1 files changed, 26 insertions, 0 deletions

diff --git a/docs/smbdotconf/security/allowtrusteddomains.xml b/docs/smbdotconf/security/allowtrusteddomains.xml
new file mode 100644
index 0000000000..38d3fc150e
--- /dev/null
+++ b/docs/smbdotconf/security/allowtrusteddomains.xml
@@ -0,0 +1,26 @@
+<samba:parameter name="allow trusted domains"
+                 context="G"
+				 type="boolean"
+                 advanced="1" developer="1"
+		 xmlns:samba="http://samba.org/common">
+<description>
+    <para>This option only takes effect when the <link linkend="SECURITY">
+    <parameter moreinfo="none">security</parameter></link> option is set to 
+    <constant>server</constant> or <constant>domain</constant>.  
+    If it is set to no, then attempts to connect to a resource from 
+    a domain or workgroup other than the one which smbd is running 
+    in will fail, even if that domain is trusted by the remote server 
+    doing the authentication.</para>
+		
+    <para>This is useful if you only want your Samba server to 
+    serve resources to users in the domain it is a member of. As 
+    an example, suppose that there are two domains DOMA and DOMB.  DOMB 
+    is trusted by DOMA, which contains the Samba server.  Under normal 
+    circumstances, a user with an account in DOMB can then access the 
+    resources of a UNIX account with the same account name on the 
+    Samba server even if they do not have an account in DOMA.  This 
+    can make implementing a security boundary difficult.</para>
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>