<samba:parameter name="invalid users"
context="S"
xmlns:samba="http://samba.org/common">
<listitem>
<para>This is a list of users that should not be allowed
to login to this service. This is really a <emphasis>paranoid</emphasis>
check to absolutely ensure an improper setting does not breach
your security.</para>
<para>A name starting with a '@' is interpreted as an NIS
netgroup first (if your system supports NIS), and then as a UNIX
group if the name was not found in the NIS netgroup database.</para>
<para>A name starting with '+' is interpreted only
by looking in the UNIX group database. A name starting with
'&' is interpreted only by looking in the NIS netgroup database
(this requires NIS to be working on your system). The characters
'+' and '&' may be used at the start of the name in either order
so the value <parameter moreinfo="none">+&group</parameter> means check the
UNIX group database, followed by the NIS netgroup database, and
the value <parameter moreinfo="none">&+group</parameter> means check the NIS
netgroup database, followed by the UNIX group database (the
same as the '@' prefix).</para>
<para>The current servicename is substituted for <parameter moreinfo="none">%S</parameter>.
This is useful in the [homes] section.</para>
<para>See also <link linkend="VALIDUSERS"><parameter moreinfo="none">valid users
</parameter></link>.</para>
<para>Default: <emphasis>no invalid users</emphasis></para>
<para>Example: <command moreinfo="none">invalid users = root fred admin @wheel</command></para>
</listitem>
</samba:parameter>