Diffstat (limited to 'docs-xml/smbdotconf/logon')
-rw-r--r--docs-xml/smbdotconf/logon/abortshutdownscript.xml16
-rw-r--r--docs-xml/smbdotconf/logon/addgroupscript.xml19
-rw-r--r--docs-xml/smbdotconf/logon/addmachinescript.xml21
-rw-r--r--docs-xml/smbdotconf/logon/adduserscript.xml55
-rw-r--r--docs-xml/smbdotconf/logon/addusertogroupscript.xml22
-rw-r--r--docs-xml/smbdotconf/logon/deletegroupscript.xml15
-rw-r--r--docs-xml/smbdotconf/logon/deleteuserfromgroupscript.xml17
-rw-r--r--docs-xml/smbdotconf/logon/deleteuserscript.xml22
-rw-r--r--docs-xml/smbdotconf/logon/domainlogons.xml18
-rw-r--r--docs-xml/smbdotconf/logon/enableprivileges.xml26
-rw-r--r--docs-xml/smbdotconf/logon/logondrive.xml19
-rw-r--r--docs-xml/smbdotconf/logon/logonhome.xml57
-rw-r--r--docs-xml/smbdotconf/logon/logonpath.xml70
-rw-r--r--docs-xml/smbdotconf/logon/logonscript.xml51
-rw-r--r--docs-xml/smbdotconf/logon/setprimarygroupscript.xml20
-rw-r--r--docs-xml/smbdotconf/logon/shutdownscript.xml60
16 files changed, 508 insertions, 0 deletions
diff --git a/docs-xml/smbdotconf/logon/abortshutdownscript.xml b/docs-xml/smbdotconf/logon/abortshutdownscript.xml
new file mode 100644
index 0000000000..45bed073ea
--- /dev/null
+++ b/docs-xml/smbdotconf/logon/abortshutdownscript.xml
@@ -0,0 +1,16 @@
+<samba:parameter name="abort shutdown script"
+ context="G"
+ advanced="1" developer="1"
+ type="string"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This a full path name to a script called by <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> that
+ should stop a shutdown procedure issued by the <smbconfoption name="shutdown script"/>.</para>
+
+ <para>If the connected user posseses the <constant>SeRemoteShutdownPrivilege</constant>,
+ right, this command will be run as user.</para>
+</description>
+<value type="default">&quot;&quot;</value>
+<value type="example">/sbin/shutdown -c</value>
+</samba:parameter>
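Review bot: The second paragraph says the command "will be run as user" without saying which user, and for a script that smbd runs on behalf of a remote caller the execution identity is the fact an administrator most needs. If smbd elevates for holders of SeRemoteShutdownPrivilege, which the sentence seems to intend but this page does not show, state it outright, e.g. `right, this command will be run as root; otherwise it runs as the connected user.` The same paragraph has wording slips worth fixing at the same time: `This a full path name` lacks "is", `posseses` should be `possesses`, and the comma before `right` is stray. The identical paragraph in shutdownscript.xml needs the same correction.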
diff --git a/docs-xml/smbdotconf/logon/addgroupscript.xml b/docs-xml/smbdotconf/logon/addgroupscript.xml
new file mode 100644
index 0000000000..3804e144ff
--- /dev/null
+++ b/docs-xml/smbdotconf/logon/addgroupscript.xml
@@ -0,0 +1,19 @@
+<samba:parameter name="add group script"
+ context="G"
+ type="string"
+ advanced="1" developer="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This is the full pathname to a script that will be run <emphasis>AS ROOT</emphasis> by <citerefentry>
+ <refentrytitle>smbd</refentrytitle><manvolnum>8</manvolnum></citerefentry> when a new group is requested. It
+ will expand any <parameter moreinfo="none">%g</parameter> to the group name passed. This script is only useful
+ for installations using the Windows NT domain administration tools. The script is free to create a group with
+ an arbitrary name to circumvent unix group name restrictions. In that case the script must print the numeric
+ gid of the created group on stdout.
+ </para>
+</description>
+
+<value type="default"/>
+<value type="example">/usr/sbin/groupadd %g</value>
+</samba:parameter>
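Review bot: The example `/usr/sbin/groupadd %g` passes the substituted name unquoted to a command the description says runs AS ROOT, and the name comes from a remote administration tool and may contain spaces (Windows group names often do). How smbd sanitises substitutions, and whether the line goes through a shell, is not visible here, so the safer documented form is the quoted one that setprimarygroupscript.xml already uses, `/usr/sbin/groupadd '%g'`. A sentence telling script authors to validate the argument before acting on it would also help. The same applies to the unquoted `%u`/`%g` examples in addmachinescript.xml, adduserscript.xml, addusertogroupscript.xml, deleteuserfromgroupscript.xml and deleteuserscript.xml.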
diff --git a/docs-xml/smbdotconf/logon/addmachinescript.xml b/docs-xml/smbdotconf/logon/addmachinescript.xml
new file mode 100644
index 0000000000..c06a4a964f
--- /dev/null
+++ b/docs-xml/smbdotconf/logon/addmachinescript.xml
@@ -0,0 +1,21 @@
+<samba:parameter name="add machine script"
+ context="G"
+ type="string"
+ advanced="1" developer="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This is the full pathname to a script that will be run by
+ <citerefentry><refentrytitle>smbd</refentrytitle> <manvolnum>8</manvolnum></citerefentry> when a machine is
+ added to Samba's domain and a Unix account matching the machine's name appended with a &quot;$&quot; does not
+ already exist.
+ </para>
+ <para>This option is very similar to the <smbconfoption
+ name="add user script"/>, and likewise uses the %u
+ substitution for the account name. Do not use the %m
+ substitution. </para>
+</description>
+
+<value type="default"/>
+<value type="example">/usr/sbin/adduser -n -g machines -c Machine -d /var/lib/nobody -s /bin/false %u</value>
+</samba:parameter>
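Review bot: The description never says which identity smbd uses to run this script, although the sibling `add user script` text it points to states `AS ROOT` explicitly. If the machine script is also run as root (likely, since the example calls adduser, but not shown on this page), say so: `script that will be run <emphasis>AS ROOT</emphasis> by`. deleteuserscript.xml has the same gap and also never mentions the `%u` substitution that its example value relies on.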
diff --git a/docs-xml/smbdotconf/logon/adduserscript.xml b/docs-xml/smbdotconf/logon/adduserscript.xml
new file mode 100644
index 0000000000..7128cb73c7
--- /dev/null
+++ b/docs-xml/smbdotconf/logon/adduserscript.xml
@@ -0,0 +1,55 @@
+<samba:parameter name="add user script"
+ context="G"
+ type="string"
+ advanced="1" developer="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This is the full pathname to a script that will be run <emphasis>AS ROOT</emphasis> by
+ <citerefentry><refentrytitle>smbd</refentrytitle> <manvolnum>8</manvolnum></citerefentry>
+ under special circumstances described below.
+ </para>
+
+ <para>
+ Normally, a Samba server requires that UNIX users are created for all users accessing
+ files on this server. For sites that use Windows NT account databases as their primary
+ user database creating these users and keeping the user list in sync with the Windows
+ NT PDC is an onerous task. This option allows smbd to create the required UNIX users
+ <emphasis>ON DEMAND</emphasis> when a user accesses the Samba server.
+ </para>
+
+ <para>
+ In order to use this option, <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> must <emphasis>NOT</emphasis> be set to
+ <smbconfoption name="security">share</smbconfoption> and <smbconfoption name="add user script"/>
+ must be set to a full pathname for a script that will create a UNIX user given one argument of
+ <parameter moreinfo="none">%u</parameter>, which expands into the UNIX user name to create.
+ </para>
+
+ <para>
+ When the Windows user attempts to access the Samba server, at login (session setup in
+ the SMB protocol) time, <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> contacts the <smbconfoption name="password server"/>
+ and attempts to authenticate the given user with the given password. If the authentication
+ succeeds then <command moreinfo="none">smbd</command> attempts to find a UNIX user in the UNIX
+ password database to map the Windows user into. If this lookup fails, and
+ <smbconfoption name="add user script"/> is set then <command moreinfo="none">smbd</command> will
+ call the specified script <emphasis>AS ROOT</emphasis>, expanding any
+ <parameter moreinfo="none">%u</parameter> argument to be the user name to create.
+ </para>
+
+ <para>
+ If this script successfully creates the user then <command moreinfo="none">smbd</command> will
+ continue on as though the UNIX user already existed. In this way, UNIX users are dynamically created to
+ match existing Windows NT accounts.
+ </para>
+
+ <para>
+ See also <smbconfoption name="security"/>, <smbconfoption name="password server"/>,
+ <smbconfoption name="delete user script"/>.
+ </para>
+</description>
+
+<value type="default"/>
+<value type="example">/usr/local/samba/bin/add_user %u</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/logon/addusertogroupscript.xml b/docs-xml/smbdotconf/logon/addusertogroupscript.xml
new file mode 100644
index 0000000000..f7eb410024
--- /dev/null
+++ b/docs-xml/smbdotconf/logon/addusertogroupscript.xml
@@ -0,0 +1,22 @@
+<samba:parameter name="add user to group script"
+ context="G"
+ type="string"
+ advanced="1" developer="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ Full path to the script that will be called when a user is added to a group using the Windows NT domain administration
+ tools. It will be run by <citerefentry><refentrytitle>smbd</refentrytitle> <manvolnum>8</manvolnum></citerefentry>
+ <emphasis>AS ROOT</emphasis>. Any <parameter moreinfo="none">%g</parameter> will be replaced with the group name and
+ any <parameter moreinfo="none">%u</parameter> will be replaced with the user name.
+ </para>
+
+ <para>
+ Note that the <command>adduser</command> command used in the example below does
+ not support the used syntax on all systems.
+ </para>
+
+</description>
+<value type="default"></value>
+<value type="example">/usr/sbin/adduser %u %g</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/logon/deletegroupscript.xml b/docs-xml/smbdotconf/logon/deletegroupscript.xml
new file mode 100644
index 0000000000..bd265b7fc8
--- /dev/null
+++ b/docs-xml/smbdotconf/logon/deletegroupscript.xml
@@ -0,0 +1,15 @@
+<samba:parameter name="delete group script"
+ context="G"
+ type="string"
+ advanced="1" developer="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This is the full pathname to a script that will
+ be run <emphasis>AS ROOT</emphasis> <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> when a group is requested to be deleted.
+ It will expand any <parameter moreinfo="none">%g</parameter> to the group name passed.
+ This script is only useful for installations using the Windows NT domain administration tools.
+ </para>
+</description>
+<value type="default"></value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/logon/deleteuserfromgroupscript.xml b/docs-xml/smbdotconf/logon/deleteuserfromgroupscript.xml
new file mode 100644
index 0000000000..a685ab5290
--- /dev/null
+++ b/docs-xml/smbdotconf/logon/deleteuserfromgroupscript.xml
@@ -0,0 +1,17 @@
+<samba:parameter name="delete user from group script"
+ context="G"
+ type="string"
+ advanced="1" developer="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>Full path to the script that will be called when
+ a user is removed from a group using the Windows NT domain administration
+ tools. It will be run by <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> <emphasis>AS ROOT</emphasis>.
+ Any <parameter moreinfo="none">%g</parameter> will be replaced with the group name and
+ any <parameter moreinfo="none">%u</parameter> will be replaced with the user name.
+</para>
+</description>
+<value type="default"/>
+<value type="example">/usr/sbin/deluser %u %g</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/logon/deleteuserscript.xml b/docs-xml/smbdotconf/logon/deleteuserscript.xml
new file mode 100644
index 0000000000..b3abe23e4c
--- /dev/null
+++ b/docs-xml/smbdotconf/logon/deleteuserscript.xml
@@ -0,0 +1,22 @@
+<samba:parameter name="delete user script"
+ type="string"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This is the full pathname to a script that will
+ be run by <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> when managing users
+ with remote RPC (NT) tools.
+ </para>
+
+ <para>This script is called when a remote client removes a user
+ from the server, normally using 'User Manager for Domains' or
+ <command moreinfo="none">rpcclient</command>.</para>
+
+ <para>This script should delete the given UNIX username.</para>
+</description>
+
+<value type="default"></value>
+<value type="example">/usr/local/samba/bin/del_user %u</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/logon/domainlogons.xml b/docs-xml/smbdotconf/logon/domainlogons.xml
new file mode 100644
index 0000000000..d274faa18b
--- /dev/null
+++ b/docs-xml/smbdotconf/logon/domainlogons.xml
@@ -0,0 +1,18 @@
+<samba:parameter name="domain logons"
+ context="G"
+ type="boolean"
+ advanced="1" developer="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ If set to <constant>yes</constant>, the Samba server will
+ provide the netlogon service for Windows 9X network logons for the
+ <smbconfoption name="workgroup"/> it is in.
+ This will also cause the Samba server to act as a domain
+ controller for NT4 style domain services. For more details on
+ setting up this feature see the Domain Control chapter of the
+ Samba HOWTO Collection.
+ </para>
+</description>
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/logon/enableprivileges.xml b/docs-xml/smbdotconf/logon/enableprivileges.xml
new file mode 100644
index 0000000000..3e958e0ce9
--- /dev/null
+++ b/docs-xml/smbdotconf/logon/enableprivileges.xml
@@ -0,0 +1,26 @@
+<samba:parameter name="enable privileges"
+ context="G"
+ type="boolean"
+ advanced="1" developer="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This parameter controls whether or not smbd will honor privileges assigned to specific SIDs via either
+ <command>net rpc rights</command> or one of the Windows user and group manager tools. This parameter is
+ enabled by default. It can be disabled to prevent members of the Domain Admins group from being able to
+ assign privileges to users or groups which can then result in certain smbd operations running as root that
+ would normally run under the context of the connected user.
+ </para>
+
+ <para>
+ An example of how privileges can be used is to assign the right to join clients to a Samba controlled
+ domain without providing root access to the server via smbd.
+ </para>
+
+ <para>
+ Please read the extended description provided in the Samba HOWTO documentation.
+ </para>
+
+</description>
+<value type="default">yes</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/logon/logondrive.xml b/docs-xml/smbdotconf/logon/logondrive.xml
new file mode 100644
index 0000000000..b32cfd7006
--- /dev/null
+++ b/docs-xml/smbdotconf/logon/logondrive.xml
@@ -0,0 +1,19 @@
+<samba:parameter name="logon drive"
+ context="G"
+ type="string"
+ advanced="1" developer="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This parameter specifies the local path to which the home directory will be
+ connected (see <smbconfoption name="logon home"/>) and is only used by NT
+ Workstations.
+ </para>
+
+ <para>
+ Note that this option is only useful if Samba is set up as a logon server.
+ </para>
+</description>
+<value type="default"></value>
+<value type="example">h:</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/logon/logonhome.xml b/docs-xml/smbdotconf/logon/logonhome.xml
new file mode 100644
index 0000000000..b7a10a98fc
--- /dev/null
+++ b/docs-xml/smbdotconf/logon/logonhome.xml
@@ -0,0 +1,57 @@
+<samba:parameter name="logon home"
+ context="G"
+ type="string"
+ advanced="1" developer="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This parameter specifies the home directory location when a Win95/98 or NT Workstation logs into a Samba PDC.
+ It allows you to do
+ </para>
+
+ <para>
+ <prompt moreinfo="none">C:\&gt;</prompt><userinput moreinfo="none">NET USE H: /HOME</userinput>
+ </para>
+
+ <para>
+ from a command prompt, for example.
+ </para>
+
+ <para>
+ This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine.
+ </para>
+
+ <para>
+ This parameter can be used with Win9X workstations to ensure that roaming profiles are stored in a
+ subdirectory of the user's home directory. This is done in the following way:
+ </para>
+
+ <para>
+ <command moreinfo="none">logon home = \\%N\%U\profile</command>
+ </para>
+
+ <para>
+ This tells Samba to return the above string, with substitutions made when a client requests the info, generally
+ in a NetUserGetInfo request. Win9X clients truncate the info to \\server\share when a user does
+ <command moreinfo="none">net use /home</command> but use the whole string when dealing with profiles.
+ </para>
+
+ <para>
+ Note that in prior versions of Samba, the <smbconfoption name="logon path"/> was returned rather than
+ <parameter moreinfo="none">logon home</parameter>. This broke <command moreinfo="none">net use /home</command>
+ but allowed profiles outside the home directory. The current implementation is correct, and can be used for
+ profiles if you use the above trick.
+ </para>
+
+ <para>
+ Disable this feature by setting <smbconfoption name="logon home">""</smbconfoption> - using the empty string.
+ </para>
+
+ <para>
+ This option is only useful if Samba is set up as a logon server.
+ </para>
+</description>
+
+<value type="default">\\%N\%U</value>
+<value type="example">\\remote_smb_server\%U</value>
+</samba:parameter>
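Review bot: The sentence `allowing you to have separate logon scripts for each user or machine` is carried over from the logon script text and does not describe what the substitutions do for this parameter. Something like `allowing you to have a separate home directory location for each user or machine` would match the parameter. logonpath.xml repeats the logon-script sentence twice in its description; one copy should go and the other should speak of profile directories.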
diff --git a/docs-xml/smbdotconf/logon/logonpath.xml b/docs-xml/smbdotconf/logon/logonpath.xml
new file mode 100644
index 0000000000..f0a3817106
--- /dev/null
+++ b/docs-xml/smbdotconf/logon/logonpath.xml
@@ -0,0 +1,70 @@
+<samba:parameter name="logon path"
+ context="G"
+ type="string"
+ advanced="1" developer="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This parameter specifies the directory where roaming profiles (Desktop, NTuser.dat, etc) are
+ stored. Contrary to previous versions of these manual pages, it has nothing to do with Win 9X roaming
+ profiles. To find out how to handle roaming profiles for Win 9X system, see the
+ <smbconfoption name="logon home"/> parameter.
+ </para>
+
+ <para>
+ This option takes the standard substitutions, allowing you to have separate logon scripts for each user or
+ machine. It also specifies the directory from which the &quot;Application Data&quot;, <filename
+ moreinfo="none">desktop</filename>, <filename moreinfo="none">start menu</filename>, <filename
+ moreinfo="none">network neighborhood</filename>, <filename moreinfo="none">programs</filename> and other
+ folders, and their contents, are loaded and displayed on your Windows NT client.
+ </para>
+
+ <para>
+ The share and the path must be readable by the user for the preferences and directories to be loaded onto the
+ Windows NT client. The share must be writeable when the user logs in for the first time, in order that the
+ Windows NT client can create the NTuser.dat and other directories.
+ Thereafter, the directories and any of the contents can, if required, be made read-only. It is not advisable
+ that the NTuser.dat file be made read-only - rename it to NTuser.man to achieve the desired effect (a
+ <emphasis>MAN</emphasis>datory profile).
+ </para>
+
+ <para>
+ Windows clients can sometimes maintain a connection to the [homes] share, even though there is no user logged
+ in. Therefore, it is vital that the logon path does not include a reference to the homes share (i.e. setting
+ this parameter to \\%N\homes\profile_path will cause problems).
+ </para>
+
+ <para>
+ This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine.
+ </para>
+
+ <warning><para>
+ Do not quote the value. Setting this as <quote>\\%N\profile\%U</quote>
+ will break profile handling. Where the tdbsam or ldapsam passdb backend
+ is used, at the time the user account is created the value configured
+ for this parameter is written to the passdb backend and that value will
+ over-ride the parameter value present in the smb.conf file. Any error
+ present in the passdb backend account record must be editted using the
+ appropriate tool (pdbedit on the command-line, or any other locally
+ provided system tool).
+ </para></warning>
+
+ <para>Note that this option is only useful if Samba is set up as a domain controller.</para>
+
+ <para>
+ Disable the use of roaming profiles by setting the value of this parameter to the empty string. For
+ example, <smbconfoption name="logon path">""</smbconfoption>. Take note that even if the default setting
+ in the smb.conf file is the empty string, any value specified in the user account settings in the passdb
+ backend will over-ride the effect of setting this parameter to null. Disabling of all roaming profile use
+ requires that the user account settings must also be blank.
+ </para>
+
+ <para>
+ An example of use is:
+<programlisting>
+logon path = \\PROFILESERVER\PROFILE\%U
+</programlisting>
+ </para>
+</description>
+<value type="default">\\%N\%U\profile</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/logon/logonscript.xml b/docs-xml/smbdotconf/logon/logonscript.xml
new file mode 100644
index 0000000000..5b304514d0
--- /dev/null
+++ b/docs-xml/smbdotconf/logon/logonscript.xml
@@ -0,0 +1,51 @@
+<samba:parameter name="logon script"
+ context="G"
+ advanced="1" developer="1"
+ type="string"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This parameter specifies the batch file (<filename>.bat</filename>) or NT command file
+ (<filename>.cmd</filename>) to be downloaded and run on a machine when a user successfully logs in. The file
+ must contain the DOS style CR/LF line endings. Using a DOS-style editor to create the file is recommended.
+ </para>
+
+ <para>
+ The script must be a relative path to the <smbconfsection name="[netlogon]"/> service. If the [netlogon]
+ service specifies a <smbconfoption name="path"/> of <filename
+ moreinfo="none">/usr/local/samba/netlogon</filename>, and <smbconfoption name="logon
+ script">STARTUP.BAT</smbconfoption>, then the file that will be downloaded is:
+<programlisting>
+ /usr/local/samba/netlogon/STARTUP.BAT
+</programlisting>
+ </para>
+
+ <para>
+ The contents of the batch file are entirely your choice. A suggested command would be to add <command
+ moreinfo="none">NET TIME \\SERVER /SET /YES</command>, to force every machine to synchronize clocks with the
+ same time server. Another use would be to add <command moreinfo="none">NET USE U: \\SERVER\UTILS</command>
+ for commonly used utilities, or
+<programlisting>
+<userinput>NET USE Q: \\SERVER\ISO9001_QA</userinput>
+</programlisting>
+ for example.
+ </para>
+
+ <para>
+ Note that it is particularly important not to allow write access to the [netlogon] share, or to grant users
+ write permission on the batch files in a secure environment, as this would allow the batch files to be
+ arbitrarily modified and security to be breached.
+ </para>
+
+ <para>
+ This option takes the standard substitutions, allowing you to have separate logon scripts for each user or
+ machine.
+ </para>
+
+ <para>
+ This option is only useful if Samba is set up as a logon server.
+ </para>
+</description>
+<value type="default"></value>
+<value type="example">scripts\%U.bat</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/logon/setprimarygroupscript.xml b/docs-xml/smbdotconf/logon/setprimarygroupscript.xml
new file mode 100644
index 0000000000..b348501e8b
--- /dev/null
+++ b/docs-xml/smbdotconf/logon/setprimarygroupscript.xml
@@ -0,0 +1,20 @@
+<samba:parameter name="set primary group script"
+ context="G"
+ type="string"
+ advanced="1" developer="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+ <para>Thanks to the Posix subsystem in NT a Windows User has a
+ primary group in addition to the auxiliary groups. This script
+ sets the primary group in the unix userdatase when an
+ administrator sets the primary group from the windows user
+ manager or when fetching a SAM with <command>net rpc
+ vampire</command>. <parameter>%u</parameter> will be replaced
+ with the user whose primary group is to be set.
+ <parameter>%g</parameter> will be replaced with the group to
+ set.</para>
+</description>
+<value type="default"></value>
+<value type="example">/usr/sbin/usermod -g '%g' '%u'</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/logon/shutdownscript.xml b/docs-xml/smbdotconf/logon/shutdownscript.xml
new file mode 100644
index 0000000000..7e8ec8fd3a
--- /dev/null
+++ b/docs-xml/smbdotconf/logon/shutdownscript.xml
@@ -0,0 +1,60 @@
+<samba:parameter name="shutdown script"
+ context="G"
+ type="string"
+ advanced="1" developer="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This a full path name to a script called by
+ <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> that should
+ start a shutdown procedure.</para>
+
+ <para>If the connected user posseses the <constant>SeRemoteShutdownPrivilege</constant>,
+ right, this command will be run as user.</para>
+
+ <para>The %z %t %r %f variables are expanded as follows:</para>
+
+ <itemizedlist>
+ <listitem>
+ <para><parameter moreinfo="none">%z</parameter> will be substituted with the
+ shutdown message sent to the server.</para>
+ </listitem>
+
+ <listitem>
+ <para><parameter moreinfo="none">%t</parameter> will be substituted with the
+ number of seconds to wait before effectively starting the
+ shutdown procedure.</para>
+ </listitem>
+
+ <listitem>
+ <para><parameter moreinfo="none">%r</parameter> will be substituted with the
+ switch <emphasis>-r</emphasis>. It means reboot after shutdown
+ for NT.</para>
+ </listitem>
+
+ <listitem>
+ <para><parameter moreinfo="none">%f</parameter> will be substituted with the
+ switch <emphasis>-f</emphasis>. It means force the shutdown
+ even if applications do not respond for NT.</para>
+ </listitem>
+ </itemizedlist>
+
+ <para>Shutdown script example:
+<programlisting format="linespecific">
+#!/bin/bash
+
+$time=0
+let &quot;time/60&quot;
+let &quot;time++&quot;
+
+/sbin/shutdown $3 $4 +$time $1 &amp;
+</programlisting>
+ Shutdown does not return so we need to launch it in background.
+ </para>
+
+</description>
+<related>abort shutdown script</related>
+<value type="default"></value>
+<value type="example">/usr/local/samba/sbin/shutdown %m %t %r %f</value>
+
+</samba:parameter>
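Review bot: The example script in the `<programlisting>` cannot work as written: `$time=0` is not a bash assignment, `let &quot;time/60&quot;` discards its result, and the delay passed as the second argument is never read. Replacing the first two with `time=$2` and `let &quot;time /= 60&quot;` gives the intended minutes value, and the message should be passed as `&quot;$1&quot;` so that client-supplied text with spaces stays a single argument to /sbin/shutdown. The example value also passes `%m`, which is not among the four variables documented above; `%z` appears to be what is meant.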