Document force unknown acl user

diff --git a/docs/smbdotconf/security/forceunknownacluser.xml b/docs/smbdotconf/security/forceunknownacluser.xml
new file mode 100644 (file)
index 0000000..c54b9b0
--- /dev/null
+++ b/docs/smbdotconf/security/forceunknownacluser.xml
@@ -0,0 +1,27 @@
+<samba:parameter name="force unknown acl user"
+                 context="S"
+                                type="boolean"
+                 xmlns:samba="http://samba.org/common">
+
+<description>
+    <para>If this parameter is set, a Windows NT ACL that contains an unknown
+              SID (security descriptor, or representation of a user or group
+              id) as the owner or group owner of the file will be silently
+              mapped into the current UNIX uid or gid of the currently
+              connected user.</para>
+
+    <para>This is designed to allow Windows NT clients to copy files and
+              folders containing ACLs that were created locally on the client
+              machine and contain users local to that machine only (no domain
+              users) to be copied to a Samba server (usually with XCOPY /O)
+              and have the unknown userid and groupid of the file owner map to
+              the current connected user.  This can only be fixed correctly
+              when winbindd allows arbitrary mapping from any Windows NT SID
+              to a UNIX uid or gid.</para>
+
+    <para>Try using this parameter when XCOPY /O gives an ACCESS_DENIED
+    error.</para>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>