path: root/docs/Samba3-HOWTO/TOSHARG-ChangeNotes.xml
author: John Terpstra <jht@samba.org> 2007-08-16 20:52:05 +0000
committer: Gerald W. Carter <jerry@samba.org> 2008-04-23 08:47:35 -0500
commit: e6e94ca9299017c8c799d3143960a8f4e65c10c2
tree: dc3570807754942c2cbe9d348dfb9388e2a92ad8 /docs/Samba3-HOWTO/TOSHARG-ChangeNotes.xml
parent: 902f85f34200cc4a4d71366bc2944bb4b20acaa9
First of a string of edits over the next weeks.
(This used to be commit 5e600d41d07bc0cc4a0baaccad7493d244a940e2)
Diffstat (limited to 'docs/Samba3-HOWTO/TOSHARG-ChangeNotes.xml')
-rw-r--r-- docs/Samba3-HOWTO/TOSHARG-ChangeNotes.xml 109
1 files changed, 88 insertions, 21 deletions
diff --git a/docs/Samba3-HOWTO/TOSHARG-ChangeNotes.xml b/docs/Samba3-HOWTO/TOSHARG-ChangeNotes.xml
index 76aa54a9b1..6c2af32a75 100644
--- a/docs/Samba3-HOWTO/TOSHARG-ChangeNotes.xml
+++ b/docs/Samba3-HOWTO/TOSHARG-ChangeNotes.xml
@@ -6,12 +6,35 @@
&author.jerry;
</chapterinfo>
-<title>Important Samba-3.0.23 Change Notes</title>
+<title>Important and Critical Change Notes for the Samba 3.x Series</title>
+<para>
+Please read this chapter carefully before update or upgrading Samba. You should expect to find only critical
+or very important information here. Comprehensive change notes and guidance information can be found in the
+section <link linkend="upgrading-to-3.0">Updating and Upgrading Samba</link>.
+</para>
+
+<sect1>
+
+<title>Important Samba-3.2.x Change Notes</title>
+<para>
+!!!!!!!!!!!!Add all critical update notes here!!!!!!!!!!!!!
+</para>
+
+</sect1>
+
+<sect1>
+
+<title>Important Samba-3.0.x Change Notes</title>
+<para>
+These following notes pertain in particular to Samba 3.0.23 through Samba 3.0.25c (or more recent 3.0.25
+update). Samba is a fluid and ever changing project. Changes throughout the 3.0.x series release are
+documented in this documention - See <link linkend="oldupdatenotes">Upgrading from Samba-2.x to Samba-3.0.25</link>.
+</para>
<para>
-Samba is a fluid and ever changing project. Sometimes it is difficult to figure out which part,
-or parts, of the HOWTO documentation should be updated tio reflect the impact of new or modified
-features. At other times it becomes clear that the documentation is in need of being restructured.
+Sometimes it is difficult to figure out which part, or parts, of the HOWTO documentation should be updated to
+reflect the impact of new or modified features. At other times it becomes clear that the documentation is in
+need of being restructured.
</para>
<para>
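Review bot: The new 3.2.x sect1 contains only the placeholder paragraph "!!!!!!!!!!!!Add all critical update notes here!!!!!!!!!!!!!", which will be rendered as body text in any build made from this revision. Move it into an XML comment or replace it with a sentence saying no critical notes exist yet. In the added text, "before update or upgrading" should read "before updating or upgrading", "These following notes" should be "The following notes", and "documention" is misspelled. Both new sect1 elements lack an id attribute, so nothing can link to them the way this hunk links to "upgrading-to-3.0" and "oldupdatenotes".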
@@ -28,7 +51,7 @@ This chapter is new to the release of the HOWTO for Samba 3.0.23. It includes mu
in the <filename>WHATSNEW.txt</filename> file that is included with the Samba source code release tarball.
</para>
-<sect1>
+<sect2>
<title>User and Group Changes</title>
<para>
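Review bot: The paragraph just above this hunk (quoted in the hunk header) still opens with "This chapter is new to the release of the HOWTO for Samba 3.0.23", but after this commit it sits inside the 3.0.x sect1 of a chapter retitled for the whole 3.x series. That sentence should be reworded to say "section" or be dropped. The sect1 to sect2 demotion here is closed by the </sect2> added in a later hunk, so the nesting is consistent.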
@@ -55,7 +78,7 @@ when migrating a Windows domain to a Samba domain by executing:
<indexterm><primary>net</primary><secondary>getlocalsid</secondary></indexterm>
Unmapped users are now assigned a SID in the <literal>S-1-22-1</literal> domain and unmapped
groups are assigned a SID in the <literal>S-1-22-2</literal> domain. Previously they were
-assign a RID within the SAM on the Samba server. For a domain controller this would have been under the
+assigned a RID within the SAM on the Samba server. For a domain controller this would have been under the
authority of the domain SID where as on a member server or standalone server, this would have
been under the authority of the local SAM (see the man page for <command>net getlocalsid</command>).
</para>
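Review bot: The line after the corrected one still reads "where as on a member server"; since this hunk is a typo pass over the paragraph, change it to "whereas" in the same edit.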
@@ -86,7 +109,7 @@ An example helps to illustrate the change:
Assume that a group named <emphasis>developers</emphasis> exists with a UNIX GID of 782. In this
case this user does not exist in Samba's group mapping table. It would be perfectly normal for
this group to be appear in an ACL editor. Prior to Samba-3.0.23, the group SID might appear as
-<literal>S-1-5-21-647511796-4126122067-3123570092-2565</literal>.
+<literal>S-1-5-21-647511796-4126122067-3123570092-2565</literal>.
</para>
<para>
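Review bot: The only changed line differs in whitespace, while the two context lines above it carry real errors that were left alone: "this user does not exist in Samba's group mapping table" describes a group and should say "this group", and "this group to be appear" should be "this group to appear". Fix those here rather than touching only the trailing whitespace.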
@@ -94,13 +117,12 @@ this group to be appear in an ACL editor. Prior to Samba-3.0.23, the group SID
<indexterm><primary>NTFS</primary></indexterm>
<indexterm><primary>access</primary></indexterm>
<indexterm><primary>group permissions</primary></indexterm>
-With the release of Samba-3.0.23, the group SID would be reported as <literal>S-1-22-2-782</literal>.
-Any security descriptors associated with files stored on a Windows NTFS disk partition will not allow
-access based on the group permissions if the user was not a member of the
-<literal>S-1-5-21-647511796-4126122067-3123570092-2565</literal> group.
-Because this group SID is <literal>S-1-22-2-782</literal> and not reported in a user's token,
-Windows would fail the authorization check even though both SIDs in some respect refer to the
-same UNIX group.
+With the release of Samba-3.0.23, the group SID would be reported as <literal>S-1-22-2-782</literal>. Any
+security descriptors associated with files stored on a Windows NTFS disk partition will not allow access based
+on the group permissions if the user was not a member of the
+<literal>S-1-5-21-647511796-4126122067-3123570092-2565</literal> group. Because this group SID is
+<literal>S-1-22-2-782</literal> and not reported in a user's token, Windows would fail the authorization check
+even though both SIDs in some respect refer to the same UNIX group.
</para>
<para>
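Review bot: This paragraph is rewrapped with no visible wording change, which makes it hard to see whether anything was altered in a passage that explains why an authorization check fails. Keep pure reflows in a separate commit. If the text is being touched anyway, "will not allow access ... if the user was not a member" mixes tenses and "Because this group SID is S-1-22-2-782 and not reported in a user's token" would be clearer as "is not reported".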
@@ -111,10 +133,54 @@ entry for the group <emphasis>developers</emphasis> to point at the
<literal>S-1-5-21-647511796-4126122067-3123570092-2565</literal> SID. With the release of Samba-3.0.23 this
workaround is no longer needed.
</para>
+</sect2>
-</sect1>
+<sect2>
+<title>Essential Group Mappings</title>
+<para>
+Samba 3.0.x series releases before 3.0.23 automatically created group mappings for the essential Windows
+domain groups <literal>Domain Admins, Domain Users, Domain Guests</literal>. Commencing with Samba 3.0.23
+these mappings need to be created by the Samba administrator. Failure to do this may result in a failure to
+correctly authenticate and recoognize valid domain users. When this happens users will not be able to log onto
+the Windows client.
+</para>
-<sect1>
+<note><para>
+Group mappings are essentail only if the Samba servers is running as a PDC/BDC. Stand-alone servers do not
+require these group mappings.
+</para></note>
+
+<para>
+The following mappings are required:
+</para>
+
+<table frame="all" id="TOSH-domgroups">
+ <title>Essential Domain Group Mappings</title>
+ <tgroup align="center" cols="3">
+ <thead>
+ <row><entry>Domain Group</entry><entry>RID</entry><entry>Example UNIX Group</entry></row>
+ </thead>
+ <tbody>
+ <row><entry>Domain Admins</entry><entry>512</entry><entry>root</entry></row>
+ <row><entry>Domain Users</entry><entry>513</entry><entry>users</entry></row>
+ <row><entry>Domain Guests</entry><entry>514</entry><entry>nobody</entry></row>
+ </tbody>
+ </tgroup>
+</table>
+
+<para>
+When the POSIX (UNIX) groups are stored in LDAP, it may be desirable to call these <literal>domadmins, domusers,
+domguests</literal> respectively.
+</para>
+
+<para>
+For further information regarding group mappings see <link linkend="groupmapping">Group Mapping: MS Windows
+and UNIX</link>.
+</para>
+
+</sect2>
+
+<sect2>
<title>Passdb Changes</title>
<para>
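Review bot: The new "Essential Group Mappings" section says the mappings "need to be created by the Samba administrator" and warns that users will otherwise be unable to log on, but it never shows how to create them; add a net groupmap example for the three RIDs in the table, or state that the procedure is in the linked groupmapping chapter. The table's example of mapping Domain Admins (RID 512) to the UNIX group root deserves a sentence on what that grants, since every Domain Admins member then holds root group membership on the server; the domadmins, domusers and domguests names offered for LDAP would be a safer default example. The note covers PDC/BDC and stand-alone servers but says nothing about domain member servers. Typos in the added lines: "recoognize", "essentail", "the Samba servers is running".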
@@ -128,9 +194,9 @@ removed in the Samba-3.0.23 release. More information regarding external suppor
passdb module can be found on the <ulink url="http://pdbsql.sourceforge.net/">pdbsql</ulink> web site.
</para>
-</sect1>
+</sect2>
-<sect1>
+<sect2>
<title>Group Mapping Changes in Samba-3.0.23</title>
<para>
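Review bot: After this change the 3.0.x sect1 has two sibling sect2 sections on the same subject, the new "Essential Group Mappings" and this "Group Mapping Changes in Samba-3.0.23". Merge them or add a cross-reference between them so a reader upgrading a PDC finds the required mappings and the behaviour change together.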
@@ -153,9 +219,9 @@ Windows group SID to UNIX GID mappings. This change has no effect on winbindd's
for domain groups.
</para>
-</sect1>
+</sect2>
-<sect1>
+<sect2>
<title>LDAP Changes in Samba-3.0.23</title>
<para>
@@ -167,11 +233,12 @@ for domain groups.
There has been a minor update the Samba LDAP schema file. A substring matching rule has been
added to the <literal>sambaSID</literal> attribute definition. For OpenLDAP servers, this
will require the addition of <literal>index sambaSID sub</literal> to the
-<filename>slapd.conf</filename> configuration file. It will be necessary to execute the
+<filename>slapd.conf</filename> configuration file. It will be necessary to execute the
<command>slapindex</command> command after making this change. There has been no change to the
actual data storage schema.
</para>
+</sect2>
</sect1>
</chapter>
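Review bot: The first context line, "There has been a minor update the Samba LDAP schema file", is missing "to" and should be fixed while this paragraph is being edited. The instruction to run slapindex after adding "index sambaSID sub" should also say whether slapd needs to be stopped first and which account should run the command, since the paragraph is the only upgrade guidance given for the LDAP backend. The added </sect2> before </sect1> correctly closes the demoted LDAP section.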