docs-xml: improve documentation of "map untrusted to domain"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630 Signed-off-by: Stefan Metzmacher <[email protected]> Reviewed-by: Andrew Bartlett <[email protected]>
smfrench · Jun 16, 2017 · ab36c1d · ab36c1d
1 parent bd69a3e
commit ab36c1d
Showing 1 changed file with 10 additions and 15 deletions.
diff --git a/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml b/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml
@@ -5,27 +5,22 @@
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
     <para>
-    If a client connects to smbd using an untrusted domain name, such as
-    BOGUS\user, smbd replaces the BOGUS domain with it's SAM name before
+    By default, and with <smbconfoption name="map untrusted to domain">no</smbconfoption>,
+    if a client connects to smbd using an untrusted domain name, such as
+    BOGUS\user, smbd replaces the BOGUS domain with it's SAM name
+    (forcing local authentication) before
     attempting to authenticate that user.  In the case where smbd is acting as
-    a PDC this will be DOMAIN\user.  In the case where smbd is acting as a
+    a NT4 PDC/BDC this will be DOMAIN\user.  In the case where smbd is acting as a
     domain member server or a standalone server this will be WORKSTATION\user.
     </para>
 
     <para>
-    In previous versions of Samba (pre 3.4), if smbd was acting as a domain
-    member server, the BOGUS domain name would instead be replaced by the
-    primary domain which smbd was a member of.  In this case authentication
-    would be deferred off to a DC using the credentials DOMAIN\user.
+    With <smbconfoption name="map untrusted to domain">yes</smbconfoption>,
+    smbd provides the legacy behavior matching that of versions of Samba pre 3.4:
+    the BOGUS domain name would always be replaced by the
+    primary domain before attempting to authenticate that user.
+    This will be DOMAIN\user in all server roles except active directory domain controller.
     </para>
-
-    <para>
-    When this parameter is set to <constant>yes</constant> smbd provides the
-    legacy behavior of mapping untrusted domain names to the primary domain.
-    When smbd is not acting as a domain member server, this parameter has no
-    effect.
-    </para>
-
 </description>
 
 <value type="default">no</value>