4 files changed, 29 insertions, 5 deletions

diff --git a/docs-xml/smbdotconf/security/hostsallow.xml b/docs-xml/smbdotconf/security/hostsallow.xml
index a052e7f79cd..8b4b62268a3 100644
--- a/docs-xml/smbdotconf/security/hostsallow.xml
+++ b/docs-xml/smbdotconf/security/hostsallow.xml
@@ -41,6 +41,13 @@
 
     <para><command moreinfo="none">hosts allow = lapland, arvidsjaur</command></para>
 
+    <para>Example 4: allow only hosts in NIS netgroup &quot;foonet&quot;, but 
+    deny access from one particular host</para>
+
+    <para><command moreinfo="none">hosts allow = @foonet</command></para>
+
+    <para><command moreinfo="none">hosts deny = pirate</command></para>
+
     <note><para>Note that access still requires suitable user-level passwords.</para></note>
 
     <para>See <citerefentry><refentrytitle>testparm</refentrytitle>
diff --git a/docs-xml/smbdotconf/security/invalidusers.xml b/docs-xml/smbdotconf/security/invalidusers.xml
index 268cdfad560..b2fb2b9d293 100644
--- a/docs-xml/smbdotconf/security/invalidusers.xml
+++ b/docs-xml/smbdotconf/security/invalidusers.xml
@@ -7,8 +7,21 @@
     to login to this service. This is really a <emphasis>paranoid</emphasis> 
     check to absolutely ensure an improper setting does not breach 
     your security.</para>
+		
+    <para>A name starting with a '@' is interpreted as an NIS 
+    netgroup first (if your system supports NIS), and then as a UNIX 
+    group if the name was not found in the NIS netgroup database.</para>
 
-    <para>A name starting with a '@' is interpreted UNIX group.</para>
+    <para>A name starting with '+' is interpreted only 
+    by looking in the UNIX group database via the NSS getgrnam() interface. A name starting with 
+    '&amp;' is interpreted only by looking in the NIS netgroup database 
+    (this requires NIS to be working on your system). The characters 
+    '+' and '&amp;' may be used at the start of the name in either order 
+    so the value <parameter moreinfo="none">+&amp;group</parameter> means check the 
+    UNIX group database, followed by the NIS netgroup database, and 
+    the value <parameter moreinfo="none">&amp;+group</parameter> means check the NIS
+    netgroup database, followed by the UNIX group database (the 
+    same as the '@' prefix).</para>
 
     <para>The current servicename is substituted for <parameter moreinfo="none">%S</parameter>. 
 		This is useful in the [homes] section.</para>
diff --git a/docs-xml/smbdotconf/security/usernamemap.xml b/docs-xml/smbdotconf/security/usernamemap.xml
index eab72bb8672..809a54c1e2f 100644
--- a/docs-xml/smbdotconf/security/usernamemap.xml
+++ b/docs-xml/smbdotconf/security/usernamemap.xml
@@ -59,6 +59,11 @@
 
 
     <para>
+	If your system supports the NIS NETGROUP option then the netgroup database is checked before the <filename
+	moreinfo="none">/etc/group </filename> database for matching groups.
+	</para>
+
+    <para>
 	You can map Windows usernames that have spaces in them by using double quotes around the name. For example:
 <programlisting>
 <command moreinfo="none">tridge = &quot;Andrew Tridgell&quot;</command>
diff --git a/docs-xml/smbdotconf/security/validusers.xml b/docs-xml/smbdotconf/security/validusers.xml
index 6b0bacfd78a..0b681a1fef5 100644
--- a/docs-xml/smbdotconf/security/validusers.xml
+++ b/docs-xml/smbdotconf/security/validusers.xml
@@ -4,10 +4,9 @@
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
     <para>
-        This is a list of users that should be allowed to login to this service.
-        Names starting with an '@' are interpreted using the same rules as
-        described in the
-        <parameter moreinfo="none">invalid users</parameter> parameter.
+    This is a list of users that should be allowed to login to this service. Names starting with 
+    '@', '+' and  '&amp;' are interpreted using the same rules as described in the 
+    <parameter moreinfo="none">invalid users</parameter> parameter.
     </para>
 
     <para>