+
+label(domainusermap)
+dit(bf(domain user map (G)))
+
+This option allows you to specify a file containing unique mappings
+of individual NT Domain User names (in any domain) to UNIX user
+names. This allows NT domain users to be presented correctly to
+NT systems, despite the lack of native support for the NT Security model
+(based on VAX/VMS) in UNIX. The reader is advised to become familiar
+with the NT Domain system and its administration.
+
+This option is used in conjunction with link(bf('local group map'))(localgroupmap)
+and link(bf('domain group map'))(domaingroupmap). The use of these three
+options is trivial and often unnecessary in the case where Samba is
+not expected to interact with any other SAM databases (whether local
+workstations or Domain Controllers).
+
+This option, which provides (and maintains) a one-to-one link between
+UNIX and NT users, is em(DIFFERENT) from link(bf('username map'))
+(usernamemap), which does em(NOT) maintain a distinction between the
+name(s) it can map to and the name it maps.
+
+
+The map file is parsed line by line. If any line begins with a tt('#')
+or a tt(';') then the line is ignored. Each line should contain a single UNIX
+user name on the left then a single NT Domain User name on the right,
+separated by a tabstop or tt('='). If either name contains spaces then
+it should be enclosed in quotes.
+The line can be either of the form:
+
+tt( UNIXusername \\DOMAIN_NAME\\DomainUserName )
+
+or:
+
+tt( UNIXusername DomainUserName )
+
+In the case where Samba is either an bf(EXPERIMENTAL) Domain Controller
+or it is a member of a domain using link(bf("security = domain"))(security),
+the latter format can be used: the default Domain name is the Samba Server's
+Domain name, specified by link(bf("workgroup = MYGROUP"))(workgroup).
+
+Any UNIX users that are em(NOT) specified in this map file are assumed
+to be either Domain or Workstation Users, depending on the role of the
+Samba Server.
+
+In the case when Samba is an bf(EXPERIMENTAL) Domain Controller, Samba
+will present em(ALL) such unspecified UNIX users as its own NT Domain
+Users, with the same name.
+
+In the case where Samba is member of a domain using
+link(bf("security = domain"))(security), Samba will check the UNIX name with
+its Domain Controller (see link(bf("password server"))(passwordserver))
+as if it was an NT Domain User. If the Domain Controller says that it is not,
+such unspecified (unmapped) UNIX users which also are not NT Domain
+Users are treated as Local Users in the Samba Server's local SAM database.
+NT Administrators will recognise these as Workstation Users,
+which are managed by running bf(USRMGR.EXE) and selecting a remote
+Domain named "\\WORKSTATION_NAME", or by running bf(MUSRMGR.EXE) on
+a local Workstation.
+
+This may sound complicated, but it means that a Samba Server as
+either a member of a domain or as an bf(EXPERIMENTAL) Domain Controller
+will act like an NT Workstation (with a local SAM database) or an NT PDC
+(with a Domain SAM database) respectively, without the need for any of
+the map files at all. If you bf(want) to get fancy, however, you can.
+
+Note that adding an entry to map an arbitrary NT User in an arbitrary
+Domain to an arbitrary UNIX user em(REQUIRES) the following:
+
+startit()
+
+it() that the UNIX user exists on the UNIX server.
+
+it() that the NT Domain User exists in the specified NT Domain.
+
+it() that the UNIX Server knows about the specified Domain.
+
+Failure to meet any of these requirements may result in either (or
+both) errors reported in the log files or (and) incorrect or missing
+access rights granted to users.
+
+