From: Samuel Cabrero <scabrero@samba.org>
Date: Fri, 3 Jun 2022 12:12:01 +0000 (+0200)
Subject: Revert "docs-xml: Update documentation for removal of NIS support"
X-Git-Tag: tevent-0.13.0~467
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f74e284a9d7fa8dc45f22b70dcea27f1aa8bd232;p=thirdparty%2Fsamba.git

Revert "docs-xml: Update documentation for removal of NIS support"

This partly reverts commit a72bc3e15d3ed62e9ad2c0a97ce5d6d653abb048.

Revert only the chunks related to netgroups and skip NIS related ones.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15087

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
---

diff --git a/docs-xml/smbdotconf/security/hostsallow.xml b/docs-xml/smbdotconf/security/hostsallow.xml
index a052e7f79cd..8b4b62268a3 100644
--- a/docs-xml/smbdotconf/security/hostsallow.xml
+++ b/docs-xml/smbdotconf/security/hostsallow.xml
@@ -41,6 +41,13 @@
 
     <para><command moreinfo="none">hosts allow = lapland, arvidsjaur</command></para>
 
+    <para>Example 4: allow only hosts in NIS netgroup &quot;foonet&quot;, but 
+    deny access from one particular host</para>
+
+    <para><command moreinfo="none">hosts allow = @foonet</command></para>
+
+    <para><command moreinfo="none">hosts deny = pirate</command></para>
+
     <note><para>Note that access still requires suitable user-level passwords.</para></note>
 
     <para>See <citerefentry><refentrytitle>testparm</refentrytitle>
diff --git a/docs-xml/smbdotconf/security/invalidusers.xml b/docs-xml/smbdotconf/security/invalidusers.xml
index 268cdfad560..b2fb2b9d293 100644
--- a/docs-xml/smbdotconf/security/invalidusers.xml
+++ b/docs-xml/smbdotconf/security/invalidusers.xml
@@ -7,8 +7,21 @@
     to login to this service. This is really a <emphasis>paranoid</emphasis> 
     check to absolutely ensure an improper setting does not breach 
     your security.</para>
+		
+    <para>A name starting with a '@' is interpreted as an NIS 
+    netgroup first (if your system supports NIS), and then as a UNIX 
+    group if the name was not found in the NIS netgroup database.</para>
 
-    <para>A name starting with a '@' is interpreted UNIX group.</para>
+    <para>A name starting with '+' is interpreted only 
+    by looking in the UNIX group database via the NSS getgrnam() interface. A name starting with 
+    '&amp;' is interpreted only by looking in the NIS netgroup database 
+    (this requires NIS to be working on your system). The characters 
+    '+' and '&amp;' may be used at the start of the name in either order 
+    so the value <parameter moreinfo="none">+&amp;group</parameter> means check the 
+    UNIX group database, followed by the NIS netgroup database, and 
+    the value <parameter moreinfo="none">&amp;+group</parameter> means check the NIS
+    netgroup database, followed by the UNIX group database (the 
+    same as the '@' prefix).</para>
 
     <para>The current servicename is substituted for <parameter moreinfo="none">%S</parameter>. 
 		This is useful in the [homes] section.</para>
diff --git a/docs-xml/smbdotconf/security/usernamemap.xml b/docs-xml/smbdotconf/security/usernamemap.xml
index eab72bb8672..809a54c1e2f 100644
--- a/docs-xml/smbdotconf/security/usernamemap.xml
+++ b/docs-xml/smbdotconf/security/usernamemap.xml
@@ -58,6 +58,11 @@
 	</para>
 
 
+    <para>
+	If your system supports the NIS NETGROUP option then the netgroup database is checked before the <filename
+	moreinfo="none">/etc/group </filename> database for matching groups.
+	</para>
+
     <para>
 	You can map Windows usernames that have spaces in them by using double quotes around the name. For example:
 <programlisting>
diff --git a/docs-xml/smbdotconf/security/validusers.xml b/docs-xml/smbdotconf/security/validusers.xml
index 6b0bacfd78a..0b681a1fef5 100644
--- a/docs-xml/smbdotconf/security/validusers.xml
+++ b/docs-xml/smbdotconf/security/validusers.xml
@@ -4,10 +4,9 @@
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
     <para>
-        This is a list of users that should be allowed to login to this service.
-        Names starting with an '@' are interpreted using the same rules as
-        described in the
-        <parameter moreinfo="none">invalid users</parameter> parameter.
+    This is a list of users that should be allowed to login to this service. Names starting with 
+    '@', '+' and  '&amp;' are interpreted using the same rules as described in the 
+    <parameter moreinfo="none">invalid users</parameter> parameter.
     </para>
 
     <para>
diff --git a/docs-xml/smbdotconf/winbind/winbindseparator.xml b/docs-xml/smbdotconf/winbind/winbindseparator.xml
index 9be46109cd6..eda14f4e03a 100644
--- a/docs-xml/smbdotconf/winbind/winbindseparator.xml
+++ b/docs-xml/smbdotconf/winbind/winbindseparator.xml
@@ -10,9 +10,9 @@
 	and <filename moreinfo="none">nss_winbind.so</filename> modules for UNIX services.
 	</para>
 
-	<para>Please note that setting this parameter to + can cause problems
+	<para>Please note that setting this parameter to + causes problems
 	with group membership at least on glibc systems, as the character +
-	was used as a special character for NIS in /etc/group.</para>
+	is used as a special character for NIS in /etc/group.</para>
 </description>
 
 <value type="default">\</value>