From 8daa83a594a2e98f39d764422bfbdbc62c9efd44 Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Fri, 19 Apr 2024 19:20:00 +0200
Subject: Adding upstream version 2:4.20.0+dfsg.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 docs-xml/smbdotconf/winbind/applygrouppolicies.xml |  19 ++++
 docs-xml/smbdotconf/winbind/createkrb5conf.xml     |  23 ++++
 docs-xml/smbdotconf/winbind/idmapbackend.xml       |  22 ++++
 docs-xml/smbdotconf/winbind/idmapcachetime.xml     |  13 +++
 docs-xml/smbdotconf/winbind/idmapconfig.xml        | 122 +++++++++++++++++++++
 docs-xml/smbdotconf/winbind/idmapgid.xml           |  21 ++++
 .../smbdotconf/winbind/idmapnegativecachetime.xml  |  12 ++
 docs-xml/smbdotconf/winbind/idmapuid.xml           |  21 ++++
 .../smbdotconf/winbind/includesystemkrb5conf.xml   |  15 +++
 .../smbdotconf/winbind/netutralizent4emulation.xml |  18 +++
 docs-xml/smbdotconf/winbind/rejectmd5servers.xml   |  25 +++++
 docs-xml/smbdotconf/winbind/requirestrongkey.xml   |  26 +++++
 docs-xml/smbdotconf/winbind/templatehomedir.xml    |  17 +++
 docs-xml/smbdotconf/winbind/templateshell.xml      |  13 +++
 docs-xml/smbdotconf/winbind/winbindcachetime.xml   |  20 ++++
 .../smbdotconf/winbind/winbinddsocketdirectory.xml |  15 +++
 docs-xml/smbdotconf/winbind/winbindenumgroups.xml  |  19 ++++
 docs-xml/smbdotconf/winbind/winbindenumusers.xml   |  23 ++++
 .../smbdotconf/winbind/winbindexpandgroups.xml     |  35 ++++++
 .../smbdotconf/winbind/winbindignoredomains.xml    |  14 +++
 docs-xml/smbdotconf/winbind/winbindmaxclients.xml  |  19 ++++
 .../winbind/winbindmaxdomainconnections.xml        |  25 +++++
 .../smbdotconf/winbind/winbindnestedgroups.xml     |  16 +++
 .../smbdotconf/winbind/winbindnormalizenames.xml   |  30 +++++
 docs-xml/smbdotconf/winbind/winbindnssinfo.xml     |  38 +++++++
 .../smbdotconf/winbind/winbindofflinelogon.xml     |  17 +++
 .../smbdotconf/winbind/winbindreconnectdelay.xml   |  14 +++
 .../smbdotconf/winbind/winbindrefreshtickets.xml   |  15 +++
 .../smbdotconf/winbind/winbindrequesttimeout.xml   |  15 +++
 docs-xml/smbdotconf/winbind/winbindrpconly.xml     |  15 +++
 .../winbind/winbindscantrusteddomains.xml          |  29 +++++
 docs-xml/smbdotconf/winbind/winbindsealedpipes.xml |  15 +++
 docs-xml/smbdotconf/winbind/winbindseparator.xml   |  20 ++++
 .../smbdotconf/winbind/winbindusedefaultdomain.xml |  22 ++++
 .../winbind/winbindusekrb5enterpriseprincipals.xml |  34 ++++++
 35 files changed, 817 insertions(+)
 create mode 100644 docs-xml/smbdotconf/winbind/applygrouppolicies.xml
 create mode 100644 docs-xml/smbdotconf/winbind/createkrb5conf.xml
 create mode 100644 docs-xml/smbdotconf/winbind/idmapbackend.xml
 create mode 100644 docs-xml/smbdotconf/winbind/idmapcachetime.xml
 create mode 100644 docs-xml/smbdotconf/winbind/idmapconfig.xml
 create mode 100644 docs-xml/smbdotconf/winbind/idmapgid.xml
 create mode 100644 docs-xml/smbdotconf/winbind/idmapnegativecachetime.xml
 create mode 100644 docs-xml/smbdotconf/winbind/idmapuid.xml
 create mode 100644 docs-xml/smbdotconf/winbind/includesystemkrb5conf.xml
 create mode 100644 docs-xml/smbdotconf/winbind/netutralizent4emulation.xml
 create mode 100644 docs-xml/smbdotconf/winbind/rejectmd5servers.xml
 create mode 100644 docs-xml/smbdotconf/winbind/requirestrongkey.xml
 create mode 100644 docs-xml/smbdotconf/winbind/templatehomedir.xml
 create mode 100644 docs-xml/smbdotconf/winbind/templateshell.xml
 create mode 100644 docs-xml/smbdotconf/winbind/winbindcachetime.xml
 create mode 100644 docs-xml/smbdotconf/winbind/winbinddsocketdirectory.xml
 create mode 100644 docs-xml/smbdotconf/winbind/winbindenumgroups.xml
 create mode 100644 docs-xml/smbdotconf/winbind/winbindenumusers.xml
 create mode 100644 docs-xml/smbdotconf/winbind/winbindexpandgroups.xml
 create mode 100644 docs-xml/smbdotconf/winbind/winbindignoredomains.xml
 create mode 100644 docs-xml/smbdotconf/winbind/winbindmaxclients.xml
 create mode 100644 docs-xml/smbdotconf/winbind/winbindmaxdomainconnections.xml
 create mode 100644 docs-xml/smbdotconf/winbind/winbindnestedgroups.xml
 create mode 100644 docs-xml/smbdotconf/winbind/winbindnormalizenames.xml
 create mode 100644 docs-xml/smbdotconf/winbind/winbindnssinfo.xml
 create mode 100644 docs-xml/smbdotconf/winbind/winbindofflinelogon.xml
 create mode 100644 docs-xml/smbdotconf/winbind/winbindreconnectdelay.xml
 create mode 100644 docs-xml/smbdotconf/winbind/winbindrefreshtickets.xml
 create mode 100644 docs-xml/smbdotconf/winbind/winbindrequesttimeout.xml
 create mode 100644 docs-xml/smbdotconf/winbind/winbindrpconly.xml
 create mode 100644 docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml
 create mode 100644 docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
 create mode 100644 docs-xml/smbdotconf/winbind/winbindseparator.xml
 create mode 100644 docs-xml/smbdotconf/winbind/winbindusedefaultdomain.xml
 create mode 100644 docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml

(limited to 'docs-xml/smbdotconf/winbind')

diff --git a/docs-xml/smbdotconf/winbind/applygrouppolicies.xml b/docs-xml/smbdotconf/winbind/applygrouppolicies.xml
new file mode 100644
index 0000000..67baa0d
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/applygrouppolicies.xml
@@ -0,0 +1,19 @@
+<samba:parameter name="apply group policies"
+                 context="G"
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+	<para>This option controls whether winbind will execute the gpupdate
+	command defined in <smbconfoption name="gpo update command"/> on the
+	Group Policy update interval. The Group	Policy update interval is
+	defined as every 90 minutes, plus a random offset between 0 and	30
+	minutes. This applies Group Policy Machine polices to the client or
+	KDC and machine policies to a server.
+	</para>
+
+</description>
+
+<value type="default">no</value>
+<value type="example">yes</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/createkrb5conf.xml b/docs-xml/smbdotconf/winbind/createkrb5conf.xml
new file mode 100644
index 0000000..4054034
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/createkrb5conf.xml
@@ -0,0 +1,23 @@
+<samba:parameter name="create krb5 conf"
+                 context="G"
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+	<para>
+	Setting this parameter to <value type="example">no</value> prevents
+	winbind from creating custom krb5.conf files. Winbind normally does
+	this because the krb5 libraries are not AD-site-aware and thus would
+	pick any domain controller out of potentially very many. Winbind
+	is site-aware and makes the krb5 libraries use a local DC by
+	creating its own krb5.conf files.
+	</para>
+	<para>
+	Preventing winbind from doing this might become necessary if you
+	have to add special options into your system-krb5.conf that winbind
+	does not see.
+	</para>
+
+</description>
+<value type="default">yes</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/idmapbackend.xml b/docs-xml/smbdotconf/winbind/idmapbackend.xml
new file mode 100644
index 0000000..864a975
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/idmapbackend.xml
@@ -0,0 +1,22 @@
+<samba:parameter name="idmap backend"
+                 context="G"
+                 type="string"
+                 generated_function="0"
+                 handler="handle_idmap_backend"
+                 deprecated="1"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>
+	The idmap backend provides a plugin interface for Winbind to use
+	varying backends to store SID/uid/gid mapping tables.
+	</para>
+
+	<para>
+	This option specifies the default backend that is used when no special
+	configuration set, but it is now deprecated in favour of the new
+	spelling <smbconfoption name="idmap config * :  backend"/>.
+	</para>
+</description>
+
+<value type="default">tdb</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/idmapcachetime.xml b/docs-xml/smbdotconf/winbind/idmapcachetime.xml
new file mode 100644
index 0000000..87c6c56
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/idmapcachetime.xml
@@ -0,0 +1,13 @@
+<samba:parameter name="idmap cache time"
+                 context="G"
+                 type="integer"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>This parameter specifies the number of seconds that Winbind's
+	idmap interface will cache positive SID/uid/gid query results. By
+    default, Samba will cache these results for one week.
+	</para>
+</description>
+
+<value type="default">604800</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/idmapconfig.xml b/docs-xml/smbdotconf/winbind/idmapconfig.xml
new file mode 100644
index 0000000..f70f11d
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/idmapconfig.xml
@@ -0,0 +1,122 @@
+<samba:parameter name="idmap config DOMAIN : OPTION"
+                 context="G"
+                 type="string"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+	<para>
+	ID mapping in Samba is the mapping between Windows SIDs and Unix user
+	and group IDs. This is performed by Winbindd with a configurable plugin
+	interface. Samba's ID mapping is configured by options starting with the
+	<smbconfoption name="idmap config"/> prefix.
+	An idmap option consists of the <smbconfoption name="idmap config"/>
+	prefix, followed by a domain name or the asterisk character (*),
+	a colon, and the name of an idmap setting for the chosen domain.
+	</para>
+
+	<para>
+	The idmap configuration is hence divided into groups, one group
+	for each domain to be configured, and one group with the
+	asterisk instead of a proper domain name, which specifies the
+	default configuration that is used to catch all domains that do
+	not have an explicit idmap configuration of their own.
+	</para>
+
+	<para>
+	There are three general options available:
+	</para>
+
+	<variablelist>
+		<varlistentry>
+		<term>backend = backend_name</term>
+		<listitem><para>
+		This specifies the name of the idmap plugin to use as the
+		SID/uid/gid backend for this domain. The standard backends are
+		tdb
+		(<citerefentry><refentrytitle>idmap_tdb</refentrytitle> <manvolnum>8</manvolnum> </citerefentry>),
+		tdb2
+		(<citerefentry><refentrytitle>idmap_tdb2</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
+		ldap
+		(<citerefentry><refentrytitle>idmap_ldap</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
+		rid
+		(<citerefentry><refentrytitle>idmap_rid</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
+		hash
+		(<citerefentry><refentrytitle>idmap_hash</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
+		autorid
+		(<citerefentry><refentrytitle>idmap_autorid</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
+		ad
+		(<citerefentry><refentrytitle>idmap_ad</refentrytitle> <manvolnum>8</manvolnum></citerefentry>)
+		and nss
+		(<citerefentry><refentrytitle>idmap_nss</refentrytitle> <manvolnum>8</manvolnum></citerefentry>).
+		The corresponding manual pages contain the details, but
+		here is a summary.
+		</para>
+		<para>
+		The first three of these create mappings of their own using
+		internal unixid counters and store the mappings in a database.
+		These are suitable for use in the default idmap configuration.
+		The rid and hash backends use a pure algorithmic calculation
+		to determine the unixid for a SID. The autorid module is a
+		mixture of the tdb and rid backend. It creates ranges for
+		each domain encountered and then uses the rid algorithm for each
+		of these automatically configured domains individually.
+		The ad backend uses unix ids stored in Active Directory via
+		the standard schema extensions. The nss backend reverses
+		the standard winbindd setup and gets the unix ids via names
+		from nsswitch which can be useful in an ldap setup.
+		</para></listitem>
+		</varlistentry>
+
+		<varlistentry>
+		<term>range = low - high</term>
+		<listitem><para>
+		Defines the available matching uid and gid range for which the
+		backend is authoritative. For allocating backends, this also
+		defines the start and the end of the range for allocating
+		new unique IDs.
+		</para>
+		<para>
+		winbind uses this parameter to find the backend that is
+		authoritative for a unix ID to SID mapping, so it must be set
+		for each individually configured domain and for the default
+		configuration. The configured ranges must be mutually disjoint.
+		</para>
+		<para>
+		Note that the low value interacts with the <smbconfoption name="min domain uid"/> option!
+		</para></listitem>
+		</varlistentry>
+
+		<varlistentry>
+		<term>read only = yes|no</term>
+		<listitem><para>
+		This option can be used to turn the writing backends
+		tdb, tdb2, and ldap into read only mode. This can be useful
+		e.g. in cases where a pre-filled database exists that should
+		not be extended automatically.
+		</para></listitem>
+		</varlistentry>
+	</variablelist>
+
+	<para>
+	The following example illustrates how to configure the <citerefentry>
+	<refentrytitle>idmap_ad</refentrytitle> <manvolnum>8</manvolnum>
+	</citerefentry> backend for the CORP domain and the
+	<citerefentry><refentrytitle>idmap_tdb</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry> backend for all other
+	domains. This configuration assumes that the admin of CORP assigns
+	unix ids below 1000000 via the SFU extensions, and winbind is supposed
+	to use the next million entries for its own mappings from trusted
+	domains and for local groups for example.
+	</para>
+
+	<programlisting>
+	idmap config * : backend = tdb
+	idmap config * : range = 1000000-1999999
+
+	idmap config CORP : backend  = ad
+	idmap config CORP : range = 1000-999999
+	</programlisting>
+	
+</description>
+<related>min domain uid</related>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/idmapgid.xml b/docs-xml/smbdotconf/winbind/idmapgid.xml
new file mode 100644
index 0000000..1b576b2
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/idmapgid.xml
@@ -0,0 +1,21 @@
+<samba:parameter name="idmap gid"
+                 context="G"
+                 type="string"
+                 generated_function="0"
+                 handler="handle_idmap_gid"
+                 deprecated="1"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<synonym>winbind gid</synonym>
+<description>
+	<para>
+	The idmap gid parameter specifies the range of group ids
+	for the default idmap configuration. It is now deprecated
+	in favour of <smbconfoption name="idmap config * : range"/>.
+	</para>
+
+	<para>See the <smbconfoption name="idmap config"/> option.</para>
+</description>
+
+<value type="default"></value>
+<value type="example">10000-20000</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/idmapnegativecachetime.xml b/docs-xml/smbdotconf/winbind/idmapnegativecachetime.xml
new file mode 100644
index 0000000..32c4e1f
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/idmapnegativecachetime.xml
@@ -0,0 +1,12 @@
+<samba:parameter name="idmap negative cache time"
+                 context="G"
+                 type="integer"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>This parameter specifies the number of seconds that Winbind's
+	idmap interface will cache negative SID/uid/gid query results.
+	</para>
+</description>
+
+<value type="default">120</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/idmapuid.xml b/docs-xml/smbdotconf/winbind/idmapuid.xml
new file mode 100644
index 0000000..f666f61
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/idmapuid.xml
@@ -0,0 +1,21 @@
+<samba:parameter name="idmap uid"
+                 type="string"
+                 context="G"
+                 generated_function="0"
+                 handler="handle_idmap_uid"
+                 deprecated="1"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<synonym>winbind uid</synonym>
+<description>
+	<para>
+	The idmap uid parameter specifies the range of user ids for
+	the default idmap configuration. It is now deprecated in favour
+	of <smbconfoption name="idmap config * : range"/>.
+	</para>
+
+	<para>See the <smbconfoption name="idmap config"/> option.</para>
+</description>
+
+<value type="default"></value>
+<value type="example">10000-20000</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/includesystemkrb5conf.xml b/docs-xml/smbdotconf/winbind/includesystemkrb5conf.xml
new file mode 100644
index 0000000..3e53292
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/includesystemkrb5conf.xml
@@ -0,0 +1,15 @@
+<samba:parameter name="include system krb5 conf"
+                 context="G"
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>
+		Setting this parameter to <value type="example">no</value> will prevent
+		winbind to include the system /etc/krb5.conf file into the krb5.conf file
+		it creates. See also <smbconfoption name="create krb5 conf"/>. This option
+		only applies to Samba built with MIT Kerberos.
+	</para>
+
+</description>
+<value type="default">yes</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/netutralizent4emulation.xml b/docs-xml/smbdotconf/winbind/netutralizent4emulation.xml
new file mode 100644
index 0000000..247822e
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/netutralizent4emulation.xml
@@ -0,0 +1,18 @@
+<samba:parameter name="neutralize nt4 emulation"
+                 context="G"
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>This option controls whether winbindd sends
+	the NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION flag in order to bypass
+	the NT4 emulation of a domain controller.</para>
+
+	<para>Typically you should not need set this.
+	It can be useful for upgrades from NT4 to AD domains.</para>
+
+	<para>The behavior can be controlled per netbios domain
+	by using 'neutralize nt4 emulation:NETBIOSDOMAIN = yes' as option.</para>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
new file mode 100644
index 0000000..3bc4eaf
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
@@ -0,0 +1,25 @@
+<samba:parameter name="reject md5 servers"
+                 context="G"
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>This option controls whether winbindd requires support
+	for aes support for the netlogon secure channel.</para>
+
+	<para>The following flags will be required NETLOGON_NEG_ARCFOUR,
+	NETLOGON_NEG_SUPPORTS_AES, NETLOGON_NEG_PASSWORD_SET2 and NETLOGON_NEG_AUTHENTICATED_RPC.</para>
+
+	<para>You can set this to yes if all domain controllers support aes.
+	This will prevent downgrade attacks.</para>
+
+	<para>The behavior can be controlled per netbios domain
+	by using 'reject md5 servers:NETBIOSDOMAIN = no' as option.</para>
+
+	<para>The default changed from 'no' to 'yes, with the patches for CVE-2022-38023,
+	see https://bugzilla.samba.org/show_bug.cgi?id=15240</para>
+
+	<para>This option overrides the <smbconfoption name="require strong key"/> option.</para>
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/requirestrongkey.xml b/docs-xml/smbdotconf/winbind/requirestrongkey.xml
new file mode 100644
index 0000000..9c1c1d7
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/requirestrongkey.xml
@@ -0,0 +1,26 @@
+<samba:parameter name="require strong key"
+                 context="G"
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>This option controls whether winbindd requires support
+	for md5 strong key support for the netlogon secure channel.</para>
+
+	<para>The following flags will be required NETLOGON_NEG_STRONG_KEYS,
+	NETLOGON_NEG_ARCFOUR and NETLOGON_NEG_AUTHENTICATED_RPC.</para>
+
+	<para>You can set this to no if some domain controllers only support des.
+	This might allows weak crypto to be negotiated, may via downgrade attacks.</para>
+
+	<para>The behavior can be controlled per netbios domain
+	by using 'require strong key:NETBIOSDOMAIN = no' as option.</para>
+
+	<para>Note for active directory domain this option is hardcoded to 'yes'</para>
+
+	<para>This option is over-ridden by the <smbconfoption name="reject md5 servers"/> option.</para>
+
+	<para>This option overrides the <smbconfoption name="client schannel"/> option.</para>
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/templatehomedir.xml b/docs-xml/smbdotconf/winbind/templatehomedir.xml
new file mode 100644
index 0000000..2801edf
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/templatehomedir.xml
@@ -0,0 +1,17 @@
+<samba:parameter name="template homedir"
+                 context="G"
+                 type="string"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>When filling out the user information for a Windows NT 
+	user, the <citerefentry><refentrytitle>winbindd</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry> daemon  uses this
+	parameter to fill in the home directory for that user. If the
+	string <parameter moreinfo="none">%D</parameter> is present it
+	is substituted  with the user's Windows NT domain name. If the
+	string <parameter  moreinfo="none">%U</parameter> is present it
+	is substituted with the user's Windows  NT user name.</para>
+</description>
+
+<value type="default">/home/%D/%U</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/templateshell.xml b/docs-xml/smbdotconf/winbind/templateshell.xml
new file mode 100644
index 0000000..891c424
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/templateshell.xml
@@ -0,0 +1,13 @@
+<samba:parameter name="template shell"
+                 context="G"
+                 type="string"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>When filling out the user information for a Windows NT 
+	user, the <citerefentry><refentrytitle>winbindd</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry> daemon uses this
+	parameter to fill in the login shell for that user.</para>
+</description>
+
+<value type="default">/bin/false</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/winbindcachetime.xml b/docs-xml/smbdotconf/winbind/winbindcachetime.xml
new file mode 100644
index 0000000..2f69de3
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindcachetime.xml
@@ -0,0 +1,20 @@
+<samba:parameter name="winbind cache time"
+                 context="G"
+                 type="integer"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>This parameter specifies the number of 
+	seconds the <citerefentry><refentrytitle>winbindd</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry> daemon will cache 
+	user and group information before querying a Windows NT server 
+	again.</para>
+
+        <para>
+	This does not apply to authentication requests, these are always 
+	evaluated in real time unless the <smbconfoption name="winbind 
+	offline logon"/> option has been enabled.
+	</para>
+</description>
+
+<value type="default">300</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/winbinddsocketdirectory.xml b/docs-xml/smbdotconf/winbind/winbinddsocketdirectory.xml
new file mode 100644
index 0000000..7827d36
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbinddsocketdirectory.xml
@@ -0,0 +1,15 @@
+<samba:parameter name="winbindd socket directory"
+                 context="G"
+                 type="string"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>This setting controls the location of the winbind daemon's socket.</para>
+	<para>Except within automated test scripts, this should not be
+	altered, as the client tools (nss_winbind etc) do not honour
+	this parameter.  Client tools must then be advised of the
+	altered path with the WINBINDD_SOCKET_DIR environment
+	variable.</para>
+</description>
+
+<value type="default">&pathconfig.WINBINDD_SOCKET_DIR;</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/winbindenumgroups.xml b/docs-xml/smbdotconf/winbind/winbindenumgroups.xml
new file mode 100644
index 0000000..c3339e1
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindenumgroups.xml
@@ -0,0 +1,19 @@
+<samba:parameter name="winbind enum groups"
+                 context="G"
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>On large installations using <citerefentry><refentrytitle>winbindd</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry> it may be necessary to suppress 
+	the enumeration of groups through the <command moreinfo="none">setgrent()</command>,
+	<command moreinfo="none">getgrent()</command> and
+	<command moreinfo="none">endgrent()</command> group of system calls.  If
+	the <parameter moreinfo="none">winbind enum groups</parameter> parameter is
+	<constant>no</constant>, calls to the <command moreinfo="none">getgrent()</command> system
+	call will not return any data. </para>
+
+<warning><para>Turning off group enumeration may cause some programs to behave oddly.  </para></warning>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/winbindenumusers.xml b/docs-xml/smbdotconf/winbind/winbindenumusers.xml
new file mode 100644
index 0000000..5ce53d6
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindenumusers.xml
@@ -0,0 +1,23 @@
+<samba:parameter name="winbind enum users"
+                 context="G"
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>On large installations using <citerefentry><refentrytitle>winbindd</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry> it may be
+	necessary to suppress the enumeration of users through the <command moreinfo="none">setpwent()</command>,
+	 <command moreinfo="none">getpwent()</command> and
+	 <command moreinfo="none">endpwent()</command> group of system calls.  If
+	the <parameter moreinfo="none">winbind enum users</parameter> parameter is
+	 <constant>no</constant>, calls to the <command moreinfo="none">getpwent</command> system call
+	will not return any data. </para>
+
+<warning><para>Turning off user
+	enumeration may cause some programs to behave oddly.  For
+	example, the finger program relies on having access to the
+	full user list when searching for matching
+	usernames. </para></warning>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/winbindexpandgroups.xml b/docs-xml/smbdotconf/winbind/winbindexpandgroups.xml
new file mode 100644
index 0000000..5a05ecf
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindexpandgroups.xml
@@ -0,0 +1,35 @@
+<samba:parameter name="winbind expand groups"
+                 context="G"
+                 type="integer"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>This option controls the maximum depth that winbindd
+              will traverse when flattening nested group memberships
+	      of Windows domain groups.  This is different from the
+	      <smbconfoption name="winbind nested groups"/> option
+              which implements the Windows NT4 model of local group 
+	      nesting.  The &quot;winbind expand groups&quot;
+              parameter specifically applies to the membership of 
+	      domain groups.</para>
+
+	 <para>This option also affects the return of non nested
+	 group memberships of Windows domain users. With the
+	 new default "winbind expand groups = 0" winbind does
+	 not query group memberships at all.</para>
+
+	 <para>Be aware that a high value for this parameter can
+	 result in system slowdown as the main parent winbindd daemon
+	 must perform the group unrolling and will be unable to answer
+	 incoming NSS or authentication requests during this time.</para>
+
+	<para>The default value was changed from 1 to 0 with Samba 4.2.
+	Some broken applications (including some implementations of
+	newgrp and sg) calculate the group memberships of
+	users by traversing groups, such applications will require
+	"winbind expand groups = 1". But the new default makes winbindd
+	more reliable as it doesn't require SAMR access to domain
+	controllers of trusted domains.</para>
+</description>
+
+<value type="default">0</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/winbindignoredomains.xml b/docs-xml/smbdotconf/winbind/winbindignoredomains.xml
new file mode 100644
index 0000000..af99222
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindignoredomains.xml
@@ -0,0 +1,14 @@
+<samba:parameter name="winbind:ignore domains"
+                 context="G"
+                 type="cmdlist"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+       <para>Allows one to enter a list of trusted domains winbind should
+       ignore (untrust). This can avoid the overhead of resources from
+       attempting to login to DCs that should not be communicated with.
+       </para>
+
+</description>
+<value type="default"></value>
+<value type="example">DOMAIN1, DOMAIN2</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/winbindmaxclients.xml b/docs-xml/smbdotconf/winbind/winbindmaxclients.xml
new file mode 100644
index 0000000..847a588
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindmaxclients.xml
@@ -0,0 +1,19 @@
+<samba:parameter name="winbind max clients"
+                 context="G"
+                 type="integer"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>This parameter specifies the maximum number of clients
+	the <citerefentry><refentrytitle>winbindd</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry> daemon can connect with.
+	The parameter is not a hard limit.
+	The <citerefentry><refentrytitle>winbindd</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry> daemon configures
+	itself to be able to accept at least that many connections,
+	and if the limit is reached, an attempt is made to disconnect
+	idle clients.
+	</para>
+</description>
+
+<value type="default">200</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/winbindmaxdomainconnections.xml b/docs-xml/smbdotconf/winbind/winbindmaxdomainconnections.xml
new file mode 100644
index 0000000..5cd846e
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindmaxdomainconnections.xml
@@ -0,0 +1,25 @@
+<samba:parameter name="winbind max domain connections"
+                 context="G"
+                 type="integer"
+                 function="_winbind_max_domain_connections"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>This parameter specifies the maximum number of simultaneous
+	connections that the <citerefentry><refentrytitle>winbindd</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry> daemon should open to the
+	domain controller of one domain.
+	Setting this parameter to a value greater than 1 can improve
+	scalability with many simultaneous winbind requests,
+	some of which might be slow.
+	Changing this value requires a restart of winbindd.
+	</para>
+	<para>
+	Note that if <smbconfoption name="winbind offline logon"/> is set to
+	<constant>Yes</constant>, then only one
+	DC connection is allowed per domain, regardless of this setting.
+	</para>
+</description>
+
+<value type="default">1</value>
+<value type="example">10</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/winbindnestedgroups.xml b/docs-xml/smbdotconf/winbind/winbindnestedgroups.xml
new file mode 100644
index 0000000..a4a03eb
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindnestedgroups.xml
@@ -0,0 +1,16 @@
+<samba:parameter name="winbind nested groups"
+                 context="G"
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>If set to yes, this parameter activates the support for nested
+                 groups. Nested groups are also called local groups or
+                 aliases. They work like their counterparts in Windows: Nested
+                 groups are defined locally on any machine (they are shared
+                 between DC's through their SAM) and can contain users and
+                 global groups from any trusted SAM. To be able to use nested
+                 groups, you need to run nss_winbind.</para>
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/winbindnormalizenames.xml b/docs-xml/smbdotconf/winbind/winbindnormalizenames.xml
new file mode 100644
index 0000000..362f488
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindnormalizenames.xml
@@ -0,0 +1,30 @@
+<samba:parameter name="winbind normalize names"
+                 context="G"
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>This parameter controls whether winbindd will replace
+	  whitespace in user and group names with an underscore (_) character.
+	  For example, whether the name &quot;Space Kadet&quot; should be
+	  replaced with the string &quot;space_kadet&quot;.
+	  Frequently Unix shell scripts will have difficulty with usernames
+	  contains whitespace due to the default field separator in the shell.
+	  If your domain possesses names containing the underscore character,
+	  this option may cause problems unless the name aliasing feature
+	  is supported by your nss_info plugin.
+        </para>
+
+	<para>This feature also enables the name aliasing API which can
+	  be used to make domain user and group names to a non-qualified
+	  version.  Please refer to the manpage for the configured
+	  idmap and nss_info plugin for the specifics on how to configure
+	  name aliasing for a specific configuration.  Name aliasing takes
+	  precedence (and is mutually exclusive) over the whitespace
+	  replacement mechanism discussed previously.
+	  </para>
+
+</description>
+
+<value type="default">no</value>
+<value type="example">yes</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/winbindnssinfo.xml b/docs-xml/smbdotconf/winbind/winbindnssinfo.xml
new file mode 100644
index 0000000..e6d17c2
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindnssinfo.xml
@@ -0,0 +1,38 @@
+<samba:parameter name="winbind nss info"
+                 context="G"
+                 type="cmdlist"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+	<para>This parameter is designed to control how Winbind retrieves Name
+	Service Information to construct a user's home directory and login shell.
+	Currently the following settings are available:
+
+	<itemizedlist>
+		<listitem>
+			<para><parameter moreinfo="none">template</parameter>
+			- The default, using the parameters of <parameter moreinfo="none">template
+			shell</parameter> and <parameter moreinfo="none">template homedir</parameter>)
+			</para>
+		</listitem>
+
+		<listitem>
+			<para><parameter moreinfo="none">&lt;sfu | sfu20 | rfc2307 &gt;</parameter>
+			- When Samba is running in security = ads and your Active Directory
+			Domain Controller does support the Microsoft "Services for Unix" (SFU)
+			LDAP schema, winbind can retrieve the login shell and the home
+			directory attributes directly from your Directory Server. For SFU 3.0 or 3.5 simply choose
+			"sfu", if you use SFU 2.0 please choose "sfu20".</para>
+			<para>Note that for the idmap backend <refentrytitle>idmap_ad</refentrytitle>
+			you need to configure those settings in the idmap configuration section.
+			Make sure to consult the documentation of the idmap backend that you are using.
+			</para>
+		</listitem>
+	</itemizedlist>
+
+</para>
+</description>
+
+<value type="default">template</value>
+<value type="example">sfu</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/winbindofflinelogon.xml b/docs-xml/smbdotconf/winbind/winbindofflinelogon.xml
new file mode 100644
index 0000000..9cf1249
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindofflinelogon.xml
@@ -0,0 +1,17 @@
+<samba:parameter name="winbind offline logon"
+                 context="G"
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+	<para>This parameter is designed to control whether Winbind should
+	allow one to login with the <parameter moreinfo="none">pam_winbind</parameter> 
+	module using Cached Credentials. If enabled, winbindd will store user credentials
+	from successful logins encrypted in a local cache.
+	</para>
+
+</description>
+
+<value type="default">no</value>
+<value type="example">yes</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/winbindreconnectdelay.xml b/docs-xml/smbdotconf/winbind/winbindreconnectdelay.xml
new file mode 100644
index 0000000..f26fd5e
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindreconnectdelay.xml
@@ -0,0 +1,14 @@
+<samba:parameter name="winbind reconnect delay"
+                 context="G"
+                 type="integer"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>This parameter specifies the number of
+	seconds the <citerefentry><refentrytitle>winbindd</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry> daemon will wait between
+	attempts to contact a Domain controller for a domain that is
+	determined to be down or not contactable.</para>
+</description>
+
+<value type="default">30</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/winbindrefreshtickets.xml b/docs-xml/smbdotconf/winbind/winbindrefreshtickets.xml
new file mode 100644
index 0000000..f6bb738
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindrefreshtickets.xml
@@ -0,0 +1,15 @@
+<samba:parameter name="winbind refresh tickets"
+                 context="G"
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+	<para>This parameter is designed to control whether Winbind should refresh Kerberos Tickets
+	retrieved using the <parameter moreinfo="none">pam_winbind</parameter> module.
+
+</para>
+</description>
+
+<value type="default">no</value>
+<value type="example">yes</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/winbindrequesttimeout.xml b/docs-xml/smbdotconf/winbind/winbindrequesttimeout.xml
new file mode 100644
index 0000000..8c7ec56
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindrequesttimeout.xml
@@ -0,0 +1,15 @@
+<samba:parameter name="winbind request timeout"
+                 context="G"
+                 type="integer"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>This parameter specifies the number of
+	seconds the <citerefentry><refentrytitle>winbindd</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry> daemon will wait before
+	disconnecting either a client connection with no outstanding
+	requests (idle) or a client connection with a request that has
+	remained outstanding (hung) for longer than this number of seconds.</para>
+</description>
+
+<value type="default">60</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/winbindrpconly.xml b/docs-xml/smbdotconf/winbind/winbindrpconly.xml
new file mode 100644
index 0000000..50795ac
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindrpconly.xml
@@ -0,0 +1,15 @@
+<samba:parameter name="winbind rpc only"
+                 context="G"
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+	<para>
+	Setting this parameter to <value type="example">yes</value> forces 
+	winbindd to use RPC instead of LDAP to retrieve information from Domain
+        Controllers.
+	</para>
+	
+</description>
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml b/docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml
new file mode 100644
index 0000000..12e94cb
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml
@@ -0,0 +1,29 @@
+<samba:parameter name="winbind scan trusted domains"
+                 context="G"
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>
+    This option only takes effect when the <smbconfoption name="security"/> option is set to
+    <constant>domain</constant> or <constant>ads</constant>.
+    If it is set to yes, winbindd periodically tries to scan for new
+    trusted domains and adds them to a global list inside of winbindd.
+    The list can be extracted with <command>wbinfo --trusted-domains --verbose</command>.
+    Setting it to yes matches the behaviour of Samba 4.7 and older.</para>
+
+    <para>The construction of that global list is not reliable and often
+    incomplete in complex trust setups. In most situations the list is
+    not needed any more for winbindd to operate correctly.
+    E.g. for plain file serving via SMB using a simple idmap setup
+    with <constant>autorid</constant>, <constant>tdb</constant> or <constant>ad</constant>.
+    However some more complex setups require the list, e.g.
+    if you specify idmap backends for specific domains.
+    Some pam_winbind setups may also require the global list.</para>
+
+    <para>If you have a setup that doesn't require the global list, you should set
+    <smbconfoption name="winbind scan trusted domains">no</smbconfoption>.
+    </para>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml b/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
new file mode 100644
index 0000000..016ac9b
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
@@ -0,0 +1,15 @@
+<samba:parameter name="winbind sealed pipes"
+                 context="G"
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>This option controls whether any requests from winbindd to domain controllers
+		pipe will be sealed. Disabling sealing can be useful for debugging
+		purposes.</para>
+
+	<para>The behavior can be controlled per netbios domain
+	by using 'winbind sealed pipes:NETBIOSDOMAIN = no' as option.</para>
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/winbindseparator.xml b/docs-xml/smbdotconf/winbind/winbindseparator.xml
new file mode 100644
index 0000000..eda14f4
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindseparator.xml
@@ -0,0 +1,20 @@
+<samba:parameter name="winbind separator"
+                 context="G"
+                 type="string"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>This parameter allows an admin to define the character 
+	used when listing a username of the form of <replaceable>DOMAIN
+	</replaceable>\<replaceable>user</replaceable>.  This parameter 
+	is only applicable when using the <filename moreinfo="none">pam_winbind.so</filename>
+	and <filename moreinfo="none">nss_winbind.so</filename> modules for UNIX services.
+	</para>
+
+	<para>Please note that setting this parameter to + causes problems
+	with group membership at least on glibc systems, as the character +
+	is used as a special character for NIS in /etc/group.</para>
+</description>
+
+<value type="default">\</value>
+<value type="example">+</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/winbindusedefaultdomain.xml b/docs-xml/smbdotconf/winbind/winbindusedefaultdomain.xml
new file mode 100644
index 0000000..186398e
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindusedefaultdomain.xml
@@ -0,0 +1,22 @@
+<samba:parameter name="winbind use default domain"
+                 context="G"
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>This parameter specifies whether the
+	 <citerefentry><refentrytitle>winbindd</refentrytitle> 
+	<manvolnum>8</manvolnum></citerefentry> daemon should operate on users  
+	without domain component in their username. Users without a domain
+	component are treated as is part of the winbindd server's own
+	domain. While this does not benefit Windows users, it makes SSH, FTP and
+	e-mail function in a way much closer to the way they
+	would in a native unix system.</para>
+	<para>This option should be avoided if possible. It can cause confusion
+	about responsibilities for a user or group. In many situations it is
+	not clear whether winbind or /etc/passwd should be seen as authoritative
+	for a user, likewise for groups.</para>
+</description>
+
+<value type="default">no</value>
+<value type="example">yes</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml b/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml
new file mode 100644
index 0000000..d30b7f3
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml
@@ -0,0 +1,34 @@
+<samba:parameter name="winbind use krb5 enterprise principals"
+                 context="G"
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>winbindd is able to get kerberos tickets for
+	pam_winbind with krb5_auth or wbinfo -K/--krb5auth=.
+	</para>
+
+	<para>winbindd (at least on a domain member) is never be able
+	to have a complete picture of the trust topology (which is managed by the DCs).
+	There might be uPNSuffixes and msDS-SPNSuffixes values,
+	which don't belong to any AD domain at all.
+	</para>
+
+	<para>With <smbconfoption name="winbind scan trusted domains">no</smbconfoption>
+	winbindd doesn't even get a complete picture of the topology.
+	</para>
+
+	<para>It is not really required to know about the trust topology.
+	We can just rely on the [K]DCs of our primary domain (e.g. PRIMARY.A.EXAMPLE.COM)
+	and use enterprise principals e.g. upnfromB@B.EXAMPLE.COM@PRIMARY.A.EXAMPLE.COM
+	and follow the WRONG_REALM referrals in order to find the correct DC.
+	The final principal might be userfromB@INTERNALB.EXAMPLE.PRIVATE.
+	</para>
+
+	<para>With <smbconfoption name="winbind use krb5 enterprise principals">yes</smbconfoption>
+	winbindd enterprise principals will be used.
+	</para>
+</description>
+
+<value type="default">yes</value>
+<value type="example">no</value>
+</samba:parameter>
-- 
cgit v1.2.3