Diffstat (limited to '')
-rw-r--r--docs-xml/smbdotconf/security/accessbasedshareenum.xml19
-rw-r--r--docs-xml/smbdotconf/security/aclclaimsevaluation.xml42
-rw-r--r--docs-xml/smbdotconf/security/aclflaginheritedcanonicalization.xml30
-rw-r--r--docs-xml/smbdotconf/security/aclgroupcontrol.xml45
-rw-r--r--docs-xml/smbdotconf/security/adminusers.xml18
-rw-r--r--docs-xml/smbdotconf/security/algorithmicridbase.xml26
-rw-r--r--docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml27
-rw-r--r--docs-xml/smbdotconf/security/allowtrusteddomains.xml25
-rw-r--r--docs-xml/smbdotconf/security/binddnsdir.xml17
-rw-r--r--docs-xml/smbdotconf/security/checkpasswordscript.xml43
-rw-r--r--docs-xml/smbdotconf/security/clientipcsigning.xml26
-rw-r--r--docs-xml/smbdotconf/security/clientlanmanauth.xml36
-rw-r--r--docs-xml/smbdotconf/security/clientntlmv2auth.xml46
-rw-r--r--docs-xml/smbdotconf/security/clientplaintextauth.xml20
-rw-r--r--docs-xml/smbdotconf/security/clientprotection.xml51
-rw-r--r--docs-xml/smbdotconf/security/clientschannel.xml30
-rw-r--r--docs-xml/smbdotconf/security/clientsigning.xml24
-rw-r--r--docs-xml/smbdotconf/security/clientsmbencrypt.xml126
-rw-r--r--docs-xml/smbdotconf/security/clientsmbencryptionalgos.xml21
-rw-r--r--docs-xml/smbdotconf/security/clientsmbsigningalgos.xml22
-rw-r--r--docs-xml/smbdotconf/security/clientusekerberos.xml49
-rw-r--r--docs-xml/smbdotconf/security/clientusepsnegoprincipal.xml35
-rw-r--r--docs-xml/smbdotconf/security/createmask.xml37
-rw-r--r--docs-xml/smbdotconf/security/debugencryption.xml22
-rw-r--r--docs-xml/smbdotconf/security/dedicatedkeytabfile.xml16
-rw-r--r--docs-xml/smbdotconf/security/directorymask.xml33
-rw-r--r--docs-xml/smbdotconf/security/directorysecuritymask.xml12
-rw-r--r--docs-xml/smbdotconf/security/encryptpasswords.xml47
-rw-r--r--docs-xml/smbdotconf/security/forcecreatemode.xml25
-rw-r--r--docs-xml/smbdotconf/security/forcedirectorymode.xml25
-rw-r--r--docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml11
-rw-r--r--docs-xml/smbdotconf/security/forcegroup.xml40
-rw-r--r--docs-xml/smbdotconf/security/forcesecuritymode.xml11
-rw-r--r--docs-xml/smbdotconf/security/forceunknownacluser.xml27
-rw-r--r--docs-xml/smbdotconf/security/forceuser.xml28
-rw-r--r--docs-xml/smbdotconf/security/guestaccount.xml27
-rw-r--r--docs-xml/smbdotconf/security/guestok.xml19
-rw-r--r--docs-xml/smbdotconf/security/guestonly.xml15
-rw-r--r--docs-xml/smbdotconf/security/hostsallow.xml62
-rw-r--r--docs-xml/smbdotconf/security/hostsdeny.xml24
-rw-r--r--docs-xml/smbdotconf/security/inheritacls.xml24
-rw-r--r--docs-xml/smbdotconf/security/inheritowner.xml58
-rw-r--r--docs-xml/smbdotconf/security/inheritpermissions.xml35
-rw-r--r--docs-xml/smbdotconf/security/invalidusers.xml34
-rw-r--r--docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml42
-rw-r--r--docs-xml/smbdotconf/security/kdcenablefast.xml15
-rw-r--r--docs-xml/smbdotconf/security/kdcforceenablerc4weaksessionkeys.xml24
-rw-r--r--docs-xml/smbdotconf/security/kdcsupportedenctypes.xml40
-rw-r--r--docs-xml/smbdotconf/security/kerberosencryptiontypes.xml47
-rw-r--r--docs-xml/smbdotconf/security/kerberosmethod.xml41
-rw-r--r--docs-xml/smbdotconf/security/kpasswdport.xml11
-rw-r--r--docs-xml/smbdotconf/security/krb5port.xml10
-rw-r--r--docs-xml/smbdotconf/security/lanmanauth.xml55
-rw-r--r--docs-xml/smbdotconf/security/lognttokencommand.xml14
-rw-r--r--docs-xml/smbdotconf/security/maptoguest.xml62
-rw-r--r--docs-xml/smbdotconf/security/mindomainuid.xml17
-rw-r--r--docs-xml/smbdotconf/security/mitkdccommand.xml15
-rw-r--r--docs-xml/smbdotconf/security/nt_hash_store.xml70
-rw-r--r--docs-xml/smbdotconf/security/ntlmauth.xml87
-rw-r--r--docs-xml/smbdotconf/security/ntpsigndsocketdirectory.xml16
-rw-r--r--docs-xml/smbdotconf/security/nullpasswords.xml14
-rw-r--r--docs-xml/smbdotconf/security/obeypamrestrictions.xml19
-rw-r--r--docs-xml/smbdotconf/security/oldpasswordallowedperiod.xml12
-rw-r--r--docs-xml/smbdotconf/security/pampasswordchange.xml16
-rw-r--r--docs-xml/smbdotconf/security/passdbbackend.xml65
-rw-r--r--docs-xml/smbdotconf/security/passdbexpandexplicit.xml14
-rw-r--r--docs-xml/smbdotconf/security/passwdchat.xml57
-rw-r--r--docs-xml/smbdotconf/security/passwdchatdebug.xml26
-rw-r--r--docs-xml/smbdotconf/security/passwdchattimeout.xml13
-rw-r--r--docs-xml/smbdotconf/security/passwdprogram.xml37
-rw-r--r--docs-xml/smbdotconf/security/passwordhashgpgkeyids.xml45
-rw-r--r--docs-xml/smbdotconf/security/passwordhashuserpasswordschemes.xml67
-rw-r--r--docs-xml/smbdotconf/security/passwordserver.xml46
-rw-r--r--docs-xml/smbdotconf/security/preloadmodules.xml13
-rw-r--r--docs-xml/smbdotconf/security/privatedir.xml14
-rw-r--r--docs-xml/smbdotconf/security/rawntlmv2auth.xml27
-rw-r--r--docs-xml/smbdotconf/security/readlist.xml18
-rw-r--r--docs-xml/smbdotconf/security/readonly.xml18
-rw-r--r--docs-xml/smbdotconf/security/renameuserscript.xml33
-rw-r--r--docs-xml/smbdotconf/security/restrictanonymous.xml38
-rw-r--r--docs-xml/smbdotconf/security/rootdirectory.xml35
-rw-r--r--docs-xml/smbdotconf/security/sambakcccommand.xml18
-rw-r--r--docs-xml/smbdotconf/security/security.xml105
-rw-r--r--docs-xml/smbdotconf/security/securitymask.xml11
-rw-r--r--docs-xml/smbdotconf/security/serverrole.xml96
-rw-r--r--docs-xml/smbdotconf/security/serverschannel.xml102
-rw-r--r--docs-xml/smbdotconf/security/serverschannelrequireseal.xml117
-rw-r--r--docs-xml/smbdotconf/security/serversigning.xml29
-rw-r--r--docs-xml/smbdotconf/security/serversmbencrypt.xml241
-rw-r--r--docs-xml/smbdotconf/security/serversmbencryptionalgos.xml21
-rw-r--r--docs-xml/smbdotconf/security/serversmbsigningalgos.xml22
-rw-r--r--docs-xml/smbdotconf/security/smbencrypt.xml15
-rw-r--r--docs-xml/smbdotconf/security/smbpasswdfile.xml18
-rw-r--r--docs-xml/smbdotconf/security/tlscafile.xml20
-rw-r--r--docs-xml/smbdotconf/security/tlscertfile.xml19
-rw-r--r--docs-xml/smbdotconf/security/tlscrlfile.xml19
-rw-r--r--docs-xml/smbdotconf/security/tlsdhparamsfile.xml20
-rw-r--r--docs-xml/smbdotconf/security/tlsenabled.xml10
-rw-r--r--docs-xml/smbdotconf/security/tlskeyfile.xml20
-rw-r--r--docs-xml/smbdotconf/security/tlspriority.xml19
-rw-r--r--docs-xml/smbdotconf/security/tlsverifypeer.xml47
-rw-r--r--docs-xml/smbdotconf/security/unixpasswordsync.xml26
-rw-r--r--docs-xml/smbdotconf/security/usernamelevel.xml26
-rw-r--r--docs-xml/smbdotconf/security/usernamemap.xml130
-rw-r--r--docs-xml/smbdotconf/security/usernamemapcachetime.xml26
-rw-r--r--docs-xml/smbdotconf/security/usernamemapscript.xml19
-rw-r--r--docs-xml/smbdotconf/security/validusers.xml38
-rw-r--r--docs-xml/smbdotconf/security/writeable.xml14
-rw-r--r--docs-xml/smbdotconf/security/writelist.xml24
109 files changed, 3875 insertions, 0 deletions
diff --git a/docs-xml/smbdotconf/security/accessbasedshareenum.xml b/docs-xml/smbdotconf/security/accessbasedshareenum.xml
new file mode 100644
index 0000000..4557465
--- /dev/null
+++ b/docs-xml/smbdotconf/security/accessbasedshareenum.xml
@@ -0,0 +1,19 @@
+<samba:parameter name="access based share enum"
+ type="boolean"
+ context="S"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+ <description>
+ <para>If this parameter is <constant>yes</constant> for a
+ service, then the share hosted by the service will only be visible
+ to users who have read or write access to the share during share
+ enumeration (for example net view \\sambaserver). The share ACLs
+ which allow or deny the access to the share can be modified using
+ for example the <command moreinfo="none">sharesec</command> command
+ or using the appropriate Windows tools. This has
+ parallels to access based enumeration, the main difference being
+ that only share permissions are evaluated, and security
+ descriptors on files contained on the share are not used in
+ computing enumeration access rights.</para>
+ </description>
+ <value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/aclclaimsevaluation.xml b/docs-xml/smbdotconf/security/aclclaimsevaluation.xml
new file mode 100644
index 0000000..ab72617
--- /dev/null
+++ b/docs-xml/smbdotconf/security/aclclaimsevaluation.xml
@@ -0,0 +1,42 @@
+<samba:parameter name="acl claims evaluation"
+ context="G"
+ type="enum"
+ enumlist="enum_acl_claims_evaluation"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This option controls the way Samba handles evaluation of
+ security descriptors in Samba, with regards to Active
+ Directory Claims. AD Claims, introduced with Windows 2012,
+ are essentially administrator-defined key-value pairs that can
+ be set both in Active Directory (communicated via the Kerberos
+ PAC) and in the security descriptor themselves.
+ </para>
+
+ <para>Active Directory claims are new with Samba 4.20.
+ Because the claims are evaluated against a very flexible
+ expression language within the security descriptor, this option provides a mechanism
+ to disable this logic if required by the administrator.</para>
+
+ <para>This default behaviour is that claims evaluation is
+ enabled in the AD DC only. Additionally, claims evaluation on
+ the AD DC is only enabled if the DC functional level
+ is 2012 or later. See <smbconfoption name="ad dc functional
+ level"/>.</para>
+
+ <para>Possible values are :</para>
+ <itemizedlist>
+ <listitem>
+ <para><constant>AD DC only</constant>: Enabled for the Samba AD
+ DC (for DC functional level 2012 or higher).</para>
+ </listitem>
+ <listitem>
+ <para><constant>never</constant>: Disabled in all cases.
+ This option disables some but not all of the
+ Authentication Policies and Authentication Policy Silos features of
+ the Windows 2012R2 functional level in the AD DC.</para>
+ </listitem>
+ </itemizedlist>
+</description>
+
+<value type="default">AD DC only</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/aclflaginheritedcanonicalization.xml b/docs-xml/smbdotconf/security/aclflaginheritedcanonicalization.xml
new file mode 100644
index 0000000..b306b2b
--- /dev/null
+++ b/docs-xml/smbdotconf/security/aclflaginheritedcanonicalization.xml
@@ -0,0 +1,30 @@
+<samba:parameter name="acl flag inherited canonicalization"
+ context="S"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This option controls the way Samba handles client requests setting
+ the Security Descriptor of files and directories and the effect the
+ operation has on the Security Descriptor flag &quot;DACL
+ auto-inherited&quot; (DI). Generally, this flag is set on a file (or
+ directory) upon creation if the parent directory has DI set and also has
+ inheritable ACEs.
+ </para>
+
+ <para>On the other hand when a Security Descriptor is explicitly set on
+ a file, the DI flag is cleared, unless the flag &quot;DACL Inheritance
+ Required&quot; (DR) is also set in the new Security Descriptor (fwiw, DR is
+ never stored on disk).</para>
+
+ <para>This is the default behaviour when this option is enabled (the
+ default). When setting this option to <command>no</command>, the
+ resulting value of the DI flag on-disk is directly taken from the DI
+ value of the to-be-set Security Descriptor. This can be used so dump
+ tools like rsync that copy data blobs from xattrs that represent ACLs
+ created by the acl_xattr VFS module will result in copies of the ACL
+ that are identical to the source. Without this option, the copied ACLs
+ would all lose the DI flag if set on the source.</para>
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/aclgroupcontrol.xml b/docs-xml/smbdotconf/security/aclgroupcontrol.xml
new file mode 100644
index 0000000..eeec434
--- /dev/null
+++ b/docs-xml/smbdotconf/security/aclgroupcontrol.xml
@@ -0,0 +1,45 @@
+<samba:parameter name="acl group control"
+ context="S"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ In a POSIX filesystem, only the owner of a file or directory and the superuser can modify the permissions
+ and ACLs on a file. If this parameter is set, then Samba overrides this restriction, and also allows the
+ <emphasis>primary group owner</emphasis> of a file or directory to modify the permissions and ACLs
+ on that file.
+ </para>
+ <para>
+ On a Windows server, groups may be the owner of a file or directory - thus allowing anyone in
+ that group to modify the permissions on it. This allows the delegation of security controls
+ on a point in the filesystem to the group owner of a directory and anything below it also owned
+ by that group. This means there are multiple people with permissions to modify ACLs on a file
+ or directory, easing manageability.
+ </para>
+ <para>
+ This parameter allows Samba to also permit delegation of the control over a point in the exported
+ directory hierarchy in much the same way as Windows. This allows all members of a UNIX group to
+ control the permissions on a file or directory they have group ownership on.
+ </para>
+
+ <para>
+ This parameter is best used with the <smbconfoption name="inherit owner"/> option and also
+ on a share containing directories with the UNIX <emphasis>setgid bit</emphasis> set
+ on them, which causes new files and directories created within it to inherit the group
+ ownership from the containing directory.
+ </para>
+
+ <para>
+ This parameter was deprecated in Samba 3.0.23, but re-activated in
+ Samba 3.0.31 and above, as it now only controls permission changes if the user
+ is in the owning primary group. It is now no longer equivalent to the
+ <parameter moreinfo="none">dos filemode</parameter> option.
+ </para>
+
+</description>
+
+<related>inherit owner</related>
+<related>inherit permissions</related>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/adminusers.xml b/docs-xml/smbdotconf/security/adminusers.xml
new file mode 100644
index 0000000..5e0f60c
--- /dev/null
+++ b/docs-xml/smbdotconf/security/adminusers.xml
@@ -0,0 +1,18 @@
+<samba:parameter name="admin users"
+ context="S"
+ type="cmdlist"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This is a list of users who will be granted
+ administrative privileges on the share. This means that they
+ will do all file operations as the super-user (root).</para>
+
+ <para>You should use this option very carefully, as any user in
+ this list will be able to do anything they like on the share,
+ irrespective of file permissions.</para>
+
+</description>
+
+<value type="default"/>
+<value type="example">jason</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/algorithmicridbase.xml b/docs-xml/smbdotconf/security/algorithmicridbase.xml
new file mode 100644
index 0000000..a5eba3c
--- /dev/null
+++ b/docs-xml/smbdotconf/security/algorithmicridbase.xml
@@ -0,0 +1,26 @@
+<samba:parameter name="algorithmic rid base"
+ context="G"
+ type="integer"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This determines how Samba will use its
+ algorithmic mapping from uids/gid to the RIDs needed to construct
+ NT Security Identifiers.
+ </para>
+
+ <para>Setting this option to a larger value could be useful to sites
+ transitioning from WinNT and Win2k, as existing user and
+ group rids would otherwise clash with system users etc.
+ </para>
+
+ <para>All UIDs and GIDs must be able to be resolved into SIDs for
+ the correct operation of ACLs on the server. As such the algorithmic
+ mapping can't be 'turned off', but pushing it 'out of the way' should
+ resolve the issues. Users and groups can then be assigned 'low' RIDs
+ in arbitrary-rid supporting backends.
+ </para>
+</description>
+
+<value type="default">1000</value>
+<value type="example">100000</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
new file mode 100644
index 0000000..8bccab3
--- /dev/null
+++ b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
@@ -0,0 +1,27 @@
+<samba:parameter name="allow dcerpc auth level connect"
+ context="G"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This option controls whether DCERPC services are allowed to
+ be used with DCERPC_AUTH_LEVEL_CONNECT, which provides authentication,
+ but no per message integrity nor privacy protection.</para>
+
+ <para>Some interfaces like samr, lsarpc and netlogon have a hard-coded default of
+ <constant>no</constant> and epmapper, mgmt and rpcecho have a hard-coded default of
+ <constant>yes</constant>.
+ </para>
+
+ <para>The behavior can be overwritten per interface name (e.g. lsarpc, netlogon, samr, srvsvc,
+ winreg, wkssvc ...) by using 'allow dcerpc auth level connect:interface = yes' as option.</para>
+
+ <para>This option is over-ridden by the implementation specific restrictions.
+ E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY.
+ The dnsserver protocol requires DCERPC_AUTH_LEVEL_INTEGRITY.
+ </para>
+</description>
+
+<value type="default">no</value>
+<value type="example">yes</value>
+
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/allowtrusteddomains.xml b/docs-xml/smbdotconf/security/allowtrusteddomains.xml
new file mode 100644
index 0000000..3617210
--- /dev/null
+++ b/docs-xml/smbdotconf/security/allowtrusteddomains.xml
@@ -0,0 +1,25 @@
+<samba:parameter name="allow trusted domains"
+ context="G"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This option only takes effect when the <smbconfoption name="security"/> option is set to
+ <constant>server</constant>, <constant>domain</constant> or <constant>ads</constant>.
+ If it is set to no, then attempts to connect to a resource from
+ a domain or workgroup other than the one which smbd is running
+ in will fail, even if that domain is trusted by the remote server
+ doing the authentication.</para>
+
+ <para>This is useful if you only want your Samba server to
+ serve resources to users in the domain it is a member of. As
+ an example, suppose that there are two domains DOMA and DOMB. DOMB
+ is trusted by DOMA, which contains the Samba server. Under normal
+ circumstances, a user with an account in DOMB can then access the
+ resources of a UNIX account with the same account name on the
+ Samba server even if they do not have an account in DOMA. This
+ can make implementing a security boundary difficult.</para>
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/binddnsdir.xml b/docs-xml/smbdotconf/security/binddnsdir.xml
new file mode 100644
index 0000000..a948cb5
--- /dev/null
+++ b/docs-xml/smbdotconf/security/binddnsdir.xml
@@ -0,0 +1,17 @@
+<samba:parameter name="binddns dir"
+ context="G"
+ type="string"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<synonym>bind dns directory</synonym>
+<description>
+ <para>
+ This parameters defines the directory samba will use to store the configuration
+ files for bind, such as named.conf.
+
+ NOTE: The bind dns directory needs to be on the same mount point as the private
+ directory!
+ </para>
+</description>
+
+<value type="default">&pathconfig.BINDDNS_DIR;</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/checkpasswordscript.xml b/docs-xml/smbdotconf/security/checkpasswordscript.xml
new file mode 100644
index 0000000..18aa2c6
--- /dev/null
+++ b/docs-xml/smbdotconf/security/checkpasswordscript.xml
@@ -0,0 +1,43 @@
+<samba:parameter name="check password script"
+ context="G"
+ type="string"
+ substitution="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>The name of a program that can be used to check password
+ complexity. The password is sent to the program's standard input.</para>
+
+ <para>The program must return 0 on a good password, or any other value
+ if the password is bad.
+ In case the password is considered weak (the program does not return 0) the
+ user will be notified and the password change will fail.</para>
+
+ <para>In Samba AD, this script will be run <emphasis>AS ROOT</emphasis> by
+ <citerefentry><refentrytitle>samba</refentrytitle> <manvolnum>8</manvolnum>
+ </citerefentry> without any substitutions.</para>
+
+ <para>Note that starting with Samba 4.11 the following environment variables are exported to the script:</para>
+
+ <itemizedlist>
+ <listitem><para>
+ SAMBA_CPS_ACCOUNT_NAME is always present and contains the sAMAccountName of user,
+ the is the same as the %u substitutions in the none AD DC case.
+ </para></listitem>
+
+ <listitem><para>
+ SAMBA_CPS_USER_PRINCIPAL_NAME is optional in the AD DC case if the userPrincipalName is present.
+ </para></listitem>
+
+ <listitem><para>
+ SAMBA_CPS_FULL_NAME is optional if the displayName is present.
+ </para></listitem>
+ </itemizedlist>
+
+ <para>Note: In the example directory is a sample program called <command moreinfo="none">crackcheck</command>
+ that uses cracklib to check the password quality.</para>
+
+</description>
+
+<value type="default"><comment>Disabled</comment></value>
+<value type="example">/usr/local/sbin/crackcheck</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/clientipcsigning.xml b/docs-xml/smbdotconf/security/clientipcsigning.xml
new file mode 100644
index 0000000..efbf17a
--- /dev/null
+++ b/docs-xml/smbdotconf/security/clientipcsigning.xml
@@ -0,0 +1,26 @@
+<samba:parameter name="client ipc signing"
+ context="G"
+ type="enum"
+ function="_client_ipc_signing"
+ enumlist="enum_smb_signing_vals"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This controls whether the client is allowed or required to use SMB signing for IPC$
+ connections as DCERPC transport. Possible values
+ are <emphasis>desired</emphasis>, <emphasis>required</emphasis>
+ and <emphasis>disabled</emphasis>.
+ </para>
+
+ <para>When set to required or default, SMB signing is mandatory.</para>
+
+ <para>When set to desired, SMB signing is offered, but not enforced and if set
+ to disabled, SMB signing is not offered either.</para>
+
+ <para>Connections from winbindd to Active Directory Domain Controllers
+ always enforce signing.</para>
+</description>
+
+<related>client signing</related>
+
+<value type="default">default</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/clientlanmanauth.xml b/docs-xml/smbdotconf/security/clientlanmanauth.xml
new file mode 100644
index 0000000..60e1c86
--- /dev/null
+++ b/docs-xml/smbdotconf/security/clientlanmanauth.xml
@@ -0,0 +1,36 @@
+<samba:parameter name="client lanman auth"
+ context="G"
+ type="boolean"
+ deprecated="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This parameter has been deprecated since Samba 4.13 and
+ support for LanMan (as distinct from NTLM, NTLMv2 or
+ Kerberos) authentication as a client
+ will be removed in a future Samba release.</para>
+ <para>That is, in the future, the current default of
+ <command>client NTLMv2 auth = yes</command>
+ will be the enforced behaviour.</para>
+
+ <para>This parameter determines whether or not <citerefentry><refentrytitle>smbclient</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> and other samba client
+ tools will attempt to authenticate itself to servers using the
+ weaker LANMAN password hash. If disabled, only server which support NT
+ password hashes (e.g. Windows NT/2000, Samba, etc... but not
+ Windows 95/98) will be able to be connected from the Samba client.</para>
+
+ <para>The LANMAN encrypted response is easily broken, due to its
+ case-insensitive nature, and the choice of algorithm. Clients
+ without Windows 95/98 servers are advised to disable
+ this option. </para>
+
+ <para>Disabling this option will also disable the <command
+ moreinfo="none">client plaintext auth</command> option.</para>
+
+ <para>Likewise, if the <command moreinfo="none">client ntlmv2
+ auth</command> parameter is enabled, then only NTLMv2 logins will be
+ attempted.</para>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/clientntlmv2auth.xml b/docs-xml/smbdotconf/security/clientntlmv2auth.xml
new file mode 100644
index 0000000..9b47944
--- /dev/null
+++ b/docs-xml/smbdotconf/security/clientntlmv2auth.xml
@@ -0,0 +1,46 @@
+<samba:parameter name="client NTLMv2 auth"
+ context="G"
+ type="boolean"
+ deprecated="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This parameter has been deprecated since Samba 4.13 and
+ support for NTLM and LanMan (as distinct from NTLMv2 or
+ Kerberos authentication)
+ will be removed in a future Samba release.</para>
+ <para>That is, in the future, the current default of
+ <command>client NTLMv2 auth = yes</command>
+ will be the enforced behaviour.</para>
+
+ <para>This parameter determines whether or not <citerefentry><refentrytitle>smbclient</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> will attempt to
+ authenticate itself to servers using the NTLMv2 encrypted password
+ response.</para>
+
+ <para>If enabled, only an NTLMv2 and LMv2 response (both much more
+ secure than earlier versions) will be sent. Older servers
+ (including NT4 &lt; SP4, Win9x and Samba 2.2) are not compatible with
+ NTLMv2 when not in an NTLMv2 supporting domain</para>
+
+ <para>Similarly, if enabled, NTLMv1, <command
+ moreinfo="none">client lanman auth</command> and <command
+ moreinfo="none">client plaintext auth</command>
+ authentication will be disabled. This also disables share-level
+ authentication. </para>
+
+ <para>If disabled, an NTLM response (and possibly a LANMAN response)
+ will be sent by the client, depending on the value of <command
+ moreinfo="none">client lanman auth</command>. </para>
+
+ <para>Note that Windows Vista and later versions already use
+ NTLMv2 by default, and some sites (particularly those following
+ 'best practice' security polices) only allow NTLMv2 responses, and
+ not the weaker LM or NTLM.</para>
+
+ <para>When <smbconfoption name="client use spnego"/> is also set to
+ <constant>yes</constant> extended security (SPNEGO) is required
+ in order to use NTLMv2 only within NTLMSSP. This behavior was
+ introduced with the patches for CVE-2016-2111.</para>
+</description>
+<value type="default">yes</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/clientplaintextauth.xml b/docs-xml/smbdotconf/security/clientplaintextauth.xml
new file mode 100644
index 0000000..5a51c33
--- /dev/null
+++ b/docs-xml/smbdotconf/security/clientplaintextauth.xml
@@ -0,0 +1,20 @@
+<samba:parameter name="client plaintext auth"
+ context="G"
+ type="boolean"
+ deprecated="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This parameter has been deprecated since Samba 4.13 and
+ support for plaintext (as distinct from NTLM, NTLMv2 or
+ Kerberos authentication)
+ will be removed in a future Samba release.</para>
+ <para>That is, in the future, the current default of
+ <command>client plaintext auth = no</command>
+ will be the enforced behaviour.</para>
+
+ <para>Specifies whether a client should send a plaintext
+ password if the server does not support encrypted passwords.</para>
+</description>
+<value type="default">no</value>
+</samba:parameter>
+
diff --git a/docs-xml/smbdotconf/security/clientprotection.xml b/docs-xml/smbdotconf/security/clientprotection.xml
new file mode 100644
index 0000000..347b004
--- /dev/null
+++ b/docs-xml/smbdotconf/security/clientprotection.xml
@@ -0,0 +1,51 @@
+<samba:parameter name="client protection"
+ context="G"
+ type="enum"
+ enumlist="enum_client_protection_vals"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This parameter defines which protection Samba client
+ tools should use by default.
+ </para>
+
+ <para>Possible client settings are:</para>
+ <itemizedlist>
+ <listitem>
+ <para>
+ <emphasis>default</emphasis> - Use the individual
+ default values of the options:
+ <itemizedlist>
+ <listitem><para><parameter>client signing</parameter></para></listitem>
+ <listitem><para><parameter>client smb encrypt</parameter></para></listitem>
+ </itemizedlist>
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <emphasis>plain</emphasis> - This will send
+ everything just as plaintext, signing or
+ encryption are turned off.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <emphasis>sign</emphasis> - This will enable
+ integrity checking.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <emphasis>encrypt</emphasis> - This will enable
+ integrity checks and force encryption for
+ privacy.
+ </para>
+ </listitem>
+ </itemizedlist>
+</description>
+
+<value type="default">default</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/clientschannel.xml b/docs-xml/smbdotconf/security/clientschannel.xml
new file mode 100644
index 0000000..d124ad4
--- /dev/null
+++ b/docs-xml/smbdotconf/security/clientschannel.xml
@@ -0,0 +1,30 @@
+<samba:parameter name="client schannel"
+ context="G"
+ type="enum"
+ enumlist="enum_bool_auto"
+ deprecated="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+ <para>
+ This option is deprecated with Samba 4.8 and will be removed in future.
+ At the same time the default changed to yes, which will be the
+ hardcoded behavior in future.
+ </para>
+
+ <para>
+ This controls whether the client offers or even demands the use of the netlogon schannel.
+ <smbconfoption name="client schannel">no</smbconfoption> does not offer the schannel,
+ <smbconfoption name="client schannel">auto</smbconfoption> offers the schannel but does not
+ enforce it, and <smbconfoption name="client schannel">yes</smbconfoption> denies access
+ if the server is not able to speak netlogon schannel.
+ </para>
+
+ <para>Note that for active directory domains this is hardcoded to
+ <smbconfoption name="client schannel">yes</smbconfoption>.</para>
+
+ <para>This option is over-ridden by the <smbconfoption name="require strong key"/> option.</para>
+</description>
+<value type="default">yes</value>
+<value type="example">auto</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/clientsigning.xml b/docs-xml/smbdotconf/security/clientsigning.xml
new file mode 100644
index 0000000..bd92818
--- /dev/null
+++ b/docs-xml/smbdotconf/security/clientsigning.xml
@@ -0,0 +1,24 @@
+<samba:parameter name="client signing"
+ context="G"
+ type="enum"
+ enumlist="enum_smb_signing_vals"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This controls whether the client is allowed or required to use SMB signing. Possible values
+ are <emphasis>desired</emphasis>, <emphasis>required</emphasis>
+ and <emphasis>disabled</emphasis>.
+ </para>
+
+ <para>When set to desired or default, SMB signing is offered, but not enforced.</para>
+
+ <para>When set to required, SMB signing is mandatory and if set
+ to disabled, SMB signing is not offered either.</para>
+
+ <para>IPC$ connections for DCERPC e.g. in winbindd, are handled by the
+ <smbconfoption name="client ipc signing"/> option.</para>
+</description>
+
+<related>client ipc signing</related>
+
+<value type="default">default</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/clientsmbencrypt.xml b/docs-xml/smbdotconf/security/clientsmbencrypt.xml
new file mode 100644
index 0000000..05df152
--- /dev/null
+++ b/docs-xml/smbdotconf/security/clientsmbencrypt.xml
@@ -0,0 +1,126 @@
+<samba:parameter name="client smb encrypt"
+ context="G"
+ type="enum"
+ enumlist="enum_smb_encryption_vals"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This parameter controls whether a client should try or is required
+ to use SMB encryption. It has different effects depending on whether
+ the connection uses SMB1 or SMB3:
+ </para>
+
+ <itemizedlist>
+ <listitem>
+ <para>
+ If the connection uses SMB1, then this option controls the use
+ of a Samba-specific extension to the SMB protocol introduced in
+ Samba 3.2 that makes use of the Unix extensions.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ If the connection uses SMB2 or newer, then this option controls
+ the use of the SMB-level encryption that is supported in SMB
+ version 3.0 and above and available in Windows 8 and newer.
+ </para>
+ </listitem>
+ </itemizedlist>
+
+ <para>
+ This parameter can be set globally. Possible values are
+
+ <emphasis>off</emphasis>,
+ <emphasis>if_required</emphasis>,
+ <emphasis>desired</emphasis>,
+ and
+ <emphasis>required</emphasis>.
+ A special value is <emphasis>default</emphasis> which is
+ the implicit default setting of <emphasis>if_required</emphasis>.
+ </para>
+
+ <variablelist>
+ <varlistentry>
+ <term><emphasis>Effects for SMB1</emphasis></term>
+ <listitem>
+ <para>
+ The Samba-specific encryption of SMB1 connections is an
+ extension to the SMB protocol negotiated as part of the UNIX
+ extensions. SMB encryption uses the GSSAPI (SSPI on Windows)
+ ability to encrypt and sign every request/response in a SMB
+ protocol stream. When enabled it provides a secure method of
+ SMB/CIFS communication, similar to an ssh protected session, but
+ using SMB/CIFS authentication to negotiate encryption and
+ signing keys. Currently this is only supported smbclient of by
+ Samba 3.2 and newer. Windows does not support this feature.
+ </para>
+
+ <para>
+ When set to default, SMB encryption is probed, but not
+ enforced. When set to required, SMB encryption is required and
+ if set to disabled, SMB encryption can not be negotiated.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis>Effects for SMB3 and newer</emphasis></term>
+ <listitem>
+ <para>
+ Native SMB transport encryption is available in SMB version 3.0
+ or newer. It is only used by Samba if
+ <emphasis>client max protocol</emphasis> is set to
+ <emphasis>SMB3</emphasis> or newer.
+ </para>
+
+ <para>
+ These features can be controlled with settings of
+ <emphasis>client smb encrypt</emphasis> as follows:
+ </para>
+
+ <itemizedlist>
+ <listitem>
+ <para>
+ Leaving it as default, explicitly setting
+ <emphasis>default</emphasis>, or setting it to
+ <emphasis>if_required</emphasis> globally will enable
+ negotiation of encryption but will not turn on
+ data encryption globally.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Setting it to <emphasis>desired</emphasis> globally
+ will enable negotiation and will turn on data encryption
+ on sessions and share connections for those servers
+ that support it.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Setting it to <emphasis>required</emphasis> globally
+ will enable negotiation and turn on data encryption
+ on sessions and share connections. Clients that do
+ not support encryption will be denied access to the
+ server.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Setting it to <emphasis>off</emphasis> globally will
+ completely disable the encryption feature for all
+ connections.
+ </para>
+ </listitem>
+ </itemizedlist>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+</description>
+
+<value type="default">default</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/clientsmbencryptionalgos.xml b/docs-xml/smbdotconf/security/clientsmbencryptionalgos.xml
new file mode 100644
index 0000000..78df3f9
--- /dev/null
+++ b/docs-xml/smbdotconf/security/clientsmbencryptionalgos.xml
@@ -0,0 +1,21 @@
+<samba:parameter name="client smb3 encryption algorithms"
+ context="G"
+ type="list"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This parameter specifies the availability and order of
+ encryption algorithms which are available for negotiation in the SMB3_11 dialect.
+ </para>
+ <para>It is also possible to remove individual algorithms from the default list,
+ by prefixing them with '-'. This can avoid having to specify a hardcoded list.
+ </para>
+ <para>Note: that the removal of AES-128-CCM from the list will result
+ in SMB3_00 and SMB3_02 being unavailable, as it is the default and only
+ available algorithm for these dialects.
+ </para>
+</description>
+
+<value type="default">AES-128-GCM, AES-128-CCM, AES-256-GCM, AES-256-CCM</value>
+<value type="example">AES-256-GCM</value>
+<value type="example">-AES-128-GCM -AES-128-CCM</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/clientsmbsigningalgos.xml b/docs-xml/smbdotconf/security/clientsmbsigningalgos.xml
new file mode 100644
index 0000000..f7c61f3
--- /dev/null
+++ b/docs-xml/smbdotconf/security/clientsmbsigningalgos.xml
@@ -0,0 +1,22 @@
+<samba:parameter name="client smb3 signing algorithms"
+ context="G"
+ type="list"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This parameter specifies the availability and order of
+ signing algorithms which are available for negotiation in the SMB3_11 dialect.
+ </para>
+ <para>It is also possible to remove individual algorithms from the default list,
+ by prefixing them with '-'. This can avoid having to specify a hardcoded list.
+ </para>
+ <para>Note: that the removal of AES-128-CMAC from the list will result
+ in SMB3_00 and SMB3_02 being unavailable, and the removal of HMAC-SHA256
+ will result in SMB2_02 and SMB2_10 being unavailable, as these are the default and only
+ available algorithms for these dialects.
+ </para>
+</description>
+
+<value type="default">AES-128-GMAC, AES-128-CMAC, HMAC-SHA256</value>
+<value type="example">AES-128-CMAC, HMAC-SHA256</value>
+<value type="example">-AES-128-CMAC</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/clientusekerberos.xml b/docs-xml/smbdotconf/security/clientusekerberos.xml
new file mode 100644
index 0000000..1ccf88e
--- /dev/null
+++ b/docs-xml/smbdotconf/security/clientusekerberos.xml
@@ -0,0 +1,49 @@
+<samba:parameter name="client use kerberos"
+ context="G"
+ type="enum"
+ function="_client_use_kerberos"
+ enumlist="enum_use_kerberos_vals"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This parameter determines whether Samba client tools will try
+ to authenticate using Kerberos. For Kerberos authentication you
+ need to use dns names instead of IP addresses when connecting
+ to a service.
+ </para>
+
+ <para>Possible option settings are:</para>
+ <itemizedlist>
+ <listitem>
+ <para>
+ <emphasis>desired</emphasis> - Kerberos
+ authentication will be tried first and if it fails it
+ automatically fallback to NTLM.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <emphasis>required</emphasis> - Kerberos
+ authentication will be required. There will be no
+ fallback to NTLM or a different alternative.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <emphasis>off</emphasis> - Don't use
+ Kerberos, use NTLM instead or another
+ alternative.
+ </para>
+ </listitem>
+ </itemizedlist>
+
+ <para>
+ In case that weak cryptography is not allowed (e.g. FIPS mode)
+ the default will be forced to <emphasis>required</emphasis>.
+ </para>
+</description>
+
+<value type="default">desired</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/clientusepsnegoprincipal.xml b/docs-xml/smbdotconf/security/clientusepsnegoprincipal.xml
new file mode 100644
index 0000000..8e9edd2
--- /dev/null
+++ b/docs-xml/smbdotconf/security/clientusepsnegoprincipal.xml
@@ -0,0 +1,35 @@
+<samba:parameter name="client use spnego principal"
+ context="G"
+ type="boolean"
+ deprecated="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This parameter determines whether or not
+ <citerefentry><refentrytitle>smbclient</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> and other samba components
+ acting as a client will attempt to use the server-supplied
+ principal sometimes given in the SPNEGO exchange.</para>
+
+ <para>If enabled, Samba can attempt to use Kerberos to contact
+ servers known only by IP address. Kerberos relies on names, so
+ ordinarily cannot function in this situation. </para>
+
+ <para>This is a VERY BAD IDEA for security reasons, and so this
+ parameter SHOULD NOT BE USED. It will be removed in a future
+ version of Samba.</para>
+
+ <para>If disabled, Samba will use the name used to look up the
+ server when asking the KDC for a ticket. This avoids situations
+ where a server may impersonate another, soliciting authentication
+ as one principal while being known on the network as another.
+ </para>
+
+ <para>Note that Windows XP SP2 and later versions already follow
+ this behaviour, and Windows Vista and later servers no longer
+ supply this 'rfc4178 hint' principal on the server side.</para>
+
+ <para>This parameter is deprecated in Samba 4.2.1 and will be removed
+ (along with the functionality) in a later release of Samba.</para>
+</description>
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/createmask.xml b/docs-xml/smbdotconf/security/createmask.xml
new file mode 100644
index 0000000..06ee896
--- /dev/null
+++ b/docs-xml/smbdotconf/security/createmask.xml
@@ -0,0 +1,37 @@
+<samba:parameter name="create mask"
+ context="S"
+ type="octal"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+
+<synonym>create mode</synonym>
+<description>
+ <para>
+ When a file is created, the necessary permissions are calculated according to the mapping from DOS modes to
+ UNIX permissions, and the resulting UNIX mode is then bit-wise 'AND'ed with this parameter. This parameter may
+ be thought of as a bit-wise MASK for the UNIX modes of a file. Any bit <emphasis>not</emphasis> set here will
+ be removed from the modes set on a file when it is created.
+ </para>
+
+ <para>
+ The default value of this parameter removes the <literal>group</literal> and <literal>other</literal>
+ write and execute bits from the UNIX modes.
+ </para>
+
+ <para>
+ Following this Samba will bit-wise 'OR' the UNIX mode created from this parameter with the value of the
+ <smbconfoption name="force create mode"/> parameter which is set to 000 by default.
+ </para>
+
+ <para>
+ This parameter does not affect directory masks. See the parameter <smbconfoption name="directory mask"/>
+ for details.
+ </para>
+</description>
+
+<related>force create mode</related>
+<related>directory mode</related>
+<related>inherit permissions</related>
+
+<value type="default">0744</value>
+<value type="example">0775</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/debugencryption.xml b/docs-xml/smbdotconf/security/debugencryption.xml
new file mode 100644
index 0000000..5b51b4a
--- /dev/null
+++ b/docs-xml/smbdotconf/security/debugencryption.xml
@@ -0,0 +1,22 @@
+<samba:parameter name="debug encryption"
+ context="G"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+ <description>
+ <para>
+ This option will make the smbd server and client code using
+ libsmb (smbclient, smbget, smbspool, ...) dump the Session Id,
+ the decrypted Session Key, the Signing Key, the Application Key,
+ the Encryption Key and the Decryption Key every time an SMB3+
+ session is established. This information will be printed in logs
+ at level 0.
+ </para>
+ <para>
+ Warning: access to these values enables the decryption of any
+ encrypted traffic on the dumped sessions. This option should
+ only be enabled for debugging purposes.
+ </para>
+ </description>
+
+ <value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/dedicatedkeytabfile.xml b/docs-xml/smbdotconf/security/dedicatedkeytabfile.xml
new file mode 100644
index 0000000..b7c2680
--- /dev/null
+++ b/docs-xml/smbdotconf/security/dedicatedkeytabfile.xml
@@ -0,0 +1,16 @@
+<samba:parameter name="dedicated keytab file"
+ context="G"
+ type="string"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ Specifies the absolute path to the kerberos keytab file when
+ <smbconfoption name="kerberos method"/> is set to "dedicated
+ keytab".
+ </para>
+</description>
+<related>kerberos method</related>
+<value type="default"/>
+<value type="example">/usr/local/etc/krb5.keytab</value>
+</samba:parameter>
+
diff --git a/docs-xml/smbdotconf/security/directorymask.xml b/docs-xml/smbdotconf/security/directorymask.xml
new file mode 100644
index 0000000..890092a
--- /dev/null
+++ b/docs-xml/smbdotconf/security/directorymask.xml
@@ -0,0 +1,33 @@
+<samba:parameter name="directory mask"
+ context="S"
+ type="octal"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<synonym>directory mode</synonym>
+<description>
+ <para>This parameter is the octal modes which are
+ used when converting DOS modes to UNIX modes when creating UNIX
+ directories.</para>
+
+ <para>When a directory is created, the necessary permissions are
+ calculated according to the mapping from DOS modes to UNIX permissions,
+ and the resulting UNIX mode is then bit-wise 'AND'ed with this
+ parameter. This parameter may be thought of as a bit-wise MASK for
+ the UNIX modes of a directory. Any bit <emphasis>not</emphasis> set
+ here will be removed from the modes set on a directory when it is
+ created.</para>
+
+ <para>The default value of this parameter removes the 'group'
+ and 'other' write bits from the UNIX mode, allowing only the
+ user who owns the directory to modify it.</para>
+
+ <para>Following this Samba will bit-wise 'OR' the UNIX mode
+ created from this parameter with the value of the <smbconfoption name="force directory mode"/> parameter.
+ This parameter is set to 000 by default (i.e. no extra mode bits are added).</para>
+</description>
+
+<related>force directory mode</related>
+<related>create mask</related>
+<related>inherit permissions</related>
+<value type="default">0755</value>
+<value type="example">0775</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/directorysecuritymask.xml b/docs-xml/smbdotconf/security/directorysecuritymask.xml
new file mode 100644
index 0000000..f02e4ff
--- /dev/null
+++ b/docs-xml/smbdotconf/security/directorysecuritymask.xml
@@ -0,0 +1,12 @@
+<samba:parameter name="directory security mask"
+ context="S"
+ removed="1"
+ type="string"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This parameter has been removed for Samba 4.0.0.
+ </para>
+</description>
+
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/encryptpasswords.xml b/docs-xml/smbdotconf/security/encryptpasswords.xml
new file mode 100644
index 0000000..4fdfa89
--- /dev/null
+++ b/docs-xml/smbdotconf/security/encryptpasswords.xml
@@ -0,0 +1,47 @@
+<samba:parameter name="encrypt passwords"
+ context="G"
+ type="boolean"
+ deprecated="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This parameter has been deprecated since Samba 4.11 and
+ support for plaintext (as distinct from NTLM, NTLMv2
+ or Kerberos authentication)
+ will be removed in a future Samba release.</para>
+ <para>That is, in the future, the current default of
+ <command>encrypt passwords = yes</command>
+ will be the enforced behaviour.</para>
+ <para>This boolean controls whether encrypted passwords
+ will be negotiated with the client. Note that Windows NT 4.0 SP3 and
+ above and also Windows 98 will by default expect encrypted passwords
+ unless a registry entry is changed. To use encrypted passwords in
+ Samba see the chapter "User Database" in the Samba HOWTO Collection.
+ </para>
+
+ <para>
+ MS Windows clients that expect Microsoft encrypted passwords and that
+ do not have plain text password support enabled will be able to
+ connect only to a Samba server that has encrypted password support
+ enabled and for which the user accounts have a valid encrypted password.
+ Refer to the smbpasswd command man page for information regarding the
+ creation of encrypted passwords for user accounts.
+ </para>
+
+ <para>
+ The use of plain text passwords is NOT advised as support for this feature
+ is no longer maintained in Microsoft Windows products. If you want to use
+ plain text passwords you must set this parameter to no.
+ </para>
+
+ <para>In order for encrypted passwords to work correctly
+ <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> must either
+ have access to a local <citerefentry><refentrytitle>smbpasswd</refentrytitle>
+ <manvolnum>5</manvolnum></citerefentry> file (see the <citerefentry><refentrytitle>smbpasswd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> program for information on how to set up
+ and maintain this file), or set the <smbconfoption name="security">[domain|ads]</smbconfoption> parameter which
+ causes <command moreinfo="none">smbd</command> to authenticate against another
+ server.</para>
+</description>
+<value type="default">yes</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/forcecreatemode.xml b/docs-xml/smbdotconf/security/forcecreatemode.xml
new file mode 100644
index 0000000..79e6e63
--- /dev/null
+++ b/docs-xml/smbdotconf/security/forcecreatemode.xml
@@ -0,0 +1,25 @@
+<samba:parameter name="force create mode"
+ context="S"
+ type="octal"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This parameter specifies a set of UNIX mode bit
+ permissions that will <emphasis>always</emphasis> be set on a
+ file created by Samba. This is done by bitwise 'OR'ing these bits onto
+ the mode bits of a file that is being created. The default for this parameter is (in octal)
+ 000. The modes in this parameter are bitwise 'OR'ed onto the file
+ mode after the mask set in the <parameter moreinfo="none">create mask</parameter>
+ parameter is applied.</para>
+
+ <para>The example below would force all newly created files to have read and execute
+ permissions set for 'group' and 'other' as well as the
+ read/write/execute bits set for the 'user'.</para>
+
+</description>
+
+<related>create mask</related>
+<related>inherit permissions</related>
+
+<value type="default">0000</value>
+<value type="example">0755</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/forcedirectorymode.xml b/docs-xml/smbdotconf/security/forcedirectorymode.xml
new file mode 100644
index 0000000..aa8375a
--- /dev/null
+++ b/docs-xml/smbdotconf/security/forcedirectorymode.xml
@@ -0,0 +1,25 @@
+<samba:parameter name="force directory mode"
+ context="S"
+ type="octal"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This parameter specifies a set of UNIX mode bit
+ permissions that will <emphasis>always</emphasis> be set on a directory
+ created by Samba. This is done by bitwise 'OR'ing these bits onto the
+ mode bits of a directory that is being created. The default for this
+ parameter is (in octal) 0000 which will not add any extra permission
+ bits to a created directory. This operation is done after the mode
+ mask in the parameter <parameter moreinfo="none">directory mask</parameter> is
+ applied.</para>
+
+ <para>The example below would force all created directories to have read and execute
+ permissions set for 'group' and 'other' as well as the
+ read/write/execute bits set for the 'user'.</para>
+</description>
+
+<value type="default">0000</value>
+<value type="example">0755</value>
+
+<related>directory mask</related>
+<related>inherit permissions</related>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml b/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml
new file mode 100644
index 0000000..fbd8e16
--- /dev/null
+++ b/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml
@@ -0,0 +1,11 @@
+<samba:parameter name="force directory security mode"
+ context="S"
+ type="string"
+ removed="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This parameter has been removed for Samba 4.0.0.
+ </para>
+</description>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/forcegroup.xml b/docs-xml/smbdotconf/security/forcegroup.xml
new file mode 100644
index 0000000..646f550
--- /dev/null
+++ b/docs-xml/smbdotconf/security/forcegroup.xml
@@ -0,0 +1,40 @@
+<samba:parameter name="force group"
+ context="S"
+ type="string"
+ substitution="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<synonym>group</synonym>
+<description>
+ <para>This specifies a UNIX group name that will be
+ assigned as the default primary group for all users connecting
+ to this service. This is useful for sharing files by ensuring
+ that all access to files on service will use the named group for
+ their permissions checking. Thus, by assigning permissions for this
+ group to the files and directories within this service the Samba
+ administrator can restrict or allow sharing of these files.</para>
+
+ <para>In Samba 2.0.5 and above this parameter has extended
+ functionality in the following way. If the group name listed here
+ has a '+' character prepended to it then the current user accessing
+ the share only has the primary group default assigned to this group
+ if they are already assigned as a member of that group. This allows
+ an administrator to decide that only users who are already in a
+ particular group will create files with group ownership set to that
+ group. This gives a finer granularity of ownership assignment. For
+ example, the setting <filename moreinfo="none">force group = +sys</filename> means
+ that only users who are already in group sys will have their default
+ primary group assigned to sys when accessing this Samba share. All
+ other users will retain their ordinary primary group.</para>
+
+ <para>
+ If the <smbconfoption name="force user"/> parameter is also set the group specified in
+ <parameter moreinfo="none">force group</parameter> will override the primary group
+ set in <parameter moreinfo="none">force user</parameter>.</para>
+
+</description>
+
+<related>force user</related>
+
+<value type="default"/>
+<value type="example">agroup</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/forcesecuritymode.xml b/docs-xml/smbdotconf/security/forcesecuritymode.xml
new file mode 100644
index 0000000..5a9479e
--- /dev/null
+++ b/docs-xml/smbdotconf/security/forcesecuritymode.xml
@@ -0,0 +1,11 @@
+<samba:parameter name="force security mode"
+ context="S"
+ type="string"
+ removed="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This parameter has been removed for Samba 4.0.0.
+ </para>
+</description>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/forceunknownacluser.xml b/docs-xml/smbdotconf/security/forceunknownacluser.xml
new file mode 100644
index 0000000..c5aec53
--- /dev/null
+++ b/docs-xml/smbdotconf/security/forceunknownacluser.xml
@@ -0,0 +1,27 @@
+<samba:parameter name="force unknown acl user"
+ context="S"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+
+<description>
+ <para>
+ If this parameter is set, a Windows NT ACL that contains an unknown SID (security descriptor, or
+ representation of a user or group id) as the owner or group owner of the file will be silently
+ mapped into the current UNIX uid or gid of the currently connected user.
+ </para>
+
+ <para>
+ This is designed to allow Windows NT clients to copy files and folders containing ACLs that were
+ created locally on the client machine and contain users local to that machine only (no domain
+ users) to be copied to a Samba server (usually with XCOPY /O) and have the unknown userid and
+ groupid of the file owner map to the current connected user. This can only be fixed correctly
+ when winbindd allows arbitrary mapping from any Windows NT SID to a UNIX uid or gid.
+ </para>
+
+ <para>
+ Try using this parameter when XCOPY /O gives an ACCESS_DENIED error.
+ </para>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/forceuser.xml b/docs-xml/smbdotconf/security/forceuser.xml
new file mode 100644
index 0000000..f3010a9
--- /dev/null
+++ b/docs-xml/smbdotconf/security/forceuser.xml
@@ -0,0 +1,28 @@
+<samba:parameter name="force user"
+ type="string"
+ context="S"
+ substitution="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This specifies a UNIX user name that will be
+ assigned as the default user for all users connecting to this service.
+ This is useful for sharing files. You should also use it carefully
+ as using it incorrectly can cause security problems.</para>
+
+ <para>This user name only gets used once a connection is established.
+ Thus clients still need to connect as a valid user and supply a
+ valid password. Once connected, all file operations will be performed
+ as the &quot;forced user&quot;, no matter what username the client connected
+ as. This can be very useful.</para>
+
+ <para>In Samba 2.0.5 and above this parameter also causes the
+ primary group of the forced user to be used as the primary group
+ for all file activity. Prior to 2.0.5 the primary group was left
+ as the primary group of the connecting user (this was a bug).</para>
+
+</description>
+
+<related>force group</related>
+<value type="default"/>
+<value type="example">auser</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/guestaccount.xml b/docs-xml/smbdotconf/security/guestaccount.xml
new file mode 100644
index 0000000..2914630
--- /dev/null
+++ b/docs-xml/smbdotconf/security/guestaccount.xml
@@ -0,0 +1,27 @@
+<samba:parameter name="guest account"
+ context="G"
+ type="string"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This is a username which will be used for access
+ to services which are specified as <smbconfoption name="guest ok"/> (see below). Whatever privileges this
+ user has will be available to any client connecting to the guest service.
+ This user must exist in the password file, but does not require
+ a valid login. The user account &quot;ftp&quot; is often a good choice
+ for this parameter.
+ </para>
+
+ <para>On some systems the default guest account &quot;nobody&quot; may not
+ be able to print. Use another account in this case. You should test
+ this by trying to log in as your guest user (perhaps by using the
+ <command moreinfo="none">su -</command> command) and trying to print using the
+ system print command such as <command moreinfo="none">lpr(1)</command> or <command moreinfo="none">
+ lp(1)</command>.</para>
+
+ <para>This parameter does not accept % macros, because
+ many parts of the system require this value to be
+ constant for correct operation.</para>
+</description>
+<value type="default">nobody<comment>default can be changed at compile-time</comment></value>
+<value type="example">ftp</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/guestok.xml b/docs-xml/smbdotconf/security/guestok.xml
new file mode 100644
index 0000000..390f1c3
--- /dev/null
+++ b/docs-xml/smbdotconf/security/guestok.xml
@@ -0,0 +1,19 @@
+<samba:parameter name="guest ok"
+ type="boolean"
+ context="S"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<synonym>public</synonym>
+<description>
+ <para>If this parameter is <constant>yes</constant> for
+ a service, then no password is required to connect to the service.
+ Privileges will be those of the <smbconfoption name="guest account"/>.</para>
+
+ <para>This parameter nullifies the benefits of setting
+ <smbconfoption name="restrict anonymous">2</smbconfoption>
+ </para>
+
+ <para>See the section below on <smbconfoption name="security"/> for more information about this option.
+ </para>
+</description>
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/guestonly.xml b/docs-xml/smbdotconf/security/guestonly.xml
new file mode 100644
index 0000000..5660162
--- /dev/null
+++ b/docs-xml/smbdotconf/security/guestonly.xml
@@ -0,0 +1,15 @@
+<samba:parameter name="guest only"
+ context="S"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<synonym>only guest</synonym>
+<description>
+ <para>If this parameter is <constant>yes</constant> for
+ a service, then only guest connections to the service are permitted.
+ This parameter will have no effect if <smbconfoption name="guest ok"/> is not set for the service.</para>
+
+ <para>See the section below on <smbconfoption name="security"/> for more information about this option.
+ </para>
+</description>
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/hostsallow.xml b/docs-xml/smbdotconf/security/hostsallow.xml
new file mode 100644
index 0000000..8b4b622
--- /dev/null
+++ b/docs-xml/smbdotconf/security/hostsallow.xml
@@ -0,0 +1,62 @@
+<samba:parameter name="hosts allow"
+ context="S"
+ type="cmdlist"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<synonym>allow hosts</synonym>
+<description>
+ <para>A synonym for this parameter is <smbconfoption name="allow hosts"/>.</para>
+
+ <para>This parameter is a comma, space, or tab delimited
+ set of hosts which are permitted to access a service.</para>
+
+ <para>If specified in the [global] section then it will
+ apply to all services, regardless of whether the individual
+ service has a different setting.</para>
+
+ <para>You can specify the hosts by name or IP number. For
+ example, you could restrict access to only the hosts on a
+ Class C subnet with something like <command>allow hosts = 150.203.5.</command>.
+ The full syntax of the list is described in the man
+ page <filename>hosts_access(5)</filename>. Note that this man
+ page may not be present on your system, so a brief description will
+ be given here also.</para>
+
+ <para>Note that the localhost address 127.0.0.1 will always
+ be allowed access unless specifically denied by a <smbconfoption name="hosts deny"/> option.</para>
+
+ <para>You can also specify hosts by network/netmask pairs and
+ by netgroup names if your system supports netgroups. The
+ <emphasis>EXCEPT</emphasis> keyword can also be used to limit a
+ wildcard list. The following examples may provide some help:</para>
+
+<para>Example 1: allow all IPs in 150.203.*.*; except one</para>
+
+ <para><command moreinfo="none">hosts allow = 150.203. EXCEPT 150.203.6.66</command></para>
+
+ <para>Example 2: allow hosts that match the given network/netmask</para>
+
+ <para><command moreinfo="none">hosts allow = 150.203.15.0/255.255.255.0</command></para>
+
+ <para>Example 3: allow a couple of hosts</para>
+
+ <para><command moreinfo="none">hosts allow = lapland, arvidsjaur</command></para>
+
+ <para>Example 4: allow only hosts in NIS netgroup &quot;foonet&quot;, but
+ deny access from one particular host</para>
+
+ <para><command moreinfo="none">hosts allow = @foonet</command></para>
+
+ <para><command moreinfo="none">hosts deny = pirate</command></para>
+
+ <note><para>Note that access still requires suitable user-level passwords.</para></note>
+
+ <para>See <citerefentry><refentrytitle>testparm</refentrytitle>
+ <manvolnum>1</manvolnum></citerefentry> for a way of testing your host access
+ to see if it does what you expect.</para>
+
+
+</description>
+
+<value type="example">150.203.5. myhost.mynet.edu.au</value>
+<value type="default"><comment>none (i.e., all hosts permitted access)</comment></value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/hostsdeny.xml b/docs-xml/smbdotconf/security/hostsdeny.xml
new file mode 100644
index 0000000..cd2f8de
--- /dev/null
+++ b/docs-xml/smbdotconf/security/hostsdeny.xml
@@ -0,0 +1,24 @@
+<samba:parameter name="hosts deny"
+ context="S"
+ type="cmdlist"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<synonym>deny hosts</synonym>
+<description>
+ <para>The opposite of <parameter moreinfo="none">hosts allow</parameter>
+ - hosts listed here are <emphasis>NOT</emphasis> permitted access to
+ services unless the specific services have their own lists to override
+ this one. Where the lists conflict, the <parameter moreinfo="none">allow</parameter>
+ list takes precedence.</para>
+
+ <para>
+ In the event that it is necessary to deny all by default, use the keyword
+ ALL (or the netmask <literal>0.0.0.0/0</literal>) and then explicitly specify
+ to the <smbconfoption name="hosts allow">hosts allow</smbconfoption> parameter those hosts
+ that should be permitted access.
+ </para>
+</description>
+
+<value type="default"><comment>none (i.e., no hosts specifically excluded)</comment></value>
+
+<value type="example">150.203.4. badhost.mynet.edu.au</value>
+</samba:parameter>
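Review bot: The deny-all advice at lines 1606-1607 offers `0.0.0.0/0` as an equivalent of `ALL`, but an IPv4 netmask presumably only matches IPv4 peers, so on a host that also listens on IPv6 the netmask form would leave IPv6 clients outside the deny list. If that reading is right, `ALL` should be presented as the safe form and the netmask as an IPv4-only alternative, e.g. `use the keyword ALL (the netmask <literal>0.0.0.0/0</literal> covers IPv4 clients only)`. Since the `hosts allow` description states that 127.0.0.1 is admitted unless explicitly denied, it would also help to say here that `ALL` does include localhost.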
diff --git a/docs-xml/smbdotconf/security/inheritacls.xml b/docs-xml/smbdotconf/security/inheritacls.xml
new file mode 100644
index 0000000..4f1bf99
--- /dev/null
+++ b/docs-xml/smbdotconf/security/inheritacls.xml
@@ -0,0 +1,24 @@
+<samba:parameter name="inherit acls"
+ context="S"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This parameter is only relevant for filesystems that
+ do not support standardized NFS4 ACLs but only a POSIX draft ACL
+ implementation and which implements default ACLs like most filesystems
+ on Linux. It can be used to ensure that if default ACLs
+ exist on parent directories, they are always honored when creating a
+ new file or subdirectory in these parent directories. The default
+ behavior is to use the unix mode specified when creating the directory.
+ Enabling this option sets the unix mode to 0777, thus guaranteeing that
+ the default directory ACLs are propagated.
+
+ Note that using the VFS modules acl_xattr or acl_tdb which store native
+ Windows as meta-data will automatically turn this option on for any
+ share for which they are loaded, as they require this option to emulate
+ Windows ACLs correctly.
+</para>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
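Review bot: The sentence at lines 1638-1639 is missing its object: "the VFS modules acl_xattr or acl_tdb which store native Windows as meta-data" should read `which store native Windows ACLs as meta-data`. As written a reader cannot tell what is being stored, and the sentence is the one that explains why those modules force this option on.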
diff --git a/docs-xml/smbdotconf/security/inheritowner.xml b/docs-xml/smbdotconf/security/inheritowner.xml
new file mode 100644
index 0000000..c081e56
--- /dev/null
+++ b/docs-xml/smbdotconf/security/inheritowner.xml
@@ -0,0 +1,58 @@
+<samba:parameter name="inherit owner"
+ context="S"
+ type="enum"
+ enumlist="enum_inherit_owner_vals"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>The ownership of new files and directories
+ is normally governed by effective uid of the connected user.
+ This option allows the Samba administrator to specify that
+ the ownership for new files and directories should be controlled
+ by the ownership of the parent directory.</para>
+
+ <para>Valid options are:</para>
+ <itemizedlist>
+ <listitem><para><constant>no</constant> -
+ Both the Windows (SID) owner and the UNIX (uid) owner of the file are
+ governed by the identity of the user that created the file.
+ </para></listitem>
+
+ <listitem><para><constant>windows and unix</constant> -
+ The Windows (SID) owner and the UNIX (uid) owner of new files and
+ directories are set to the respective owner of the parent directory.
+ </para></listitem>
+
+ <listitem><para><constant>yes</constant> - a synonym for
+ <constant>windows and unix</constant>.
+ </para></listitem>
+
+ <listitem><para><constant>unix only</constant> -
+ Only the UNIX owner is set to the UNIX owner of the parent directory.
+ </para></listitem>
+ </itemizedlist>
+
+ <para>Common scenarios where this behavior is useful is in
+ implementing drop-boxes, where users can create and edit files but
+ not delete them and ensuring that newly created files in a user's
+ roaming profile directory are actually owned by the user.</para>
+
+ <para>The <constant>unix only</constant> option effectively
+ breaks the tie between the Windows owner of a file and the
+ UNIX owner. As a logical consequence, in this mode,
+ setting the Windows owner of a file does not modify the UNIX
+ owner. Using this mode should typically be combined with a
+ backing store that can emulate the full NT ACL model without
+ affecting the POSIX permissions, such as the acl_xattr
+ VFS module, coupled with
+ <smbconfoption name="acl_xattr:ignore system acls">yes</smbconfoption>.
+ This can be used to emulate folder quotas, when files are
+ exposed only via SMB (without UNIX extensions).
+ The UNIX owner of a directory is locally set
+ and inherited by all subdirectories and files, and they all
+ consume the same quota.</para>
+</description>
+
+<related>inherit permissions</related>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/inheritpermissions.xml b/docs-xml/smbdotconf/security/inheritpermissions.xml
new file mode 100644
index 0000000..9dda734
--- /dev/null
+++ b/docs-xml/smbdotconf/security/inheritpermissions.xml
@@ -0,0 +1,35 @@
+<samba:parameter name="inherit permissions"
+ context="S"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ The permissions on new files and directories are normally governed by <smbconfoption name="create mask"/>,
+ <smbconfoption name="directory mask"/>, <smbconfoption name="force create mode"/> and <smbconfoption
+ name="force directory mode"/> but the boolean inherit permissions parameter overrides this.
+ </para>
+
+ <para>New directories inherit the mode of the parent directory,
+ including bits such as setgid.</para>
+
+ <para>
+ New files inherit their read/write bits from the parent directory. Their execute bits continue to be
+ determined by <smbconfoption name="map archive"/>, <smbconfoption name="map hidden"/> and <smbconfoption
+ name="map system"/> as usual.
+ </para>
+
+ <para>Note that the setuid bit is <emphasis>never</emphasis> set via
+ inheritance (the code explicitly prohibits this).</para>
+
+ <para>This can be particularly useful on large systems with
+ many users, perhaps several thousand, to allow a single [homes]
+ share to be used flexibly by each user.</para>
+</description>
+
+<related>create mask</related>
+<related>directory mask</related>
+<related>force create mode</related>
+<related>force directory mode</related>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/invalidusers.xml b/docs-xml/smbdotconf/security/invalidusers.xml
new file mode 100644
index 0000000..b2fb2b9
--- /dev/null
+++ b/docs-xml/smbdotconf/security/invalidusers.xml
@@ -0,0 +1,34 @@
+<samba:parameter name="invalid users"
+ context="S"
+ type="cmdlist"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This is a list of users that should not be allowed
+ to login to this service. This is really a <emphasis>paranoid</emphasis>
+ check to absolutely ensure an improper setting does not breach
+ your security.</para>
+
+ <para>A name starting with a '@' is interpreted as an NIS
+ netgroup first (if your system supports NIS), and then as a UNIX
+ group if the name was not found in the NIS netgroup database.</para>
+
+ <para>A name starting with '+' is interpreted only
+ by looking in the UNIX group database via the NSS getgrnam() interface. A name starting with
+ '&amp;' is interpreted only by looking in the NIS netgroup database
+ (this requires NIS to be working on your system). The characters
+ '+' and '&amp;' may be used at the start of the name in either order
+ so the value <parameter moreinfo="none">+&amp;group</parameter> means check the
+ UNIX group database, followed by the NIS netgroup database, and
+ the value <parameter moreinfo="none">&amp;+group</parameter> means check the NIS
+ netgroup database, followed by the UNIX group database (the
+ same as the '@' prefix).</para>
+
+ <para>The current servicename is substituted for <parameter moreinfo="none">%S</parameter>.
+ This is useful in the [homes] section.</para>
+</description>
+
+<related>valid users</related>
+
+<value type="default"><comment>no invalid users</comment></value>
+<value type="example">root fred admin @wheel</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml b/docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml
new file mode 100644
index 0000000..9846111
--- /dev/null
+++ b/docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml
@@ -0,0 +1,42 @@
+<samba:parameter name="kdc default domain supported enctypes"
+ type="integer"
+ context="G"
+ handler="handle_kdc_default_domain_supported_enctypes"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ Set the default value of <constant>msDS-SupportedEncryptionTypes</constant> for service accounts in Active Directory that are missing this value or where <constant>msDS-SupportedEncryptionTypes</constant> is set to 0.
+ </para>
+
+ <para>
+ This allows Samba administrators to match the configuration flexibility provided by the
+ <constant>HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\KDC\DefaultDomainSupportedEncTypes</constant> Registry Value on Windows.
+ </para>
+ <para>
+ Unlike the Windows registry key (which only takes an base-10 number), in Samba this may also be expressed in hexadecimal or as a list of Kerberos encryption type names.
+ </para>
+ <para>
+ Specified values are ORed together bitwise, and those currently supported consist of:
+ </para><itemizedlist>
+ <listitem>
+ <para><constant>arcfour-hmac-md5</constant>, <constant>rc4-hmac</constant>, <constant>0x4</constant>, or <constant>4</constant></para>
+ <para>Known on Windows as Kerberos RC4 encryption</para>
+ </listitem>
+ <listitem>
+ <para><constant>aes128-cts-hmac-sha1-96</constant>, <constant>aes128-cts</constant>, <constant>0x8</constant>, or <constant>8</constant></para>
+ <para>Known on Windows as Kerberos AES 128 bit encryption</para>
+ </listitem>
+ <listitem>
+ <para><constant>aes256-cts-hmac-sha1-96</constant>, <constant>aes256-cts</constant>, <constant>0x10</constant>, or <constant>16</constant></para>
+ <para>Known on Windows as Kerberos AES 256 bit encryption</para>
+ </listitem>
+ <listitem>
+ <para><constant>aes256-cts-hmac-sha1-96-sk</constant>, <constant>aes256-cts-sk</constant>, <constant>0x20</constant>, or <constant>32</constant></para>
+ <para>Allow AES session keys. When this is set, it indicates to the KDC that AES session keys can be used, even when <constant>aes256-cts</constant> and <constant>aes128-cts</constant> are not set. This allows use of AES keys against hosts otherwise only configured with RC4 for ticket keys (which is the default).</para>
+ </listitem>
+</itemizedlist>
+
+</description>
+
+<value type="default">0<comment>maps to what the software supports currently: arcfour-hmac-md5 aes256-cts-hmac-sha1-96-sk</comment></value>
+</samba:parameter>
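Review bot: Line 1813 has a grammar slip, "takes an base-10 number", which should be `takes a base-10 number`; the same sentence recurs at line 1914 in the `kdc supported enctypes` file. The two parameters share the enctype vocabulary and one governs the per-account default while the other the KDC-wide set, yet neither file cross-references the other; other files in this series use `<related>` for that, so adding `<related>kdc supported enctypes</related>` here (and the converse there) would help an administrator find both when tightening enctypes.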
diff --git a/docs-xml/smbdotconf/security/kdcenablefast.xml b/docs-xml/smbdotconf/security/kdcenablefast.xml
new file mode 100644
index 0000000..e47ca3b
--- /dev/null
+++ b/docs-xml/smbdotconf/security/kdcenablefast.xml
@@ -0,0 +1,15 @@
+<samba:parameter name="kdc enable fast"
+ type="boolean"
+ context="G"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>With the Samba 4.16 the embedded Heimdal KDC brings
+ support for RFC6113 FAST, which wasn't available in
+ older Samba versions.</para>
+
+ <para>This option is mostly for testing and currently only applies
+ if the embedded Heimdal KDC is used.</para>
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/kdcforceenablerc4weaksessionkeys.xml b/docs-xml/smbdotconf/security/kdcforceenablerc4weaksessionkeys.xml
new file mode 100644
index 0000000..1cb46d7
--- /dev/null
+++ b/docs-xml/smbdotconf/security/kdcforceenablerc4weaksessionkeys.xml
@@ -0,0 +1,24 @@
+<samba:parameter name="kdc force enable rc4 weak session keys"
+ type="boolean"
+ context="G"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ <constant>RFC8429</constant> declares that
+ <constant>rc4-hmac</constant> Kerberos ciphers are weak and
+ there are known attacks on Active Directory use of this
+ cipher suite.
+ </para>
+ <para>
+ However for compatibility with Microsoft Windows this option
+ allows the KDC to assume that regardless of the value set in
+ a service account's
+ <constant>msDS-SupportedEncryptionTypes</constant> attribute
+ that a <constant>rc4-hmac</constant> Kerberos session key (as distinct from the ticket key, as
+ found in a service keytab) can be used if the potentially
+ older client requests it.
+ </para>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/kdcsupportedenctypes.xml b/docs-xml/smbdotconf/security/kdcsupportedenctypes.xml
new file mode 100644
index 0000000..5e028bb
--- /dev/null
+++ b/docs-xml/smbdotconf/security/kdcsupportedenctypes.xml
@@ -0,0 +1,40 @@
+<samba:parameter name="kdc supported enctypes"
+ type="integer"
+ context="G"
+ handler="handle_kdc_supported_enctypes"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ On an active directory domain controller, this is the list of supported encryption types for local running kdc.
+ </para>
+
+ <para>
+ This allows Samba administrators to remove support for weak/unused encryption types, similar
+ the configuration flexibility provided by the <constant>Network security: Configure encryption types allowed for Kerberos</constant>
+ GPO/Local Policies/Security Options Value, which results in the
+ <constant>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypes</constant> Registry Value on Windows.
+ </para>
+ <para>
+ Unlike the Windows registry key (which only takes an base-10 number), in Samba this may also be expressed as hexadecimal or a list of Kerberos encryption type names.
+ </para>
+ <para>
+ Specified values are ORed together bitwise, and those currently supported consist of:
+ </para><itemizedlist>
+ <listitem>
+ <para><constant>arcfour-hmac-md5</constant>, <constant>rc4-hmac</constant>, <constant>0x4</constant>, or <constant>4</constant></para>
+ <para>Known on Windows as Kerberos RC4 encryption</para>
+ </listitem>
+ <listitem>
+ <para><constant>aes128-cts-hmac-sha1-96</constant>, <constant>aes128-cts</constant>, <constant>0x8</constant>, or <constant>8</constant></para>
+ <para>Known on Windows as Kerberos AES 128 bit encryption</para>
+ </listitem>
+ <listitem>
+ <para><constant>aes256-cts-hmac-sha1-96</constant>, <constant>aes256-cts</constant>, <constant>0x10</constant>, or <constant>16</constant></para>
+ <para>Known on Windows as Kerberos AES 256 bit encryption</para>
+ </listitem>
+</itemizedlist>
+
+</description>
+
+<value type="default">0<comment>maps to what the software supports currently: arcfour-hmac-md5 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96</comment></value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/kerberosencryptiontypes.xml b/docs-xml/smbdotconf/security/kerberosencryptiontypes.xml
new file mode 100644
index 0000000..a245af5
--- /dev/null
+++ b/docs-xml/smbdotconf/security/kerberosencryptiontypes.xml
@@ -0,0 +1,47 @@
+<samba:parameter name="kerberos encryption types"
+ context="G"
+ type="enum"
+ enumlist="enum_kerberos_encryption_types_vals"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This parameter determines the encryption types to use when operating
+ as a Kerberos client. Possible values are <emphasis>all</emphasis>,
+ <emphasis>strong</emphasis>, and <emphasis>legacy</emphasis>.
+ </para>
+
+ <para>Samba uses a Kerberos library (MIT or Heimdal) to obtain Kerberos
+ tickets. This library is normally configured outside of Samba, using
+ the krb5.conf file. This file may also include directives to configure
+ the encryption types to be used. However, Samba implements Active Directory
+ protocols and algorithms to locate a domain controller. In order to
+ force the Kerberos library into using the correct domain controller,
+ some Samba processes, such as
+ <citerefentry><refentrytitle>winbindd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> and
+ <citerefentry><refentrytitle>net</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry>, build a private krb5.conf
+ file for use by the Kerberos library while being invoked from Samba.
+ This private file controls all aspects of the Kerberos library operation,
+ and this parameter controls how the encryption types are configured
+ within this generated file, and therefore also controls the encryption
+ types negotiable by Samba.
+ </para>
+
+ <para>When set to <constant>all</constant>, all active directory
+ encryption types are allowed.
+ </para>
+
+ <para>When set to <constant>strong</constant>, only AES-based encryption
+ types are offered. This can be used in hardened environments to prevent
+ downgrade attacks.
+ </para>
+
+ <para>When set to <constant>legacy</constant>, only RC4-HMAC-MD5
+ is allowed. AVOID using this option, because of
+ <ulink url="https://www.samba.org/samba/security/CVE-2022-37966.html">CVE-2022-37966</ulink> see
+ <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15237">https://bugzilla.samba.org/show_bug.cgi?id=15237</ulink>.
+ </para>
+</description>
+
+<value type="default">all</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/kerberosmethod.xml b/docs-xml/smbdotconf/security/kerberosmethod.xml
new file mode 100644
index 0000000..b7cd988
--- /dev/null
+++ b/docs-xml/smbdotconf/security/kerberosmethod.xml
@@ -0,0 +1,41 @@
+<samba:parameter name="kerberos method"
+ context="G"
+ type="enum"
+ enumlist="enum_kerberos_method"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ Controls how kerberos tickets are verified.
+ </para>
+
+ <para>Valid options are:</para>
+ <itemizedlist>
+ <listitem><para>secrets only - use only the secrets.tdb for
+ ticket verification (default)</para></listitem>
+
+ <listitem><para>system keytab - use only the system keytab
+ for ticket verification</para></listitem>
+
+ <listitem><para>dedicated keytab - use a dedicated keytab
+ for ticket verification</para></listitem>
+
+ <listitem><para>secrets and keytab - use the secrets.tdb
+ first, then the system keytab</para></listitem>
+ </itemizedlist>
+
+ <para>
+ The major difference between "system keytab" and "dedicated
+ keytab" is that the latter method relies on kerberos to find the
+ correct keytab entry instead of filtering based on expected
+ principals.
+ </para>
+
+ <para>
+ When the kerberos method is in "dedicated keytab" mode,
+ <smbconfoption name="dedicated keytab file"/> must be set to
+ specify the location of the keytab file.
+ </para>
+</description>
+<related>dedicated keytab file</related>
+<value type="default">default</value>
+</samba:parameter>
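Review bot: The option list at lines 2008-2009 marks "secrets only" as the default, but the `<value type="default">` at line 2035 is `default`, a value that does not appear in the list. If `default` is itself an accepted enum value that resolves to "secrets only", the list should include it and say so, e.g. `<listitem><para>default - currently equivalent to secrets only</para></listitem>`; if it is not, the default value should read `secrets only`. Either way the text and the declared default currently disagree.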
diff --git a/docs-xml/smbdotconf/security/kpasswdport.xml b/docs-xml/smbdotconf/security/kpasswdport.xml
new file mode 100644
index 0000000..71cd337
--- /dev/null
+++ b/docs-xml/smbdotconf/security/kpasswdport.xml
@@ -0,0 +1,11 @@
+<samba:parameter name="kpasswd port"
+ context="G"
+ type="integer"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>Specifies which ports the Kerberos server should listen on for
+ password changes.</para>
+</description>
+
+<value type="default">464</value>
+</samba:parameter>
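Review bot: Line 2048 says "which ports" although the parameter is declared `type="integer"` at line 2045 and holds a single value; the sibling `krb5 port` file says "which port". Suggest `Specifies which port the Kerberos server should listen on for password changes.` for consistency.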
diff --git a/docs-xml/smbdotconf/security/krb5port.xml b/docs-xml/smbdotconf/security/krb5port.xml
new file mode 100644
index 0000000..06c7988
--- /dev/null
+++ b/docs-xml/smbdotconf/security/krb5port.xml
@@ -0,0 +1,10 @@
+<samba:parameter name="krb5 port"
+ context="G"
+ type="integer"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>Specifies which port the KDC should listen on for Kerberos traffic.</para>
+</description>
+
+<value type="default">88</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/lanmanauth.xml b/docs-xml/smbdotconf/security/lanmanauth.xml
new file mode 100644
index 0000000..045e89d
--- /dev/null
+++ b/docs-xml/smbdotconf/security/lanmanauth.xml
@@ -0,0 +1,55 @@
+<samba:parameter name="lanman auth"
+ context="G"
+ type="boolean"
+ function="_lanman_auth"
+ deprecated="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This parameter has been deprecated since Samba 4.11 and
+ support for LanMan (as distinct from NTLM, NTLMv2 or
+ Kerberos authentication)
+ will be removed in a future Samba release.</para>
+ <para>That is, in the future, the current default of
+ <command>lanman auth = no</command>
+ will be the enforced behaviour.</para>
+
+ <para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> will attempt to
+ authenticate users or permit password changes
+ using the LANMAN password hash. If disabled, only clients which support NT
+ password hashes (e.g. Windows NT/2000 clients, smbclient, but not
+ Windows 95/98 or the MS DOS network client) will be able to
+ connect to the Samba host.</para>
+
+ <para>The LANMAN encrypted response is easily broken, due to its
+ case-insensitive nature, and the choice of algorithm. Servers
+ without Windows 95/98/ME or MS DOS clients are advised to disable
+ this option. </para>
+
+ <para>When this parameter is set to <value>no</value> this
+ will also result in sambaLMPassword in Samba's passdb being
+ blanked after the next password change. As a result of that
+ lanman clients won't be able to authenticate, even if lanman
+ auth is re-enabled later on.
+ </para>
+
+ <para>Unlike the <parameter moreinfo="none">encrypt
+ passwords</parameter> option, this parameter cannot alter client
+ behaviour, and the LANMAN response will still be sent over the
+ network. See the <command moreinfo="none">client lanman
+ auth</command> to disable this for Samba's clients (such as smbclient)</para>
+
+ <para>This parameter is overridden by <parameter moreinfo="none">ntlm
+ auth</parameter>, so unless that it is also set to
+ <constant>ntlmv1-permitted</constant> or <constant>yes</constant>,
+ then only NTLMv2 logins will be permitted and no LM hash will be
+ stored. All modern clients support NTLMv2, and but some older
+ clients require special configuration to use it.</para>
+
+ <para><emphasis>This parameter has no impact on the Samba AD DC,
+ LM authentication is always disabled and no LM password is ever
+ stored.</emphasis></para>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
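Review bot: Two sentences in the `ntlm auth` paragraph are garbled: line 2118 reads "so unless that it is also set" and should be `so unless it is also set`, and line 2121 reads "All modern clients support NTLMv2, and but some older clients" and should drop the "and". This paragraph is the one that tells administrators the interaction that actually decides whether an LM hash is stored, so it is worth reading cleanly.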
diff --git a/docs-xml/smbdotconf/security/lognttokencommand.xml b/docs-xml/smbdotconf/security/lognttokencommand.xml
new file mode 100644
index 0000000..0ea269e
--- /dev/null
+++ b/docs-xml/smbdotconf/security/lognttokencommand.xml
@@ -0,0 +1,14 @@
+<samba:parameter name="log nt token command"
+ context="G"
+ type="string"
+ substitution="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This option can be set to a command that will be called when new nt
+ tokens are created.</para>
+
+ <para>This is only useful for development purposes.</para>
+</description>
+
+<value type="default"></value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/maptoguest.xml b/docs-xml/smbdotconf/security/maptoguest.xml
new file mode 100644
index 0000000..c98086a
--- /dev/null
+++ b/docs-xml/smbdotconf/security/maptoguest.xml
@@ -0,0 +1,62 @@
+<samba:parameter name="map to guest"
+ type="enum"
+ context="G"
+ enumlist="enum_map_to_guest"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This parameter can take four different values, which tell
+ <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> what to do with user
+ login requests that don't match a valid UNIX user in some way.</para>
+
+ <para>The four settings are :</para>
+
+ <itemizedlist>
+ <listitem>
+ <para><constant>Never</constant> - Means user login
+ requests with an invalid password are rejected. This is the
+ default.</para>
+ </listitem>
+
+ <listitem>
+ <para><constant>Bad User</constant> - Means user
+ logins with an invalid password are rejected, unless the username
+ does not exist, in which case it is treated as a guest login and
+ mapped into the <smbconfoption name="guest account"/>.</para>
+ </listitem>
+
+ <listitem>
+ <para><constant>Bad Password</constant> - Means user logins
+ with an invalid password are treated as a guest login and mapped
+ into the <smbconfoption name="guest account"/>. Note that
+ this can cause problems as it means that any user incorrectly typing
+ their password will be silently logged on as &quot;guest&quot; - and
+ will not know the reason they cannot access files they think
+ they should - there will have been no message given to them
+ that they got their password wrong. Helpdesk services will
+ <emphasis>hate</emphasis> you if you set the <parameter moreinfo="none">map to
+ guest</parameter> parameter this way :-).</para>
+ </listitem>
+ <listitem>
+ <para><constant>Bad Uid</constant> - Is only applicable when Samba is configured
+ in some type of domain mode security (security = {domain|ads}) and means that
+ user logins which are successfully authenticated but which have no valid Unix
+ user account (and smbd is unable to create one) should be mapped to the defined
+ guest account. This was the default behavior of Samba 2.x releases. Note that
+ if a member server is running winbindd, this option should never be required
+ because the nss_winbind library will export the Windows domain users and groups
+ to the underlying OS via the Name Service Switch interface.</para>
+ </listitem>
+ </itemizedlist>
+
+ <para>Note that this parameter is needed to set up &quot;Guest&quot;
+ share services. This is because in these modes the name of the resource being
+ requested is <emphasis>not</emphasis> sent to the server until after
+ the server has successfully authenticated the client so the server
+ cannot make authentication decisions at the correct time (connection
+ to the share) for &quot;Guest&quot; shares. </para>
+</description>
+
+<value type="default">Never</value>
+<value type="example">Bad User</value>
+</samba:parameter>
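Review bot: The closing paragraph at lines 2208-2209 says "in these modes" without any antecedent, since the preceding list describes four values rather than modes; `in these modes` should presumably read `in the SMB protocol` or name the settings (Bad User, Bad Password) that enable guest shares. The "Bad Password" entry also only describes the helpdesk cost; from a defender's view it is worth stating that a mistyped password then no longer produces an authentication failure, so logging and any failed-logon monitoring presumably will not see it, which is a stronger reason to avoid that value.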
diff --git a/docs-xml/smbdotconf/security/mindomainuid.xml b/docs-xml/smbdotconf/security/mindomainuid.xml
new file mode 100644
index 0000000..46ae795
--- /dev/null
+++ b/docs-xml/smbdotconf/security/mindomainuid.xml
@@ -0,0 +1,17 @@
+<samba:parameter name="min domain uid"
+ type="integer"
+ context="G"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ The integer parameter specifies the minimum uid allowed when mapping a
+ local account to a domain account.
+ </para>
+
+ <para>
+ Note that this option interacts with the configured <emphasis>idmap ranges</emphasis>!
+ </para>
+</description>
+
+<value type="default">1000</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/mitkdccommand.xml b/docs-xml/smbdotconf/security/mitkdccommand.xml
new file mode 100644
index 0000000..602f27d
--- /dev/null
+++ b/docs-xml/smbdotconf/security/mitkdccommand.xml
@@ -0,0 +1,15 @@
+<samba:parameter name="mit kdc command"
+ context="G"
+ type="list"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This option specifies the path to the MIT kdc binary.</para>
+
+ <para>If the KDC is not installed in the default location and wasn't
+ correctly detected during build then you should modify this variable and
+ point it to the correct binary.</para>
+</description>
+
+<value type="default">&pathconfig.MITKDCPATH;</value>
+<value type="example">/opt/mit/sbin/krb5kdc</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/nt_hash_store.xml b/docs-xml/smbdotconf/security/nt_hash_store.xml
new file mode 100644
index 0000000..d7ed705
--- /dev/null
+++ b/docs-xml/smbdotconf/security/nt_hash_store.xml
@@ -0,0 +1,70 @@
+<samba:parameter name="nt hash store"
+ context="G"
+ type="enum"
+ enumlist="enum_nt_hash_store"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This parameter determines whether or not <citerefentry><refentrytitle>samba</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> will, as an AD DC, attempt to
+ store the NT password hash used in NTLM and NTLMv2 authentication for
+ users in this domain. </para>
+
+ <para>If so configured, the Samba Active Directory Domain Controller,
+ will, except for trust accounts (computers, domain
+ controllers and inter-domain trusts) the
+ <emphasis>NOT store the NT hash</emphasis>
+ for new and changed accounts in the sam.ldb database.</para>
+
+ <para>This avoids the storage of an unsalted hash for these
+ user-created passwords. As a consequence the
+ <constant>arcfour-hmac-md5</constant> Kerberos key type is
+ also unavailable in the KDC for these users - thankfully
+ <emphasis>modern clients will select an AES based key
+ instead.</emphasis></para>
+
+ <para>NOTE: As the password history in Active Directory is
+ stored as an NT hash (and thus unavailable), a workaround is
+ used, relying instead on Kerberos password hash values.
+ This stores three passwords, the current, previous and second previous
+ password. This allows some checking against reuse. </para>
+
+ <para>However as these values are salted, changing the
+ sAMAccountName, userAccountControl or userPrincipalName of
+ an account will cause the salt to change. After the rare
+ combination of both a rename and a password change only the
+ current password will be recognised for password history
+ purposes.
+ </para>
+ <para>The available settings are:</para>
+
+ <itemizedlist>
+ <listitem>
+ <para><constant>always</constant> - Always store the NT hash
+ (as machine accounts will also always store an NT hash,
+ a hash will be stored for all accounts).</para>
+
+ <para>This setting may be useful if <parameter
+ moreinfo="none">ntlm auth</parameter> is set to <constant>disabled</constant>
+ for a trial period</para>
+
+ </listitem>
+
+ <listitem>
+ <para><constant>never</constant> - Never store the NT hash
+ for user accounts, only for machine accounts</para>
+ </listitem>
+
+ <listitem>
+ <para><constant>auto</constant> - Store an NT hash if <parameter
+ moreinfo="none">ntlm auth</parameter> is not set to <constant>disabled</constant>.
+ </para>
+
+ </listitem>
+
+ </itemizedlist>
+
+</description>
+
+<related>ntlm auth</related>
+<value type="default">always</value>
+</samba:parameter>
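Review bot: The sentence at lines 2280-2284 does not parse: "will, except for trust accounts (...) the NOT store the NT hash" has a stray "the" and loses the verb, which matters because this is the sentence stating what the parameter actually does. Suggest `will, except for trust accounts (computers, domain controllers and inter-domain trusts), <emphasis>NOT store the NT hash</emphasis> for new and changed accounts in the sam.ldb database.` The opening sentence at lines 2275-2278 says the option decides whether the DC "will attempt to store" the hash, while this one says "if so configured" it will NOT store it; making both refer to the `never` setting explicitly would remove the ambiguity.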
diff --git a/docs-xml/smbdotconf/security/ntlmauth.xml b/docs-xml/smbdotconf/security/ntlmauth.xml
new file mode 100644
index 0000000..7ea38a4
--- /dev/null
+++ b/docs-xml/smbdotconf/security/ntlmauth.xml
@@ -0,0 +1,87 @@
+<samba:parameter name="ntlm auth"
+ context="G"
+ type="enum"
+ enumlist="enum_ntlm_auth"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> will attempt to
+ authenticate users using the NTLM encrypted password response for
+ this local passdb (SAM or account database). </para>
+
+ <para>If disabled, both NTLM and LanMan authentication against the
+ local passdb is disabled.</para>
+
+ <para>Note that these settings apply only to local users,
+ authentication will still be forwarded to and NTLM authentication
+ accepted against any domain we are joined to, and any trusted
+ domain, even if disabled or if NTLMv2-only is enforced here. To
+ control NTLM authentication for domain users, this option must
+ be configured on each DC.</para>
+
+ <para>By default with <command moreinfo="none">ntlm auth</command> set to
+ <constant>ntlmv2-only</constant> only NTLMv2 logins will be
+ permitted. All modern clients support NTLMv2 by default, but some older
+ clients will require special configuration to use it.</para>
+
+ <para>The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x.</para>
+
+ <para>The available settings are:</para>
+
+ <itemizedlist>
+ <listitem>
+ <para><constant>ntlmv1-permitted</constant>
+ (alias <constant>yes</constant>) - Allow NTLMv1 and above for all clients.</para>
+
+ <para>This is the required setting to enable the <parameter
+ moreinfo="none">lanman auth</parameter> parameter.</para>
+
+ </listitem>
+
+ <listitem>
+ <para><constant>ntlmv2-only</constant>
+ (alias <constant>no</constant>) - Do not allow NTLMv1 to be used,
+ but permit NTLMv2.</para>
+ </listitem>
+
+ <listitem>
+ <para><constant>mschapv2-and-ntlmv2-only</constant> - Only
+ allow NTLMv1 when the client promises that it is providing
+ MSCHAPv2 authentication (such as the <command
+ moreinfo="none">ntlm_auth</command> tool).</para>
+ </listitem>
+
+ <listitem>
+ <para><constant>disabled</constant> - Do not accept NTLM (or
+ LanMan) authentication of any level, nor permit
+ NTLM password changes.</para>
+
+ <para><emphasis>WARNING:</emphasis> Both Microsoft Windows
+ and Samba <emphasis>Read Only Domain Controllers</emphasis>
+ (RODCs) convert a plain-text LDAP Simple Bind into an NTLMv2
+ authentication to forward to a full DC. Setting this option
+ to <constant>disabled</constant> will cause these forwarded
+ authentications to fail.</para>
+
+ <para>Additionally, for Samba acting as an Active Directory
+ Domain Controller, for user accounts, if <parameter moreinfo="none">nt hash store</parameter>
+ is set to the default setting of <constant>auto</constant>,
+ the <emphasis>NT hash will not be stored</emphasis>
+ in the sam.ldb database for new users and after a
+ password change.</para>
+
+ </listitem>
+
+ </itemizedlist>
+
+ <para>The default changed from <constant>yes</constant> to
+ <constant>no</constant> with Samba 4.5. The default changed again
+ to <constant>ntlmv2-only</constant> with Samba 4.7, however the
+ behaviour is unchanged.</para>
+</description>
+
+<related>nt hash store</related>
+<related>lanman auth</related>
+<related>raw NTLMv2 auth</related>
+<value type="default">ntlmv2-only</value>
+</samba:parameter>
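Review bot: The fourth paragraph tags the parameter name as a command (`<command moreinfo="none">ntlm auth</command>`) while two paragraphs later `lanman auth` and `nt hash store` are tagged `<parameter moreinfo="none">`, and other files in this diff cross-reference options with `<smbconfoption name="..."/>`; using one form for smb.conf option names keeps the rendered man page uniform, and `<smbconfoption>` presumably also yields a link. The third paragraph also has a comma splice that makes the scope statement hard to parse; `Note that these settings apply only to local users; authentication will still be forwarded to, and NTLM authentication accepted against, any domain we are joined to, and any trusted domain, even if disabled or if NTLMv2-only is enforced here.` keeps the meaning and reads cleanly. That scope statement is the security-relevant caveat of this parameter, so it is worth getting the punctuation right.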
diff --git a/docs-xml/smbdotconf/security/ntpsigndsocketdirectory.xml b/docs-xml/smbdotconf/security/ntpsigndsocketdirectory.xml
new file mode 100644
index 0000000..18d70cf
--- /dev/null
+++ b/docs-xml/smbdotconf/security/ntpsigndsocketdirectory.xml
@@ -0,0 +1,16 @@
+<samba:parameter name="ntp signd socket directory"
+ context="G"
+ type="string"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This setting controls the location of the socket that
+ the NTP daemon uses to communicate with Samba for
+ signing packets.</para>
+
+ <para>If a non-default path is specified here, then it is also necessary
+ to make NTP aware of the new path using the <constant>ntpsigndsocket</constant>
+ directive in <filename>ntp.conf</filename>.</para>
+</description>
+
+<value type="default">&pathconfig.NTP_SIGND_SOCKET_DIR;</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/nullpasswords.xml b/docs-xml/smbdotconf/security/nullpasswords.xml
new file mode 100644
index 0000000..49533f6
--- /dev/null
+++ b/docs-xml/smbdotconf/security/nullpasswords.xml
@@ -0,0 +1,14 @@
+<samba:parameter name="null passwords"
+ context="G"
+ type="boolean"
+ deprecated="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>Allow or disallow client access to accounts that have null passwords. </para>
+
+ <para>See also <citerefentry><refentrytitle>smbpasswd</refentrytitle>
+ <manvolnum>5</manvolnum></citerefentry>.</para>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/obeypamrestrictions.xml b/docs-xml/smbdotconf/security/obeypamrestrictions.xml
new file mode 100644
index 0000000..92708ef
--- /dev/null
+++ b/docs-xml/smbdotconf/security/obeypamrestrictions.xml
@@ -0,0 +1,19 @@
+<samba:parameter name="obey pam restrictions"
+ context="G"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>When Samba 3.0 is configured to enable PAM support
+ (i.e. --with-pam), this parameter will control whether or not Samba
+ should obey PAM's account and session management directives. The
+ default behavior is to use PAM for clear text authentication only
+ and to ignore any account or session management. Note that Samba
+ always ignores PAM for authentication in the case of <smbconfoption
+ name="encrypt passwords">yes</smbconfoption>. The reason
+ is that PAM modules cannot support the challenge/response
+ authentication mechanism needed in the presence of SMB password encryption.
+</para>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/oldpasswordallowedperiod.xml b/docs-xml/smbdotconf/security/oldpasswordallowedperiod.xml
new file mode 100644
index 0000000..78d6ff1
--- /dev/null
+++ b/docs-xml/smbdotconf/security/oldpasswordallowedperiod.xml
@@ -0,0 +1,12 @@
+<samba:parameter name="old password allowed period"
+ context="G"
+ type="integer"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>Number of minutes to permit an NTLM login after a password change or reset using the old password. This allows the user to re-cache the new password on multiple clients without disrupting a network reconnection in the meantime. </para>
+
+ <para>This parameter only applies when <smbconfoption name="server role"/> is set to Active Directory Domain Controller.</para>
+</description>
+
+<value type="default">60</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/pampasswordchange.xml b/docs-xml/smbdotconf/security/pampasswordchange.xml
new file mode 100644
index 0000000..92ab4ad
--- /dev/null
+++ b/docs-xml/smbdotconf/security/pampasswordchange.xml
@@ -0,0 +1,16 @@
+<samba:parameter name="pam password change"
+ context="G"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>With the addition of better PAM support in Samba 2.2,
+ this parameter, it is possible to use PAM's password change control
+ flag for Samba. If enabled, then PAM will be used for password
+ changes when requested by an SMB client instead of the program listed in
+ <smbconfoption name="passwd program"/>.
+ It should be possible to enable this without changing your
+ <smbconfoption name="passwd chat"/> parameter for most setups.</para>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/passdbbackend.xml b/docs-xml/smbdotconf/security/passdbbackend.xml
new file mode 100644
index 0000000..8265b3e
--- /dev/null
+++ b/docs-xml/smbdotconf/security/passdbbackend.xml
@@ -0,0 +1,65 @@
+<samba:parameter name="passdb backend"
+ context="G"
+ type="string"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+ <para>This option allows the administrator to chose which backend
+ will be used for storing user and possibly group information. This allows
+ you to swap between different storage mechanisms without recompile. </para>
+
+ <para>The parameter value is divided into two parts, the backend's name, and a 'location'
+ string that has meaning only to that particular backed. These are separated
+ by a : character.</para>
+
+ <para>Available backends can include:
+ <itemizedlist>
+ <listitem>
+ <para><command moreinfo="none">smbpasswd</command> - The old plaintext passdb
+ backend. Some Samba features will not work if this passdb
+ backend is used. Takes a path to the smbpasswd file as an
+ optional argument.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para><command moreinfo="none">tdbsam</command> - The TDB based password storage
+ backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb
+ in the <smbconfoption name="private dir"/> directory.</para>
+ </listitem>
+
+ <listitem>
+ <para><command moreinfo="none">ldapsam</command> - The LDAP based passdb
+ backend. Takes an LDAP URL as an optional argument (defaults to
+ <command moreinfo="none">ldap://localhost</command>)</para>
+
+ <para>LDAP connections should be secured where possible. This may be done using either
+ Start-TLS (see <smbconfoption name="ldap ssl"/>) or by
+ specifying <parameter moreinfo="none">ldaps://</parameter> in
+ the URL argument. </para>
+
+ <para>Multiple servers may also be specified in double-quotes.
+ Whether multiple servers are supported or not and the exact
+ syntax depends on the LDAP library you use.
+ </para>
+
+ </listitem>
+ </itemizedlist>
+
+ </para>
+ Examples of use are:
+<programlisting>
+passdb backend = tdbsam:/etc/samba/private/passdb.tdb
+
+or multi server LDAP URL with OpenLDAP library:
+
+passdb backend = ldapsam:"ldap://ldap-1.example.com ldap://ldap-2.example.com"
+
+or multi server LDAP URL with Netscape based LDAP library:
+
+passdb backend = ldapsam:"ldap://ldap-1.example.com ldap-2.example.com"
+</programlisting>
+</description>
+
+<value type="default">tdbsam</value>
+</samba:parameter>
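Review bot: The tdbsam entry has an unbalanced parenthesis: `(defaults to passdb.tdb in the <smbconfoption name="private dir"/> directory.` never closes and should end `directory).`. Two typos in the opening paragraphs: `chose` should be `choose` and `backed` should be `backend`. Structurally, the `<itemizedlist>` is nested inside the `<para>` opened at `Available backends can include:`, and the line `Examples of use are:` is bare text directly under `<description>` outside any `<para>`, unlike every other file in this diff; closing the paragraph before the list and wrapping the examples lead-in in its own `<para>` would make the file consistent. The phrase `The old plaintext passdb backend` for smbpasswd can be read as saying passwords are stored in clear; if the intent is the flat text file format, `The legacy flat-text-file passdb backend` avoids that misreading.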
diff --git a/docs-xml/smbdotconf/security/passdbexpandexplicit.xml b/docs-xml/smbdotconf/security/passdbexpandexplicit.xml
new file mode 100644
index 0000000..41c8ea0
--- /dev/null
+++ b/docs-xml/smbdotconf/security/passdbexpandexplicit.xml
@@ -0,0 +1,14 @@
+<samba:parameter name="passdb expand explicit"
+ context="G"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This parameter controls whether Samba substitutes %-macros in the passdb fields if they are explicitly set. We
+ used to expand macros here, but this turned out to be a bug because the Windows client can expand a variable
+ %G_osver% in which %G would have been substituted by the user's primary group.
+ </para>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/passwdchat.xml b/docs-xml/smbdotconf/security/passwdchat.xml
new file mode 100644
index 0000000..a04fc62
--- /dev/null
+++ b/docs-xml/smbdotconf/security/passwdchat.xml
@@ -0,0 +1,57 @@
+<samba:parameter name="passwd chat"
+ context="G"
+ type="string"
+ substitution="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This string controls the <emphasis>&quot;chat&quot;</emphasis>
+ conversation that takes places between <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> and the local password changing
+ program to change the user's password. The string describes a
+ sequence of response-receive pairs that <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> uses to determine what to send to the
+ <smbconfoption name="passwd program"/> and what to expect back. If the expected output is not
+ received then the password is not changed.</para>
+
+ <para>This chat sequence is often quite site specific, depending
+ on what local methods are used for password control.</para>
+
+ <para>Note that this parameter only is used if the <smbconfoption
+ name="unix password sync"/> parameter is set to <constant>yes</constant>. This sequence is
+ then called <emphasis>AS ROOT</emphasis> when the SMB password in the
+ smbpasswd file is being changed, without access to the old password
+ cleartext. This means that root must be able to reset the user's password without
+ knowing the text of the previous password.
+ </para>
+
+ <para>The string can contain the macro <parameter
+ moreinfo="none">%n</parameter> which is substituted
+ for the new password. The old password (<parameter
+ moreinfo="none">%o</parameter>) is only available when
+ <smbconfoption name="encrypt passwords"/> has been disabled.
+ The chat sequence can also contain the standard macros
+ \n, \r, \t and \s to give line-feed, carriage-return, tab
+ and space. The chat sequence string can also contain
+ a '*' which matches any sequence of characters. Double quotes can
+ be used to collect strings with spaces in them into a single
+ string.</para>
+
+ <para>If the send string in any part of the chat sequence is a full
+ stop &quot;.&quot;, then no string is sent. Similarly, if the
+ expect string is a full stop then no string is expected.</para>
+
+ <para>If the <smbconfoption name="pam password change"/> parameter is set to <constant>yes</constant>, the
+ chat pairs may be matched in any order, and success is determined by the PAM result, not any particular
+ output. The \n macro is ignored for PAM conversions.
+ </para>
+
+</description>
+
+<related>unix password sync</related>
+<related>passwd program</related>
+<related>passwd chat debug</related>
+<related>pam password change</related>
+
+<value type="default">*new*password* %n\n *new*password* %n\n *changed*</value>
+<value type="example">&quot;*Enter NEW password*&quot; %n\n &quot;*Reenter NEW password*&quot; %n\n &quot;*Password changed*&quot;</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/passwdchatdebug.xml b/docs-xml/smbdotconf/security/passwdchatdebug.xml
new file mode 100644
index 0000000..0c3481e
--- /dev/null
+++ b/docs-xml/smbdotconf/security/passwdchatdebug.xml
@@ -0,0 +1,26 @@
+<samba:parameter name="passwd chat debug"
+ context="G"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This boolean specifies if the passwd chat script
+ parameter is run in <emphasis>debug</emphasis> mode. In this mode the
+ strings passed to and received from the passwd chat are printed
+ in the <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> log with a
+ <smbconfoption name="debug level"/>
+ of 100. This is a dangerous option as it will allow plaintext passwords
+ to be seen in the <command moreinfo="none">smbd</command> log. It is available to help
+ Samba admins debug their <parameter moreinfo="none">passwd chat</parameter> scripts
+ when calling the <parameter moreinfo="none">passwd program</parameter> and should
+ be turned off after this has been done. This option has no effect if the
+ <smbconfoption name="pam password change"/>
+ parameter is set. This parameter is off by default.</para>
+</description>
+
+<related>passwd chat</related>
+<related>pam password change</related>
+<related>passwd program</related>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/passwdchattimeout.xml b/docs-xml/smbdotconf/security/passwdchattimeout.xml
new file mode 100644
index 0000000..74e8688
--- /dev/null
+++ b/docs-xml/smbdotconf/security/passwdchattimeout.xml
@@ -0,0 +1,13 @@
+<samba:parameter name="passwd chat timeout"
+ context="G"
+ type="integer"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This integer specifies the number of seconds smbd will wait for an initial
+ answer from a passwd chat script being run. Once the initial answer is received
+ the subsequent answers must be received in one tenth of this time. The default it
+ two seconds.</para>
+</description>
+
+<value type="default">2</value>
+</samba:parameter>
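Review bot: The last sentence has a typo: `The default it two seconds.` should read `The default is two seconds.`. Since `<value type="default">2</value>` already records the default, the sentence could also be dropped so the prose and the declared default cannot drift apart.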
diff --git a/docs-xml/smbdotconf/security/passwdprogram.xml b/docs-xml/smbdotconf/security/passwdprogram.xml
new file mode 100644
index 0000000..e12cc8e
--- /dev/null
+++ b/docs-xml/smbdotconf/security/passwdprogram.xml
@@ -0,0 +1,37 @@
+<samba:parameter name="passwd program"
+ context="G"
+ type="string"
+ substitution="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+ <description>
+ <para>The name of a program that can be used to set
+ UNIX user passwords. Any occurrences of <parameter moreinfo="none">%u</parameter>
+ will be replaced with the user name. The user name is checked for
+ existence before calling the password changing program.</para>
+
+ <para>Also note that many passwd programs insist in <emphasis>reasonable
+ </emphasis> passwords, such as a minimum length, or the inclusion
+ of mixed case chars and digits. This can pose a problem as some clients
+ (such as Windows for Workgroups) uppercase the password before sending
+ it.</para>
+
+ <para><emphasis>Note</emphasis> that if the <parameter moreinfo="none">unix
+ password sync</parameter> parameter is set to <constant>yes
+ </constant> then this program is called <emphasis>AS ROOT</emphasis>
+ before the SMB password in the smbpasswd
+ file is changed. If this UNIX password change fails, then
+ <command moreinfo="none">smbd</command> will fail to change the SMB password also
+ (this is by design).</para>
+
+ <para>If the <parameter moreinfo="none">unix password sync</parameter> parameter
+ is set this parameter <emphasis>MUST USE ABSOLUTE PATHS</emphasis>
+ for <emphasis>ALL</emphasis> programs called, and must be examined
+ for security implications. Note that by default <parameter moreinfo="none">unix
+ password sync</parameter> is set to <constant>no</constant>.</para>
+ </description>
+
+ <related>unix password symc</related>
+
+ <value type="default"></value>
+<value type="example">/bin/passwd %u</value>
+</samba:parameter>
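Review bot: The cross-reference `<related>unix password symc</related>` misspells the parameter name and will not match the `unix password sync` parameter the description refers to three times; it should read `<related>unix password sync</related>`. The `<description>`, `<related>` and default `<value>` elements in this file are indented by one space where every sibling file in this diff puts them at column 0; aligning them keeps the files uniform. Since the text already states the program is called AS ROOT, a short why next to the capitalised warning, e.g. `(the program runs as root, so its location must not depend on the search path)`, would make the absolute-path requirement self-explanatory.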
diff --git a/docs-xml/smbdotconf/security/passwordhashgpgkeyids.xml b/docs-xml/smbdotconf/security/passwordhashgpgkeyids.xml
new file mode 100644
index 0000000..e53cdbe
--- /dev/null
+++ b/docs-xml/smbdotconf/security/passwordhashgpgkeyids.xml
@@ -0,0 +1,45 @@
+<samba:parameter name="password hash gpg key ids"
+ context="G"
+ type="cmdlist"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>If <command moreinfo="none">samba</command> is running as an
+ active directory domain controller, it is possible to store the
+ cleartext password of accounts in a PGP/OpenGPG encrypted form.</para>
+
+ <para>You can specify one or more recipients by key id or user id.
+ Note that 32bit key ids are not allowed, specify at least 64bit.</para>
+
+ <para>The value is stored as 'Primary:SambaGPG' in the
+ <command moreinfo="none">supplementalCredentials</command> attribute.</para>
+
+ <para>As password changes can occur on any domain controller,
+ you should configure this on each of them. Note that this feature is currently
+ available only on Samba domain controllers.</para>
+
+ <para>This option is only available if <command moreinfo="none">samba</command>
+ was compiled with <command moreinfo="none">gpgme</command> support.</para>
+
+ <para>You may need to export the <command moreinfo="none">GNUPGHOME</command>
+ environment variable before starting <command moreinfo="none">samba</command>.
+ <emphasis>It is strongly recommended to only store the public key in this
+ location. The private key is not used for encryption and should be
+ only stored where decryption is required.</emphasis></para>
+
+ <para>Being able to restore the cleartext password helps, when they need to be imported
+ into other authentication systems later (see <command moreinfo="none">samba-tool user getpassword</command>)
+ or you want to keep the passwords in sync with another system, e.g. an OpenLDAP server
+ (see <command moreinfo="none">samba-tool user syncpasswords</command>).</para>
+
+ <para>While this option needs to be configured on all domain controllers, the
+ <command moreinfo="none">samba-tool user syncpasswords</command> command should
+ run on a single domain controller only (typically the PDC-emulator).</para>
+</description>
+
+<related>unix password sync</related>
+
+<value type="default"></value>
+<value type="example">4952E40301FAB41A</value>
+<value type="example">selftest@samba.example.com</value>
+<value type="example">selftest@samba.example.com, 4952E40301FAB41A</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/passwordhashuserpasswordschemes.xml b/docs-xml/smbdotconf/security/passwordhashuserpasswordschemes.xml
new file mode 100644
index 0000000..18a43f9
--- /dev/null
+++ b/docs-xml/smbdotconf/security/passwordhashuserpasswordschemes.xml
@@ -0,0 +1,67 @@
+<samba:parameter name="password hash userPassword schemes"
+ context="G"
+ type="cmdlist"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+<para>This parameter determines whether or not
+<citerefentry><refentrytitle>samba</refentrytitle>
+<manvolnum>8</manvolnum></citerefentry> acting as an Active
+Directory Domain Controller will attempt to store additional
+passwords hash types for the user</para>
+
+<para>The values are stored as 'Primary:userPassword' in the
+<command moreinfo="none">supplementalCredentials</command>
+attribute. The value of this option is a hash type.</para>
+
+<para>The currently supported hash types are:</para>
+<itemizedlist>
+ <listitem>
+ <para><constant>CryptSHA256</constant></para>
+ </listitem>
+ <listitem>
+ <para><constant>CryptSHA512</constant></para>
+ </listitem>
+</itemizedlist>
+
+<para>Multiple instances of a hash type may be computed and stored.
+The password hashes are calculated using the
+<citerefentry><refentrytitle>crypt</refentrytitle>
+<manvolnum>3</manvolnum></citerefentry> call.
+The number of rounds used to compute the hash can be specified by adding
+':rounds=xxxx' to the hash type, i.e. CryptSHA512:rounds=4500 would calculate
+an SHA512 hash using 4500 rounds. If not specified the Operating System
+defaults for
+<citerefentry><refentrytitle>crypt</refentrytitle>
+<manvolnum>3</manvolnum></citerefentry> are used.
+</para>
+
+<para>As password changes can occur on any domain controller,
+you should configure this on each of them. Note that this feature is
+currently available only on Samba domain controllers.</para>
+
+<para>Currently the NT Hash of the password is recorded when these hashes
+are calculated and stored. When retrieving the hashes the current value of the
+NT Hash is checked against the stored NT Hash. This detects password changes
+that have not updated the password hashes. In this case
+<command moreinfo="none">samba-tool user</command> will ignore the stored
+hash values.
+</para>
+
+<para>Being able to obtain the hashed password helps, when
+they need to be imported into other authentication systems
+later (see <command moreinfo="none">samba-tool user
+getpassword</command>) or you want to keep the passwords in
+sync with another system, e.g. an OpenLDAP server (see
+<command moreinfo="none">samba-tool user
+syncpasswords</command>).</para>
+
+<related>unix password sync</related>
+
+</description>
+
+<value type="default"></value>
+<value type="example">CryptSHA256</value>
+<value type="example">CryptSHA256 CryptSHA512</value>
+<value type="example">CryptSHA256:rounds=5000 CryptSHA512:rounds=7000</value>
+</samba:parameter>
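Review bot: The `<related>unix password sync</related>` element sits inside `<description>` (just before `</description>`), whereas every other file in this diff, including passwordhashgpgkeyids.xml, places `<related>` after `</description>`; it should be moved out so the structure matches the sibling files and whatever consumes `<related>` presumably finds it. Two wording fixes: `passwords hash types` should be `password hash types`, and `i.e. CryptSHA512:rounds=4500` introduces an example, so `e.g.` is the right abbreviation. The sentence `The value of this option is a hash type.` is at odds with the later `Multiple instances of a hash type may be computed and stored.` and with the multi-value examples; `The value of this option is a list of hash types.` would be accurate.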
diff --git a/docs-xml/smbdotconf/security/passwordserver.xml b/docs-xml/smbdotconf/security/passwordserver.xml
new file mode 100644
index 0000000..8bc2ecb
--- /dev/null
+++ b/docs-xml/smbdotconf/security/passwordserver.xml
@@ -0,0 +1,46 @@
+<samba:parameter name="password server"
+ context="G"
+ type="string"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>By specifying the name of a domain controller with this option,
+ and using <command moreinfo="none">security = [ads|domain]</command>
+ it is possible to get Samba
+ to do all its username/password validation using a specific remote server.</para>
+
+ <para>Ideally, this option
+ <emphasis>should not</emphasis> be used, as the default '*' indicates to Samba
+ to determine the best DC to contact dynamically, just as all other hosts in an
+ AD domain do. This allows the domain to be maintained (addition
+ and removal of domain controllers) without modification to
+ the smb.conf file. The cryptographic protection on the authenticated RPC calls
+ used to verify passwords ensures that this default is safe.</para>
+
+ <para><emphasis>It is strongly recommended that you use the
+ default of '*'</emphasis>, however if in your particular
+ environment you have reason to specify a particular DC list, then
+ the list of machines in this option must be a list of names or IP
+ addresses of Domain controllers for the Domain. If you use the
+ default of '*', or list several hosts in the <parameter
+ moreinfo="none">password server</parameter> option then <command
+ moreinfo="none">smbd </command> will try each in turn till it
+ finds one that responds. This is useful in case your primary
+ server goes down.</para>
+
+ <para>If the list of servers contains both names/IP's and the '*'
+ character, the list is treated as a list of preferred
+ domain controllers, but an auto lookup of all remaining DC's
+ will be added to the list as well. Samba will not attempt to optimize
+ this list by locating the closest DC.</para>
+
+ <para>If parameter is a name, it is looked up using the
+ parameter <smbconfoption name="name resolve order"/> and so may resolved
+ by any method and order described in that parameter.</para>
+
+</description>
+
+<related>security</related>
+<value type="default">*</value>
+<value type="example">NT-PDC, NT-BDC1, NT-BDC2, *</value>
+<value type="example">windc.mydomain.com:389 192.168.1.101 *</value>
+</samba:parameter>
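Review bot: Two grammar fixes in the new text: `and so may resolved by any method` should be `and so may be resolved by any method`, and `names/IP's` should be `names/IPs`. The sentence `The cryptographic protection on the authenticated RPC calls used to verify passwords ensures that this default is safe.` carries the security argument for keeping `*`, and it would be more useful if it named which mechanism is meant, so a reader can check it against the relevant parameters rather than take it on trust.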
diff --git a/docs-xml/smbdotconf/security/preloadmodules.xml b/docs-xml/smbdotconf/security/preloadmodules.xml
new file mode 100644
index 0000000..7b77674
--- /dev/null
+++ b/docs-xml/smbdotconf/security/preloadmodules.xml
@@ -0,0 +1,13 @@
+<samba:parameter name="preload modules"
+ type="cmdlist"
+ context="G"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This is a list of paths to modules that should
+ be loaded into smbd before a client connects. This improves
+ the speed of smbd when reacting to new connections somewhat. </para>
+</description>
+
+<value type="default"></value>
+<value type="example">/usr/lib/samba/passdb/mysql.so</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/privatedir.xml b/docs-xml/smbdotconf/security/privatedir.xml
new file mode 100644
index 0000000..9abcb7e
--- /dev/null
+++ b/docs-xml/smbdotconf/security/privatedir.xml
@@ -0,0 +1,14 @@
+<samba:parameter name="private dir"
+ context="G"
+ type="string"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<synonym>private directory</synonym>
+<description>
+ <para>This parameters defines the directory
+ smbd will use for storing such files as <filename moreinfo="none">smbpasswd</filename>
+ and <filename moreinfo="none">secrets.tdb</filename>.
+</para>
+</description>
+
+<value type="default">&pathconfig.PRIVATE_DIR;</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/rawntlmv2auth.xml b/docs-xml/smbdotconf/security/rawntlmv2auth.xml
new file mode 100644
index 0000000..c4d7554
--- /dev/null
+++ b/docs-xml/smbdotconf/security/rawntlmv2auth.xml
@@ -0,0 +1,27 @@
+<samba:parameter name="raw NTLMv2 auth"
+ context="G"
+ type="boolean"
+ deprecated="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This parameter has been deprecated since Samba 4.13 and
+ support for NTLMv2 authentication without NTLMSSP will be removed
+ in a future Samba release.</para>
+ <para>That is, in the future, the current default of
+ <command>raw NTLMv2 auth = no</command>
+ will be the enforced behaviour.</para>
+
+ <para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> will allow SMB1 clients without
+ extended security (without SPNEGO) to use NTLMv2 authentication.</para>
+
+ <para>If this option, <command moreinfo="none">lanman auth</command>
+ and <command moreinfo="none">ntlm auth</command> are all disabled,
+ then only clients with SPNEGO support will be permitted.
+ That means NTLMv2 is only supported within NTLMSSP.</para>
+</description>
+
+<related>lanman auth</related>
+<related>ntlm auth</related>
+<value type="default">no</value>
+</samba:parameter>
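Review bot: The element `<command>raw NTLMv2 auth = no</command>` is the only `<command>` in this diff without `moreinfo="none"`; the surrounding files write `<command moreinfo="none">...</command>` consistently, and this file itself does so two paragraphs later for `lanman auth` and `ntlm auth`. Adding the attribute here keeps the markup uniform.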
diff --git a/docs-xml/smbdotconf/security/readlist.xml b/docs-xml/smbdotconf/security/readlist.xml
new file mode 100644
index 0000000..96f3746
--- /dev/null
+++ b/docs-xml/smbdotconf/security/readlist.xml
@@ -0,0 +1,18 @@
+<samba:parameter name="read list"
+ context="S"
+ type="cmdlist"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This is a list of users that are given read-only access to a service. If the connecting user is in this list
+ then they will not be given write access, no matter what the <smbconfoption name="read only"/> option is set
+ to. The list can include group names using the syntax described in the <smbconfoption name="invalid users"/>
+ parameter.
+ </para>
+</description>
+<related>write list</related>
+<related>invalid users</related>
+
+<value type="default"></value>
+<value type="example">mary, @students</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/readonly.xml b/docs-xml/smbdotconf/security/readonly.xml
new file mode 100644
index 0000000..834633f
--- /dev/null
+++ b/docs-xml/smbdotconf/security/readonly.xml
@@ -0,0 +1,18 @@
+<samba:parameter name="read only"
+ context="S"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>An inverted synonym is <smbconfoption name="writeable"/>.</para>
+
+ <para>If this parameter is <constant>yes</constant>, then users
+ of a service may not create or modify files in the service's
+ directory.</para>
+
+ <para>Note that a printable service (<command moreinfo="none">printable = yes</command>)
+ will <emphasis>ALWAYS</emphasis> allow writing to the directory
+ (user privileges permitting), but only via spooling operations.</para>
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/renameuserscript.xml b/docs-xml/smbdotconf/security/renameuserscript.xml
new file mode 100644
index 0000000..2bfbea4
--- /dev/null
+++ b/docs-xml/smbdotconf/security/renameuserscript.xml
@@ -0,0 +1,33 @@
+<samba:parameter name="rename user script"
+ context="G"
+ type="string"
+ substitution="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This is the full pathname to a script that will be run as root by <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> under special circumstances described below.
+ </para>
+
+ <para>
+ When a user with admin authority or SeAddUserPrivilege rights renames a user (e.g.: from the NT4 User Manager
+ for Domains), this script will be run to rename the POSIX user. Two variables, <literal>%uold</literal> and
+ <literal>%unew</literal>, will be substituted with the old and new usernames, respectively. The script should
+ return 0 upon successful completion, and nonzero otherwise.
+ </para>
+
+ <note><para>
+ The script has all responsibility to rename all the necessary data that is accessible in this posix method.
+ This can mean different requirements for different backends. The tdbsam and smbpasswd backends will take care
+ of the contents of their respective files, so the script is responsible only for changing the POSIX username, and
+ other data that may required for your circumstances, such as home directory. Please also consider whether or
+ not you need to rename the actual home directories themselves. The ldapsam backend will not make any changes,
+ because of the potential issues with renaming the LDAP naming attribute. In this case the script is
+ responsible for changing the attribute that samba uses (uid) for locating users, as well as any data that
+ needs to change for other applications using the same directory.
+ </para></note>
+
+</description>
+
+<value type="default"></value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/restrictanonymous.xml b/docs-xml/smbdotconf/security/restrictanonymous.xml
new file mode 100644
index 0000000..06abe7b
--- /dev/null
+++ b/docs-xml/smbdotconf/security/restrictanonymous.xml
@@ -0,0 +1,38 @@
+<samba:parameter name="restrict anonymous"
+ type="integer"
+ context="G"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ The setting of this parameter determines whether SAMR and LSA
+ DCERPC services can be accessed anonymously. This corresponds
+ to the following Windows Server registry options:
+ </para>
+
+ <programlisting>
+ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous
+ </programlisting>
+
+ <para>
+ The option also affects the browse option which is required by
+ legacy clients which rely on Netbios browsing. While modern
+ Windows version should be fine with restricting the access
+ there could still be applications relying on anonymous access.
+ </para>
+
+ <para>
+ Setting <smbconfoption name="restrict anonymous">1</smbconfoption>
+ will disable anonymous SAMR access.
+ </para>
+
+ <para>
+ Setting <smbconfoption name="restrict anonymous">2</smbconfoption>
+ will, in addition to restricting SAMR access, disallow anonymous
+ connections to the IPC$ share in general.
+ Setting <smbconfoption name="guest ok">yes</smbconfoption> on any share
+ will remove the security advantage.
+ </para>
+</description>
+
+<value type="default">0</value>
+</samba:parameter>
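Review bot: The first paragraph announces `the following Windows Server registry options` but the programlisting names a single key, so the sentence should read `This corresponds to the following Windows Server registry option:`. The description also never states what the default value 0 means; given that 1 disables anonymous SAMR access and 2 additionally blocks anonymous IPC$ connections, a sentence such as `Setting restrict anonymous = 0 (the default) leaves anonymous access to these services enabled.` would make all three levels explicit, assuming that is the implemented behaviour. Minor wording: `While modern Windows version should be fine` should be `versions`, and `the browse option` does not say which option is meant.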
diff --git a/docs-xml/smbdotconf/security/rootdirectory.xml b/docs-xml/smbdotconf/security/rootdirectory.xml
new file mode 100644
index 0000000..0eb7c15
--- /dev/null
+++ b/docs-xml/smbdotconf/security/rootdirectory.xml
@@ -0,0 +1,35 @@
+<samba:parameter name="root directory"
+ context="G"
+ type="string"
+ substitution="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<synonym>root</synonym>
+<synonym>root dir</synonym>
+<description>
+ <para>The server will <command moreinfo="none">chroot()</command> (i.e.
+ Change its root directory) to this directory on startup. This is
+ not strictly necessary for secure operation. Even without it the
+ server will deny access to files not in one of the service entries.
+ It may also check for, and deny access to, soft links to other
+ parts of the filesystem, or attempts to use &quot;..&quot; in file names
+ to access other directories (depending on the setting of the
+ <smbconfoption name="wide links"/> parameter).
+ </para>
+
+ <para>Adding a <parameter moreinfo="none">root directory</parameter> entry other
+ than &quot;/&quot; adds an extra level of security, but at a price. It
+ absolutely ensures that no access is given to files not in the
+ sub-tree specified in the <parameter moreinfo="none">root directory</parameter>
+ option, <emphasis>including</emphasis> some files needed for
+ complete operation of the server. To maintain full operability
+ of the server you will need to mirror some system files
+ into the <parameter moreinfo="none">root directory</parameter> tree. In particular
+ you will need to mirror <filename moreinfo="none">/etc/passwd</filename> (or a
+ subset of it), and any binaries or configuration files needed for
+ printing (if required). The set of files that must be mirrored is
+ operating system dependent.</para>
+</description>
+
+<value type="default"></value>
+<value type="example">/homes/smb</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/sambakcccommand.xml b/docs-xml/smbdotconf/security/sambakcccommand.xml
new file mode 100644
index 0000000..af8a28a
--- /dev/null
+++ b/docs-xml/smbdotconf/security/sambakcccommand.xml
@@ -0,0 +1,18 @@
+<samba:parameter name="samba kcc command"
+ context="G"
+ type="cmdlist"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This option specifies the path to the Samba KCC command.
+ This script is used for replication topology replication.
+ </para>
+
+ <para>It should not be necessary to modify this option except
+ for testing purposes or if the <filename>samba_kcc</filename>
+ was installed in a non-default location.
+ </para>
+</description>
+
+<value type="default">&pathconfig.SCRIPTSBINDIR;/samba_kcc</value>
+<value type="example">/usr/local/bin/kcc</value>
+</samba:parameter>
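Review bot: `This script is used for replication topology replication.` in the first paragraph repeats the word and does not explain the script's role; if samba_kcc is the tool that computes the directory replication topology, `This script generates the directory replication topology.` would be clearer. The second paragraph is missing a noun: `if the samba_kcc was installed in a non-default location` should be `if the samba_kcc script was installed in a non-default location`.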
diff --git a/docs-xml/smbdotconf/security/security.xml b/docs-xml/smbdotconf/security/security.xml
new file mode 100644
index 0000000..be2e9fd
--- /dev/null
+++ b/docs-xml/smbdotconf/security/security.xml
@@ -0,0 +1,105 @@
+<samba:parameter name="security"
+ context="G"
+ type="enum"
+ function="_security"
+ enumlist="enum_security"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<when_value value="security">
+ <requires option="encrypt passwords">/(yes|true)/</requires>
+</when_value>
+<description>
+ <para>This option affects how clients respond to
+ Samba and is one of the most important settings in the <filename moreinfo="none">
+ smb.conf</filename> file.</para>
+
+ <para>Unless <smbconfoption name="server role"/> is specified,
+ the default is <command moreinfo="none">security = user</command>, as this is
+ the most common setting, used for a standalone file server or a DC.</para>
+
+ <para>The alternatives to <command moreinfo="none">security = user</command> are
+ <command moreinfo="none">security = ads</command> or <command moreinfo="none">security = domain
+ </command>, which support joining Samba to a Windows domain</para>
+
+ <para>You should use <command moreinfo="none">security = user</command> and
+ <smbconfoption name="map to guest"/> if you
+ want to mainly setup shares without a password (guest shares). This
+ is commonly used for a shared printer server. </para>
+
+ <para>The different settings will now be explained.</para>
+
+
+ <para><anchor id="SECURITYEQUALSAUTO"/><emphasis>SECURITY = AUTO</emphasis></para>
+
+ <para>This is the default security setting in Samba, and causes Samba to consult
+ the <smbconfoption name="server role"/> parameter (if set) to determine the security mode.</para>
+
+ <para><anchor id="SECURITYEQUALSUSER"/><emphasis>SECURITY = USER</emphasis></para>
+
+ <para>If <smbconfoption name="server role"/> is not specified, this is the default security setting in Samba.
+ With user-level security a client must first &quot;log-on&quot; with a
+ valid username and password (which can be mapped using the <smbconfoption name="username map"/>
+ parameter). Encrypted passwords (see the <smbconfoption name="encrypt passwords"/> parameter) can also
+ be used in this security mode. Parameters such as <smbconfoption name="force user"/> and <smbconfoption
+ name="guest only"/> if set are then applied and
+ may change the UNIX user to use on this connection, but only after
+ the user has been successfully authenticated.</para>
+
+ <para><emphasis>Note</emphasis> that the name of the resource being
+ requested is <emphasis>not</emphasis> sent to the server until after
+ the server has successfully authenticated the client. This is why
+ guest shares don't work in user level security without allowing
+ the server to automatically map unknown users into the <smbconfoption name="guest account"/>.
+ See the <smbconfoption name="map to guest"/> parameter for details on doing this.</para>
+
+ <para><anchor id="SECURITYEQUALSDOMAIN"/><emphasis>SECURITY = DOMAIN</emphasis></para>
+
+ <para>This mode will only work correctly if <citerefentry><refentrytitle>net</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> has been used to add this
+ machine into a Windows NT Domain. It expects the <smbconfoption name="encrypt passwords"/>
+ parameter to be set to <constant>yes</constant>. In this
+ mode Samba will try to validate the username/password by passing
+ it to a Windows NT Primary or Backup Domain Controller, in exactly
+ the same way that a Windows NT Server would do.</para>
+
+ <para><emphasis>Note</emphasis> that a valid UNIX user must still
+ exist as well as the account on the Domain Controller to allow
+ Samba to have a valid UNIX account to map file access to.</para>
+
+ <para><emphasis>Note</emphasis> that from the client's point
+ of view <command moreinfo="none">security = domain</command> is the same
+ as <command moreinfo="none">security = user</command>. It only
+ affects how the server deals with the authentication,
+ it does not in any way affect what the client sees.</para>
+
+ <para><emphasis>Note</emphasis> that the name of the resource being
+ requested is <emphasis>not</emphasis> sent to the server until after
+ the server has successfully authenticated the client. This is why
+ guest shares don't work in user level security without allowing
+ the server to automatically map unknown users into the <smbconfoption name="guest account"/>.
+ See the <smbconfoption name="map to guest"/> parameter for details on doing this.</para>
+
+ <para>See also the <smbconfoption name="password server"/> parameter and
+ the <smbconfoption name="encrypt passwords"/> parameter.</para>
+
+ <para><anchor id="SECURITYEQUALSADS"/><emphasis>SECURITY = ADS</emphasis></para>
+
+ <para>In this mode, Samba will act as a domain member in an ADS realm. To operate
+ in this mode, the machine running Samba will need to have Kerberos installed
+ and configured and Samba will need to be joined to the ADS realm using the
+ net utility. </para>
+
+ <para>Note that this mode does NOT make Samba operate as a Active Directory Domain
+ Controller. </para>
+
+ <para>Note that this forces <smbconfoption name="require strong key">yes</smbconfoption>
+ and <smbconfoption name="client schannel">yes</smbconfoption> for the primary domain.</para>
+
+ <para>Read the chapter about Domain Membership in the HOWTO for details.</para>
+</description>
+
+<related>realm</related>
+<related>encrypt passwords</related>
+
+<value type="default">AUTO</value>
+<value type="example">DOMAIN</value>
+</samba:parameter>
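Review bot: The `<when_value value="security">` block at the top requires `encrypt passwords` for a value named `security`, which is not one of the documented settings (AUTO, USER, DOMAIN, ADS); since the DOMAIN section says that mode expects `encrypt passwords = yes`, the condition was presumably meant to be `<when_value value="domain">`, and as written it can never match. The paragraph beginning `Note that the name of the resource being requested is not sent to the server` appears twice, once under SECURITY = USER and again verbatim under SECURITY = DOMAIN where it still talks about user level security; the second copy should be dropped. Smaller fixes: the sentence ending `which support joining Samba to a Windows domain` lacks a full stop, and `a Active Directory Domain Controller` should be `an Active Directory Domain Controller`.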
diff --git a/docs-xml/smbdotconf/security/securitymask.xml b/docs-xml/smbdotconf/security/securitymask.xml
new file mode 100644
index 0000000..e535d32
--- /dev/null
+++ b/docs-xml/smbdotconf/security/securitymask.xml
@@ -0,0 +1,11 @@
+<samba:parameter name="security mask"
+ context="S"
+ type="string"
+ removed="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This parameter has been removed for Samba 4.0.0.
+ </para>
+</description>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/serverrole.xml b/docs-xml/smbdotconf/security/serverrole.xml
new file mode 100644
index 0000000..4ea4e47
--- /dev/null
+++ b/docs-xml/smbdotconf/security/serverrole.xml
@@ -0,0 +1,96 @@
+<samba:parameter name="server role"
+ context="G"
+ type="enum"
+ function="_server_role"
+ enumlist="enum_server_role"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This option determines the basic operating mode of a Samba
+ server and is one of the most important settings in the <filename
+ moreinfo="none"> smb.conf</filename> file.</para>
+
+ <para>The default is <command moreinfo="none">server role = auto</command>, as causes
+ Samba to operate according to the <smbconfoption name="security"/> setting, or if not
+ specified as a simple file server that is not connected to any domain.</para>
+
+ <para>The alternatives are
+ <command moreinfo="none">server role = standalone</command> or <command moreinfo="none">server role = member server
+ </command>, which support joining Samba to a Windows domain, along with <command moreinfo="none">server role = domain controller</command>, which run Samba as a Windows domain controller.</para>
+
+ <para>You should use <command moreinfo="none">server role = standalone</command> and
+ <smbconfoption name="map to guest"/> if you
+ want to mainly setup shares without a password (guest shares). This
+ is commonly used for a shared printer server. </para>
+
+ <para><anchor id="AUTO"/><emphasis>SERVER ROLE = AUTO</emphasis></para>
+
+ <para>This is the default server role in Samba, and causes Samba to consult
+ the <smbconfoption name="security"/> parameter (if set) to determine the server role, giving compatible behaviours to previous Samba versions.</para>
+
+ <para><anchor id="STANDALONE"/><emphasis>SERVER ROLE = STANDALONE</emphasis></para>
+
+ <para>If <smbconfoption name="security"/> is also not specified, this is the default security setting in Samba.
+ In standalone operation, a client must first &quot;log-on&quot; with a
+ valid username and password (which can be mapped using the <smbconfoption name="username map"/>
+ parameter) stored on this machine. Encrypted passwords (see the <smbconfoption name="encrypt passwords"/> parameter) are by default
+ used in this security mode. Parameters such as <smbconfoption name="force user"/> and <smbconfoption
+ name="guest only"/> if set are then applied and
+ may change the UNIX user to use on this connection, but only after
+ the user has been successfully authenticated.</para>
+
+ <para><anchor id="MEMBER SERVER"/><emphasis>SERVER ROLE = MEMBER SERVER</emphasis></para>
+
+ <para>This mode will only work correctly if <citerefentry><refentrytitle>net</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> has been used to add this
+ machine into a Windows Domain. It expects the <smbconfoption name="encrypt passwords"/>
+ parameter to be set to <constant>yes</constant>. In this
+ mode Samba will try to validate the username/password by passing
+ it to a Windows or Samba Domain Controller, in exactly
+ the same way that a Windows Server would do.</para>
+
+ <para><emphasis>Note</emphasis> that a valid UNIX user must still
+ exist as well as the account on the Domain Controller to allow
+ Samba to have a valid UNIX account to map file access to. Winbind can provide this.</para>
+
+ <para><anchor id="PDC"/><emphasis>SERVER ROLE = CLASSIC PRIMARY DOMAIN CONTROLLER</emphasis></para>
+
+ <para>This mode of operation runs a classic Samba primary domain
+ controller, providing domain logon services to Windows and Samba
+ clients of an NT4-like domain. Clients must be joined to the domain to
+ create a secure, trusted path across the network. There must be
+ only one PDC per NetBIOS scope (typically a broadcast network or
+ clients served by a single WINS server).</para>
+
+ <para><anchor id="BDC"/><emphasis>SERVER ROLE = CLASSIC BACKUP DOMAIN CONTROLLER</emphasis></para>
+
+ <para>This mode of operation runs a classic Samba backup domain
+ controller, providing domain logon services to Windows and Samba
+ clients of an NT4-like domain. As a BDC, this allows
+ multiple Samba servers to provide redundant logon services to a
+ single NetBIOS scope.</para>
+
+ <para><anchor id="AD-DC"/><emphasis>SERVER ROLE = ACTIVE DIRECTORY DOMAIN CONTROLLER</emphasis></para>
+
+ <para>This mode of operation runs Samba as an active directory
+ domain controller, providing domain logon services to Windows and
+ Samba clients of the domain. This role requires special
+ configuration, see the <ulink
+ url="http://wiki.samba.org/index.php/Samba4/HOWTO">Samba4
+ HOWTO</ulink></para>
+
+ <para><anchor id="IPA-DC"/><emphasis>SERVER ROLE = IPA DOMAIN CONTROLLER</emphasis></para>
+
+ <para>This mode of operation runs Samba in a hybrid mode for IPA
+ domain controller, providing forest trust to Active Directory.
+ This role requires special configuration performed by IPA installers
+ and should not be used manually by any administrator.
+ </para>
+</description>
+
+<related>security</related>
+<related>realm</related>
+<related>encrypt passwords</related>
+
+<value type="default">AUTO</value>
+<value type="example">ACTIVE DIRECTORY DOMAIN CONTROLLER</value>
+</samba:parameter>
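Review bot: `<anchor id="MEMBER SERVER"/>` contains a space in its ID value; XML ID attributes must be NCNames, so this anchor will not validate and cannot be the target of a link, and it should follow the other anchors, e.g. `<anchor id="MEMBER-SERVER"/>`. The "alternatives" paragraph says that standalone and member server both `support joining Samba to a Windows domain`, but the STANDALONE section a few paragraphs later describes authentication against accounts stored on this machine, so only member server belongs in that clause. Grammar: `as causes Samba to operate` should be `as it causes Samba to operate`, and `which run Samba as a Windows domain controller` should be `which runs`.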
diff --git a/docs-xml/smbdotconf/security/serverschannel.xml b/docs-xml/smbdotconf/security/serverschannel.xml
new file mode 100644
index 0000000..5c69f0f
--- /dev/null
+++ b/docs-xml/smbdotconf/security/serverschannel.xml
@@ -0,0 +1,102 @@
+<samba:parameter name="server schannel"
+ context="G"
+ type="enum"
+ enumlist="enum_bool_auto"
+ deprecated="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+ <para>
+ This option is deprecated and will be removed in future,
+ as it is a security problem if not set to "yes" (which will be
+ the hardcoded behavior in future).
+ </para>
+
+ <para><emphasis>Avoid using this option!</emphasis> Use explicit '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>' instead!
+ </para>
+
+ <para>
+ Samba will log an error in the log files at log level 0
+ if legacy a client is rejected or allowed without an explicit,
+ '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>' option
+ for the client. The message will indicate
+ the explicit '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>'
+ line to be added, if the legacy client software requires it. (The log level can be adjusted with
+ '<smbconfoption name="CVE_2020_1472:error_debug_level">1</smbconfoption>'
+ in order to complain only at a higher log level).
+ </para>
+
+ <para>
+ This allows admins to use "auto" only for a short grace period,
+ in order to collect the explicit
+ '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>' options.
+ </para>
+
+ <para>
+ See <ulink url="https://www.samba.org/samba/security/CVE-2020-1472.html">CVE-2020-1472(ZeroLogon)</ulink>,
+ <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=14497">https://bugzilla.samba.org/show_bug.cgi?id=14497</ulink>.
+ </para>
+
+ <para>This option is over-ridden by the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.</para>
+
+ <para>This option is over-ridden by the effective value of 'yes' from
+ the '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT"/>'
+ and/or '<smbconfoption name="server schannel require seal"/>' options.</para>
+
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>
+
+<samba:parameter name="server require schannel:COMPUTERACCOUNT"
+ context="G"
+ type="string"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+ <para>If you still have legacy domain members, which required "server schannel = auto" before,
+ it is possible to specify explicit exception per computer account
+ by using 'server require schannel:COMPUTERACCOUNT = no' as option.
+ Note that COMPUTERACCOUNT has to be the sAMAccountName value of
+ the computer account (including the trailing '$' sign).
+ </para>
+
+ <para>
+ Samba will complain in the log files at log level 0,
+ about the security problem if the option is not set to "no",
+ but the related computer is actually using the netlogon
+ secure channel (schannel) feature.
+ (The log level can be adjusted with
+ '<smbconfoption name="CVE_2020_1472:warn_about_unused_debug_level">1</smbconfoption>'
+ in order to complain only at a higher log level).
+ </para>
+
+ <para>
+ Samba will warn in the log files at log level 5,
+ if a setting is still needed for the specified computer account.
+ </para>
+
+ <para>
+ See <ulink url="https://www.samba.org/samba/security/CVE-2020-1472.html">CVE-2020-1472(ZeroLogon)</ulink>,
+ <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=14497">https://bugzilla.samba.org/show_bug.cgi?id=14497</ulink>.
+ </para>
+
+ <para>This option overrides the <smbconfoption name="server schannel"/> option.</para>
+
+ <para>This option is over-ridden by the effective value of 'yes' from
+ the '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT"/>'
+ and/or '<smbconfoption name="server schannel require seal"/>' options.</para>
+ <para>Which means '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>'
+ is only useful in combination with '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>'</para>
+
+ <programlisting>
+ server require schannel:LEGACYCOMPUTER1$ = no
+ server require schannel seal:LEGACYCOMPUTER1$ = no
+ server require schannel:NASBOX$ = no
+ server require schannel seal:NASBOX$ = no
+ server require schannel:LEGACYCOMPUTER2$ = no
+ server require schannel seal:LEGACYCOMPUTER2$ = no
+ </programlisting>
+</description>
+
+</samba:parameter>
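Review bot: In the `server require schannel:COMPUTERACCOUNT` description, the sentence `Samba will complain ... if the option is not set to "no", but the related computer is actually using the netlogon secure channel` appears to have its logic inverted: the tunable named there is `warn_about_unused_debug_level`, and the parallel text for the seal option says the complaint is raised when the option *is* set to "no" but not needed, so the `not` looks spurious and should be removed unless the implementation really warns about missing exceptions. The programlisting at the end uses `server require schannel seal:LEGACYCOMPUTER1$ = no`, whereas the paragraph directly above and the parameter documented in serverschannelrequireseal.xml call it `server schannel require seal:COMPUTERACCOUNT`; the listing in that file uses the same unexpected spelling, so both listings should be brought in line with the documented name unless both spellings are accepted by the parser. Typo: `if legacy a client is rejected` should be `if a legacy client is rejected` (the same phrase occurs in serverschannelrequireseal.xml).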
diff --git a/docs-xml/smbdotconf/security/serverschannelrequireseal.xml b/docs-xml/smbdotconf/security/serverschannelrequireseal.xml
new file mode 100644
index 0000000..0bec67d
--- /dev/null
+++ b/docs-xml/smbdotconf/security/serverschannelrequireseal.xml
@@ -0,0 +1,117 @@
+<samba:parameter name="server schannel require seal"
+ context="G"
+ type="boolean"
+ deprecated="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+ <para>
+ This option is deprecated and will be removed in future,
+ as it is a security problem if not set to "yes" (which will be
+ the hardcoded behavior in future).
+ </para>
+
+ <para>
+ This option controls whether the netlogon server, will reject the usage
+ of netlogon secure channel without privacy/enryption.
+ </para>
+
+ <para>
+ The option is modelled after the registry key available on Windows.
+ </para>
+
+ <programlisting>
+ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RequireSeal=2
+ </programlisting>
+
+ <para>
+ <emphasis>Avoid using this option!</emphasis> Use the per computer account specific option
+ '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT"/>' instead!
+ Which is available with the patches for
+ <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>
+ see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
+ </para>
+
+ <para>
+ Samba will log an error in the log files at log level 0
+ if legacy a client is rejected or allowed without an explicit,
+ '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>' option
+ for the client. The message will indicate
+ the explicit '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>'
+ line to be added, if the legacy client software requires it. (The log level can be adjusted with
+ '<smbconfoption name="CVE_2022_38023:error_debug_level">1</smbconfoption>'
+ in order to complain only at a higher log level).
+ </para>
+
+ <para>This allows admins to use "no" only for a short grace period,
+ in order to collect the explicit
+ '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>' options.</para>
+
+ <para>
+ When set to 'yes' this option overrides the
+ '<smbconfoption name="server require schannel:COMPUTERACCOUNT"/>' and
+ '<smbconfoption name="server schannel"/>' options and implies
+ '<smbconfoption name="server require schannel:COMPUTERACCOUNT">yes</smbconfoption>'.
+ </para>
+
+ <para>
+ This option is over-ridden by the <smbconfoption name="server schannel require seal:COMPUTERACCOUNT"/> option.
+ </para>
+
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>
+
+<samba:parameter name="server schannel require seal:COMPUTERACCOUNT"
+ context="G"
+ type="string"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+ <para>
+ If you still have legacy domain members, which required "server schannel require seal = no" before,
+ it is possible to specify explicit exception per computer account
+ by using 'server schannel require seal:COMPUTERACCOUNT = no' as option.
+ Note that COMPUTERACCOUNT has to be the sAMAccountName value of
+ the computer account (including the trailing '$' sign).
+ </para>
+
+ <para>
+ Samba will log a complaint in the log files at log level 0
+ about the security problem if the option is set to "no",
+ but the related computer does not require it.
+ (The log level can be adjusted with
+ '<smbconfoption name="CVE_2022_38023:warn_about_unused_debug_level">1</smbconfoption>'
+ in order to complain only at a higher log level).
+ </para>
+
+ <para>
+ Samba will warn in the log files at log level 5,
+ if a setting is still needed for the specified computer account.
+ </para>
+
+ <para>
+ See <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>,
+ <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
+ </para>
+
+ <para>
+ This option overrides the '<smbconfoption name="server schannel require seal"/>' option.
+ </para>
+
+ <para>
+ When set to 'yes' this option overrides the
+ '<smbconfoption name="server require schannel:COMPUTERACCOUNT"/>' and
+ '<smbconfoption name="server schannel"/>' options and implies
+ '<smbconfoption name="server require schannel:COMPUTERACCOUNT">yes</smbconfoption>'.
+ </para>
+
+ <programlisting>
+ server require schannel seal:LEGACYCOMPUTER1$ = no
+ server require schannel seal:NASBOX$ = no
+ server require schannel seal:LEGACYCOMPUTER2$ = no
+ </programlisting>
+</description>
+
+</samba:parameter>
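Review bot: `without privacy/enryption` in the second paragraph is misspelt and should read `without privacy/encryption`; the comma in `the netlogon server, will reject` is also misplaced. The sentence `Which is available with the patches for CVE-2022-38023 see https://bugzilla.samba.org/show_bug.cgi?id=15240.` is a fragment and should be joined to the preceding one: `...instead, which is available with the patches for CVE-2022-38023; see https://bugzilla.samba.org/show_bug.cgi?id=15240.`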
diff --git a/docs-xml/smbdotconf/security/serversigning.xml b/docs-xml/smbdotconf/security/serversigning.xml
new file mode 100644
index 0000000..0b7755a
--- /dev/null
+++ b/docs-xml/smbdotconf/security/serversigning.xml
@@ -0,0 +1,29 @@
+<samba:parameter name="server signing"
+ context="G"
+ type="enum"
+ enumlist="enum_smb_signing_vals"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+ <para>This controls whether the client is allowed or required to use SMB1 and SMB2 signing. Possible values
+ are <emphasis>default</emphasis>, <emphasis>auto</emphasis>, <emphasis>mandatory</emphasis>
+ and <emphasis>disabled</emphasis>.
+ </para>
+
+ <para>By default, and when smb signing is set to
+ <emphasis>default</emphasis>, smb signing is required when
+ <smbconfoption name="server role"/> is <emphasis>active directory
+ domain controller</emphasis> and disabled otherwise.</para>
+
+ <para>When set to auto, SMB1 signing is offered, but not enforced.
+ When set to mandatory, SMB1 signing is required and if set
+ to disabled, SMB signing is not offered either.</para>
+
+ <para>For the SMB2 protocol, by design, signing cannot be disabled. In the case
+ where SMB2 is negotiated, if this parameter is set to <emphasis>disabled</emphasis>,
+ it will be treated as <emphasis>auto</emphasis>. Setting it to <emphasis>mandatory</emphasis>
+ will still require SMB2 clients to use signing.</para>
+</description>
+
+<value type="default">default</value>
+</samba:parameter>
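Review bot: The second paragraph refers to `when smb signing is set to default`, but the parameter being documented is `server signing`; it should read `when server signing is set to default` so readers do not look for a non-existent option. The opening sentence says the setting controls `SMB1 and SMB2 signing`, while the last paragraph explains that SMB2 signing cannot be disabled and `disabled` is treated as `auto`; stating in the first paragraph that `disabled` only affects SMB1 would prevent administrators from assuming SMB2 traffic can be left unsigned.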
diff --git a/docs-xml/smbdotconf/security/serversmbencrypt.xml b/docs-xml/smbdotconf/security/serversmbencrypt.xml
new file mode 100644
index 0000000..5f38b46
--- /dev/null
+++ b/docs-xml/smbdotconf/security/serversmbencrypt.xml
@@ -0,0 +1,241 @@
+<samba:parameter name="server smb encrypt"
+ context="S"
+ type="enum"
+ enumlist="enum_smb_encryption_vals"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This parameter controls whether a remote client is allowed or required
+ to use SMB encryption. It has different effects depending on whether
+ the connection uses SMB1 or SMB2 and newer:
+ </para>
+
+ <itemizedlist>
+ <listitem>
+ <para>
+ If the connection uses SMB1, then this option controls the use
+ of a Samba-specific extension to the SMB protocol introduced in
+ Samba 3.2 that makes use of the Unix extensions.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ If the connection uses SMB2 or newer, then this option controls
+ the use of the SMB-level encryption that is supported in SMB
+ version 3.0 and above and available in Windows 8 and newer.
+ </para>
+ </listitem>
+ </itemizedlist>
+
+ <para>
+ This parameter can be set globally and on a per-share bases.
+ Possible values are
+
+ <emphasis>off</emphasis>,
+ <emphasis>if_required</emphasis>,
+ <emphasis>desired</emphasis>,
+ and
+ <emphasis>required</emphasis>.
+ A special value is <emphasis>default</emphasis> which is
+ the implicit default setting of <emphasis>if_required</emphasis>.
+ </para>
+
+ <variablelist>
+ <varlistentry>
+ <term><emphasis>Effects for SMB1</emphasis></term>
+ <listitem>
+ <para>
+ The Samba-specific encryption of SMB1 connections is an
+ extension to the SMB protocol negotiated as part of the UNIX
+ extensions. SMB encryption uses the GSSAPI (SSPI on Windows)
+ ability to encrypt and sign every request/response in a SMB
+ protocol stream. When enabled it provides a secure method of
+ SMB/CIFS communication, similar to an ssh protected session, but
+ using SMB/CIFS authentication to negotiate encryption and
+ signing keys. Currently this is only supported smbclient of by
+ Samba 3.2 and newer, and hopefully soon Linux CIFSFS and MacOS/X
+ clients. Windows clients do not support this feature.
+ </para>
+
+ <para>This may be set on a per-share
+ basis, but clients may chose to encrypt the entire session, not
+ just traffic to a specific share. If this is set to mandatory
+ then all traffic to a share <emphasis>must</emphasis>
+ be encrypted once the connection has been made to the share.
+ The server would return "access denied" to all non-encrypted
+ requests on such a share. Selecting encrypted traffic reduces
+ throughput as smaller packet sizes must be used (no huge UNIX
+ style read/writes allowed) as well as the overhead of encrypting
+ and signing all the data.
+ </para>
+
+ <para>
+ If SMB encryption is selected, Windows style SMB signing (see
+ the <smbconfoption name="server signing"/> option) is no longer
+ necessary, as the GSSAPI flags use select both signing and
+ sealing of the data.
+ </para>
+
+ <para>
+ When set to auto or default, SMB encryption is offered, but not
+ enforced. When set to mandatory, SMB encryption is required and
+ if set to disabled, SMB encryption can not be negotiated.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis>Effects for SMB2 and newer</emphasis></term>
+ <listitem>
+ <para>
+ Native SMB transport encryption is available in SMB version 3.0
+ or newer. It is only offered by Samba if
+ <emphasis>server max protocol</emphasis> is set to
+ <emphasis>SMB3</emphasis> or newer.
+ Clients supporting this type of encryption include
+ Windows 8 and newer,
+ Windows server 2012 and newer,
+ and smbclient of Samba 4.1 and newer.
+ </para>
+
+ <para>
+ The protocol implementation offers various options:
+ </para>
+
+ <itemizedlist>
+ <listitem>
+ <para>
+ The capability to perform SMB encryption can be
+ negotiated during protocol negotiation.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Data encryption can be enabled globally. In that case,
+ an encryption-capable connection will have all traffic
+ in all its sessions encrypted. In particular all share
+ connections will be encrypted.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Data encryption can also be enabled per share if not
+ enabled globally. For an encryption-capable connection,
+ all connections to an encryption-enabled share will be
+ encrypted.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Encryption can be enforced. This means that session
+ setups will be denied on non-encryption-capable
+ connections if data encryption has been enabled
+ globally. And tree connections will be denied for
+ non-encryption capable connections to shares with data
+ encryption enabled.
+ </para>
+ </listitem>
+ </itemizedlist>
+
+ <para>
+ These features can be controlled with settings of
+ <emphasis>server smb encrypt</emphasis> as follows:
+ </para>
+
+ <itemizedlist>
+ <listitem>
+ <para>
+ Leaving it as default, explicitly setting
+ <emphasis>default</emphasis>, or setting it to
+ <emphasis>if_required</emphasis> globally will enable
+ negotiation of encryption but will not turn on
+ data encryption globally or per share.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Setting it to <emphasis>desired</emphasis> globally
+ will enable negotiation and will turn on data encryption
+ on sessions and share connections for those clients
+ that support it.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Setting it to <emphasis>required</emphasis> globally
+ will enable negotiation and turn on data encryption
+ on sessions and share connections. Clients that do
+ not support encryption will be denied access to the
+ server.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Setting it to <emphasis>off</emphasis> globally will
+ completely disable the encryption feature for all
+ connections. Setting <parameter>server smb encrypt =
+ required</parameter> for individual shares (while it's
+ globally off) will deny access to this shares for all
+ clients.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Setting it to <emphasis>desired</emphasis> on a share
+ will turn on data encryption for this share for clients
+ that support encryption if negotiation has been
+ enabled globally.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Setting it to <emphasis>required</emphasis> on a share
+ will enforce data encryption for this share if
+ negotiation has been enabled globally. I.e. clients that
+ do not support encryption will be denied access to the
+ share.
+ </para>
+ <para>
+ Note that this allows per-share enforcing to be
+ controlled in Samba differently from Windows:
+ In Windows, <emphasis>RejectUnencryptedAccess</emphasis>
+ is a global setting, and if it is set, all shares with
+ data encryption turned on
+ are automatically enforcing encryption. In order to
+ achieve the same effect in Samba, one
+ has to globally set <emphasis>server smb encrypt</emphasis> to
+ <emphasis>if_required</emphasis>, and then set all shares
+ that should be encrypted to
+ <emphasis>required</emphasis>.
+ Additionally, it is possible in Samba to have some
+ shares with encryption <emphasis>required</emphasis>
+ and some other shares with encryption only
+ <emphasis>desired</emphasis>, which is not possible in
+ Windows.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Setting it to <emphasis>off</emphasis> or
+ <emphasis>if_required</emphasis> for a share has
+ no effect.
+ </para>
+ </listitem>
+ </itemizedlist>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+</description>
+
+<value type="default">default</value>
+</samba:parameter>
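Review bot: The last paragraph of the "Effects for SMB1" entry describes the values `auto`, `mandatory` and `disabled`, and its second paragraph says `If this is set to mandatory`, but the possible values listed earlier are `off`, `if_required`, `desired`, `required` and `default`; the SMB1 text should be rewritten in terms of those names (I would expect `if_required`/`default` to offer, `required` to enforce and `off` to refuse negotiation, but that mapping should be checked against the enum rather than taken from this note). Several garbled phrases also need repair: `per-share bases` → `per-share basis`, `Currently this is only supported smbclient of by Samba 3.2 and newer` → `Currently this is only supported by smbclient of Samba 3.2 and newer`, `clients may chose` → `clients may choose`, `as the GSSAPI flags use select both signing and sealing` → `as the GSSAPI flags used select both signing and sealing`, and `will deny access to this shares` → `will deny access to these shares`.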
diff --git a/docs-xml/smbdotconf/security/serversmbencryptionalgos.xml b/docs-xml/smbdotconf/security/serversmbencryptionalgos.xml
new file mode 100644
index 0000000..2dd2db9
--- /dev/null
+++ b/docs-xml/smbdotconf/security/serversmbencryptionalgos.xml
@@ -0,0 +1,21 @@
+<samba:parameter name="server smb3 encryption algorithms"
+ context="G"
+ type="list"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This parameter specifies the availability and order of
+ encryption algorithms which are available for negotiation in the SMB3_11 dialect.
+ </para>
+ <para>It is also possible to remove individual algorithms from the default list,
+ by prefixing them with '-'. This can avoid having to specify a hardcoded list.
+ </para>
+ <para>Note: that the removal of AES-128-CCM from the list will result
+ in SMB3_00 and SMB3_02 being unavailable, as it is the default and only
+ available algorithm for these dialects.
+ </para>
+</description>
+
+<value type="default">AES-128-GCM, AES-128-CCM, AES-256-GCM, AES-256-CCM</value>
+<value type="example">AES-256-GCM</value>
+<value type="example">-AES-128-GCM -AES-128-CCM</value>
+</samba:parameter>
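Review bot: The second example, `-AES-128-GCM -AES-128-CCM`, removes the algorithm that the note three lines above says is the only one usable by SMB3_00 and SMB3_02, but the example does not say that this is its effect; a short clause next to it, such as `(this also disables the SMB3_00 and SMB3_02 dialects)`, would stop readers copying it without realising they are dropping two dialects. The same applies to the `-AES-128-CMAC` example in serversmbsigningalgos.xml. In both files the example list uses spaces while the default uses commas; if both separators are accepted that is worth one sentence, otherwise the examples should match the default's form. The wording `Note: that the removal` reads as a stray colon; `Note that the removal` is the intended phrase.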
diff --git a/docs-xml/smbdotconf/security/serversmbsigningalgos.xml b/docs-xml/smbdotconf/security/serversmbsigningalgos.xml
new file mode 100644
index 0000000..7884e60
--- /dev/null
+++ b/docs-xml/smbdotconf/security/serversmbsigningalgos.xml
@@ -0,0 +1,22 @@
+<samba:parameter name="server smb3 signing algorithms"
+ context="G"
+ type="list"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This parameter specifies the availability and order of
+ signing algorithms which are available for negotiation in the SMB3_11 dialect.
+ </para>
+ <para>It is also possible to remove individual algorithms from the default list,
+ by prefixing them with '-'. This can avoid having to specify a hardcoded list.
+ </para>
+ <para>Note: that the removal of AES-128-CMAC from the list will result
+ in SMB3_00 and SMB3_02 being unavailable, and the removal of HMAC-SHA256
+ will result in SMB2_02 and SMB2_10 being unavailable, as these are the default and only
+ available algorithms for these dialects.
+ </para>
+</description>
+
+<value type="default">AES-128-GMAC, AES-128-CMAC, HMAC-SHA256</value>
+<value type="example">AES-128-CMAC, HMAC-SHA256</value>
+<value type="example">-AES-128-CMAC</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/smbencrypt.xml b/docs-xml/smbdotconf/security/smbencrypt.xml
new file mode 100644
index 0000000..6027120
--- /dev/null
+++ b/docs-xml/smbdotconf/security/smbencrypt.xml
@@ -0,0 +1,15 @@
+<samba:parameter name="smb encrypt"
+ context="S"
+ type="enum"
+ enumlist="enum_smb_encryption_vals"
+ function="server_smb_encrypt"
+ synonym="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This is a synonym for <smbconfoption name="server smb encrypt"/>.
+ </para>
+</description>
+
+<value type="default">default</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/smbpasswdfile.xml b/docs-xml/smbdotconf/security/smbpasswdfile.xml
new file mode 100644
index 0000000..fab7037
--- /dev/null
+++ b/docs-xml/smbdotconf/security/smbpasswdfile.xml
@@ -0,0 +1,18 @@
+<samba:parameter name="smb passwd file"
+ type="string"
+ context="G"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This option sets the path to the encrypted smbpasswd file. By
+ default the path to the smbpasswd file is compiled into Samba.</para>
+
+ <para>
+ An example of use is:
+<programlisting>
+smb passwd file = /etc/samba/smbpasswd
+</programlisting>
+ </para>
+</description>
+
+<value type="default">&pathconfig.SMB_PASSWD_FILE;</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/tlscafile.xml b/docs-xml/smbdotconf/security/tlscafile.xml
new file mode 100644
index 0000000..bcbac62
--- /dev/null
+++ b/docs-xml/smbdotconf/security/tlscafile.xml
@@ -0,0 +1,20 @@
+<samba:parameter name="tls cafile"
+ type="string"
+ context="G"
+ function="_tls_cafile"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+ <description>
+ <para>This option can be set to a file (PEM format)
+ containing CA certificates of root CAs to trust to sign
+ certificates or intermediate CA certificates.</para>
+ <para>This path is relative to <smbconfoption name="private dir"/> if the path
+ does not start with a /.</para>
+ </description>
+
+ <related>tls certfile</related>
+ <related>tls crlfile</related>
+ <related>tls dh params file</related>
+ <related>tls enabled</related>
+ <related>tls keyfile</related>
+ <value type="default">tls/ca.pem</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/tlscertfile.xml b/docs-xml/smbdotconf/security/tlscertfile.xml
new file mode 100644
index 0000000..cf70954
--- /dev/null
+++ b/docs-xml/smbdotconf/security/tlscertfile.xml
@@ -0,0 +1,19 @@
+<samba:parameter name="tls certfile"
+ type="string"
+ context="G"
+ function="_tls_certfile"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+ <description>
+ <para>This option can be set to a file (PEM format)
+ containing the RSA certificate. </para>
+ <para>This path is relative to <smbconfoption name="private dir"/> if the path
+ does not start with a /.</para>
+</description>
+
+ <related>tls keyfile</related>
+ <related>tls crlfile</related>
+ <related>tls dh params file</related>
+ <related>tls enabled</related>
+ <related>tls cafile</related>
+ <value type="default">tls/cert.pem</value>
+</samba:parameter>
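Review bot: The closing `</description>` tag is at column 0 while its opening `<description>` and the paragraphs inside it are indented, so the element no longer reads as a unit; indent it to match, `  </description>`. The same mismatch appears in tlscrlfile.xml and tlsdhparamsfile.xml, whereas tlscafile.xml and tlskeyfile.xml in this diff close the element at the indented position.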
diff --git a/docs-xml/smbdotconf/security/tlscrlfile.xml b/docs-xml/smbdotconf/security/tlscrlfile.xml
new file mode 100644
index 0000000..1f42b85
--- /dev/null
+++ b/docs-xml/smbdotconf/security/tlscrlfile.xml
@@ -0,0 +1,19 @@
+<samba:parameter name="tls crlfile"
+ type="string"
+ context="G"
+ function="_tls_crlfile"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+ <description>
+ <para>This option can be set to a file containing a certificate
+ revocation list (CRL).</para>
+ <para>This path is relative to <smbconfoption name="private dir"/> if the path
+ does not start with a /.</para>
+</description>
+
+ <related>tls certfile</related>
+ <related>tls crlfile</related>
+ <related>tls dh params file</related>
+ <related>tls enabled</related>
+ <related>tls cafile</related>
+ <value type="default"></value>
+</samba:parameter>
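Review bot: The related-parameter list for `tls crlfile` names itself (`<related>tls crlfile</related>`) and omits `tls keyfile`, which every other tls file in this diff lists; the self-reference looks like a copy-and-paste slip and should read `<related>tls keyfile</related>`. It would also help a reader to say what happens when this option is left at its empty default, since tlsverifypeer.xml in this diff makes a configured CRL a precondition for its strictest mode.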
diff --git a/docs-xml/smbdotconf/security/tlsdhparamsfile.xml b/docs-xml/smbdotconf/security/tlsdhparamsfile.xml
new file mode 100644
index 0000000..5bf59aa
--- /dev/null
+++ b/docs-xml/smbdotconf/security/tlsdhparamsfile.xml
@@ -0,0 +1,20 @@
+<samba:parameter name="tls dh params file"
+ type="string"
+ context="G"
+ function="_tls_dhpfile"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+ <description>
+ <para>This option can be set to a file with Diffie-Hellman parameters
+ which will be used with DH ciphers.
+ </para>
+ <para>This path is relative to <smbconfoption name="private dir"/> if the path
+ does not start with a /.</para>
+</description>
+
+ <related>tls certfile</related>
+ <related>tls crlfile</related>
+ <related>tls cafile</related>
+ <related>tls enabled</related>
+ <related>tls keyfile</related>
+ <value type="default"></value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/tlsenabled.xml b/docs-xml/smbdotconf/security/tlsenabled.xml
new file mode 100644
index 0000000..411b928
--- /dev/null
+++ b/docs-xml/smbdotconf/security/tlsenabled.xml
@@ -0,0 +1,10 @@
+<samba:parameter name="tls enabled"
+ type="boolean"
+ context="G"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+ <description>
+ <para>If this option is set to <constant>yes</constant>, then Samba
+ will use TLS when possible in communication.</para>
+ </description>
+ <value type="default">yes</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/tlskeyfile.xml b/docs-xml/smbdotconf/security/tlskeyfile.xml
new file mode 100644
index 0000000..9caa824
--- /dev/null
+++ b/docs-xml/smbdotconf/security/tlskeyfile.xml
@@ -0,0 +1,20 @@
+<samba:parameter name="tls keyfile"
+ type="string"
+ context="G"
+ function="_tls_keyfile"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+ <description>
+ <para>This option can be set to a file (PEM format)
+ containing the RSA private key. This file must be accessible without
+ a pass-phrase, i.e. it must not be encrypted.</para>
+ <para>This path is relative to <smbconfoption name="private dir"/> if the path
+ does not start with a /.</para>
+ </description>
+
+ <related>tls certfile</related>
+ <related>tls crlfile</related>
+ <related>tls dh params file</related>
+ <related>tls enabled</related>
+ <related>tls cafile</related>
+ <value type="default">tls/key.pem</value>
+</samba:parameter>
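Review bot: The description states that the private key file must be unencrypted but gives no guidance on protecting it; since the key is stored in the clear, a sentence such as `The file should be readable only by the user Samba runs as.` would give the administrator the caveat that follows from that requirement. Whether the default `tls/key.pem` is relative to the private dir is stated, so the reader can locate it, but not what permissions Samba expects or checks on it — if Samba enforces anything there, say so here.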
diff --git a/docs-xml/smbdotconf/security/tlspriority.xml b/docs-xml/smbdotconf/security/tlspriority.xml
new file mode 100644
index 0000000..471dc25
--- /dev/null
+++ b/docs-xml/smbdotconf/security/tlspriority.xml
@@ -0,0 +1,19 @@
+<samba:parameter name="tls priority"
+ type="string"
+ context="G"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+ <description>
+ <para>This option can be set to a string describing the TLS protocols
+ to be supported in the parts of Samba that use GnuTLS, specifically
+ the AD DC.
+ </para>
+ <para>The string is appended to the default priority list of GnuTLS.</para>
+ <para>The valid options are described in the
+ <ulink url="http://gnutls.org/manual/html_node/Priority-Strings.html">GNUTLS
+ Priority-Strings documentation at http://gnutls.org/manual/html_node/Priority-Strings.html</ulink>
+ </para>
+ <para>The SSL3.0 protocol will be disabled.</para>
+ </description>
+
+ <value type="default">NORMAL:-VERS-SSL3.0</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/tlsverifypeer.xml b/docs-xml/smbdotconf/security/tlsverifypeer.xml
new file mode 100644
index 0000000..4f47dd4
--- /dev/null
+++ b/docs-xml/smbdotconf/security/tlsverifypeer.xml
@@ -0,0 +1,47 @@
+<samba:parameter name="tls verify peer"
+ context="G"
+ type="enum"
+ enumlist="enum_tls_verify_peer_vals"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This controls if and how strict the client will verify the peer's certificate and name.
+ Possible values are (in increasing order):
+ <constant>no_check</constant>,
+ <constant>ca_only</constant>,
+ <constant>ca_and_name_if_available</constant>,
+ <constant>ca_and_name</constant>
+ and
+ <constant>as_strict_as_possible</constant>.</para>
+
+ <para>When set to <constant>no_check</constant> the certificate is not verified at
+ all, which allows trivial man in the middle attacks.
+ </para>
+
+ <para>When set to <constant>ca_only</constant> the certificate is verified to
+ be signed from a ca specified in the <smbconfoption name="tls ca file"/> option.
+ Setting <smbconfoption name="tls ca file"/> to a valid file is required.
+ The certificate lifetime is also verified. If the <smbconfoption name="tls crl file"/>
+ option is configured, the certificate is also verified against the ca crl.
+ </para>
+
+ <para>When set to <constant>ca_and_name_if_available</constant> all checks from
+ <constant>ca_only</constant> are performed. In addition, the peer hostname is verified
+ against the certificate's name, if it is provided by the application layer and
+ not given as an ip address string.
+ </para>
+
+ <para>When set to <constant>ca_and_name</constant> all checks from
+ <constant>ca_and_name_if_available</constant> are performed.
+ In addition the peer hostname needs to be provided and even an ip
+ address is checked against the certificate's name.
+ </para>
+
+ <para>When set to <constant>as_strict_as_possible</constant> all checks from
+ <constant>ca_and_name</constant> are performed. In addition the
+ <smbconfoption name="tls crl file"/> needs to be configured.
+ Future versions of Samba may implement additional checks.
+ </para>
+</description>
+
+<value type="default">as_strict_as_possible</value>
+</samba:parameter>
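Review bot: The cross-references `<smbconfoption name="tls ca file"/>` and `<smbconfoption name="tls crl file"/>` in the `ca_only` and `as_strict_as_possible` paragraphs do not match the parameter names this diff defines, which are `tls cafile` (tlscafile.xml) and `tls crlfile` (tlscrlfile.xml); the links will not resolve to those pages. Change them to `<smbconfoption name="tls cafile"/>` and `<smbconfoption name="tls crlfile"/>`. Adding `<related>tls cafile</related>` and `<related>tls crlfile</related>` entries, as the other tls files do, would make the dependency on those options visible in the rendered index as well.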
diff --git a/docs-xml/smbdotconf/security/unixpasswordsync.xml b/docs-xml/smbdotconf/security/unixpasswordsync.xml
new file mode 100644
index 0000000..89b0158
--- /dev/null
+++ b/docs-xml/smbdotconf/security/unixpasswordsync.xml
@@ -0,0 +1,26 @@
+<samba:parameter name="unix password sync"
+ context="G"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This boolean parameter controls whether Samba
+ attempts to synchronize the UNIX password with the SMB password
+ when the encrypted SMB password in the smbpasswd file is changed.
+ If this is set to <constant>yes</constant> the program specified in the <parameter moreinfo="none">passwd
+ program</parameter> parameter is called <emphasis>AS ROOT</emphasis> -
+ to allow the new UNIX password to be set without access to the
+ old UNIX password (as the SMB password change code has no
+ access to the old password cleartext, only the new).</para>
+
+ <para>This option has no effect if <command moreinfo="none">samba</command>
+ is running as an active directory domain controller, in that case have a
+ look at the <smbconfoption name="password hash gpg key ids"/> option and the
+ <command moreinfo="none">samba-tool user syncpasswords</command> command.</para>
+</description>
+
+<related>passwd program</related>
+<related>passwd chat</related>
+<related>password hash gpg key ids</related>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/usernamelevel.xml b/docs-xml/smbdotconf/security/usernamelevel.xml
new file mode 100644
index 0000000..f5248c0
--- /dev/null
+++ b/docs-xml/smbdotconf/security/usernamelevel.xml
@@ -0,0 +1,26 @@
+<samba:parameter name="username level"
+ context="G"
+ type="integer"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This option helps Samba to try and 'guess' at
+ the real UNIX username, as many DOS clients send an all-uppercase
+ username. By default Samba tries all lowercase, followed by the
+ username with the first letter capitalized, and fails if the
+ username is not found on the UNIX machine.</para>
+
+ <para>If this parameter is set to non-zero the behavior changes.
+ This parameter is a number that specifies the number of uppercase
+ combinations to try while trying to determine the UNIX user name. The
+ higher the number the more combinations will be tried, but the slower
+ the discovery of usernames will be. Use this parameter when you have
+ strange usernames on your UNIX machine, such as <constant>AstrangeUser
+ </constant>.</para>
+
+ <para>This parameter is needed only on UNIX systems that have case
+ sensitive usernames.</para>
+</description>
+
+<value type="default">0</value>
+<value type="example">5</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/usernamemap.xml b/docs-xml/smbdotconf/security/usernamemap.xml
new file mode 100644
index 0000000..809a54c
--- /dev/null
+++ b/docs-xml/smbdotconf/security/usernamemap.xml
@@ -0,0 +1,130 @@
+<samba:parameter name="username map"
+ context="G"
+ type="string"
+ substitution="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This option allows you to specify a file containing a mapping of usernames from the clients to the server.
+ This can be used for several purposes. The most common is to map usernames that users use on DOS or Windows
+ machines to those that the UNIX box uses. The other is to map multiple users to a single username so that they
+ can more easily share files.
+ </para>
+
+ <para>
+ Please note that for user mode security, the username map is applied prior to validating the user
+ credentials. Domain member servers (domain or ads) apply the username map after the user has been
+ successfully authenticated by the domain controller and require fully qualified entries in the map table (e.g.
+ biddle = <literal>DOMAIN\foo</literal>).
+ </para>
+
+ <para>
+ The map file is parsed line by line. Each line should contain a single UNIX username on the left then a '='
+ followed by a list of usernames on the right. The list of usernames on the right may contain names of the form
+ @group in which case they will match any UNIX username in that group. The special client name '*' is a
+ wildcard and matches any name. Each line of the map file may be up to 1023 characters long.
+ </para>
+
+ <para>
+ The file is processed on each line by taking the supplied username and comparing it with each username on the
+ right hand side of the '=' signs. If the supplied name matches any of the names on the right hand side then it
+ is replaced with the name on the left. Processing then continues with the next line.
+ </para>
+
+ <para>
+ If any line begins with a '#' or a ';' then it is ignored.
+ </para>
+
+ <para>
+ If any line begins with an '!' then the processing will stop after that line if a mapping was done by the
+ line. Otherwise mapping continues with every line being processed. Using '!' is most useful when you have a
+ wildcard mapping line later in the file.
+ </para>
+
+ <para>
+ For example to map from the name <constant>admin</constant> or <constant>administrator</constant> to the UNIX
+ name <constant> root</constant> you would use:
+<programlisting>
+<command moreinfo="none">root = admin administrator</command>
+</programlisting>
+ Or to map anyone in the UNIX group <constant>system</constant> to the UNIX name <constant>sys</constant> you would use:
+<programlisting>
+<command moreinfo="none">sys = @system</command>
+</programlisting>
+ </para>
+
+ <para>
+ You can have as many mappings as you like in a username map file.
+ </para>
+
+
+ <para>
+ If your system supports the NIS NETGROUP option then the netgroup database is checked before the <filename
+ moreinfo="none">/etc/group </filename> database for matching groups.
+ </para>
+
+ <para>
+ You can map Windows usernames that have spaces in them by using double quotes around the name. For example:
+<programlisting>
+<command moreinfo="none">tridge = &quot;Andrew Tridgell&quot;</command>
+</programlisting>
+ would map the windows username &quot;Andrew Tridgell&quot; to the unix username &quot;tridge&quot;.
+ </para>
+
+ <para>
+ The following example would map mary and fred to the unix user sys, and map the rest to guest. Note the use of the
+ '!' to tell Samba to stop processing if it gets a match on that line:
+<programlisting format="linespecific">
+!sys = mary fred
+guest = *
+</programlisting>
+ </para>
+
+ <para>
+ Note that the remapping is applied to all occurrences of usernames. Thus if you connect to \\server\fred and
+ <constant>fred</constant> is remapped to <constant>mary</constant> then you will actually be connecting to
+ \\server\mary and will need to supply a password suitable for <constant>mary</constant> not
+ <constant>fred</constant>. The only exception to this is the
+ username passed to a Domain Controller (if you have one). The DC will receive whatever username the client
+ supplies without modification.
+ </para>
+
+ <para>
+ Also note that no reverse mapping is done. The main effect this has is with printing. Users who have been
+ mapped may have trouble deleting print jobs as PrintManager under WfWg will think they don't own the print
+ job.
+ </para>
+
+ <para>
+ Samba versions prior to 3.0.8 would only support reading the fully qualified username
+ (e.g.: <literal>DOMAIN\user</literal>) from
+ the username map when performing a kerberos login from a client. However, when looking up a map entry for a
+ user authenticated by NTLM[SSP], only the login name would be used for matches. This resulted in inconsistent
+ behavior sometimes even on the same server.
+ </para>
+
+ <para>
+ The following functionality is obeyed in version 3.0.8 and later:
+ </para>
+
+ <para>
+ When performing local authentication, the username map is applied to the login name before attempting to authenticate
+ the connection.
+ </para>
+
+ <para>
+ When relying upon a external domain controller for validating authentication requests, smbd will apply the username map
+ to the fully qualified username (i.e. <literal>DOMAIN\user</literal>) only after the user has been successfully authenticated.
+ </para>
+
+ <para>
+ An example of use is:
+<programlisting>
+username map = /usr/local/samba/lib/users.map
+</programlisting>
+ </para>
+
+</description>
+
+<value type="default"><comment>no username map</comment></value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/usernamemapcachetime.xml b/docs-xml/smbdotconf/security/usernamemapcachetime.xml
new file mode 100644
index 0000000..974026c
--- /dev/null
+++ b/docs-xml/smbdotconf/security/usernamemapcachetime.xml
@@ -0,0 +1,26 @@
+<samba:parameter name="username map cache time"
+ context="G"
+ type="integer"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ Mapping usernames with the <smbconfoption name="username map"/>
+ or <smbconfoption name="username map script"/>
+ features of Samba can be relatively expensive.
+ During login of a user, the mapping is done several times.
+ In particular, calling the <smbconfoption name="username map script"/>
+ can slow down logins if external databases have to be queried from
+ the script being called.
+ </para>
+
+ <para>
+ The parameter <smbconfoption name="username map cache time"/>
+ controls a mapping cache. It specifies the number of seconds a
+ mapping from the username map file or script is to be efficiently cached.
+ The default of 0 means no caching is done.
+ </para>
+</description>
+
+<value type="default">0</value>
+<value type="example">60</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/usernamemapscript.xml b/docs-xml/smbdotconf/security/usernamemapscript.xml
new file mode 100644
index 0000000..7123c53
--- /dev/null
+++ b/docs-xml/smbdotconf/security/usernamemapscript.xml
@@ -0,0 +1,19 @@
+<samba:parameter name="username map script"
+ context="G"
+ type="string"
+ substitution="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This script is a mutually exclusive alternative to the
+ <smbconfoption name="username map"/> parameter. This parameter
+ specifies an external program or script that must accept a single
+ command line option (the username transmitted in the authentication
+ request) and return a line on standard output (the name to which
+ the account should mapped). In this way, it is possible to store
+ username map tables in an LDAP directory services.
+ </para>
+</description>
+
+<value type="default"/>
+<value type="example">/etc/samba/scripts/mapusers.sh</value>
+</samba:parameter>
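Review bot: The description says the script receives the username transmitted in the authentication request as its single command line option, but does not say that this value is client-supplied; a sentence such as `The username is supplied by the client and must be treated as untrusted input by the script.` would tell script authors to quote it and avoid passing it to a shell or query unescaped. Two wording slips in the same paragraph: `the name to which the account should mapped` should read `should be mapped`, and `in an LDAP directory services` should read `in an LDAP directory service`.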
diff --git a/docs-xml/smbdotconf/security/validusers.xml b/docs-xml/smbdotconf/security/validusers.xml
new file mode 100644
index 0000000..0b681a1
--- /dev/null
+++ b/docs-xml/smbdotconf/security/validusers.xml
@@ -0,0 +1,38 @@
+<samba:parameter name="valid users"
+ context="S"
+ type="cmdlist"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This is a list of users that should be allowed to login to this service. Names starting with
+ '@', '+' and '&amp;' are interpreted using the same rules as described in the
+ <parameter moreinfo="none">invalid users</parameter> parameter.
+ </para>
+
+ <para>
+ If this is empty (the default) then any user can login. If a username is in both this list
+ and the <parameter moreinfo="none">invalid users</parameter> list then access is denied
+ for that user.
+ </para>
+
+ <para>
+ The current servicename is substituted for <parameter moreinfo="none">%S</parameter>.
+ This is useful in the [homes] section.
+ </para>
+
+ <para><emphasis>Note: </emphasis>When used in the [global] section this
+ parameter may have unwanted side effects. For example: If samba is configured as a MASTER BROWSER (see
+ <parameter moreinfo="none">local master</parameter>,
+ <parameter moreinfo="none">os level</parameter>,
+ <parameter moreinfo="none">domain master</parameter>,
+ <parameter moreinfo="none">preferred master</parameter>) this option
+ will prevent workstations from being able to browse the network.
+ </para>
+
+</description>
+
+<related>invalid users</related>
+
+<value type="default"><comment>No valid users list (anyone can login) </comment></value>
+<value type="example">greg, @pcusers</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/writeable.xml b/docs-xml/smbdotconf/security/writeable.xml
new file mode 100644
index 0000000..5433849
--- /dev/null
+++ b/docs-xml/smbdotconf/security/writeable.xml
@@ -0,0 +1,14 @@
+<samba:parameter name="writeable"
+ context="S"
+ type="boolean-rev"
+ function="read_only"
+ synonym="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<synonym>writable</synonym>
+<synonym>write ok</synonym>
+<description>
+ <para>Inverted synonym for <smbconfoption name="read only"/>.</para>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/writelist.xml b/docs-xml/smbdotconf/security/writelist.xml
new file mode 100644
index 0000000..a9b9e8b
--- /dev/null
+++ b/docs-xml/smbdotconf/security/writelist.xml
@@ -0,0 +1,24 @@
+<samba:parameter name="write list"
+ context="S"
+ type="cmdlist"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This is a list of users that are given read-write access to a service. If the
+ connecting user is in this list then they will be given write access, no matter
+ what the <smbconfoption name="read only"/> option is set to. The list can
+ include group names using the @group syntax.
+ </para>
+
+ <para>
+ Note that if a user is in both the read list and the write list then they will be
+ given write access.
+ </para>
+
+</description>
+
+<related>read list</related>
+
+<value type="default"></value>
+<value type="example">admin, root, @staff</value>
+</samba:parameter>