefit.
+ </para>
+
+ <para>However, some clients either negotiate the allowable
+ block size incorrectly or are incapable of supporting larger block
+ sizes, and for these clients you may need to disable raw reads.</para>
+
+ <para>In general this parameter should be viewed as a system tuning
+ tool and left severely alone. See also <link linkend="WRITERAW">
+ <parameter moreinfo="none">write raw</parameter></link>.</para>
+
+ <para>Default: <command moreinfo="none">read raw = yes</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/protocol/smbports.xml b/docs/docbook/smbdotconf/protocol/smbports.xml
new file mode 100644
index 0000000000..9d06c37964
--- /dev/null
+++ b/docs/docbook/smbdotconf/protocol/smbports.xml
@@ -0,0 +1,10 @@
+<samba:parameter name="smb ports"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>Specifies which ports the server should listen on for SMB traffic.</para>
+
+ <para>Default: <command moreinfo="none">smb ports = 445 139</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/protocol/timeserver.xml b/docs/docbook/smbdotconf/protocol/timeserver.xml
new file mode 100644
index 0000000000..d78f9a456d
--- /dev/null
+++ b/docs/docbook/smbdotconf/protocol/timeserver.xml
@@ -0,0 +1,12 @@
+<samba:parameter name="time server"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This parameter determines if <citerefentry><refentrytitle>nmbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> advertises itself as a time server to Windows
+ clients.</para>
+
+ <para>Default: <command moreinfo="none">time server = no</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/protocol/unicode.xml b/docs/docbook/smbdotconf/protocol/unicode.xml
new file mode 100644
index 0000000000..be93cb61e2
--- /dev/null
+++ b/docs/docbook/smbdotconf/protocol/unicode.xml
@@ -0,0 +1,13 @@
+<samba:parameter name="unicode"
+ context="G"
+ developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>Specifies whether Samba should try
+ to use unicode on the wire by default. Note: This does NOT
+ mean that samba will assume that the unix machine uses unicode!
+ </para>
+
+ <para>Default: <command moreinfo="none">unicode = yes</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/protocol/unixextensions.xml b/docs/docbook/smbdotconf/protocol/unixextensions.xml
new file mode 100644
index 0000000000..2f68b9605e
--- /dev/null
+++ b/docs/docbook/smbdotconf/protocol/unixextensions.xml
@@ -0,0 +1,15 @@
+<samba:parameter name="unix extensions"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This boolean parameter controls whether Samba
+ implments the CIFS UNIX extensions, as defined by HP.
+ These extensions enable Samba to better serve UNIX CIFS clients
+ by supporting features such as symbolic links, hard links, etc...
+ These extensions require a similarly enabled client, and are of
+ no current use to Windows clients.</para>
+
+ <para>Default: <command moreinfo="none">unix extensions = no</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/protocol/usespnego.xml b/docs/docbook/smbdotconf/protocol/usespnego.xml
new file mode 100644
index 0000000000..88c9f1df7a
--- /dev/null
+++ b/docs/docbook/smbdotconf/protocol/usespnego.xml
@@ -0,0 +1,15 @@
+<samba:parameter name="use spnego"
+ context="G"
+ developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para> This variable controls controls whether samba will try
+ to use Simple and Protected NEGOciation (as specified by rfc2478) with
+ WindowsXP and Windows2000sp2 clients to agree upon an authentication mechanism.
+ Unless further issues are discovered with our SPNEGO
+ implementation, there is no reason this should ever be
+ disabled.</para>
+
+ <para>Default: <emphasis>use spnego = yes</emphasis></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/protocol/writeraw.xml b/docs/docbook/smbdotconf/protocol/writeraw.xml
new file mode 100644
index 0000000000..e71c54cabd
--- /dev/null
+++ b/docs/docbook/smbdotconf/protocol/writeraw.xml
@@ -0,0 +1,12 @@
+<samba:parameter name="write raw"
+ context="G"
+ developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This parameter controls whether or not the server
+ will support raw write SMB's when transferring data from clients.
+ You should never need to change this parameter.</para>
+
+ <para>Default: <command moreinfo="none">write raw = yes</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/adminusers.xml b/docs/docbook/smbdotconf/security/adminusers.xml
new file mode 100644
index 0000000000..09989aa79a
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/adminusers.xml
@@ -0,0 +1,17 @@
+<samba:parameter name="admin users"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This is a list of users who will be granted
+ administrative privileges on the share. This means that they
+ will do all file operations as the super-user (root).</para>
+
+ <para>You should use this option very carefully, as any user in
+ this list will be able to do anything they like on the share,
+ irrespective of file permissions.</para>
+
+ <para>Default: <emphasis>no admin users</emphasis></para>
+
+ <para>Example: <command moreinfo="none">admin users = jason</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/algorithmicridbase.xml b/docs/docbook/smbdotconf/security/algorithmicridbase.xml
new file mode 100644
index 0000000000..d1d33d419b
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/algorithmicridbase.xml
@@ -0,0 +1,27 @@
+<samba:parameter name="algorithmic rid base"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This determines how Samba will use its
+ algorithmic mapping from uids/gid to the RIDs needed to construct
+ NT Security Identifiers.
+ </para>
+
+ <para>Setting this option to a larger value could be useful to sites
+ transitioning from WinNT and Win2k, as existing user and
+ group rids would otherwise clash with sytem users etc.
+ </para>
+
+ <para>All UIDs and GIDs must be able to be resolved into SIDs for
+ the correct operation of ACLs on the server. As such the algorithmic
+ mapping can't be 'turned off', but pushing it 'out of the way' should
+ resolve the issues. Users and groups can then be assigned 'low' RIDs
+ in arbitary-rid supporting backends.
+ </para>
+
+ <para>Default: <command moreinfo="none">algorithmic rid base = 1000</command></para>
+
+ <para>Example: <command moreinfo="none">algorithmic rid base = 100000</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/allowhosts.xml b/docs/docbook/smbdotconf/security/allowhosts.xml
new file mode 100644
index 0000000000..ea7c0fa05e
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/allowhosts.xml
@@ -0,0 +1,9 @@
+<samba:parameter name="allow hosts"
+ context="S"
+ hide="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>Synonym for <link linkend="HOSTSALLOW">
+ <parameter moreinfo="none">hosts allow</parameter></link>.</para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/allowtrusteddomains.xml b/docs/docbook/smbdotconf/security/allowtrusteddomains.xml
new file mode 100644
index 0000000000..63363d2607
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/allowtrusteddomains.xml
@@ -0,0 +1,26 @@
+<samba:parameter name="allow trusted domains"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This option only takes effect when the <link linkend="SECURITY">
+ <parameter moreinfo="none">security</parameter></link> option is set to
+ <constant>server</constant> or <constant>domain</constant>.
+ If it is set to no, then attempts to connect to a resource from
+ a domain or workgroup other than the one which <ulink url="smbd.8.html">smbd</ulink> is running
+ in will fail, even if that domain is trusted by the remote server
+ doing the authentication.</para>
+
+ <para>This is useful if you only want your Samba server to
+ serve resources to users in the domain it is a member of. As
+ an example, suppose that there are two domains DOMA and DOMB. DOMB
+ is trusted by DOMA, which contains the Samba server. Under normal
+ circumstances, a user with an account in DOMB can then access the
+ resources of a UNIX account with the same account name on the
+ Samba server even if they do not have an account in DOMA. This
+ can make implementing a security boundary difficult.</para>
+
+ <para>Default: <command moreinfo="none">allow trusted domains = yes</command></para>
+
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/authmethods.xml b/docs/docbook/smbdotconf/security/authmethods.xml
new file mode 100644
index 0000000000..0b7965d55b
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/authmethods.xml
@@ -0,0 +1,19 @@
+<samba:parameter name="auth methods"
+ context="G"
+ basic="1" advanced="1" wizard="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This option allows the administrator to chose what
+ authentication methods <command moreinfo="none">smbd</command> will use when authenticating
+ a user. This option defaults to sensible values based on <link linkend="SECURITY">
+ <parameter moreinfo="none">security</parameter></link>.</para>
+
+ <para>Each entry in the list attempts to authenticate the user in turn, until
+ the user authenticates. In practice only one method will ever actually
+ be able to complete the authentication.
+ </para>
+
+ <para>Default: <command moreinfo="none">auth methods = &lt;empty string&gt;</command></para>
+ <para>Example: <command moreinfo="none">auth methods = guest sam ntdomain</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/createmode.xml b/docs/docbook/smbdotconf/security/createmode.xml
new file mode 100644
index 0000000000..c49acf070d
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/createmode.xml
@@ -0,0 +1,8 @@
+<samba:parameter name="create mode"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This is a synonym for <link linkend="CREATEMASK"><parameter moreinfo="none">
+ create mask</parameter></link>.</para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/denyhosts.xml b/docs/docbook/smbdotconf/security/denyhosts.xml
new file mode 100644
index 0000000000..d5ffb0e452
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/denyhosts.xml
@@ -0,0 +1,9 @@
+<samba:parameter name="deny hosts"
+ context="S"
+ hide="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>Synonym for <link linkend="HOSTSDENY"><parameter moreinfo="none">hosts
+ deny</parameter></link>.</para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/directorymask.xml b/docs/docbook/smbdotconf/security/directorymask.xml
new file mode 100644
index 0000000000..d50047d46f
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/directorymask.xml
@@ -0,0 +1,47 @@
+<samba:parameter name="directory mask"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This parameter is the octal modes which are
+ used when converting DOS modes to UNIX modes when creating UNIX
+ directories.</para>
+
+ <para>When a directory is created, the necessary permissions are
+ calculated according to the mapping from DOS modes to UNIX permissions,
+ and the resulting UNIX mode is then bit-wise 'AND'ed with this
+ parameter. This parameter may be thought of as a bit-wise MASK for
+ the UNIX modes of a directory. Any bit <emphasis>not</emphasis> set
+ here will be removed from the modes set on a directory when it is
+ created.</para>
+
+ <para>The default value of this parameter removes the 'group'
+ and 'other' write bits from the UNIX mode, allowing only the
+ user who owns the directory to modify it.</para>
+
+ <para>Following this Samba will bit-wise 'OR' the UNIX mode
+ created from this parameter with the value of the <link linkend="FORCEDIRECTORYMODE">
+ <parameter moreinfo="none">force directory mode</parameter></link> parameter.
+ This parameter is set to 000 by default (i.e. no extra mode bits are added).</para>
+
+ <para>Note that this parameter does not apply to permissions
+ set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
+ a mask on access control lists also, they need to set the <link linkend="DIRECTORYSECURITYMASK">
+ <parameter moreinfo="none">directory security mask</parameter></link>.</para>
+
+ <para>See the <link linkend="FORCEDIRECTORYMODE"><parameter moreinfo="none">force
+ directory mode</parameter></link> parameter to cause particular mode
+ bits to always be set on created directories.</para>
+
+ <para>See also the <link linkend="CREATEMODE"><parameter moreinfo="none">create mode
+ </parameter></link> parameter for masking mode bits on created files,
+ and the <link linkend="DIRECTORYSECURITYMASK"><parameter moreinfo="none">directory
+ security mask</parameter></link> parameter.</para>
+
+ <para>Also refer to the <link linkend="INHERITPERMISSIONS"><parameter moreinfo="none">
+ inherit permissions</parameter></link> parameter.</para>
+
+ <para>Default: <command moreinfo="none">directory mask = 0755</command></para>
+
+ <para>Example: <command moreinfo="none">directory mask = 0775</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/directorymode.xml b/docs/docbook/smbdotconf/security/directorymode.xml
new file mode 100644
index 0000000000..3facac2bc1
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/directorymode.xml
@@ -0,0 +1,8 @@
+<samba:parameter name="directory mode"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>Synonym for <link linkend="DIRECTORYMASK"><parameter moreinfo="none">
+ directory mask</parameter></link></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/directorysecuritymask.xml b/docs/docbook/smbdotconf/security/directorysecuritymask.xml
new file mode 100644
index 0000000000..d5413d4578
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/directorysecuritymask.xml
@@ -0,0 +1,36 @@
+<samba:parameter name="directory security mask"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This parameter controls what UNIX permission bits
+ can be modified when a Windows NT client is manipulating the UNIX
+ permission on a directory using the native NT security dialog
+ box.</para>
+
+ <para>This parameter is applied as a mask (AND'ed with) to
+ the changed permission bits, thus preventing any bits not in
+ this mask from being modified. Essentially, zero bits in this
+ mask may be treated as a set of bits the user is not allowed
+ to change.</para>
+
+ <para>If not set explicitly this parameter is set to 0777
+ meaning a user is allowed to modify all the user/group/world
+ permissions on a directory.</para>
+
+ <para><emphasis>Note</emphasis> that users who can access the
+ Samba server through other means can easily bypass this restriction,
+ so it is primarily useful for standalone &quot;appliance&quot; systems.
+ Administrators of most normal systems will probably want to leave
+ it as the default of <constant>0777</constant>.</para>
+
+ <para>See also the <link linkend="FORCEDIRECTORYSECURITYMODE"><parameter moreinfo="none">
+ force directory security mode</parameter></link>, <link linkend="SECURITYMASK">
+ <parameter moreinfo="none">security mask</parameter></link>,
+ <link linkend="FORCESECURITYMODE"><parameter moreinfo="none">force security mode
+ </parameter></link> parameters.</para>
+
+ <para>Default: <command moreinfo="none">directory security mask = 0777</command></para>
+
+ <para>Example: <command moreinfo="none">directory security mask = 0700</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/forcecreatemode.xml b/docs/docbook/smbdotconf/security/forcecreatemode.xml
new file mode 100644
index 0000000000..66b29950d0
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/forcecreatemode.xml
@@ -0,0 +1,28 @@
+<samba:parameter name="force create mode"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This parameter specifies a set of UNIX mode bit
+ permissions that will <emphasis>always</emphasis> be set on a
+ file created by Samba. This is done by bitwise 'OR'ing these bits onto
+ the mode bits of a file that is being created or having its
+ permissions changed. The default for this parameter is (in octal)
+ 000. The modes in this parameter are bitwise 'OR'ed onto the file
+ mode after the mask set in the <parameter moreinfo="none">create mask</parameter>
+ parameter is applied.</para>
+
+ <para>See also the parameter <link linkend="CREATEMASK"><parameter moreinfo="none">create
+ mask</parameter></link> for details on masking mode bits on files.</para>
+
+ <para>See also the <link linkend="INHERITPERMISSIONS"><parameter moreinfo="none">inherit
+ permissions</parameter></link> parameter.</para>
+
+ <para>Default: <command moreinfo="none">force create mode = 000</command></para>
+
+ <para>Example: <command moreinfo="none">force create mode = 0755</command></para>
+
+ <para>would force all created files to have read and execute
+ permissions set for 'group' and 'other' as well as the
+ read/write/execute bits set for the 'user'.</para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/forcedirectorymode.xml b/docs/docbook/smbdotconf/security/forcedirectorymode.xml
new file mode 100644
index 0000000000..b417f08b24
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/forcedirectorymode.xml
@@ -0,0 +1,29 @@
+<samba:parameter name="force directory mode"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This parameter specifies a set of UNIX mode bit
+ permissions that will <emphasis>always</emphasis> be set on a directory
+ created by Samba. This is done by bitwise 'OR'ing these bits onto the
+ mode bits of a directory that is being created. The default for this
+ parameter is (in octal) 0000 which will not add any extra permission
+ bits to a created directory. This operation is done after the mode
+ mask in the parameter <parameter moreinfo="none">directory mask</parameter> is
+ applied.</para>
+
+ <para>See also the parameter <link linkend="DIRECTORYMASK"><parameter moreinfo="none">
+ directory mask</parameter></link> for details on masking mode bits
+ on created directories.</para>
+
+ <para>See also the <link linkend="INHERITPERMISSIONS"><parameter moreinfo="none">
+ inherit permissions</parameter></link> parameter.</para>
+
+ <para>Default: <command moreinfo="none">force directory mode = 000</command></para>
+
+ <para>Example: <command moreinfo="none">force directory mode = 0755</command></para>
+
+ <para>would force all created directories to have read and execute
+ permissions set for 'group' and 'other' as well as the
+ read/write/execute bits set for the 'user'.</para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/forcedirectorysecuritymode.xml b/docs/docbook/smbdotconf/security/forcedirectorysecuritymode.xml
new file mode 100644
index 0000000000..8c35ccbf8a
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/forcedirectorysecuritymode.xml
@@ -0,0 +1,35 @@
+<samba:parameter name="force directory security mode"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This parameter controls what UNIX permission bits
+ can be modified when a Windows NT client is manipulating the UNIX
+ permission on a directory using the native NT security dialog box.</para>
+
+ <para>This parameter is applied as a mask (OR'ed with) to the
+ changed permission bits, thus forcing any bits in this mask that
+ the user may have modified to be on. Essentially, one bits in this
+ mask may be treated as a set of bits that, when modifying security
+ on a directory, the user has always set to be 'on'.</para>
+
+ <para>If not set explicitly this parameter is 000, which
+ allows a user to modify all the user/group/world permissions on a
+ directory without restrictions.</para>
+
+ <para><emphasis>Note</emphasis> that users who can access the
+ Samba server through other means can easily bypass this restriction,
+ so it is primarily useful for standalone &quot;appliance&quot; systems.
+ Administrators of most normal systems will probably want to leave
+ it set as 0000.</para>
+
+ <para>See also the <link linkend="DIRECTORYSECURITYMASK"><parameter moreinfo="none">
+ directory security mask</parameter></link>, <link linkend="SECURITYMASK">
+ <parameter moreinfo="none">security mask</parameter></link>,
+ <link linkend="FORCESECURITYMODE"><parameter moreinfo="none">force security mode
+ </parameter></link> parameters.</para>
+
+ <para>Default: <command moreinfo="none">force directory security mode = 0</command></para>
+
+ <para>Example: <command moreinfo="none">force directory security mode = 700</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/forcegroup.xml b/docs/docbook/smbdotconf/security/forcegroup.xml
new file mode 100644
index 0000000000..eafdfe8e23
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/forcegroup.xml
@@ -0,0 +1,37 @@
+<samba:parameter name="force group"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This specifies a UNIX group name that will be
+ assigned as the default primary group for all users connecting
+ to this service. This is useful for sharing files by ensuring
+ that all access to files on service will use the named group for
+ their permissions checking. Thus, by assigning permissions for this
+ group to the files and directories within this service the Samba
+ administrator can restrict or allow sharing of these files.</para>
+
+ <para>In Samba 2.0.5 and above this parameter has extended
+ functionality in the following way. If the group name listed here
+ has a '+' character prepended to it then the current user accessing
+ the share only has the primary group default assigned to this group
+ if they are already assigned as a member of that group. This allows
+ an administrator to decide that only users who are already in a
+ particular group will create files with group ownership set to that
+ group. This gives a finer granularity of ownership assignment. For
+ example, the setting <filename moreinfo="none">force group = +sys</filename> means
+ that only users who are already in group sys will have their default
+ primary group assigned to sys when accessing this Samba share. All
+ other users will retain their ordinary primary group.</para>
+
+ <para>If the <link linkend="FORCEUSER"><parameter moreinfo="none">force user</parameter>
+ </link> parameter is also set the group specified in
+ <parameter moreinfo="none">force group</parameter> will override the primary group
+ set in <parameter moreinfo="none">force user</parameter>.</para>
+
+ <para>See also <link linkend="FORCEUSER"><parameter moreinfo="none">force user</parameter></link>.</para>
+
+ <para>Default: <emphasis>no forced group</emphasis></para>
+
+ <para>Example: <command moreinfo="none">force group = agroup</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/forcesecuritymode.xml b/docs/docbook/smbdotconf/security/forcesecuritymode.xml
new file mode 100644
index 0000000000..4151239f53
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/forcesecuritymode.xml
@@ -0,0 +1,36 @@
+<samba:parameter name="force security mode"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This parameter controls what UNIX permission
+ bits can be modified when a Windows NT client is manipulating
+ the UNIX permission on a file using the native NT security dialog
+ box.</para>
+
+ <para>This parameter is applied as a mask (OR'ed with) to the
+ changed permission bits, thus forcing any bits in this mask that
+ the user may have modified to be on. Essentially, one bits in this
+ mask may be treated as a set of bits that, when modifying security
+ on a file, the user has always set to be 'on'.</para>
+
+ <para>If not set explicitly this parameter is set to 0,
+ and allows a user to modify all the user/group/world permissions on a file,
+ with no restrictions.</para>
+
+ <para><emphasis>Note</emphasis> that users who can access
+ the Samba server through other means can easily bypass this restriction,
+ so it is primarily useful for standalone &quot;appliance&quot; systems.
+ Administrators of most normal systems will probably want to leave
+ this set to 0000.</para>
+
+ <para>See also the <link linkend="FORCEDIRECTORYSECURITYMODE"><parameter moreinfo="none">
+ force directory security mode</parameter></link>,
+ <link linkend="DIRECTORYSECURITYMASK"><parameter moreinfo="none">directory security
+ mask</parameter></link>, <link linkend="SECURITYMASK"><parameter moreinfo="none">
+ security mask</parameter></link> parameters.</para>
+
+ <para>Default: <command moreinfo="none">force security mode = 0</command></para>
+
+ <para>Example: <command moreinfo="none">force security mode = 700</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/forceuser.xml b/docs/docbook/smbdotconf/security/forceuser.xml
new file mode 100644
index 0000000000..79c7aa3806
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/forceuser.xml
@@ -0,0 +1,27 @@
+<samba:parameter name="force user"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This specifies a UNIX user name that will be
+ assigned as the default user for all users connecting to this service.
+ This is useful for sharing files. You should also use it carefully
+ as using it incorrectly can cause security problems.</para>
+
+ <para>This user name only gets used once a connection is established.
+ Thus clients still need to connect as a valid user and supply a
+ valid password. Once connected, all file operations will be performed
+ as the &quot;forced user&quot;, no matter what username the client connected
+ as. This can be very useful.</para>
+
+ <para>In Samba 2.0.5 and above this parameter also causes the
+ primary group of the forced user to be used as the primary group
+ for all file activity. Prior to 2.0.5 the primary group was left
+ as the primary group of the connecting user (this was a bug).</para>
+
+ <para>See also <link linkend="FORCEGROUP"><parameter moreinfo="none">force group</parameter></link></para>
+
+ <para>Default: <emphasis>no forced user</emphasis></para>
+
+ <para>Example: <command moreinfo="none">force user = auser</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/group.xml b/docs/docbook/smbdotconf/security/group.xml
new file mode 100644
index 0000000000..453ca0f45b
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/group.xml
@@ -0,0 +1,9 @@
+<samba:parameter name="group"
+ context="S"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>Synonym for <link linkend="FORCEGROUP">
+ <parameter moreinfo="none">force group</parameter></link>.</para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/guestaccount.xml b/docs/docbook/smbdotconf/security/guestaccount.xml
new file mode 100644
index 0000000000..9db3b6362d
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/guestaccount.xml
@@ -0,0 +1,31 @@
+<samba:parameter name="guest account"
+ context="G,S"
+ basic="1" advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This is a username which will be used for access
+ to services which are specified as <link linkend="GUESTOK"><parameter moreinfo="none">
+ guest ok</parameter></link> (see below). Whatever privileges this
+ user has will be available to any client connecting to the guest service.
+ Typically this user will exist in the password file, but will not
+ have a valid login. The user account &quot;ftp&quot; is often a good choice
+ for this parameter. If a username is specified in a given service,
+ the specified username overrides this one.
+ </para>
+
+ <para>One some systems the default guest account &quot;nobody&quot; may not
+ be able to print. Use another account in this case. You should test
+ this by trying to log in as your guest user (perhaps by using the
+ <command moreinfo="none">su -</command> command) and trying to print using the
+ system print command such as <command moreinfo="none">lpr(1)</command> or <command moreinfo="none">
+ lp(1)</command>.</para>
+
+ <para>This parameter does not accept % macros, because
+ many parts of the system require this value to be
+ constant for correct operation.</para>
+
+ <para>Default: <emphasis>specified at compile time, usually &quot;nobody&quot;</emphasis></para>
+
+ <para>Example: <command moreinfo="none">guest account = ftp</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/guestok.xml b/docs/docbook/smbdotconf/security/guestok.xml
new file mode 100644
index 0000000000..eef1801dc3
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/guestok.xml
@@ -0,0 +1,21 @@
+<samba:parameter name="guest ok"
+ context="S"
+ basic="1" advanced="1" print="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>If this parameter is <constant>yes</constant> for
+ a service, then no password is required to connect to the service.
+ Privileges will be those of the <link linkend="GUESTACCOUNT"><parameter moreinfo="none">
+ guest account</parameter></link>.</para>
+
+ <para>This paramater nullifies the benifits of setting
+ <link linkend="RESTRICTANONYMOUS"><parameter moreinfo="none">restrict
+ anonymous</parameter></link> = 2</para>
+
+ <para>See the section below on <link linkend="SECURITY"><parameter moreinfo="none">
+ security</parameter></link> for more information about this option.
+ </para>
+
+ <para>Default: <command moreinfo="none">guest ok = no</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/guestonly.xml b/docs/docbook/smbdotconf/security/guestonly.xml
new file mode 100644
index 0000000000..f116a5f22c
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/guestonly.xml
@@ -0,0 +1,16 @@
+<samba:parameter name="guest only"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>If this parameter is <constant>yes</constant> for
+ a service, then only guest connections to the service are permitted.
+ This parameter will have no effect if <link linkend="GUESTOK">
+ <parameter moreinfo="none">guest ok</parameter></link> is not set for the service.</para>
+
+ <para>See the section below on <link linkend="SECURITY"><parameter moreinfo="none">
+ security</parameter></link> for more information about this option.
+ </para>
+
+ <para>Default: <command moreinfo="none">guest only = no</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/hostsallow.xml b/docs/docbook/smbdotconf/security/hostsallow.xml
new file mode 100644
index 0000000000..95aa7ee516
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/hostsallow.xml
@@ -0,0 +1,62 @@
+<samba:parameter name="hosts allow"
+ context="S"
+ basic="1" advanced="1" print="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>A synonym for this parameter is <parameter moreinfo="none">allow
+ hosts</parameter>.</para>
+
+ <para>This parameter is a comma, space, or tab delimited
+ set of hosts which are permitted to access a service.</para>
+
+ <para>If specified in the [global] section then it will
+ apply to all services, regardless of whether the individual
+ service has a different setting.</para>
+
+ <para>You can specify the hosts by name or IP number. For
+ example, you could restrict access to only the hosts on a
+ Class C subnet with something like <command moreinfo="none">allow hosts = 150.203.5.
+ </command>. The full syntax of the list is described in the man
+ page <filename moreinfo="none">hosts_access(5)</filename>. Note that this man
+ page may not be present on your system, so a brief description will
+ be given here also.</para>
+
+ <para>Note that the localhost address 127.0.0.1 will always
+ be allowed access unless specifically denied by a <link linkend="HOSTSDENY">
+ <parameter moreinfo="none">hosts deny</parameter></link> option.</para>
+
+ <para>You can also specify hosts by network/netmask pairs and
+ by netgroup names if your system supports netgroups. The
+ <emphasis>EXCEPT</emphasis> keyword can also be used to limit a
+ wildcard list. The following examples may provide some help:</para>
+
+ <para>Example 1: allow all IPs in 150.203.*.*; except one</para>
+
+ <para><command moreinfo="none">hosts allow = 150.203. EXCEPT 150.203.6.66</command></para>
+
+ <para>Example 2: allow hosts that match the given network/netmask</para>
+
+ <para><command moreinfo="none">hosts allow = 150.203.15.0/255.255.255.0</command></para>
+
+ <para>Example 3: allow a couple of hosts</para>
+
+ <para><command moreinfo="none">hosts allow = lapland, arvidsjaur</command></para>
+
+ <para>Example 4: allow only hosts in NIS netgroup &quot;foonet&quot;, but
+ deny access from one particular host</para>
+
+ <para><command moreinfo="none">hosts allow = @foonet</command></para>
+
+ <para><command moreinfo="none">hosts deny = pirate</command></para>
+
+ <note><para>Note that access still requires suitable user-level passwords.</para></note>
+
+ <para>See <citerefentry><refentrytitle>testparm</refentrytitle>
+ <manvolnum>1</manvolnum></citerefentry> for a way of testing your host access
+ to see if it does what you expect.</para>
+
+ <para>Default: <emphasis>none (i.e., all hosts permitted access)</emphasis></para>
+
+ <para>Example: <command moreinfo="none">allow hosts = 150.203.5. myhost.mynet.edu.au</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/hostsdeny.xml b/docs/docbook/smbdotconf/security/hostsdeny.xml
new file mode 100644
index 0000000000..e4b47051fa
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/hostsdeny.xml
@@ -0,0 +1,16 @@
+<samba:parameter name="hosts deny"
+ context="S"
+ basic="1" advanced="1" print="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>The opposite of <parameter moreinfo="none">hosts allow</parameter>
+ - hosts listed here are <emphasis>NOT</emphasis> permitted access to
+ services unless the specific services have their own lists to override
+ this one. Where the lists conflict, the <parameter moreinfo="none">allow</parameter>
+ list takes precedence.</para>
+
+ <para>Default: <emphasis>none (i.e., no hosts specifically excluded)</emphasis></para>
+
+ <para>Example: <command moreinfo="none">hosts deny = 150.203.4. badhost.mynet.edu.au</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/hostsequiv.xml b/docs/docbook/smbdotconf/security/hostsequiv.xml
new file mode 100644
index 0000000000..873053be28
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/hostsequiv.xml
@@ -0,0 +1,29 @@
+<samba:parameter name="hosts equiv"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>If this global parameter is a non-null string,
+ it specifies the name of a file to read for the names of hosts
+ and users who will be allowed access without specifying a password.
+ </para>
+
+ <para>This is not be confused with <link linkend="HOSTSALLOW">
+ <parameter moreinfo="none">hosts allow</parameter></link> which is about hosts
+ access to services and is more useful for guest services. <parameter moreinfo="none">
+ hosts equiv</parameter> may be useful for NT clients which will
+ not supply passwords to Samba.</para>
+
+ <note><para>The use of <parameter moreinfo="none">hosts equiv
+ </parameter> can be a major security hole. This is because you are
+ trusting the PC to supply the correct username. It is very easy to
+ get a PC to supply a false username. I recommend that the
+ <parameter moreinfo="none">hosts equiv</parameter> option be only used if you really
+ know what you are doing, or perhaps on a home network where you trust
+ your spouse and kids. And only if you <emphasis>really</emphasis> trust
+ them :-).</para></note>
+
+ <para>Default: <emphasis>no host equivalences</emphasis></para>
+ <para>Example: <command moreinfo="none">hosts equiv = /etc/hosts.equiv</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/inheritacls.xml b/docs/docbook/smbdotconf/security/inheritacls.xml
new file mode 100644
index 0000000000..6fcfdc19ce
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/inheritacls.xml
@@ -0,0 +1,14 @@
+<samba:parameter name="inherit acls"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This parameter can be used to ensure that if default acls
+ exist on parent directories, they are always honored when creating a
+ subdirectory. The default behavior is to use the mode specified when
+ creating the directory. Enabling this option sets the mode to 0777,
+ thus guaranteeing that default directory acls are propagated.
+ </para>
+
+ <para>Default: <command moreinfo="none">inherit acls = no</command>
+</para></listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/inheritpermissions.xml b/docs/docbook/smbdotconf/security/inheritpermissions.xml
new file mode 100644
index 0000000000..aacf169863
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/inheritpermissions.xml
@@ -0,0 +1,40 @@
+<samba:parameter name="inherit permissions"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>The permissions on new files and directories
+ are normally governed by <link linkend="CREATEMASK"><parameter moreinfo="none">
+ create mask</parameter></link>, <link linkend="DIRECTORYMASK">
+ <parameter moreinfo="none">directory mask</parameter></link>, <link linkend="FORCECREATEMODE">
+ <parameter moreinfo="none">force create mode</parameter>
+ </link> and <link linkend="FORCEDIRECTORYMODE"><parameter moreinfo="none">force
+ directory mode</parameter></link> but the boolean inherit
+ permissions parameter overrides this.</para>
+
+ <para>New directories inherit the mode of the parent directory,
+ including bits such as setgid.</para>
+
+ <para>New files inherit their read/write bits from the parent
+ directory. Their execute bits continue to be determined by
+ <link linkend="MAPARCHIVE"><parameter moreinfo="none">map archive</parameter>
+ </link>, <link linkend="MAPHIDDEN"><parameter moreinfo="none">map hidden</parameter>
+ </link> and <link linkend="MAPSYSTEM"><parameter moreinfo="none">map system</parameter>
+ </link> as usual.</para>
+
+ <para>Note that the setuid bit is <emphasis>never</emphasis> set via
+ inheritance (the code explicitly prohibits this).</para>
+
+ <para>This can be particularly useful on large systems with
+ many users, perhaps several thousand, to allow a single [homes]
+ share to be used flexibly by each user.</para>
+
+ <para>See also <link linkend="CREATEMASK"><parameter moreinfo="none">create mask
+ </parameter></link>, <link linkend="DIRECTORYMASK"><parameter moreinfo="none">
+ directory mask</parameter></link>, <link linkend="FORCECREATEMODE">
+ <parameter moreinfo="none">force create mode</parameter></link> and <link linkend="FORCEDIRECTORYMODE">
+ <parameter moreinfo="none">force directory mode</parameter>
+ </link>.</para>
+
+ <para>Default: <command moreinfo="none">inherit permissions = no</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/invalidusers.xml b/docs/docbook/smbdotconf/security/invalidusers.xml
new file mode 100644
index 0000000000..f9d5d218e8
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/invalidusers.xml
@@ -0,0 +1,35 @@
+<samba:parameter name="invalid users"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This is a list of users that should not be allowed
+ to login to this service. This is really a <emphasis>paranoid</emphasis>
+ check to absolutely ensure an improper setting does not breach
+ your security.</para>
+
+ <para>A name starting with a '@' is interpreted as an NIS
+ netgroup first (if your system supports NIS), and then as a UNIX
+ group if the name was not found in the NIS netgroup database.</para>
+
+ <para>A name starting with '+' is interpreted only
+ by looking in the UNIX group database. A name starting with
+ '&amp;' is interpreted only by looking in the NIS netgroup database
+ (this requires NIS to be working on your system). The characters
+ '+' and '&amp;' may be used at the start of the name in either order
+ so the value <parameter moreinfo="none">+&amp;group</parameter> means check the
+ UNIX group database, followed by the NIS netgroup database, and
+ the value <parameter moreinfo="none">&amp;+group</parameter> means check the NIS
+ netgroup database, followed by the UNIX group database (the
+ same as the '@' prefix).</para>
+
+ <para>The current servicename is substituted for <parameter moreinfo="none">%S</parameter>.
+ This is useful in the [homes] section.</para>
+
+ <para>See also <link linkend="VALIDUSERS"><parameter moreinfo="none">valid users
+ </parameter></link>.</para>
+
+ <para>Default: <emphasis>no invalid users</emphasis></para>
+
+ <para>Example: <command moreinfo="none">invalid users = root fred admin @wheel</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/lanmanauth.xml b/docs/docbook/smbdotconf/security/lanmanauth.xml
new file mode 100644
index 0000000000..e293242472
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/lanmanauth.xml
@@ -0,0 +1,14 @@
+<samba:parameter name="lanman auth"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> will attempt to authenticate users
+ using the LANMAN password hash. If disabled, only clients which support NT
+ password hashes (e.g. Windows NT/2000 clients, smbclient, etc... but not
+ Windows 95/98 or the MS DOS network client) will be able to connect to the Samba host.</para>
+
+ <para>Default : <command moreinfo="none">lanman auth = yes</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/maptoguest.xml b/docs/docbook/smbdotconf/security/maptoguest.xml
new file mode 100644
index 0000000000..4f66319928
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/maptoguest.xml
@@ -0,0 +1,62 @@
+<samba:parameter name="map to guest"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This parameter is only useful in <link linkend="SECURITY">
+ security</link> modes other than <parameter moreinfo="none">security = share</parameter>
+ - i.e. <constant>user</constant>, <constant>server</constant>,
+ and <constant>domain</constant>.</para>
+
+ <para>This parameter can take three different values, which tell
+ <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> what to do with user
+ login requests that don't match a valid UNIX user in some way.</para>
+
+ <para>The three settings are :</para>
+
+ <itemizedlist>
+ <listitem>
+ <para><constant>Never</constant> - Means user login
+ requests with an invalid password are rejected. This is the
+ default.</para>
+ </listitem>
+
+ <listitem>
+ <para><constant>Bad User</constant> - Means user
+ logins with an invalid password are rejected, unless the username
+ does not exist, in which case it is treated as a guest login and
+ mapped into the <link linkend="GUESTACCOUNT"><parameter moreinfo="none">
+ guest account</parameter></link>.</para>
+ </listitem>
+
+ <listitem>
+ <para><constant>Bad Password</constant> - Means user logins
+ with an invalid password are treated as a guest login and mapped
+ into the <link linkend="GUESTACCOUNT">guest account</link>. Note that
+ this can cause problems as it means that any user incorrectly typing
+ their password will be silently logged on as &quot;guest&quot; - and
+ will not know the reason they cannot access files they think
+ they should - there will have been no message given to them
+ that they got their password wrong. Helpdesk services will
+ <emphasis>hate</emphasis> you if you set the <parameter moreinfo="none">map to
+ guest</parameter> parameter this way :-).</para>
+ </listitem>
+ </itemizedlist>
+
+ <para>Note that this parameter is needed to set up &quot;Guest&quot;
+ share services when using <parameter moreinfo="none">security</parameter> modes other than
+ share. This is because in these modes the name of the resource being
+ requested is <emphasis>not</emphasis> sent to the server until after
+ the server has successfully authenticated the client so the server
+ cannot make authentication decisions at the correct time (connection
+ to the share) for &quot;Guest&quot; shares.</para>
+
+ <para>For people familiar with the older Samba releases, this
+ parameter maps to the old compile-time setting of the <constant>
+ GUEST_SESSSETUP</constant> value in local.h.</para>
+
+ <para>Default: <command moreinfo="none">map to guest = Never</command></para>
+ <para>Example: <command moreinfo="none">map to guest = Bad User</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/minpasswdlength.xml b/docs/docbook/smbdotconf/security/minpasswdlength.xml
new file mode 100644
index 0000000000..d7ecc3e21b
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/minpasswdlength.xml
@@ -0,0 +1,10 @@
+<samba:parameter name="min passwd length"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>Synonym for <link linkend="MINPASSWORDLENGTH">
+ <parameter moreinfo="none">min password length</parameter></link>.
+ </para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/nonunixaccountrange.xml b/docs/docbook/smbdotconf/security/nonunixaccountrange.xml
new file mode 100644
index 0000000000..4004af2d94
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/nonunixaccountrange.xml
@@ -0,0 +1,25 @@
+<samba:parameter name="non unix account range"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>The non unix account range parameter specifies
+ the range of 'user ids' that are allocated by the various 'non unix
+ account' passdb backends. These backends allow
+ the storage of passwords for users who don't exist in /etc/passwd.
+ This is most often used for machine account creation.
+ This range of ids should have no existing local or NIS users within
+ it as strange conflicts can occur otherwise.</para>
+
+ <note>
+ <para>These userids never appear on the system and Samba will never
+ 'become' these users. They are used only to ensure that the algorithmic
+ RID mapping does not conflict with normal users.
+ </para>
+ </note>
+
+ <para>Default: <command moreinfo="none">non unix account range = &lt;empty string&gt;</command></para>
+
+ <para>Example: <command moreinfo="none">non unix account range = 10000-20000</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/ntlmauth.xml b/docs/docbook/smbdotconf/security/ntlmauth.xml
new file mode 100644
index 0000000000..b0b3179ab7
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/ntlmauth.xml
@@ -0,0 +1,15 @@
+<samba:parameter name="ntlm auth"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> will attempt to authenticate users using the NTLM password hash.
+ If disabled, only the lanman password hashes will be used.</para>
+
+ <para>Please note that at least this option or <command moreinfo="none">lanman auth</command> should
+ be enabled in order to be able to log in.</para>
+
+ <para>Default : <command moreinfo="none">ntlm auth = yes</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/nullpasswords.xml b/docs/docbook/smbdotconf/security/nullpasswords.xml
new file mode 100644
index 0000000000..944a307eb7
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/nullpasswords.xml
@@ -0,0 +1,13 @@
+<samba:parameter name="null passwords"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>Allow or disallow client access to accounts that have null passwords. </para>
+
+ <para>See also <citerefentry><refentrytitle>smbpasswd</refentrytitle>
+ <manvolnum>5</manvolnum></citerefentry>.</para>
+
+ <para>Default: <command moreinfo="none">null passwords = no</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/obeypamrestrictions.xml b/docs/docbook/smbdotconf/security/obeypamrestrictions.xml
new file mode 100644
index 0000000000..42d6b5cc43
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/obeypamrestrictions.xml
@@ -0,0 +1,19 @@
+<samba:parameter name="obey pam restrictions"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>When Samba 3.0 is configured to enable PAM support
+ (i.e. --with-pam), this parameter will control whether or not Samba
+ should obey PAM's account and session management directives. The
+ default behavior is to use PAM for clear text authentication only
+ and to ignore any account or session management. Note that Samba
+ always ignores PAM for authentication in the case of <link linkend="ENCRYPTPASSWORDS">
+ <parameter moreinfo="none">encrypt passwords = yes</parameter></link>. The reason
+ is that PAM modules cannot support the challenge/response
+ authentication mechanism needed in the presence of SMB password encryption.
+ </para>
+
+ <para>Default: <command moreinfo="none">obey pam restrictions = no</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/onlyguest.xml b/docs/docbook/smbdotconf/security/onlyguest.xml
new file mode 100644
index 0000000000..756c682ab3
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/onlyguest.xml
@@ -0,0 +1,8 @@
+<samba:parameter name="only guest"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>A synonym for <link linkend="GUESTONLY"><parameter moreinfo="none">
+ guest only</parameter></link>.</para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/onlyuser.xml b/docs/docbook/smbdotconf/security/onlyuser.xml
new file mode 100644
index 0000000000..9975023ecb
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/onlyuser.xml
@@ -0,0 +1,26 @@
+<samba:parameter name="only user"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This is a boolean option that controls whether
+ connections with usernames not in the <parameter moreinfo="none">user</parameter>
+ list will be allowed. By default this option is disabled so that a
+ client can supply a username to be used by the server. Enabling
+ this parameter will force the server to only use the login
+ names from the <parameter moreinfo="none">user</parameter> list and is only really
+ useful in <link linkend="SECURITYEQUALSSHARE">share level</link>
+ security.</para>
+
+ <para>Note that this also means Samba won't try to deduce
+ usernames from the service name. This can be annoying for
+ the [homes] section. To get around this you could use <command moreinfo="none">user =
+ %S</command> which means your <parameter moreinfo="none">user</parameter> list
+ will be just the service name, which for home directories is the
+ name of the user.</para>
+
+ <para>See also the <link linkend="USER"><parameter moreinfo="none">user</parameter>
+ </link> parameter.</para>
+
+ <para>Default: <command moreinfo="none">only user = no</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/pampasswordchange.xml b/docs/docbook/smbdotconf/security/pampasswordchange.xml
new file mode 100644
index 0000000000..5eb60e5270
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/pampasswordchange.xml
@@ -0,0 +1,17 @@
+<samba:parameter name="pam password change"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>With the addition of better PAM support in Samba 2.2,
+ this parameter, it is possible to use PAM's password change control
+ flag for Samba. If enabled, then PAM will be used for password
+ changes when requested by an SMB client instead of the program listed in
+ <link linkend="PASSWDPROGRAM"><parameter moreinfo="none">passwd program</parameter></link>.
+ It should be possible to enable this without changing your
+ <link linkend="PASSWDCHAT"><parameter moreinfo="none">passwd chat</parameter></link>
+ parameter for most setups.</para>
+
+ <para>Default: <command moreinfo="none">pam password change = no</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/passwdchat.xml b/docs/docbook/smbdotconf/security/passwdchat.xml
new file mode 100644
index 0000000000..fcefd8f8df
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/passwdchat.xml
@@ -0,0 +1,62 @@
+<samba:parameter name="passwd chat"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This string controls the <emphasis>&quot;chat&quot;</emphasis>
+ conversation that takes places between <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> and the local password changing
+ program to change the user's password. The string describes a
+ sequence of response-receive pairs that <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> uses to determine what to send to the
+ <link linkend="PASSWDPROGRAM"><parameter moreinfo="none">passwd program</parameter>
+ </link> and what to expect back. If the expected output is not
+ received then the password is not changed.</para>
+
+ <para>This chat sequence is often quite site specific, depending
+ on what local methods are used for password control (such as NIS
+ etc).</para>
+
+ <para>Note that this parameter only is only used if the <link
+ linkend="UNIXPASSWORDSYNC"> <parameter moreinfo="none">unix password sync</parameter>
+ </link> parameter is set to <constant>yes</constant>. This sequence is
+ then called <emphasis>AS ROOT</emphasis> when the SMB password in the
+ smbpasswd file is being changed, without access to the old password
+ cleartext. This means that root must be able to reset the user's password without
+ knowing the text of the previous password. In the presence of
+ NIS/YP, this means that the <link linkend="PASSWDPROGRAM">passwd program</link> must
+ be executed on the NIS master.
+ </para>
+
+
+ <para>The string can contain the macro <parameter moreinfo="none">%n</parameter> which is substituted
+ for the new password. The chat sequence can also contain the standard
+ macros <constant>\\n</constant>, <constant>\\r</constant>, <constant>\\t</constant> and <constant>\\s</constant> to
+ give line-feed, carriage-return, tab and space. The chat sequence string can also contain
+ a '*' which matches any sequence of characters. Double quotes can be used to collect strings with spaces
+ in them into a single string.</para>
+
+ <para>If the send string in any part of the chat sequence is a full
+ stop &quot;.&quot;, then no string is sent. Similarly, if the
+ expect string is a full stop then no string is expected.</para>
+
+ <para>If the <link linkend="PAMPASSWORDCHANGE"><parameter moreinfo="none">pam
+ password change</parameter></link> parameter is set to <constant>yes</constant>, the chat pairs
+ may be matched in any order, and success is determined by the PAM result,
+ not any particular output. The \n macro is ignored for PAM conversions.
+ </para>
+
+ <para>See also <link linkend="UNIXPASSWORDSYNC"><parameter moreinfo="none">unix password
+ sync</parameter></link>, <link linkend="PASSWDPROGRAM"><parameter moreinfo="none">
+ passwd program</parameter></link> ,<link linkend="PASSWDCHATDEBUG">
+ <parameter moreinfo="none">passwd chat debug</parameter></link> and <link linkend="PAMPASSWORDCHANGE">
+ <parameter moreinfo="none">pam password change</parameter></link>.</para>
+
+ <para>Default: <command moreinfo="none">passwd chat = *new*password* %n\\n
+ *new*password* %n\\n *changed*</command></para>
+
+ <para>Example: <command moreinfo="none">passwd chat = &quot;*Enter OLD password*&quot; %o\\n
+ &quot;*Enter NEW password*&quot; %n\\n &quot;*Reenter NEW password*&quot; %n\\n
+ &quot;*Password changed*&quot;</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/passwdchatdebug.xml b/docs/docbook/smbdotconf/security/passwdchatdebug.xml
new file mode 100644
index 0000000000..2d731b5d11
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/passwdchatdebug.xml
@@ -0,0 +1,27 @@
+<samba:parameter name="passwd chat debug"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This boolean specifies if the passwd chat script
+ parameter is run in <emphasis>debug</emphasis> mode. In this mode the
+ strings passed to and received from the passwd chat are printed
+ in the <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> log with a
+ <link linkend="DEBUGLEVEL"><parameter moreinfo="none">debug level</parameter></link>
+ of 100. This is a dangerous option as it will allow plaintext passwords
+ to be seen in the <command moreinfo="none">smbd</command> log. It is available to help
+ Samba admins debug their <parameter moreinfo="none">passwd chat</parameter> scripts
+ when calling the <parameter moreinfo="none">passwd program</parameter> and should
+ be turned off after this has been done. This option has no effect if the
+ <link linkend="PAMPASSWORDCHANGE"><parameter moreinfo="none">pam password change</parameter></link>
+ paramter is set. This parameter is off by default.</para>
+
+ <para>See also <link linkend="PASSWDCHAT"><parameter moreinfo="none">passwd chat</parameter>
+ </link>, <link linkend="PAMPASSWORDCHANGE"><parameter moreinfo="none">pam password change</parameter>
+ </link>, <link linkend="PASSWDPROGRAM"><parameter moreinfo="none">passwd program</parameter>
+ </link>.</para>
+
+ <para>Default: <command moreinfo="none">passwd chat debug = no</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/passwdprogram.xml b/docs/docbook/smbdotconf/security/passwdprogram.xml
new file mode 100644
index 0000000000..dbcc261ce4
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/passwdprogram.xml
@@ -0,0 +1,39 @@
+<samba:parameter name="passwd program"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>The name of a program that can be used to set
+ UNIX user passwords. Any occurrences of <parameter moreinfo="none">%u</parameter>
+ will be replaced with the user name. The user name is checked for
+ existence before calling the password changing program.</para>
+
+ <para>Also note that many passwd programs insist in <emphasis>reasonable
+ </emphasis> passwords, such as a minimum length, or the inclusion
+ of mixed case chars and digits. This can pose a problem as some clients
+ (such as Windows for Workgroups) uppercase the password before sending
+ it.</para>
+
+ <para><emphasis>Note</emphasis> that if the <parameter moreinfo="none">unix
+ password sync</parameter> parameter is set to <constant>yes
+ </constant> then this program is called <emphasis>AS ROOT</emphasis>
+ before the SMB password in the <ulink url="smbpasswd.5.html"><citerefentry>
+ <refentrytitle>smbpasswd</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ </ulink> file is changed. If this UNIX password change fails, then
+ <command moreinfo="none">smbd</command> will fail to change the SMB password also
+ (this is by design).</para>
+
+ <para>If the <parameter moreinfo="none">unix password sync</parameter> parameter
+ is set this parameter <emphasis>MUST USE ABSOLUTE PATHS</emphasis>
+ for <emphasis>ALL</emphasis> programs called, and must be examined
+ for security implications. Note that by default <parameter moreinfo="none">unix
+ password sync</parameter> is set to <constant>no</constant>.</para>
+
+ <para>See also <link linkend="UNIXPASSWORDSYNC"><parameter moreinfo="none">unix
+ password sync</parameter></link>.</para>
+
+ <para>Default: <command moreinfo="none">passwd program = /bin/passwd</command></para>
+
+ <para>Example: <command moreinfo="none">passwd program = /sbin/npasswd %u</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/passwordlevel.xml b/docs/docbook/smbdotconf/security/passwordlevel.xml
new file mode 100644
index 0000000000..28b9999731
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/passwordlevel.xml
@@ -0,0 +1,44 @@
+<samba:parameter name="password level"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>Some client/server combinations have difficulty
+ with mixed-case passwords. One offending client is Windows for
+ Workgroups, which for some reason forces passwords to upper
+ case when using the LANMAN1 protocol, but leaves them alone when
+ using COREPLUS! Another problem child is the Windows 95/98
+ family of operating systems. These clients upper case clear
+ text passwords even when NT LM 0.12 selected by the protocol
+ negotiation request/response.</para>
+
+ <para>This parameter defines the maximum number of characters
+ that may be upper case in passwords.</para>
+
+ <para>For example, say the password given was &quot;FRED&quot;. If <parameter moreinfo="none">
+ password level</parameter> is set to 1, the following combinations
+ would be tried if &quot;FRED&quot; failed:</para>
+
+ <para>&quot;Fred&quot;, &quot;fred&quot;, &quot;fRed&quot;, &quot;frEd&quot;,&quot;freD&quot;</para>
+
+ <para>If <parameter moreinfo="none">password level</parameter> was set to 2,
+ the following combinations would also be tried: </para>
+
+ <para>&quot;FRed&quot;, &quot;FrEd&quot;, &quot;FreD&quot;, &quot;fREd&quot;, &quot;fReD&quot;, &quot;frED&quot;, ..</para>
+
+ <para>And so on.</para>
+
+ <para>The higher value this parameter is set to the more likely
+ it is that a mixed case password will be matched against a single
+ case password. However, you should be aware that use of this
+ parameter reduces security and increases the time taken to
+ process a new connection.</para>
+
+ <para>A value of zero will cause only two attempts to be
+ made - the password as is and the password in all-lower case.</para>
+
+ <para>Default: <command moreinfo="none">password level = 0</command></para>
+
+ <para>Example: <command moreinfo="none">password level = 4</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/passwordserver.xml b/docs/docbook/smbdotconf/security/passwordserver.xml
new file mode 100644
index 0000000000..e40ff32b75
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/passwordserver.xml
@@ -0,0 +1,98 @@
+<samba:parameter name="password server"
+ context="G"
+ advanced="1" wizard="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>By specifying the name of another SMB server (such
+ as a WinNT box) with this option, and using <command moreinfo="none">security = domain
+ </command> or <command moreinfo="none">security = server</command> you can get Samba
+ to do all its username/password validation via a remote server.</para>
+
+ <para>This option sets the name of the password server to use.
+ It must be a NetBIOS name, so if the machine's NetBIOS name is
+ different from its Internet name then you may have to add its NetBIOS
+ name to the lmhosts file which is stored in the same directory
+ as the <filename moreinfo="none">smb.conf</filename> file.</para>
+
+ <para>The name of the password server is looked up using the
+ parameter <link linkend="NAMERESOLVEORDER"><parameter moreinfo="none">name
+ resolve order</parameter></link> and so may resolved
+ by any method and order described in that parameter.</para>
+
+ <para>The password server must be a machine capable of using
+ the &quot;LM1.2X002&quot; or the &quot;NT LM 0.12&quot; protocol, and it must be in
+ user level security mode.</para>
+
+ <note><para>Using a password server means your UNIX box (running
+ Samba) is only as secure as your password server. <emphasis>DO NOT
+ CHOOSE A PASSWORD SERVER THAT YOU DON'T COMPLETELY TRUST</emphasis>.
+ </para></note>
+
+ <para>Never point a Samba server at itself for password serving.
+ This will cause a loop and could lock up your Samba server!</para>
+
+ <para>The name of the password server takes the standard
+ substitutions, but probably the only useful one is <parameter moreinfo="none">%m
+ </parameter>, which means the Samba server will use the incoming
+ client as the password server. If you use this then you better
+ trust your clients, and you had better restrict them with hosts allow!</para>
+
+ <para>If the <parameter moreinfo="none">security</parameter> parameter is set to
+ <constant>domain</constant>, then the list of machines in this
+ option must be a list of Primary or Backup Domain controllers for the
+ Domain or the character '*', as the Samba server is effectively
+ in that domain, and will use cryptographically authenticated RPC calls
+ to authenticate the user logging on. The advantage of using <command moreinfo="none">
+ security = domain</command> is that if you list several hosts in the
+ <parameter moreinfo="none">password server</parameter> option then <command moreinfo="none">smbd
+ </command> will try each in turn till it finds one that responds. This
+ is useful in case your primary server goes down.</para>
+
+ <para>If the <parameter moreinfo="none">password server</parameter> option is set
+ to the character '*', then Samba will attempt to auto-locate the
+ Primary or Backup Domain controllers to authenticate against by
+ doing a query for the name <constant>WORKGROUP&lt;1C&gt;</constant>
+ and then contacting each server returned in the list of IP
+ addresses from the name resolution source. </para>
+
+ <para>If the list of servers contains both names and the '*'
+ character, the list is treated as a list of preferred
+ domain controllers, but an auto lookup of all remaining DC's
+ will be added to the list as well. Samba will not attempt to optimize
+ this list by locating the closest DC.</para>
+
+ <para>If the <parameter moreinfo="none">security</parameter> parameter is
+ set to <constant>server</constant>, then there are different
+ restrictions that <command moreinfo="none">security = domain</command> doesn't
+ suffer from:</para>
+
+ <itemizedlist>
+ <listitem>
+ <para>You may list several password servers in
+ the <parameter moreinfo="none">password server</parameter> parameter, however if an
+ <command moreinfo="none">smbd</command> makes a connection to a password server,
+ and then the password server fails, no more users will be able
+ to be authenticated from this <command moreinfo="none">smbd</command>. This is a
+ restriction of the SMB/CIFS protocol when in <command moreinfo="none">security = server
+ </command> mode and cannot be fixed in Samba.</para>
+ </listitem>
+
+ <listitem>
+ <para>If you are using a Windows NT server as your
+ password server then you will have to ensure that your users
+ are able to login from the Samba server, as when in <command moreinfo="none">
+ security = server</command> mode the network logon will appear to
+ come from there rather than from the users workstation.</para>
+ </listitem>
+ </itemizedlist>
+
+ <para>See also the <link linkend="SECURITY"><parameter moreinfo="none">security
+ </parameter></link> parameter.</para>
+
+ <para>Default: <command moreinfo="none">password server = &lt;empty string&gt;</command></para>
+
+ <para>Example: <command moreinfo="none">password server = NT-PDC, NT-BDC1, NT-BDC2, *</command></para>
+
+ <para>Example: <command moreinfo="none">password server = *</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/printeradmin.xml b/docs/docbook/smbdotconf/security/printeradmin.xml
new file mode 100644
index 0000000000..c0640ea188
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/printeradmin.xml
@@ -0,0 +1,15 @@
+<samba:parameter name="printer admin"
+ context="S"
+ print="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This is a list of users that can do anything to
+ printers via the remote administration interfaces offered by MS-RPC
+ (usually using a NT workstation). Note that the root user always
+ has admin rights.</para>
+
+ <para>Default: <command moreinfo="none">printer admin = &lt;empty string&gt;</command></para>
+
+ <para>Example: <command moreinfo="none">printer admin = admin, @staff</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/privatedir.xml b/docs/docbook/smbdotconf/security/privatedir.xml
new file mode 100644
index 0000000000..1fc7eb0b36
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/privatedir.xml
@@ -0,0 +1,13 @@
+<samba:parameter name="private dir"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This parameters defines the directory
+ smbd will use for storing such files as <filename moreinfo="none">smbpasswd</filename>
+ and <filename moreinfo="none">secrets.tdb</filename>.
+ </para>
+
+ <para>Default :<command moreinfo="none">private dir = ${prefix}/private</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/public.xml b/docs/docbook/smbdotconf/security/public.xml
new file mode 100644
index 0000000000..a9e942811e
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/public.xml
@@ -0,0 +1,9 @@
+<samba:parameter name="public"
+ context="S"
+ hide="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>Synonym for <link linkend="GUESTOK"><parameter moreinfo="none">guest
+ ok</parameter></link>.</para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/readlist.xml b/docs/docbook/smbdotconf/security/readlist.xml
new file mode 100644
index 0000000000..41a97e5ffc
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/readlist.xml
@@ -0,0 +1,22 @@
+<samba:parameter name="read list"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This is a list of users that are given read-only
+ access to a service. If the connecting user is in this list then
+ they will not be given write access, no matter what the <link linkend="READONLY">
+ <parameter moreinfo="none">read only</parameter></link>
+ option is set to. The list can include group names using the
+ syntax described in the <link linkend="INVALIDUSERS"><parameter moreinfo="none">
+ invalid users</parameter></link> parameter.</para>
+
+ <para>See also the <link linkend="WRITELIST"><parameter moreinfo="none">
+ write list</parameter></link> parameter and the <link linkend="INVALIDUSERS">
+ <parameter moreinfo="none">invalid users</parameter>
+ </link> parameter.</para>
+
+ <para>Default: <command moreinfo="none">read list = &lt;empty string&gt;</command></para>
+
+ <para>Example: <command moreinfo="none">read list = mary, @students</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/readonly.xml b/docs/docbook/smbdotconf/security/readonly.xml
new file mode 100644
index 0000000000..e71301c3e5
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/readonly.xml
@@ -0,0 +1,19 @@
+<samba:parameter name="read only"
+ context="S"
+ basic="1" advanced="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>An inverted synonym is <link linkend="WRITEABLE">
+ <parameter moreinfo="none">writeable</parameter></link>.</para>
+
+ <para>If this parameter is <constant>yes</constant>, then users
+ of a service may not create or modify files in the service's
+ directory.</para>
+
+ <para>Note that a printable service (<command moreinfo="none">printable = yes</command>)
+ will <emphasis>ALWAYS</emphasis> allow writing to the directory
+ (user privileges permitting), but only via spooling operations.</para>
+
+ <para>Default: <command moreinfo="none">read only = yes</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/root.xml b/docs/docbook/smbdotconf/security/root.xml
new file mode 100644
index 0000000000..1199d54099
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/root.xml
@@ -0,0 +1,10 @@
+<samba:parameter name="root"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>Synonym for <link linkend="ROOTDIRECTORY">
+ <parameter moreinfo="none">root directory&quot;</parameter></link>.
+ </para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/rootdir.xml b/docs/docbook/smbdotconf/security/rootdir.xml
new file mode 100644
index 0000000000..e4e5f0e509
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/rootdir.xml
@@ -0,0 +1,10 @@
+<samba:parameter name="root dir"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>Synonym for <link linkend="ROOTDIRECTORY">
+ <parameter moreinfo="none">root directory&quot;</parameter></link>.
+ </para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/rootdirectory.xml b/docs/docbook/smbdotconf/security/rootdirectory.xml
new file mode 100644
index 0000000000..9c3e9cfad2
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/rootdirectory.xml
@@ -0,0 +1,34 @@
+<samba:parameter name="root directory"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>The server will <command moreinfo="none">chroot()</command> (i.e.
+ Change its root directory) to this directory on startup. This is
+ not strictly necessary for secure operation. Even without it the
+ server will deny access to files not in one of the service entries.
+ It may also check for, and deny access to, soft links to other
+ parts of the filesystem, or attempts to use &quot;..&quot; in file names
+ to access other directories (depending on the setting of the <link linkend="WIDELINKS">
+ <parameter moreinfo="none">wide links</parameter></link>
+ parameter).
+ </para>
+
+ <para>Adding a <parameter moreinfo="none">root directory</parameter> entry other
+ than &quot;/&quot; adds an extra level of security, but at a price. It
+ absolutely ensures that no access is given to files not in the
+ sub-tree specified in the <parameter moreinfo="none">root directory</parameter>
+ option, <emphasis>including</emphasis> some files needed for
+ complete operation of the server. To maintain full operability
+ of the server you will need to mirror some system files
+ into the <parameter moreinfo="none">root directory</parameter> tree. In particular
+ you will need to mirror <filename moreinfo="none">/etc/passwd</filename> (or a
+ subset of it), and any binaries or configuration files needed for
+ printing (if required). The set of files that must be mirrored is
+ operating system dependent.</para>
+
+ <para>Default: <command moreinfo="none">root directory = /</command></para>
+
+ <para>Example: <command moreinfo="none">root directory = /homes/smb</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/security.xml b/docs/docbook/smbdotconf/security/security.xml
new file mode 100644
index 0000000000..68c5f2cdd2
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/security.xml
@@ -0,0 +1,254 @@
+<samba:parameter name="security"
+ context="G"
+ basic="1" advanced="1" wizard="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This option affects how clients respond to
+ Samba and is one of the most important settings in the <filename moreinfo="none">
+ smb.conf</filename> file.</para>
+
+ <para>The option sets the &quot;security mode bit&quot; in replies to
+ protocol negotiations with <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> to turn share level security on or off. Clients decide
+ based on this bit whether (and how) to transfer user and password
+ information to the server.</para>
+
+
+ <para>The default is <command moreinfo="none">security = user</command>, as this is
+ the most common setting needed when talking to Windows 98 and
+ Windows NT.</para>
+
+ <para>The alternatives are <command moreinfo="none">security = share</command>,
+ <command moreinfo="none">security = server</command> or <command moreinfo="none">security = domain
+ </command>.</para>
+
+ <para>In versions of Samba prior to 2.0.0, the default was
+ <command moreinfo="none">security = share</command> mainly because that was
+ the only option at one stage.</para>
+
+ <para>There is a bug in WfWg that has relevance to this
+ setting. When in user or server level security a WfWg client
+ will totally ignore the password you type in the &quot;connect
+ drive&quot; dialog box. This makes it very difficult (if not impossible)
+ to connect to a Samba service as anyone except the user that
+ you are logged into WfWg as.</para>
+
+ <para>If your PCs use usernames that are the same as their
+ usernames on the UNIX machine then you will want to use
+ <command moreinfo="none">security = user</command>. If you mostly use usernames
+ that don't exist on the UNIX box then use <command moreinfo="none">security =
+ share</command>.</para>
+
+ <para>You should also use <command moreinfo="none">security = share</command> if you
+ want to mainly setup shares without a password (guest shares). This
+ is commonly used for a shared printer server. It is more difficult
+ to setup guest shares with <command moreinfo="none">security = user</command>, see
+ the <link linkend="MAPTOGUEST"><parameter moreinfo="none">map to guest</parameter>
+ </link>parameter for details.</para>
+
+ <para>It is possible to use <command moreinfo="none">smbd</command> in a <emphasis>
+ hybrid mode</emphasis> where it is offers both user and share
+ level security under different <link linkend="NETBIOSALIASES">
+ <parameter moreinfo="none">NetBIOS aliases</parameter></link>. </para>
+
+ <para>The different settings will now be explained.</para>
+
+
+ <para><anchor id="SECURITYEQUALSSHARE"/><emphasis>SECURITY = SHARE</emphasis></para>
+
+ <para>When clients connect to a share level security server they
+ need not log onto the server with a valid username and password before
+ attempting to connect to a shared resource (although modern clients
+ such as Windows 95/98 and Windows NT will send a logon request with
+ a username but no password when talking to a <command moreinfo="none">security = share
+ </command> server). Instead, the clients send authentication information
+ (passwords) on a per-share basis, at the time they attempt to connect
+ to that share.</para>
+
+ <para>Note that <command moreinfo="none">smbd</command> <emphasis>ALWAYS</emphasis>
+ uses a valid UNIX user to act on behalf of the client, even in
+ <command moreinfo="none">security = share</command> level security.</para>
+
+ <para>As clients are not required to send a username to the server
+ in share level security, <command moreinfo="none">smbd</command> uses several
+ techniques to determine the correct UNIX user to use on behalf
+ of the client.</para>
+
+ <para>A list of possible UNIX usernames to match with the given
+ client password is constructed using the following methods :</para>
+
+ <itemizedlist>
+ <listitem>
+ <para>If the <link linkend="GUESTONLY"><parameter moreinfo="none">guest
+ only</parameter></link> parameter is set, then all the other
+ stages are missed and only the <link linkend="GUESTACCOUNT">
+ <parameter moreinfo="none">guest account</parameter></link> username is checked.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>Is a username is sent with the share connection
+ request, then this username (after mapping - see <link linkend="USERNAMEMAP">
+ <parameter moreinfo="none">username map</parameter></link>),
+ is added as a potential username.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>If the client did a previous <emphasis>logon
+ </emphasis> request (the SessionSetup SMB call) then the
+ username sent in this SMB will be added as a potential username.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>The name of the service the client requested is
+ added as a potential username.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>The NetBIOS name of the client is added to
+ the list as a potential username.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>Any users on the <link linkend="USER"><parameter moreinfo="none">
+ user</parameter></link> list are added as potential usernames.
+ </para>
+ </listitem>
+ </itemizedlist>
+
+ <para>If the <parameter moreinfo="none">guest only</parameter> parameter is
+ not set, then this list is then tried with the supplied password.
+ The first user for whom the password matches will be used as the
+ UNIX user.</para>
+
+ <para>If the <parameter moreinfo="none">guest only</parameter> parameter is
+ set, or no username can be determined then if the share is marked
+ as available to the <parameter moreinfo="none">guest account</parameter>, then this
+ guest user will be used, otherwise access is denied.</para>
+
+ <para>Note that it can be <emphasis>very</emphasis> confusing
+ in share-level security as to which UNIX username will eventually
+ be used in granting access.</para>
+
+ <para>See also the section <link linkend="VALIDATIONSECT">
+ NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
+
+ <para><anchor id="SECURITYEQUALSUSER"/><emphasis>SECURITY = USER</emphasis></para>
+
+ <para>This is the default security setting in Samba 3.0.
+ With user-level security a client must first &quot;log-on&quot; with a
+ valid username and password (which can be mapped using the <link linkend="USERNAMEMAP">
+ <parameter moreinfo="none">username map</parameter></link>
+ parameter). Encrypted passwords (see the <link linkend="ENCRYPTPASSWORDS">
+ <parameter moreinfo="none">encrypted passwords</parameter></link> parameter) can also
+ be used in this security mode. Parameters such as <link linkend="USER">
+ <parameter moreinfo="none">user</parameter></link> and <link linkend="GUESTONLY">
+ <parameter moreinfo="none">guest only</parameter></link> if set are then applied and
+ may change the UNIX user to use on this connection, but only after
+ the user has been successfully authenticated.</para>
+
+ <para><emphasis>Note</emphasis> that the name of the resource being
+ requested is <emphasis>not</emphasis> sent to the server until after
+ the server has successfully authenticated the client. This is why
+ guest shares don't work in user level security without allowing
+ the server to automatically map unknown users into the <link linkend="GUESTACCOUNT">
+ <parameter moreinfo="none">guest account</parameter></link>.
+ See the <link linkend="MAPTOGUEST"><parameter moreinfo="none">map to guest</parameter>
+ </link> parameter for details on doing this.</para>
+
+ <para>See also the section <link linkend="VALIDATIONSECT">
+ NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
+
+ <para><anchor id="SECURITYEQUALSDOMAIN"/><emphasis>SECURITY = DOMAIN</emphasis></para>
+
+ <para>This mode will only work correctly if <citerefentry><refentrytitle>net</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> has been used to add this
+ machine into a Windows NT Domain. It expects the <link linkend="ENCRYPTPASSWORDS">
+ <parameter moreinfo="none">encrypted passwords</parameter>
+ </link> parameter to be set to <constant>yes</constant>. In this
+ mode Samba will try to validate the username/password by passing
+ it to a Windows NT Primary or Backup Domain Controller, in exactly
+ the same way that a Windows NT Server would do.</para>
+
+ <para><emphasis>Note</emphasis> that a valid UNIX user must still
+ exist as well as the account on the Domain Controller to allow
+ Samba to have a valid UNIX account to map file access to.</para>
+
+ <para><emphasis>Note</emphasis> that from the client's point
+ of view <command moreinfo="none">security = domain</command> is the same
+ as <command moreinfo="none">security = user</command>. It only
+ affects how the server deals with the authentication,
+ it does not in any way affect what the client sees.</para>
+
+ <para><emphasis>Note</emphasis> that the name of the resource being
+ requested is <emphasis>not</emphasis> sent to the server until after
+ the server has successfully authenticated the client. This is why
+ guest shares don't work in user level security without allowing
+ the server to automatically map unknown users into the <link linkend="GUESTACCOUNT">
+ <parameter moreinfo="none">guest account</parameter></link>.
+ See the <link linkend="MAPTOGUEST"><parameter moreinfo="none">map to guest</parameter>
+ </link> parameter for details on doing this.</para>
+
+ <para>See also the section <link linkend="VALIDATIONSECT">
+ NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
+
+ <para>See also the <link linkend="PASSWORDSERVER"><parameter moreinfo="none">password
+ server</parameter></link> parameter and the <link linkend="ENCRYPTPASSWORDS">
+ <parameter moreinfo="none">encrypted passwords</parameter>
+ </link> parameter.</para>
+
+ <para><anchor id="SECURITYEQUALSSERVER"/><emphasis>SECURITY = SERVER</emphasis></para>
+
+ <para>In this mode Samba will try to validate the username/password
+ by passing it to another SMB server, such as an NT box. If this
+ fails it will revert to <command moreinfo="none">security =
+ user</command>. It expects the <link linkend="ENCRYPTPASSWORDS">
+ <parameter moreinfo="none">encrypted passwords</parameter></link> parameter
+ to be set to <constant>yes</constant>, unless the remote server
+ does not support them. However note that if encrypted passwords have been
+ negotiated then Samba cannot revert back to checking the UNIX password file,
+ it must have a valid <filename moreinfo="none">smbpasswd</filename> file to check
+ users against. See the documentation file in the <filename moreinfo="none">docs/</filename> directory
+ <filename moreinfo="none">ENCRYPTION.txt</filename> for details on how to set this up.</para>
+
+ <para><emphasis>Note</emphasis> this mode of operation has
+ significant pitfalls, due to the fact that is activly initiates a
+ man-in-the-middle attack on the remote SMB server. In particular,
+ this mode of operation can cause significant resource consuption on
+ the PDC, as it must maintain an active connection for the duration
+ of the user's session. Furthermore, if this connection is lost,
+ there is no way to reestablish it, and futher authenticaions to the
+ Samba server may fail. (From a single client, till it disconnects).
+ </para>
+
+ <para><emphasis>Note</emphasis> that from the client's point of
+ view <command moreinfo="none">security = server</command> is the
+ same as <command moreinfo="none">security = user</command>. It
+ only affects how the server deals with the authentication, it does
+ not in any way affect what the client sees.</para>
+
+ <para><emphasis>Note</emphasis> that the name of the resource being
+ requested is <emphasis>not</emphasis> sent to the server until after
+ the server has successfully authenticated the client. This is why
+ guest shares don't work in user level security without allowing
+ the server to automatically map unknown users into the <link linkend="GUESTACCOUNT">
+ <parameter moreinfo="none">guest account</parameter></link>.
+ See the <link linkend="MAPTOGUEST"><parameter moreinfo="none">map to guest</parameter>
+ </link> parameter for details on doing this.</para>
+
+ <para>See also the section <link linkend="VALIDATIONSECT">
+ NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
+
+ <para>See also the <link linkend="PASSWORDSERVER"><parameter moreinfo="none">password
+ server</parameter></link> parameter and the <link linkend="ENCRYPTPASSWORDS">
+ <parameter moreinfo="none">encrypted passwords</parameter></link> parameter.</para>
+
+ <para>Default: <command moreinfo="none">security = USER</command></para>
+ <para>Example: <command moreinfo="none">security = DOMAIN</command></para>
+
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/securitymask.xml b/docs/docbook/smbdotconf/security/securitymask.xml
new file mode 100644
index 0000000000..ee3e8f916c
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/securitymask.xml
@@ -0,0 +1,36 @@
+<samba:parameter name="security mask"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This parameter controls what UNIX permission
+ bits can be modified when a Windows NT client is manipulating
+ the UNIX permission on a file using the native NT security
+ dialog box.</para>
+
+ <para>This parameter is applied as a mask (AND'ed with) to
+ the changed permission bits, thus preventing any bits not in
+ this mask from being modified. Essentially, zero bits in this
+ mask may be treated as a set of bits the user is not allowed
+ to change.</para>
+
+ <para>If not set explicitly this parameter is 0777, allowing
+ a user to modify all the user/group/world permissions on a file.
+ </para>
+
+ <para><emphasis>Note</emphasis> that users who can access the
+ Samba server through other means can easily bypass this
+ restriction, so it is primarily useful for standalone
+ &quot;appliance&quot; systems. Administrators of most normal systems will
+ probably want to leave it set to <constant>0777</constant>.</para>
+
+ <para>See also the <link linkend="FORCEDIRECTORYSECURITYMODE">
+ <parameter moreinfo="none">force directory security mode</parameter></link>,
+ <link linkend="DIRECTORYSECURITYMASK"><parameter moreinfo="none">directory
+ security mask</parameter></link>, <link linkend="FORCESECURITYMODE">
+ <parameter moreinfo="none">force security mode</parameter></link> parameters.</para>
+
+ <para>Default: <command moreinfo="none">security mask = 0777</command></para>
+
+ <para>Example: <command moreinfo="none">security mask = 0770</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/serverschannel.xml b/docs/docbook/smbdotconf/security/serverschannel.xml
new file mode 100644
index 0000000000..1747fbea66
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/serverschannel.xml
@@ -0,0 +1,25 @@
+<samba:parameter name="server schannel"
+ context="G"
+ basic="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+
+ <para>This controls whether the server offers or even
+ demands the use of the netlogon schannel.
+ <parameter>server schannel = no</parameter> does not
+ offer the schannel, <parameter>server schannel =
+ auto</parameter> offers the schannel but does not
+ enforce it, and <parameter>server schannel =
+ yes</parameter> denies access if the client is not
+ able to speak netlogon schannel. This is only the case
+ for Windows NT4 before SP4.</para>
+
+ <para>Please note that with this set to
+ <parameter>no</parameter> you will have to apply the
+ WindowsXP requireSignOrSeal-Registry patch found in
+ the docs/Registry subdirectory.</para>
+
+ <para>Default: <command>server schannel = auto</command></para>
+ <para>Example: <command>server schannel = yes</command></para>
+</listitem>
+</samba:parameter> \ No newline at end of file
diff --git a/docs/docbook/smbdotconf/security/smbpasswdfile.xml b/docs/docbook/smbdotconf/security/smbpasswdfile.xml
new file mode 100644
index 0000000000..cb31ba5019
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/smbpasswdfile.xml
@@ -0,0 +1,14 @@
+<samba:parameter name="smb passwd file"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+
+ <para>This option sets the path to the encrypted smbpasswd file. By
+ default the path to the smbpasswd file is compiled into Samba.</para>
+
+ <para>Default: <command moreinfo="none">smb passwd file = ${prefix}/private/smbpasswd</command></para>
+
+ <para>Example: <command moreinfo="none">smb passwd file = /etc/samba/smbpasswd</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/unixpasswordsync.xml b/docs/docbook/smbdotconf/security/unixpasswordsync.xml
new file mode 100644
index 0000000000..0d22ed9c7e
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/unixpasswordsync.xml
@@ -0,0 +1,22 @@
+<samba:parameter name="unix password sync"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This boolean parameter controls whether Samba
+ attempts to synchronize the UNIX password with the SMB password
+ when the encrypted SMB password in the smbpasswd file is changed.
+ If this is set to <constant>yes</constant> the program specified in the <parameter moreinfo="none">passwd
+ program</parameter>parameter is called <emphasis>AS ROOT</emphasis> -
+ to allow the new UNIX password to be set without access to the
+ old UNIX password (as the SMB password change code has no
+ access to the old password cleartext, only the new).</para>
+
+ <para>See also <link linkend="PASSWDPROGRAM"><parameter moreinfo="none">passwd
+ program</parameter></link>, <link linkend="PASSWDCHAT"><parameter moreinfo="none">
+ passwd chat</parameter></link>.
+ </para>
+
+ <para>Default: <command moreinfo="none">unix password sync = no</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/updateencrypted.xml b/docs/docbook/smbdotconf/security/updateencrypted.xml
new file mode 100644
index 0000000000..76b37948d7
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/updateencrypted.xml
@@ -0,0 +1,33 @@
+<samba:parameter name="update encrypted"
+ context="G"
+ basic="1" advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+
+ <para>This boolean parameter allows a user logging on with
+ a plaintext password to have their encrypted (hashed) password in
+ the smbpasswd file to be updated automatically as they log
+ on. This option allows a site to migrate from plaintext
+ password authentication (users authenticate with plaintext
+ password over the wire, and are checked against a UNIX account
+ database) to encrypted password authentication (the SMB
+ challenge/response authentication mechanism) without forcing all
+ users to re-enter their passwords via smbpasswd at the time the
+ change is made. This is a convenience option to allow the change
+ over to encrypted passwords to be made over a longer period.
+ Once all users have encrypted representations of their passwords
+ in the smbpasswd file this parameter should be set to
+ <constant>no</constant>.</para>
+
+ <para>In order for this parameter to work correctly the <link linkend="ENCRYPTPASSWORDS">
+ <parameter moreinfo="none">encrypt passwords</parameter></link> parameter must
+ be set to <constant>no</constant> when this parameter is set to <constant>yes</constant>.</para>
+
+ <para>Note that even when this parameter is set a user
+ authenticating to <command moreinfo="none">smbd</command> must still enter a valid
+ password in order to connect correctly, and to update their hashed
+ (smbpasswd) passwords.</para>
+
+ <para>Default: <command moreinfo="none">update encrypted = no</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/user.xml b/docs/docbook/smbdotconf/security/user.xml
new file mode 100644
index 0000000000..4ca2e18fac
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/user.xml
@@ -0,0 +1,8 @@
+<samba:parameter name="user"
+ context="S"
+ hide="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>Synonym for <link linkend="USERNAME"><parameter moreinfo="none">username</parameter></link>.</para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/username.xml b/docs/docbook/smbdotconf/security/username.xml
new file mode 100644
index 0000000000..f1aa2fe1f8
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/username.xml
@@ -0,0 +1,64 @@
+<samba:parameter name="username"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>Multiple users may be specified in a comma-delimited
+ list, in which case the supplied password will be tested against
+ each username in turn (left to right).</para>
+
+ <para>The <parameter moreinfo="none">username</parameter> line is needed only when
+ the PC is unable to supply its own username. This is the case
+ for the COREPLUS protocol or where your users have different WfWg
+ usernames to UNIX usernames. In both these cases you may also be
+ better using the \\server\share%user syntax instead.</para>
+
+ <para>The <parameter moreinfo="none">username</parameter> line is not a great
+ solution in many cases as it means Samba will try to validate
+ the supplied password against each of the usernames in the
+ <parameter moreinfo="none">username</parameter> line in turn. This is slow and
+ a bad idea for lots of users in case of duplicate passwords.
+ You may get timeouts or security breaches using this parameter
+ unwisely.</para>
+
+ <para>Samba relies on the underlying UNIX security. This
+ parameter does not restrict who can login, it just offers hints
+ to the Samba server as to what usernames might correspond to the
+ supplied password. Users can login as whoever they please and
+ they will be able to do no more damage than if they started a
+ telnet session. The daemon runs as the user that they log in as,
+ so they cannot do anything that user cannot do.</para>
+
+ <para>To restrict a service to a particular set of users you
+ can use the <link linkend="VALIDUSERS"><parameter moreinfo="none">valid users
+ </parameter></link> parameter.</para>
+
+ <para>If any of the usernames begin with a '@' then the name
+ will be looked up first in the NIS netgroups list (if Samba
+ is compiled with netgroup support), followed by a lookup in
+ the UNIX groups database and will expand to a list of all users
+ in the group of that name.</para>
+
+ <para>If any of the usernames begin with a '+' then the name
+ will be looked up only in the UNIX groups database and will
+ expand to a list of all users in the group of that name.</para>
+
+ <para>If any of the usernames begin with a '&amp;' then the name
+ will be looked up only in the NIS netgroups database (if Samba
+ is compiled with netgroup support) and will expand to a list
+ of all users in the netgroup group of that name.</para>
+
+ <para>Note that searching though a groups database can take
+ quite some time, and some clients may time out during the
+ search.</para>
+
+ <para>See the section <link linkend="VALIDATIONSECT">NOTE ABOUT
+ USERNAME/PASSWORD VALIDATION</link> for more information on how
+ this parameter determines access to the services.</para>
+
+ <para>Default: <command moreinfo="none">The guest account if a guest service,
+ else &lt;empty string&gt;.</command></para>
+
+ <para>Examples:<command moreinfo="none">username = fred, mary, jack, jane,
+ @users, @pcgroup</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/usernamelevel.xml b/docs/docbook/smbdotconf/security/usernamelevel.xml
new file mode 100644
index 0000000000..3c71e3b710
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/usernamelevel.xml
@@ -0,0 +1,24 @@
+<samba:parameter name="username level"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This option helps Samba to try and 'guess' at
+ the real UNIX username, as many DOS clients send an all-uppercase
+ username. By default Samba tries all lowercase, followed by the
+ username with the first letter capitalized, and fails if the
+ username is not found on the UNIX machine.</para>
+
+ <para>If this parameter is set to non-zero the behavior changes.
+ This parameter is a number that specifies the number of uppercase
+ combinations to try while trying to determine the UNIX user name. The
+ higher the number the more combinations will be tried, but the slower
+ the discovery of usernames will be. Use this parameter when you have
+ strange usernames on your UNIX machine, such as <constant>AstrangeUser
+ </constant>.</para>
+
+ <para>Default: <command moreinfo="none">username level = 0</command></para>
+
+ <para>Example: <command moreinfo="none">username level = 5</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/usernamemap.xml b/docs/docbook/smbdotconf/security/usernamemap.xml
new file mode 100644
index 0000000000..583a1a872e
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/usernamemap.xml
@@ -0,0 +1,91 @@
+<samba:parameter name="username map"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This option allows you to specify a file containing
+ a mapping of usernames from the clients to the server. This can be
+ used for several purposes. The most common is to map usernames
+ that users use on DOS or Windows machines to those that the UNIX
+ box uses. The other is to map multiple users to a single username
+ so that they can more easily share files.</para>
+
+ <para>The map file is parsed line by line. Each line should
+ contain a single UNIX username on the left then a '=' followed
+ by a list of usernames on the right. The list of usernames on the
+ right may contain names of the form @group in which case they
+ will match any UNIX username in that group. The special client
+ name '*' is a wildcard and matches any name. Each line of the
+ map file may be up to 1023 characters long.</para>
+
+ <para>The file is processed on each line by taking the
+ supplied username and comparing it with each username on the right
+ hand side of the '=' signs. If the supplied name matches any of
+ the names on the right hand side then it is replaced with the name
+ on the left. Processing then continues with the next line.</para>
+
+ <para>If any line begins with a '#' or a ';' then it is ignored</para>
+
+ <para>If any line begins with an '!' then the processing
+ will stop after that line if a mapping was done by the line.
+ Otherwise mapping continues with every line being processed.
+ Using '!' is most useful when you have a wildcard mapping line
+ later in the file.</para>
+
+ <para>For example to map from the name <constant>admin</constant>
+ or <constant>administrator</constant> to the UNIX name <constant>
+ root</constant> you would use:</para>
+
+ <para><command moreinfo="none">root = admin administrator</command></para>
+
+ <para>Or to map anyone in the UNIX group <constant>system</constant>
+ to the UNIX name <constant>sys</constant> you would use:</para>
+
+ <para><command moreinfo="none">sys = @system</command></para>
+
+ <para>You can have as many mappings as you like in a username map file.</para>
+
+
+ <para>If your system supports the NIS NETGROUP option then
+ the netgroup database is checked before the <filename moreinfo="none">/etc/group
+ </filename> database for matching groups.</para>
+
+ <para>You can map Windows usernames that have spaces in them
+ by using double quotes around the name. For example:</para>
+
+ <para><command moreinfo="none">tridge = &quot;Andrew Tridgell&quot;</command></para>
+
+ <para>would map the windows username &quot;Andrew Tridgell&quot; to the
+ unix username &quot;tridge&quot;.</para>
+
+ <para>The following example would map mary and fred to the
+ unix user sys, and map the rest to guest. Note the use of the
+ '!' to tell Samba to stop processing if it gets a match on
+ that line.</para>
+
+<para><programlisting format="linespecific">
+!sys = mary fred
+guest = *
+</programlisting></para>
+
+ <para>Note that the remapping is applied to all occurrences
+ of usernames. Thus if you connect to \\server\fred and <constant>
+ fred</constant> is remapped to <constant>mary</constant> then you
+ will actually be connecting to \\server\mary and will need to
+ supply a password suitable for <constant>mary</constant> not
+ <constant>fred</constant>. The only exception to this is the
+ username passed to the <link linkend="PASSWORDSERVER"><parameter moreinfo="none">
+ password server</parameter></link> (if you have one). The password
+ server will receive whatever username the client supplies without
+ modification.</para>
+
+ <para>Also note that no reverse mapping is done. The main effect
+ this has is with printing. Users who have been mapped may have
+ trouble deleting print jobs as PrintManager under WfWg will think
+ they don't own the print job.</para>
+
+ <para>Default: <emphasis>no username map</emphasis></para>
+
+ <para>Example: <command moreinfo="none">username map = /usr/local/samba/lib/users.map</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/users.xml b/docs/docbook/smbdotconf/security/users.xml
new file mode 100644
index 0000000000..fdb19da243
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/users.xml
@@ -0,0 +1,9 @@
+<samba:parameter name="users"
+ context="S"
+ hide="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>Synonym for <link linkend="USERNAME"><parameter moreinfo="none">
+ username</parameter></link>.</para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/validusers.xml b/docs/docbook/smbdotconf/security/validusers.xml
new file mode 100644
index 0000000000..268e913cb5
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/validusers.xml
@@ -0,0 +1,25 @@
+<samba:parameter name="valid users"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This is a list of users that should be allowed
+ to login to this service. Names starting with '@', '+' and '&amp;'
+ are interpreted using the same rules as described in the
+ <parameter moreinfo="none">invalid users</parameter> parameter.</para>
+
+ <para>If this is empty (the default) then any user can login.
+ If a username is in both this list and the <parameter moreinfo="none">invalid
+ users</parameter> list then access is denied for that user.</para>
+
+ <para>The current servicename is substituted for <parameter moreinfo="none">%S
+ </parameter>. This is useful in the [homes] section.</para>
+
+ <para>See also <link linkend="INVALIDUSERS"><parameter moreinfo="none">invalid users
+ </parameter></link></para>
+
+ <para>Default: <emphasis>No valid users list (anyone can login)
+ </emphasis></para>
+
+ <para>Example: <command moreinfo="none">valid users = greg, @pcusers</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/writable.xml b/docs/docbook/smbdotconf/security/writable.xml
new file mode 100644
index 0000000000..9b32db8ebc
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/writable.xml
@@ -0,0 +1,8 @@
+<samba:parameter name="writable"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>Synonym for <link linkend="WRITEABLE"><parameter moreinfo="none">
+ writeable</parameter></link> for people who can't spell :-).</para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/writeable.xml b/docs/docbook/smbdotconf/security/writeable.xml
new file mode 100644
index 0000000000..63e7734986
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/writeable.xml
@@ -0,0 +1,8 @@
+<samba:parameter name="writeable"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>Inverted synonym for <link linkend="READONLY">
+ <parameter moreinfo="none">read only</parameter></link>.</para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/writelist.xml b/docs/docbook/smbdotconf/security/writelist.xml
new file mode 100644
index 0000000000..4a0e046127
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/writelist.xml
@@ -0,0 +1,22 @@
+<samba:parameter name="write list"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This is a list of users that are given read-write
+ access to a service. If the connecting user is in this list then
+ they will be given write access, no matter what the <link linkend="READONLY">
+ <parameter moreinfo="none">read only</parameter></link>
+ option is set to. The list can include group names using the
+ @group syntax.</para>
+
+ <para>Note that if a user is in both the read list and the
+ write list then they will be given write access.</para>
+
+ <para>See also the <link linkend="READLIST"><parameter moreinfo="none">read list
+ </parameter></link> option.</para>
+
+ <para>Default: <command moreinfo="none">write list = &lt;empty string&gt;</command></para>
+
+ <para>Example: <command moreinfo="none">write list = admin, root, @staff</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/writeok.xml b/docs/docbook/smbdotconf/security/writeok.xml
new file mode 100644
index 0000000000..da68489012
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/writeok.xml
@@ -0,0 +1,8 @@
+<samba:parameter name="write ok"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>Inverted synonym for <link linkend="READONLY">
+ <parameter moreinfo="none">read only</parameter></link>.</para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/tuning/blocksize.xml b/docs/docbook/smbdotconf/tuning/blocksize.xml
new file mode 100644
index 0000000000..eecf1925e8
--- /dev/null
+++ b/docs/docbook/smbdotconf/tuning/blocksize.xml
@@ -0,0 +1,22 @@
+<samba:parameter name="block size"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This parameter controls the behavior of <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> when reporting disk free
+ sizes. By default, this reports a disk block size of 1024 bytes.
+ </para>
+
+ <para>Changing this parameter may have some effect on the
+ efficiency of client writes, this is not yet confirmed. This
+ parameter was added to allow advanced administrators to change
+ it (usually to a higher value) and test the effect it has on
+ client write performance without re-compiling the code. As this
+ is an experimental option it may be removed in a future release.
+ </para>
+
+ <para>Changing this option does not change the disk free reporting
+ size, just the block size unit reported to the client.
+ </para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/tuning/changenotifytimeout.xml b/docs/docbook/smbdotconf/tuning/changenotifytimeout.xml
new file mode 100644
index 0000000000..471798c269
--- /dev/null
+++ b/docs/docbook/smbdotconf/tuning/changenotifytimeout.xml
@@ -0,0 +1,20 @@
+<samba:parameter name="change notify timeout"
+ context="G"
+ developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This SMB allows a client to tell a server to
+ &quot;watch&quot; a particular directory for any changes and only reply to
+ the SMB request when a change has occurred. Such constant scanning of
+ a directory is expensive under UNIX, hence an <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> daemon only performs such a scan
+ on each requested directory once every <parameter moreinfo="none">change notify
+ timeout</parameter> seconds.</para>
+
+ <para>Default: <command moreinfo="none">change notify timeout = 60</command></para>
+
+ <para>Example: <command moreinfo="none">change notify timeout = 300</command></para>
+
+ <para>Would change the scan time to every 5 minutes.</para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/tuning/deadtime.xml b/docs/docbook/smbdotconf/tuning/deadtime.xml
new file mode 100644
index 0000000000..cbbf751862
--- /dev/null
+++ b/docs/docbook/smbdotconf/tuning/deadtime.xml
@@ -0,0 +1,27 @@
+<samba:parameter name="dead time"
+ context="G"
+ developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>The value of the parameter (a decimal integer)
+ represents the number of minutes of inactivity before a connection
+ is considered dead, and it is disconnected. The deadtime only takes
+ effect if the number of open files is zero.</para>
+
+ <para>This is useful to stop a server's resources being
+ exhausted by a large number of inactive connections.</para>
+
+ <para>Most clients have an auto-reconnect feature when a
+ connection is broken so in most cases this parameter should be
+ transparent to users.</para>
+
+ <para>Using this parameter with a timeout of a few minutes
+ is recommended for most systems.</para>
+
+ <para>A deadtime of zero indicates that no auto-disconnection
+ should be performed.</para>
+
+ <para>Default: <command moreinfo="none">deadtime = 0</command></para>
+ <para>Example: <command moreinfo="none">deadtime = 15</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/tuning/getwdcache.xml b/docs/docbook/smbdotconf/tuning/getwdcache.xml
new file mode 100644
index 0000000000..8c22be9fb5
--- /dev/null
+++ b/docs/docbook/smbdotconf/tuning/getwdcache.xml
@@ -0,0 +1,14 @@
+<samba:parameter name="getwd cache"
+ context="G"
+ developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This is a tuning option. When this is enabled a
+ caching algorithm will be used to reduce the time taken for getwd()
+ calls. This can have a significant impact on performance, especially
+ when the <link linkend="WIDELINKS"><parameter moreinfo="none">wide links</parameter>
+ </link> parameter is set to <constant>no</constant>.</para>
+
+ <para>Default: <command moreinfo="none">getwd cache = yes</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/tuning/hostnamelookups.xml b/docs/docbook/smbdotconf/tuning/hostnamelookups.xml
new file mode 100644
index 0000000000..613fabe42f
--- /dev/null
+++ b/docs/docbook/smbdotconf/tuning/hostnamelookups.xml
@@ -0,0 +1,16 @@
+<samba:parameter name="hostname lookups"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>Specifies whether samba should use (expensive)
+ hostname lookups or use the ip addresses instead. An example place
+ where hostname lookups are currently used is when checking
+ the <command moreinfo="none">hosts deny</command> and <command moreinfo="none">hosts allow</command>.
+ </para>
+
+ <para>Default: <command moreinfo="none">hostname lookups = yes</command></para>
+
+ <para>Example: <command moreinfo="none">hostname lookups = no</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/tuning/keepalive.xml b/docs/docbook/smbdotconf/tuning/keepalive.xml
new file mode 100644
index 0000000000..1320dfab61
--- /dev/null
+++ b/docs/docbook/smbdotconf/tuning/keepalive.xml
@@ -0,0 +1,21 @@
+<samba:parameter name="keepalive"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>The value of the parameter (an integer) represents
+ the number of seconds between <parameter moreinfo="none">keepalive</parameter>
+ packets. If this parameter is zero, no keepalive packets will be
+ sent. Keepalive packets, if sent, allow the server to tell whether
+ a client is still present and responding.</para>
+
+ <para>Keepalives should, in general, not be needed if the socket
+ being used has the SO_KEEPALIVE attribute set on it (see <link linkend="SOCKETOPTIONS">
+ <parameter moreinfo="none">socket options</parameter></link>).
+ Basically you should only use this option if you strike difficulties.</para>
+
+ <para>Default: <command moreinfo="none">keepalive = 300</command></para>
+
+ <para>Example: <command moreinfo="none">keepalive = 600</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/tuning/maxconnections.xml b/docs/docbook/smbdotconf/tuning/maxconnections.xml
new file mode 100644
index 0000000000..5127df06f4
--- /dev/null
+++ b/docs/docbook/smbdotconf/tuning/maxconnections.xml
@@ -0,0 +1,18 @@
+<samba:parameter name="max connections"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This option allows the number of simultaneous connections to a service to be limited.
+ If <parameter moreinfo="none">max connections</parameter> is greater than 0 then connections
+ will be refused if this number of connections to the service are already open. A value
+ of zero mean an unlimited number of connections may be made.</para>
+
+ <para>Record lock files are used to implement this feature. The lock files will be stored in
+ the directory specified by the <link linkend="LOCKDIRECTORY">
+ <parameter moreinfo="none">lock directory</parameter></link> option.</para>
+
+ <para>Default: <command moreinfo="none">max connections = 0</command></para>
+
+ <para>Example: <command moreinfo="none">max connections = 10</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/tuning/maxdisksize.xml b/docs/docbook/smbdotconf/tuning/maxdisksize.xml
new file mode 100644
index 0000000000..7d99b31e03
--- /dev/null
+++ b/docs/docbook/smbdotconf/tuning/maxdisksize.xml
@@ -0,0 +1,28 @@
+<samba:parameter name="max disk size"
+ context="G"
+ developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This option allows you to put an upper limit
+ on the apparent size of disks. If you set this option to 100
+ then all shares will appear to be not larger than 100 MB in
+ size.</para>
+
+ <para>Note that this option does not limit the amount of
+ data you can put on the disk. In the above case you could still
+ store much more than 100 MB on the disk, but if a client ever asks
+ for the amount of free disk space or the total disk size then the
+ result will be bounded by the amount specified in <parameter moreinfo="none">max
+ disk size</parameter>.</para>
+
+ <para>This option is primarily useful to work around bugs
+ in some pieces of software that can't handle very large disks,
+ particularly disks over 1GB in size.</para>
+
+ <para>A <parameter moreinfo="none">max disk size</parameter> of 0 means no limit.</para>
+
+ <para>Default: <command moreinfo="none">max disk size = 0</command></para>
+
+ <para>Example: <command moreinfo="none">max disk size = 1000</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/tuning/maxopenfiles.xml b/docs/docbook/smbdotconf/tuning/maxopenfiles.xml
new file mode 100644
index 0000000000..9505b2aaa5
--- /dev/null
+++ b/docs/docbook/smbdotconf/tuning/maxopenfiles.xml
@@ -0,0 +1,19 @@
+<samba:parameter name="max open files"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This parameter limits the maximum number of
+ open files that one <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> file
+ serving process may have open for a client at any one time. The
+ default for this parameter is set very high (10,000) as Samba uses
+ only one bit per unopened file.</para>
+
+ <para>The limit of the number of open files is usually set
+ by the UNIX per-process file descriptor limit rather than
+ this parameter so you should never need to touch this parameter.</para>
+
+ <para>Default: <command moreinfo="none">max open files = 10000</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/tuning/maxsmbdprocesses.xml b/docs/docbook/smbdotconf/tuning/maxsmbdprocesses.xml
new file mode 100644
index 0000000000..453818ab7d
--- /dev/null
+++ b/docs/docbook/smbdotconf/tuning/maxsmbdprocesses.xml
@@ -0,0 +1,18 @@
+<samba:parameter name="max smbd processes"
+ context="G"
+ developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This parameter limits the maximum number of <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> processes concurrently running on a system and is intended
+ as a stopgap to prevent degrading service to clients in the event that the server has insufficient
+ resources to handle more than this number of connections. Remember that under normal operating
+ conditions, each user will have an <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> associated with him or her to handle connections to all
+ shares from a given host.</para>
+
+ <para>Default: <command moreinfo="none">max smbd processes = 0</command> ## no limit</para>
+
+ <para>Example: <command moreinfo="none">max smbd processes = 1000</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/tuning/minprintspace.xml b/docs/docbook/smbdotconf/tuning/minprintspace.xml
new file mode 100644
index 0000000000..0df75af0ab
--- /dev/null
+++ b/docs/docbook/smbdotconf/tuning/minprintspace.xml
@@ -0,0 +1,18 @@
+<samba:parameter name="min print space"
+ context="S"
+ print="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This sets the minimum amount of free disk
+ space that must be available before a user will be able to spool
+ a print job. It is specified in kilobytes. The default is 0, which
+ means a user can always spool a print job.</para>
+
+ <para>See also the <link linkend="PRINTING"><parameter moreinfo="none">printing
+ </parameter></link> parameter.</para>
+
+ <para>Default: <command moreinfo="none">min print space = 0</command></para>
+
+ <para>Example: <command moreinfo="none">min print space = 2000</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/tuning/namecachetimeout.xml b/docs/docbook/smbdotconf/tuning/namecachetimeout.xml
new file mode 100644
index 0000000000..6330760915
--- /dev/null
+++ b/docs/docbook/smbdotconf/tuning/namecachetimeout.xml
@@ -0,0 +1,15 @@
+<samba:parameter name="name cache timeout"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>Specifies the number of seconds it takes before
+ entries in samba's hostname resolve cache time out. If
+ the timeout is set to 0. the caching is disabled.
+ </para>
+
+ <para>Default: <command moreinfo="none">name cache timeout = 660</command></para>
+
+ <para>Example: <command moreinfo="none">name cache timeout = 0</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/tuning/paranoidserversecurity.xml b/docs/docbook/smbdotconf/tuning/paranoidserversecurity.xml
new file mode 100644
index 0000000000..3fababf01b
--- /dev/null
+++ b/docs/docbook/smbdotconf/tuning/paranoidserversecurity.xml
@@ -0,0 +1,18 @@
+<samba:parameter name="paranoid server security"
+ context="G"
+ developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>Some version of NT 4.x allow non-guest
+ users with a bad passowrd. When this option is enabled, samba will not
+ use a broken NT 4.x server as password server, but instead complain
+ to the logs and exit.
+ </para>
+
+ <para>Disabling this option prevents Samba from making
+ this check, which involves deliberatly attempting a
+ bad logon to the remote server.</para>
+
+ <para>Default: <command moreinfo="none">paranoid server security = yes</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/tuning/readsize.xml b/docs/docbook/smbdotconf/tuning/readsize.xml
new file mode 100644
index 0000000000..c76b810225
--- /dev/null
+++ b/docs/docbook/smbdotconf/tuning/readsize.xml
@@ -0,0 +1,29 @@
+<samba:parameter name="read size"
+ context="G"
+ developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>The option <parameter moreinfo="none">read size</parameter>
+ affects the overlap of disk reads/writes with network reads/writes.
+ If the amount of data being transferred in several of the SMB
+ commands (currently SMBwrite, SMBwriteX and SMBreadbraw) is larger
+ than this value then the server begins writing the data before it
+ has received the whole packet from the network, or in the case of
+ SMBreadbraw, it begins writing to the network before all the data
+ has been read from disk.</para>
+
+ <para>This overlapping works best when the speeds of disk and
+ network access are similar, having very little effect when the
+ speed of one is much greater than the other.</para>
+
+ <para>The default value is 16384, but very little experimentation
+ has been done yet to determine the optimal value, and it is likely
+ that the best value will vary greatly between systems anyway.
+ A value over 65536 is pointless and will cause you to allocate
+ memory unnecessarily.</para>
+
+ <para>Default: <command moreinfo="none">read size = 16384</command></para>
+
+ <para>Example: <command moreinfo="none">read size = 8192</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/tuning/socketoptions.xml b/docs/docbook/smbdotconf/tuning/socketoptions.xml
new file mode 100644
index 0000000000..5684ac5bca
--- /dev/null
+++ b/docs/docbook/smbdotconf/tuning/socketoptions.xml
@@ -0,0 +1,75 @@
+<samba:parameter name="socket options"
+ context="G"
+ developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This option allows you to set socket options
+ to be used when talking with the client.</para>
+
+ <para>Socket options are controls on the networking layer
+ of the operating systems which allow the connection to be
+ tuned.</para>
+
+ <para>This option will typically be used to tune your Samba server
+ for optimal performance for your local network. There is no way
+ that Samba can know what the optimal parameters are for your net,
+ so you must experiment and choose them yourself. We strongly
+ suggest you read the appropriate documentation for your operating
+ system first (perhaps <command moreinfo="none">man
+ setsockopt</command> will help).</para>
+
+ <para>You may find that on some systems Samba will say
+ &quot;Unknown socket option&quot; when you supply an option. This means you
+ either incorrectly typed it or you need to add an include file
+ to includes.h for your OS. If the latter is the case please
+ send the patch to <ulink url="mailto:samba-technical@samba.org">
+ samba-technical@samba.org</ulink>.</para>
+
+ <para>Any of the supported socket options may be combined
+ in any way you like, as long as your OS allows it.</para>
+
+ <para>This is the list of socket options currently settable
+ using this option:</para>
+
+ <itemizedlist>
+ <listitem><para>SO_KEEPALIVE</para></listitem>
+ <listitem><para>SO_REUSEADDR</para></listitem>
+ <listitem><para>SO_BROADCAST</para></listitem>
+ <listitem><para>TCP_NODELAY</para></listitem>
+ <listitem><para>IPTOS_LOWDELAY</para></listitem>
+ <listitem><para>IPTOS_THROUGHPUT</para></listitem>
+ <listitem><para>SO_SNDBUF *</para></listitem>
+ <listitem><para>SO_RCVBUF *</para></listitem>
+ <listitem><para>SO_SNDLOWAT *</para></listitem>
+ <listitem><para>SO_RCVLOWAT *</para></listitem>
+ </itemizedlist>
+
+ <para>Those marked with a <emphasis>'*'</emphasis> take an integer
+ argument. The others can optionally take a 1 or 0 argument to enable
+ or disable the option, by default they will be enabled if you
+ don't specify 1 or 0.</para>
+
+ <para>To specify an argument use the syntax SOME_OPTION = VALUE
+ for example <command moreinfo="none">SO_SNDBUF = 8192</command>. Note that you must
+ not have any spaces before or after the = sign.</para>
+
+ <para>If you are on a local network then a sensible option
+ might be:</para>
+
+ <para><command moreinfo="none">socket options = IPTOS_LOWDELAY</command></para>
+
+ <para>If you have a local network then you could try:</para>
+
+ <para><command moreinfo="none">socket options = IPTOS_LOWDELAY TCP_NODELAY</command></para>
+
+ <para>If you are on a wide area network then perhaps try
+ setting IPTOS_THROUGHPUT. </para>
+
+ <para>Note that several of the options may cause your Samba
+ server to fail completely. Use these options with caution!</para>
+
+ <para>Default: <command moreinfo="none">socket options = TCP_NODELAY</command></para>
+
+ <para>Example: <command moreinfo="none">socket options = IPTOS_LOWDELAY</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/tuning/statcachesize.xml b/docs/docbook/smbdotconf/tuning/statcachesize.xml
new file mode 100644
index 0000000000..0c8d4e0c72
--- /dev/null
+++ b/docs/docbook/smbdotconf/tuning/statcachesize.xml
@@ -0,0 +1,12 @@
+<samba:parameter name="stat cache size"
+ context="G"
+ developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This parameter determines the number of
+ entries in the <parameter moreinfo="none">stat cache</parameter>. You should
+ never need to change this parameter.</para>
+
+ <para>Default: <command moreinfo="none">stat cache size = 50</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/tuning/strictallocate.xml b/docs/docbook/smbdotconf/tuning/strictallocate.xml
new file mode 100644
index 0000000000..0d11519b04
--- /dev/null
+++ b/docs/docbook/smbdotconf/tuning/strictallocate.xml
@@ -0,0 +1,23 @@
+<samba:parameter name="strict allocate"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This is a boolean that controls the handling of
+ disk space allocation in the server. When this is set to <constant>yes</constant>
+ the server will change from UNIX behaviour of not committing real
+ disk storage blocks when a file is extended to the Windows behaviour
+ of actually forcing the disk system to allocate real storage blocks
+ when a file is created or extended to be a given size. In UNIX
+ terminology this means that Samba will stop creating sparse files.
+ This can be slow on some systems.</para>
+
+ <para>When strict allocate is <constant>no</constant> the server does sparse
+ disk block allocation when a file is extended.</para>
+
+ <para>Setting this to <constant>yes</constant> can help Samba return
+ out of quota messages on systems that are restricting the disk quota
+ of users.</para>
+
+ <para>Default: <command moreinfo="none">strict allocate = no</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/tuning/syncalways.xml b/docs/docbook/smbdotconf/tuning/syncalways.xml
new file mode 100644
index 0000000000..dca33eb802
--- /dev/null
+++ b/docs/docbook/smbdotconf/tuning/syncalways.xml
@@ -0,0 +1,21 @@
+<samba:parameter name="sync always"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This is a boolean parameter that controls
+ whether writes will always be written to stable storage before
+ the write call returns. If this is <constant>no</constant> then the server will be
+ guided by the client's request in each write call (clients can
+ set a bit indicating that a particular write should be synchronous).
+ If this is <constant>yes</constant> then every write will be followed by a <command moreinfo="none">fsync()
+ </command> call to ensure the data is written to disk. Note that
+ the <parameter moreinfo="none">strict sync</parameter> parameter must be set to
+ <constant>yes</constant> in order for this parameter to have
+ any affect.</para>
+
+ <para>See also the <link linkend="STRICTSYNC"><parameter moreinfo="none">strict
+ sync</parameter></link> parameter.</para>
+
+ <para>Default: <command moreinfo="none">sync always = no</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/tuning/usemmap.xml b/docs/docbook/smbdotconf/tuning/usemmap.xml
new file mode 100644
index 0000000000..1e79e07ef3
--- /dev/null
+++ b/docs/docbook/smbdotconf/tuning/usemmap.xml
@@ -0,0 +1,17 @@
+<samba:parameter name="use mmap"
+ context="G"
+ developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This global parameter determines if the tdb internals of Samba can
+ depend on mmap working correctly on the running system. Samba requires a coherent
+ mmap/read-write system memory cache. Currently only HPUX does not have such a
+ coherent cache, and so this parameter is set to <constant>no</constant> by
+ default on HPUX. On all other systems this parameter should be left alone. This
+ parameter is provided to help the Samba developers track down problems with
+ the tdb internal code.
+ </para>
+
+ <para>Default: <command moreinfo="none">use mmap = yes</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/tuning/usesendfile.xml b/docs/docbook/smbdotconf/tuning/usesendfile.xml
new file mode 100644
index 0000000000..6bbd651549
--- /dev/null
+++ b/docs/docbook/smbdotconf/tuning/usesendfile.xml
@@ -0,0 +1,15 @@
+<samba:parameter name="use sendfile"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>If this parameter is <constant>yes</constant>, and Samba
+ was built with the --with-sendfile-support option, and the underlying operating
+ system supports sendfile system call, then some SMB read calls (mainly ReadAndX
+ and ReadRaw) will use the more efficient sendfile system call for files that
+ are exclusively oplocked. This may make more efficient use of the system CPU's
+ and cause Samba to be faster. This is off by default as it's effects are unknown
+ as yet.</para>
+
+ <para>Default: <command moreinfo="none">use sendfile = no</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/tuning/writecachesize.xml b/docs/docbook/smbdotconf/tuning/writecachesize.xml
new file mode 100644
index 0000000000..8b5fbe66bd
--- /dev/null
+++ b/docs/docbook/smbdotconf/tuning/writecachesize.xml
@@ -0,0 +1,30 @@
+<samba:parameter name="write cache size"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>If this integer parameter is set to non-zero value,
+ Samba will create an in-memory cache for each oplocked file
+ (it does <emphasis>not</emphasis> do this for
+ non-oplocked files). All writes that the client does not request
+ to be flushed directly to disk will be stored in this cache if possible.
+ The cache is flushed onto disk when a write comes in whose offset
+ would not fit into the cache or when the file is closed by the client.
+ Reads for the file are also served from this cache if the data is stored
+ within it.</para>
+
+ <para>This cache allows Samba to batch client writes into a more
+ efficient write size for RAID disks (i.e. writes may be tuned to
+ be the RAID stripe size) and can improve performance on systems
+ where the disk subsystem is a bottleneck but there is free
+ memory for userspace programs.</para>
+
+ <para>The integer parameter specifies the size of this cache
+ (per oplocked file) in bytes.</para>
+
+ <para>Default: <command moreinfo="none">write cache size = 0</command></para>
+
+ <para>Example: <command moreinfo="none">write cache size = 262144</command></para>
+
+ <para>for a 256k cache size per file.</para>
+</listitem>
+</samba:parameter>
diff --git a/source3/include/idmap.h b/source3/include/idmap.h
new file mode 100644
index 0000000000..1e56519453
--- /dev/null
+++ b/source3/include/idmap.h
@@ -0,0 +1,56 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Idmap headers
+
+ Copyright (C) Anthony Liguori 2003
+ Copyright (C) Simo Sorce 2003
+
+ This library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Library General Public
+ License as published by the Free Software Foundation; either
+ version 2 of the License, or (at your option) any later version.
+
+ This library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Library General Public License for more details.
+
+ You should have received a copy of the GNU Library General Public
+ License along with this library; if not, write to the
+ Free Software Foundation, Inc., 59 Temple Place - Suite 330,
+ Boston, MA 02111-1307, USA.
+*/
+
+#define ID_EMPTY 0x00
+#define ID_USERID 0x01
+#define ID_GROUPID 0x02
+#define ID_OTHER 0x04
+
+#define ID_TYPEMASK 0x0f
+
+#define ID_NOMAP 0x10
+#define ID_CACHE 0x20
+
+typedef union unid_t {
+ uid_t uid;
+ gid_t gid;
+} unid_t;
+
+/* Filled out by IDMAP backends */
+struct idmap_methods {
+
+ /* Called when backend is first loaded */
+ NTSTATUS (*init)(void);
+
+ NTSTATUS (*get_sid_from_id)(DOM_SID *sid, unid_t id, int id_type);
+ NTSTATUS (*get_id_from_sid)(unid_t *id, int *id_type, const DOM_SID *sid);
+ NTSTATUS (*set_mapping)(const DOM_SID *sid, unid_t id, int id_type);
+
+ /* Called when backend is unloaded */
+ NTSTATUS (*close)(void);
+
+ /* Called to dump backend status */
+ void (*status)(void);
+};
+
diff --git a/source3/nsswitch/winbindd_idmap_tdb.c b/source3/nsswitch/winbindd_idmap_tdb.c
new file mode 100644
index 0000000000..12d6972bae
--- /dev/null
+++ b/source3/nsswitch/winbindd_idmap_tdb.c
@@ -0,0 +1,459 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Winbind daemon - user related function
+
+ Copyright (C) Tim Potter 2000
+ Copyright (C) Anthony Liguori 2003
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "winbindd.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_WINBIND
+
+/* High water mark keys */
+#define HWM_GROUP "GROUP HWM"
+#define HWM_USER "USER HWM"
+
+/* idmap version determines auto-conversion */
+#define IDMAP_VERSION 2
+
+/* Globals */
+static TDB_CONTEXT *idmap_tdb;
+
+/* convert one record to the new format */
+static int tdb_convert_fn(TDB_CONTEXT * tdb, TDB_DATA key, TDB_DATA data,
+ void *ignored)
+{
+ struct winbindd_domain *domain;
+ char *p;
+ DOM_SID sid;
+ uint32 rid;
+ fstring keystr;
+ fstring dom_name;
+ TDB_DATA key2;
+
+ p = strchr(key.dptr, '/');
+ if (!p)
+ return 0;
+
+ *p = 0;
+ fstrcpy(dom_name, key.dptr);
+ *p++ = '/';
+
+ domain = find_domain_from_name(dom_name);
+ if (!domain) {
+ /* We must delete the old record. */
+ DEBUG(0,
+ ("winbindd: tdb_convert_fn : Unable to find domain %s\n",
+ dom_name));
+ DEBUG(0,
+ ("winbindd: tdb_convert_fn : deleting record %s\n",
+ key.dptr));
+ tdb_delete(idmap_tdb, key);
+ return 0;
+ }
+
+ rid = atoi(p);
+
+ sid_copy(&sid, &domain->sid);
+ sid_append_rid(&sid, rid);
+
+ sid_to_string(keystr, &sid);
+ key2.dptr = keystr;
+ key2.dsize = strlen(keystr) + 1;
+
+ if (tdb_store(idmap_tdb, key2, data, TDB_INSERT) != 0) {
+ /* not good! */
+ DEBUG(0,
+ ("winbindd: tdb_convert_fn : Unable to update record %s\n",
+ key2.dptr));
+ DEBUG(0,
+ ("winbindd: tdb_convert_fn : conversion failed - idmap corrupt ?\n"));
+ return -1;
+ }
+
+ if (tdb_store(idmap_tdb, data, key2, TDB_REPLACE) != 0) {
+ /* not good! */
+ DEBUG(0,
+ ("winbindd: tdb_convert_fn : Unable to update record %s\n",
+ data.dptr));
+ DEBUG(0,
+ ("winbindd: tdb_convert_fn : conversion failed - idmap corrupt ?\n"));
+ return -1;
+ }
+
+ tdb_delete(idmap_tdb, key);
+
+ return 0;
+}
+
+/*****************************************************************************
+ Convert the idmap database from an older version.
+*****************************************************************************/
+static BOOL tdb_idmap_convert(void)
+{
+ int32 vers = tdb_fetch_int32(idmap_tdb, "IDMAP_VERSION");
+ BOOL bigendianheader =
+ (idmap_tdb->flags & TDB_BIGENDIAN) ? True : False;
+
+ if (vers == IDMAP_VERSION)
+ return True;
+
+ if (((vers == -1) && bigendianheader)
+ || (IREV(vers) == IDMAP_VERSION)) {
+ /* Arrggghh ! Bytereversed or old big-endian - make order independent ! */
+ /*
+ * high and low records were created on a
+ * big endian machine and will need byte-reversing.
+ */
+
+ int32 wm;
+
+ wm = tdb_fetch_int32(idmap_tdb, HWM_USER);
+
+ if (wm != -1) {
+ wm = IREV(wm);
+ } else
+ wm = server_state.uid_low;
+
+ if (tdb_store_int32(idmap_tdb, HWM_USER, wm) == -1) {
+ DEBUG(0,
+ ("tdb_idmap_convert: Unable to byteswap user hwm in idmap database\n"));
+ return False;
+ }
+
+ wm = tdb_fetch_int32(idmap_tdb, HWM_GROUP);
+ if (wm != -1) {
+ wm = IREV(wm);
+ } else
+ wm = server_state.gid_low;
+
+ if (tdb_store_int32(idmap_tdb, HWM_GROUP, wm) == -1) {
+ DEBUG(0,
+ ("tdb_idmap_convert: Unable to byteswap group hwm in idmap database\n"));
+ return False;
+ }
+ }
+
+ /* the old format stored as DOMAIN/rid - now we store the SID direct */
+ tdb_traverse(idmap_tdb, tdb_convert_fn, NULL);
+
+ if (tdb_store_int32(idmap_tdb, "IDMAP_VERSION", IDMAP_VERSION) ==
+ -1) {
+ DEBUG(0,
+ ("tdb_idmap_convert: Unable to byteswap group hwm in idmap database\n"));
+ return False;
+ }
+
+ return True;
+}
+
+/* Allocate either a user or group id from the pool */
+static BOOL tdb_allocate_id(uid_t * id, BOOL isgroup)
+{
+ int hwm;
+
+ /* Get current high water mark */
+ if ((hwm = tdb_fetch_int32(idmap_tdb,
+ isgroup ? HWM_GROUP : HWM_USER)) ==
+ -1) {
+ return False;
+ }
+
+ /* Return next available uid in list */
+ if ((isgroup && (hwm > server_state.gid_high)) ||
+ (!isgroup && (hwm > server_state.uid_high))) {
+ DEBUG(0,
+ ("winbind %sid range full!\n", isgroup ? "g" : "u"));
+ return False;
+ }
+
+ if (id) {
+ *id = hwm;
+ }
+
+ hwm++;
+
+ /* Store new high water mark */
+ tdb_store_int32(idmap_tdb, isgroup ? HWM_GROUP : HWM_USER, hwm);
+
+ return True;
+}
+
+/* Get a sid from an id */
+static BOOL tdb_get_sid_from_id(int id, DOM_SID * sid, BOOL isgroup)
+{
+ TDB_DATA key, data;
+ fstring keystr;
+ BOOL result = False;
+
+ slprintf(keystr, sizeof(keystr), "%s %d", isgroup ? "GID" : "UID",
+ id);
+
+ key.dptr = keystr;
+ key.dsize = strlen(keystr) + 1;
+
+ data = tdb_fetch(idmap_tdb, key);
+
+ if (data.dptr) {
+ result = string_to_sid(sid, data.dptr);
+ SAFE_FREE(data.dptr);
+ }
+
+ return result;
+}
+
+/* Get an id from a sid */
+static BOOL tdb_get_id_from_sid(DOM_SID * sid, uid_t * id, BOOL isgroup)
+{
+ TDB_DATA data, key;
+ fstring keystr;
+ BOOL result = False;
+
+ /* Check if sid is present in database */
+ sid_to_string(keystr, sid);
+
+ key.dptr = keystr;
+ key.dsize = strlen(keystr) + 1;
+
+ data = tdb_fetch(idmap_tdb, key);
+
+ if (data.dptr) {
+ fstring scanstr;
+ int the_id;
+
+ /* Parse and return existing uid */
+ fstrcpy(scanstr, isgroup ? "GID" : "UID");
+ fstrcat(scanstr, " %d");
+
+ if (sscanf(data.dptr, scanstr, &the_id) == 1) {
+ /* Store uid */
+ if (id) {
+ *id = the_id;
+ }
+
+ result = True;
+ }
+
+ SAFE_FREE(data.dptr);
+ } else {
+
+ /* Allocate a new id for this sid */
+ if (id && tdb_allocate_id(id, isgroup)) {
+ fstring keystr2;
+
+ /* Store new id */
+ slprintf(keystr2, sizeof(keystr2), "%s %d",
+ isgroup ? "GID" : "UID", *id);
+
+ data.dptr = keystr2;
+ data.dsize = strlen(keystr2) + 1;
+
+ tdb_store(idmap_tdb, key, data, TDB_REPLACE);
+ tdb_store(idmap_tdb, data, key, TDB_REPLACE);
+
+ result = True;
+ }
+ }
+
+ return result;
+}
+
+/*****************************************************************************
+ Initialise idmap database.
+*****************************************************************************/
+static BOOL tdb_idmap_init(void)
+{
+ SMB_STRUCT_STAT stbuf;
+
+ /* move to the new database on first startup */
+ if (!file_exist(lock_path("idmap.tdb"), &stbuf)) {
+ if (file_exist(lock_path("winbindd_idmap.tdb"), &stbuf)) {
+ char *cmd = NULL;
+
+ /* lazy file copy */
+ if (asprintf(&cmd, "cp -p %s/winbindd_idmap.tdb %s/idmap.tdb", lp_lockdir(), lp_lockdir()) != -1) {
+ system(cmd);
+ free(cmd);
+ }
+ if (!file_exist(lock_path("idmap.tdb"), &stbuf)) {
+ DEBUG(0, ("idmap_init: Unable to make a new database copy\n"));
+ return False;
+ }
+ }
+ }
+
+ /* Open tdb cache */
+ if (!(idmap_tdb = tdb_open_log(lock_path("idmap.tdb"), 0,
+ TDB_DEFAULT, O_RDWR | O_CREAT,
+ 0600))) {
+ DEBUG(0,
+ ("winbindd_idmap_init: Unable to open idmap database\n"));
+ return False;
+ }
+
+ /* possibly convert from an earlier version */
+ if (!tdb_idmap_convert()) {
+ DEBUG(0, ("winbindd_idmap_init: Unable to open idmap database\n"));
+ return False;
+ }
+
+ /* Create high water marks for group and user id */
+ if (tdb_fetch_int32(idmap_tdb, HWM_USER) == -1) {
+ if (tdb_store_int32
+ (idmap_tdb, HWM_USER, server_state.uid_low) == -1) {
+ DEBUG(0,
+ ("winbindd_idmap_init: Unable to initialise user hwm in idmap database\n"));
+ return False;
+ }
+ }
+
+ if (tdb_fetch_int32(idmap_tdb, HWM_GROUP) == -1) {
+ if (tdb_store_int32
+ (idmap_tdb, HWM_GROUP, server_state.gid_low) == -1) {
+ DEBUG(0,
+ ("winbindd_idmap_init: Unable to initialise group hwm in idmap database\n"));
+ return False;
+ }
+ }
+
+ return True;
+}
+
+/* Get a sid from a uid */
+static BOOL tdb_get_sid_from_uid(uid_t uid, DOM_SID * sid)
+{
+ return tdb_get_sid_from_id((int) uid, sid, False);
+}
+
+/* Get a sid from a gid */
+static BOOL tdb_get_sid_from_gid(gid_t gid, DOM_SID * sid)
+{
+ return tdb_get_sid_from_id((int) gid, sid, True);
+}
+
+/* Get a uid from a sid */
+static BOOL tdb_get_uid_from_sid(DOM_SID * sid, uid_t * uid)
+{
+ return tdb_get_id_from_sid(sid, uid, False);
+}
+
+/* Get a gid from a group sid */
+static BOOL tdb_get_gid_from_sid(DOM_SID * sid, gid_t * gid)
+{
+ return tdb_get_id_from_sid(sid, gid, True);
+}
+
+/* Close the tdb */
+static BOOL tdb_idmap_close(void)
+{
+ if (idmap_tdb)
+ return (tdb_close(idmap_tdb) == 0);
+ return True;
+}
+
+
+/* Dump status information to log file. Display different stuff based on
+ the debug level:
+
+ Debug Level Information Displayed
+ =================================================================
+ 0 Percentage of [ug]id range allocated
+ 0 High water marks (next allocated ids)
+*/
+
+#define DUMP_INFO 0
+
+static void tdb_idmap_status(void)
+{
+ int user_hwm, group_hwm;
+
+ DEBUG(0, ("winbindd idmap status:\n"));
+
+ /* Get current high water marks */
+
+ if ((user_hwm = tdb_fetch_int32(idmap_tdb, HWM_USER)) == -1) {
+ DEBUG(DUMP_INFO,
+ ("\tCould not get userid high water mark!\n"));
+ }
+
+ if ((group_hwm = tdb_fetch_int32(idmap_tdb, HWM_GROUP)) == -1) {
+ DEBUG(DUMP_INFO,
+ ("\tCould not get groupid high water mark!\n"));
+ }
+
+ /* Display next ids to allocate */
+
+ if (user_hwm != -1) {
+ DEBUG(DUMP_INFO,
+ ("\tNext userid to allocate is %d\n", user_hwm));
+ }
+
+ if (group_hwm != -1) {
+ DEBUG(DUMP_INFO,
+ ("\tNext groupid to allocate is %d\n", group_hwm));
+ }
+
+ /* Display percentage of id range already allocated. */
+
+ if (user_hwm != -1) {
+ int num_users = user_hwm - server_state.uid_low;
+ int total_users =
+ server_state.uid_high - server_state.uid_low;
+
+ DEBUG(DUMP_INFO,
+ ("\tUser id range is %d%% full (%d of %d)\n",
+ num_users * 100 / total_users, num_users,
+ total_users));
+ }
+
+ if (group_hwm != -1) {
+ int num_groups = group_hwm - server_state.gid_low;
+ int total_groups =
+ server_state.gid_high - server_state.gid_low;
+
+ DEBUG(DUMP_INFO,
+ ("\tGroup id range is %d%% full (%d of %d)\n",
+ num_groups * 100 / total_groups, num_groups,
+ total_groups));
+ }
+
+ /* Display complete mapping of users and groups to rids */
+}
+
+struct winbindd_idmap_methods tdb_idmap_methods = {
+ tdb_idmap_init,
+
+ tdb_get_sid_from_uid,
+ tdb_get_sid_from_gid,
+
+ tdb_get_uid_from_sid,
+ tdb_get_gid_from_sid,
+
+ tdb_idmap_close,
+
+ tdb_idmap_status
+};
+
+BOOL winbind_idmap_reg_tdb(struct winbindd_idmap_methods **meth)
+{
+ *meth = &tdb_idmap_methods;
+
+ return True;
+}