1 files changed, 28 insertions, 0 deletions

diff --git a/docs/docbook/smbdotconf/security/updateencrypted.xml b/docs/docbook/smbdotconf/security/updateencrypted.xml
new file mode 100644
index 0000000000..45c66e0de2
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/updateencrypted.xml
@@ -0,0 +1,28 @@
+<samba:parameter xmlns:samba="http://samba.org/common">
+		<term><anchor id="UPDATEENCRYPTED"/>update encrypted (G)</term>
+		<listitem><para>This boolean parameter allows a user logging 
+		on with a plaintext password to have their encrypted (hashed) 
+		password in the smbpasswd file to be updated automatically as 
+		they log on. This option allows a site to migrate from plaintext 
+		password authentication (users authenticate with plaintext 
+		password over the wire, and are checked against a UNIX account 
+		database) to encrypted password authentication (the SMB 
+		challenge/response authentication mechanism) without forcing
+		all users to re-enter their passwords via smbpasswd at the time the
+		change is made. This is a convenience option to allow the change over
+		to encrypted passwords to be made over a longer period. Once all users
+		have encrypted representations of their passwords in the smbpasswd
+		file this parameter should be set to <constant>no</constant>.</para>
+
+		<para>In order for this parameter to work correctly the <link linkend="ENCRYPTPASSWORDS"><parameter moreinfo="none">encrypt passwords</parameter>
+		</link> parameter must be set to <constant>no</constant> when
+		this parameter is set to <constant>yes</constant>.</para>
+
+		<para>Note that even when this parameter is set a user 
+		authenticating to <command moreinfo="none">smbd</command> must still enter a valid 
+		password in order to connect correctly, and to update their hashed 
+		(smbpasswd) passwords.</para>
+
+  		<para>Default: <command moreinfo="none">update encrypted = no</command></para>
+		</listitem>
+		</samba:parameter>