1 files changed, 22 insertions, 0 deletions

diff --git a/docs/docbook/smbdotconf/security/allowtrusteddomains.xml b/docs/docbook/smbdotconf/security/allowtrusteddomains.xml
new file mode 100644
index 0000000000..35dcd76cbd
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/allowtrusteddomains.xml
@@ -0,0 +1,22 @@
+<samba:parameter xmlns:samba="http://samba.org/common">
+		<term><anchor id="ALLOWTRUSTEDDOMAINS"/>allow trusted domains (G)</term>
+		<listitem><para>This option only takes effect when the <link linkend="SECURITY"><parameter moreinfo="none">security</parameter></link> option is set to 
+		<constant>server</constant> or <constant>domain</constant>.  
+		If it is set to no, then attempts to connect to a resource from 
+		a domain or workgroup other than the one which <ulink url="smbd.8.html">smbd</ulink> is running 
+		in will fail, even if that domain is trusted by the remote server 
+		doing the authentication.</para>
+		
+		<para>This is useful if you only want your Samba server to 
+		serve resources to users in the domain it is a member of. As 
+		an example, suppose that there are two domains DOMA and DOMB.  DOMB 
+		is trusted by DOMA, which contains the Samba server.  Under normal 
+		circumstances, a user with an account in DOMB can then access the 
+		resources of a UNIX account with the same account name on the 
+		Samba server even if they do not have an account in DOMA.  This 
+		can make implementing a security boundary difficult.</para>
+
+		<para>Default: <command moreinfo="none">allow trusted domains = yes</command></para>
+
+		</listitem>
+		</samba:parameter>