<samba:parameter name="invalid users"
                 context="S"
				 type="list"
                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
    <para>This is a list of users that should not be allowed 
    to login to this service. This is really a <emphasis>paranoid</emphasis> 
    check to absolutely ensure an improper setting does not breach 
    your security.</para>
		
    <para>A name starting with a '@' is interpreted as an NIS 
    netgroup first (if your system supports NIS), and then as a UNIX 
    group if the name was not found in the NIS netgroup database.</para>

    <para>A name starting with '+' is interpreted only 
    by looking in the UNIX group database via the NSS getgrnam() interface. A name starting with 
    '&amp;' is interpreted only by looking in the NIS netgroup database 
    (this requires NIS to be working on your system). The characters 
    '+' and '&amp;' may be used at the start of the name in either order 
    so the value <parameter moreinfo="none">+&amp;group</parameter> means check the 
    UNIX group database, followed by the NIS netgroup database, and 
    the value <parameter moreinfo="none">&amp;+group</parameter> means check the NIS
    netgroup database, followed by the UNIX group database (the 
    same as the '@' prefix).</para>

    <para>The current servicename is substituted for <parameter moreinfo="none">%S</parameter>. 
		This is useful in the [homes] section.</para>
</description>

<related>valid users</related>

<value type="default"><comment>no invalid users</comment></value>
<value type="example">root fred admin @wheel</value>
</samba:parameter>