summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--docs/docbook/smbdotconf/security/adminusers.xml26
-rw-r--r--docs/docbook/smbdotconf/security/algorithmicridbase.xml43
-rw-r--r--docs/docbook/smbdotconf/security/allowhosts.xml14
-rw-r--r--docs/docbook/smbdotconf/security/allowtrusteddomains.xml42
-rw-r--r--docs/docbook/smbdotconf/security/authmethods.xml31
-rw-r--r--docs/docbook/smbdotconf/security/createmask.xml84
-rw-r--r--docs/docbook/smbdotconf/security/createmode.xml13
-rw-r--r--docs/docbook/smbdotconf/security/denyhosts.xml14
-rw-r--r--docs/docbook/smbdotconf/security/directorymask.xml88
-rw-r--r--docs/docbook/smbdotconf/security/directorymode.xml13
-rw-r--r--docs/docbook/smbdotconf/security/directorysecuritymask.xml58
-rw-r--r--docs/docbook/smbdotconf/security/encryptpasswords.xml43
-rw-r--r--docs/docbook/smbdotconf/security/forcecreatemode.xml45
-rw-r--r--docs/docbook/smbdotconf/security/forcedirectorymode.xml47
-rw-r--r--docs/docbook/smbdotconf/security/forcedirectorysecuritymode.xml57
-rw-r--r--docs/docbook/smbdotconf/security/forcegroup.xml64
-rw-r--r--docs/docbook/smbdotconf/security/forcesecuritymode.xml59
-rw-r--r--docs/docbook/smbdotconf/security/forceuser.xml44
-rw-r--r--docs/docbook/smbdotconf/security/group.xml14
-rw-r--r--docs/docbook/smbdotconf/security/guestaccount.xml50
-rw-r--r--docs/docbook/smbdotconf/security/guestok.xml32
-rw-r--r--docs/docbook/smbdotconf/security/guestonly.xml25
-rw-r--r--docs/docbook/smbdotconf/security/hostsallow.xml86
-rw-r--r--docs/docbook/smbdotconf/security/hostsdeny.xml26
-rw-r--r--docs/docbook/smbdotconf/security/hostsequiv.xml49
-rw-r--r--docs/docbook/smbdotconf/security/inheritacls.xml26
-rw-r--r--docs/docbook/smbdotconf/security/inheritpermissions.xml64
-rw-r--r--docs/docbook/smbdotconf/security/invalidusers.xml58
-rw-r--r--docs/docbook/smbdotconf/security/lanmanauth.xml23
-rw-r--r--docs/docbook/smbdotconf/security/maptoguest.xml99
-rw-r--r--docs/docbook/smbdotconf/security/minpasswdlength.xml16
-rw-r--r--docs/docbook/smbdotconf/security/minpasswordlength.xml27
-rw-r--r--docs/docbook/smbdotconf/security/nonunixaccountrange.xml40
-rw-r--r--docs/docbook/smbdotconf/security/ntlmauth.xml27
-rw-r--r--docs/docbook/smbdotconf/security/nullpasswords.xml20
-rw-r--r--docs/docbook/smbdotconf/security/obeypamrestrictions.xml32
-rw-r--r--docs/docbook/smbdotconf/security/onlyguest.xml14
-rw-r--r--docs/docbook/smbdotconf/security/onlyuser.xml44
-rw-r--r--docs/docbook/smbdotconf/security/pampasswordchange.xml31
-rw-r--r--docs/docbook/smbdotconf/security/passdbbackend.xml174
-rw-r--r--docs/docbook/smbdotconf/security/passwdchat.xml120
-rw-r--r--docs/docbook/smbdotconf/security/passwdchatdebug.xml48
-rw-r--r--docs/docbook/smbdotconf/security/passwdprogram.xml64
-rw-r--r--docs/docbook/smbdotconf/security/passwordlevel.xml84
-rw-r--r--docs/docbook/smbdotconf/security/passwordserver.xml164
-rw-r--r--docs/docbook/smbdotconf/security/printeradmin.xml25
-rw-r--r--docs/docbook/smbdotconf/security/privatedir.xml21
-rw-r--r--docs/docbook/smbdotconf/security/public.xml15
-rw-r--r--docs/docbook/smbdotconf/security/readlist.xml35
-rw-r--r--docs/docbook/smbdotconf/security/readonly.xml29
-rw-r--r--docs/docbook/smbdotconf/security/restrictanonymous.xml20
-rw-r--r--docs/docbook/smbdotconf/security/root.xml16
-rw-r--r--docs/docbook/smbdotconf/security/rootdir.xml16
-rw-r--r--docs/docbook/smbdotconf/security/rootdirectory.xml58
-rw-r--r--docs/docbook/smbdotconf/security/security.xml477
-rw-r--r--docs/docbook/smbdotconf/security/securitymask.xml59
-rw-r--r--docs/docbook/smbdotconf/security/serverschannel.xml43
-rw-r--r--docs/docbook/smbdotconf/security/smbpasswdfile.xml25
-rw-r--r--docs/docbook/smbdotconf/security/unixpasswordsync.xml36
-rw-r--r--docs/docbook/smbdotconf/security/updateencrypted.xml55
-rw-r--r--docs/docbook/smbdotconf/security/user.xml14
-rw-r--r--docs/docbook/smbdotconf/security/username.xml124
-rw-r--r--docs/docbook/smbdotconf/security/usernamelevel.xml40
-rw-r--r--docs/docbook/smbdotconf/security/usernamemap.xml169
-rw-r--r--docs/docbook/smbdotconf/security/users.xml15
-rw-r--r--docs/docbook/smbdotconf/security/validusers.xml38
-rw-r--r--docs/docbook/smbdotconf/security/writable.xml14
-rw-r--r--docs/docbook/smbdotconf/security/writeable.xml14
-rw-r--r--docs/docbook/smbdotconf/security/writelist.xml35
-rw-r--r--docs/docbook/smbdotconf/security/writeok.xml14
70 files changed, 1953 insertions, 1696 deletions
diff --git a/docs/docbook/smbdotconf/security/adminusers.xml b/docs/docbook/smbdotconf/security/adminusers.xml
index 2e1abaf6e1..09989aa79a 100644
--- a/docs/docbook/smbdotconf/security/adminusers.xml
+++ b/docs/docbook/smbdotconf/security/adminusers.xml
@@ -1,15 +1,17 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="ADMINUSERS"/>admin users (S)</term>
- <listitem><para>This is a list of users who will be granted
- administrative privileges on the share. This means that they
- will do all file operations as the super-user (root).</para>
+<samba:parameter name="admin users"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This is a list of users who will be granted
+ administrative privileges on the share. This means that they
+ will do all file operations as the super-user (root).</para>
- <para>You should use this option very carefully, as any user in
- this list will be able to do anything they like on the share,
- irrespective of file permissions.</para>
+ <para>You should use this option very carefully, as any user in
+ this list will be able to do anything they like on the share,
+ irrespective of file permissions.</para>
- <para>Default: <emphasis>no admin users</emphasis></para>
+ <para>Default: <emphasis>no admin users</emphasis></para>
- <para>Example: <command moreinfo="none">admin users = jason</command></para>
- </listitem>
- </samba:parameter>
+ <para>Example: <command moreinfo="none">admin users = jason</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/algorithmicridbase.xml b/docs/docbook/smbdotconf/security/algorithmicridbase.xml
index 3c2bf8686e..d1d33d419b 100644
--- a/docs/docbook/smbdotconf/security/algorithmicridbase.xml
+++ b/docs/docbook/smbdotconf/security/algorithmicridbase.xml
@@ -1,22 +1,27 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="ALGORITHMICRIDBASE"/>algorithmic rid base (G)</term>
- <listitem><para>This determines how Samba will use its
- algorithmic mapping from uids/gid to the RIDs needed to construct
- NT Security Identifiers.</para>
+<samba:parameter name="algorithmic rid base"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This determines how Samba will use its
+ algorithmic mapping from uids/gid to the RIDs needed to construct
+ NT Security Identifiers.
+ </para>
- <para>Setting this option to a larger value could be useful to sites
- transitioning from WinNT and Win2k, as existing user and
- group rids would otherwise clash with sytem users etc.
- </para>
+ <para>Setting this option to a larger value could be useful to sites
+ transitioning from WinNT and Win2k, as existing user and
+ group rids would otherwise clash with sytem users etc.
+ </para>
- <para>All UIDs and GIDs must be able to be resolved into SIDs for
- the correct operation of ACLs on the server. As such the algorithmic
- mapping can't be 'turned off', but pushing it 'out of the way' should
- resolve the issues. Users and groups can then be assigned 'low' RIDs
- in arbitary-rid supporting backends. </para>
+ <para>All UIDs and GIDs must be able to be resolved into SIDs for
+ the correct operation of ACLs on the server. As such the algorithmic
+ mapping can't be 'turned off', but pushing it 'out of the way' should
+ resolve the issues. Users and groups can then be assigned 'low' RIDs
+ in arbitary-rid supporting backends.
+ </para>
- <para>Default: <command moreinfo="none">algorithmic rid base = 1000</command></para>
-
- <para>Example: <command moreinfo="none">algorithmic rid base = 100000</command></para>
- </listitem>
- </samba:parameter>
+ <para>Default: <command moreinfo="none">algorithmic rid base = 1000</command></para>
+
+ <para>Example: <command moreinfo="none">algorithmic rid base = 100000</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/allowhosts.xml b/docs/docbook/smbdotconf/security/allowhosts.xml
index 7fd2f426f8..ea7c0fa05e 100644
--- a/docs/docbook/smbdotconf/security/allowhosts.xml
+++ b/docs/docbook/smbdotconf/security/allowhosts.xml
@@ -1,5 +1,9 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="ALLOWHOSTS"/>allow hosts (S)</term>
- <listitem><para>Synonym for <link linkend="HOSTSALLOW">
- <parameter moreinfo="none">hosts allow</parameter></link>.</para></listitem>
- </samba:parameter>
+<samba:parameter name="allow hosts"
+ context="S"
+ hide="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>Synonym for <link linkend="HOSTSALLOW">
+ <parameter moreinfo="none">hosts allow</parameter></link>.</para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/allowtrusteddomains.xml b/docs/docbook/smbdotconf/security/allowtrusteddomains.xml
index 35dcd76cbd..63363d2607 100644
--- a/docs/docbook/smbdotconf/security/allowtrusteddomains.xml
+++ b/docs/docbook/smbdotconf/security/allowtrusteddomains.xml
@@ -1,22 +1,26 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="ALLOWTRUSTEDDOMAINS"/>allow trusted domains (G)</term>
- <listitem><para>This option only takes effect when the <link linkend="SECURITY"><parameter moreinfo="none">security</parameter></link> option is set to
- <constant>server</constant> or <constant>domain</constant>.
- If it is set to no, then attempts to connect to a resource from
- a domain or workgroup other than the one which <ulink url="smbd.8.html">smbd</ulink> is running
- in will fail, even if that domain is trusted by the remote server
- doing the authentication.</para>
+<samba:parameter name="allow trusted domains"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This option only takes effect when the <link linkend="SECURITY">
+ <parameter moreinfo="none">security</parameter></link> option is set to
+ <constant>server</constant> or <constant>domain</constant>.
+ If it is set to no, then attempts to connect to a resource from
+ a domain or workgroup other than the one which <ulink url="smbd.8.html">smbd</ulink> is running
+ in will fail, even if that domain is trusted by the remote server
+ doing the authentication.</para>
- <para>This is useful if you only want your Samba server to
- serve resources to users in the domain it is a member of. As
- an example, suppose that there are two domains DOMA and DOMB. DOMB
- is trusted by DOMA, which contains the Samba server. Under normal
- circumstances, a user with an account in DOMB can then access the
- resources of a UNIX account with the same account name on the
- Samba server even if they do not have an account in DOMA. This
- can make implementing a security boundary difficult.</para>
+ <para>This is useful if you only want your Samba server to
+ serve resources to users in the domain it is a member of. As
+ an example, suppose that there are two domains DOMA and DOMB. DOMB
+ is trusted by DOMA, which contains the Samba server. Under normal
+ circumstances, a user with an account in DOMB can then access the
+ resources of a UNIX account with the same account name on the
+ Samba server even if they do not have an account in DOMA. This
+ can make implementing a security boundary difficult.</para>
- <para>Default: <command moreinfo="none">allow trusted domains = yes</command></para>
+ <para>Default: <command moreinfo="none">allow trusted domains = yes</command></para>
- </listitem>
- </samba:parameter>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/authmethods.xml b/docs/docbook/smbdotconf/security/authmethods.xml
index 2e569558a0..0b7965d55b 100644
--- a/docs/docbook/smbdotconf/security/authmethods.xml
+++ b/docs/docbook/smbdotconf/security/authmethods.xml
@@ -1,16 +1,19 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="AUTHMETHODS"/>auth methods (G)</term>
- <listitem><para>This option allows the administrator to chose what
- authentication methods <command moreinfo="none">smbd</command> will use when authenticating
- a user. This option defaults to sensible values based on <link linkend="SECURITY"><parameter moreinfo="none">
- security</parameter></link>.
+<samba:parameter name="auth methods"
+ context="G"
+ basic="1" advanced="1" wizard="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This option allows the administrator to chose what
+ authentication methods <command moreinfo="none">smbd</command> will use when authenticating
+ a user. This option defaults to sensible values based on <link linkend="SECURITY">
+ <parameter moreinfo="none">security</parameter></link>.</para>
- Each entry in the list attempts to authenticate the user in turn, until
- the user authenticates. In practice only one method will ever actually
- be able to complete the authentication.
- </para>
+ <para>Each entry in the list attempts to authenticate the user in turn, until
+ the user authenticates. In practice only one method will ever actually
+ be able to complete the authentication.
+ </para>
- <para>Default: <command moreinfo="none">auth methods = &lt;empty string&gt;</command></para>
- <para>Example: <command moreinfo="none">auth methods = guest sam ntdomain</command></para>
- </listitem>
- </samba:parameter>
+ <para>Default: <command moreinfo="none">auth methods = &lt;empty string&gt;</command></para>
+ <para>Example: <command moreinfo="none">auth methods = guest sam ntdomain</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/createmask.xml b/docs/docbook/smbdotconf/security/createmask.xml
index 9a197bf7c3..6765702878 100644
--- a/docs/docbook/smbdotconf/security/createmask.xml
+++ b/docs/docbook/smbdotconf/security/createmask.xml
@@ -1,39 +1,45 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="CREATEMASK"/>create mask (S)</term>
- <listitem><para>A synonym for this parameter is
- <link linkend="CREATEMODE"><parameter moreinfo="none">create mode</parameter>
- </link>.</para>
-
- <para>When a file is created, the necessary permissions are
- calculated according to the mapping from DOS modes to UNIX
- permissions, and the resulting UNIX mode is then bit-wise 'AND'ed
- with this parameter. This parameter may be thought of as a bit-wise
- MASK for the UNIX modes of a file. Any bit <emphasis>not</emphasis>
- set here will be removed from the modes set on a file when it is
- created.</para>
-
- <para>The default value of this parameter removes the
- 'group' and 'other' write and execute bits from the UNIX modes.</para>
-
- <para>Following this Samba will bit-wise 'OR' the UNIX mode created
- from this parameter with the value of the <link linkend="FORCECREATEMODE"><parameter moreinfo="none">force create mode</parameter></link>
- parameter which is set to 000 by default.</para>
-
- <para>This parameter does not affect directory modes. See the
- parameter <link linkend="DIRECTORYMODE"><parameter moreinfo="none">directory mode
- </parameter></link> for details.</para>
-
- <para>See also the <link linkend="FORCECREATEMODE"><parameter moreinfo="none">force
- create mode</parameter></link> parameter for forcing particular mode
- bits to be set on created files. See also the <link linkend="DIRECTORYMODE">
- <parameter moreinfo="none">directory mode</parameter></link> parameter for masking
- mode bits on created directories. See also the <link linkend="INHERITPERMISSIONS">
- <parameter moreinfo="none">inherit permissions</parameter></link> parameter.</para>
-
- <para>Note that this parameter does not apply to permissions
- set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
- a mask on access control lists also, they need to set the <link linkend="SECURITYMASK"><parameter moreinfo="none">security mask</parameter></link>.</para>
-
- <para>Default: <command moreinfo="none">create mask = 0744</command></para>
- <para>Example: <command moreinfo="none">create mask = 0775</command></para></listitem>
- </samba:parameter>
+<samba:parameter name="create maske"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>A synonym for this parameter is
+ <link linkend="CREATEMODE"><parameter moreinfo="none">create mode</parameter>
+ </link>.</para>
+
+ <para>When a file is created, the necessary permissions are
+ calculated according to the mapping from DOS modes to UNIX
+ permissions, and the resulting UNIX mode is then bit-wise 'AND'ed
+ with this parameter. This parameter may be thought of as a bit-wise
+ MASK for the UNIX modes of a file. Any bit <emphasis>not</emphasis>
+ set here will be removed from the modes set on a file when it is
+ created.</para>
+
+ <para>The default value of this parameter removes the
+ 'group' and 'other' write and execute bits from the UNIX modes.</para>
+
+ <para>Following this Samba will bit-wise 'OR' the UNIX mode created
+ from this parameter with the value of the <link linkend="FORCECREATEMODE">
+ <parameter moreinfo="none">force create mode</parameter></link>
+ parameter which is set to 000 by default.</para>
+
+ <para>This parameter does not affect directory modes. See the
+ parameter <link linkend="DIRECTORYMODE"><parameter moreinfo="none">directory mode
+ </parameter></link> for details.</para>
+
+ <para>See also the <link linkend="FORCECREATEMODE"><parameter moreinfo="none">force
+ create mode</parameter></link> parameter for forcing particular mode
+ bits to be set on created files. See also the <link linkend="DIRECTORYMODE">
+ <parameter moreinfo="none">directory mode</parameter></link> parameter for masking
+ mode bits on created directories. See also the <link linkend="INHERITPERMISSIONS">
+ <parameter moreinfo="none">inherit permissions</parameter></link> parameter.</para>
+
+ <para>Note that this parameter does not apply to permissions
+ set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
+ a mask on access control lists also, they need to set the <link linkend="SECURITYMASK">
+ <parameter moreinfo="none">security mask</parameter></link>.</para>
+
+ <para>Default: <command moreinfo="none">create mask = 0744</command></para>
+
+ <para>Example: <command moreinfo="none">create mask = 0775</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/createmode.xml b/docs/docbook/smbdotconf/security/createmode.xml
index 7e78ab0181..c49acf070d 100644
--- a/docs/docbook/smbdotconf/security/createmode.xml
+++ b/docs/docbook/smbdotconf/security/createmode.xml
@@ -1,5 +1,8 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="CREATEMODE"/>create mode (S)</term>
- <listitem><para>This is a synonym for <link linkend="CREATEMASK"><parameter moreinfo="none">
- create mask</parameter></link>.</para></listitem>
- </samba:parameter>
+<samba:parameter name="create mode"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This is a synonym for <link linkend="CREATEMASK"><parameter moreinfo="none">
+ create mask</parameter></link>.</para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/denyhosts.xml b/docs/docbook/smbdotconf/security/denyhosts.xml
index f50fb33d33..d5ffb0e452 100644
--- a/docs/docbook/smbdotconf/security/denyhosts.xml
+++ b/docs/docbook/smbdotconf/security/denyhosts.xml
@@ -1,5 +1,9 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="DENYHOSTS"/>deny hosts (S)</term>
- <listitem><para>Synonym for <link linkend="HOSTSDENY"><parameter moreinfo="none">hosts
- deny</parameter></link>.</para></listitem>
- </samba:parameter>
+<samba:parameter name="deny hosts"
+ context="S"
+ hide="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>Synonym for <link linkend="HOSTSDENY"><parameter moreinfo="none">hosts
+ deny</parameter></link>.</para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/directorymask.xml b/docs/docbook/smbdotconf/security/directorymask.xml
index 0844733ede..d50047d46f 100644
--- a/docs/docbook/smbdotconf/security/directorymask.xml
+++ b/docs/docbook/smbdotconf/security/directorymask.xml
@@ -1,43 +1,47 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="DIRECTORYMASK"/>directory mask (S)</term>
- <listitem><para>This parameter is the octal modes which are
- used when converting DOS modes to UNIX modes when creating UNIX
- directories.</para>
-
- <para>When a directory is created, the necessary permissions are
- calculated according to the mapping from DOS modes to UNIX permissions,
- and the resulting UNIX mode is then bit-wise 'AND'ed with this
- parameter. This parameter may be thought of as a bit-wise MASK for
- the UNIX modes of a directory. Any bit <emphasis>not</emphasis> set
- here will be removed from the modes set on a directory when it is
- created.</para>
-
- <para>The default value of this parameter removes the 'group'
- and 'other' write bits from the UNIX mode, allowing only the
- user who owns the directory to modify it.</para>
+<samba:parameter name="directory mask"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This parameter is the octal modes which are
+ used when converting DOS modes to UNIX modes when creating UNIX
+ directories.</para>
+
+ <para>When a directory is created, the necessary permissions are
+ calculated according to the mapping from DOS modes to UNIX permissions,
+ and the resulting UNIX mode is then bit-wise 'AND'ed with this
+ parameter. This parameter may be thought of as a bit-wise MASK for
+ the UNIX modes of a directory. Any bit <emphasis>not</emphasis> set
+ here will be removed from the modes set on a directory when it is
+ created.</para>
+
+ <para>The default value of this parameter removes the 'group'
+ and 'other' write bits from the UNIX mode, allowing only the
+ user who owns the directory to modify it.</para>
- <para>Following this Samba will bit-wise 'OR' the UNIX mode
- created from this parameter with the value of the <link linkend="FORCEDIRECTORYMODE"><parameter moreinfo="none">force directory mode
- </parameter></link> parameter. This parameter is set to 000 by
- default (i.e. no extra mode bits are added).</para>
-
- <para>Note that this parameter does not apply to permissions
- set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
- a mask on access control lists also, they need to set the <link linkend="DIRECTORYSECURITYMASK"><parameter moreinfo="none">directory security mask</parameter></link>.</para>
-
- <para>See the <link linkend="FORCEDIRECTORYMODE"><parameter moreinfo="none">force
- directory mode</parameter></link> parameter to cause particular mode
- bits to always be set on created directories.</para>
-
- <para>See also the <link linkend="CREATEMODE"><parameter moreinfo="none">create mode
- </parameter></link> parameter for masking mode bits on created files,
- and the <link linkend="DIRECTORYSECURITYMASK"><parameter moreinfo="none">directory
- security mask</parameter></link> parameter.</para>
-
- <para>Also refer to the <link linkend="INHERITPERMISSIONS"><parameter moreinfo="none">
- inherit permissions</parameter></link> parameter.</para>
-
- <para>Default: <command moreinfo="none">directory mask = 0755</command></para>
- <para>Example: <command moreinfo="none">directory mask = 0775</command></para>
- </listitem>
- </samba:parameter>
+ <para>Following this Samba will bit-wise 'OR' the UNIX mode
+ created from this parameter with the value of the <link linkend="FORCEDIRECTORYMODE">
+ <parameter moreinfo="none">force directory mode</parameter></link> parameter.
+ This parameter is set to 000 by default (i.e. no extra mode bits are added).</para>
+
+ <para>Note that this parameter does not apply to permissions
+ set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
+ a mask on access control lists also, they need to set the <link linkend="DIRECTORYSECURITYMASK">
+ <parameter moreinfo="none">directory security mask</parameter></link>.</para>
+
+ <para>See the <link linkend="FORCEDIRECTORYMODE"><parameter moreinfo="none">force
+ directory mode</parameter></link> parameter to cause particular mode
+ bits to always be set on created directories.</para>
+
+ <para>See also the <link linkend="CREATEMODE"><parameter moreinfo="none">create mode
+ </parameter></link> parameter for masking mode bits on created files,
+ and the <link linkend="DIRECTORYSECURITYMASK"><parameter moreinfo="none">directory
+ security mask</parameter></link> parameter.</para>
+
+ <para>Also refer to the <link linkend="INHERITPERMISSIONS"><parameter moreinfo="none">
+ inherit permissions</parameter></link> parameter.</para>
+
+ <para>Default: <command moreinfo="none">directory mask = 0755</command></para>
+
+ <para>Example: <command moreinfo="none">directory mask = 0775</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/directorymode.xml b/docs/docbook/smbdotconf/security/directorymode.xml
index 9678cd91ad..3facac2bc1 100644
--- a/docs/docbook/smbdotconf/security/directorymode.xml
+++ b/docs/docbook/smbdotconf/security/directorymode.xml
@@ -1,5 +1,8 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="DIRECTORYMODE"/>directory mode (S)</term>
- <listitem><para>Synonym for <link linkend="DIRECTORYMASK"><parameter moreinfo="none">
- directory mask</parameter></link></para></listitem>
- </samba:parameter>
+<samba:parameter name="directory mode"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>Synonym for <link linkend="DIRECTORYMASK"><parameter moreinfo="none">
+ directory mask</parameter></link></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/directorysecuritymask.xml b/docs/docbook/smbdotconf/security/directorysecuritymask.xml
index 76d153f6f4..d5413d4578 100644
--- a/docs/docbook/smbdotconf/security/directorysecuritymask.xml
+++ b/docs/docbook/smbdotconf/security/directorysecuritymask.xml
@@ -1,32 +1,36 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="DIRECTORYSECURITYMASK"/>directory security mask (S)</term>
- <listitem><para>This parameter controls what UNIX permission bits
- can be modified when a Windows NT client is manipulating the UNIX
- permission on a directory using the native NT security dialog
- box.</para>
+<samba:parameter name="directory security mask"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This parameter controls what UNIX permission bits
+ can be modified when a Windows NT client is manipulating the UNIX
+ permission on a directory using the native NT security dialog
+ box.</para>
- <para>This parameter is applied as a mask (AND'ed with) to
- the changed permission bits, thus preventing any bits not in
- this mask from being modified. Essentially, zero bits in this
- mask may be treated as a set of bits the user is not allowed
- to change.</para>
+ <para>This parameter is applied as a mask (AND'ed with) to
+ the changed permission bits, thus preventing any bits not in
+ this mask from being modified. Essentially, zero bits in this
+ mask may be treated as a set of bits the user is not allowed
+ to change.</para>
- <para>If not set explicitly this parameter is set to 0777
- meaning a user is allowed to modify all the user/group/world
- permissions on a directory.</para>
+ <para>If not set explicitly this parameter is set to 0777
+ meaning a user is allowed to modify all the user/group/world
+ permissions on a directory.</para>
- <para><emphasis>Note</emphasis> that users who can access the
- Samba server through other means can easily bypass this restriction,
- so it is primarily useful for standalone &quot;appliance&quot; systems.
- Administrators of most normal systems will probably want to leave
- it as the default of <constant>0777</constant>.</para>
+ <para><emphasis>Note</emphasis> that users who can access the
+ Samba server through other means can easily bypass this restriction,
+ so it is primarily useful for standalone &quot;appliance&quot; systems.
+ Administrators of most normal systems will probably want to leave
+ it as the default of <constant>0777</constant>.</para>
- <para>See also the <link linkend="FORCEDIRECTORYSECURITYMODE"><parameter moreinfo="none">
- force directory security mode</parameter></link>, <link linkend="SECURITYMASK"><parameter moreinfo="none">security mask</parameter></link>,
- <link linkend="FORCESECURITYMODE"><parameter moreinfo="none">force security mode
- </parameter></link> parameters.</para>
+ <para>See also the <link linkend="FORCEDIRECTORYSECURITYMODE"><parameter moreinfo="none">
+ force directory security mode</parameter></link>, <link linkend="SECURITYMASK">
+ <parameter moreinfo="none">security mask</parameter></link>,
+ <link linkend="FORCESECURITYMODE"><parameter moreinfo="none">force security mode
+ </parameter></link> parameters.</para>
- <para>Default: <command moreinfo="none">directory security mask = 0777</command></para>
- <para>Example: <command moreinfo="none">directory security mask = 0700</command></para>
- </listitem>
- </samba:parameter>
+ <para>Default: <command moreinfo="none">directory security mask = 0777</command></para>
+
+ <para>Example: <command moreinfo="none">directory security mask = 0700</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/encryptpasswords.xml b/docs/docbook/smbdotconf/security/encryptpasswords.xml
index d7ceb8d598..4f83a776c8 100644
--- a/docs/docbook/smbdotconf/security/encryptpasswords.xml
+++ b/docs/docbook/smbdotconf/security/encryptpasswords.xml
@@ -1,21 +1,26 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="ENCRYPTPASSWORDS"/>encrypt passwords (G)</term>
- <listitem><para>This boolean controls whether encrypted passwords
- will be negotiated with the client. Note that Windows NT 4.0 SP3 and
- above and also Windows 98 will by default expect encrypted passwords
- unless a registry entry is changed. To use encrypted passwords in
- Samba see the file ENCRYPTION.txt in the Samba documentation
- directory <filename moreinfo="none">docs/</filename> shipped with the source code.</para>
+<samba:parameter name="encrypt passwords"
+ context="G"
+ basic="1" advanced="1" wizard="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This boolean controls whether encrypted passwords
+ will be negotiated with the client. Note that Windows NT 4.0 SP3 and
+ above and also Windows 98 will by default expect encrypted passwords
+ unless a registry entry is changed. To use encrypted passwords in
+ Samba see the file ENCRYPTION.txt in the Samba documentation
+ directory <filename moreinfo="none">docs/</filename> shipped
+ with the source code.</para>
- <para>In order for encrypted passwords to work correctly
- <citerefentry><refentrytitle>smbd</refentrytitle>
- <manvolnum>8</manvolnum></citerefentry> must either
- have access to a local <citerefentry><refentrytitle>smbpasswd</refentrytitle>
- <manvolnum>5</manvolnum></citerefentry> file (see the <citerefentry><refentrytitle>smbpasswd</refentrytitle>
- <manvolnum>8</manvolnum></citerefentry> program for information on how to set up
- and maintain this file), or set the <link linkend="SECURITY">security = [server|domain|ads]</link> parameter which
- causes <command moreinfo="none">smbd</command> to authenticate against another
- server.</para>
+ <para>In order for encrypted passwords to work correctly
+ <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> must either
+ have access to a local <citerefentry><refentrytitle>smbpasswd</refentrytitle>
+ <manvolnum>5</manvolnum></citerefentry> file (see the <citerefentry><refentrytitle>smbpasswd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> program for information on how to set up
+ and maintain this file), or set the <link linkend="SECURITY">security = [server|domain|ads]</link> parameter which
+ causes <command moreinfo="none">smbd</command> to authenticate against another
+ server.</para>
- <para>Default: <command moreinfo="none">encrypt passwords = yes</command></para></listitem>
- </samba:parameter>
+ <para>Default: <command moreinfo="none">encrypt passwords = yes</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/forcecreatemode.xml b/docs/docbook/smbdotconf/security/forcecreatemode.xml
index 238340d7c5..66b29950d0 100644
--- a/docs/docbook/smbdotconf/security/forcecreatemode.xml
+++ b/docs/docbook/smbdotconf/security/forcecreatemode.xml
@@ -1,25 +1,28 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="FORCECREATEMODE"/>force create mode (S)</term>
- <listitem><para>This parameter specifies a set of UNIX mode bit
- permissions that will <emphasis>always</emphasis> be set on a
- file created by Samba. This is done by bitwise 'OR'ing these bits onto
- the mode bits of a file that is being created or having its
- permissions changed. The default for this parameter is (in octal)
- 000. The modes in this parameter are bitwise 'OR'ed onto the file
- mode after the mask set in the <parameter moreinfo="none">create mask</parameter>
- parameter is applied.</para>
+<samba:parameter name="force create mode"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This parameter specifies a set of UNIX mode bit
+ permissions that will <emphasis>always</emphasis> be set on a
+ file created by Samba. This is done by bitwise 'OR'ing these bits onto
+ the mode bits of a file that is being created or having its
+ permissions changed. The default for this parameter is (in octal)
+ 000. The modes in this parameter are bitwise 'OR'ed onto the file
+ mode after the mask set in the <parameter moreinfo="none">create mask</parameter>
+ parameter is applied.</para>
- <para>See also the parameter <link linkend="CREATEMASK"><parameter moreinfo="none">create
- mask</parameter></link> for details on masking mode bits on files.</para>
+ <para>See also the parameter <link linkend="CREATEMASK"><parameter moreinfo="none">create
+ mask</parameter></link> for details on masking mode bits on files.</para>
- <para>See also the <link linkend="INHERITPERMISSIONS"><parameter moreinfo="none">inherit
- permissions</parameter></link> parameter.</para>
+ <para>See also the <link linkend="INHERITPERMISSIONS"><parameter moreinfo="none">inherit
+ permissions</parameter></link> parameter.</para>
- <para>Default: <command moreinfo="none">force create mode = 000</command></para>
- <para>Example: <command moreinfo="none">force create mode = 0755</command></para>
+ <para>Default: <command moreinfo="none">force create mode = 000</command></para>
- <para>would force all created files to have read and execute
- permissions set for 'group' and 'other' as well as the
- read/write/execute bits set for the 'user'.</para>
- </listitem>
- </samba:parameter>
+ <para>Example: <command moreinfo="none">force create mode = 0755</command></para>
+
+ <para>would force all created files to have read and execute
+ permissions set for 'group' and 'other' as well as the
+ read/write/execute bits set for the 'user'.</para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/forcedirectorymode.xml b/docs/docbook/smbdotconf/security/forcedirectorymode.xml
index 460a7fc6f2..b417f08b24 100644
--- a/docs/docbook/smbdotconf/security/forcedirectorymode.xml
+++ b/docs/docbook/smbdotconf/security/forcedirectorymode.xml
@@ -1,26 +1,29 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="FORCEDIRECTORYMODE"/>force directory mode (S)</term>
- <listitem><para>This parameter specifies a set of UNIX mode bit
- permissions that will <emphasis>always</emphasis> be set on a directory
- created by Samba. This is done by bitwise 'OR'ing these bits onto the
- mode bits of a directory that is being created. The default for this
- parameter is (in octal) 0000 which will not add any extra permission
- bits to a created directory. This operation is done after the mode
- mask in the parameter <parameter moreinfo="none">directory mask</parameter> is
- applied.</para>
+<samba:parameter name="force directory mode"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This parameter specifies a set of UNIX mode bit
+ permissions that will <emphasis>always</emphasis> be set on a directory
+ created by Samba. This is done by bitwise 'OR'ing these bits onto the
+ mode bits of a directory that is being created. The default for this
+ parameter is (in octal) 0000 which will not add any extra permission
+ bits to a created directory. This operation is done after the mode
+ mask in the parameter <parameter moreinfo="none">directory mask</parameter> is
+ applied.</para>
- <para>See also the parameter <link linkend="DIRECTORYMASK"><parameter moreinfo="none">
- directory mask</parameter></link> for details on masking mode bits
- on created directories.</para>
+ <para>See also the parameter <link linkend="DIRECTORYMASK"><parameter moreinfo="none">
+ directory mask</parameter></link> for details on masking mode bits
+ on created directories.</para>
- <para>See also the <link linkend="INHERITPERMISSIONS"><parameter moreinfo="none">
- inherit permissions</parameter></link> parameter.</para>
+ <para>See also the <link linkend="INHERITPERMISSIONS"><parameter moreinfo="none">
+ inherit permissions</parameter></link> parameter.</para>
- <para>Default: <command moreinfo="none">force directory mode = 000</command></para>
- <para>Example: <command moreinfo="none">force directory mode = 0755</command></para>
+ <para>Default: <command moreinfo="none">force directory mode = 000</command></para>
- <para>would force all created directories to have read and execute
- permissions set for 'group' and 'other' as well as the
- read/write/execute bits set for the 'user'.</para>
- </listitem>
- </samba:parameter>
+ <para>Example: <command moreinfo="none">force directory mode = 0755</command></para>
+
+ <para>would force all created directories to have read and execute
+ permissions set for 'group' and 'other' as well as the
+ read/write/execute bits set for the 'user'.</para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/forcedirectorysecuritymode.xml b/docs/docbook/smbdotconf/security/forcedirectorysecuritymode.xml
index a01b297b05..8c35ccbf8a 100644
--- a/docs/docbook/smbdotconf/security/forcedirectorysecuritymode.xml
+++ b/docs/docbook/smbdotconf/security/forcedirectorysecuritymode.xml
@@ -1,32 +1,35 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="FORCEDIRECTORYSECURITYMODE"/>force directory security mode (S)</term>
- <listitem><para>This parameter controls what UNIX permission bits
- can be modified when a Windows NT client is manipulating the UNIX
- permission on a directory using the native NT security dialog box.</para>
+<samba:parameter name="force directory security mode"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This parameter controls what UNIX permission bits
+ can be modified when a Windows NT client is manipulating the UNIX
+ permission on a directory using the native NT security dialog box.</para>
- <para>This parameter is applied as a mask (OR'ed with) to the
- changed permission bits, thus forcing any bits in this mask that
- the user may have modified to be on. Essentially, one bits in this
- mask may be treated as a set of bits that, when modifying security
- on a directory, the user has always set to be 'on'.</para>
+ <para>This parameter is applied as a mask (OR'ed with) to the
+ changed permission bits, thus forcing any bits in this mask that
+ the user may have modified to be on. Essentially, one bits in this
+ mask may be treated as a set of bits that, when modifying security
+ on a directory, the user has always set to be 'on'.</para>
- <para>If not set explicitly this parameter is 000, which
- allows a user to modify all the user/group/world permissions on a
- directory without restrictions.</para>
+ <para>If not set explicitly this parameter is 000, which
+ allows a user to modify all the user/group/world permissions on a
+ directory without restrictions.</para>
- <para><emphasis>Note</emphasis> that users who can access the
- Samba server through other means can easily bypass this restriction,
- so it is primarily useful for standalone &quot;appliance&quot; systems.
- Administrators of most normal systems will probably want to leave
- it set as 0000.</para>
+ <para><emphasis>Note</emphasis> that users who can access the
+ Samba server through other means can easily bypass this restriction,
+ so it is primarily useful for standalone &quot;appliance&quot; systems.
+ Administrators of most normal systems will probably want to leave
+ it set as 0000.</para>
- <para>See also the <link linkend="DIRECTORYSECURITYMASK"><parameter moreinfo="none">
- directory security mask</parameter></link>, <link linkend="SECURITYMASK">
- <parameter moreinfo="none">security mask</parameter></link>,
- <link linkend="FORCESECURITYMODE"><parameter moreinfo="none">force security mode
- </parameter></link> parameters.</para>
+ <para>See also the <link linkend="DIRECTORYSECURITYMASK"><parameter moreinfo="none">
+ directory security mask</parameter></link>, <link linkend="SECURITYMASK">
+ <parameter moreinfo="none">security mask</parameter></link>,
+ <link linkend="FORCESECURITYMODE"><parameter moreinfo="none">force security mode
+ </parameter></link> parameters.</para>
- <para>Default: <command moreinfo="none">force directory security mode = 0</command></para>
- <para>Example: <command moreinfo="none">force directory security mode = 700</command></para>
- </listitem>
- </samba:parameter>
+ <para>Default: <command moreinfo="none">force directory security mode = 0</command></para>
+
+ <para>Example: <command moreinfo="none">force directory security mode = 700</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/forcegroup.xml b/docs/docbook/smbdotconf/security/forcegroup.xml
index abfec79e03..eafdfe8e23 100644
--- a/docs/docbook/smbdotconf/security/forcegroup.xml
+++ b/docs/docbook/smbdotconf/security/forcegroup.xml
@@ -1,35 +1,37 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="FORCEGROUP"/>force group (S)</term>
- <listitem><para>This specifies a UNIX group name that will be
- assigned as the default primary group for all users connecting
- to this service. This is useful for sharing files by ensuring
- that all access to files on service will use the named group for
- their permissions checking. Thus, by assigning permissions for this
- group to the files and directories within this service the Samba
- administrator can restrict or allow sharing of these files.</para>
+<samba:parameter name="force group"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This specifies a UNIX group name that will be
+ assigned as the default primary group for all users connecting
+ to this service. This is useful for sharing files by ensuring
+ that all access to files on service will use the named group for
+ their permissions checking. Thus, by assigning permissions for this
+ group to the files and directories within this service the Samba
+ administrator can restrict or allow sharing of these files.</para>
- <para>In Samba 2.0.5 and above this parameter has extended
- functionality in the following way. If the group name listed here
- has a '+' character prepended to it then the current user accessing
- the share only has the primary group default assigned to this group
- if they are already assigned as a member of that group. This allows
- an administrator to decide that only users who are already in a
- particular group will create files with group ownership set to that
- group. This gives a finer granularity of ownership assignment. For
- example, the setting <filename moreinfo="none">force group = +sys</filename> means
- that only users who are already in group sys will have their default
- primary group assigned to sys when accessing this Samba share. All
- other users will retain their ordinary primary group.</para>
+ <para>In Samba 2.0.5 and above this parameter has extended
+ functionality in the following way. If the group name listed here
+ has a '+' character prepended to it then the current user accessing
+ the share only has the primary group default assigned to this group
+ if they are already assigned as a member of that group. This allows
+ an administrator to decide that only users who are already in a
+ particular group will create files with group ownership set to that
+ group. This gives a finer granularity of ownership assignment. For
+ example, the setting <filename moreinfo="none">force group = +sys</filename> means
+ that only users who are already in group sys will have their default
+ primary group assigned to sys when accessing this Samba share. All
+ other users will retain their ordinary primary group.</para>
- <para>If the <link linkend="FORCEUSER"><parameter moreinfo="none">force user
- </parameter></link> parameter is also set the group specified in
- <parameter moreinfo="none">force group</parameter> will override the primary group
- set in <parameter moreinfo="none">force user</parameter>.</para>
+ <para>If the <link linkend="FORCEUSER"><parameter moreinfo="none">force user</parameter>
+ </link> parameter is also set the group specified in
+ <parameter moreinfo="none">force group</parameter> will override the primary group
+ set in <parameter moreinfo="none">force user</parameter>.</para>
- <para>See also <link linkend="FORCEUSER"><parameter moreinfo="none">force
- user</parameter></link>.</para>
+ <para>See also <link linkend="FORCEUSER"><parameter moreinfo="none">force user</parameter></link>.</para>
- <para>Default: <emphasis>no forced group</emphasis></para>
- <para>Example: <command moreinfo="none">force group = agroup</command></para>
- </listitem>
- </samba:parameter>
+ <para>Default: <emphasis>no forced group</emphasis></para>
+
+ <para>Example: <command moreinfo="none">force group = agroup</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/forcesecuritymode.xml b/docs/docbook/smbdotconf/security/forcesecuritymode.xml
index 2db50f1ce3..4151239f53 100644
--- a/docs/docbook/smbdotconf/security/forcesecuritymode.xml
+++ b/docs/docbook/smbdotconf/security/forcesecuritymode.xml
@@ -1,33 +1,36 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="FORCESECURITYMODE"/>force security mode (S)</term>
- <listitem><para>This parameter controls what UNIX permission
- bits can be modified when a Windows NT client is manipulating
- the UNIX permission on a file using the native NT security dialog
- box.</para>
+<samba:parameter name="force security mode"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This parameter controls what UNIX permission
+ bits can be modified when a Windows NT client is manipulating
+ the UNIX permission on a file using the native NT security dialog
+ box.</para>
- <para>This parameter is applied as a mask (OR'ed with) to the
- changed permission bits, thus forcing any bits in this mask that
- the user may have modified to be on. Essentially, one bits in this
- mask may be treated as a set of bits that, when modifying security
- on a file, the user has always set to be 'on'.</para>
+ <para>This parameter is applied as a mask (OR'ed with) to the
+ changed permission bits, thus forcing any bits in this mask that
+ the user may have modified to be on. Essentially, one bits in this
+ mask may be treated as a set of bits that, when modifying security
+ on a file, the user has always set to be 'on'.</para>
- <para>If not set explicitly this parameter is set to 0,
- and allows a user to modify all the user/group/world permissions on a file,
- with no restrictions.</para>
+ <para>If not set explicitly this parameter is set to 0,
+ and allows a user to modify all the user/group/world permissions on a file,
+ with no restrictions.</para>
- <para><emphasis>Note</emphasis> that users who can access
- the Samba server through other means can easily bypass this restriction,
- so it is primarily useful for standalone &quot;appliance&quot; systems.
- Administrators of most normal systems will probably want to leave
- this set to 0000.</para>
+ <para><emphasis>Note</emphasis> that users who can access
+ the Samba server through other means can easily bypass this restriction,
+ so it is primarily useful for standalone &quot;appliance&quot; systems.
+ Administrators of most normal systems will probably want to leave
+ this set to 0000.</para>
- <para>See also the <link linkend="FORCEDIRECTORYSECURITYMODE"><parameter moreinfo="none">
- force directory security mode</parameter></link>,
- <link linkend="DIRECTORYSECURITYMASK"><parameter moreinfo="none">directory security
- mask</parameter></link>, <link linkend="SECURITYMASK"><parameter moreinfo="none">
- security mask</parameter></link> parameters.</para>
+ <para>See also the <link linkend="FORCEDIRECTORYSECURITYMODE"><parameter moreinfo="none">
+ force directory security mode</parameter></link>,
+ <link linkend="DIRECTORYSECURITYMASK"><parameter moreinfo="none">directory security
+ mask</parameter></link>, <link linkend="SECURITYMASK"><parameter moreinfo="none">
+ security mask</parameter></link> parameters.</para>
- <para>Default: <command moreinfo="none">force security mode = 0</command></para>
- <para>Example: <command moreinfo="none">force security mode = 700</command></para>
- </listitem>
- </samba:parameter>
+ <para>Default: <command moreinfo="none">force security mode = 0</command></para>
+
+ <para>Example: <command moreinfo="none">force security mode = 700</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/forceuser.xml b/docs/docbook/smbdotconf/security/forceuser.xml
index 4747db13fe..79c7aa3806 100644
--- a/docs/docbook/smbdotconf/security/forceuser.xml
+++ b/docs/docbook/smbdotconf/security/forceuser.xml
@@ -1,25 +1,27 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="FORCEUSER"/>force user (S)</term>
- <listitem><para>This specifies a UNIX user name that will be
- assigned as the default user for all users connecting to this service.
- This is useful for sharing files. You should also use it carefully
- as using it incorrectly can cause security problems.</para>
+<samba:parameter name="force user"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This specifies a UNIX user name that will be
+ assigned as the default user for all users connecting to this service.
+ This is useful for sharing files. You should also use it carefully
+ as using it incorrectly can cause security problems.</para>
- <para>This user name only gets used once a connection is established.
- Thus clients still need to connect as a valid user and supply a
- valid password. Once connected, all file operations will be performed
- as the &quot;forced user&quot;, no matter what username the client connected
- as. This can be very useful.</para>
+ <para>This user name only gets used once a connection is established.
+ Thus clients still need to connect as a valid user and supply a
+ valid password. Once connected, all file operations will be performed
+ as the &quot;forced user&quot;, no matter what username the client connected
+ as. This can be very useful.</para>
- <para>In Samba 2.0.5 and above this parameter also causes the
- primary group of the forced user to be used as the primary group
- for all file activity. Prior to 2.0.5 the primary group was left
- as the primary group of the connecting user (this was a bug).</para>
+ <para>In Samba 2.0.5 and above this parameter also causes the
+ primary group of the forced user to be used as the primary group
+ for all file activity. Prior to 2.0.5 the primary group was left
+ as the primary group of the connecting user (this was a bug).</para>
- <para>See also <link linkend="FORCEGROUP"><parameter moreinfo="none">force group
- </parameter></link></para>
+ <para>See also <link linkend="FORCEGROUP"><parameter moreinfo="none">force group</parameter></link></para>
- <para>Default: <emphasis>no forced user</emphasis></para>
- <para>Example: <command moreinfo="none">force user = auser</command></para>
- </listitem>
- </samba:parameter>
+ <para>Default: <emphasis>no forced user</emphasis></para>
+
+ <para>Example: <command moreinfo="none">force user = auser</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/group.xml b/docs/docbook/smbdotconf/security/group.xml
index afc410ce34..453ca0f45b 100644
--- a/docs/docbook/smbdotconf/security/group.xml
+++ b/docs/docbook/smbdotconf/security/group.xml
@@ -1,5 +1,9 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="GROUP"/>group (S)</term>
- <listitem><para>Synonym for <link linkend="FORCEGROUP"><parameter moreinfo="none">force
- group</parameter></link>.</para></listitem>
- </samba:parameter>
+<samba:parameter name="group"
+ context="S"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>Synonym for <link linkend="FORCEGROUP">
+ <parameter moreinfo="none">force group</parameter></link>.</para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/guestaccount.xml b/docs/docbook/smbdotconf/security/guestaccount.xml
index ab15c4460d..9db3b6362d 100644
--- a/docs/docbook/smbdotconf/security/guestaccount.xml
+++ b/docs/docbook/smbdotconf/security/guestaccount.xml
@@ -1,27 +1,31 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="GUESTACCOUNT"/>guest account (S)</term>
- <listitem><para>This is a username which will be used for access
- to services which are specified as <link linkend="GUESTOK"><parameter moreinfo="none">
- guest ok</parameter></link> (see below). Whatever privileges this
- user has will be available to any client connecting to the guest service.
- Typically this user will exist in the password file, but will not
- have a valid login. The user account &quot;ftp&quot; is often a good choice
- for this parameter. If a username is specified in a given service,
- the specified username overrides this one.</para>
+<samba:parameter name="guest account"
+ context="G,S"
+ basic="1" advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This is a username which will be used for access
+ to services which are specified as <link linkend="GUESTOK"><parameter moreinfo="none">
+ guest ok</parameter></link> (see below). Whatever privileges this
+ user has will be available to any client connecting to the guest service.
+ Typically this user will exist in the password file, but will not
+ have a valid login. The user account &quot;ftp&quot; is often a good choice
+ for this parameter. If a username is specified in a given service,
+ the specified username overrides this one.
+ </para>
- <para>One some systems the default guest account &quot;nobody&quot; may not
- be able to print. Use another account in this case. You should test
- this by trying to log in as your guest user (perhaps by using the
- <command moreinfo="none">su -</command> command) and trying to print using the
- system print command such as <command moreinfo="none">lpr(1)</command> or <command moreinfo="none">
- lp(1)</command>.</para>
+ <para>One some systems the default guest account &quot;nobody&quot; may not
+ be able to print. Use another account in this case. You should test
+ this by trying to log in as your guest user (perhaps by using the
+ <command moreinfo="none">su -</command> command) and trying to print using the
+ system print command such as <command moreinfo="none">lpr(1)</command> or <command moreinfo="none">
+ lp(1)</command>.</para>
- <para>This parameter does not accept % macros, because
- many parts of the system require this value to be
- constant for correct operation.</para>
+ <para>This parameter does not accept % macros, because
+ many parts of the system require this value to be
+ constant for correct operation.</para>
- <para>Default: <emphasis>specified at compile time, usually
- &quot;nobody&quot;</emphasis></para>
+ <para>Default: <emphasis>specified at compile time, usually &quot;nobody&quot;</emphasis></para>
- <para>Example: <command moreinfo="none">guest account = ftp</command></para></listitem>
- </samba:parameter>
+ <para>Example: <command moreinfo="none">guest account = ftp</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/guestok.xml b/docs/docbook/smbdotconf/security/guestok.xml
index 2b7a8cee8a..eef1801dc3 100644
--- a/docs/docbook/smbdotconf/security/guestok.xml
+++ b/docs/docbook/smbdotconf/security/guestok.xml
@@ -1,17 +1,21 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="GUESTOK"/>guest ok (S)</term>
- <listitem><para>If this parameter is <constant>yes</constant> for
- a service, then no password is required to connect to the service.
- Privileges will be those of the <link linkend="GUESTACCOUNT"><parameter moreinfo="none">
- guest account</parameter></link>.</para>
+<samba:parameter name="guest ok"
+ context="S"
+ basic="1" advanced="1" print="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>If this parameter is <constant>yes</constant> for
+ a service, then no password is required to connect to the service.
+ Privileges will be those of the <link linkend="GUESTACCOUNT"><parameter moreinfo="none">
+ guest account</parameter></link>.</para>
- <para>This paramater nullifies the benifits of setting
- <link linkend="RESTRICTANONYMOUS"><parameter moreinfo="none">restrict
- anonymous</parameter></link> = 2</para>
+ <para>This paramater nullifies the benifits of setting
+ <link linkend="RESTRICTANONYMOUS"><parameter moreinfo="none">restrict
+ anonymous</parameter></link> = 2</para>
- <para>See the section below on <link linkend="SECURITY"><parameter moreinfo="none">
- security</parameter></link> for more information about this option.
- </para>
+ <para>See the section below on <link linkend="SECURITY"><parameter moreinfo="none">
+ security</parameter></link> for more information about this option.
+ </para>
- <para>Default: <command moreinfo="none">guest ok = no</command></para></listitem>
- </samba:parameter>
+ <para>Default: <command moreinfo="none">guest ok = no</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/guestonly.xml b/docs/docbook/smbdotconf/security/guestonly.xml
index ac7f62ad68..f116a5f22c 100644
--- a/docs/docbook/smbdotconf/security/guestonly.xml
+++ b/docs/docbook/smbdotconf/security/guestonly.xml
@@ -1,13 +1,16 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="GUESTONLY"/>guest only (S)</term>
- <listitem><para>If this parameter is <constant>yes</constant> for
- a service, then only guest connections to the service are permitted.
- This parameter will have no effect if <link linkend="GUESTOK">
- <parameter moreinfo="none">guest ok</parameter></link> is not set for the service.</para>
+<samba:parameter name="guest only"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>If this parameter is <constant>yes</constant> for
+ a service, then only guest connections to the service are permitted.
+ This parameter will have no effect if <link linkend="GUESTOK">
+ <parameter moreinfo="none">guest ok</parameter></link> is not set for the service.</para>
- <para>See the section below on <link linkend="SECURITY"><parameter moreinfo="none">
- security</parameter></link> for more information about this option.
- </para>
+ <para>See the section below on <link linkend="SECURITY"><parameter moreinfo="none">
+ security</parameter></link> for more information about this option.
+ </para>
- <para>Default: <command moreinfo="none">guest only = no</command></para></listitem>
- </samba:parameter>
+ <para>Default: <command moreinfo="none">guest only = no</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/hostsallow.xml b/docs/docbook/smbdotconf/security/hostsallow.xml
index ea91b73903..95aa7ee516 100644
--- a/docs/docbook/smbdotconf/security/hostsallow.xml
+++ b/docs/docbook/smbdotconf/security/hostsallow.xml
@@ -1,60 +1,62 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="HOSTSALLOW"/>hosts allow (S)</term>
- <listitem><para>A synonym for this parameter is <parameter moreinfo="none">allow
- hosts</parameter>.</para>
+<samba:parameter name="hosts allow"
+ context="S"
+ basic="1" advanced="1" print="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>A synonym for this parameter is <parameter moreinfo="none">allow
+ hosts</parameter>.</para>
- <para>This parameter is a comma, space, or tab delimited
- set of hosts which are permitted to access a service.</para>
+ <para>This parameter is a comma, space, or tab delimited
+ set of hosts which are permitted to access a service.</para>
- <para>If specified in the [global] section then it will
- apply to all services, regardless of whether the individual
- service has a different setting.</para>
+ <para>If specified in the [global] section then it will
+ apply to all services, regardless of whether the individual
+ service has a different setting.</para>
- <para>You can specify the hosts by name or IP number. For
- example, you could restrict access to only the hosts on a
- Class C subnet with something like <command moreinfo="none">allow hosts = 150.203.5.
- </command>. The full syntax of the list is described in the man
- page <filename moreinfo="none">hosts_access(5)</filename>. Note that this man
- page may not be present on your system, so a brief description will
- be given here also.</para>
+ <para>You can specify the hosts by name or IP number. For
+ example, you could restrict access to only the hosts on a
+ Class C subnet with something like <command moreinfo="none">allow hosts = 150.203.5.
+ </command>. The full syntax of the list is described in the man
+ page <filename moreinfo="none">hosts_access(5)</filename>. Note that this man
+ page may not be present on your system, so a brief description will
+ be given here also.</para>
- <para>Note that the localhost address 127.0.0.1 will always
- be allowed access unless specifically denied by a <link linkend="HOSTSDENY"><parameter moreinfo="none">hosts deny</parameter></link> option.</para>
+ <para>Note that the localhost address 127.0.0.1 will always
+ be allowed access unless specifically denied by a <link linkend="HOSTSDENY">
+ <parameter moreinfo="none">hosts deny</parameter></link> option.</para>
- <para>You can also specify hosts by network/netmask pairs and
- by netgroup names if your system supports netgroups. The
- <emphasis>EXCEPT</emphasis> keyword can also be used to limit a
- wildcard list. The following examples may provide some help:</para>
+ <para>You can also specify hosts by network/netmask pairs and
+ by netgroup names if your system supports netgroups. The
+ <emphasis>EXCEPT</emphasis> keyword can also be used to limit a
+ wildcard list. The following examples may provide some help:</para>
- <para>Example 1: allow all IPs in 150.203.*.*; except one</para>
+ <para>Example 1: allow all IPs in 150.203.*.*; except one</para>
- <para><command moreinfo="none">hosts allow = 150.203. EXCEPT 150.203.6.66</command></para>
+ <para><command moreinfo="none">hosts allow = 150.203. EXCEPT 150.203.6.66</command></para>
- <para>Example 2: allow hosts that match the given network/netmask</para>
+ <para>Example 2: allow hosts that match the given network/netmask</para>
- <para><command moreinfo="none">hosts allow = 150.203.15.0/255.255.255.0</command></para>
+ <para><command moreinfo="none">hosts allow = 150.203.15.0/255.255.255.0</command></para>
- <para>Example 3: allow a couple of hosts</para>
+ <para>Example 3: allow a couple of hosts</para>
- <para><command moreinfo="none">hosts allow = lapland, arvidsjaur</command></para>
+ <para><command moreinfo="none">hosts allow = lapland, arvidsjaur</command></para>
- <para>Example 4: allow only hosts in NIS netgroup &quot;foonet&quot;, but
- deny access from one particular host</para>
+ <para>Example 4: allow only hosts in NIS netgroup &quot;foonet&quot;, but
+ deny access from one particular host</para>
- <para><command moreinfo="none">hosts allow = @foonet</command></para>
+ <para><command moreinfo="none">hosts allow = @foonet</command></para>
- <para><command moreinfo="none">hosts deny = pirate</command></para>
+ <para><command moreinfo="none">hosts deny = pirate</command></para>
- <para>Note that access still requires suitable user-level passwords.</para>
+ <note><para>Note that access still requires suitable user-level passwords.</para></note>
- <para>See <citerefentry><refentrytitle>testparm</refentrytitle>
- <manvolnum>1</manvolnum></citerefentry> for a way of testing your host access
- to see if it does what you expect.</para>
+ <para>See <citerefentry><refentrytitle>testparm</refentrytitle>
+ <manvolnum>1</manvolnum></citerefentry> for a way of testing your host access
+ to see if it does what you expect.</para>
- <para>Default: <emphasis>none (i.e., all hosts permitted access)
- </emphasis></para>
+ <para>Default: <emphasis>none (i.e., all hosts permitted access)</emphasis></para>
- <para>Example: <command moreinfo="none">allow hosts = 150.203.5. myhost.mynet.edu.au
- </command></para>
- </listitem>
- </samba:parameter>
+ <para>Example: <command moreinfo="none">allow hosts = 150.203.5. myhost.mynet.edu.au</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/hostsdeny.xml b/docs/docbook/smbdotconf/security/hostsdeny.xml
index f37e2b7e4d..e4b47051fa 100644
--- a/docs/docbook/smbdotconf/security/hostsdeny.xml
+++ b/docs/docbook/smbdotconf/security/hostsdeny.xml
@@ -1,14 +1,16 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="HOSTSDENY"/>hosts deny (S)</term>
- <listitem><para>The opposite of <parameter moreinfo="none">hosts allow</parameter>
- - hosts listed here are <emphasis>NOT</emphasis> permitted access to
- services unless the specific services have their own lists to override
- this one. Where the lists conflict, the <parameter moreinfo="none">allow</parameter>
- list takes precedence.</para>
+<samba:parameter name="hosts deny"
+ context="S"
+ basic="1" advanced="1" print="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>The opposite of <parameter moreinfo="none">hosts allow</parameter>
+ - hosts listed here are <emphasis>NOT</emphasis> permitted access to
+ services unless the specific services have their own lists to override
+ this one. Where the lists conflict, the <parameter moreinfo="none">allow</parameter>
+ list takes precedence.</para>
- <para>Default: <emphasis>none (i.e., no hosts specifically excluded)
- </emphasis></para>
+ <para>Default: <emphasis>none (i.e., no hosts specifically excluded)</emphasis></para>
- <para>Example: <command moreinfo="none">hosts deny = 150.203.4. badhost.mynet.edu.au
- </command></para></listitem>
- </samba:parameter>
+ <para>Example: <command moreinfo="none">hosts deny = 150.203.4. badhost.mynet.edu.au</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/hostsequiv.xml b/docs/docbook/smbdotconf/security/hostsequiv.xml
index 084d8268ef..873053be28 100644
--- a/docs/docbook/smbdotconf/security/hostsequiv.xml
+++ b/docs/docbook/smbdotconf/security/hostsequiv.xml
@@ -1,26 +1,29 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="HOSTSEQUIV"/>hosts equiv (G)</term>
- <listitem><para>If this global parameter is a non-null string,
- it specifies the name of a file to read for the names of hosts
- and users who will be allowed access without specifying a password.
- </para>
+<samba:parameter name="hosts equiv"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>If this global parameter is a non-null string,
+ it specifies the name of a file to read for the names of hosts
+ and users who will be allowed access without specifying a password.
+ </para>
- <para>This is not be confused with <link linkend="HOSTSALLOW">
- <parameter moreinfo="none">hosts allow</parameter></link> which is about hosts
- access to services and is more useful for guest services. <parameter moreinfo="none">
- hosts equiv</parameter> may be useful for NT clients which will
- not supply passwords to Samba.</para>
+ <para>This is not be confused with <link linkend="HOSTSALLOW">
+ <parameter moreinfo="none">hosts allow</parameter></link> which is about hosts
+ access to services and is more useful for guest services. <parameter moreinfo="none">
+ hosts equiv</parameter> may be useful for NT clients which will
+ not supply passwords to Samba.</para>
- <note><para>The use of <parameter moreinfo="none">hosts equiv
- </parameter> can be a major security hole. This is because you are
- trusting the PC to supply the correct username. It is very easy to
- get a PC to supply a false username. I recommend that the
- <parameter moreinfo="none">hosts equiv</parameter> option be only used if you really
- know what you are doing, or perhaps on a home network where you trust
- your spouse and kids. And only if you <emphasis>really</emphasis> trust
- them :-).</para></note>
+ <note><para>The use of <parameter moreinfo="none">hosts equiv
+ </parameter> can be a major security hole. This is because you are
+ trusting the PC to supply the correct username. It is very easy to
+ get a PC to supply a false username. I recommend that the
+ <parameter moreinfo="none">hosts equiv</parameter> option be only used if you really
+ know what you are doing, or perhaps on a home network where you trust
+ your spouse and kids. And only if you <emphasis>really</emphasis> trust
+ them :-).</para></note>
- <para>Default: <emphasis>no host equivalences</emphasis></para>
- <para>Example: <command moreinfo="none">hosts equiv = /etc/hosts.equiv</command></para>
- </listitem>
- </samba:parameter>
+ <para>Default: <emphasis>no host equivalences</emphasis></para>
+ <para>Example: <command moreinfo="none">hosts equiv = /etc/hosts.equiv</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/inheritacls.xml b/docs/docbook/smbdotconf/security/inheritacls.xml
index f70c0d9165..6fcfdc19ce 100644
--- a/docs/docbook/smbdotconf/security/inheritacls.xml
+++ b/docs/docbook/smbdotconf/security/inheritacls.xml
@@ -1,14 +1,14 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="INHERITACLS"/>inherit acls (S)</term>
- <listitem><para>This parameter can be used to ensure
- that if default acls exist on parent directories,
- they are always honored when creating a subdirectory.
- The default behavior is to use the mode specified
- when creating the directory. Enabling this option
- sets the mode to 0777, thus guaranteeing that
- default directory acls are propagated.
- </para>
+<samba:parameter name="inherit acls"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This parameter can be used to ensure that if default acls
+ exist on parent directories, they are always honored when creating a
+ subdirectory. The default behavior is to use the mode specified when
+ creating the directory. Enabling this option sets the mode to 0777,
+ thus guaranteeing that default directory acls are propagated.
+ </para>
- <para>Default: <command moreinfo="none">inherit acls = no</command>
- </para></listitem>
- </samba:parameter>
+ <para>Default: <command moreinfo="none">inherit acls = no</command>
+</para></listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/inheritpermissions.xml b/docs/docbook/smbdotconf/security/inheritpermissions.xml
index 34fade33d0..aacf169863 100644
--- a/docs/docbook/smbdotconf/security/inheritpermissions.xml
+++ b/docs/docbook/smbdotconf/security/inheritpermissions.xml
@@ -1,36 +1,40 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="INHERITPERMISSIONS"/>inherit permissions (S)</term>
- <listitem><para>The permissions on new files and directories
- are normally governed by <link linkend="CREATEMASK"><parameter moreinfo="none">
- create mask</parameter></link>, <link linkend="DIRECTORYMASK">
- <parameter moreinfo="none">directory mask</parameter></link>, <link linkend="FORCECREATEMODE"><parameter moreinfo="none">force create mode</parameter>
- </link> and <link linkend="FORCEDIRECTORYMODE"><parameter moreinfo="none">force
- directory mode</parameter></link> but the boolean inherit
- permissions parameter overrides this.</para>
+<samba:parameter name="inherit permissions"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>The permissions on new files and directories
+ are normally governed by <link linkend="CREATEMASK"><parameter moreinfo="none">
+ create mask</parameter></link>, <link linkend="DIRECTORYMASK">
+ <parameter moreinfo="none">directory mask</parameter></link>, <link linkend="FORCECREATEMODE">
+ <parameter moreinfo="none">force create mode</parameter>
+ </link> and <link linkend="FORCEDIRECTORYMODE"><parameter moreinfo="none">force
+ directory mode</parameter></link> but the boolean inherit
+ permissions parameter overrides this.</para>
- <para>New directories inherit the mode of the parent directory,
- including bits such as setgid.</para>
+ <para>New directories inherit the mode of the parent directory,
+ including bits such as setgid.</para>
- <para>New files inherit their read/write bits from the parent
- directory. Their execute bits continue to be determined by
- <link linkend="MAPARCHIVE"><parameter moreinfo="none">map archive</parameter>
- </link>, <link linkend="MAPHIDDEN"><parameter moreinfo="none">map hidden</parameter>
- </link> and <link linkend="MAPSYSTEM"><parameter moreinfo="none">map system</parameter>
- </link> as usual.</para>
+ <para>New files inherit their read/write bits from the parent
+ directory. Their execute bits continue to be determined by
+ <link linkend="MAPARCHIVE"><parameter moreinfo="none">map archive</parameter>
+ </link>, <link linkend="MAPHIDDEN"><parameter moreinfo="none">map hidden</parameter>
+ </link> and <link linkend="MAPSYSTEM"><parameter moreinfo="none">map system</parameter>
+ </link> as usual.</para>
- <para>Note that the setuid bit is <emphasis>never</emphasis> set via
- inheritance (the code explicitly prohibits this).</para>
+ <para>Note that the setuid bit is <emphasis>never</emphasis> set via
+ inheritance (the code explicitly prohibits this).</para>
- <para>This can be particularly useful on large systems with
- many users, perhaps several thousand, to allow a single [homes]
- share to be used flexibly by each user.</para>
+ <para>This can be particularly useful on large systems with
+ many users, perhaps several thousand, to allow a single [homes]
+ share to be used flexibly by each user.</para>
- <para>See also <link linkend="CREATEMASK"><parameter moreinfo="none">create mask
- </parameter></link>, <link linkend="DIRECTORYMASK"><parameter moreinfo="none">
- directory mask</parameter></link>, <link linkend="FORCECREATEMODE">
- <parameter moreinfo="none">force create mode</parameter></link> and <link linkend="FORCEDIRECTORYMODE"><parameter moreinfo="none">force directory mode</parameter>
- </link>.</para>
+ <para>See also <link linkend="CREATEMASK"><parameter moreinfo="none">create mask
+ </parameter></link>, <link linkend="DIRECTORYMASK"><parameter moreinfo="none">
+ directory mask</parameter></link>, <link linkend="FORCECREATEMODE">
+ <parameter moreinfo="none">force create mode</parameter></link> and <link linkend="FORCEDIRECTORYMODE">
+ <parameter moreinfo="none">force directory mode</parameter>
+ </link>.</para>
- <para>Default: <command moreinfo="none">inherit permissions = no</command></para>
- </listitem>
- </samba:parameter>
+ <para>Default: <command moreinfo="none">inherit permissions = no</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/invalidusers.xml b/docs/docbook/smbdotconf/security/invalidusers.xml
index 34e534ff28..f9d5d218e8 100644
--- a/docs/docbook/smbdotconf/security/invalidusers.xml
+++ b/docs/docbook/smbdotconf/security/invalidusers.xml
@@ -1,33 +1,35 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="INVALIDUSERS"/>invalid users (S)</term>
- <listitem><para>This is a list of users that should not be allowed
- to login to this service. This is really a <emphasis>paranoid</emphasis>
- check to absolutely ensure an improper setting does not breach
- your security.</para>
+<samba:parameter name="invalid users"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This is a list of users that should not be allowed
+ to login to this service. This is really a <emphasis>paranoid</emphasis>
+ check to absolutely ensure an improper setting does not breach
+ your security.</para>
- <para>A name starting with a '@' is interpreted as an NIS
- netgroup first (if your system supports NIS), and then as a UNIX
- group if the name was not found in the NIS netgroup database.</para>
+ <para>A name starting with a '@' is interpreted as an NIS
+ netgroup first (if your system supports NIS), and then as a UNIX
+ group if the name was not found in the NIS netgroup database.</para>
- <para>A name starting with '+' is interpreted only
- by looking in the UNIX group database. A name starting with
- '&amp;' is interpreted only by looking in the NIS netgroup database
- (this requires NIS to be working on your system). The characters
- '+' and '&amp;' may be used at the start of the name in either order
- so the value <parameter moreinfo="none">+&amp;group</parameter> means check the
- UNIX group database, followed by the NIS netgroup database, and
- the value <parameter moreinfo="none">&amp;+group</parameter> means check the NIS
- netgroup database, followed by the UNIX group database (the
- same as the '@' prefix).</para>
+ <para>A name starting with '+' is interpreted only
+ by looking in the UNIX group database. A name starting with
+ '&amp;' is interpreted only by looking in the NIS netgroup database
+ (this requires NIS to be working on your system). The characters
+ '+' and '&amp;' may be used at the start of the name in either order
+ so the value <parameter moreinfo="none">+&amp;group</parameter> means check the
+ UNIX group database, followed by the NIS netgroup database, and
+ the value <parameter moreinfo="none">&amp;+group</parameter> means check the NIS
+ netgroup database, followed by the UNIX group database (the
+ same as the '@' prefix).</para>
- <para>The current servicename is substituted for <parameter moreinfo="none">%S</parameter>.
- This is useful in the [homes] section.</para>
+ <para>The current servicename is substituted for <parameter moreinfo="none">%S</parameter>.
+ This is useful in the [homes] section.</para>
- <para>See also <link linkend="VALIDUSERS"><parameter moreinfo="none">valid users
- </parameter></link>.</para>
+ <para>See also <link linkend="VALIDUSERS"><parameter moreinfo="none">valid users
+ </parameter></link>.</para>
- <para>Default: <emphasis>no invalid users</emphasis></para>
- <para>Example: <command moreinfo="none">invalid users = root fred admin @wheel
- </command></para>
- </listitem>
- </samba:parameter>
+ <para>Default: <emphasis>no invalid users</emphasis></para>
+
+ <para>Example: <command moreinfo="none">invalid users = root fred admin @wheel</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/lanmanauth.xml b/docs/docbook/smbdotconf/security/lanmanauth.xml
index 851b1ae4ac..e293242472 100644
--- a/docs/docbook/smbdotconf/security/lanmanauth.xml
+++ b/docs/docbook/smbdotconf/security/lanmanauth.xml
@@ -1,11 +1,14 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="LANMANAUTH"/>lanman auth (G)</term>
- <listitem><para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle>
- <manvolnum>8</manvolnum></citerefentry> will attempt to authenticate users
- using the LANMAN password hash. If disabled, only clients which support NT
- password hashes (e.g. Windows NT/2000 clients, smbclient, etc... but not
- Windows 95/98 or the MS DOS network client) will be able to connect to the Samba host.</para>
+<samba:parameter name="lanman auth"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> will attempt to authenticate users
+ using the LANMAN password hash. If disabled, only clients which support NT
+ password hashes (e.g. Windows NT/2000 clients, smbclient, etc... but not
+ Windows 95/98 or the MS DOS network client) will be able to connect to the Samba host.</para>
- <para>Default : <command moreinfo="none">lanman auth = yes</command></para>
- </listitem>
- </samba:parameter>
+ <para>Default : <command moreinfo="none">lanman auth = yes</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/maptoguest.xml b/docs/docbook/smbdotconf/security/maptoguest.xml
index 966260a9b1..4f66319928 100644
--- a/docs/docbook/smbdotconf/security/maptoguest.xml
+++ b/docs/docbook/smbdotconf/security/maptoguest.xml
@@ -1,53 +1,62 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="MAPTOGUEST"/>map to guest (G)</term>
- <listitem><para>This parameter is only useful in <link linkend="SECURITY">
- security</link> modes other than <parameter moreinfo="none">security = share</parameter>
- - i.e. <constant>user</constant>, <constant>server</constant>,
- and <constant>domain</constant>.</para>
+<samba:parameter name="map to guest"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This parameter is only useful in <link linkend="SECURITY">
+ security</link> modes other than <parameter moreinfo="none">security = share</parameter>
+ - i.e. <constant>user</constant>, <constant>server</constant>,
+ and <constant>domain</constant>.</para>
- <para>This parameter can take three different values, which tell
- <citerefentry><refentrytitle>smbd</refentrytitle>
- <manvolnum>8</manvolnum></citerefentry> what to do with user
- login requests that don't match a valid UNIX user in some way.</para>
+ <para>This parameter can take three different values, which tell
+ <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> what to do with user
+ login requests that don't match a valid UNIX user in some way.</para>
- <para>The three settings are :</para>
+ <para>The three settings are :</para>
- <itemizedlist>
- <listitem><para><constant>Never</constant> - Means user login
- requests with an invalid password are rejected. This is the
- default.</para></listitem>
+ <itemizedlist>
+ <listitem>
+ <para><constant>Never</constant> - Means user login
+ requests with an invalid password are rejected. This is the
+ default.</para>
+ </listitem>
- <listitem><para><constant>Bad User</constant> - Means user
- logins with an invalid password are rejected, unless the username
- does not exist, in which case it is treated as a guest login and
- mapped into the <link linkend="GUESTACCOUNT"><parameter moreinfo="none">
- guest account</parameter></link>.</para></listitem>
+ <listitem>
+ <para><constant>Bad User</constant> - Means user
+ logins with an invalid password are rejected, unless the username
+ does not exist, in which case it is treated as a guest login and
+ mapped into the <link linkend="GUESTACCOUNT"><parameter moreinfo="none">
+ guest account</parameter></link>.</para>
+ </listitem>
- <listitem><para><constant>Bad Password</constant> - Means user logins
- with an invalid password are treated as a guest login and mapped
- into the <link linkend="GUESTACCOUNT">guest account</link>. Note that
- this can cause problems as it means that any user incorrectly typing
- their password will be silently logged on as &quot;guest&quot; - and
- will not know the reason they cannot access files they think
- they should - there will have been no message given to them
- that they got their password wrong. Helpdesk services will
- <emphasis>hate</emphasis> you if you set the <parameter moreinfo="none">map to
- guest</parameter> parameter this way :-).</para></listitem>
- </itemizedlist>
+ <listitem>
+ <para><constant>Bad Password</constant> - Means user logins
+ with an invalid password are treated as a guest login and mapped
+ into the <link linkend="GUESTACCOUNT">guest account</link>. Note that
+ this can cause problems as it means that any user incorrectly typing
+ their password will be silently logged on as &quot;guest&quot; - and
+ will not know the reason they cannot access files they think
+ they should - there will have been no message given to them
+ that they got their password wrong. Helpdesk services will
+ <emphasis>hate</emphasis> you if you set the <parameter moreinfo="none">map to
+ guest</parameter> parameter this way :-).</para>
+ </listitem>
+ </itemizedlist>
- <para>Note that this parameter is needed to set up &quot;Guest&quot;
- share services when using <parameter moreinfo="none">security</parameter> modes other than
- share. This is because in these modes the name of the resource being
- requested is <emphasis>not</emphasis> sent to the server until after
- the server has successfully authenticated the client so the server
- cannot make authentication decisions at the correct time (connection
- to the share) for &quot;Guest&quot; shares.</para>
+ <para>Note that this parameter is needed to set up &quot;Guest&quot;
+ share services when using <parameter moreinfo="none">security</parameter> modes other than
+ share. This is because in these modes the name of the resource being
+ requested is <emphasis>not</emphasis> sent to the server until after
+ the server has successfully authenticated the client so the server
+ cannot make authentication decisions at the correct time (connection
+ to the share) for &quot;Guest&quot; shares.</para>
- <para>For people familiar with the older Samba releases, this
- parameter maps to the old compile-time setting of the <constant>
- GUEST_SESSSETUP</constant> value in local.h.</para>
+ <para>For people familiar with the older Samba releases, this
+ parameter maps to the old compile-time setting of the <constant>
+ GUEST_SESSSETUP</constant> value in local.h.</para>
- <para>Default: <command moreinfo="none">map to guest = Never</command></para>
- <para>Example: <command moreinfo="none">map to guest = Bad User</command></para>
- </listitem>
- </samba:parameter>
+ <para>Default: <command moreinfo="none">map to guest = Never</command></para>
+ <para>Example: <command moreinfo="none">map to guest = Bad User</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/minpasswdlength.xml b/docs/docbook/smbdotconf/security/minpasswdlength.xml
index 8e52b923fb..d7ecc3e21b 100644
--- a/docs/docbook/smbdotconf/security/minpasswdlength.xml
+++ b/docs/docbook/smbdotconf/security/minpasswdlength.xml
@@ -1,6 +1,10 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="MINPASSWDLENGTH"/>min passwd length (G)</term>
- <listitem><para>Synonym for <link linkend="MINPASSWORDLENGTH">
- <parameter moreinfo="none">min password length</parameter></link>.</para>
- </listitem>
- </samba:parameter>
+<samba:parameter name="min passwd length"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>Synonym for <link linkend="MINPASSWORDLENGTH">
+ <parameter moreinfo="none">min password length</parameter></link>.
+ </para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/minpasswordlength.xml b/docs/docbook/smbdotconf/security/minpasswordlength.xml
index da1e65a55b..69a1701ea2 100644
--- a/docs/docbook/smbdotconf/security/minpasswordlength.xml
+++ b/docs/docbook/smbdotconf/security/minpasswordlength.xml
@@ -1,14 +1,17 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="MINPASSWORDLENGTH"/>min password length (G)</term>
- <listitem><para>This option sets the minimum length in characters
- of a plaintext password that <command moreinfo="none">smbd</command> will accept when performing
- UNIX password changing.</para>
+<samba:parameter name="min passsword length"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This option sets the minimum length in characters of a
+ plaintext password that <command moreinfo="none">smbd</command> will
+ accept when performing UNIX password changing.</para>
- <para>See also <link linkend="UNIXPASSWORDSYNC"><parameter moreinfo="none">unix
- password sync</parameter></link>, <link linkend="PASSWDPROGRAM">
- <parameter moreinfo="none">passwd program</parameter></link> and <link linkend="PASSWDCHATDEBUG"><parameter moreinfo="none">passwd chat debug</parameter>
- </link>.</para>
+ <para>See also <link linkend="UNIXPASSWORDSYNC"><parameter moreinfo="none">unix
+ password sync</parameter></link>, <link linkend="PASSWDPROGRAM">
+ <parameter moreinfo="none">passwd program</parameter></link> and <link linkend="PASSWDCHATDEBUG">
+ <parameter moreinfo="none">passwd chat debug</parameter></link>.</para>
- <para>Default: <command moreinfo="none">min password length = 5</command></para>
- </listitem>
- </samba:parameter>
+ <para>Default: <command moreinfo="none">min password length = 5</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/nonunixaccountrange.xml b/docs/docbook/smbdotconf/security/nonunixaccountrange.xml
index baa9a783b0..4004af2d94 100644
--- a/docs/docbook/smbdotconf/security/nonunixaccountrange.xml
+++ b/docs/docbook/smbdotconf/security/nonunixaccountrange.xml
@@ -1,21 +1,25 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="NONUNIXACCOUNTRANGE"/>non unix account range (G)</term>
- <listitem><para>The non unix account range parameter specifies
- the range of 'user ids' that are allocated by the various 'non unix
- account' passdb backends. These backends allow
- the storage of passwords for users who don't exist in /etc/passwd.
- This is most often used for machine account creation.
- This range of ids should have no existing local or NIS users within
- it as strange conflicts can occur otherwise.</para>
+<samba:parameter name="non unix account range"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>The non unix account range parameter specifies
+ the range of 'user ids' that are allocated by the various 'non unix
+ account' passdb backends. These backends allow
+ the storage of passwords for users who don't exist in /etc/passwd.
+ This is most often used for machine account creation.
+ This range of ids should have no existing local or NIS users within
+ it as strange conflicts can occur otherwise.</para>
- <note><para>These userids never appear on the system and Samba will never
- 'become' these users. They are used only to ensure that the algorithmic
- RID mapping does not conflict with normal users.
- </para></note>
+ <note>
+ <para>These userids never appear on the system and Samba will never
+ 'become' these users. They are used only to ensure that the algorithmic
+ RID mapping does not conflict with normal users.
+ </para>
+ </note>
- <para>Default: <command moreinfo="none">non unix account range = &lt;empty string&gt;
- </command></para>
+ <para>Default: <command moreinfo="none">non unix account range = &lt;empty string&gt;</command></para>
- <para>Example: <command moreinfo="none">non unix account range = 10000-20000</command></para>
- </listitem>
- </samba:parameter>
+ <para>Example: <command moreinfo="none">non unix account range = 10000-20000</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/ntlmauth.xml b/docs/docbook/smbdotconf/security/ntlmauth.xml
index a3b8caf062..b0b3179ab7 100644
--- a/docs/docbook/smbdotconf/security/ntlmauth.xml
+++ b/docs/docbook/smbdotconf/security/ntlmauth.xml
@@ -1,16 +1,15 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="NTLMAUTH"/>ntlm auth (G)</term>
- <listitem><para>This parameter determines
- whether or not <citerefentry><refentrytitle>smbd</refentrytitle>
- <manvolnum>8</manvolnum></citerefentry> will
- attempt to authenticate users using the NTLM password hash.
- If disabled, only the lanman password hashes will be used.
- </para>
+<samba:parameter name="ntlm auth"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> will attempt to authenticate users using the NTLM password hash.
+ If disabled, only the lanman password hashes will be used.</para>
- <para>Please note that at least this option or <command moreinfo="none">lanman auth</command> should
- be enabled in order to be able to log in.
- </para>
+ <para>Please note that at least this option or <command moreinfo="none">lanman auth</command> should
+ be enabled in order to be able to log in.</para>
- <para>Default : <command moreinfo="none">ntlm auth = yes</command></para>
- </listitem>
- </samba:parameter>
+ <para>Default : <command moreinfo="none">ntlm auth = yes</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/nullpasswords.xml b/docs/docbook/smbdotconf/security/nullpasswords.xml
index 40b687fceb..944a307eb7 100644
--- a/docs/docbook/smbdotconf/security/nullpasswords.xml
+++ b/docs/docbook/smbdotconf/security/nullpasswords.xml
@@ -1,11 +1,13 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="NULLPASSWORDS"/>null passwords (G)</term>
- <listitem><para>Allow or disallow client access to accounts
- that have null passwords. </para>
+<samba:parameter name="null passwords"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>Allow or disallow client access to accounts that have null passwords. </para>
- <para>See also <citerefentry><refentrytitle>smbpasswd</refentrytitle>
- <manvolnum>5</manvolnum></citerefentry>.</para>
+ <para>See also <citerefentry><refentrytitle>smbpasswd</refentrytitle>
+ <manvolnum>5</manvolnum></citerefentry>.</para>
- <para>Default: <command moreinfo="none">null passwords = no</command></para>
- </listitem>
- </samba:parameter>
+ <para>Default: <command moreinfo="none">null passwords = no</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/obeypamrestrictions.xml b/docs/docbook/smbdotconf/security/obeypamrestrictions.xml
index 92a6bce22d..42d6b5cc43 100644
--- a/docs/docbook/smbdotconf/security/obeypamrestrictions.xml
+++ b/docs/docbook/smbdotconf/security/obeypamrestrictions.xml
@@ -1,15 +1,19 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="OBEYPAMRESTRICTIONS"/>obey pam restrictions (G)</term>
- <listitem><para>When Samba 2.2 is configured to enable PAM support
- (i.e. --with-pam), this parameter will control whether or not Samba
- should obey PAM's account and session management directives. The
- default behavior is to use PAM for clear text authentication only
- and to ignore any account or session management. Note that Samba
- always ignores PAM for authentication in the case of <link linkend="ENCRYPTPASSWORDS"><parameter moreinfo="none">encrypt passwords = yes</parameter>
- </link>. The reason is that PAM modules cannot support the challenge/response
- authentication mechanism needed in the presence of SMB password encryption.
- </para>
+<samba:parameter name="obey pam restrictions"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>When Samba 3.0 is configured to enable PAM support
+ (i.e. --with-pam), this parameter will control whether or not Samba
+ should obey PAM's account and session management directives. The
+ default behavior is to use PAM for clear text authentication only
+ and to ignore any account or session management. Note that Samba
+ always ignores PAM for authentication in the case of <link linkend="ENCRYPTPASSWORDS">
+ <parameter moreinfo="none">encrypt passwords = yes</parameter></link>. The reason
+ is that PAM modules cannot support the challenge/response
+ authentication mechanism needed in the presence of SMB password encryption.
+ </para>
- <para>Default: <command moreinfo="none">obey pam restrictions = no</command></para>
- </listitem>
- </samba:parameter>
+ <para>Default: <command moreinfo="none">obey pam restrictions = no</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/onlyguest.xml b/docs/docbook/smbdotconf/security/onlyguest.xml
index 018fa1a0b5..756c682ab3 100644
--- a/docs/docbook/smbdotconf/security/onlyguest.xml
+++ b/docs/docbook/smbdotconf/security/onlyguest.xml
@@ -1,6 +1,8 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="ONLYGUEST"/>only guest (S)</term>
- <listitem><para>A synonym for <link linkend="GUESTONLY"><parameter moreinfo="none">
- guest only</parameter></link>.</para>
- </listitem>
- </samba:parameter>
+<samba:parameter name="only guest"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>A synonym for <link linkend="GUESTONLY"><parameter moreinfo="none">
+ guest only</parameter></link>.</para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/onlyuser.xml b/docs/docbook/smbdotconf/security/onlyuser.xml
index d0bbac7541..9975023ecb 100644
--- a/docs/docbook/smbdotconf/security/onlyuser.xml
+++ b/docs/docbook/smbdotconf/security/onlyuser.xml
@@ -1,24 +1,26 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="ONLYUSER"/>only user (S)</term>
- <listitem><para>This is a boolean option that controls whether
- connections with usernames not in the <parameter moreinfo="none">user</parameter>
- list will be allowed. By default this option is disabled so that a
- client can supply a username to be used by the server. Enabling
- this parameter will force the server to only use the login
- names from the <parameter moreinfo="none">user</parameter> list and is only really
- useful in <link linkend="SECURITYEQUALSSHARE">share level</link>
- security.</para>
+<samba:parameter name="only user"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This is a boolean option that controls whether
+ connections with usernames not in the <parameter moreinfo="none">user</parameter>
+ list will be allowed. By default this option is disabled so that a
+ client can supply a username to be used by the server. Enabling
+ this parameter will force the server to only use the login
+ names from the <parameter moreinfo="none">user</parameter> list and is only really
+ useful in <link linkend="SECURITYEQUALSSHARE">share level</link>
+ security.</para>
- <para>Note that this also means Samba won't try to deduce
- usernames from the service name. This can be annoying for
- the [homes] section. To get around this you could use <command moreinfo="none">user =
- %S</command> which means your <parameter moreinfo="none">user</parameter> list
- will be just the service name, which for home directories is the
- name of the user.</para>
+ <para>Note that this also means Samba won't try to deduce
+ usernames from the service name. This can be annoying for
+ the [homes] section. To get around this you could use <command moreinfo="none">user =
+ %S</command> which means your <parameter moreinfo="none">user</parameter> list
+ will be just the service name, which for home directories is the
+ name of the user.</para>
- <para>See also the <link linkend="USER"><parameter moreinfo="none">user</parameter>
- </link> parameter.</para>
+ <para>See also the <link linkend="USER"><parameter moreinfo="none">user</parameter>
+ </link> parameter.</para>
- <para>Default: <command moreinfo="none">only user = no</command></para>
- </listitem>
- </samba:parameter>
+ <para>Default: <command moreinfo="none">only user = no</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/pampasswordchange.xml b/docs/docbook/smbdotconf/security/pampasswordchange.xml
index 8f0e91ae2d..5eb60e5270 100644
--- a/docs/docbook/smbdotconf/security/pampasswordchange.xml
+++ b/docs/docbook/smbdotconf/security/pampasswordchange.xml
@@ -1,16 +1,17 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="PAMPASSWORDCHANGE"/>pam password change (G)</term>
- <listitem><para>With the addition of better PAM support in Samba 2.2,
- this parameter, it is possible to use PAM's password change control
- flag for Samba. If enabled, then PAM will be used for password
- changes when requested by an SMB client instead of the program listed in
- <link linkend="PASSWDPROGRAM"><parameter moreinfo="none">passwd program</parameter></link>.
- It should be possible to enable this without changing your
- <link linkend="PASSWDCHAT"><parameter moreinfo="none">passwd chat</parameter></link>
- parameter for most setups.
- </para>
+<samba:parameter name="pam password change"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>With the addition of better PAM support in Samba 2.2,
+ this parameter, it is possible to use PAM's password change control
+ flag for Samba. If enabled, then PAM will be used for password
+ changes when requested by an SMB client instead of the program listed in
+ <link linkend="PASSWDPROGRAM"><parameter moreinfo="none">passwd program</parameter></link>.
+ It should be possible to enable this without changing your
+ <link linkend="PASSWDCHAT"><parameter moreinfo="none">passwd chat</parameter></link>
+ parameter for most setups.</para>
- <para>Default: <command moreinfo="none">pam password change = no</command></para>
-
- </listitem>
- </samba:parameter>
+ <para>Default: <command moreinfo="none">pam password change = no</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/passdbbackend.xml b/docs/docbook/smbdotconf/security/passdbbackend.xml
index 918c802e78..256b6c9709 100644
--- a/docs/docbook/smbdotconf/security/passdbbackend.xml
+++ b/docs/docbook/smbdotconf/security/passdbbackend.xml
@@ -1,91 +1,119 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="PASSDBBACKEND"/>passdb backend (G)</term>
- <listitem><para>This option allows the administrator to chose which backends to retrieve and store passwords with. This allows (for example) both
- smbpasswd and tdbsam to be used without a recompile.
- Multiple backends can be specified, separated by spaces. The backends will be searched in the order they are specified. New users are always added to the first backend specified.
- Experimental backends must still be selected
- (eg --with-tdbsam) at configure time.
- </para>
+<samba:parameter name="passdb backend"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+
+ <para>This option allows the administrator to chose which backends
+ to retrieve and store passwords with. This allows (for example) both
+ smbpasswd and tdbsam to be used without a recompile. Multiple
+ backends can be specified, separated by spaces. The backends will be
+ searched in the order they are specified. New users are always added
+ to the first backend specified. Experimental backends must still be
+ selected (eg --with-tdbsam) at configure time. </para>
- <para>This parameter is in two parts, the backend's name, and a 'location'
- string that has meaning only to that particular backed. These are separated
- by a : character.</para>
+ <para>This parameter is in two parts, the backend's name, and a 'location'
+ string that has meaning only to that particular backed. These are separated
+ by a : character.</para>
- <para>Available backends can include:
- <itemizedlist>
- <listitem><para><command moreinfo="none">smbpasswd</command> - The default smbpasswd
- backend. Takes a path to the smbpasswd file as an optional argument.</para></listitem>
+ <para>Available backends can include:
+ <itemizedlist>
+ <listitem>
+ <para><command moreinfo="none">smbpasswd</command> - The default smbpasswd
+ backend. Takes a path to the smbpasswd file as an optional argument.
+ </para>
+ </listitem>
- <listitem><para><command moreinfo="none">smbpasswd_nua</command> - The smbpasswd
- backend, but with support for 'not unix accounts'.
- Takes a path to the smbpasswd file as an optional argument.</para>
- <para>See also <link linkend="NONUNIXACCOUNTRANGE">
- <parameter moreinfo="none">non unix account range</parameter></link></para></listitem>
+ <listitem>
+ <para><command moreinfo="none">smbpasswd_nua</command> - The smbpasswd
+ backend, but with support for 'not unix accounts'.
+ Takes a path to the smbpasswd file as an optional argument.</para>
+
+ <para>See also <link linkend="NONUNIXACCOUNTRANGE">
+ <parameter moreinfo="none">non unix account range</parameter></link></para>
+ </listitem>
- <listitem><para><command moreinfo="none">tdbsam</command> - The TDB based password storage
- backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb
- in the <link linkend="PRIVATEDIR">
- <parameter moreinfo="none">private dir</parameter></link> directory.</para></listitem>
+ <listitem>
+ <para><command moreinfo="none">tdbsam</command> - The TDB based password storage
+ backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb
+ in the <link linkend="PRIVATEDIR">
+ <parameter moreinfo="none">private dir</parameter></link> directory.</para>
+ </listitem>
- <listitem><para><command moreinfo="none">tdbsam_nua</command> - The TDB based password storage
- backend, with non unix account support. Takes a path to the TDB as an optional argument (defaults to passdb.tdb
- in the <link linkend="PRIVATEDIR">
- <parameter moreinfo="none">private dir</parameter></link> directory.</para>
- <para>See also <link linkend="NONUNIXACCOUNTRANGE">
- <parameter moreinfo="none">non unix account range</parameter></link></para></listitem>
+ <listitem>
+ <para><command moreinfo="none">tdbsam_nua</command> - The TDB based password storage
+ backend, with non unix account support. Takes a path to the TDB as an optional argument (defaults to passdb.tdb
+ in the <link linkend="PRIVATEDIR">
+ <parameter moreinfo="none">private dir</parameter></link> directory.</para>
+
+ <para>See also <link linkend="NONUNIXACCOUNTRANGE">
+ <parameter moreinfo="none">non unix account range</parameter></link></para>
+ </listitem>
- <listitem><para><command moreinfo="none">ldapsam</command> - The LDAP based passdb
- backend. Takes an LDAP URL as an optional argument (defaults to
- <command moreinfo="none">ldap://localhost</command>)</para></listitem>
+ <listitem>
+ <para><command moreinfo="none">ldapsam</command> - The LDAP based passdb
+ backend. Takes an LDAP URL as an optional argument (defaults to
+ <command moreinfo="none">ldap://localhost</command>)</para>
+ </listitem>
- <listitem><para><command moreinfo="none">ldapsam_nua</command> - The LDAP based passdb
- backend, with non unix account support. Takes an LDAP URL as an optional argument (defaults to
- <command moreinfo="none">ldap://localhost</command>)</para>
+ <listitem>
+ <para><command moreinfo="none">ldapsam_nua</command> - The LDAP based passdb
+ backend, with non unix account support. Takes an LDAP URL as an optional argument (defaults to
+ <command moreinfo="none">ldap://localhost</command>)</para>
- <para>Note: In this module, any account without a matching POSIX account is regarded
- as 'non unix'. </para>
+ <para>Note: In this module, any account without a matching POSIX account is regarded
+ as 'non unix'. </para>
- <para>See also <link linkend="NONUNIXACCOUNTRANGE">
- <parameter moreinfo="none">non unix account
- range</parameter></link></para>
+ <para>See also <link linkend="NONUNIXACCOUNTRANGE">
+ <parameter moreinfo="none">non unix account range</parameter></link></para>
- <para>LDAP connections should be secured where
- possible. This may be done using either
- Start-TLS (see <link linkend="LDAPSSL">
- <parameter moreinfo="none">ldap ssl</parameter></link>) or by
- specifying <parameter moreinfo="none">ldaps://</parameter> in
- the URL argument.
- </para></listitem>
+ <para>LDAP connections should be secured where possible. This may be done using either
+ Start-TLS (see <link linkend="LDAPSSL"><parameter moreinfo="none">ldap ssl</parameter></link>) or by
+ specifying <parameter moreinfo="none">ldaps://</parameter> in
+ the URL argument. </para>
+ </listitem>
- <listitem><para><command moreinfo="none">nisplussam</command> - The NIS+ based passdb backend. Takes name NIS domain as an optional argument. Only works with sun NIS+ servers. </para></listitem>
+ <listitem>
+ <para><command moreinfo="none">nisplussam</command> -
+ The NIS+ based passdb backend. Takes name NIS domain as
+ an optional argument. Only works with sun NIS+ servers.
+ </para>
+ </listitem>
- <listitem><para><command moreinfo="none">plugin</command> - Allows Samba to load an
- arbitary passdb backend from the .so specified as a compulsary argument.
- </para>
+ <listitem>
+ <para><command moreinfo="none">plugin</command> - Allows Samba to load an
+ arbitary passdb backend from the .so specified as a compulsary argument.
+ </para>
- <para>Any characters after the (optional) second : are passed to the plugin
- for its own processing</para>
- </listitem>
+ <para>Any characters after the (optional) second : are passed to the plugin
+ for its own processing</para>
+ </listitem>
- <listitem><para><command moreinfo="none">unixsam</command> - Allows samba to map all (other) available unix users</para>
+ <listitem>
+ <para><command moreinfo="none">unixsam</command> - Allows samba to map all (other)
+ available unix users</para>
- <para>This backend uses the standard unix database for retrieving users. Users included
- in this pdb are NOT listed in samba user listings and users included in this pdb won't be
- able to login. The use of this backend is to always be able to display the owner of a file
- on the samba server - even when the user doesn't have a 'real' samba account in one of the
- other passdb backends.
- </para>
+ <para>This backend uses the standard unix database for retrieving users. Users included
+ in this pdb are NOT listed in samba user listings and users included in this pdb won't be
+ able to login. The use of this backend is to always be able to display the owner of a file
+ on the samba server - even when the user doesn't have a 'real' samba account in one of the
+ other passdb backends.
+ </para>
- <para>This backend should always be the last backend listed, since it contains all users in
- the unix passdb and might 'override' mappings if specified earlier. It's meant to only return
- accounts for users that aren't covered by the previous backends.</para>
- </listitem>
- </itemizedlist>
+ <para>This backend should always be the last backend listed, since it contains all users in
+ the unix passdb and might 'override' mappings if specified earlier. It's meant to only return
+ accounts for users that aren't covered by the previous backends.
</para>
+ </listitem>
+ </itemizedlist>
+ </para>
+
+ <para>Default: <command moreinfo="none">passdb backend = smbpasswd unixsam</command></para>
+
+ <para>Example: <command moreinfo="none">passdb backend = tdbsam:/etc/samba/private/passdb.tdb smbpasswd:/etc/samba/smbpasswd unixsam</command></para>
+
+ <para>Example: <command moreinfo="none">passdb backend = ldapsam_nua:ldaps://ldap.example.com unixsam</command></para>
- <para>Default: <command moreinfo="none">passdb backend = smbpasswd unixsam</command></para>
- <para>Example: <command moreinfo="none">passdb backend = tdbsam:/etc/samba/private/passdb.tdb smbpasswd:/etc/samba/smbpasswd unixsam</command></para>
- <para>Example: <command moreinfo="none">passdb backend = ldapsam_nua:ldaps://ldap.example.com unixsam</command></para>
- <para>Example: <command moreinfo="none">passdb backend = plugin:/usr/local/samba/lib/my_passdb.so:my_plugin_args tdbsam:/etc/samba/private/passdb.tdb</command></para>
- </listitem>
- </samba:parameter>
+ <para>Example: <command moreinfo="none">passdb backend = plugin:/usr/local/samba/lib/my_passdb.so:my_plugin_args tdbsam:/etc/samba/private/passdb.tdb</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/passwdchat.xml b/docs/docbook/smbdotconf/security/passwdchat.xml
index 922f1a878c..fcefd8f8df 100644
--- a/docs/docbook/smbdotconf/security/passwdchat.xml
+++ b/docs/docbook/smbdotconf/security/passwdchat.xml
@@ -1,58 +1,62 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="PASSWDCHAT"/>passwd chat (G)</term>
- <listitem><para>This string controls the <emphasis>&quot;chat&quot;</emphasis>
- conversation that takes places between <citerefentry><refentrytitle>smbd</refentrytitle>
- <manvolnum>8</manvolnum></citerefentry> and the local password changing
- program to change the user's password. The string describes a
- sequence of response-receive pairs that <citerefentry><refentrytitle>smbd</refentrytitle>
- <manvolnum>8</manvolnum></citerefentry> uses to determine what to send to the
- <link linkend="PASSWDPROGRAM"><parameter moreinfo="none">passwd program</parameter>
- </link> and what to expect back. If the expected output is not
- received then the password is not changed.</para>
-
- <para>This chat sequence is often quite site specific, depending
- on what local methods are used for password control (such as NIS
- etc).</para>
- <para>Note that this parameter only is only used if the <link linkend="UNIXPASSWORDSYNC"><parameter moreinfo="none">unix
- password sync</parameter></link> parameter is set to <constant>yes</constant>. This
- sequence is then called <emphasis>AS ROOT</emphasis> when the SMB password
- in the smbpasswd file is being changed, without access to the old
- password cleartext. This means that root must be able to reset the user's password
- without knowing the text of the previous password. In the presence of NIS/YP,
- this means that the <link linkend="PASSWDPROGRAM">passwd program</link> must be
- executed on the NIS master.
- </para>
-
-
- <para>The string can contain the macro <parameter moreinfo="none">%n</parameter> which is substituted
- for the new password. The chat sequence can also contain the standard
- macros <constant>\\n</constant>, <constant>\\r</constant>, <constant>
- \\t</constant> and <constant>\\s</constant> to give line-feed,
- carriage-return, tab and space. The chat sequence string can also contain
- a '*' which matches any sequence of characters.
- Double quotes can be used to collect strings with spaces
- in them into a single string.</para>
-
- <para>If the send string in any part of the chat sequence
- is a full stop &quot;.&quot;, then no string is sent. Similarly,
- if the expect string is a full stop then no string is expected.</para>
-
- <para>If the <link linkend="PAMPASSWORDCHANGE"><parameter moreinfo="none">pam
- password change</parameter></link> parameter is set to <constant>yes</constant>, the chat pairs
- may be matched in any order, and success is determined by the PAM result,
- not any particular output. The \n macro is ignored for PAM conversions.
- </para>
-
- <para>See also <link linkend="UNIXPASSWORDSYNC"><parameter moreinfo="none">unix password
- sync</parameter></link>, <link linkend="PASSWDPROGRAM"><parameter moreinfo="none">
- passwd program</parameter></link> ,<link linkend="PASSWDCHATDEBUG">
- <parameter moreinfo="none">passwd chat debug</parameter></link> and <link linkend="PAMPASSWORDCHANGE">
- <parameter moreinfo="none">pam password change</parameter></link>.</para>
-
- <para>Default: <command moreinfo="none">passwd chat = *new*password* %n\\n
- *new*password* %n\\n *changed*</command></para>
- <para>Example: <command moreinfo="none">passwd chat = &quot;*Enter OLD password*&quot; %o\\n
- &quot;*Enter NEW password*&quot; %n\\n &quot;*Reenter NEW password*&quot; %n\\n &quot;*Password
- changed*&quot;</command></para>
- </listitem>
- </samba:parameter>
+<samba:parameter name="passwd chat"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This string controls the <emphasis>&quot;chat&quot;</emphasis>
+ conversation that takes places between <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> and the local password changing
+ program to change the user's password. The string describes a
+ sequence of response-receive pairs that <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> uses to determine what to send to the
+ <link linkend="PASSWDPROGRAM"><parameter moreinfo="none">passwd program</parameter>
+ </link> and what to expect back. If the expected output is not
+ received then the password is not changed.</para>
+
+ <para>This chat sequence is often quite site specific, depending
+ on what local methods are used for password control (such as NIS
+ etc).</para>
+
+ <para>Note that this parameter only is only used if the <link
+ linkend="UNIXPASSWORDSYNC"> <parameter moreinfo="none">unix password sync</parameter>
+ </link> parameter is set to <constant>yes</constant>. This sequence is
+ then called <emphasis>AS ROOT</emphasis> when the SMB password in the
+ smbpasswd file is being changed, without access to the old password
+ cleartext. This means that root must be able to reset the user's password without
+ knowing the text of the previous password. In the presence of
+ NIS/YP, this means that the <link linkend="PASSWDPROGRAM">passwd program</link> must
+ be executed on the NIS master.
+ </para>
+
+
+ <para>The string can contain the macro <parameter moreinfo="none">%n</parameter> which is substituted
+ for the new password. The chat sequence can also contain the standard
+ macros <constant>\\n</constant>, <constant>\\r</constant>, <constant>\\t</constant> and <constant>\\s</constant> to
+ give line-feed, carriage-return, tab and space. The chat sequence string can also contain
+ a '*' which matches any sequence of characters. Double quotes can be used to collect strings with spaces
+ in them into a single string.</para>
+
+ <para>If the send string in any part of the chat sequence is a full
+ stop &quot;.&quot;, then no string is sent. Similarly, if the
+ expect string is a full stop then no string is expected.</para>
+
+ <para>If the <link linkend="PAMPASSWORDCHANGE"><parameter moreinfo="none">pam
+ password change</parameter></link> parameter is set to <constant>yes</constant>, the chat pairs
+ may be matched in any order, and success is determined by the PAM result,
+ not any particular output. The \n macro is ignored for PAM conversions.
+ </para>
+
+ <para>See also <link linkend="UNIXPASSWORDSYNC"><parameter moreinfo="none">unix password
+ sync</parameter></link>, <link linkend="PASSWDPROGRAM"><parameter moreinfo="none">
+ passwd program</parameter></link> ,<link linkend="PASSWDCHATDEBUG">
+ <parameter moreinfo="none">passwd chat debug</parameter></link> and <link linkend="PAMPASSWORDCHANGE">
+ <parameter moreinfo="none">pam password change</parameter></link>.</para>
+
+ <para>Default: <command moreinfo="none">passwd chat = *new*password* %n\\n
+ *new*password* %n\\n *changed*</command></para>
+
+ <para>Example: <command moreinfo="none">passwd chat = &quot;*Enter OLD password*&quot; %o\\n
+ &quot;*Enter NEW password*&quot; %n\\n &quot;*Reenter NEW password*&quot; %n\\n
+ &quot;*Password changed*&quot;</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/passwdchatdebug.xml b/docs/docbook/smbdotconf/security/passwdchatdebug.xml
index a5771b72d2..2d731b5d11 100644
--- a/docs/docbook/smbdotconf/security/passwdchatdebug.xml
+++ b/docs/docbook/smbdotconf/security/passwdchatdebug.xml
@@ -1,25 +1,27 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="PASSWDCHATDEBUG"/>passwd chat debug (G)</term>
- <listitem><para>This boolean specifies if the passwd chat script
- parameter is run in <emphasis>debug</emphasis> mode. In this mode the
- strings passed to and received from the passwd chat are printed
- in the <citerefentry><refentrytitle>smbd</refentrytitle>
- <manvolnum>8</manvolnum></citerefentry> log with a
- <link linkend="DEBUGLEVEL"><parameter moreinfo="none">debug level</parameter></link>
- of 100. This is a dangerous option as it will allow plaintext passwords
- to be seen in the <command moreinfo="none">smbd</command> log. It is available to help
- Samba admins debug their <parameter moreinfo="none">passwd chat</parameter> scripts
- when calling the <parameter moreinfo="none">passwd program</parameter> and should
- be turned off after this has been done. This option has no effect if the
- <link linkend="PAMPASSWORDCHANGE"><parameter moreinfo="none">pam password change</parameter></link>
- paramter is set. This parameter is off by default.</para>
+<samba:parameter name="passwd chat debug"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This boolean specifies if the passwd chat script
+ parameter is run in <emphasis>debug</emphasis> mode. In this mode the
+ strings passed to and received from the passwd chat are printed
+ in the <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> log with a
+ <link linkend="DEBUGLEVEL"><parameter moreinfo="none">debug level</parameter></link>
+ of 100. This is a dangerous option as it will allow plaintext passwords
+ to be seen in the <command moreinfo="none">smbd</command> log. It is available to help
+ Samba admins debug their <parameter moreinfo="none">passwd chat</parameter> scripts
+ when calling the <parameter moreinfo="none">passwd program</parameter> and should
+ be turned off after this has been done. This option has no effect if the
+ <link linkend="PAMPASSWORDCHANGE"><parameter moreinfo="none">pam password change</parameter></link>
+ paramter is set. This parameter is off by default.</para>
+ <para>See also <link linkend="PASSWDCHAT"><parameter moreinfo="none">passwd chat</parameter>
+ </link>, <link linkend="PAMPASSWORDCHANGE"><parameter moreinfo="none">pam password change</parameter>
+ </link>, <link linkend="PASSWDPROGRAM"><parameter moreinfo="none">passwd program</parameter>
+ </link>.</para>
- <para>See also <link linkend="PASSWDCHAT"><parameter moreinfo="none">passwd chat</parameter>
- </link>, <link linkend="PAMPASSWORDCHANGE"><parameter moreinfo="none">pam password change</parameter>
- </link>, <link linkend="PASSWDPROGRAM"><parameter moreinfo="none">passwd program</parameter>
- </link>.</para>
-
- <para>Default: <command moreinfo="none">passwd chat debug = no</command></para>
- </listitem>
- </samba:parameter>
+ <para>Default: <command moreinfo="none">passwd chat debug = no</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/passwdprogram.xml b/docs/docbook/smbdotconf/security/passwdprogram.xml
index dae24e22a1..dbcc261ce4 100644
--- a/docs/docbook/smbdotconf/security/passwdprogram.xml
+++ b/docs/docbook/smbdotconf/security/passwdprogram.xml
@@ -1,35 +1,39 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="PASSWDPROGRAM"/>passwd program (G)</term>
- <listitem><para>The name of a program that can be used to set
- UNIX user passwords. Any occurrences of <parameter moreinfo="none">%u</parameter>
- will be replaced with the user name. The user name is checked for
- existence before calling the password changing program.</para>
+<samba:parameter name="passwd program"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>The name of a program that can be used to set
+ UNIX user passwords. Any occurrences of <parameter moreinfo="none">%u</parameter>
+ will be replaced with the user name. The user name is checked for
+ existence before calling the password changing program.</para>
- <para>Also note that many passwd programs insist in <emphasis>reasonable
- </emphasis> passwords, such as a minimum length, or the inclusion
- of mixed case chars and digits. This can pose a problem as some clients
- (such as Windows for Workgroups) uppercase the password before sending
- it.</para>
+ <para>Also note that many passwd programs insist in <emphasis>reasonable
+ </emphasis> passwords, such as a minimum length, or the inclusion
+ of mixed case chars and digits. This can pose a problem as some clients
+ (such as Windows for Workgroups) uppercase the password before sending
+ it.</para>
- <para><emphasis>Note</emphasis> that if the <parameter moreinfo="none">unix
- password sync</parameter> parameter is set to <constant>yes
- </constant> then this program is called <emphasis>AS ROOT</emphasis>
- before the SMB password in the <ulink url="smbpasswd.5.html">smbpasswd(5)
- </ulink> file is changed. If this UNIX password change fails, then
- <command moreinfo="none">smbd</command> will fail to change the SMB password also
- (this is by design).</para>
+ <para><emphasis>Note</emphasis> that if the <parameter moreinfo="none">unix
+ password sync</parameter> parameter is set to <constant>yes
+ </constant> then this program is called <emphasis>AS ROOT</emphasis>
+ before the SMB password in the <ulink url="smbpasswd.5.html"><citerefentry>
+ <refentrytitle>smbpasswd</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ </ulink> file is changed. If this UNIX password change fails, then
+ <command moreinfo="none">smbd</command> will fail to change the SMB password also
+ (this is by design).</para>
- <para>If the <parameter moreinfo="none">unix password sync</parameter> parameter
- is set this parameter <emphasis>MUST USE ABSOLUTE PATHS</emphasis>
- for <emphasis>ALL</emphasis> programs called, and must be examined
- for security implications. Note that by default <parameter moreinfo="none">unix
- password sync</parameter> is set to <constant>no</constant>.</para>
+ <para>If the <parameter moreinfo="none">unix password sync</parameter> parameter
+ is set this parameter <emphasis>MUST USE ABSOLUTE PATHS</emphasis>
+ for <emphasis>ALL</emphasis> programs called, and must be examined
+ for security implications. Note that by default <parameter moreinfo="none">unix
+ password sync</parameter> is set to <constant>no</constant>.</para>
- <para>See also <link linkend="UNIXPASSWORDSYNC"><parameter moreinfo="none">unix
- password sync</parameter></link>.</para>
+ <para>See also <link linkend="UNIXPASSWORDSYNC"><parameter moreinfo="none">unix
+ password sync</parameter></link>.</para>
- <para>Default: <command moreinfo="none">passwd program = /bin/passwd</command></para>
- <para>Example: <command moreinfo="none">passwd program = /sbin/npasswd %u</command>
- </para>
- </listitem>
- </samba:parameter>
+ <para>Default: <command moreinfo="none">passwd program = /bin/passwd</command></para>
+
+ <para>Example: <command moreinfo="none">passwd program = /sbin/npasswd %u</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/passwordlevel.xml b/docs/docbook/smbdotconf/security/passwordlevel.xml
index 408082f838..28b9999731 100644
--- a/docs/docbook/smbdotconf/security/passwordlevel.xml
+++ b/docs/docbook/smbdotconf/security/passwordlevel.xml
@@ -1,40 +1,44 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="PASSWORDLEVEL"/>password level (G)</term>
- <listitem><para>Some client/server combinations have difficulty
- with mixed-case passwords. One offending client is Windows for
- Workgroups, which for some reason forces passwords to upper
- case when using the LANMAN1 protocol, but leaves them alone when
- using COREPLUS! Another problem child is the Windows 95/98
- family of operating systems. These clients upper case clear
- text passwords even when NT LM 0.12 selected by the protocol
- negotiation request/response.</para>
-
- <para>This parameter defines the maximum number of characters
- that may be upper case in passwords.</para>
-
- <para>For example, say the password given was &quot;FRED&quot;. If <parameter moreinfo="none">
- password level</parameter> is set to 1, the following combinations
- would be tried if &quot;FRED&quot; failed:</para>
-
- <para>&quot;Fred&quot;, &quot;fred&quot;, &quot;fRed&quot;, &quot;frEd&quot;,&quot;freD&quot;</para>
-
- <para>If <parameter moreinfo="none">password level</parameter> was set to 2,
- the following combinations would also be tried: </para>
-
- <para>&quot;FRed&quot;, &quot;FrEd&quot;, &quot;FreD&quot;, &quot;fREd&quot;, &quot;fReD&quot;, &quot;frED&quot;, ..</para>
-
- <para>And so on.</para>
-
- <para>The higher value this parameter is set to the more likely
- it is that a mixed case password will be matched against a single
- case password. However, you should be aware that use of this
- parameter reduces security and increases the time taken to
- process a new connection.</para>
-
- <para>A value of zero will cause only two attempts to be
- made - the password as is and the password in all-lower case.</para>
-
- <para>Default: <command moreinfo="none">password level = 0</command></para>
- <para>Example: <command moreinfo="none">password level = 4</command></para>
- </listitem>
- </samba:parameter>
+<samba:parameter name="password level"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>Some client/server combinations have difficulty
+ with mixed-case passwords. One offending client is Windows for
+ Workgroups, which for some reason forces passwords to upper
+ case when using the LANMAN1 protocol, but leaves them alone when
+ using COREPLUS! Another problem child is the Windows 95/98
+ family of operating systems. These clients upper case clear
+ text passwords even when NT LM 0.12 selected by the protocol
+ negotiation request/response.</para>
+
+ <para>This parameter defines the maximum number of characters
+ that may be upper case in passwords.</para>
+
+ <para>For example, say the password given was &quot;FRED&quot;. If <parameter moreinfo="none">
+ password level</parameter> is set to 1, the following combinations
+ would be tried if &quot;FRED&quot; failed:</para>
+
+ <para>&quot;Fred&quot;, &quot;fred&quot;, &quot;fRed&quot;, &quot;frEd&quot;,&quot;freD&quot;</para>
+
+ <para>If <parameter moreinfo="none">password level</parameter> was set to 2,
+ the following combinations would also be tried: </para>
+
+ <para>&quot;FRed&quot;, &quot;FrEd&quot;, &quot;FreD&quot;, &quot;fREd&quot;, &quot;fReD&quot;, &quot;frED&quot;, ..</para>
+
+ <para>And so on.</para>
+
+ <para>The higher value this parameter is set to the more likely
+ it is that a mixed case password will be matched against a single
+ case password. However, you should be aware that use of this
+ parameter reduces security and increases the time taken to
+ process a new connection.</para>
+
+ <para>A value of zero will cause only two attempts to be
+ made - the password as is and the password in all-lower case.</para>
+
+ <para>Default: <command moreinfo="none">password level = 0</command></para>
+
+ <para>Example: <command moreinfo="none">password level = 4</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/passwordserver.xml b/docs/docbook/smbdotconf/security/passwordserver.xml
index b803816d88..e40ff32b75 100644
--- a/docs/docbook/smbdotconf/security/passwordserver.xml
+++ b/docs/docbook/smbdotconf/security/passwordserver.xml
@@ -1,92 +1,98 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="PASSWORDSERVER"/>password server (G)</term>
- <listitem><para>By specifying the name of another SMB server (such
- as a WinNT box) with this option, and using <command moreinfo="none">security = domain
- </command> or <command moreinfo="none">security = server</command> you can get Samba
- to do all its username/password validation via a remote server.</para>
+<samba:parameter name="password server"
+ context="G"
+ advanced="1" wizard="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>By specifying the name of another SMB server (such
+ as a WinNT box) with this option, and using <command moreinfo="none">security = domain
+ </command> or <command moreinfo="none">security = server</command> you can get Samba
+ to do all its username/password validation via a remote server.</para>
- <para>This option sets the name of the password server to use.
- It must be a NetBIOS name, so if the machine's NetBIOS name is
- different from its Internet name then you may have to add its NetBIOS
- name to the lmhosts file which is stored in the same directory
- as the <filename moreinfo="none">smb.conf</filename> file.</para>
+ <para>This option sets the name of the password server to use.
+ It must be a NetBIOS name, so if the machine's NetBIOS name is
+ different from its Internet name then you may have to add its NetBIOS
+ name to the lmhosts file which is stored in the same directory
+ as the <filename moreinfo="none">smb.conf</filename> file.</para>
- <para>The name of the password server is looked up using the
- parameter <link linkend="NAMERESOLVEORDER"><parameter moreinfo="none">name
- resolve order</parameter></link> and so may resolved
- by any method and order described in that parameter.</para>
+ <para>The name of the password server is looked up using the
+ parameter <link linkend="NAMERESOLVEORDER"><parameter moreinfo="none">name
+ resolve order</parameter></link> and so may resolved
+ by any method and order described in that parameter.</para>
- <para>The password server must be a machine capable of using
- the &quot;LM1.2X002&quot; or the &quot;NT LM 0.12&quot; protocol, and it must be in
- user level security mode.</para>
+ <para>The password server must be a machine capable of using
+ the &quot;LM1.2X002&quot; or the &quot;NT LM 0.12&quot; protocol, and it must be in
+ user level security mode.</para>
- <note><para>Using a password server
- means your UNIX box (running Samba) is only as secure as your
- password server. <emphasis>DO NOT CHOOSE A PASSWORD SERVER THAT
- YOU DON'T COMPLETELY TRUST</emphasis>.</para></note>
+ <note><para>Using a password server means your UNIX box (running
+ Samba) is only as secure as your password server. <emphasis>DO NOT
+ CHOOSE A PASSWORD SERVER THAT YOU DON'T COMPLETELY TRUST</emphasis>.
+ </para></note>
- <para>Never point a Samba server at itself for password
- serving. This will cause a loop and could lock up your Samba
- server!</para>
+ <para>Never point a Samba server at itself for password serving.
+ This will cause a loop and could lock up your Samba server!</para>
- <para>The name of the password server takes the standard
- substitutions, but probably the only useful one is <parameter moreinfo="none">%m
- </parameter>, which means the Samba server will use the incoming
- client as the password server. If you use this then you better
- trust your clients, and you had better restrict them with hosts allow!</para>
+ <para>The name of the password server takes the standard
+ substitutions, but probably the only useful one is <parameter moreinfo="none">%m
+ </parameter>, which means the Samba server will use the incoming
+ client as the password server. If you use this then you better
+ trust your clients, and you had better restrict them with hosts allow!</para>
- <para>If the <parameter moreinfo="none">security</parameter> parameter is set to
- <constant>domain</constant>, then the list of machines in this
- option must be a list of Primary or Backup Domain controllers for the
- Domain or the character '*', as the Samba server is effectively
- in that domain, and will use cryptographically authenticated RPC calls
- to authenticate the user logging on. The advantage of using <command moreinfo="none">
- security = domain</command> is that if you list several hosts in the
- <parameter moreinfo="none">password server</parameter> option then <command moreinfo="none">smbd
- </command> will try each in turn till it finds one that responds. This
- is useful in case your primary server goes down.</para>
+ <para>If the <parameter moreinfo="none">security</parameter> parameter is set to
+ <constant>domain</constant>, then the list of machines in this
+ option must be a list of Primary or Backup Domain controllers for the
+ Domain or the character '*', as the Samba server is effectively
+ in that domain, and will use cryptographically authenticated RPC calls
+ to authenticate the user logging on. The advantage of using <command moreinfo="none">
+ security = domain</command> is that if you list several hosts in the
+ <parameter moreinfo="none">password server</parameter> option then <command moreinfo="none">smbd
+ </command> will try each in turn till it finds one that responds. This
+ is useful in case your primary server goes down.</para>
- <para>If the <parameter moreinfo="none">password server</parameter> option is set
- to the character '*', then Samba will attempt to auto-locate the
- Primary or Backup Domain controllers to authenticate against by
- doing a query for the name <constant>WORKGROUP&lt;1C&gt;</constant>
- and then contacting each server returned in the list of IP
- addresses from the name resolution source. </para>
+ <para>If the <parameter moreinfo="none">password server</parameter> option is set
+ to the character '*', then Samba will attempt to auto-locate the
+ Primary or Backup Domain controllers to authenticate against by
+ doing a query for the name <constant>WORKGROUP&lt;1C&gt;</constant>
+ and then contacting each server returned in the list of IP
+ addresses from the name resolution source. </para>
- <para>If the list of servers contains both names and the '*'
- character, the list is treated as a list of preferred
- domain controllers, but an auto lookup of all remaining DC's
- will be added to the list as well. Samba will not attempt to optimize
- this list by locating the closest DC.</para>
+ <para>If the list of servers contains both names and the '*'
+ character, the list is treated as a list of preferred
+ domain controllers, but an auto lookup of all remaining DC's
+ will be added to the list as well. Samba will not attempt to optimize
+ this list by locating the closest DC.</para>
- <para>If the <parameter moreinfo="none">security</parameter> parameter is
- set to <constant>server</constant>, then there are different
- restrictions that <command moreinfo="none">security = domain</command> doesn't
- suffer from:</para>
+ <para>If the <parameter moreinfo="none">security</parameter> parameter is
+ set to <constant>server</constant>, then there are different
+ restrictions that <command moreinfo="none">security = domain</command> doesn't
+ suffer from:</para>
- <itemizedlist>
- <listitem><para>You may list several password servers in
- the <parameter moreinfo="none">password server</parameter> parameter, however if an
- <command moreinfo="none">smbd</command> makes a connection to a password server,
- and then the password server fails, no more users will be able
- to be authenticated from this <command moreinfo="none">smbd</command>. This is a
- restriction of the SMB/CIFS protocol when in <command moreinfo="none">security = server
- </command> mode and cannot be fixed in Samba.</para></listitem>
+ <itemizedlist>
+ <listitem>
+ <para>You may list several password servers in
+ the <parameter moreinfo="none">password server</parameter> parameter, however if an
+ <command moreinfo="none">smbd</command> makes a connection to a password server,
+ and then the password server fails, no more users will be able
+ to be authenticated from this <command moreinfo="none">smbd</command>. This is a
+ restriction of the SMB/CIFS protocol when in <command moreinfo="none">security = server
+ </command> mode and cannot be fixed in Samba.</para>
+ </listitem>
+
+ <listitem>
+ <para>If you are using a Windows NT server as your
+ password server then you will have to ensure that your users
+ are able to login from the Samba server, as when in <command moreinfo="none">
+ security = server</command> mode the network logon will appear to
+ come from there rather than from the users workstation.</para>
+ </listitem>
+ </itemizedlist>
- <listitem><para>If you are using a Windows NT server as your
- password server then you will have to ensure that your users
- are able to login from the Samba server, as when in <command moreinfo="none">
- security = server</command> mode the network logon will appear to
- come from there rather than from the users workstation.</para></listitem>
- </itemizedlist>
+ <para>See also the <link linkend="SECURITY"><parameter moreinfo="none">security
+ </parameter></link> parameter.</para>
- <para>See also the <link linkend="SECURITY"><parameter moreinfo="none">security
- </parameter></link> parameter.</para>
-
- <para>Default: <command moreinfo="none">password server = &lt;empty string&gt;</command>
- </para>
- <para>Example: <command moreinfo="none">password server = NT-PDC, NT-BDC1, NT-BDC2, *
- </command></para>
- <para>Example: <command moreinfo="none">password server = *</command></para>
- </listitem>
- </samba:parameter>
+ <para>Default: <command moreinfo="none">password server = &lt;empty string&gt;</command></para>
+
+ <para>Example: <command moreinfo="none">password server = NT-PDC, NT-BDC1, NT-BDC2, *</command></para>
+
+ <para>Example: <command moreinfo="none">password server = *</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/printeradmin.xml b/docs/docbook/smbdotconf/security/printeradmin.xml
index 7037facca0..c0640ea188 100644
--- a/docs/docbook/smbdotconf/security/printeradmin.xml
+++ b/docs/docbook/smbdotconf/security/printeradmin.xml
@@ -1,12 +1,15 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="PRINTERADMIN"/>printer admin (S)</term>
- <listitem><para>This is a list of users that can do anything to
- printers via the remote administration interfaces offered by MS-RPC
- (usually using a NT workstation). Note that the root user always
- has admin rights.</para>
+<samba:parameter name="printer admin"
+ context="S"
+ print="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This is a list of users that can do anything to
+ printers via the remote administration interfaces offered by MS-RPC
+ (usually using a NT workstation). Note that the root user always
+ has admin rights.</para>
- <para>Default: <command moreinfo="none">printer admin = &lt;empty string&gt;</command>
- </para>
- <para>Example: <command moreinfo="none">printer admin = admin, @staff</command></para>
- </listitem>
- </samba:parameter>
+ <para>Default: <command moreinfo="none">printer admin = &lt;empty string&gt;</command></para>
+
+ <para>Example: <command moreinfo="none">printer admin = admin, @staff</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/privatedir.xml b/docs/docbook/smbdotconf/security/privatedir.xml
index ca22089122..1fc7eb0b36 100644
--- a/docs/docbook/smbdotconf/security/privatedir.xml
+++ b/docs/docbook/smbdotconf/security/privatedir.xml
@@ -1,10 +1,13 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="PRIVATEDIR"/>private dir (G)</term>
- <listitem><para>This parameters defines the directory
- smbd will use for storing such files as <filename moreinfo="none">smbpasswd</filename>
- and <filename moreinfo="none">secrets.tdb</filename>.
- </para>
+<samba:parameter name="private dir"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This parameters defines the directory
+ smbd will use for storing such files as <filename moreinfo="none">smbpasswd</filename>
+ and <filename moreinfo="none">secrets.tdb</filename>.
+ </para>
- <para>Default :<command moreinfo="none">private dir = ${prefix}/private</command></para>
- </listitem>
- </samba:parameter>
+ <para>Default :<command moreinfo="none">private dir = ${prefix}/private</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/public.xml b/docs/docbook/smbdotconf/security/public.xml
index a1f6a1ee29..a9e942811e 100644
--- a/docs/docbook/smbdotconf/security/public.xml
+++ b/docs/docbook/smbdotconf/security/public.xml
@@ -1,6 +1,9 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="PUBLIC"/>public (S)</term>
- <listitem><para>Synonym for <link linkend="GUESTOK"><parameter moreinfo="none">guest
- ok</parameter></link>.</para>
- </listitem>
- </samba:parameter>
+<samba:parameter name="public"
+ context="S"
+ hide="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>Synonym for <link linkend="GUESTOK"><parameter moreinfo="none">guest
+ ok</parameter></link>.</para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/readlist.xml b/docs/docbook/smbdotconf/security/readlist.xml
index 15d135d54e..41a97e5ffc 100644
--- a/docs/docbook/smbdotconf/security/readlist.xml
+++ b/docs/docbook/smbdotconf/security/readlist.xml
@@ -1,17 +1,22 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="READLIST"/>read list (S)</term>
- <listitem><para>This is a list of users that are given read-only
- access to a service. If the connecting user is in this list then
- they will not be given write access, no matter what the <link linkend="READONLY"><parameter moreinfo="none">read only</parameter></link>
- option is set to. The list can include group names using the
- syntax described in the <link linkend="INVALIDUSERS"><parameter moreinfo="none">
- invalid users</parameter></link> parameter.</para>
+<samba:parameter name="read list"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This is a list of users that are given read-only
+ access to a service. If the connecting user is in this list then
+ they will not be given write access, no matter what the <link linkend="READONLY">
+ <parameter moreinfo="none">read only</parameter></link>
+ option is set to. The list can include group names using the
+ syntax described in the <link linkend="INVALIDUSERS"><parameter moreinfo="none">
+ invalid users</parameter></link> parameter.</para>
- <para>See also the <link linkend="WRITELIST"><parameter moreinfo="none">
- write list</parameter></link> parameter and the <link linkend="INVALIDUSERS"><parameter moreinfo="none">invalid users</parameter>
- </link> parameter.</para>
+ <para>See also the <link linkend="WRITELIST"><parameter moreinfo="none">
+ write list</parameter></link> parameter and the <link linkend="INVALIDUSERS">
+ <parameter moreinfo="none">invalid users</parameter>
+ </link> parameter.</para>
- <para>Default: <command moreinfo="none">read list = &lt;empty string&gt;</command></para>
- <para>Example: <command moreinfo="none">read list = mary, @students</command></para>
- </listitem>
- </samba:parameter>
+ <para>Default: <command moreinfo="none">read list = &lt;empty string&gt;</command></para>
+
+ <para>Example: <command moreinfo="none">read list = mary, @students</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/readonly.xml b/docs/docbook/smbdotconf/security/readonly.xml
index 02721935de..e71301c3e5 100644
--- a/docs/docbook/smbdotconf/security/readonly.xml
+++ b/docs/docbook/smbdotconf/security/readonly.xml
@@ -1,16 +1,19 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="READONLY"/>read only (S)</term>
- <listitem><para>An inverted synonym is <link linkend="WRITEABLE">
- <parameter moreinfo="none">writeable</parameter></link>.</para>
+<samba:parameter name="read only"
+ context="S"
+ basic="1" advanced="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>An inverted synonym is <link linkend="WRITEABLE">
+ <parameter moreinfo="none">writeable</parameter></link>.</para>
- <para>If this parameter is <constant>yes</constant>, then users
- of a service may not create or modify files in the service's
- directory.</para>
+ <para>If this parameter is <constant>yes</constant>, then users
+ of a service may not create or modify files in the service's
+ directory.</para>
- <para>Note that a printable service (<command moreinfo="none">printable = yes</command>)
- will <emphasis>ALWAYS</emphasis> allow writing to the directory
- (user privileges permitting), but only via spooling operations.</para>
+ <para>Note that a printable service (<command moreinfo="none">printable = yes</command>)
+ will <emphasis>ALWAYS</emphasis> allow writing to the directory
+ (user privileges permitting), but only via spooling operations.</para>
- <para>Default: <command moreinfo="none">read only = yes</command></para>
- </listitem>
- </samba:parameter>
+ <para>Default: <command moreinfo="none">read only = yes</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/restrictanonymous.xml b/docs/docbook/smbdotconf/security/restrictanonymous.xml
index 4b09b7d2bc..7f78f94a99 100644
--- a/docs/docbook/smbdotconf/security/restrictanonymous.xml
+++ b/docs/docbook/smbdotconf/security/restrictanonymous.xml
@@ -1,10 +1,12 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="RESTRICTANONYMOUS"/>restrict anonymous (G)</term>
- <listitem><para>This is a integer parameter, and
- mirrors as much as possible the functinality the
- <constant>RestrictAnonymous</constant>
- registry key does on NT/Win2k. </para>
+<samba:parameter name="restrict anonymous"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This is a integer parameter, and mirrors as much as possible the functinality the
+ <constant>RestrictAnonymous</constant> registry key does on NT/Win2k.
+ </para>
- <para>Default: <command moreinfo="none">restrict anonymous = 0</command></para>
- </listitem>
- </samba:parameter>
+ <para>Default: <command moreinfo="none">restrict anonymous = 0</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/root.xml b/docs/docbook/smbdotconf/security/root.xml
index f69c1a1ae1..1199d54099 100644
--- a/docs/docbook/smbdotconf/security/root.xml
+++ b/docs/docbook/smbdotconf/security/root.xml
@@ -1,6 +1,10 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="ROOT"/>root (G)</term>
- <listitem><para>Synonym for <link linkend="ROOTDIRECTORY">
- <parameter moreinfo="none">root directory&quot;</parameter></link>.</para>
- </listitem>
- </samba:parameter>
+<samba:parameter name="root"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>Synonym for <link linkend="ROOTDIRECTORY">
+ <parameter moreinfo="none">root directory&quot;</parameter></link>.
+ </para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/rootdir.xml b/docs/docbook/smbdotconf/security/rootdir.xml
index 1f543aed6a..e4e5f0e509 100644
--- a/docs/docbook/smbdotconf/security/rootdir.xml
+++ b/docs/docbook/smbdotconf/security/rootdir.xml
@@ -1,6 +1,10 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="ROOTDIR"/>root dir (G)</term>
- <listitem><para>Synonym for <link linkend="ROOTDIRECTORY">
- <parameter moreinfo="none">root directory&quot;</parameter></link>.</para>
- </listitem>
- </samba:parameter>
+<samba:parameter name="root dir"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>Synonym for <link linkend="ROOTDIRECTORY">
+ <parameter moreinfo="none">root directory&quot;</parameter></link>.
+ </para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/rootdirectory.xml b/docs/docbook/smbdotconf/security/rootdirectory.xml
index 9efc11e3c6..9c3e9cfad2 100644
--- a/docs/docbook/smbdotconf/security/rootdirectory.xml
+++ b/docs/docbook/smbdotconf/security/rootdirectory.xml
@@ -1,28 +1,34 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="ROOTDIRECTORY"/>root directory (G)</term>
- <listitem><para>The server will <command moreinfo="none">chroot()</command> (i.e.
- Change its root directory) to this directory on startup. This is
- not strictly necessary for secure operation. Even without it the
- server will deny access to files not in one of the service entries.
- It may also check for, and deny access to, soft links to other
- parts of the filesystem, or attempts to use &quot;..&quot; in file names
- to access other directories (depending on the setting of the <link linkend="WIDELINKS"><parameter moreinfo="none">wide links</parameter></link>
- parameter).</para>
+<samba:parameter name="root directory"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>The server will <command moreinfo="none">chroot()</command> (i.e.
+ Change its root directory) to this directory on startup. This is
+ not strictly necessary for secure operation. Even without it the
+ server will deny access to files not in one of the service entries.
+ It may also check for, and deny access to, soft links to other
+ parts of the filesystem, or attempts to use &quot;..&quot; in file names
+ to access other directories (depending on the setting of the <link linkend="WIDELINKS">
+ <parameter moreinfo="none">wide links</parameter></link>
+ parameter).
+ </para>
- <para>Adding a <parameter moreinfo="none">root directory</parameter> entry other
- than &quot;/&quot; adds an extra level of security, but at a price. It
- absolutely ensures that no access is given to files not in the
- sub-tree specified in the <parameter moreinfo="none">root directory</parameter>
- option, <emphasis>including</emphasis> some files needed for
- complete operation of the server. To maintain full operability
- of the server you will need to mirror some system files
- into the <parameter moreinfo="none">root directory</parameter> tree. In particular
- you will need to mirror <filename moreinfo="none">/etc/passwd</filename> (or a
- subset of it), and any binaries or configuration files needed for
- printing (if required). The set of files that must be mirrored is
- operating system dependent.</para>
+ <para>Adding a <parameter moreinfo="none">root directory</parameter> entry other
+ than &quot;/&quot; adds an extra level of security, but at a price. It
+ absolutely ensures that no access is given to files not in the
+ sub-tree specified in the <parameter moreinfo="none">root directory</parameter>
+ option, <emphasis>including</emphasis> some files needed for
+ complete operation of the server. To maintain full operability
+ of the server you will need to mirror some system files
+ into the <parameter moreinfo="none">root directory</parameter> tree. In particular
+ you will need to mirror <filename moreinfo="none">/etc/passwd</filename> (or a
+ subset of it), and any binaries or configuration files needed for
+ printing (if required). The set of files that must be mirrored is
+ operating system dependent.</para>
- <para>Default: <command moreinfo="none">root directory = /</command></para>
- <para>Example: <command moreinfo="none">root directory = /homes/smb</command></para>
- </listitem>
- </samba:parameter>
+ <para>Default: <command moreinfo="none">root directory = /</command></para>
+
+ <para>Example: <command moreinfo="none">root directory = /homes/smb</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/security.xml b/docs/docbook/smbdotconf/security/security.xml
index 8e97d8721f..68c5f2cdd2 100644
--- a/docs/docbook/smbdotconf/security/security.xml
+++ b/docs/docbook/smbdotconf/security/security.xml
@@ -1,237 +1,254 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="SECURITY"/>security (G)</term>
- <listitem><para>This option affects how clients respond to
- Samba and is one of the most important settings in the <filename moreinfo="none">
- smb.conf</filename> file.</para>
-
- <para>The option sets the &quot;security mode bit&quot; in replies to
- protocol negotiations with <citerefentry><refentrytitle>smbd</refentrytitle>
- <manvolnum>8</manvolnum></citerefentry> to turn share level security on or off. Clients decide
- based on this bit whether (and how) to transfer user and password
- information to the server.</para>
-
-
- <para>The default is <command moreinfo="none">security = user</command>, as this is
- the most common setting needed when talking to Windows 98 and
- Windows NT.</para>
-
- <para>The alternatives are <command moreinfo="none">security = share</command>,
- <command moreinfo="none">security = server</command> or <command moreinfo="none">security = domain
- </command>.</para>
-
- <para>In versions of Samba prior to 2.0.0, the default was
- <command moreinfo="none">security = share</command> mainly because that was
- the only option at one stage.</para>
-
- <para>There is a bug in WfWg that has relevance to this
- setting. When in user or server level security a WfWg client
- will totally ignore the password you type in the &quot;connect
- drive&quot; dialog box. This makes it very difficult (if not impossible)
- to connect to a Samba service as anyone except the user that
- you are logged into WfWg as.</para>
-
- <para>If your PCs use usernames that are the same as their
- usernames on the UNIX machine then you will want to use
- <command moreinfo="none">security = user</command>. If you mostly use usernames
- that don't exist on the UNIX box then use <command moreinfo="none">security =
- share</command>.</para>
-
- <para>You should also use <command moreinfo="none">security = share</command> if you
- want to mainly setup shares without a password (guest shares). This
- is commonly used for a shared printer server. It is more difficult
- to setup guest shares with <command moreinfo="none">security = user</command>, see
- the <link linkend="MAPTOGUEST"><parameter moreinfo="none">map to guest</parameter>
- </link>parameter for details.</para>
+<samba:parameter name="security"
+ context="G"
+ basic="1" advanced="1" wizard="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This option affects how clients respond to
+ Samba and is one of the most important settings in the <filename moreinfo="none">
+ smb.conf</filename> file.</para>
+
+ <para>The option sets the &quot;security mode bit&quot; in replies to
+ protocol negotiations with <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> to turn share level security on or off. Clients decide
+ based on this bit whether (and how) to transfer user and password
+ information to the server.</para>
+
+
+ <para>The default is <command moreinfo="none">security = user</command>, as this is
+ the most common setting needed when talking to Windows 98 and
+ Windows NT.</para>
+
+ <para>The alternatives are <command moreinfo="none">security = share</command>,
+ <command moreinfo="none">security = server</command> or <command moreinfo="none">security = domain
+ </command>.</para>
+
+ <para>In versions of Samba prior to 2.0.0, the default was
+ <command moreinfo="none">security = share</command> mainly because that was
+ the only option at one stage.</para>
+
+ <para>There is a bug in WfWg that has relevance to this
+ setting. When in user or server level security a WfWg client
+ will totally ignore the password you type in the &quot;connect
+ drive&quot; dialog box. This makes it very difficult (if not impossible)
+ to connect to a Samba service as anyone except the user that
+ you are logged into WfWg as.</para>
+
+ <para>If your PCs use usernames that are the same as their
+ usernames on the UNIX machine then you will want to use
+ <command moreinfo="none">security = user</command>. If you mostly use usernames
+ that don't exist on the UNIX box then use <command moreinfo="none">security =
+ share</command>.</para>
+
+ <para>You should also use <command moreinfo="none">security = share</command> if you
+ want to mainly setup shares without a password (guest shares). This
+ is commonly used for a shared printer server. It is more difficult
+ to setup guest shares with <command moreinfo="none">security = user</command>, see
+ the <link linkend="MAPTOGUEST"><parameter moreinfo="none">map to guest</parameter>
+ </link>parameter for details.</para>
- <para>It is possible to use <command moreinfo="none">smbd</command> in a <emphasis>
- hybrid mode</emphasis> where it is offers both user and share
- level security under different <link linkend="NETBIOSALIASES">
- <parameter moreinfo="none">NetBIOS aliases</parameter></link>. </para>
+ <para>It is possible to use <command moreinfo="none">smbd</command> in a <emphasis>
+ hybrid mode</emphasis> where it is offers both user and share
+ level security under different <link linkend="NETBIOSALIASES">
+ <parameter moreinfo="none">NetBIOS aliases</parameter></link>. </para>
- <para>The different settings will now be explained.</para>
+ <para>The different settings will now be explained.</para>
- <para><anchor id="SECURITYEQUALSSHARE"/><emphasis>SECURITY = SHARE
- </emphasis></para>
+ <para><anchor id="SECURITYEQUALSSHARE"/><emphasis>SECURITY = SHARE</emphasis></para>
- <para>When clients connect to a share level security server they
- need not log onto the server with a valid username and password before
- attempting to connect to a shared resource (although modern clients
- such as Windows 95/98 and Windows NT will send a logon request with
- a username but no password when talking to a <command moreinfo="none">security = share
- </command> server). Instead, the clients send authentication information
- (passwords) on a per-share basis, at the time they attempt to connect
- to that share.</para>
-
- <para>Note that <command moreinfo="none">smbd</command> <emphasis>ALWAYS</emphasis>
- uses a valid UNIX user to act on behalf of the client, even in
- <command moreinfo="none">security = share</command> level security.</para>
-
- <para>As clients are not required to send a username to the server
- in share level security, <command moreinfo="none">smbd</command> uses several
- techniques to determine the correct UNIX user to use on behalf
- of the client.</para>
-
- <para>A list of possible UNIX usernames to match with the given
- client password is constructed using the following methods :</para>
-
- <itemizedlist>
- <listitem><para>If the <link linkend="GUESTONLY"><parameter moreinfo="none">guest
- only</parameter></link> parameter is set, then all the other
- stages are missed and only the <link linkend="GUESTACCOUNT">
- <parameter moreinfo="none">guest account</parameter></link> username is checked.
- </para></listitem>
-
- <listitem><para>Is a username is sent with the share connection
- request, then this username (after mapping - see <link linkend="USERNAMEMAP"><parameter moreinfo="none">username map</parameter></link>),
- is added as a potential username.</para></listitem>
-
- <listitem><para>If the client did a previous <emphasis>logon
- </emphasis> request (the SessionSetup SMB call) then the
- username sent in this SMB will be added as a potential username.
- </para></listitem>
-
- <listitem><para>The name of the service the client requested is
- added as a potential username.</para></listitem>
-
- <listitem><para>The NetBIOS name of the client is added to
- the list as a potential username.</para></listitem>
-
- <listitem><para>Any users on the <link linkend="USER"><parameter moreinfo="none">
- user</parameter></link> list are added as potential usernames.
- </para></listitem>
- </itemizedlist>
-
- <para>If the <parameter moreinfo="none">guest only</parameter> parameter is
- not set, then this list is then tried with the supplied password.
- The first user for whom the password matches will be used as the
- UNIX user.</para>
-
- <para>If the <parameter moreinfo="none">guest only</parameter> parameter is
- set, or no username can be determined then if the share is marked
- as available to the <parameter moreinfo="none">guest account</parameter>, then this
- guest user will be used, otherwise access is denied.</para>
-
- <para>Note that it can be <emphasis>very</emphasis> confusing
- in share-level security as to which UNIX username will eventually
- be used in granting access.</para>
-
- <para>See also the section <link linkend="VALIDATIONSECT">
- NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
-
- <para><anchor id="SECURITYEQUALSUSER"/><emphasis>SECURITY = USER
- </emphasis></para>
-
- <para>This is the default security setting in Samba 3.0.
- With user-level security a client must first &quot;log-on&quot; with a
- valid username and password (which can be mapped using the <link linkend="USERNAMEMAP"><parameter moreinfo="none">username map</parameter></link>
- parameter). Encrypted passwords (see the <link linkend="ENCRYPTPASSWORDS">
- <parameter moreinfo="none">encrypted passwords</parameter></link> parameter) can also
- be used in this security mode. Parameters such as <link linkend="USER">
- <parameter moreinfo="none">user</parameter></link> and <link linkend="GUESTONLY">
- <parameter moreinfo="none">guest only</parameter></link> if set are then applied and
- may change the UNIX user to use on this connection, but only after
- the user has been successfully authenticated.</para>
-
- <para><emphasis>Note</emphasis> that the name of the resource being
- requested is <emphasis>not</emphasis> sent to the server until after
- the server has successfully authenticated the client. This is why
- guest shares don't work in user level security without allowing
- the server to automatically map unknown users into the <link linkend="GUESTACCOUNT"><parameter moreinfo="none">guest account</parameter></link>.
- See the <link linkend="MAPTOGUEST"><parameter moreinfo="none">map to guest</parameter>
- </link> parameter for details on doing this.</para>
-
- <para>See also the section <link linkend="VALIDATIONSECT">
- NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
-
- <para><anchor id="SECURITYEQUALSDOMAIN"/><emphasis>SECURITY = DOMAIN
-
- </emphasis></para>
-
- <para>This mode will only work correctly if <citerefentry><refentrytitle>net</refentrytitle>
- <manvolnum>8</manvolnum></citerefentry> has been used to add this
- machine into a Windows NT Domain. It expects the <link linkend="ENCRYPTPASSWORDS"><parameter moreinfo="none">encrypted passwords</parameter>
- </link> parameter to be set to <constant>yes</constant>. In this
- mode Samba will try to validate the username/password by passing
- it to a Windows NT Primary or Backup Domain Controller, in exactly
- the same way that a Windows NT Server would do.</para>
-
- <para><emphasis>Note</emphasis> that a valid UNIX user must still
- exist as well as the account on the Domain Controller to allow
- Samba to have a valid UNIX account to map file access to.</para>
-
- <para><emphasis>Note</emphasis> that from the client's point
- of view <command moreinfo="none">security = domain</command> is the same as <command moreinfo="none">security = user
- </command>. It only affects how the server deals with the authentication,
- it does not in any way affect what the client sees.</para>
-
- <para><emphasis>Note</emphasis> that the name of the resource being
- requested is <emphasis>not</emphasis> sent to the server until after
- the server has successfully authenticated the client. This is why
- guest shares don't work in user level security without allowing
- the server to automatically map unknown users into the <link linkend="GUESTACCOUNT"><parameter moreinfo="none">guest account</parameter></link>.
- See the <link linkend="MAPTOGUEST"><parameter moreinfo="none">map to guest</parameter>
- </link> parameter for details on doing this.</para>
-
- <para>See also the section <link linkend="VALIDATIONSECT">
- NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
-
- <para>See also the <link linkend="PASSWORDSERVER"><parameter moreinfo="none">password
- server</parameter></link> parameter and the <link linkend="ENCRYPTPASSWORDS"><parameter moreinfo="none">encrypted passwords</parameter>
- </link> parameter.</para>
-
- <para><anchor id="SECURITYEQUALSSERVER"/><emphasis>SECURITY = SERVER
- </emphasis></para>
-
- <para>In this mode Samba will try to validate the username/password
- by passing it to another SMB server, such as an NT box. If this
- fails it will revert to <command moreinfo="none">security =
- user</command>. It expects the <link linkend="ENCRYPTPASSWORDS"><parameter moreinfo="none">encrypted passwords</parameter>
- </link> parameter to be set to
- <constant>yes</constant>, unless the remote server
- does not support them. However note
- that if encrypted passwords have been negotiated then Samba cannot
- revert back to checking the UNIX password file, it must have a valid
- <filename moreinfo="none">smbpasswd</filename> file to check users against. See the
- documentation file in the <filename moreinfo="none">docs/</filename> directory
- <filename moreinfo="none">ENCRYPTION.txt</filename> for details on how to set this
- up.</para>
-
- <para><emphasis>Note</emphasis> this mode of operation
- has significant pitfalls, due to the fact that is
- activly initiates a man-in-the-middle attack on the
- remote SMB server. In particular, this mode of
- operation can cause significant resource consuption on
- the PDC, as it must maintain an active connection for
- the duration of the user's session. Furthermore, if
- this connection is lost, there is no way to
- reestablish it, and futher authenticaions to the Samba
- server may fail. (From a single client, till it
- disconnects). </para>
-
- <para><emphasis>Note</emphasis> that from the client's point of
- view <command moreinfo="none">security = server</command> is the same as <command moreinfo="none">
- security = user</command>. It only affects how the server deals
- with the authentication, it does not in any way affect what the
- client sees.</para>
-
- <para><emphasis>Note</emphasis> that the name of the resource being
- requested is <emphasis>not</emphasis> sent to the server until after
- the server has successfully authenticated the client. This is why
- guest shares don't work in user level security without allowing
- the server to automatically map unknown users into the <link linkend="GUESTACCOUNT"><parameter moreinfo="none">guest account</parameter></link>.
- See the <link linkend="MAPTOGUEST"><parameter moreinfo="none">map to guest</parameter>
- </link> parameter for details on doing this.</para>
-
- <para>See also the section <link linkend="VALIDATIONSECT">
- NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
-
- <para>See also the <link linkend="PASSWORDSERVER"><parameter moreinfo="none">password
- server</parameter></link> parameter and the <link linkend="ENCRYPTPASSWORDS"><parameter moreinfo="none">encrypted passwords</parameter>
- </link> parameter.</para>
+ <para>When clients connect to a share level security server they
+ need not log onto the server with a valid username and password before
+ attempting to connect to a shared resource (although modern clients
+ such as Windows 95/98 and Windows NT will send a logon request with
+ a username but no password when talking to a <command moreinfo="none">security = share
+ </command> server). Instead, the clients send authentication information
+ (passwords) on a per-share basis, at the time they attempt to connect
+ to that share.</para>
+
+ <para>Note that <command moreinfo="none">smbd</command> <emphasis>ALWAYS</emphasis>
+ uses a valid UNIX user to act on behalf of the client, even in
+ <command moreinfo="none">security = share</command> level security.</para>
+
+ <para>As clients are not required to send a username to the server
+ in share level security, <command moreinfo="none">smbd</command> uses several
+ techniques to determine the correct UNIX user to use on behalf
+ of the client.</para>
+
+ <para>A list of possible UNIX usernames to match with the given
+ client password is constructed using the following methods :</para>
+
+ <itemizedlist>
+ <listitem>
+ <para>If the <link linkend="GUESTONLY"><parameter moreinfo="none">guest
+ only</parameter></link> parameter is set, then all the other
+ stages are missed and only the <link linkend="GUESTACCOUNT">
+ <parameter moreinfo="none">guest account</parameter></link> username is checked.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>Is a username is sent with the share connection
+ request, then this username (after mapping - see <link linkend="USERNAMEMAP">
+ <parameter moreinfo="none">username map</parameter></link>),
+ is added as a potential username.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>If the client did a previous <emphasis>logon
+ </emphasis> request (the SessionSetup SMB call) then the
+ username sent in this SMB will be added as a potential username.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>The name of the service the client requested is
+ added as a potential username.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>The NetBIOS name of the client is added to
+ the list as a potential username.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>Any users on the <link linkend="USER"><parameter moreinfo="none">
+ user</parameter></link> list are added as potential usernames.
+ </para>
+ </listitem>
+ </itemizedlist>
+
+ <para>If the <parameter moreinfo="none">guest only</parameter> parameter is
+ not set, then this list is then tried with the supplied password.
+ The first user for whom the password matches will be used as the
+ UNIX user.</para>
+
+ <para>If the <parameter moreinfo="none">guest only</parameter> parameter is
+ set, or no username can be determined then if the share is marked
+ as available to the <parameter moreinfo="none">guest account</parameter>, then this
+ guest user will be used, otherwise access is denied.</para>
+
+ <para>Note that it can be <emphasis>very</emphasis> confusing
+ in share-level security as to which UNIX username will eventually
+ be used in granting access.</para>
+
+ <para>See also the section <link linkend="VALIDATIONSECT">
+ NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
+
+ <para><anchor id="SECURITYEQUALSUSER"/><emphasis>SECURITY = USER</emphasis></para>
+
+ <para>This is the default security setting in Samba 3.0.
+ With user-level security a client must first &quot;log-on&quot; with a
+ valid username and password (which can be mapped using the <link linkend="USERNAMEMAP">
+ <parameter moreinfo="none">username map</parameter></link>
+ parameter). Encrypted passwords (see the <link linkend="ENCRYPTPASSWORDS">
+ <parameter moreinfo="none">encrypted passwords</parameter></link> parameter) can also
+ be used in this security mode. Parameters such as <link linkend="USER">
+ <parameter moreinfo="none">user</parameter></link> and <link linkend="GUESTONLY">
+ <parameter moreinfo="none">guest only</parameter></link> if set are then applied and
+ may change the UNIX user to use on this connection, but only after
+ the user has been successfully authenticated.</para>
+
+ <para><emphasis>Note</emphasis> that the name of the resource being
+ requested is <emphasis>not</emphasis> sent to the server until after
+ the server has successfully authenticated the client. This is why
+ guest shares don't work in user level security without allowing
+ the server to automatically map unknown users into the <link linkend="GUESTACCOUNT">
+ <parameter moreinfo="none">guest account</parameter></link>.
+ See the <link linkend="MAPTOGUEST"><parameter moreinfo="none">map to guest</parameter>
+ </link> parameter for details on doing this.</para>
+
+ <para>See also the section <link linkend="VALIDATIONSECT">
+ NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
+
+ <para><anchor id="SECURITYEQUALSDOMAIN"/><emphasis>SECURITY = DOMAIN</emphasis></para>
+
+ <para>This mode will only work correctly if <citerefentry><refentrytitle>net</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> has been used to add this
+ machine into a Windows NT Domain. It expects the <link linkend="ENCRYPTPASSWORDS">
+ <parameter moreinfo="none">encrypted passwords</parameter>
+ </link> parameter to be set to <constant>yes</constant>. In this
+ mode Samba will try to validate the username/password by passing
+ it to a Windows NT Primary or Backup Domain Controller, in exactly
+ the same way that a Windows NT Server would do.</para>
+
+ <para><emphasis>Note</emphasis> that a valid UNIX user must still
+ exist as well as the account on the Domain Controller to allow
+ Samba to have a valid UNIX account to map file access to.</para>
+
+ <para><emphasis>Note</emphasis> that from the client's point
+ of view <command moreinfo="none">security = domain</command> is the same
+ as <command moreinfo="none">security = user</command>. It only
+ affects how the server deals with the authentication,
+ it does not in any way affect what the client sees.</para>
+
+ <para><emphasis>Note</emphasis> that the name of the resource being
+ requested is <emphasis>not</emphasis> sent to the server until after
+ the server has successfully authenticated the client. This is why
+ guest shares don't work in user level security without allowing
+ the server to automatically map unknown users into the <link linkend="GUESTACCOUNT">
+ <parameter moreinfo="none">guest account</parameter></link>.
+ See the <link linkend="MAPTOGUEST"><parameter moreinfo="none">map to guest</parameter>
+ </link> parameter for details on doing this.</para>
+
+ <para>See also the section <link linkend="VALIDATIONSECT">
+ NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
+
+ <para>See also the <link linkend="PASSWORDSERVER"><parameter moreinfo="none">password
+ server</parameter></link> parameter and the <link linkend="ENCRYPTPASSWORDS">
+ <parameter moreinfo="none">encrypted passwords</parameter>
+ </link> parameter.</para>
+
+ <para><anchor id="SECURITYEQUALSSERVER"/><emphasis>SECURITY = SERVER</emphasis></para>
+
+ <para>In this mode Samba will try to validate the username/password
+ by passing it to another SMB server, such as an NT box. If this
+ fails it will revert to <command moreinfo="none">security =
+ user</command>. It expects the <link linkend="ENCRYPTPASSWORDS">
+ <parameter moreinfo="none">encrypted passwords</parameter></link> parameter
+ to be set to <constant>yes</constant>, unless the remote server
+ does not support them. However note that if encrypted passwords have been
+ negotiated then Samba cannot revert back to checking the UNIX password file,
+ it must have a valid <filename moreinfo="none">smbpasswd</filename> file to check
+ users against. See the documentation file in the <filename moreinfo="none">docs/</filename> directory
+ <filename moreinfo="none">ENCRYPTION.txt</filename> for details on how to set this up.</para>
+
+ <para><emphasis>Note</emphasis> this mode of operation has
+ significant pitfalls, due to the fact that is activly initiates a
+ man-in-the-middle attack on the remote SMB server. In particular,
+ this mode of operation can cause significant resource consuption on
+ the PDC, as it must maintain an active connection for the duration
+ of the user's session. Furthermore, if this connection is lost,
+ there is no way to reestablish it, and futher authenticaions to the
+ Samba server may fail. (From a single client, till it disconnects).
+ </para>
+
+ <para><emphasis>Note</emphasis> that from the client's point of
+ view <command moreinfo="none">security = server</command> is the
+ same as <command moreinfo="none">security = user</command>. It
+ only affects how the server deals with the authentication, it does
+ not in any way affect what the client sees.</para>
+
+ <para><emphasis>Note</emphasis> that the name of the resource being
+ requested is <emphasis>not</emphasis> sent to the server until after
+ the server has successfully authenticated the client. This is why
+ guest shares don't work in user level security without allowing
+ the server to automatically map unknown users into the <link linkend="GUESTACCOUNT">
+ <parameter moreinfo="none">guest account</parameter></link>.
+ See the <link linkend="MAPTOGUEST"><parameter moreinfo="none">map to guest</parameter>
+ </link> parameter for details on doing this.</para>
+
+ <para>See also the section <link linkend="VALIDATIONSECT">
+ NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
+
+ <para>See also the <link linkend="PASSWORDSERVER"><parameter moreinfo="none">password
+ server</parameter></link> parameter and the <link linkend="ENCRYPTPASSWORDS">
+ <parameter moreinfo="none">encrypted passwords</parameter></link> parameter.</para>
- <para>Default: <command moreinfo="none">security = USER</command></para>
- <para>Example: <command moreinfo="none">security = DOMAIN</command></para>
+ <para>Default: <command moreinfo="none">security = USER</command></para>
+ <para>Example: <command moreinfo="none">security = DOMAIN</command></para>
- </listitem>
- </samba:parameter>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/securitymask.xml b/docs/docbook/smbdotconf/security/securitymask.xml
index 9ed0adcbf4..ee3e8f916c 100644
--- a/docs/docbook/smbdotconf/security/securitymask.xml
+++ b/docs/docbook/smbdotconf/security/securitymask.xml
@@ -1,33 +1,36 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="SECURITYMASK"/>security mask (S)</term>
- <listitem><para>This parameter controls what UNIX permission
- bits can be modified when a Windows NT client is manipulating
- the UNIX permission on a file using the native NT security
- dialog box.</para>
+<samba:parameter name="security mask"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This parameter controls what UNIX permission
+ bits can be modified when a Windows NT client is manipulating
+ the UNIX permission on a file using the native NT security
+ dialog box.</para>
- <para>This parameter is applied as a mask (AND'ed with) to
- the changed permission bits, thus preventing any bits not in
- this mask from being modified. Essentially, zero bits in this
- mask may be treated as a set of bits the user is not allowed
- to change.</para>
+ <para>This parameter is applied as a mask (AND'ed with) to
+ the changed permission bits, thus preventing any bits not in
+ this mask from being modified. Essentially, zero bits in this
+ mask may be treated as a set of bits the user is not allowed
+ to change.</para>
- <para>If not set explicitly this parameter is 0777, allowing
- a user to modify all the user/group/world permissions on a file.
- </para>
+ <para>If not set explicitly this parameter is 0777, allowing
+ a user to modify all the user/group/world permissions on a file.
+ </para>
- <para><emphasis>Note</emphasis> that users who can access the
- Samba server through other means can easily bypass this
- restriction, so it is primarily useful for standalone
- &quot;appliance&quot; systems. Administrators of most normal systems will
- probably want to leave it set to <constant>0777</constant>.</para>
+ <para><emphasis>Note</emphasis> that users who can access the
+ Samba server through other means can easily bypass this
+ restriction, so it is primarily useful for standalone
+ &quot;appliance&quot; systems. Administrators of most normal systems will
+ probably want to leave it set to <constant>0777</constant>.</para>
- <para>See also the <link linkend="FORCEDIRECTORYSECURITYMODE">
- <parameter moreinfo="none">force directory security mode</parameter></link>,
- <link linkend="DIRECTORYSECURITYMASK"><parameter moreinfo="none">directory
- security mask</parameter></link>, <link linkend="FORCESECURITYMODE">
- <parameter moreinfo="none">force security mode</parameter></link> parameters.</para>
+ <para>See also the <link linkend="FORCEDIRECTORYSECURITYMODE">
+ <parameter moreinfo="none">force directory security mode</parameter></link>,
+ <link linkend="DIRECTORYSECURITYMASK"><parameter moreinfo="none">directory
+ security mask</parameter></link>, <link linkend="FORCESECURITYMODE">
+ <parameter moreinfo="none">force security mode</parameter></link> parameters.</para>
- <para>Default: <command moreinfo="none">security mask = 0777</command></para>
- <para>Example: <command moreinfo="none">security mask = 0770</command></para>
- </listitem>
- </samba:parameter>
+ <para>Default: <command moreinfo="none">security mask = 0777</command></para>
+
+ <para>Example: <command moreinfo="none">security mask = 0770</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/serverschannel.xml b/docs/docbook/smbdotconf/security/serverschannel.xml
index 05261fa417..afbc458068 100644
--- a/docs/docbook/smbdotconf/security/serverschannel.xml
+++ b/docs/docbook/smbdotconf/security/serverschannel.xml
@@ -1,24 +1,25 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="SERVERSCHANNEL"/>server schannel (G)</term>
- <listitem>
+<samba:parameter name="server schannel"
+ context="G"
+ basic="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
- <para>This controls whether the server offers or even
- demands the use of the netlogon schannel.
- <parameter>server schannel = no</parameter> does not
- offer the schannel, <parameter>server schannel =
- auto</parameter> offers the schannel but does not
- enforce it, and <parameter>server schannel =
- yes</parameter> denies access if the client is not
- able to speak netlogon schannel. This is only the case
- for Windows NT4 before SP4.</para>
+ <para>This controls whether the server offers or even
+ demands the use of the netlogon schannel.
+ <parameter>server schannel = no</parameter> does not
+ offer the schannel, <parameter>server schannel =
+ auto</parameter> offers the schannel but does not
+ enforce it, and <parameter>server schannel =
+ yes</parameter> denies access if the client is not
+ able to speak netlogon schannel. This is only the case
+ for Windows NT4 before SP4.</para>
- <para>Please note that with this set to
- <parameter>no</parameter> you will have to apply the
- WindowsXP requireSignOrSeal-Registry patch found in
- the docs/Registry subdirectory.</para
+ <para>Please note that with this set to
+ <parameter>no</parameter> you will have to apply the
+ WindowsXP requireSignOrSeal-Registry patch found in
+ the docs/Registry subdirectory.</para
- <para>Default: <command>server schannel = auto</command></para>
-
- <para>Example: <command>server schannel = yes</command>/para>
- </listitem>
- <samba:parameter> \ No newline at end of file
+ <para>Default: <command>server schannel = auto</command></para>
+ <para>Example: <command>server schannel = yes</command></para>
+</listitem>
+</samba:parameter> \ No newline at end of file
diff --git a/docs/docbook/smbdotconf/security/smbpasswdfile.xml b/docs/docbook/smbdotconf/security/smbpasswdfile.xml
index 2efbd12169..cb31ba5019 100644
--- a/docs/docbook/smbdotconf/security/smbpasswdfile.xml
+++ b/docs/docbook/smbdotconf/security/smbpasswdfile.xml
@@ -1,13 +1,14 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="SMBPASSWDFILE"/>smb passwd file (G)</term>
- <listitem><para>This option sets the path to the encrypted
- smbpasswd file. By default the path to the smbpasswd file
- is compiled into Samba.</para>
-
- <para>Default: <command moreinfo="none">smb passwd file = ${prefix}/private/smbpasswd
- </command></para>
+<samba:parameter name="smb passwd file"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
- <para>Example: <command moreinfo="none">smb passwd file = /etc/samba/smbpasswd
- </command></para>
- </listitem>
- </samba:parameter>
+ <para>This option sets the path to the encrypted smbpasswd file. By
+ default the path to the smbpasswd file is compiled into Samba.</para>
+
+ <para>Default: <command moreinfo="none">smb passwd file = ${prefix}/private/smbpasswd</command></para>
+
+ <para>Example: <command moreinfo="none">smb passwd file = /etc/samba/smbpasswd</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/unixpasswordsync.xml b/docs/docbook/smbdotconf/security/unixpasswordsync.xml
index 41c6d983d0..0d22ed9c7e 100644
--- a/docs/docbook/smbdotconf/security/unixpasswordsync.xml
+++ b/docs/docbook/smbdotconf/security/unixpasswordsync.xml
@@ -1,18 +1,22 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="UNIXPASSWORDSYNC"/>unix password sync (G)</term>
- <listitem><para>This boolean parameter controls whether Samba
- attempts to synchronize the UNIX password with the SMB password
- when the encrypted SMB password in the smbpasswd file is changed.
- If this is set to <constant>yes</constant> the program specified in the <parameter moreinfo="none">passwd
- program</parameter>parameter is called <emphasis>AS ROOT</emphasis> -
- to allow the new UNIX password to be set without access to the
- old UNIX password (as the SMB password change code has no
- access to the old password cleartext, only the new).</para>
+<samba:parameter name="unix password sync"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This boolean parameter controls whether Samba
+ attempts to synchronize the UNIX password with the SMB password
+ when the encrypted SMB password in the smbpasswd file is changed.
+ If this is set to <constant>yes</constant> the program specified in the <parameter moreinfo="none">passwd
+ program</parameter>parameter is called <emphasis>AS ROOT</emphasis> -
+ to allow the new UNIX password to be set without access to the
+ old UNIX password (as the SMB password change code has no
+ access to the old password cleartext, only the new).</para>
- <para>See also <link linkend="PASSWDPROGRAM"><parameter moreinfo="none">passwd
- program</parameter></link>, <link linkend="PASSWDCHAT"><parameter moreinfo="none">
- passwd chat</parameter></link>.</para>
+ <para>See also <link linkend="PASSWDPROGRAM"><parameter moreinfo="none">passwd
+ program</parameter></link>, <link linkend="PASSWDCHAT"><parameter moreinfo="none">
+ passwd chat</parameter></link>.
+ </para>
- <para>Default: <command moreinfo="none">unix password sync = no</command></para>
- </listitem>
- </samba:parameter>
+ <para>Default: <command moreinfo="none">unix password sync = no</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/updateencrypted.xml b/docs/docbook/smbdotconf/security/updateencrypted.xml
index 45c66e0de2..76b37948d7 100644
--- a/docs/docbook/smbdotconf/security/updateencrypted.xml
+++ b/docs/docbook/smbdotconf/security/updateencrypted.xml
@@ -1,28 +1,33 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="UPDATEENCRYPTED"/>update encrypted (G)</term>
- <listitem><para>This boolean parameter allows a user logging
- on with a plaintext password to have their encrypted (hashed)
- password in the smbpasswd file to be updated automatically as
- they log on. This option allows a site to migrate from plaintext
- password authentication (users authenticate with plaintext
- password over the wire, and are checked against a UNIX account
- database) to encrypted password authentication (the SMB
- challenge/response authentication mechanism) without forcing
- all users to re-enter their passwords via smbpasswd at the time the
- change is made. This is a convenience option to allow the change over
- to encrypted passwords to be made over a longer period. Once all users
- have encrypted representations of their passwords in the smbpasswd
- file this parameter should be set to <constant>no</constant>.</para>
+<samba:parameter name="update encrypted"
+ context="G"
+ basic="1" advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
- <para>In order for this parameter to work correctly the <link linkend="ENCRYPTPASSWORDS"><parameter moreinfo="none">encrypt passwords</parameter>
- </link> parameter must be set to <constant>no</constant> when
- this parameter is set to <constant>yes</constant>.</para>
+ <para>This boolean parameter allows a user logging on with
+ a plaintext password to have their encrypted (hashed) password in
+ the smbpasswd file to be updated automatically as they log
+ on. This option allows a site to migrate from plaintext
+ password authentication (users authenticate with plaintext
+ password over the wire, and are checked against a UNIX account
+ database) to encrypted password authentication (the SMB
+ challenge/response authentication mechanism) without forcing all
+ users to re-enter their passwords via smbpasswd at the time the
+ change is made. This is a convenience option to allow the change
+ over to encrypted passwords to be made over a longer period.
+ Once all users have encrypted representations of their passwords
+ in the smbpasswd file this parameter should be set to
+ <constant>no</constant>.</para>
- <para>Note that even when this parameter is set a user
- authenticating to <command moreinfo="none">smbd</command> must still enter a valid
- password in order to connect correctly, and to update their hashed
- (smbpasswd) passwords.</para>
+ <para>In order for this parameter to work correctly the <link linkend="ENCRYPTPASSWORDS">
+ <parameter moreinfo="none">encrypt passwords</parameter></link> parameter must
+ be set to <constant>no</constant> when this parameter is set to <constant>yes</constant>.</para>
- <para>Default: <command moreinfo="none">update encrypted = no</command></para>
- </listitem>
- </samba:parameter>
+ <para>Note that even when this parameter is set a user
+ authenticating to <command moreinfo="none">smbd</command> must still enter a valid
+ password in order to connect correctly, and to update their hashed
+ (smbpasswd) passwords.</para>
+
+ <para>Default: <command moreinfo="none">update encrypted = no</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/user.xml b/docs/docbook/smbdotconf/security/user.xml
index 9c0502061b..4ca2e18fac 100644
--- a/docs/docbook/smbdotconf/security/user.xml
+++ b/docs/docbook/smbdotconf/security/user.xml
@@ -1,6 +1,8 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="USER"/>user (S)</term>
- <listitem><para>Synonym for <link linkend="USERNAME"><parameter moreinfo="none">
- username</parameter></link>.</para>
- </listitem>
- </samba:parameter>
+<samba:parameter name="user"
+ context="S"
+ hide="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>Synonym for <link linkend="USERNAME"><parameter moreinfo="none">username</parameter></link>.</para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/username.xml b/docs/docbook/smbdotconf/security/username.xml
index 779f24170b..f1aa2fe1f8 100644
--- a/docs/docbook/smbdotconf/security/username.xml
+++ b/docs/docbook/smbdotconf/security/username.xml
@@ -1,62 +1,64 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="USERNAME"/>username (S)</term>
- <listitem><para>Multiple users may be specified in a comma-delimited
- list, in which case the supplied password will be tested against
- each username in turn (left to right).</para>
-
- <para>The <parameter moreinfo="none">username</parameter> line is needed only when
- the PC is unable to supply its own username. This is the case
- for the COREPLUS protocol or where your users have different WfWg
- usernames to UNIX usernames. In both these cases you may also be
- better using the \\server\share%user syntax instead.</para>
-
- <para>The <parameter moreinfo="none">username</parameter> line is not a great
- solution in many cases as it means Samba will try to validate
- the supplied password against each of the usernames in the
- <parameter moreinfo="none">username</parameter> line in turn. This is slow and
- a bad idea for lots of users in case of duplicate passwords.
- You may get timeouts or security breaches using this parameter
- unwisely.</para>
-
- <para>Samba relies on the underlying UNIX security. This
- parameter does not restrict who can login, it just offers hints
- to the Samba server as to what usernames might correspond to the
- supplied password. Users can login as whoever they please and
- they will be able to do no more damage than if they started a
- telnet session. The daemon runs as the user that they log in as,
- so they cannot do anything that user cannot do.</para>
-
- <para>To restrict a service to a particular set of users you
- can use the <link linkend="VALIDUSERS"><parameter moreinfo="none">valid users
- </parameter></link> parameter.</para>
-
- <para>If any of the usernames begin with a '@' then the name
- will be looked up first in the NIS netgroups list (if Samba
- is compiled with netgroup support), followed by a lookup in
- the UNIX groups database and will expand to a list of all users
- in the group of that name.</para>
+<samba:parameter name="username"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>Multiple users may be specified in a comma-delimited
+ list, in which case the supplied password will be tested against
+ each username in turn (left to right).</para>
+
+ <para>The <parameter moreinfo="none">username</parameter> line is needed only when
+ the PC is unable to supply its own username. This is the case
+ for the COREPLUS protocol or where your users have different WfWg
+ usernames to UNIX usernames. In both these cases you may also be
+ better using the \\server\share%user syntax instead.</para>
+
+ <para>The <parameter moreinfo="none">username</parameter> line is not a great
+ solution in many cases as it means Samba will try to validate
+ the supplied password against each of the usernames in the
+ <parameter moreinfo="none">username</parameter> line in turn. This is slow and
+ a bad idea for lots of users in case of duplicate passwords.
+ You may get timeouts or security breaches using this parameter
+ unwisely.</para>
+
+ <para>Samba relies on the underlying UNIX security. This
+ parameter does not restrict who can login, it just offers hints
+ to the Samba server as to what usernames might correspond to the
+ supplied password. Users can login as whoever they please and
+ they will be able to do no more damage than if they started a
+ telnet session. The daemon runs as the user that they log in as,
+ so they cannot do anything that user cannot do.</para>
+
+ <para>To restrict a service to a particular set of users you
+ can use the <link linkend="VALIDUSERS"><parameter moreinfo="none">valid users
+ </parameter></link> parameter.</para>
+
+ <para>If any of the usernames begin with a '@' then the name
+ will be looked up first in the NIS netgroups list (if Samba
+ is compiled with netgroup support), followed by a lookup in
+ the UNIX groups database and will expand to a list of all users
+ in the group of that name.</para>
- <para>If any of the usernames begin with a '+' then the name
- will be looked up only in the UNIX groups database and will
- expand to a list of all users in the group of that name.</para>
-
- <para>If any of the usernames begin with a '&amp;' then the name
- will be looked up only in the NIS netgroups database (if Samba
- is compiled with netgroup support) and will expand to a list
- of all users in the netgroup group of that name.</para>
-
- <para>Note that searching though a groups database can take
- quite some time, and some clients may time out during the
- search.</para>
-
- <para>See the section <link linkend="VALIDATIONSECT">NOTE ABOUT
- USERNAME/PASSWORD VALIDATION</link> for more information on how
- this parameter determines access to the services.</para>
-
- <para>Default: <command moreinfo="none">The guest account if a guest service,
- else &lt;empty string&gt;.</command></para>
-
- <para>Examples:<command moreinfo="none">username = fred, mary, jack, jane,
- @users, @pcgroup</command></para>
- </listitem>
- </samba:parameter>
+ <para>If any of the usernames begin with a '+' then the name
+ will be looked up only in the UNIX groups database and will
+ expand to a list of all users in the group of that name.</para>
+
+ <para>If any of the usernames begin with a '&amp;' then the name
+ will be looked up only in the NIS netgroups database (if Samba
+ is compiled with netgroup support) and will expand to a list
+ of all users in the netgroup group of that name.</para>
+
+ <para>Note that searching though a groups database can take
+ quite some time, and some clients may time out during the
+ search.</para>
+
+ <para>See the section <link linkend="VALIDATIONSECT">NOTE ABOUT
+ USERNAME/PASSWORD VALIDATION</link> for more information on how
+ this parameter determines access to the services.</para>
+
+ <para>Default: <command moreinfo="none">The guest account if a guest service,
+ else &lt;empty string&gt;.</command></para>
+
+ <para>Examples:<command moreinfo="none">username = fred, mary, jack, jane,
+ @users, @pcgroup</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/usernamelevel.xml b/docs/docbook/smbdotconf/security/usernamelevel.xml
index a4deff3bf9..3c71e3b710 100644
--- a/docs/docbook/smbdotconf/security/usernamelevel.xml
+++ b/docs/docbook/smbdotconf/security/usernamelevel.xml
@@ -1,20 +1,24 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="USERNAMELEVEL"/>username level (G)</term>
- <listitem><para>This option helps Samba to try and 'guess' at
- the real UNIX username, as many DOS clients send an all-uppercase
- username. By default Samba tries all lowercase, followed by the
- username with the first letter capitalized, and fails if the
- username is not found on the UNIX machine.</para>
+<samba:parameter name="username level"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This option helps Samba to try and 'guess' at
+ the real UNIX username, as many DOS clients send an all-uppercase
+ username. By default Samba tries all lowercase, followed by the
+ username with the first letter capitalized, and fails if the
+ username is not found on the UNIX machine.</para>
- <para>If this parameter is set to non-zero the behavior changes.
- This parameter is a number that specifies the number of uppercase
- combinations to try while trying to determine the UNIX user name. The
- higher the number the more combinations will be tried, but the slower
- the discovery of usernames will be. Use this parameter when you have
- strange usernames on your UNIX machine, such as <constant>AstrangeUser
- </constant>.</para>
+ <para>If this parameter is set to non-zero the behavior changes.
+ This parameter is a number that specifies the number of uppercase
+ combinations to try while trying to determine the UNIX user name. The
+ higher the number the more combinations will be tried, but the slower
+ the discovery of usernames will be. Use this parameter when you have
+ strange usernames on your UNIX machine, such as <constant>AstrangeUser
+ </constant>.</para>
- <para>Default: <command moreinfo="none">username level = 0</command></para>
- <para>Example: <command moreinfo="none">username level = 5</command></para>
- </listitem>
- </samba:parameter>
+ <para>Default: <command moreinfo="none">username level = 0</command></para>
+
+ <para>Example: <command moreinfo="none">username level = 5</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/usernamemap.xml b/docs/docbook/smbdotconf/security/usernamemap.xml
index 37ee72c235..583a1a872e 100644
--- a/docs/docbook/smbdotconf/security/usernamemap.xml
+++ b/docs/docbook/smbdotconf/security/usernamemap.xml
@@ -1,90 +1,91 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="USERNAMEMAP"/>username map (G)</term>
- <listitem><para>This option allows you to specify a file containing
- a mapping of usernames from the clients to the server. This can be
- used for several purposes. The most common is to map usernames
- that users use on DOS or Windows machines to those that the UNIX
- box uses. The other is to map multiple users to a single username
- so that they can more easily share files.</para>
-
- <para>The map file is parsed line by line. Each line should
- contain a single UNIX username on the left then a '=' followed
- by a list of usernames on the right. The list of usernames on the
- right may contain names of the form @group in which case they
- will match any UNIX username in that group. The special client
- name '*' is a wildcard and matches any name. Each line of the
- map file may be up to 1023 characters long.</para>
-
- <para>The file is processed on each line by taking the
- supplied username and comparing it with each username on the right
- hand side of the '=' signs. If the supplied name matches any of
- the names on the right hand side then it is replaced with the name
- on the left. Processing then continues with the next line.</para>
-
- <para>If any line begins with a '#' or a ';' then it is
- ignored</para>
-
- <para>If any line begins with an '!' then the processing
- will stop after that line if a mapping was done by the line.
- Otherwise mapping continues with every line being processed.
- Using '!' is most useful when you have a wildcard mapping line
- later in the file.</para>
-
- <para>For example to map from the name <constant>admin</constant>
- or <constant>administrator</constant> to the UNIX name <constant>
- root</constant> you would use:</para>
-
- <para><command moreinfo="none">root = admin administrator</command></para>
-
- <para>Or to map anyone in the UNIX group <constant>system</constant>
- to the UNIX name <constant>sys</constant> you would use:</para>
-
- <para><command moreinfo="none">sys = @system</command></para>
-
- <para>You can have as many mappings as you like in a username
- map file.</para>
-
-
- <para>If your system supports the NIS NETGROUP option then
- the netgroup database is checked before the <filename moreinfo="none">/etc/group
- </filename> database for matching groups.</para>
-
- <para>You can map Windows usernames that have spaces in them
- by using double quotes around the name. For example:</para>
-
- <para><command moreinfo="none">tridge = &quot;Andrew Tridgell&quot;</command></para>
-
- <para>would map the windows username &quot;Andrew Tridgell&quot; to the
- unix username &quot;tridge&quot;.</para>
-
- <para>The following example would map mary and fred to the
- unix user sys, and map the rest to guest. Note the use of the
- '!' to tell Samba to stop processing if it gets a match on
- that line.</para>
+<samba:parameter name="username map"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This option allows you to specify a file containing
+ a mapping of usernames from the clients to the server. This can be
+ used for several purposes. The most common is to map usernames
+ that users use on DOS or Windows machines to those that the UNIX
+ box uses. The other is to map multiple users to a single username
+ so that they can more easily share files.</para>
+
+ <para>The map file is parsed line by line. Each line should
+ contain a single UNIX username on the left then a '=' followed
+ by a list of usernames on the right. The list of usernames on the
+ right may contain names of the form @group in which case they
+ will match any UNIX username in that group. The special client
+ name '*' is a wildcard and matches any name. Each line of the
+ map file may be up to 1023 characters long.</para>
+
+ <para>The file is processed on each line by taking the
+ supplied username and comparing it with each username on the right
+ hand side of the '=' signs. If the supplied name matches any of
+ the names on the right hand side then it is replaced with the name
+ on the left. Processing then continues with the next line.</para>
+
+ <para>If any line begins with a '#' or a ';' then it is ignored</para>
+
+ <para>If any line begins with an '!' then the processing
+ will stop after that line if a mapping was done by the line.
+ Otherwise mapping continues with every line being processed.
+ Using '!' is most useful when you have a wildcard mapping line
+ later in the file.</para>
+
+ <para>For example to map from the name <constant>admin</constant>
+ or <constant>administrator</constant> to the UNIX name <constant>
+ root</constant> you would use:</para>
+
+ <para><command moreinfo="none">root = admin administrator</command></para>
+
+ <para>Or to map anyone in the UNIX group <constant>system</constant>
+ to the UNIX name <constant>sys</constant> you would use:</para>
+
+ <para><command moreinfo="none">sys = @system</command></para>
+
+ <para>You can have as many mappings as you like in a username map file.</para>
+
+
+ <para>If your system supports the NIS NETGROUP option then
+ the netgroup database is checked before the <filename moreinfo="none">/etc/group
+ </filename> database for matching groups.</para>
+
+ <para>You can map Windows usernames that have spaces in them
+ by using double quotes around the name. For example:</para>
+
+ <para><command moreinfo="none">tridge = &quot;Andrew Tridgell&quot;</command></para>
+
+ <para>would map the windows username &quot;Andrew Tridgell&quot; to the
+ unix username &quot;tridge&quot;.</para>
+
+ <para>The following example would map mary and fred to the
+ unix user sys, and map the rest to guest. Note the use of the
+ '!' to tell Samba to stop processing if it gets a match on
+ that line.</para>
<para><programlisting format="linespecific">
!sys = mary fred
guest = *
</programlisting></para>
- <para>Note that the remapping is applied to all occurrences
- of usernames. Thus if you connect to \\server\fred and <constant>
- fred</constant> is remapped to <constant>mary</constant> then you
- will actually be connecting to \\server\mary and will need to
- supply a password suitable for <constant>mary</constant> not
- <constant>fred</constant>. The only exception to this is the
- username passed to the <link linkend="PASSWORDSERVER"><parameter moreinfo="none">
- password server</parameter></link> (if you have one). The password
- server will receive whatever username the client supplies without
- modification.</para>
-
- <para>Also note that no reverse mapping is done. The main effect
- this has is with printing. Users who have been mapped may have
- trouble deleting print jobs as PrintManager under WfWg will think
- they don't own the print job.</para>
-
- <para>Default: <emphasis>no username map</emphasis></para>
- <para>Example: <command moreinfo="none">username map = /usr/local/samba/lib/users.map
- </command></para>
- </listitem>
- </samba:parameter>
+ <para>Note that the remapping is applied to all occurrences
+ of usernames. Thus if you connect to \\server\fred and <constant>
+ fred</constant> is remapped to <constant>mary</constant> then you
+ will actually be connecting to \\server\mary and will need to
+ supply a password suitable for <constant>mary</constant> not
+ <constant>fred</constant>. The only exception to this is the
+ username passed to the <link linkend="PASSWORDSERVER"><parameter moreinfo="none">
+ password server</parameter></link> (if you have one). The password
+ server will receive whatever username the client supplies without
+ modification.</para>
+
+ <para>Also note that no reverse mapping is done. The main effect
+ this has is with printing. Users who have been mapped may have
+ trouble deleting print jobs as PrintManager under WfWg will think
+ they don't own the print job.</para>
+
+ <para>Default: <emphasis>no username map</emphasis></para>
+
+ <para>Example: <command moreinfo="none">username map = /usr/local/samba/lib/users.map</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/users.xml b/docs/docbook/smbdotconf/security/users.xml
index e78d259f62..fdb19da243 100644
--- a/docs/docbook/smbdotconf/security/users.xml
+++ b/docs/docbook/smbdotconf/security/users.xml
@@ -1,6 +1,9 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="USERS"/>users (S)</term>
- <listitem><para>Synonym for <link linkend="USERNAME"><parameter moreinfo="none">
- username</parameter></link>.</para>
- </listitem>
- </samba:parameter>
+<samba:parameter name="users"
+ context="S"
+ hide="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>Synonym for <link linkend="USERNAME"><parameter moreinfo="none">
+ username</parameter></link>.</para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/validusers.xml b/docs/docbook/smbdotconf/security/validusers.xml
index 5155a5ef34..268e913cb5 100644
--- a/docs/docbook/smbdotconf/security/validusers.xml
+++ b/docs/docbook/smbdotconf/security/validusers.xml
@@ -1,23 +1,25 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="VALIDUSERS"/>valid users (S)</term>
- <listitem><para>This is a list of users that should be allowed
- to login to this service. Names starting with '@', '+' and '&amp;'
- are interpreted using the same rules as described in the
- <parameter moreinfo="none">invalid users</parameter> parameter.</para>
+<samba:parameter name="valid users"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This is a list of users that should be allowed
+ to login to this service. Names starting with '@', '+' and '&amp;'
+ are interpreted using the same rules as described in the
+ <parameter moreinfo="none">invalid users</parameter> parameter.</para>
- <para>If this is empty (the default) then any user can login.
- If a username is in both this list and the <parameter moreinfo="none">invalid
- users</parameter> list then access is denied for that user.</para>
+ <para>If this is empty (the default) then any user can login.
+ If a username is in both this list and the <parameter moreinfo="none">invalid
+ users</parameter> list then access is denied for that user.</para>
- <para>The current servicename is substituted for <parameter moreinfo="none">%S
- </parameter>. This is useful in the [homes] section.</para>
+ <para>The current servicename is substituted for <parameter moreinfo="none">%S
+ </parameter>. This is useful in the [homes] section.</para>
- <para>See also <link linkend="INVALIDUSERS"><parameter moreinfo="none">invalid users
- </parameter></link></para>
+ <para>See also <link linkend="INVALIDUSERS"><parameter moreinfo="none">invalid users
+ </parameter></link></para>
- <para>Default: <emphasis>No valid users list (anyone can login)
- </emphasis></para>
+ <para>Default: <emphasis>No valid users list (anyone can login)
+ </emphasis></para>
- <para>Example: <command moreinfo="none">valid users = greg, @pcusers</command></para>
- </listitem>
- </samba:parameter>
+ <para>Example: <command moreinfo="none">valid users = greg, @pcusers</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/writable.xml b/docs/docbook/smbdotconf/security/writable.xml
index 66ba44cc44..9b32db8ebc 100644
--- a/docs/docbook/smbdotconf/security/writable.xml
+++ b/docs/docbook/smbdotconf/security/writable.xml
@@ -1,6 +1,8 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="WRITABLE"/>writable (S)</term>
- <listitem><para>Synonym for <link linkend="WRITEABLE"><parameter moreinfo="none">
- writeable</parameter></link> for people who can't spell :-).</para>
- </listitem>
- </samba:parameter>
+<samba:parameter name="writable"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>Synonym for <link linkend="WRITEABLE"><parameter moreinfo="none">
+ writeable</parameter></link> for people who can't spell :-).</para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/writeable.xml b/docs/docbook/smbdotconf/security/writeable.xml
index b963410374..63e7734986 100644
--- a/docs/docbook/smbdotconf/security/writeable.xml
+++ b/docs/docbook/smbdotconf/security/writeable.xml
@@ -1,6 +1,8 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="WRITEABLE"/>writeable (S)</term>
- <listitem><para>Inverted synonym for <link linkend="READONLY"><parameter moreinfo="none">
- read only</parameter></link>.</para>
- </listitem>
- </samba:parameter>
+<samba:parameter name="writeable"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>Inverted synonym for <link linkend="READONLY">
+ <parameter moreinfo="none">read only</parameter></link>.</para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/writelist.xml b/docs/docbook/smbdotconf/security/writelist.xml
index 76ee56c93a..4a0e046127 100644
--- a/docs/docbook/smbdotconf/security/writelist.xml
+++ b/docs/docbook/smbdotconf/security/writelist.xml
@@ -1,21 +1,22 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="WRITELIST"/>write list (S)</term>
- <listitem><para>This is a list of users that are given read-write
- access to a service. If the connecting user is in this list then
- they will be given write access, no matter what the <link linkend="READONLY"><parameter moreinfo="none">read only</parameter></link>
- option is set to. The list can include group names using the
- @group syntax.</para>
+<samba:parameter name="write list"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This is a list of users that are given read-write
+ access to a service. If the connecting user is in this list then
+ they will be given write access, no matter what the <link linkend="READONLY">
+ <parameter moreinfo="none">read only</parameter></link>
+ option is set to. The list can include group names using the
+ @group syntax.</para>
- <para>Note that if a user is in both the read list and the
- write list then they will be given write access.</para>
+ <para>Note that if a user is in both the read list and the
+ write list then they will be given write access.</para>
- <para>See also the <link linkend="READLIST"><parameter moreinfo="none">read list
- </parameter></link> option.</para>
+ <para>See also the <link linkend="READLIST"><parameter moreinfo="none">read list
+ </parameter></link> option.</para>
- <para>Default: <command moreinfo="none">write list = &lt;empty string&gt;
- </command></para>
+ <para>Default: <command moreinfo="none">write list = &lt;empty string&gt;</command></para>
- <para>Example: <command moreinfo="none">write list = admin, root, @staff
- </command></para>
- </listitem>
- </samba:parameter>
+ <para>Example: <command moreinfo="none">write list = admin, root, @staff</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/writeok.xml b/docs/docbook/smbdotconf/security/writeok.xml
index 103c2be993..da68489012 100644
--- a/docs/docbook/smbdotconf/security/writeok.xml
+++ b/docs/docbook/smbdotconf/security/writeok.xml
@@ -1,6 +1,8 @@
-<samba:parameter xmlns:samba="http://samba.org/common">
- <term><anchor id="WRITEOK"/>write ok (S)</term>
- <listitem><para>Inverted synonym for <link linkend="READONLY"><parameter moreinfo="none">
- read only</parameter></link>.</para>
- </listitem>
- </samba:parameter>
+<samba:parameter name="write ok"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>Inverted synonym for <link linkend="READONLY">
+ <parameter moreinfo="none">read only</parameter></link>.</para>
+</listitem>
+</samba:parameter>