docs-xml: document "map untrusted to domain = auto"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
author: Stefan Metzmacher <metze@samba.org> 2017-03-22 12:11:26 +0100
committer: Andrew Bartlett <abartlet@samba.org> 2017-06-16 03:21:29 +0200
commit: b6e2ddaee1867b49710d22ebcb6c87b2f0a54a29 (patch)
tree: 9154cad8fa1e9dff0cf3e20d7e042a188b2438f3 /docs-xml/smbdotconf
parent: ab36c1d152e231be644dc7413ad5b6816f45e24f (diff)
download: samba-b6e2ddaee1867b49710d22ebcb6c87b2f0a54a29.tar.gz
1 files changed, 22 insertions, 1 deletions
diff --git a/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml b/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml
index a02948ace4b..095ce6e5760 100644
--- a/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml
+++ b/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml
@@ -1,10 +1,21 @@
 <samba:parameter name="map untrusted to domain"
                  context="G"
-                 type="boolean"
+                 type="enum"
+                 enumlist="enum_bool_auto"
                  deprecated="1"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
     <para>
+    With <smbconfoption name="map untrusted to domain">auto</smbconfoption>
+    smbd will defer the decision whether the domain name provided by the
+    client is a valid domain name to the Domain Controller (DC) of
+    the domain it is a member of, if it is not a DC.  If the DC indicates
+    that the domain portion is unknown, then a local authentication is performed.
+    Standalone servers always ignore the domain.  This is basically the same as
+    the behavior implemented in Windows.
+    </para>
+
+    <para>
     By default, and with <smbconfoption name="map untrusted to domain">no</smbconfoption>,
     if a client connects to smbd using an untrusted domain name, such as
     BOGUS\user, smbd replaces the BOGUS domain with it's SAM name
@@ -12,6 +23,11 @@
     attempting to authenticate that user.  In the case where smbd is acting as
     a NT4 PDC/BDC this will be DOMAIN\user.  In the case where smbd is acting as a
     domain member server or a standalone server this will be WORKSTATION\user.
+    While this appears similar to the behaviour of
+    <smbconfoption name="map untrusted to domain">auto</smbconfoption>,
+    the difference is that smbd will use a cached (maybe incomplete) list
+    of trusted domains in order to classify a domain as "untrusted"
+    before contacting any DC first.
     </para>
 
     <para>
@@ -21,6 +37,11 @@
     primary domain before attempting to authenticate that user.
     This will be DOMAIN\user in all server roles except active directory domain controller.
     </para>
+
+    <para>
+    <smbconfoption name="map untrusted to domain">auto</smbconfoption> was added
+    with Samba 4.7.0.
+    </para>
 </description>
 
 <value type="default">no</value>
author	Stefan Metzmacher <metze@samba.org>	2017-03-22 12:11:26 +0100
committer	Andrew Bartlett <abartlet@samba.org>	2017-06-16 03:21:29 +0200
commit	b6e2ddaee1867b49710d22ebcb6c87b2f0a54a29 (patch)
tree	9154cad8fa1e9dff0cf3e20d7e042a188b2438f3 /docs-xml/smbdotconf
parent	ab36c1d152e231be644dc7413ad5b6816f45e24f (diff)
download	samba-b6e2ddaee1867b49710d22ebcb6c87b2f0a54a29.tar.gz