1 files changed, 34 insertions, 0 deletions

diff --git a/docs/smbdotconf/security/updateencrypted.xml b/docs/smbdotconf/security/updateencrypted.xml
new file mode 100644
index 0000000000..551f4338f6
--- /dev/null
+++ b/docs/smbdotconf/security/updateencrypted.xml
@@ -0,0 +1,34 @@
+<samba:parameter name="update encrypted"
+                 context="G"
+				 type="boolean"
+                 basic="1" advanced="1" developer="1"
+		 xmlns:samba="http://samba.org/common">
+<description>
+
+    <para>This boolean parameter allows a user logging on with
+    a plaintext password to have their encrypted (hashed) password in
+    the smbpasswd file to be updated automatically as they log
+    on. This option allows a site to migrate from plaintext  	
+    password authentication (users authenticate with plaintext  	
+    password over the wire, and are checked against a UNIX account  	
+    database) to encrypted password authentication (the SMB  	
+    challenge/response authentication mechanism) without forcing all
+    users to re-enter their passwords via smbpasswd at the time the 	
+    change is made. This is a convenience option to allow the change
+    over to encrypted passwords to be made over a longer period.
+    Once all users have encrypted representations of their passwords
+    in the smbpasswd file this parameter should be set to
+    <constant>no</constant>.</para>
+
+    <para>In order for this parameter to work correctly the <link linkend="ENCRYPTPASSWORDS">
+    <parameter moreinfo="none">encrypt passwords</parameter></link> parameter must 
+    be set to <constant>no</constant> when this parameter is set to <constant>yes</constant>.</para>
+
+    <para>Note that even when this parameter is set a user 
+    authenticating to <command moreinfo="none">smbd</command> must still enter a valid 
+    password in order to connect correctly, and to update their hashed 
+	(smbpasswd) passwords.</para>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>