Changeset 988 for vendor/current/docs-xml/smbdotconf/security

Timestamp:

Nov 24, 2016, 1:14:11 PM (9 years ago)

Author:

Silvan Scherrer

Message:

Samba Server: update vendor to version 4.4.3

Location:

vendor/current/docs-xml/smbdotconf/security

Files:

• accessbasedshareenum.xml (modified) (1 diff)
• aclgroupcontrol.xml (modified) (4 diffs)
• adminusers.xml (modified) (2 diffs)
• algorithmicridbase.xml (modified) (2 diffs)
• allowdcerpcauthlevelconnect.xml (modified) (1 diff)
• allowtrusteddomains.xml (modified) (1 diff)
• authmethods.xml (modified) (1 diff)
• checkpasswordscript.xml (modified) (2 diffs)
• clientipcsigning.xml (modified) (2 diffs)
• clientlanmanauth.xml (modified) (1 diff)
• clientntlmv2auth.xml (modified) (1 diff)
• clientplaintextauth.xml (modified) (1 diff)
• clientschannel.xml (modified) (2 diffs)
• clientsigning.xml (modified) (2 diffs)
• clientusepsnegoprincipal.xml (modified) (3 diffs)
• createmask.xml (modified) (2 diffs)
• dedicatedkeytabfile.xml (modified) (1 diff)
• directorymask.xml (modified) (2 diffs)
• directorysecuritymask.xml (modified) (1 diff)
• encryptpasswords.xml (modified) (2 diffs)
• forcecreatemode.xml (modified) (2 diffs)
• forcedirectorymode.xml (modified) (2 diffs)
• forcedirectorysecuritymode.xml (modified) (1 diff)
• forcegroup.xml (modified) (1 diff)
• forcesecuritymode.xml (modified) (1 diff)
• forceunknownacluser.xml (modified) (1 diff)
• forceuser.xml (modified) (1 diff)
• guestaccount.xml (modified) (1 diff)
• guestok.xml (modified) (1 diff)
• guestonly.xml (modified) (1 diff)
• hostsallow.xml (modified) (1 diff)
• hostsdeny.xml (modified) (1 diff)
• inheritacls.xml (modified) (1 diff)
• inheritowner.xml (modified) (2 diffs)
• inheritpermissions.xml (modified) (1 diff)
• invalidusers.xml (modified) (1 diff)
• kerberosmethod.xml (modified) (2 diffs)
• kpasswdport.xml (added)
• krb5port.xml (added)
• lanmanauth.xml (modified) (2 diffs)
• lognttokencommand.xml (added)
• maptoguest.xml (modified) (2 diffs)
• mapuntrustedtodomain.xml (modified) (1 diff)
• ntlmauth.xml (modified) (1 diff)
• ntpsigndsocketdirectory.xml (added)
• nullpasswords.xml (modified) (1 diff)
• obeypamrestrictions.xml (modified) (1 diff)
• oldpasswordallowedperiod.xml (added)
• onlyuser.xml (modified) (1 diff)
• pampasswordchange.xml (modified) (1 diff)
• passdbbackend.xml (modified) (1 diff)
• passdbexpandexplicit.xml (modified) (1 diff)
• passwdchat.xml (modified) (2 diffs)
• passwdchatdebug.xml (modified) (1 diff)
• passwdchattimeout.xml (modified) (1 diff)
• passwdprogram.xml (modified) (1 diff)
• passwordlevel.xml (deleted)
• passwordserver.xml (modified) (2 diffs)
• preloadmodules.xml (modified) (1 diff)
• printeradmin.xml (deleted)
• privatedir.xml (modified) (2 diffs)
• readlist.xml (modified) (2 diffs)
• readonly.xml (modified) (1 diff)
• renameuserscript.xml (modified) (2 diffs)
• restrictanonymous.xml (modified) (2 diffs)
• rootdirectory.xml (modified) (2 diffs)
• sambakcccommand.xml (added)
• security.xml (modified) (5 diffs)
• securitymask.xml (modified) (1 diff)
• sendspengoprincipal.xml (deleted)
• serverrole.xml (added)
• serverschannel.xml (modified) (1 diff)
• serversigning.xml (modified) (2 diffs)
• smbencrypt.xml (modified) (1 diff)
• smbpasswdfile.xml (modified) (2 diffs)
• tlscafile.xml (added)
• tlscertfile.xml (added)
• tlscrlfile.xml (added)
• tlsdhparamsfile.xml (added)
• tlsenabled.xml (added)
• tlskeyfile.xml (added)
• tlspriority.xml (added)
• tlsverifypeer.xml (added)
• unixpasswordsync.xml (modified) (1 diff)
• username.xml (modified) (1 diff)
• usernamelevel.xml (modified) (1 diff)
• usernamemap.xml (modified) (3 diffs)
• usernamemapcachetime.xml (modified) (1 diff)
• usernamemapscript.xml (modified) (2 diffs)
• validusers.xml (modified) (2 diffs)
• writeable.xml (modified) (1 diff)
• writelist.xml (modified) (2 diffs)

vendor/current/docs-xml/smbdotconf/security/accessbasedshareenum.xml

@@ -1 +1 @@
 <samba:parameter name="access based share enum"
-                 type="boolean"
+                 type="boolean"
                  context="S"
-                 basic="1" advanced="1" developer="1"
-                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
  <description>
      <para>If this parameter is <constant>yes</constant> for a
     service, then the share hosted by the service will only be visible
     to users who have read or write access to the share during share
-    enumeration (for example net view \\sambaserver).  This has
+    enumeration (for example net view \\sambaserver). The share ACLs
+    which allow or deny the access to the share can be modified using
+    for example the <command moreinfo="none">sharesec</command> command
+    or using the appropriate Windows tools. This has
     parallels to access based enumeration, the main difference being
     that only share permissions are evaluated, and security

vendor/current/docs-xml/smbdotconf/security/aclgroupcontrol.xml

@@ -1 +1 @@
 <samba:parameter name="acl group control"
                  context="S"
-                 type="boolean"
+                 type="boolean"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
@@ -15 +15 @@
         on a point in the filesystem to the group owner of a directory and anything below it also owned
         by that group. This means there are multiple people with permissions to modify ACLs on a file
-        or directory, easing managability.
+        or directory, easing manageability.
         </para>
         <para>
@@ -25 +25 @@
         <para>
         This parameter is best used with the <smbconfoption name="inherit owner"/> option and also
-        on on a share containing directories with the UNIX <emphasis>setgid bit</emphasis> set
+        on a share containing directories with the UNIX <emphasis>setgid bit</emphasis> set
         on them, which causes new files and directories created within it to inherit the group
         ownership from the containing directory. 
@@ -31 +31 @@
 
         <para>
-        This is parameter has been was deprecated in Samba 3.0.23, but re-activated in
+        This parameter was deprecated in Samba 3.0.23, but re-activated in
         Samba 3.0.31 and above, as it now only controls permission changes if the user
         is in the owning primary group. It is now no longer equivalent to the

vendor/current/docs-xml/smbdotconf/security/adminusers.xml

@@ -1 +1 @@
 <samba:parameter name="admin users"
                  context="S"
-                                 type="list"
+                 type="cmdlist"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
@@ -12 +12 @@
     irrespective of file permissions.</para>
 
-    <para>This parameter will not work with the <smbconfoption name="security">share</smbconfoption> in
-    Samba 3.0.  This is by design.</para>
-
 </description>
 

vendor/current/docs-xml/smbdotconf/security/algorithmicridbase.xml

@@ -1 +1 @@
 <samba:parameter name="algorithmic rid base"
                  context="G"
-                 advanced="1" developer="1"
-                                 type="integer"
-                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+                 type="integer"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
     <para>This determines how Samba will use its
@@ -12 +11 @@
     <para>Setting this option to a larger value could be useful to sites
     transitioning from WinNT and Win2k, as existing user and 
-    group rids would otherwise clash with sytem users etc. 
+    group rids would otherwise clash with system users etc. 
     </para>
 

vendor/current/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml

@@ -8 +8 @@
         but no per message integrity nor privacy protection.</para>
 
-        <para>The behavior can be controlled per interface name (e.g. lsarpc, netlogon, samr, srvsvc,
-        winreg, wkssvc ...) by using 'allow dcerpc auth level connect:interface = no' as option.</para>
+        <para>Some interfaces like samr, lsarpc and netlogon have a hard-coded default of
+        <constant>no</constant> and epmapper, mgmt and rpcecho have a hard-coded default of
+        <constant>yes</constant>.
+        </para>
 
-        <para>This option yields precedence to the implentation specific restrictions.
+        <para>The behavior can be overwritten per interface name (e.g. lsarpc, netlogon, samr, srvsvc,
+        winreg, wkssvc ...) by using 'allow dcerpc auth level connect:interface = yes' as option.</para>
+
+        <para>This option yields precedence to the implementation specific restrictions.
         E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY.
-        While others like samr and lsarpc have a hardcoded default of <constant>no</constant>.
+        The dnsserver protocol requires DCERPC_AUTH_LEVEL_INTEGRITY.
         </para>
 </description>

vendor/current/docs-xml/smbdotconf/security/allowtrusteddomains.xml

@@ -1 +1 @@
 <samba:parameter name="allow trusted domains"
                  context="G"
-                                 type="boolean"
-                 advanced="1" developer="1"
-                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
     <para>

vendor/current/docs-xml/smbdotconf/security/authmethods.xml

@@ -1 +1 @@
 <samba:parameter name="auth methods"
                  context="G"
-                                 type="list"
-                 basic="1" advanced="1" wizard="1" developer="1"
-                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+                 type="cmdlist"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
 

vendor/current/docs-xml/smbdotconf/security/checkpasswordscript.xml

@@ -1 +1 @@
 <samba:parameter name="check password script"
                  context="G"
-                                 type="string"
-                 advanced="1" developer="1"
+                 type="string"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
@@ -18 +17 @@
 </description>
 
-<value type="default">Disabled</value>
+<value type="default"><comment>Disabled</comment></value>
 <value type="example">/usr/local/sbin/crackcheck</value>
 </samba:parameter>

vendor/current/docs-xml/smbdotconf/security/clientipcsigning.xml

@@ -2 +2 @@
                  context="G"
                  type="enum"
+                 function="_client_ipc_signing"
                  enumlist="enum_smb_signing_vals"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
     <para>This controls whether the client is allowed or required to use SMB signing for IPC$
-    connections as DCERPC transport inside of winbind. Possible values
+    connections as DCERPC transport. Possible values
     are <emphasis>auto</emphasis>, <emphasis>mandatory</emphasis>
     and <emphasis>disabled</emphasis>.
     </para>
+
+    <para>When set to mandatory or default, SMB signing is required.</para>
 
     <para>When set to auto, SMB signing is offered, but not enforced and if set
@@ -20 +23 @@
 <related>client signing</related>
 
-<value type="default">mandatory</value>
+<value type="default">default</value>
 </samba:parameter>

vendor/current/docs-xml/smbdotconf/security/clientlanmanauth.xml

@@ -1 +1 @@
 <samba:parameter name="client lanman auth"
                  context="G"
-                                 type="boolean"
-                 advanced="1" developer="1"
+                 type="boolean"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>

vendor/current/docs-xml/smbdotconf/security/clientntlmv2auth.xml

@@ -1 @@
-<samba:parameter name="client ntlmv2 auth"
+<samba:parameter name="client NTLMv2 auth"
                  context="G"
-                                 type="boolean"
-                 advanced="1" developer="1"
+                 type="boolean"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>

vendor/current/docs-xml/smbdotconf/security/clientplaintextauth.xml

@@ -1 +1 @@
 <samba:parameter name="client plaintext auth"
                  context="G"
-                                 type="boolean"
-                 basic="1" advanced="1" wizard="1" developer="1"
-                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
         <para>Specifies whether a client should send a plaintext 

vendor/current/docs-xml/smbdotconf/security/clientschannel.xml

@@ -1 +1 @@
 <samba:parameter name="client schannel"
                  context="G"
-                 basic="1"
-                                 type="boolean-auto"
-                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+                 type="enum"
+                 enumlist="enum_bool_auto"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
 
@@ -13 +13 @@
     if the server is not able to speak netlogon schannel. 
     </para>
+
+    <para>Note that for active directory domains this is hardcoded to
+    <smbconfoption name="client schannel">yes</smbconfoption>.</para>
+
+    <para>This option yields precedence to the <smbconfoption name="require strong key"/> option.</para>
 </description>
 <value type="default">auto</value>

vendor/current/docs-xml/smbdotconf/security/clientsigning.xml

@@ -1 +1 @@
 <samba:parameter name="client signing"
                  context="G"
-                                 type="boolean-auto"
-                 basic="1"
-                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+                 type="enum"
+                 enumlist="enum_smb_signing_vals"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
     <para>This controls whether the client is allowed or required to use SMB signing. Possible values 
@@ -10 +10 @@
     </para>
 
-    <para>When set to auto, SMB signing is offered, but not enforced. 
-    When set to mandatory, SMB signing is required and if set 
-        to disabled, SMB signing is not offered either.
+    <para>When set to auto or default, SMB signing is offered, but not enforced.</para>
+
+    <para>When set to mandatory, SMB signing is required and if set
+    to disabled, SMB signing is not offered either.</para>
 
     <para>IPC$ connections for DCERPC e.g. in winbindd, are handled by the
     <smbconfoption name="client ipc signing"/> option.</para>
-</para>
 </description>
 
-<value type="default">auto</value>
+<related>client ipc signing</related>
+
+<value type="default">default</value>
 </samba:parameter>

vendor/current/docs-xml/smbdotconf/security/clientusepsnegoprincipal.xml

@@ -1 +1 @@
 <samba:parameter name="client use spnego principal"
                  context="G"
-                                 type="boolean"
-                 advanced="1" developer="1"
+                 type="boolean"
+                 deprecated="1"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
@@ -15 +15 @@
     ordinarily cannot function in this situation. </para>
 
+    <para>This is a VERY BAD IDEA for security reasons, and so this
+    parameter SHOULD NOT BE USED. It will be removed in a future
+    version of Samba.</para>
+
     <para>If disabled, Samba will use the name used to look up the
     server when asking the KDC for a ticket.  This avoids situations
@@ -24 +28 @@
     this behaviour, and Windows Vista and later servers no longer
     supply this 'rfc4178 hint' principal on the server side.</para>
+
+    <para>This parameter is deprecated in Samba 4.2.1 and will be removed
+    (along with the functionality) in a later release of Samba.</para>
 </description>
 <value type="default">no</value>

vendor/current/docs-xml/smbdotconf/security/createmask.xml

@@ -1 +1 @@
 <samba:parameter name="create mask"
                  context="S"
-                                 type="string"
+                 type="octal"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 
@@ -27 +27 @@
         for details.
         </para>
-
-    <para>
-        Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the
-        administrator wishes to enforce a mask on access control lists also, they need to set the <smbconfoption
-        name="security mask"/>.
-        </para>
 </description>
 

vendor/current/docs-xml/smbdotconf/security/dedicatedkeytabfile.xml

@@ -1 @@
-<samba:parameter name="dedicated keytab file" context="G" type="string"
-                 advanced="1" developer="1"
+<samba:parameter name="dedicated keytab file"
+                 context="G"
+                 type="string"
+                 constant="1"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>

vendor/current/docs-xml/smbdotconf/security/directorymask.xml

@@ -1 +1 @@
 <samba:parameter name="directory mask"
-        context="S"
-        type="string"
+                 context="S"
+                 type="octal"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <synonym>directory mode</synonym>
@@ -24 +24 @@
     created from this parameter with the value of the <smbconfoption name="force directory mode"/> parameter. 
     This parameter is set to 000 by default (i.e. no extra mode bits are added).</para>
-
-    <para>Note that this parameter does not apply to permissions
-    set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
-    a mask on access control lists also, they need to set the <smbconfoption name="directory security mask"/>.</para>
 </description>
 
 <related>force directory mode</related>
 <related>create mask</related>
-<related>directory security mask</related>
 <related>inherit permissions</related>
 <value type="default">0755</value>

vendor/current/docs-xml/smbdotconf/security/directorysecuritymask.xml

@@ -1 +1 @@
 <samba:parameter name="directory security mask"
                  context="S"
-                                 type="string"
+                 removed="1"
+                 type="string"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
-    <para>This parameter controls what UNIX permission bits
-    will be set when a Windows NT client is manipulating the UNIX
-    permission on a directory using the native NT security dialog
-    box.</para>
-
     <para>
-        This parameter is applied as a mask (AND'ed with) to the incoming permission bits, thus resetting
-        any bits not in this mask.  Make sure not to mix up this parameter with <smbconfoption name="force
-        directory security mode"/>, which works similar like this one but uses logical OR instead of AND.
-        Essentially, zero bits in this mask are a set of bits that will always be set to zero.
-        </para>
-
-    <para>
-        Essentially, all bits set to zero in this mask will result in setting to zero the corresponding bits on the
-        file permissions regardless of the previous status of this bits on the file.
+        This parameter has been removed for Samba 4.0.0.
     </para>
-
-    <para>If not set explicitly this parameter is set to 0777
-    meaning a user is allowed to set all the user/group/world
-    permissions on a directory.</para>
-
-    <para><emphasis>Note</emphasis> that users who can access the 
-    Samba server through other means can easily bypass this restriction, 
-    so it is primarily useful for standalone &quot;appliance&quot; systems.  
-    Administrators of most normal systems will probably want to leave
-        it as the default of <constant>0777</constant>.</para>
 </description>
 
-<related>force directory security mode</related>
-<related>security mask</related>
-<related>force security mode</related>
-<value type="default">0777</value>
-<value type="example">0700</value>
 </samba:parameter>

vendor/current/docs-xml/smbdotconf/security/encryptpasswords.xml

@@ -1 +1 @@
 <samba:parameter name="encrypt passwords"
                  context="G"
-                                 type="boolean"
-                 basic="1" advanced="1" wizard="1" developer="1"
-                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
     <para>This boolean controls whether encrypted passwords 
@@ -33 +32 @@
     <manvolnum>5</manvolnum></citerefentry> file (see the <citerefentry><refentrytitle>smbpasswd</refentrytitle>
     <manvolnum>8</manvolnum></citerefentry> program for information on how to set up 
-    and maintain this file), or set the <smbconfoption name="security">[server|domain|ads]</smbconfoption> parameter which 
+    and maintain this file), or set the <smbconfoption name="security">[domain|ads]</smbconfoption> parameter which
     causes <command moreinfo="none">smbd</command> to authenticate against another 
         server.</para>

vendor/current/docs-xml/smbdotconf/security/forcecreatemode.xml

@@ -1 +1 @@
 <samba:parameter name="force create mode"
                  context="S"
+                 type="octal"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
@@ -20 +21 @@
 <related>inherit permissions</related>
 
-<value type="default">000</value>
+<value type="default">0000</value>
 <value type="example">0755</value>
 </samba:parameter>

vendor/current/docs-xml/smbdotconf/security/forcedirectorymode.xml

@@ -1 +1 @@
 <samba:parameter name="force directory mode"
                  context="S"
-                                 type="string"
+                 type="octal"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
@@ -18 +18 @@
 </description>
 
-<value type="default">000</value>
+<value type="default">0000</value>
 <value type="example">0755</value>
 

vendor/current/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml

@@ -1 +1 @@
 <samba:parameter name="force directory security mode"
                  context="S"
-                                 type="string"
+                 type="string"
+                 removed="1"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
     <para>
-        This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating
-        the UNIX permission on a directory using the native NT security dialog box.
-        </para>
-
-    <para>
-        This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this
-        mask that the user may have modified to be on.  Make sure not to mix up this parameter with <smbconfoption
-        name="directory security mask"/>, which works in a similar manner to this one, but uses a logical AND instead
-        of an OR. 
-        </para>
-
-        <para>
-        Essentially, this mask may be treated as a set of bits that, when modifying security on a directory, 
-        to will enable (1) any flags that are off (0) but which the mask has set to on (1).
-        </para>
-
-    <para>
-        If not set explicitly this parameter is 0000, which allows a user to modify all the user/group/world
-        permissions on a directory without restrictions.
-        </para>
-
-    <note><para>
-        Users who can access the Samba server through other means can easily bypass this restriction, so it is
-        primarily useful for standalone &quot;appliance&quot; systems.  Administrators of most normal systems will
-        probably want to leave it set as 0000.
-        </para></note>
-
+        This parameter has been removed for Samba 4.0.0.
+    </para>
 </description>
-
-<value type="default">0</value>
-<value type="example">700</value>
-
-<related>directory security mask</related>
-<related>security mask</related>
-<related>force security mode</related>
-
 </samba:parameter>

vendor/current/docs-xml/smbdotconf/security/forcegroup.xml

@@ -1 +1 @@
 <samba:parameter name="force group"
                  context="S"
-                                 type="string"
+                 type="string"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <synonym>group</synonym>

vendor/current/docs-xml/smbdotconf/security/forcesecuritymode.xml

@@ -1 +1 @@
 <samba:parameter name="force security mode"
                  context="S"
-                                 type="string"
+                 type="string"
+                 removed="1"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
     <para>
-        This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating 
-    the UNIX permission on a file using the native NT security dialog box.
-        </para>
-                
-    <para>
-        This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this
-        mask that the user may have modified to be on.  Make sure not to mix up this parameter with <smbconfoption
-        name="security mask"/>, which works similar like this one but uses logical AND instead of OR. 
-        </para>
-
-        <para>
-        Essentially, one bits in this mask may be treated as a set of bits that, when modifying security on a file,
-        the user has always set to be on.
-        </para>
-
-    <para>
-        If not set explicitly this parameter is set to 0, and allows a user to modify all the user/group/world
-        permissions on a file, with no restrictions.
-        </para>
-                
-    <para><emphasis>
-        Note</emphasis> that users who can access the Samba server through other means can easily bypass this
-        restriction, so it is primarily useful for standalone &quot;appliance&quot; systems. Administrators of most
-        normal systems will probably want to leave this set to 0000.
-        </para>
-
+        This parameter has been removed for Samba 4.0.0.
+    </para>
 </description>
-
-<value type="default">0</value>
-<value type="example">700</value>
-
-<related>force directory security mode</related>
-<related>directory security mask</related>
-<related>security mask</related>
 </samba:parameter>

vendor/current/docs-xml/smbdotconf/security/forceunknownacluser.xml

@@ -1 +1 @@
 <samba:parameter name="force unknown acl user"
                  context="S"
-                                 type="boolean"
+                 type="boolean"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 

vendor/current/docs-xml/smbdotconf/security/forceuser.xml

@@ -1 +1 @@
 <samba:parameter name="force user"
-                                 type="string"
+                 type="string"
                  context="S"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">

vendor/current/docs-xml/smbdotconf/security/guestaccount.xml

@@ -1 +1 @@
 <samba:parameter name="guest account"
                  context="G"
-                                 type="string"
-                 basic="1" advanced="1" developer="1"
-                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+                 type="string"
+                 constant="1"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
     <para>This is a username which will be used for access 

vendor/current/docs-xml/smbdotconf/security/guestok.xml

@@ -1 +1 @@
 <samba:parameter name="guest ok"
-                                 type="boolean"
+                 type="boolean"
                  context="S"
-                 basic="1" advanced="1" print="1" developer="1"
-                                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <synonym>public</synonym>
 <description>

vendor/current/docs-xml/smbdotconf/security/guestonly.xml

@@ -1 +1 @@
 <samba:parameter name="guest only"
                  context="S"
-                                 type="boolean"
+                 type="boolean"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <synonym>only guest</synonym>

vendor/current/docs-xml/smbdotconf/security/hostsallow.xml

@@ -1 +1 @@
 <samba:parameter name="hosts allow"
                  context="S"
-                                 type="list"
-                 basic="1" advanced="1" print="1" developer="1"
+                 type="cmdlist"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <synonym>allow hosts</synonym>

vendor/current/docs-xml/smbdotconf/security/hostsdeny.xml

@@ -1 +1 @@
 <samba:parameter name="hosts deny"
                  context="S"
-                                 type="list"
-                 basic="1" advanced="1" print="1" developer="1"
+                 type="cmdlist"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <synonym>deny hosts</synonym>

vendor/current/docs-xml/smbdotconf/security/inheritacls.xml

@@ -1 +1 @@
 <samba:parameter name="inherit acls"
                  context="S"
-                                 type="boolean"
+                 type="boolean"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>

vendor/current/docs-xml/smbdotconf/security/inheritowner.xml

@@ -1 +1 @@
 <samba:parameter name="inherit owner"
                  context="S"
-                 type="boolean"
+                 type="boolean"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
@@ -11 +11 @@
         
         <para>Common scenarios where this behavior is useful is in 
-        implementing drop-boxes where users can create and edit files but not 
-        delete them and to ensure that newly create files in a user's
-        roaming profile directory are actually owner by the user.</para>
+        implementing drop-boxes, where users can create and edit files but
+        not delete them and ensuring that newly created files in a user's
+        roaming profile directory are actually owned by the user.</para>
 </description>
 

vendor/current/docs-xml/smbdotconf/security/inheritpermissions.xml

@@ -1 +1 @@
 <samba:parameter name="inherit permissions"
                  context="S"
-                                 type="boolean"
+                 type="boolean"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>

vendor/current/docs-xml/smbdotconf/security/invalidusers.xml

@@ -1 +1 @@
 <samba:parameter name="invalid users"
                  context="S"
-                                 type="list"
+                 type="cmdlist"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>

vendor/current/docs-xml/smbdotconf/security/kerberosmethod.xml

@@ -1 @@
-<samba:parameter name="kerberos method" context="G" type="enum"
-                 advanced="1" developer="1"
+<samba:parameter name="kerberos method"
+                 context="G"
+                 type="enum"
+                 enumlist="enum_kerberos_method"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
@@ -36 +38 @@
 </description>
 <related>dedicated keytab file</related>
-<value type="default">secrets only</value>
+<value type="default">default</value>
 </samba:parameter>

vendor/current/docs-xml/smbdotconf/security/lanmanauth.xml

@@ -1 +1 @@
 <samba:parameter name="lanman auth"
                  context="G"
-                                 type="boolean"
-                 advanced="1" developer="1"
+                 type="boolean"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
@@ -22 +21 @@
     blanked after the next password change. As a result of that
     lanman clients won't be able to authenticate, even if lanman
-    auth is reenabled later on.
+    auth is re-enabled later on.
     </para>
                 

vendor/current/docs-xml/smbdotconf/security/maptoguest.xml

@@ -1 +1 @@
 <samba:parameter name="map to guest"
-                                 type="enum"
+                 type="enum"
                  context="G"
-                 advanced="1" developer="1"
-                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+                 enumlist="enum_map_to_guest"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
-    <para>This parameter is only useful in <smbconfoption name="SECURITY">
-    security</smbconfoption> modes other than <parameter moreinfo="none">security = share</parameter> 
-    and <parameter moreinfo="none">security = server</parameter>
-    - i.e. <constant>user</constant>, and <constant>domain</constant>.</para>
-
     <para>This parameter can take four different values, which tell
     <citerefentry><refentrytitle>smbd</refentrytitle>
@@ -56 +51 @@
 
     <para>Note that this parameter is needed to set up &quot;Guest&quot; 
-    share services when using <parameter moreinfo="none">security</parameter> modes other than 
-    share and server. This is because in these modes the name of the resource being
+    share services. This is because in these modes the name of the resource being
     requested is <emphasis>not</emphasis> sent to the server until after 
     the server has successfully authenticated the client so the server 
     cannot make authentication decisions at the correct time (connection 
-    to the share) for &quot;Guest&quot; shares. This parameter is not useful with
-    <parameter moreinfo="none">security = server</parameter> as in this security mode
-    no information is returned about whether a user logon failed due to
-    a bad username or bad password, the same error is returned from a modern server
-    in both cases.</para>
-
-    <para>For people familiar with the older Samba releases, this 
-    parameter maps to the old compile-time setting of the <constant>
-                GUEST_SESSSETUP</constant> value in local.h.</para>
+    to the share) for &quot;Guest&quot; shares. </para>
 </description>
 

vendor/current/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml

@@ -1 +1 @@
 <samba:parameter name="map untrusted to domain"
                  context="G"
-                 type="boolean"
-                 advanced="1"
-                 developer="1"
-                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
     <para>

vendor/current/docs-xml/smbdotconf/security/ntlmauth.xml

@@ -1 +1 @@
 <samba:parameter name="ntlm auth"
                  context="G"
-                                 type="boolean"
-                 advanced="1" developer="1"
+                 type="boolean"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>

vendor/current/docs-xml/smbdotconf/security/nullpasswords.xml

@@ -1 +1 @@
 <samba:parameter name="null passwords"
                  context="G"
-                 advanced="1" developer="1"
-                                 type="boolean"
-                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+                 type="boolean"
+                 deprecated="1"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
     <para>Allow or disallow client access to accounts that have null passwords. </para>

vendor/current/docs-xml/smbdotconf/security/obeypamrestrictions.xml

@@ -1 +1 @@
 <samba:parameter name="obey pam restrictions"
                  context="G"
-                                 type="boolean"
-                 advanced="1" developer="1"
-                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
     <para>When Samba 3.0 is configured to enable PAM support

vendor/current/docs-xml/smbdotconf/security/onlyuser.xml

@@ -1 +1 @@
 <samba:parameter name="only user"
-                                        type="boolean"
+                 type="boolean"
                  context="S"
+                 deprecated="1"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
-    <para>This is a boolean option that controls whether 
-    connections with usernames not in the <parameter moreinfo="none">user</parameter> 
-    list will be allowed. By default this option is disabled so that a 
-    client can supply a username to be used by the server.  Enabling
-    this parameter will force the server to only use the login 
-    names from the <parameter moreinfo="none">user</parameter> list and is only really
-    useful in <smbconfoption name="security">share</smbconfoption> level security.</para>
+    <para>To restrict a service to a particular set of users you
+    can use the <smbconfoption name="valid users"/> parameter.</para>
 
-    <para>Note that this also means Samba won't try to deduce 
-    usernames from the service name. This can be annoying for 
-    the [homes] section. To get around this you could use <command moreinfo="none">user =
-    %S</command> which means your <parameter moreinfo="none">user</parameter> list
-    will be just the service name, which for home directories is the 
-    name of the user.</para>
+    <para>This parameter is deprecated</para>
+
+    <para>However, it currently operates only in conjunction with
+    <smbconfoption name="username"/>.  The supported way to restrict
+    a service to a particular set of users is the
+    <smbconfoption name="valid users"/> parameter.</para>
+
 </description>
 

vendor/current/docs-xml/smbdotconf/security/pampasswordchange.xml

@@ -1 +1 @@
 <samba:parameter name="pam password change"
                  context="G"
-                                 type="boolean"
-                 advanced="1" developer="1"
-                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
     <para>With the addition of better PAM support in Samba 2.2, 

vendor/current/docs-xml/smbdotconf/security/passdbbackend.xml

@@ -1 +1 @@
 <samba:parameter name="passdb backend"
                  context="G"
-                 type="list"
-                 advanced="1" developer="1"
-                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+                 type="string"
+                 constant="1"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
 

vendor/current/docs-xml/smbdotconf/security/passdbexpandexplicit.xml

@@ -1 +1 @@
 <samba:parameter name="passdb expand explicit"
                  context="G"
-                 advanced="1" developer="0"
-                                 type="boolean"
-                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
     <para>

vendor/current/docs-xml/smbdotconf/security/passwdchat.xml

@@ -2 +2 @@
                  context="G"
                  type="string"
-                 advanced="1" developer="1"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
@@ -56 +55 @@
 <related>pam password change</related>
 
-<value type="default">*new*password* %n\n*new*password* %n\n *changed*</value>
+<value type="default">*new*password* %n\n *new*password* %n\n *changed*</value>
 <value type="example">&quot;*Enter NEW password*&quot; %n\n &quot;*Reenter NEW password*&quot; %n\n &quot;*Password changed*&quot;</value>
 </samba:parameter>

vendor/current/docs-xml/smbdotconf/security/passwdchatdebug.xml

@@ -1 +1 @@
 <samba:parameter name="passwd chat debug"
                  context="G"
-                 advanced="1" developer="1"
-                                 type="boolean"
+                 type="boolean"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>

vendor/current/docs-xml/smbdotconf/security/passwdchattimeout.xml

@@ -1 +1 @@
 <samba:parameter name="passwd chat timeout"
                  context="G"
-                                 type="integer"
-                 advanced="1" developer="1"
+                 type="integer"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>

vendor/current/docs-xml/smbdotconf/security/passwdprogram.xml

@@ -1 +1 @@
 <samba:parameter name="passwd program"
                  context="G"
-                                 type="string"
-                 advanced="1" developer="1"
-                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+                 type="string"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
  <description>
     <para>The name of a program that can be used to set 

vendor/current/docs-xml/smbdotconf/security/passwordserver.xml

@@ -1 +1 @@
 <samba:parameter name="password server"
                  context="G"
-                                 type="list"
-                 advanced="1" wizard="1" developer="1"
-                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+                 type="string"
+                 constant="1"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
-    <para>By specifying the name of another SMB server 
-    or Active Directory domain controller with this option, 
-    and using <command moreinfo="none">security = [ads|domain|server]</command> 
+    <para>By specifying the name of a domain controller with this option,
+    and using <command moreinfo="none">security = [ads|domain]</command>
     it is possible to get Samba
     to do all its username/password validation using a specific remote server.</para>
 
-    <para>If the <parameter moreinfo="none">security</parameter> parameter is set to
-    <constant>domain</constant> or <constant>ads</constant>, then this option
-    <emphasis>should not</emphasis> be used, as the default '*' indicates to Samba
-    to determine the best DC to contact dynamically, just as all other hosts in an
-    AD domain do.  This allows the domain to be maintained without modification to
-    the smb.conf file.  The cryptograpic protection on the authenticated RPC calls
+    <para>Ideally, this option
+    <emphasis>should not</emphasis> be used, as the default '*' indicates to Samba 
+    to determine the best DC to contact dynamically, just as all other hosts in an 
+    AD domain do.  This allows the domain to be maintained (addition
+    and removal of domain controllers) without modification to
+    the smb.conf file.  The cryptographic protection on the authenticated RPC calls
     used to verify passwords ensures that this default is safe.</para>
 
@@ -36 +35 @@
     this list by locating the closest DC.</para>
                 
-    <para>If parameter is a name, it is looked up using the
+    <para>If parameter is a name, it is looked up using the 
     parameter <smbconfoption name="name resolve order"/> and so may resolved
     by any method and order described in that parameter.</para>
 
-    <para>If the <parameter moreinfo="none">security</parameter> parameter is 
-    set to <constant>server</constant>, these additional restrictions apply:</para>
-
-    <itemizedlist>
-        <listitem>
-            <para>You may list several password servers in 
-            the <parameter moreinfo="none">password server</parameter> parameter, however if an 
-            <command moreinfo="none">smbd</command> makes a connection to a password server, 
-            and then the password server fails, no more users will be able 
-            to be authenticated from this <command moreinfo="none">smbd</command>.  This is a 
-            restriction of the SMB/CIFS protocol when in <command moreinfo="none">security = server
-            </command> mode and cannot be fixed in Samba.</para>
-        </listitem>
-            
-        <listitem>
-            <para>You will have to ensure that your users
-            are able to login from the Samba server, as when in <command moreinfo="none">
-            security = server</command>  mode the network logon will appear to 
-            come from the Samba server rather than from the users workstation.</para>
-        </listitem>
-
-        <listitem>
-            <para>The client must not select NTLMv2 authentication.</para>
-        </listitem>
-
-        <listitem>
-          <para>The password server must be a machine capable of using
-          the &quot;LM1.2X002&quot; or the &quot;NT LM 0.12&quot; protocol, and it must be in
-          user level security mode.</para>
-        </listitem>
-
-        <listitem>
-          <para>Using a password server  means your UNIX box (running
-          Samba) is only as secure as (a host masqurading as) your password server. <emphasis>DO NOT
-          CHOOSE A PASSWORD SERVER THAT  YOU DON'T COMPLETELY TRUST</emphasis>.
-          </para>
-        </listitem>
-
-        <listitem>
-          <para>Never point a Samba server at itself for password serving.
-          This will cause a loop and could lock up your Samba  server!</para>
-        </listitem>
-
-        <listitem>
-          <para>The name of the password server takes the standard
-          substitutions, but probably the only useful one is <parameter moreinfo="none">%m
-          </parameter>, which means the Samba server will use the incoming
-          client as the password server. If you use this then you better
-          trust your clients, and you had better restrict them with hosts allow!</para>
-        </listitem>
-
-    </itemizedlist>
 </description>
 

vendor/current/docs-xml/smbdotconf/security/preloadmodules.xml

@@ -1 +1 @@
 <samba:parameter name="preload modules"
-                type="list"
-                 context="G"
-                 basic="1"
-                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+                 type="cmdlist"
+                 context="G"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
         <para>This is a list of paths to modules that should

vendor/current/docs-xml/smbdotconf/security/privatedir.xml

@@ -1 +1 @@
 <samba:parameter name="private dir"
                  context="G"
-                                 type="string"
-                 advanced="1" developer="1"
-                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+                 type="string"
+                 constant="1"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<synonym>private directory</synonym>
 <description>
     <para>This parameters defines the directory
@@ -11 +12 @@
 </description>
 
-<value type="default">${prefix}/private</value>
+<value type="default">&pathconfig.PRIVATE_DIR;</value>
 </samba:parameter>

vendor/current/docs-xml/smbdotconf/security/readlist.xml

@@ -1 +1 @@
 <samba:parameter name="read list"
                  context="S"
-                                 type="list"
+                 type="cmdlist"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
@@ -10 +10 @@
         parameter.
         </para>
-  
-    <para>This parameter will not work with the <smbconfoption name="security">share</smbconfoption> in 
-    Samba 3.0.  This is by design.</para>
 </description>
-
 <related>write list</related>
 <related>invalid users</related>

vendor/current/docs-xml/smbdotconf/security/readonly.xml

@@ -1 +1 @@
 <samba:parameter name="read only"
                  context="S"
-                                 type="boolean"
-                 basic="1" advanced="1"
+                 type="boolean"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>

vendor/current/docs-xml/smbdotconf/security/renameuserscript.xml

@@ -1 +1 @@
 <samba:parameter name="rename user script"
                  context="G"
-                 advanced="1" developer="1"
-                                 type="boolean"
-                                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+                 type="string"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
     <para>
@@ -30 +29 @@
 </description>
 
-<value type="default">no</value>
+<value type="default"></value>
 </samba:parameter>

vendor/current/docs-xml/smbdotconf/security/restrictanonymous.xml

@@ -1 +1 @@
 <samba:parameter name="restrict anonymous"
-        type="integer"
+                 type="integer"
                  context="G"
-                 advanced="1" developer="1"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
@@ -14 +13 @@
         registry key in Windows 2000 and Windows NT.  When set to 0, user
         and group list information is returned to anyone who asks.  When set
-    to 1, only an authenticated user can retrive user and
+    to 1, only an authenticated user can retrieve user and
     group list information.  For the value 2, supported by
     Windows 2000/XP and Samba, no anonymous connections are allowed at

vendor/current/docs-xml/smbdotconf/security/rootdirectory.xml

@@ -1 +1 @@
 <samba:parameter name="root directory"
-        context="G"
-        type="string"
-                 advanced="1" developer="1"
-                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+                 context="G"
+                 type="string"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <synonym>root</synonym>
 <synonym>root dir</synonym>
@@ -31 +30 @@
 </description>
 
-<value type="default">/</value>
+<value type="default"></value>
 <value type="example">/homes/smb</value>
 </samba:parameter>

vendor/current/docs-xml/smbdotconf/security/security.xml

@@ -1 +1 @@
 <samba:parameter name="security"
                  context="G"
-                                 type="enum"
-                 basic="1" advanced="1" wizard="1" developer="1"
-                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
-                 <when_value value="security">
-                         <requires option="encrypted passwords">/(yes|true)/</requires>
-                 </when_value>
+                 type="enum"
+                 function="_security"
+                 enumlist="enum_security"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<when_value value="security">
+    <requires option="encrypted passwords">/(yes|true)/</requires>
+</when_value>
 <description>
     <para>This option affects how clients respond to 
@@ -12 +13 @@
     smb.conf</filename> file.</para>
 
-    <para>The option sets the &quot;security mode bit&quot; in replies to 
-    protocol negotiations with <citerefentry><refentrytitle>smbd</refentrytitle>
-    <manvolnum>8</manvolnum></citerefentry> to turn share level security on or off. Clients decide 
-    based on this bit whether (and how) to transfer user and password 
-    information to the server.</para>
-
-
     <para>The default is <command moreinfo="none">security = user</command>, as this is
-    the most common setting needed when talking to Windows 98 and 
-    Windows NT.</para>
+    the most common setting, used for a standalone file server or a DC.</para>
 
     <para>The alternatives are
     <command moreinfo="none">security = ads</command> or <command moreinfo="none">security = domain
-    </command>, which support joining Samba to a Windows domain, along with <command moreinfo="none">security = share</command> and <command moreinfo="none">security = server</command>, both of which are deprecated.</para>
+    </command>, which support joining Samba to a Windows domain</para>
 
-    <para>In versions of Samba prior to 2.0.0, the default was 
-    <command moreinfo="none">security = share</command> mainly because that was
-    the only option at one stage.</para>
-
-    <para>You should use <command moreinfo="none">security = user</command> and
-    <smbconfoption name="map to guest"/> if you
+    <para>You should use <command moreinfo="none">security = user</command> and 
+    <smbconfoption name="map to guest"/> if you 
     want to mainly setup shares without a password (guest shares). This 
     is commonly used for a shared printer server. </para>
                 
-    <para>It is possible to use <command moreinfo="none">smbd</command> in a <emphasis>
-    hybrid mode</emphasis> where it is offers both user and share 
-    level security under different <smbconfoption name="NetBIOS aliases"/>. </para>
-
     <para>The different settings will now be explained.</para>
 
 
+    <para><anchor id="SECURITYEQUALSAUTO"/><emphasis>SECURITY = AUTO</emphasis></para>
+
+    <para>This is the default security setting in Samba, and causes Samba to consult
+    the <smbconfoption name="server role"/> parameter (if set) to determine the security mode.</para>
+
     <para><anchor id="SECURITYEQUALSUSER"/><emphasis>SECURITY = USER</emphasis></para>
 
-    <para>This is the default security setting in Samba.
-    With user-level security a client must first &quot;log-on&quot; with a
-    valid username and password (which can be mapped using the <smbconfoption name="username map"/>
+    <para>If <smbconfoption name="server role"/> is not specified, this is the default security setting in Samba. 
+    With user-level security a client must first &quot;log-on&quot; with a 
+    valid username and password (which can be mapped using the <smbconfoption name="username map"/> 
     parameter). Encrypted passwords (see the <smbconfoption name="encrypted passwords"/> parameter) can also
     be used in this security mode. Parameters such as <smbconfoption name="user"/> and <smbconfoption
-        name="guest only"/> if set      are then applied and
-    may change the UNIX user to use on this connection, but only after
+        name="guest only"/> if set      are then applied and 
+    may change the UNIX user to use on this connection, but only after 
     the user has been successfully authenticated.</para>
-
-    <para><emphasis>Note</emphasis> that the name of the resource being
-    requested is <emphasis>not</emphasis> sent to the server until after
-    the server has successfully authenticated the client. This is why
-    guest shares don't work in user level security without allowing
-    the server to automatically map unknown users into the <smbconfoption name="guest account"/>.
-    See the <smbconfoption name="map to guest"/> parameter for details on doing this.</para>
-
-    <para>See also the section <link linkend="VALIDATIONSECT">NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
-
-    <para><anchor id="SECURITYEQUALSDOMAIN"/><emphasis>SECURITY = DOMAIN</emphasis></para>
-
-    <para>This mode will only work correctly if <citerefentry><refentrytitle>net</refentrytitle>
-    <manvolnum>8</manvolnum></citerefentry> has been used to add this
-    machine into a Windows NT Domain. It expects the <smbconfoption name="encrypted passwords"/>
-        parameter to be set to <constant>yes</constant>. In this
-    mode Samba will try to validate the username/password by passing
-    it to a Windows NT Primary or Backup Domain Controller, in exactly
-    the same way that a Windows NT Server would do.</para>
-
-    <para><emphasis>Note</emphasis> that a valid UNIX user must still
-    exist as well as the account on the Domain Controller to allow
-    Samba to have a valid UNIX account to map file access to.</para>
-
-    <para><emphasis>Note</emphasis> that from the client's point
-    of view <command moreinfo="none">security = domain</command> is the same
-    as <command moreinfo="none">security = user</command>. It only
-    affects how the server deals with the authentication,
-    it does not in any way affect what the client sees.</para>
-
-    <para><emphasis>Note</emphasis> that the name of the resource being
-    requested is <emphasis>not</emphasis> sent to the server until after
-    the server has successfully authenticated the client. This is why
-    guest shares don't work in user level security without allowing
-    the server to automatically map unknown users into the <smbconfoption name="guest account"/>.
-    See the <smbconfoption name="map to guest"/> parameter for details on doing this.</para>
-
-    <para>See also the section <link linkend="VALIDATIONSECT">
-    NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
-
-    <para>See also the <smbconfoption name="password server"/> parameter and
-         the <smbconfoption name="encrypted passwords"/> parameter.</para>
-
-    <para><anchor id="SECURITYEQUALSSHARE"/><emphasis>SECURITY = SHARE</emphasis></para> 
-
-    <note><para>This option is deprecated as it is incompatible with SMB2</para></note>
-                
-    <para>When clients connect to a share level security server, they 
-    need not log onto the server with a valid username and password before 
-    attempting to connect to a shared resource (although modern clients 
-    such as Windows 95/98 and Windows NT will send a logon request with 
-    a username but no password when talking to a <command moreinfo="none">security = share
-    </command> server). Instead, the clients send authentication information 
-    (passwords) on a per-share basis, at the time they attempt to connect 
-    to that share.</para>
-
-    <para>Note that <command moreinfo="none">smbd</command> <emphasis>ALWAYS</emphasis> 
-    uses a valid UNIX user to act on behalf of the client, even in
-    <command moreinfo="none">security = share</command> level security.</para>
-
-    <para>As clients are not required to send a username to the server
-    in share level security, <command moreinfo="none">smbd</command> uses several
-    techniques to determine the correct UNIX user to use on behalf
-    of the client.</para>
-
-    <para>A list of possible UNIX usernames to match with the given
-    client password is constructed using the following methods :</para>
-
-    <itemizedlist>
-        <listitem>
-            <para>If the <smbconfoption name="guest only"/> parameter is set, then all the other 
-            stages are missed and only the <smbconfoption name="guest account"/> username is checked.
-            </para>
-        </listitem>
-
-        <listitem>
-            <para>Is a username is sent with the share connection 
-            request, then this username (after mapping - see <smbconfoption name="username map"/>), 
-            is added as a potential username.
-            </para>
-        </listitem>
-
-        <listitem>
-            <para>If the client did a previous <emphasis>logon
-            </emphasis> request (the SessionSetup SMB call) then the 
-            username sent in this SMB will be added as a potential username.
-            </para>
-        </listitem>
-
-        <listitem>
-            <para>The name of the service the client requested is 
-            added as a potential username.
-            </para>
-        </listitem>
-
-        <listitem>
-            <para>The NetBIOS name of the client is added to 
-            the list as a potential username.
-            </para>
-        </listitem>
-
-        <listitem>
-            <para>Any users on the <smbconfoption name="user"/> list are added as potential usernames.
-            </para>
-        </listitem>
-    </itemizedlist>
-
-    <para>If the <parameter moreinfo="none">guest only</parameter> parameter is 
-    not set, then this list is then tried with the supplied password. 
-    The first user for whom the password matches will be used as the 
-    UNIX user.</para>
-
-    <para>If the <parameter moreinfo="none">guest only</parameter> parameter is 
-    set, or no username can be determined then if the share is marked 
-    as available to the <parameter moreinfo="none">guest account</parameter>, then this 
-    guest user will be used, otherwise access is denied.</para>
-
-    <para>Note that it can be <emphasis>very</emphasis> confusing 
-    in share-level security as to which UNIX username will eventually
-    be used in granting access.</para>
-
-    <para>See also the section <link linkend="VALIDATIONSECT">
-    NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
-
-    <para><anchor id="SECURITYEQUALSSERVER"/><emphasis>SECURITY = SERVER</emphasis></para>
-
-    <para>
-        In this depicted mode Samba will try to validate the username/password by passing it to another SMB server, such as an
-        NT box. If this fails it will revert to <command moreinfo="none">security = user</command>. It expects the
-        <smbconfoption name="encrypted passwords"/> parameter to be set to <constant>yes</constant>, unless the remote
-        server does not support them.  However note that if encrypted passwords have been negotiated then Samba cannot
-        revert back to checking the UNIX password file, it must have a valid <filename
-        moreinfo="none">smbpasswd</filename> file to check users against. See the chapter about the User Database in
-        the Samba HOWTO Collection for details on how to set this up.
-</para>
-
-        <note><para>This mode of operation has
-    significant pitfalls since it is more vulnerable to
-    man-in-the-middle attacks and server impersonation.  In particular,
-    this mode of operation can cause significant resource consumption on
-    the PDC, as it must maintain an active connection for the duration
-    of the user's session.  Furthermore, if this connection is lost,
-    there is no way to reestablish it, and further authentications to the
-    Samba server may fail (from a single client, till it disconnects).
-        </para></note>
-
-        <note><para>If the client selects NTLMv2 authentication, then this mode of operation <emphasis>will fail</emphasis>
-        </para></note>
-
-        <note><para>From the client's point of 
-    view, <command moreinfo="none">security = server</command> is the
-    same as <command moreinfo="none">security = user</command>.  It
-    only affects how the server deals  with the authentication, it does
-        not in any way affect what the  client sees.</para></note>
-
-    <note><para>This option is deprecated, and may be removed in future</para></note>
 
     <para><emphasis>Note</emphasis> that the name of the resource being 
@@ -217 +51 @@
     See the <smbconfoption name="map to guest"/> parameter for details on doing this.</para>
 
-    <para>See also the section <link linkend="VALIDATIONSECT">
-    NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
+    <para><anchor id="SECURITYEQUALSDOMAIN"/><emphasis>SECURITY = DOMAIN</emphasis></para>
+
+    <para>This mode will only work correctly if <citerefentry><refentrytitle>net</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry> has been used to add this
+    machine into a Windows NT Domain. It expects the <smbconfoption name="encrypted passwords"/>
+        parameter to be set to <constant>yes</constant>. In this 
+    mode Samba will try to validate the username/password by passing
+    it to a Windows NT Primary or Backup Domain Controller, in exactly 
+    the same way that a Windows NT Server would do.</para>
+
+    <para><emphasis>Note</emphasis> that a valid UNIX user must still 
+    exist as well as the account on the Domain Controller to allow 
+    Samba to have a valid UNIX account to map file access to.</para>
+
+    <para><emphasis>Note</emphasis> that from the client's point 
+    of view <command moreinfo="none">security = domain</command> is the same 
+    as <command moreinfo="none">security = user</command>. It only 
+    affects how the server deals with the authentication, 
+    it does not in any way affect what the client sees.</para>
+
+    <para><emphasis>Note</emphasis> that the name of the resource being 
+    requested is <emphasis>not</emphasis> sent to the server until after 
+    the server has successfully authenticated the client. This is why 
+    guest shares don't work in user level security without allowing 
+    the server to automatically map unknown users into the <smbconfoption name="guest account"/>. 
+    See the <smbconfoption name="map to guest"/> parameter for details on doing this.</para>
+
+    <para>See also the <smbconfoption name="password server"/> parameter and
+         the <smbconfoption name="encrypted passwords"/> parameter.</para>
+
+
+    <para><emphasis>Note</emphasis> that the name of the resource being 
+    requested is <emphasis>not</emphasis> sent to the server until after 
+    the server has successfully authenticated the client. This is why 
+    guest shares don't work in user level security without allowing 
+    the server to automatically map unknown users into the <smbconfoption name="guest account"/>. 
+    See the <smbconfoption name="map to guest"/> parameter for details on doing this.</para>
 
     <para>See also the <smbconfoption name="password server"/> parameter and the 
@@ -232 +101 @@
         <para>Note that this mode does NOT make Samba operate as a Active Directory Domain 
                 Controller. </para>
-        
+
+        <para>Note that this forces <smbconfoption name="require strong key">yes</smbconfoption>
+        and <smbconfoption name="client schannel">yes</smbconfoption> for the primary domain.</para>
+
         <para>Read the chapter about Domain Membership in the HOWTO for details.</para>
 </description>
@@ -239 +111 @@
 <related>encrypt passwords</related>
 
-<value type="default">USER</value>
+<value type="default">AUTO</value>
 <value type="example">DOMAIN</value>
 </samba:parameter>

vendor/current/docs-xml/smbdotconf/security/securitymask.xml

@@ -1 +1 @@
 <samba:parameter name="security mask"
                  context="S"
-                                 type="string"
+                 type="string"
+                 removed="1"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
     <para>
-        This parameter controls what UNIX permission bits will be set when a Windows NT client is manipulating the
-        UNIX permission on a file using the native NT security dialog box.
-        </para>
-
-    <para>
-        This parameter is applied as a mask (AND'ed with) to the incoming permission bits, thus resetting
-        any bits not in this mask. Make sure not to mix up this parameter with <smbconfoption name="force
-        security mode"/>, which works in a manner similar to this one but uses a logical OR instead of an AND. 
-        </para>
-
-    <para>
-        Essentially, all bits set to zero in this mask will result in setting to zero the corresponding bits on the
-        file permissions regardless of the previous status of this bits on the file.
+        This parameter has been removed for Samba 4.0.0.
     </para>
-
-    <para>
-        If not set explicitly this parameter is 0777, allowing a user to set all the user/group/world permissions on a file.
-    </para>
-
-    <para><emphasis>
-        Note</emphasis> that users who can access the Samba server through other means can easily bypass this 
-    restriction, so it is primarily useful for standalone &quot;appliance&quot; systems.  Administrators of
-        most normal systems will probably want to leave it set to <constant>0777</constant>.
-        </para>
 </description>
-
-<related>force directory security mode</related>
-<related>directory security mask</related>
-<related>force security mode</related>
-
-<value type="default">0777</value>
-<value type="example">0770</value>
 </samba:parameter>

vendor/current/docs-xml/smbdotconf/security/serverschannel.xml

@@ -1 +1 @@
 <samba:parameter name="server schannel"
                  context="G"
-                                 type="boolean-auto"
-                 basic="1"
-                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+                 type="enum"
+                 enumlist="enum_bool_auto"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
     <para>

vendor/current/docs-xml/smbdotconf/security/serversigning.xml

@@ -1 +1 @@
 <samba:parameter name="server signing"
                  context="G"
-                                 type="enum"
-                 basic="1"
-                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+                 type="enum"
+                 enumlist="enum_smb_signing_vals"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
 
     <para>This controls whether the client is allowed or required to use SMB1 and SMB2 signing. Possible values
-    are <emphasis>auto</emphasis>, <emphasis>mandatory</emphasis>
+    are <emphasis>default</emphasis>, <emphasis>auto</emphasis>, <emphasis>mandatory</emphasis>
     and <emphasis>disabled</emphasis>.
     </para>
+
+    <para>By default, and when smb signing is set to
+    <emphasis>default</emphasis>, smb signing is required when
+    <smbconfoption name="server role"/> is <emphasis>active directory
+    domain controller</emphasis> and disabled otherwise.</para>
 
     <para>When set to auto, SMB1 signing is offered, but not enforced.
@@ -21 +26 @@
 </description>
 
-<value type="default">Disabled</value>
+<value type="default">default</value>
 </samba:parameter>

vendor/current/docs-xml/smbdotconf/security/smbencrypt.xml

@@ -1 +1 @@
 <samba:parameter name="smb encrypt"
                  context="S"
-                                 type="enum"
-                 basic="1"
-                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+                 type="enum"
+                 enumlist="enum_smb_signing_vals"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
-
-    <para>This is a new feature introduced with Samba 3.2 and above. It is an
-    extension to the SMB/CIFS protocol negotiated as part of the UNIX extensions.
-    SMB encryption uses the GSSAPI (SSPI on Windows) ability to encrypt
-    and sign every request/response in a SMB protocol stream. When
-    enabled it provides a secure method of SMB/CIFS communication,
-    similar to an ssh protected session, but using SMB/CIFS authentication
-    to negotiate encryption and signing keys. Currently this is only
-    supported by Samba 3.2 smbclient, and hopefully soon Linux CIFSFS
-    and MacOS/X clients. Windows clients do not support this feature.
-    </para>
-
-    <para>This controls whether the remote client is allowed or required to use SMB encryption. Possible values 
-    are <emphasis>auto</emphasis>, <emphasis>mandatory</emphasis> 
-    and <emphasis>disabled</emphasis>. This may be set on a per-share
-    basis, but clients may chose to encrypt the entire session, not
-    just traffic to a specific share. If this is set to mandatory
-    then all traffic to a share <emphasis>must</emphasis> must
-    be encrypted once the connection has been made to the share.
-    The server would return "access denied" to all non-encrypted
-    requests on such a share. Selecting encrypted traffic reduces
-    throughput as smaller packet sizes must be used (no huge UNIX
-    style read/writes allowed) as well as the overhead of encrypting
-    and signing all the data.
-    </para>
-
-    <para>If SMB encryption is selected, Windows style SMB signing (see
-    the <smbconfoption name="server signing"/> option) is no longer necessary,
-    as the GSSAPI flags use select both signing and sealing of the data.
-    </para>
-
-    <para>When set to auto, SMB encryption is offered, but not enforced. 
-    When set to mandatory, SMB encryption is required and if set 
-    to disabled, SMB encryption can not be negotiated.</para>
+        <para>
+        This parameter controls whether a remote client is allowed or required
+        to use SMB encryption. It has different effects depending on whether
+        the connection uses SMB1 or SMB2 and newer:
+        </para>
+
+        <itemizedlist>
+        <listitem>
+                <para>
+                If the connection uses SMB1, then this option controls the use
+                of a Samba-specific extension to the SMB protocol introduced in
+                Samba 3.2 that makes use of the Unix extensions.
+                </para>
+        </listitem>
+
+        <listitem>
+                <para>
+                If the connection uses SMB2 or newer, then this option controls
+                the use of the SMB-level encryption that is supported in SMB
+                version 3.0 and above and available in Windows 8 and newer.
+                </para>
+        </listitem>
+        </itemizedlist>
+
+        <para>
+                This parameter can be set globally and on a per-share bases.
+                Possible values are
+                <emphasis>off</emphasis> (or <emphasis>disabled</emphasis>),
+                <emphasis>enabled</emphasis> (or <emphasis>auto</emphasis>, or
+                <emphasis>if_required</emphasis>),
+                <emphasis>desired</emphasis>,
+                and
+                <emphasis>required</emphasis>
+                (or <emphasis>mandatory</emphasis>).
+                A special value is <emphasis>default</emphasis> which is
+                the implicit default setting of <emphasis>enabled</emphasis>.
+        </para>
+
+        <variablelist>
+                <varlistentry>
+                <term><emphasis>Effects for SMB1</emphasis></term>
+                <listitem>
+                <para>
+                The Samba-specific encryption of SMB1 connections is an
+                extension to the SMB protocol negotiated as part of the UNIX
+                extensions.  SMB encryption uses the GSSAPI (SSPI on Windows)
+                ability to encrypt and sign every request/response in a SMB
+                protocol stream. When enabled it provides a secure method of
+                SMB/CIFS communication, similar to an ssh protected session, but
+                using SMB/CIFS authentication to negotiate encryption and
+                signing keys. Currently this is only supported smbclient of by
+                Samba 3.2 and newer, and hopefully soon Linux CIFSFS and MacOS/X
+                clients. Windows clients do not support this feature.
+                </para>
+
+                <para>This may be set on a per-share
+                basis, but clients may chose to encrypt the entire session, not
+                just traffic to a specific share. If this is set to mandatory
+                then all traffic to a share <emphasis>must</emphasis>
+                be encrypted once the connection has been made to the share.
+                The server would return "access denied" to all non-encrypted
+                requests on such a share. Selecting encrypted traffic reduces
+                throughput as smaller packet sizes must be used (no huge UNIX
+                style read/writes allowed) as well as the overhead of encrypting
+                and signing all the data.
+                </para>
+
+                <para>
+                If SMB encryption is selected, Windows style SMB signing (see
+                the <smbconfoption name="server signing"/> option) is no longer
+                necessary, as the GSSAPI flags use select both signing and
+                sealing of the data.
+                </para>
+
+                <para>
+                When set to auto or default, SMB encryption is offered, but not
+                enforced.  When set to mandatory, SMB encryption is required and
+                if set to disabled, SMB encryption can not be negotiated.
+                </para>
+                </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                <term><emphasis>Effects for SMB2</emphasis></term>
+                <listitem>
+                <para>
+                Native SMB transport encryption is available in SMB version 3.0
+                or newer. It is only offered by Samba if
+                <emphasis>server max protocol</emphasis> is set to
+                <emphasis>SMB3</emphasis> or newer.
+                Clients supporting this type of encryption include
+                Windows 8 and newer,
+                Windows server 2012 and newer,
+                and smbclient of Samba 4.1 and newer.
+                </para>
+
+                <para>
+                The protocol implementation offers various options:
+                </para>
+
+                <itemizedlist>
+                        <listitem>
+                        <para>
+                        The capability to perform SMB encryption can be
+                        negotiated during protocol negotiation.
+                        </para>
+                        </listitem>
+
+                        <listitem>
+                        <para>
+                        Data encryption can be enabled globally. In that case,
+                        an encryption-capable connection will have all traffic
+                        in all its sessions encrypted. In particular all share
+                        connections will be encrypted.
+                        </para>
+                        </listitem>
+
+                        <listitem>
+                        <para>
+                        Data encryption can also be enabled per share if not
+                        enabled globally. For an encryption-capable connection,
+                        all connections to an encryption-enabled share will be
+                        encrypted.
+                        </para>
+                        </listitem>
+
+                        <listitem>
+                        <para>
+                        Encryption can be enforced. This means that session
+                        setups will be denied on non-encryption-capable
+                        connections if data encryption has been enabled
+                        globally. And tree connections will be denied for
+                        non-encryption capable connections to shares with data
+                        encryption enabled.
+                        </para>
+                        </listitem>
+                </itemizedlist>
+
+                <para>
+                These features can be controlled with settings of
+                <emphasis>smb encrypt</emphasis> as follows:
+                </para>
+
+                <itemizedlist>
+                        <listitem>
+                        <para>
+                        Leaving it as default, explicitly setting
+                        <emphasis>default</emphasis>, or setting it to
+                        <emphasis>enabled</emphasis> globally will enable
+                        negotiation of encryption but will not turn on
+                        data encryption globally or per share.
+                        </para>
+                        </listitem>
+
+                        <listitem>
+                        <para>
+                        Setting it to <emphasis>desired</emphasis> globally
+                        will enable negotiation and will turn on data encryption
+                        on sessions and share connections for those clients
+                        that support it.
+                        </para>
+                        </listitem>
+
+                        <listitem>
+                        <para>
+                        Setting it to <emphasis>required</emphasis> globally
+                        will enable negotiation and turn on data encryption
+                        on sessions and share connections. Clients that do
+                        not support encryption will be denied access to the
+                        server.
+                        </para>
+                        </listitem>
+
+                        <listitem>
+                        <para>
+                        Setting it to <emphasis>off</emphasis> globally will
+                        completely disable the encryption feature.
+                        </para>
+                        </listitem>
+
+                        <listitem>
+                        <para>
+                        Setting it to <emphasis>desired</emphasis> on a share
+                        will turn on data encryption for this share for clients
+                        that support encryption if negotiation has been
+                        enabled globally.
+                        </para>
+                        </listitem>
+
+                        <listitem>
+                        <para>
+                        Setting it to <emphasis>required</emphasis> on a share
+                        will enforce data encryption for this share if
+                        negotiation has been enabled globally. I.e. clients that
+                        do not support encryption will be denied access to the
+                        share.
+                        </para>
+                        <para>
+                        Note that this allows per-share enforcing to be
+                        controlled in Samba differently from Windows:
+                        In Windows, <emphasis>RejectUnencryptedAccess</emphasis>
+                        is a global setting, and if it is set, all shares with
+                        data encryption turned on
+                        are automatically enforcing encryption. In order to
+                        achieve the same effect in Samba, one
+                        has to globally set <emphasis>smb encrypt</emphasis> to
+                        <emphasis>enabled</emphasis>, and then set all shares
+                        that should be encrypted to
+                        <emphasis>required</emphasis>.
+                        Additionally, it is possible in Samba to have some
+                        shares with encryption <emphasis>required</emphasis>
+                        and some other shares with encryption only
+                        <emphasis>desired</emphasis>, which is not possible in
+                        Windows.
+                        </para>
+                        </listitem>
+
+                        <listitem>
+                        <para>
+                        Setting it to <emphasis>off</emphasis> or
+                        <emphasis>enabled</emphasis> for a share has
+                        no effect.
+                        </para>
+                        </listitem>
+                </itemizedlist>
+                </listitem>
+                </varlistentry>
+        </variablelist>
 </description>
 
-<value type="default">auto</value>
+<value type="default">default</value>
 </samba:parameter>

vendor/current/docs-xml/smbdotconf/security/smbpasswdfile.xml

@@ -1 +1 @@
 <samba:parameter name="smb passwd file"
-        type="string"
+                 type="string"
                  context="G"
-                 advanced="1" developer="1"
-                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+                 constant="1"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
     <para>This option sets the path to the encrypted smbpasswd file. By
@@ -16 +16 @@
 </description>
 
-<value type="default">${prefix}/private/smbpasswd</value>
+<value type="default">&pathconfig.SMB_PASSWD_FILE;</value>
 </samba:parameter>

vendor/current/docs-xml/smbdotconf/security/unixpasswordsync.xml

@@ -1 +1 @@
 <samba:parameter name="unix password sync"
                  context="G"
-                                 type="boolean"
-                 advanced="1" developer="1"
+                 type="boolean"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>

vendor/current/docs-xml/smbdotconf/security/username.xml

@@ -1 +1 @@
 <samba:parameter name="username"
-        context="S"
-        type="string"
+                 context="S"
+                 type="string"
+                 deprecated="1"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <synonym>user</synonym>
 <synonym>users</synonym>
 <description>
-    <para>Multiple users may be specified in a comma-delimited 
-    list, in which case the supplied password will be tested against 
-    each username in turn (left to right).</para>
-
-    <para>The deprecated <parameter moreinfo="none">username</parameter> line is needed only when
-    the PC is unable to supply its own username. This is the case 
-    for the COREPLUS protocol or where your users have different WfWg 
-    usernames to UNIX usernames. In both these cases you may also be 
-    better using the \\server\share%user syntax instead.</para>
-
-    <para>The <parameter moreinfo="none">username</parameter> line is not a great 
-    solution in many cases as it means Samba will try to validate 
-    the supplied password against each of the usernames in the 
-    <parameter moreinfo="none">username</parameter> line in turn. This is slow and 
-    a bad idea for lots of users in case of duplicate passwords. 
-    You may get timeouts or security breaches using this parameter 
-    unwisely.</para>
-
-    <para>Samba relies on the underlying UNIX security. This 
-    parameter does not restrict who can login, it just offers hints 
-    to the Samba server as to what usernames might correspond to the 
-    supplied password. Users can login as whoever they please and 
-    they will be able to do no more damage than if they started a 
-    telnet session. The daemon runs as the user that they log in as, 
-    so they cannot do anything that user cannot do.</para>
-
     <para>To restrict a service to a particular set of users you 
     can use the <smbconfoption name="valid users"/> parameter.</para>
 
-    <para>If any of the usernames begin with a '@' then the name 
-    will be looked up first in the NIS netgroups list (if Samba 
-    is compiled with netgroup support), followed by a lookup in 
-    the UNIX groups database and will expand to a list of all users 
-    in the group of that name.</para>
-                
-    <para>If any of the usernames begin with a '+' then the name 
-    will be looked up only in the UNIX groups database and will 
-    expand to a list of all users in the group of that name.</para>
+    <para>This parameter is deprecated</para>
 
-    <para>If any of the usernames begin with a '&amp;' then the name 
-    will be looked up only in the NIS netgroups database (if Samba 
-    is compiled with netgroup support) and will expand to a list 
-    of all users in the netgroup group of that name.</para>
+    <para>However, it currently operates only in conjunction with
+    <smbconfoption name="only user"/>.  The supported way to restrict
+    a service to a particular set of users is the
+    <smbconfoption name="valid users"/> parameter.</para>
 
-    <para>Note that searching though a groups database can take 
-    quite some time, and some clients may time out during the 
-    search.</para>
-
-    <para>See the section <link linkend="VALIDATIONSECT">NOTE ABOUT
-        USERNAME/PASSWORD VALIDATION</link> for more information on how 
-        this parameter determines access to the services.</para>
 </description>
 

vendor/current/docs-xml/smbdotconf/security/usernamelevel.xml

@@ -1 +1 @@
 <samba:parameter name="username level"
                  context="G"
-                 advanced="1" developer="1"
-                                 type="integer"
+                 type="integer"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>

vendor/current/docs-xml/smbdotconf/security/usernamemap.xml

@@ -1 +1 @@
 <samba:parameter name="username map"
                  context="G"
-                 advanced="1" developer="1"
-                                 type="string"
+                 type="string"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
@@ -13 +12 @@
 
     <para>
-        Please note that for user or share mode security, the username map is applied prior to validating the user
+        Please note that for user mode security, the username map is applied prior to validating the user
         credentials.  Domain member servers (domain or ads) apply the username map after the user has been
-        successfully authenticated by the domain controller and require fully qualified enties in the map table (e.g.
+        successfully authenticated by the domain controller and require fully qualified entries in the map table (e.g.
         biddle = <literal>DOMAIN\foo</literal>).
         </para>
@@ -85 +84 @@
         <constant>fred</constant> is remapped to <constant>mary</constant> then you will actually be connecting to
         \\server\mary and will need to supply a password suitable for <constant>mary</constant> not
-        <constant>fred</constant>. The only exception to this is the username passed to the <smbconfoption
-        name="password server"/> (if you have one). The password server will receive whatever username the client
+        <constant>fred</constant>. The only exception to this is the
+        username passed to a Domain Controller (if you have one). The DC will receive whatever username the client
         supplies without  modification.
     </para>

vendor/current/docs-xml/smbdotconf/security/usernamemapcachetime.xml

@@ -1 +1 @@
 <samba:parameter name="username map cache time"
                  context="G"
-                 advanced="1" developer="0"
-                                 type="integer"
+                 type="integer"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>

vendor/current/docs-xml/smbdotconf/security/usernamemapscript.xml

@@ -1 +1 @@
 <samba:parameter name="username map script"
                  context="G"
-                 type="string"
-                 advanced="1" developer="1"
+                 type="string"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
@@ -9 +8 @@
         specifies and external program or script that must accept a single 
         command line option (the username transmitted in the authentication
-        request) and return a line line on standard output (the name to which 
+        request) and return a line on standard output (the name to which
         the account should mapped).  In this way, it is possible to store
         username map tables in an LDAP or NIS directory services.

vendor/current/docs-xml/smbdotconf/security/validusers.xml

@@ -1 +1 @@
 <samba:parameter name="valid users"
                  context="S"
-                                 type="list"
+                 type="cmdlist"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
@@ -20 +20 @@
     This is useful in the [homes] section.
     </para>
+
+    <para><emphasis>Note: </emphasis>When used in the [global] section this
+    parameter may have unwanted side effects. For example: If samba is configured as a MASTER BROWSER (see
+    <parameter moreinfo="none">local master</parameter>,
+    <parameter moreinfo="none">os level</parameter>,
+    <parameter moreinfo="none">domain master</parameter>,
+    <parameter moreinfo="none">preferred master</parameter>) this option
+    will prevent workstations from being able to browse the network.
+    </para>
+
 </description>
 

vendor/current/docs-xml/smbdotconf/security/writeable.xml

@@ -1 +1 @@
 <samba:parameter name="writeable"
                  context="S"
-                                 type="boolean"
+                 type="boolean-rev"
+                 function="read_only"
+                 synonym="1"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <synonym>writable</synonym>
+<synonym>write ok</synonym>
 <description>
     <para>Inverted synonym for <smbconfoption name="read only"/>.</para>

vendor/current/docs-xml/smbdotconf/security/writelist.xml

@@ -1 +1 @@
 <samba:parameter name="write list"
                  context="S"
-                                 type="list"
+                 type="cmdlist"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
@@ -16 +16 @@
     </para>
 
-    <para>
-    By design, this parameter will not work with the 
-    <smbconfoption name="security">share</smbconfoption> in Samba 3.0.
-    </para>
-
 </description>