Diffstat (limited to 'docs-xml/smbdotconf/winbind')
-rw-r--r--docs-xml/smbdotconf/winbind/applygrouppolicies.xml19
-rw-r--r--docs-xml/smbdotconf/winbind/createkrb5conf.xml23
-rw-r--r--docs-xml/smbdotconf/winbind/idmapbackend.xml22
-rw-r--r--docs-xml/smbdotconf/winbind/idmapcachetime.xml13
-rw-r--r--docs-xml/smbdotconf/winbind/idmapconfig.xml122
-rw-r--r--docs-xml/smbdotconf/winbind/idmapgid.xml21
-rw-r--r--docs-xml/smbdotconf/winbind/idmapnegativecachetime.xml12
-rw-r--r--docs-xml/smbdotconf/winbind/idmapuid.xml21
-rw-r--r--docs-xml/smbdotconf/winbind/includesystemkrb5conf.xml15
-rw-r--r--docs-xml/smbdotconf/winbind/netutralizent4emulation.xml18
-rw-r--r--docs-xml/smbdotconf/winbind/rejectmd5servers.xml25
-rw-r--r--docs-xml/smbdotconf/winbind/requirestrongkey.xml26
-rw-r--r--docs-xml/smbdotconf/winbind/templatehomedir.xml17
-rw-r--r--docs-xml/smbdotconf/winbind/templateshell.xml13
-rw-r--r--docs-xml/smbdotconf/winbind/winbindcachetime.xml20
-rw-r--r--docs-xml/smbdotconf/winbind/winbinddsocketdirectory.xml15
-rw-r--r--docs-xml/smbdotconf/winbind/winbindenumgroups.xml19
-rw-r--r--docs-xml/smbdotconf/winbind/winbindenumusers.xml23
-rw-r--r--docs-xml/smbdotconf/winbind/winbindexpandgroups.xml35
-rw-r--r--docs-xml/smbdotconf/winbind/winbindignoredomains.xml14
-rw-r--r--docs-xml/smbdotconf/winbind/winbindmaxclients.xml19
-rw-r--r--docs-xml/smbdotconf/winbind/winbindmaxdomainconnections.xml24
-rw-r--r--docs-xml/smbdotconf/winbind/winbindnestedgroups.xml16
-rw-r--r--docs-xml/smbdotconf/winbind/winbindnormalizenames.xml30
-rw-r--r--docs-xml/smbdotconf/winbind/winbindnssinfo.xml38
-rw-r--r--docs-xml/smbdotconf/winbind/winbindofflinelogon.xml17
-rw-r--r--docs-xml/smbdotconf/winbind/winbindreconnectdelay.xml14
-rw-r--r--docs-xml/smbdotconf/winbind/winbindrefreshtickets.xml15
-rw-r--r--docs-xml/smbdotconf/winbind/winbindrequesttimeout.xml15
-rw-r--r--docs-xml/smbdotconf/winbind/winbindrpconly.xml15
-rw-r--r--docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml29
-rw-r--r--docs-xml/smbdotconf/winbind/winbindsealedpipes.xml15
-rw-r--r--docs-xml/smbdotconf/winbind/winbindseparator.xml20
-rw-r--r--docs-xml/smbdotconf/winbind/winbindusedefaultdomain.xml22
-rw-r--r--docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml34
35 files changed, 816 insertions, 0 deletions
diff --git a/docs-xml/smbdotconf/winbind/applygrouppolicies.xml b/docs-xml/smbdotconf/winbind/applygrouppolicies.xml
new file mode 100644
index 0000000..67baa0d
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/applygrouppolicies.xml
@@ -0,0 +1,19 @@
+<samba:parameter name="apply group policies"
+ context="G"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+ <para>This option controls whether winbind will execute the gpupdate
+ command defined in <smbconfoption name="gpo update command"/> on the
+ Group Policy update interval. The Group Policy update interval is
+ defined as every 90 minutes, plus a random offset between 0 and 30
+ minutes. This applies Group Policy Machine polices to the client or
+ KDC and machine policies to a server.
+ </para>
+
+</description>
+
+<value type="default">no</value>
+<value type="example">yes</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/createkrb5conf.xml b/docs-xml/smbdotconf/winbind/createkrb5conf.xml
new file mode 100644
index 0000000..4054034
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/createkrb5conf.xml
@@ -0,0 +1,23 @@
+<samba:parameter name="create krb5 conf"
+ context="G"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+ <para>
+ Setting this parameter to <value type="example">no</value> prevents
+ winbind from creating custom krb5.conf files. Winbind normally does
+ this because the krb5 libraries are not AD-site-aware and thus would
+ pick any domain controller out of potentially very many. Winbind
+ is site-aware and makes the krb5 libraries use a local DC by
+ creating its own krb5.conf files.
+ </para>
+ <para>
+ Preventing winbind from doing this might become necessary if you
+ have to add special options into your system-krb5.conf that winbind
+ does not see.
+ </para>
+
+</description>
+<value type="default">yes</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/idmapbackend.xml b/docs-xml/smbdotconf/winbind/idmapbackend.xml
new file mode 100644
index 0000000..864a975
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/idmapbackend.xml
@@ -0,0 +1,22 @@
+<samba:parameter name="idmap backend"
+ context="G"
+ type="string"
+ generated_function="0"
+ handler="handle_idmap_backend"
+ deprecated="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ The idmap backend provides a plugin interface for Winbind to use
+ varying backends to store SID/uid/gid mapping tables.
+ </para>
+
+ <para>
+ This option specifies the default backend that is used when no special
+ configuration set, but it is now deprecated in favour of the new
+ spelling <smbconfoption name="idmap config * : backend"/>.
+ </para>
+</description>
+
+<value type="default">tdb</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/idmapcachetime.xml b/docs-xml/smbdotconf/winbind/idmapcachetime.xml
new file mode 100644
index 0000000..87c6c56
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/idmapcachetime.xml
@@ -0,0 +1,13 @@
+<samba:parameter name="idmap cache time"
+ context="G"
+ type="integer"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This parameter specifies the number of seconds that Winbind's
+ idmap interface will cache positive SID/uid/gid query results. By
+ default, Samba will cache these results for one week.
+ </para>
+</description>
+
+<value type="default">604800</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/idmapconfig.xml b/docs-xml/smbdotconf/winbind/idmapconfig.xml
new file mode 100644
index 0000000..f70f11d
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/idmapconfig.xml
@@ -0,0 +1,122 @@
+<samba:parameter name="idmap config DOMAIN : OPTION"
+ context="G"
+ type="string"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+ <para>
+ ID mapping in Samba is the mapping between Windows SIDs and Unix user
+ and group IDs. This is performed by Winbindd with a configurable plugin
+ interface. Samba's ID mapping is configured by options starting with the
+ <smbconfoption name="idmap config"/> prefix.
+ An idmap option consists of the <smbconfoption name="idmap config"/>
+ prefix, followed by a domain name or the asterisk character (*),
+ a colon, and the name of an idmap setting for the chosen domain.
+ </para>
+
+ <para>
+ The idmap configuration is hence divided into groups, one group
+ for each domain to be configured, and one group with the
+ asterisk instead of a proper domain name, which specifies the
+ default configuration that is used to catch all domains that do
+ not have an explicit idmap configuration of their own.
+ </para>
+
+ <para>
+ There are three general options available:
+ </para>
+
+ <variablelist>
+ <varlistentry>
+ <term>backend = backend_name</term>
+ <listitem><para>
+ This specifies the name of the idmap plugin to use as the
+ SID/uid/gid backend for this domain. The standard backends are
+ tdb
+ (<citerefentry><refentrytitle>idmap_tdb</refentrytitle> <manvolnum>8</manvolnum> </citerefentry>),
+ tdb2
+ (<citerefentry><refentrytitle>idmap_tdb2</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
+ ldap
+ (<citerefentry><refentrytitle>idmap_ldap</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
+ rid
+ (<citerefentry><refentrytitle>idmap_rid</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
+ hash
+ (<citerefentry><refentrytitle>idmap_hash</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
+ autorid
+ (<citerefentry><refentrytitle>idmap_autorid</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
+ ad
+ (<citerefentry><refentrytitle>idmap_ad</refentrytitle> <manvolnum>8</manvolnum></citerefentry>)
+ and nss
+ (<citerefentry><refentrytitle>idmap_nss</refentrytitle> <manvolnum>8</manvolnum></citerefentry>).
+ The corresponding manual pages contain the details, but
+ here is a summary.
+ </para>
+ <para>
+ The first three of these create mappings of their own using
+ internal unixid counters and store the mappings in a database.
+ These are suitable for use in the default idmap configuration.
+ The rid and hash backends use a pure algorithmic calculation
+ to determine the unixid for a SID. The autorid module is a
+ mixture of the tdb and rid backend. It creates ranges for
+ each domain encountered and then uses the rid algorithm for each
+ of these automatically configured domains individually.
+ The ad backend uses unix ids stored in Active Directory via
+ the standard schema extensions. The nss backend reverses
+ the standard winbindd setup and gets the unix ids via names
+ from nsswitch which can be useful in an ldap setup.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>range = low - high</term>
+ <listitem><para>
+ Defines the available matching uid and gid range for which the
+ backend is authoritative. For allocating backends, this also
+ defines the start and the end of the range for allocating
+ new unique IDs.
+ </para>
+ <para>
+ winbind uses this parameter to find the backend that is
+ authoritative for a unix ID to SID mapping, so it must be set
+ for each individually configured domain and for the default
+ configuration. The configured ranges must be mutually disjoint.
+ </para>
+ <para>
+ Note that the low value interacts with the <smbconfoption name="min domain uid"/> option!
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>read only = yes|no</term>
+ <listitem><para>
+ This option can be used to turn the writing backends
+ tdb, tdb2, and ldap into read only mode. This can be useful
+ e.g. in cases where a pre-filled database exists that should
+ not be extended automatically.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+
+ <para>
+ The following example illustrates how to configure the <citerefentry>
+ <refentrytitle>idmap_ad</refentrytitle> <manvolnum>8</manvolnum>
+ </citerefentry> backend for the CORP domain and the
+ <citerefentry><refentrytitle>idmap_tdb</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> backend for all other
+ domains. This configuration assumes that the admin of CORP assigns
+ unix ids below 1000000 via the SFU extensions, and winbind is supposed
+ to use the next million entries for its own mappings from trusted
+ domains and for local groups for example.
+ </para>
+
+ <programlisting>
+ idmap config * : backend = tdb
+ idmap config * : range = 1000000-1999999
+
+ idmap config CORP : backend = ad
+ idmap config CORP : range = 1000-999999
+ </programlisting>
+
+</description>
+<related>min domain uid</related>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/idmapgid.xml b/docs-xml/smbdotconf/winbind/idmapgid.xml
new file mode 100644
index 0000000..1b576b2
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/idmapgid.xml
@@ -0,0 +1,21 @@
+<samba:parameter name="idmap gid"
+ context="G"
+ type="string"
+ generated_function="0"
+ handler="handle_idmap_gid"
+ deprecated="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<synonym>winbind gid</synonym>
+<description>
+ <para>
+ The idmap gid parameter specifies the range of group ids
+ for the default idmap configuration. It is now deprecated
+ in favour of <smbconfoption name="idmap config * : range"/>.
+ </para>
+
+ <para>See the <smbconfoption name="idmap config"/> option.</para>
+</description>
+
+<value type="default"></value>
+<value type="example">10000-20000</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/idmapnegativecachetime.xml b/docs-xml/smbdotconf/winbind/idmapnegativecachetime.xml
new file mode 100644
index 0000000..32c4e1f
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/idmapnegativecachetime.xml
@@ -0,0 +1,12 @@
+<samba:parameter name="idmap negative cache time"
+ context="G"
+ type="integer"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This parameter specifies the number of seconds that Winbind's
+ idmap interface will cache negative SID/uid/gid query results.
+ </para>
+</description>
+
+<value type="default">120</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/idmapuid.xml b/docs-xml/smbdotconf/winbind/idmapuid.xml
new file mode 100644
index 0000000..f666f61
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/idmapuid.xml
@@ -0,0 +1,21 @@
+<samba:parameter name="idmap uid"
+ type="string"
+ context="G"
+ generated_function="0"
+ handler="handle_idmap_uid"
+ deprecated="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<synonym>winbind uid</synonym>
+<description>
+ <para>
+ The idmap uid parameter specifies the range of user ids for
+ the default idmap configuration. It is now deprecated in favour
+ of <smbconfoption name="idmap config * : range"/>.
+ </para>
+
+ <para>See the <smbconfoption name="idmap config"/> option.</para>
+</description>
+
+<value type="default"></value>
+<value type="example">10000-20000</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/includesystemkrb5conf.xml b/docs-xml/smbdotconf/winbind/includesystemkrb5conf.xml
new file mode 100644
index 0000000..3e53292
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/includesystemkrb5conf.xml
@@ -0,0 +1,15 @@
+<samba:parameter name="include system krb5 conf"
+ context="G"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ Setting this parameter to <value type="example">no</value> will prevent
+ winbind to include the system /etc/krb5.conf file into the krb5.conf file
+ it creates. See also <smbconfoption name="create krb5 conf"/>. This option
+ only applies to Samba built with MIT Kerberos.
+ </para>
+
+</description>
+<value type="default">yes</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/netutralizent4emulation.xml b/docs-xml/smbdotconf/winbind/netutralizent4emulation.xml
new file mode 100644
index 0000000..247822e
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/netutralizent4emulation.xml
@@ -0,0 +1,18 @@
+<samba:parameter name="neutralize nt4 emulation"
+ context="G"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This option controls whether winbindd sends
+ the NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION flag in order to bypass
+ the NT4 emulation of a domain controller.</para>
+
+ <para>Typically you should not need set this.
+ It can be useful for upgrades from NT4 to AD domains.</para>
+
+ <para>The behavior can be controlled per netbios domain
+ by using 'neutralize nt4 emulation:NETBIOSDOMAIN = yes' as option.</para>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
new file mode 100644
index 0000000..3bc4eaf
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
@@ -0,0 +1,25 @@
+<samba:parameter name="reject md5 servers"
+ context="G"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This option controls whether winbindd requires support
+ for aes support for the netlogon secure channel.</para>
+
+ <para>The following flags will be required NETLOGON_NEG_ARCFOUR,
+ NETLOGON_NEG_SUPPORTS_AES, NETLOGON_NEG_PASSWORD_SET2 and NETLOGON_NEG_AUTHENTICATED_RPC.</para>
+
+ <para>You can set this to yes if all domain controllers support aes.
+ This will prevent downgrade attacks.</para>
+
+ <para>The behavior can be controlled per netbios domain
+ by using 'reject md5 servers:NETBIOSDOMAIN = no' as option.</para>
+
+ <para>The default changed from 'no' to 'yes, with the patches for CVE-2022-38023,
+ see https://bugzilla.samba.org/show_bug.cgi?id=15240</para>
+
+ <para>This option overrides the <smbconfoption name="require strong key"/> option.</para>
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/requirestrongkey.xml b/docs-xml/smbdotconf/winbind/requirestrongkey.xml
new file mode 100644
index 0000000..9c1c1d7
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/requirestrongkey.xml
@@ -0,0 +1,26 @@
+<samba:parameter name="require strong key"
+ context="G"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This option controls whether winbindd requires support
+ for md5 strong key support for the netlogon secure channel.</para>
+
+ <para>The following flags will be required NETLOGON_NEG_STRONG_KEYS,
+ NETLOGON_NEG_ARCFOUR and NETLOGON_NEG_AUTHENTICATED_RPC.</para>
+
+ <para>You can set this to no if some domain controllers only support des.
+ This might allows weak crypto to be negotiated, may via downgrade attacks.</para>
+
+ <para>The behavior can be controlled per netbios domain
+ by using 'require strong key:NETBIOSDOMAIN = no' as option.</para>
+
+ <para>Note for active directory domain this option is hardcoded to 'yes'</para>
+
+ <para>This option is over-ridden by the <smbconfoption name="reject md5 servers"/> option.</para>
+
+ <para>This option overrides the <smbconfoption name="client schannel"/> option.</para>
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/templatehomedir.xml b/docs-xml/smbdotconf/winbind/templatehomedir.xml
new file mode 100644
index 0000000..2801edf
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/templatehomedir.xml
@@ -0,0 +1,17 @@
+<samba:parameter name="template homedir"
+ context="G"
+ type="string"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>When filling out the user information for a Windows NT
+ user, the <citerefentry><refentrytitle>winbindd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> daemon uses this
+ parameter to fill in the home directory for that user. If the
+ string <parameter moreinfo="none">%D</parameter> is present it
+ is substituted with the user's Windows NT domain name. If the
+ string <parameter moreinfo="none">%U</parameter> is present it
+ is substituted with the user's Windows NT user name.</para>
+</description>
+
+<value type="default">/home/%D/%U</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/templateshell.xml b/docs-xml/smbdotconf/winbind/templateshell.xml
new file mode 100644
index 0000000..891c424
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/templateshell.xml
@@ -0,0 +1,13 @@
+<samba:parameter name="template shell"
+ context="G"
+ type="string"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>When filling out the user information for a Windows NT
+ user, the <citerefentry><refentrytitle>winbindd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> daemon uses this
+ parameter to fill in the login shell for that user.</para>
+</description>
+
+<value type="default">/bin/false</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/winbindcachetime.xml b/docs-xml/smbdotconf/winbind/winbindcachetime.xml
new file mode 100644
index 0000000..2f69de3
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindcachetime.xml
@@ -0,0 +1,20 @@
+<samba:parameter name="winbind cache time"
+ context="G"
+ type="integer"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This parameter specifies the number of
+ seconds the <citerefentry><refentrytitle>winbindd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> daemon will cache
+ user and group information before querying a Windows NT server
+ again.</para>
+
+ <para>
+ This does not apply to authentication requests, these are always
+ evaluated in real time unless the <smbconfoption name="winbind
+ offline logon"/> option has been enabled.
+ </para>
+</description>
+
+<value type="default">300</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/winbinddsocketdirectory.xml b/docs-xml/smbdotconf/winbind/winbinddsocketdirectory.xml
new file mode 100644
index 0000000..7827d36
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbinddsocketdirectory.xml
@@ -0,0 +1,15 @@
+<samba:parameter name="winbindd socket directory"
+ context="G"
+ type="string"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This setting controls the location of the winbind daemon's socket.</para>
+ <para>Except within automated test scripts, this should not be
+ altered, as the client tools (nss_winbind etc) do not honour
+ this parameter. Client tools must then be advised of the
+ altered path with the WINBINDD_SOCKET_DIR environment
+ variable.</para>
+</description>
+
+<value type="default">&pathconfig.WINBINDD_SOCKET_DIR;</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/winbindenumgroups.xml b/docs-xml/smbdotconf/winbind/winbindenumgroups.xml
new file mode 100644
index 0000000..c3339e1
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindenumgroups.xml
@@ -0,0 +1,19 @@
+<samba:parameter name="winbind enum groups"
+ context="G"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>On large installations using <citerefentry><refentrytitle>winbindd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> it may be necessary to suppress
+ the enumeration of groups through the <command moreinfo="none">setgrent()</command>,
+ <command moreinfo="none">getgrent()</command> and
+ <command moreinfo="none">endgrent()</command> group of system calls. If
+ the <parameter moreinfo="none">winbind enum groups</parameter> parameter is
+ <constant>no</constant>, calls to the <command moreinfo="none">getgrent()</command> system
+ call will not return any data. </para>
+
+<warning><para>Turning off group enumeration may cause some programs to behave oddly. </para></warning>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/winbindenumusers.xml b/docs-xml/smbdotconf/winbind/winbindenumusers.xml
new file mode 100644
index 0000000..5ce53d6
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindenumusers.xml
@@ -0,0 +1,23 @@
+<samba:parameter name="winbind enum users"
+ context="G"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>On large installations using <citerefentry><refentrytitle>winbindd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> it may be
+ necessary to suppress the enumeration of users through the <command moreinfo="none">setpwent()</command>,
+ <command moreinfo="none">getpwent()</command> and
+ <command moreinfo="none">endpwent()</command> group of system calls. If
+ the <parameter moreinfo="none">winbind enum users</parameter> parameter is
+ <constant>no</constant>, calls to the <command moreinfo="none">getpwent</command> system call
+ will not return any data. </para>
+
+<warning><para>Turning off user
+ enumeration may cause some programs to behave oddly. For
+ example, the finger program relies on having access to the
+ full user list when searching for matching
+ usernames. </para></warning>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/winbindexpandgroups.xml b/docs-xml/smbdotconf/winbind/winbindexpandgroups.xml
new file mode 100644
index 0000000..5a05ecf
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindexpandgroups.xml
@@ -0,0 +1,35 @@
+<samba:parameter name="winbind expand groups"
+ context="G"
+ type="integer"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This option controls the maximum depth that winbindd
+ will traverse when flattening nested group memberships
+ of Windows domain groups. This is different from the
+ <smbconfoption name="winbind nested groups"/> option
+ which implements the Windows NT4 model of local group
+ nesting. The &quot;winbind expand groups&quot;
+ parameter specifically applies to the membership of
+ domain groups.</para>
+
+ <para>This option also affects the return of non nested
+ group memberships of Windows domain users. With the
+ new default "winbind expand groups = 0" winbind does
+ not query group memberships at all.</para>
+
+ <para>Be aware that a high value for this parameter can
+ result in system slowdown as the main parent winbindd daemon
+ must perform the group unrolling and will be unable to answer
+ incoming NSS or authentication requests during this time.</para>
+
+ <para>The default value was changed from 1 to 0 with Samba 4.2.
+ Some broken applications (including some implementations of
+ newgrp and sg) calculate the group memberships of
+ users by traversing groups, such applications will require
+ "winbind expand groups = 1". But the new default makes winbindd
+ more reliable as it doesn't require SAMR access to domain
+ controllers of trusted domains.</para>
+</description>
+
+<value type="default">0</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/winbindignoredomains.xml b/docs-xml/smbdotconf/winbind/winbindignoredomains.xml
new file mode 100644
index 0000000..af99222
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindignoredomains.xml
@@ -0,0 +1,14 @@
+<samba:parameter name="winbind:ignore domains"
+ context="G"
+ type="cmdlist"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>Allows one to enter a list of trusted domains winbind should
+ ignore (untrust). This can avoid the overhead of resources from
+ attempting to login to DCs that should not be communicated with.
+ </para>
+
+</description>
+<value type="default"></value>
+<value type="example">DOMAIN1, DOMAIN2</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/winbindmaxclients.xml b/docs-xml/smbdotconf/winbind/winbindmaxclients.xml
new file mode 100644
index 0000000..847a588
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindmaxclients.xml
@@ -0,0 +1,19 @@
+<samba:parameter name="winbind max clients"
+ context="G"
+ type="integer"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This parameter specifies the maximum number of clients
+ the <citerefentry><refentrytitle>winbindd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> daemon can connect with.
+ The parameter is not a hard limit.
+ The <citerefentry><refentrytitle>winbindd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> daemon configures
+ itself to be able to accept at least that many connections,
+ and if the limit is reached, an attempt is made to disconnect
+ idle clients.
+ </para>
+</description>
+
+<value type="default">200</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/winbindmaxdomainconnections.xml b/docs-xml/smbdotconf/winbind/winbindmaxdomainconnections.xml
new file mode 100644
index 0000000..be39143
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindmaxdomainconnections.xml
@@ -0,0 +1,24 @@
+<samba:parameter name="winbind max domain connections"
+ context="G"
+ type="integer"
+ function="_winbind_max_domain_connections"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This parameter specifies the maximum number of simultaneous
+ connections that the <citerefentry><refentrytitle>winbindd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> daemon should open to the
+ domain controller of one domain.
+ Setting this parameter to a value greater than 1 can improve
+ scalability with many simultaneous winbind requests,
+ some of which might be slow.
+ </para>
+ <para>
+ Note that if <smbconfoption name="winbind offline logon"/> is set to
+ <constant>Yes</constant>, then only one
+ DC connection is allowed per domain, regardless of this setting.
+ </para>
+</description>
+
+<value type="default">1</value>
+<value type="example">10</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/winbindnestedgroups.xml b/docs-xml/smbdotconf/winbind/winbindnestedgroups.xml
new file mode 100644
index 0000000..a4a03eb
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindnestedgroups.xml
@@ -0,0 +1,16 @@
+<samba:parameter name="winbind nested groups"
+ context="G"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>If set to yes, this parameter activates the support for nested
+ groups. Nested groups are also called local groups or
+ aliases. They work like their counterparts in Windows: Nested
+ groups are defined locally on any machine (they are shared
+ between DC's through their SAM) and can contain users and
+ global groups from any trusted SAM. To be able to use nested
+ groups, you need to run nss_winbind.</para>
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/winbindnormalizenames.xml b/docs-xml/smbdotconf/winbind/winbindnormalizenames.xml
new file mode 100644
index 0000000..362f488
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindnormalizenames.xml
@@ -0,0 +1,30 @@
+<samba:parameter name="winbind normalize names"
+ context="G"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This parameter controls whether winbindd will replace
+ whitespace in user and group names with an underscore (_) character.
+ For example, whether the name &quot;Space Kadet&quot; should be
+ replaced with the string &quot;space_kadet&quot;.
+ Frequently Unix shell scripts will have difficulty with usernames
+ contains whitespace due to the default field separator in the shell.
+ If your domain possesses names containing the underscore character,
+ this option may cause problems unless the name aliasing feature
+ is supported by your nss_info plugin.
+ </para>
+
+ <para>This feature also enables the name aliasing API which can
+ be used to make domain user and group names to a non-qualified
+ version. Please refer to the manpage for the configured
+ idmap and nss_info plugin for the specifics on how to configure
+ name aliasing for a specific configuration. Name aliasing takes
+ precedence (and is mutually exclusive) over the whitespace
+ replacement mechanism discussed previously.
+ </para>
+
+</description>
+
+<value type="default">no</value>
+<value type="example">yes</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/winbindnssinfo.xml b/docs-xml/smbdotconf/winbind/winbindnssinfo.xml
new file mode 100644
index 0000000..e6d17c2
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindnssinfo.xml
@@ -0,0 +1,38 @@
+<samba:parameter name="winbind nss info"
+ context="G"
+ type="cmdlist"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+ <para>This parameter is designed to control how Winbind retrieves Name
+ Service Information to construct a user's home directory and login shell.
+ Currently the following settings are available:
+
+ <itemizedlist>
+ <listitem>
+ <para><parameter moreinfo="none">template</parameter>
+ - The default, using the parameters of <parameter moreinfo="none">template
+ shell</parameter> and <parameter moreinfo="none">template homedir</parameter>)
+ </para>
+ </listitem>
+
+ <listitem>
+ <para><parameter moreinfo="none">&lt;sfu | sfu20 | rfc2307 &gt;</parameter>
+ - When Samba is running in security = ads and your Active Directory
+ Domain Controller does support the Microsoft "Services for Unix" (SFU)
+ LDAP schema, winbind can retrieve the login shell and the home
+ directory attributes directly from your Directory Server. For SFU 3.0 or 3.5 simply choose
+ "sfu", if you use SFU 2.0 please choose "sfu20".</para>
+ <para>Note that for the idmap backend <refentrytitle>idmap_ad</refentrytitle>
+ you need to configure those settings in the idmap configuration section.
+ Make sure to consult the documentation of the idmap backend that you are using.
+ </para>
+ </listitem>
+ </itemizedlist>
+
+</para>
+</description>
+
+<value type="default">template</value>
+<value type="example">sfu</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/winbindofflinelogon.xml b/docs-xml/smbdotconf/winbind/winbindofflinelogon.xml
new file mode 100644
index 0000000..9cf1249
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindofflinelogon.xml
@@ -0,0 +1,17 @@
+<samba:parameter name="winbind offline logon"
+ context="G"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+ <para>This parameter is designed to control whether Winbind should
+ allow one to login with the <parameter moreinfo="none">pam_winbind</parameter>
+ module using Cached Credentials. If enabled, winbindd will store user credentials
+ from successful logins encrypted in a local cache.
+ </para>
+
+</description>
+
+<value type="default">no</value>
+<value type="example">yes</value>
+</samba:parameter>
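Review bot: The description says the credentials are stored "encrypted in a local cache" but gives no operational caveat, and an administrator enabling this on a laptop needs one: the member's own disk becomes a credential store. I would add after the second sentence `The cache lives on the local disk and should be protected like any other credential store; while the member cannot reach a domain controller, winbindd accepts these cached credentials without consulting the domain.` The second clause presumes that a password change or account disablement made at the DC is not enforced until connectivity returns, which this text does not describe — confirm against the pam_winbind/winbindd behaviour before documenting it.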
diff --git a/docs-xml/smbdotconf/winbind/winbindreconnectdelay.xml b/docs-xml/smbdotconf/winbind/winbindreconnectdelay.xml
new file mode 100644
index 0000000..f26fd5e
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindreconnectdelay.xml
@@ -0,0 +1,14 @@
+<samba:parameter name="winbind reconnect delay"
+ context="G"
+ type="integer"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This parameter specifies the number of
+ seconds the <citerefentry><refentrytitle>winbindd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> daemon will wait between
+ attempts to contact a Domain controller for a domain that is
+ determined to be down or not contactable.</para>
+</description>
+
+<value type="default">30</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/winbindrefreshtickets.xml b/docs-xml/smbdotconf/winbind/winbindrefreshtickets.xml
new file mode 100644
index 0000000..f6bb738
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindrefreshtickets.xml
@@ -0,0 +1,15 @@
+<samba:parameter name="winbind refresh tickets"
+ context="G"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+ <para>This parameter is designed to control whether Winbind should refresh Kerberos Tickets
+ retrieved using the <parameter moreinfo="none">pam_winbind</parameter> module.
+
+</para>
+</description>
+
+<value type="default">no</value>
+<value type="example">yes</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/winbindrequesttimeout.xml b/docs-xml/smbdotconf/winbind/winbindrequesttimeout.xml
new file mode 100644
index 0000000..8c7ec56
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindrequesttimeout.xml
@@ -0,0 +1,15 @@
+<samba:parameter name="winbind request timeout"
+ context="G"
+ type="integer"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This parameter specifies the number of
+ seconds the <citerefentry><refentrytitle>winbindd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> daemon will wait before
+ disconnecting either a client connection with no outstanding
+ requests (idle) or a client connection with a request that has
+ remained outstanding (hung) for longer than this number of seconds.</para>
+</description>
+
+<value type="default">60</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/winbindrpconly.xml b/docs-xml/smbdotconf/winbind/winbindrpconly.xml
new file mode 100644
index 0000000..50795ac
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindrpconly.xml
@@ -0,0 +1,15 @@
+<samba:parameter name="winbind rpc only"
+ context="G"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+ <para>
+ Setting this parameter to <value type="example">yes</value> forces
+ winbindd to use RPC instead of LDAP to retrieve information from Domain
+ Controllers.
+ </para>
+
+</description>
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml b/docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml
new file mode 100644
index 0000000..12e94cb
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml
@@ -0,0 +1,29 @@
+<samba:parameter name="winbind scan trusted domains"
+ context="G"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This option only takes effect when the <smbconfoption name="security"/> option is set to
+ <constant>domain</constant> or <constant>ads</constant>.
+ If it is set to yes, winbindd periodically tries to scan for new
+ trusted domains and adds them to a global list inside of winbindd.
+ The list can be extracted with <command>wbinfo --trusted-domains --verbose</command>.
+ Setting it to yes matches the behaviour of Samba 4.7 and older.</para>
+
+ <para>The construction of that global list is not reliable and often
+ incomplete in complex trust setups. In most situations the list is
+ not needed any more for winbindd to operate correctly.
+ E.g. for plain file serving via SMB using a simple idmap setup
+ with <constant>autorid</constant>, <constant>tdb</constant> or <constant>ad</constant>.
+ However some more complex setups require the list, e.g.
+ if you specify idmap backends for specific domains.
+ Some pam_winbind setups may also require the global list.</para>
+
+ <para>If you have a setup that doesn't require the global list, you should set
+ <smbconfoption name="winbind scan trusted domains">no</smbconfoption>.
+ </para>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml b/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
new file mode 100644
index 0000000..016ac9b
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
@@ -0,0 +1,15 @@
+<samba:parameter name="winbind sealed pipes"
+ context="G"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This option controls whether any requests from winbindd to domain controllers
+ pipe will be sealed. Disabling sealing can be useful for debugging
+ purposes.</para>
+
+ <para>The behavior can be controlled per netbios domain
+ by using 'winbind sealed pipes:NETBIOSDOMAIN = no' as option.</para>
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>
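Review bot: Disabling sealing is presented only as a debugging convenience and the security consequence is left unsaid: in DCE/RPC terms sealing is the privacy level, so with it switched off the request and reply payloads between winbindd and the domain controller travel unencrypted. I would add after `Disabling sealing can be useful for debugging purposes.` the sentence `Unsealed traffic is readable by anyone on the network path to the domain controller, so disable sealing only temporarily and re-enable it afterwards.` Whether the per-domain `winbind sealed pipes:NETBIOSDOMAIN = no` override also drops integrity protection or only encryption is not stated here; worth confirming and spelling out, since that decides whether the traffic can be tampered with as well as read.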
diff --git a/docs-xml/smbdotconf/winbind/winbindseparator.xml b/docs-xml/smbdotconf/winbind/winbindseparator.xml
new file mode 100644
index 0000000..eda14f4
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindseparator.xml
@@ -0,0 +1,20 @@
+<samba:parameter name="winbind separator"
+ context="G"
+ type="string"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This parameter allows an admin to define the character
+ used when listing a username of the form of <replaceable>DOMAIN
+ </replaceable>\<replaceable>user</replaceable>. This parameter
+ is only applicable when using the <filename moreinfo="none">pam_winbind.so</filename>
+ and <filename moreinfo="none">nss_winbind.so</filename> modules for UNIX services.
+ </para>
+
+ <para>Please note that setting this parameter to + causes problems
+ with group membership at least on glibc systems, as the character +
+ is used as a special character for NIS in /etc/group.</para>
+</description>
+
+<value type="default">\</value>
+<value type="example">+</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/winbindusedefaultdomain.xml b/docs-xml/smbdotconf/winbind/winbindusedefaultdomain.xml
new file mode 100644
index 0000000..186398e
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindusedefaultdomain.xml
@@ -0,0 +1,22 @@
+<samba:parameter name="winbind use default domain"
+ context="G"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This parameter specifies whether the
+ <citerefentry><refentrytitle>winbindd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> daemon should operate on users
+ without domain component in their username. Users without a domain
+ component are treated as is part of the winbindd server's own
+ domain. While this does not benefit Windows users, it makes SSH, FTP and
+ e-mail function in a way much closer to the way they
+ would in a native unix system.</para>
+ <para>This option should be avoided if possible. It can cause confusion
+ about responsibilities for a user or group. In many situations it is
+ not clear whether winbind or /etc/passwd should be seen as authoritative
+ for a user, likewise for groups.</para>
+</description>
+
+<value type="default">no</value>
+<value type="example">yes</value>
+</samba:parameter>
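Review bot: "Users without a domain component are treated as is part of the winbindd server's own domain" is ungrammatical; `Users without a domain component are treated as members of the winbindd server's own domain.` reads cleanly. The second paragraph already warns that it becomes unclear whether winbind or /etc/passwd is authoritative; to make the risk concrete I would add `A domain account and a local account with the same name can then both match an unqualified username, so such name collisions must be managed explicitly.` That is a consequence drawn from the first paragraph rather than a behaviour this text describes, so verify it against the actual lookup order before documenting it.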
diff --git a/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml b/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml
new file mode 100644
index 0000000..d30b7f3
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml
@@ -0,0 +1,34 @@
+<samba:parameter name="winbind use krb5 enterprise principals"
+ context="G"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>winbindd is able to get kerberos tickets for
+ pam_winbind with krb5_auth or wbinfo -K/--krb5auth=.
+ </para>
+
+ <para>winbindd (at least on a domain member) is never be able
+ to have a complete picture of the trust topology (which is managed by the DCs).
+ There might be uPNSuffixes and msDS-SPNSuffixes values,
+ which don't belong to any AD domain at all.
+ </para>
+
+ <para>With <smbconfoption name="winbind scan trusted domains">no</smbconfoption>
+ winbindd doesn't even get a complete picture of the topology.
+ </para>
+
+ <para>It is not really required to know about the trust topology.
+ We can just rely on the [K]DCs of our primary domain (e.g. PRIMARY.A.EXAMPLE.COM)
+ and use enterprise principals e.g. upnfromB@B.EXAMPLE.COM@PRIMARY.A.EXAMPLE.COM
+ and follow the WRONG_REALM referrals in order to find the correct DC.
+ The final principal might be userfromB@INTERNALB.EXAMPLE.PRIVATE.
+ </para>
+
+ <para>With <smbconfoption name="winbind use krb5 enterprise principals">yes</smbconfoption>
+ winbindd enterprise principals will be used.
+ </para>
+</description>
+
+<value type="default">yes</value>
+<value type="example">no</value>
+</samba:parameter>
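Review bot: The second paragraph's "is never be able to have" and the closing sentence "winbindd enterprise principals will be used" read awkwardly for a man page; I would write `winbindd (at least on a domain member) is never able to have a complete picture of the trust topology` and `With winbind use krb5 enterprise principals = yes, winbindd uses enterprise principals for these Kerberos logons.` The description also never says what setting the option to `no` selects, even though `no` is the documented example value; presumably winbindd then falls back to a plain user@REALM principal and has to know the realm itself, which should be stated if that is the case. The fourth paragraph's "we can just rely on the [K]DCs of our primary domain" is written in the first person, which is unusual in the rest of this parameter set; rephrasing it as `winbindd can rely on the [K]DCs of its primary domain` would match the surrounding style.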