trying to get HEAD building again. If you want the code

[samba.git] / docs / docbook / smbdotconf / security / security.xml

diff --git a/docs/docbook/smbdotconf/security/security.xml b/docs/docbook/smbdotconf/security/security.xml
index 68c5f2cdd2e3734060aab1c4748ac85fd860c241..030abc1de141099216c441c88ec89e53be311e6c 100644 (file)
--- a/docs/docbook/smbdotconf/security/security.xml
+++ b/docs/docbook/smbdotconf/security/security.xml
@@ -212,10 +212,9 @@
     does not support them.  However note that if encrypted passwords have been 
     negotiated then Samba cannot revert back to checking the UNIX password file, 
     it must have a valid <filename moreinfo="none">smbpasswd</filename> file to check 
-    users against. See the documentation file in the <filename moreinfo="none">docs/</filename> directory 
-    <filename moreinfo="none">ENCRYPTION.txt</filename> for details on how to set this up.</para>
+       users against. See the chapter about the User Database in the Samba HOWTO Collection for details on how to set this up.</para>
 
-    <para><emphasis>Note</emphasis> this mode of operation has
+       <note><para>This mode of operation has
     significant pitfalls, due to the fact that is activly initiates a
     man-in-the-middle attack on the remote SMB server.  In particular,
     this mode of operation can cause significant resource consuption on
@@ -223,13 +222,13 @@
     of the user's session.  Furthermore, if this connection is lost,
     there is no way to reestablish it, and futher authenticaions to the
     Samba server may fail.  (From a single client, till it disconnects).
-    </para>
+       </para></note>
 
-    <para><emphasis>Note</emphasis> that from the client's point of 
+       <note><para>From the client's point of 
     view <command moreinfo="none">security = server</command> is the
     same as <command moreinfo="none">security = user</command>.  It
     only affects how the server deals  with the authentication, it does
-    not in any way affect what the  client sees.</para>
+       not in any way affect what the  client sees.</para></note>
 
     <para><emphasis>Note</emphasis> that the name of the resource being 
     requested is <emphasis>not</emphasis> sent to the server until after 
@@ -246,6 +245,23 @@
     <para>See also the <link linkend="PASSWORDSERVER"><parameter moreinfo="none">password 
     server</parameter></link> parameter and the <link linkend="ENCRYPTPASSWORDS">
     <parameter moreinfo="none">encrypted passwords</parameter></link> parameter.</para>
+
+       <para><anchor id="SECURITYEQUALSADS"/><emphasis>SECURITY = ADS</emphasis></para>
+       
+       <para>In this mode, Samba will act as a domain member in an ADS realm. To operate 
+               in this mode, the machine running Samba will need to have Kerberos installed 
+               and configured and Samba will need to be joined to the ADS realm using the 
+               net utility. </para>
+       
+       <para>Note that this mode does NOT make Samba operate as a Active Directory Domain 
+               Controller. </para>
+       
+       <para>Read the chapter about Domain Membership in the HOWTO for details.</para>
+
+       <para>See also the <link linkend="ADSSERVER"><parameter moreinfo="none">ads server
+       </parameter></link> parameter, the <link linkend="REALM"><parameter moreinfo="none">realm
+       </parameter></link> paramter and the <link linkend="ENCRYPTPASSWORDS">
+    <parameter moreinfo="none">encrypted passwords</parameter></link> parameter.</para>
                
     <para>Default: <command moreinfo="none">security = USER</command></para>
     <para>Example: <command moreinfo="none">security = DOMAIN</command></para>