docs-xml: improve documentation of "map untrusted to domain"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
author: Stefan Metzmacher <metze@samba.org> 2017-06-10 13:30:44 +0200
committer: Andrew Bartlett <abartlet@samba.org> 2017-06-16 03:21:29 +0200
commit: ab36c1d152e231be644dc7413ad5b6816f45e24f (patch)
tree: 5960cfa4c808aabb92eb6e225f265321e995247b /docs-xml
parent: bd69a3e2e9a57713c6641de4f92e7e23488e457b (diff)
download: samba-ab36c1d152e231be644dc7413ad5b6816f45e24f.tar.gz
1 files changed, 10 insertions, 15 deletions
diff --git a/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml b/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml
index 496e7c24c07..a02948ace4b 100644
--- a/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml
+++ b/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml
@@ -5,27 +5,22 @@
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
     <para>
-    If a client connects to smbd using an untrusted domain name, such as
-    BOGUS\user, smbd replaces the BOGUS domain with it's SAM name before
+    By default, and with <smbconfoption name="map untrusted to domain">no</smbconfoption>,
+    if a client connects to smbd using an untrusted domain name, such as
+    BOGUS\user, smbd replaces the BOGUS domain with it's SAM name
+    (forcing local authentication) before
     attempting to authenticate that user.  In the case where smbd is acting as
-    a PDC this will be DOMAIN\user.  In the case where smbd is acting as a
+    a NT4 PDC/BDC this will be DOMAIN\user.  In the case where smbd is acting as a
     domain member server or a standalone server this will be WORKSTATION\user.
     </para>
 
     <para>
-    In previous versions of Samba (pre 3.4), if smbd was acting as a domain
-    member server, the BOGUS domain name would instead be replaced by the
-    primary domain which smbd was a member of.  In this case authentication
-    would be deferred off to a DC using the credentials DOMAIN\user.
+    With <smbconfoption name="map untrusted to domain">yes</smbconfoption>,
+    smbd provides the legacy behavior matching that of versions of Samba pre 3.4:
+    the BOGUS domain name would always be replaced by the
+    primary domain before attempting to authenticate that user.
+    This will be DOMAIN\user in all server roles except active directory domain controller.
     </para>
-
-    <para>
-    When this parameter is set to <constant>yes</constant> smbd provides the
-    legacy behavior of mapping untrusted domain names to the primary domain.
-    When smbd is not acting as a domain member server, this parameter has no
-    effect.
-    </para>
-
 </description>
 
 <value type="default">no</value>
author	Stefan Metzmacher <metze@samba.org>	2017-06-10 13:30:44 +0200
committer	Andrew Bartlett <abartlet@samba.org>	2017-06-16 03:21:29 +0200
commit	ab36c1d152e231be644dc7413ad5b6816f45e24f (patch)
tree	5960cfa4c808aabb92eb6e225f265321e995247b /docs-xml
parent	bd69a3e2e9a57713c6641de4f92e7e23488e457b (diff)
download	samba-ab36c1d152e231be644dc7413ad5b6816f45e24f.tar.gz