1 files changed, 14 insertions, 1 deletions

diff --git a/docs-xml/smbdotconf/security/invalidusers.xml b/docs-xml/smbdotconf/security/invalidusers.xml
index 268cdfad560..b2fb2b9d293 100644
--- a/docs-xml/smbdotconf/security/invalidusers.xml
+++ b/docs-xml/smbdotconf/security/invalidusers.xml
@@ -7,8 +7,21 @@
     to login to this service. This is really a <emphasis>paranoid</emphasis> 
     check to absolutely ensure an improper setting does not breach 
     your security.</para>
+		
+    <para>A name starting with a '@' is interpreted as an NIS 
+    netgroup first (if your system supports NIS), and then as a UNIX 
+    group if the name was not found in the NIS netgroup database.</para>
 
-    <para>A name starting with a '@' is interpreted UNIX group.</para>
+    <para>A name starting with '+' is interpreted only 
+    by looking in the UNIX group database via the NSS getgrnam() interface. A name starting with 
+    '&amp;' is interpreted only by looking in the NIS netgroup database 
+    (this requires NIS to be working on your system). The characters 
+    '+' and '&amp;' may be used at the start of the name in either order 
+    so the value <parameter moreinfo="none">+&amp;group</parameter> means check the 
+    UNIX group database, followed by the NIS netgroup database, and 
+    the value <parameter moreinfo="none">&amp;+group</parameter> means check the NIS
+    netgroup database, followed by the UNIX group database (the 
+    same as the '@' prefix).</para>
 
     <para>The current servicename is substituted for <parameter moreinfo="none">%S</parameter>. 
 		This is useful in the [homes] section.</para>