merge from 2.2

(This used to be commit c5ee06b7c8fc9f1fec679acc7d7f47f333707456)

3 files changed, 0 insertions, 1283 deletions

diff --git a/docs/docbook/howto/DOMAIN_MEMBER.sgml b/docs/docbook/howto/DOMAIN_MEMBER.sgml
deleted file mode 100644
index 888b801742..0000000000
--- a/docs/docbook/howto/DOMAIN_MEMBER.sgml
+++ /dev/null
@@ -1,163 +0,0 @@
-<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
-
-<article>
-
-<sect1>
-
-	<title>Joining an NT Domain with Samba 2.2</title>
-
-	<para>In order for a Samba-2 server to join an NT domain, 
-	you must first add the NetBIOS name of the Samba server to the 
-	NT domain on the PDC using Server Manager for Domains.  This creates 
-	the machine account in the domain (PDC) SAM. Note that you should 
-	add the Samba server as a "Windows NT Workstation or Server", 
-	<emphasis>NOT</emphasis> as a Primary or backup domain controller.</para>
-
-	<para>Assume you have a Samba-2 server with a NetBIOS name of 
-	<constant>SERV1</constant> and are joining an NT domain called
-	<constant>DOM</constant>, which has a PDC with a NetBIOS name
-	of <constant>DOMPDC</constant> and two backup domain controllers 
-	with NetBIOS names <constant>DOMBDC1</constant> and <constant>DOMBDC2
-	</constant>.</para>
-
-	<para>In order to join the domain, first stop all Samba daemons 
-	and run the command:</para>
-
-	<para><prompt>root# </prompt><userinput>smbpasswd -j DOM -r DOMPDC
-	</userinput></para>
-
-	<para>as we are joining the domain DOM and the PDC for that domain 
-	(the only machine that has write access to the domain SAM database) 
-	is DOMPDC. If this is successful you will see the message:</para>
-
-	<para><computeroutput>smbpasswd: Joined domain DOM.</computeroutput>
-	</para>
-
-	<para>in your terminal window. See the <ulink url="smbpasswd.8.html">
-	smbpasswd(8)</ulink> man page for more details.</para>
-
-	<para>This command goes through the machine account password 
-	change protocol, then writes the new (random) machine account 
-	password for this Samba server into a file in the same directory 
-	in which an smbpasswd file would be stored - normally :</para>
-
-	<para><filename>/usr/local/samba/private</filename></para>
-
-	<para>In Samba 2.0.x, the filename looks like this:</para>
-
-	<para><filename><replaceable>&lt;NT DOMAIN NAME&gt;</replaceable>.
-	<replaceable>&lt;Samba Server Name&gt;</replaceable>.mac</filename></para>
-	
-	<para>The <filename>.mac</filename> suffix stands for machine account 
-	password file. So in our example above, the file would be called:</para>
-
-	<para><filename>DOM.SERV1.mac</filename></para>
-
-	<para>In Samba 2.2, this file has been replaced with a TDB 
-	(Trivial Database) file named <filename>secrets.tdb</filename>.
-	</para>
-
-
-	<para>This file is created and owned by root and is not 
-	readable by any other user. It is the key to the domain-level 
-	security for your system, and should be treated as carefully 
-	as a shadow password file.</para>
-
-	<para>Now, before restarting the Samba daemons you must 
-	edit your <ulink url="smb.conf.5.html"><filename>smb.conf(5)</filename>
-	</ulink> file to tell Samba it should now use domain security.</para>
-	
-	<para>Change (or add) your <ulink url="smb.conf.5.html#SECURITY">
-	<parameter>security =</parameter></ulink> line in the [global] section 
-	of your smb.conf to read:</para>
-
-	<para><command>security = domain</command></para>
-
-	<para>Next change the <ulink url="smb.conf.5.html#WORKGROUP"><parameter>
-	workgroup =</parameter></ulink> line in the [global] section to read: </para>
-
-	<para><command>workgroup = DOM</command></para>
-
-	<para>as this is the name of the domain we are joining. </para>
-
-	<para>You must also have the parameter <ulink url="smb.conf.5.html#ENCRYPTPASSWORDS">
-	<parameter>encrypt passwords</parameter></ulink> set to <constant>yes
-	</constant> in order for your users to authenticate to the NT PDC.</para>
-
-	<para>Finally, add (or modify) a <ulink url="smb.conf.5.html#PASSWORDSERVER">
-	<parameter>password server =</parameter></ulink> line in the [global]
-	section to read: </para>
-
-	<para><command>password server = DOMPDC DOMBDC1 DOMBDC2</command></para>
-
-	<para>These are the primary and backup domain controllers Samba 
-	will attempt to contact in order to authenticate users. Samba will 
-	try to contact each of these servers in order, so you may want to 
-	rearrange this list in order to spread out the authentication load 
-	among domain controllers.</para>
-
-	<para>Alternatively, if you want smbd to automatically determine 
-	the list of Domain controllers to use for authentication, you may 
-	set this line to be :</para>
-
-	<para><command>password server = *</command></para>
-
-	<para>This method, which was introduced in Samba 2.0.6, 
-	allows Samba to use exactly the same mechanism that NT does. This 
-	method either broadcasts or uses a WINS database in order to
-	find domain controllers to authenticate against.</para>
-
-	<para>Finally, restart your Samba daemons and get ready for 
-	clients to begin using domain security!</para>
-</sect1>
-
-<sect1>
-	<title>Why is this better than security = server?</title>
-
-	<para>Currently, domain security in Samba doesn't free you from 
-	having to create local Unix users to represent the users attaching 
-	to your server. This means that if domain user <constant>DOM\fred
-	</constant> attaches to your domain security Samba server, there needs 
-	to be a local Unix user fred to represent that user in the Unix 
-	filesystem. This is very similar to the older Samba security mode 
-	<ulink url="smb.conf.5.html#SECURITYEQUALSERVER">security = server</ulink>, 
-	where Samba would pass through the authentication request to a Windows 
-	NT server in the same way as a Windows 95 or Windows 98 server would.
-	</para>
-
-	<para>The advantage to domain-level security is that the 
-	authentication in domain-level security is passed down the authenticated 
-	RPC channel in exactly the same way that an NT server would do it. This 
-	means Samba servers now participate in domain trust relationships in 
-	exactly the same way NT servers do (i.e., you can add Samba servers into 
-	a resource domain and have the authentication passed on from a resource
-	domain PDC to an account domain PDC.</para>
-
-	<para>In addition, with <command>security = server</command> every Samba 
-	daemon on a server has to keep a connection open to the 
-	authenticating server for as long as that daemon lasts. This can drain 
-	the connection resources on a Microsoft NT server and cause it to run 
-	out of available connections. With <command>security = domain</command>, 
-	however, the Samba daemons connect to the PDC/BDC only for as long 
-	as is necessary to authenticate the user, and then drop the connection, 
-	thus conserving PDC connection resources.</para>
-
-	<para>And finally, acting in the same manner as an NT server 
-	authenticating to a PDC means that as part of the authentication 
-	reply, the Samba server gets the user identification information such 
-	as the user SID, the list of NT groups the user belongs to, etc. All 
-	this information will allow Samba to be extended in the future into 
-	a mode the developers currently call appliance mode. In this mode, 
-	no local Unix users will be necessary, and Samba will generate Unix 
-	uids and gids from the information passed back from the PDC when a 
-	user is authenticated, making a Samba server truly plug and play 
-	in an NT domain environment. Watch for this code soon.</para>
-
-	<para><emphasis>NOTE:</emphasis> Much of the text of this document 
-	was first published in the Web magazine <ulink url="http://www.linuxworld.com"> 	
-	LinuxWorld</ulink> as the article <ulink
-	url="http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba.html">Doing 
-	the NIS/NT Samba</ulink>.</para>
-
-</sect1>
-</article>
diff --git a/docs/docbook/howto/NT_Security.sgml b/docs/docbook/howto/NT_Security.sgml
deleted file mode 100644
index 62550bfaa6..0000000000
--- a/docs/docbook/howto/NT_Security.sgml
+++ /dev/null
@@ -1,342 +0,0 @@
-<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
-
-<article>
-
-
-<sect1>
-	<title>Viewing and changing UNIX permissions using the NT 
-	security dialogs</title>
-
-
-	<para>New in the Samba 2.0.4 release is the ability for Windows 
-	NT clients to use their native security settings dialog box to 
-	view and modify the underlying UNIX permissions.</para>
-
-	<para>Note that this ability is careful not to compromise 
-	the security of the UNIX host Samba is running on, and 
-	still obeys all the file permission rules that a Samba 
-	administrator can set.</para>
-
-	<para>In Samba 2.0.4 and above the default value of the 
-	parameter <ulink url="smb.conf.5.html#NTACLSUPPOR"><parameter>
-	nt acl support</parameter></ulink> has been changed from 
-	<constant>false</constant> to <constant>true</constant>, so 
- 	manipulation of permissions is turned on by default.</para>
-</sect1>
-
-<sect1>
-	<title>How to view file security on a Samba share</title>
-
-	<para>From an NT 4.0 client, single-click with the right 
-	mouse button on any file or directory in a Samba mounted 
-	drive letter or UNC path. When the menu pops-up, click 
-	on the <emphasis>Properties</emphasis> entry at the bottom of 
-	the menu. This brings up the normal file properties dialog
-	box, but with Samba 2.0.4 this will have a new tab along the top
-	marked <emphasis>Security</emphasis>. Click on this tab and you 
-	will see three buttons, <emphasis>Permissions</emphasis>, 	
-	<emphasis>Auditing</emphasis>, and <emphasis>Ownership</emphasis>. 
-	The <emphasis>Auditing</emphasis> button will cause either 
-	an error message <errorname>A requested privilege is not held 
-	by the client</errorname> to appear if the user is not the 
-	NT Administrator, or a dialog which is intended to allow an 
-	Administrator to add auditing requirements to a file if the 
-	user is logged on as the NT Administrator. This dialog is 
-	non-functional with a Samba share at this time, as the only 
-	useful button, the <command>Add</command> button will not currently 
-	allow a list of users to be seen.</para>
-
-</sect1>
-<sect1>
-	<title>Viewing file ownership</title>
-
-	<para>Clicking on the <command>"Ownership"</command> button 
-	brings up a dialog box telling you who owns the given file. The 
-	owner name will be of the form :</para>
-
-	<para><command>"SERVER\user (Long name)"</command></para>
-
-	<para>Where <replaceable>SERVER</replaceable> is the NetBIOS name of 
-	the Samba server, <replaceable>user</replaceable> is the user name of 
-	the UNIX user who owns the file, and <replaceable>(Long name)</replaceable>
-	is the discriptive string identifying the user (normally found in the
-	GECOS field of the UNIX password database). Click on the <command>Close
-	</command> button to remove this dialog.</para>
-
-	<para>If the parameter <parameter>nt acl support</parameter>
-	is set to <constant>false</constant> then the file owner will 
-	be shown as the NT user <command>"Everyone"</command>.</para>
-
-	<para>The <command>Take Ownership</command> button will not allow 
-	you to change the ownership of this file to yourself (clicking on 
-	it will display a dialog box complaining that the user you are 
-	currently logged onto the NT client cannot be found). The reason 
-	for this is that changing the ownership of a file is a privilaged 
-	operation in UNIX, available only to the <emphasis>root</emphasis> 
-	user. As clicking on this button causes NT to attempt to change 
-	the ownership of a file to the current user logged into the NT 
-	client this will not work with Samba at this time.</para>
-
-	<para>There is an NT chown command that will work with Samba 
-	and allow a user with Administrator privillage connected 
-	to a Samba 2.0.4 server as root to change the ownership of 
-	files on both a local NTFS filesystem or remote mounted NTFS 
-	or Samba drive. This is available as part of the <emphasis>Seclib
-	</emphasis> NT security library written by Jeremy Allison of 
-	the Samba Team, available from the main Samba ftp site.</para>
-
-</sect1>
-
-<sect1>
-	<title>Viewing file or directory permissions</title>
-
-	<para>The third button is the <command>"Permissions"</command> 
-	button. Clicking on this brings up a dialog box that shows both 
-	the permissions and the UNIX owner of the file or directory. 
-	The owner is displayed in the form :</para>
-
-	<para><command>"SERVER\user (Long name)"</command></para>
-
-	<para>Where <replaceable>SERVER</replaceable> is the NetBIOS name of 
-	the Samba server, <replaceable>user</replaceable> is the user name of 
-	the UNIX user who owns the file, and <replaceable>(Long name)</replaceable>
-	is the discriptive string identifying the user (normally found in the
-	GECOS field of the UNIX password database).</para>
-
-	<para>If the parameter <parameter>nt acl support</parameter>
-	is set to <constant>false</constant> then the file owner will 
-	be shown as the NT user <command>"Everyone"</command> and the 
-	permissions will be shown as NT "Full Control".</para>
-
-
-	<para>The permissions field is displayed differently for files 
-	and directories, so I'll describe the way file permissions 
-	are displayed first.</para>
-
-	<sect2>
-		<title>File Permissions</title>
-
-		<para>The standard UNIX user/group/world triple and 
-		the correspinding "read", "write", "execute" permissions 
-		triples are mapped by Samba into a three element NT ACL 
-		with the 'r', 'w', and 'x' bits mapped into the corresponding 
-		NT permissions. The UNIX world permissions are mapped into 
-		the global NT group <command>Everyone</command>, followed 
-		by the list of permissions allowed for UNIX world. The UNIX 
-		owner and group permissions are displayed as an NT 
-		<command>user</command> icon and an NT <command>local 
-		group</command> icon respectively followed by the list 
-	 	of permissions allowed for the UNIX user and group.</para>
-
-		<para>As many UNIX permission sets don't map into common 
-		NT names such as <command>"read"</command>, <command>
-		"change"</command> or <command>"full control"</command> then 
-		usually the permissions will be prefixed by the words <command>
-		"Special Access"</command> in the NT display list.</para>
-
-		<para>But what happens if the file has no permissions allowed 
-		for a particular UNIX user group or world component ? In order 
-		to  allow "no permissions" to be seen and modified then Samba 
-		overloads the NT <command>"Take Ownership"</command> ACL attribute 
-		(which has no meaning in UNIX) and reports a component with 
-		no permissions as having the NT <command>"O"</command> bit set. 
-		This was chosen of course to make it look like a zero, meaning 
-		zero permissions. More details on the decision behind this will 
-		be given below.</para>
-	</sect2>
-	
-	<sect2>
-		<title>Directory Permissions</title>
-
-		<para>Directories on an NT NTFS file system have two 
-		different sets of permissions. The first set of permissions 
-		is the ACL set on the directory itself, this is usually displayed 
-		in the first set of parentheses in the normal <command>"RW"</command> 
-		NT style. This first set of permissions is created by Samba in 
-		exactly the same way as normal file permissions are, described 
-		above, and is displayed in the same way.</para>
-
-		<para>The second set of directory permissions has no real meaning 
-		in the UNIX permissions world and represents the <command>
-		"inherited"</command> permissions that any file created within 
-		this directory would inherit.</para>
-
-		<para>Samba synthesises these inherited permissions for NT by 
-		returning as an NT ACL the UNIX permission mode that a new file 
-		created by Samba on this share would receive.</para>
-	</sect2>
-</sect1>
-	
-<sect1>
-	<title>Modifying file or directory permissions</title>
-
-	<para>Modifying file and directory permissions is as simple 
-	as changing the displayed permissions in the dialog box, and 
-	clicking the <command>OK</command> button. However, there are 
-	limitations that a user needs to be aware of, and also interactions 
-	with the standard Samba permission masks and mapping of DOS 
-	attributes that need to also be taken into account.</para>
-
-	<para>If the parameter <parameter>nt acl support</parameter>
-	is set to <constant>false</constant> then any attempt to set 
-	security permissions will fail with an <command>"Access Denied"
-	</command> message.</para>
-
-	<para>The first thing to note is that the <command>"Add"</command> 
-	button will not return a list of users in Samba 2.0.4 (it will give 
-	an error message of <command>"The remote proceedure call failed 
-	and did not execute"</command>). This means that you can only 
-	manipulate the current user/group/world permissions listed in 
-	the dialog box. This actually works quite well as these are the 
-	only permissions that UNIX actually has.</para>
-
-	<para>If a permission triple (either user, group, or world) 
-	is removed from the list of permissions in the NT dialog box, 
-	then when the <command>"OK"</command> button is pressed it will 
-	be applied as "no permissions" on the UNIX side. If you then 
-	view the permissions again the "no permissions" entry will appear 
-	as the NT <command>"O"</command> flag, as described above. This 
-	allows you to add permissions back to a file or directory once 
-	you have removed them from a triple component.</para>
-
-	<para>As UNIX supports only the "r", "w" and "x" bits of 
-	an NT ACL then if other NT security attributes such as "Delete 
-	access" are selected then they will be ignored when applied on 
-	the Samba server.</para>
-
-	<para>When setting permissions on a directory the second 
-	set of permissions (in the second set of parentheses) is 
-	by default applied to all files within that directory. If this 
-	is not what you want you must uncheck the <command>"Replace 
-	permissions on existing files"</command> checkbox in the NT 
-	dialog before clicking <command>"OK"</command>.</para>
-
-	<para>If you wish to remove all permissions from a 
-	user/group/world  component then you may either highlight the 
-	component and click the <command>"Remove"</command> button, 
-	or set the component to only have the special <command>"Take
-	Ownership"</command> permission (dsplayed as <command>"O"
-	</command>) highlighted.</para>
-</sect1>
-
-<sect1>
-	<title>Interaction with the standard Samba create mask 
-	parameters</title>
-
-	<para>Note that with Samba 2.0.5 there are four new parameters 
-	to control this interaction.  These are :</para>
-
-	<para><parameter>security mask</parameter></para>
-	<para><parameter>force security mode</parameter></para>
-	<para><parameter>directory security mask</parameter></para>
-	<para><parameter>force directory security mode</parameter></para>
-
-	<para>Once a user clicks <command>"OK"</command> to apply the 
-	permissions Samba maps the given permissions into a user/group/world 
-	r/w/x triple set, and then will check the changed permissions for a 
-	file against the bits set in the <ulink url="smb.conf.5.html#SECURITYMASK"> 
-	<parameter>security mask</parameter></ulink> parameter. Any bits that 
-	were changed that are not set to '1' in this parameter are left alone 
-	in the file permissions.</para>
-
-	<para>Essentially, zero bits in the <parameter>security mask</parameter>
-	mask may be treated as a set of bits the user is <emphasis>not</emphasis> 
-	allowed to change, and one bits are those the user is allowed to change.
-	</para>
-
-	<para>If not set explicitly this parameter is set to the same value as 
-	the <ulink url="smb.conf.5.html#CREATEMASK"><parameter>create mask
-	</parameter></ulink> parameter to provide compatibility with Samba 2.0.4 
-	where this permission change facility was introduced. To allow a user to 
-	modify all the user/group/world permissions on a file, set this parameter 
-	to 0777.</para>
-
-	<para>Next Samba checks the changed permissions for a file against 
-	the bits set in the <ulink url="smb.conf.5.html#FORCESECURITYMODE">
-	<parameter>force security mode</parameter></ulink> parameter. Any bits 
-	that were changed that correspond to bits set to '1' in this parameter 
-	are forced to be set.</para>
-
-	<para>Essentially, bits set in the <parameter>force security mode
-	</parameter> parameter may be treated as a set of bits that, when 
-	modifying security on a file, the user has always set to be 'on'.</para>
-
-	<para>If not set explicitly this parameter is set to the same value 
-	as the <ulink url="smb.conf.5.html#FORCECREATEMODE"><parameter>force 
-	create mode</parameter></ulink> parameter to provide compatibility
-	with Samba 2.0.4 where the permission change facility was introduced.
-	To allow a user to modify all the user/group/world permissions on a file,
-	with no restrictions set this parameter to 000.</para>
-
-	<para>The <parameter>security mask</parameter> and <parameter>force 
-	security mode</parameter> parameters are applied to the change 
-	request in that order.</para>
-
-	<para>For a directory Samba will perform the same operations as 
-	described above for a file except using the parameter <parameter>
-	directory security mask</parameter> instead of <parameter>security 
-	mask</parameter>, and <parameter>force directory security mode
-	</parameter> parameter instead of <parameter>force security mode
-	</parameter>.</para>
-
-	<para>The <parameter>directory security mask</parameter> parameter 
-	by default is set to the same value as the <parameter>directory mask
-	</parameter> parameter and the <parameter>force directory security 
-	mode</parameter> parameter by default is set to the same value as 
- 	the <parameter>force directory mode</parameter> parameter to provide 
-	compatibility with Samba 2.0.4 where the permission change facility 
-	was introduced.</para>
-
-	<para>In this way Samba enforces the permission restrictions that 
-	an administrator can set on a Samba share, whilst still allowing users 
-	to modify the permission bits within that restriction.</para>
-
-	<para>If you want to set up a share that allows users full control
-	in modifying the permission bits on their files and directories and
-	doesn't force any particular bits to be set 'on', then set the following
-	parameters in the <ulink url="smb.conf.5.html"><filename>smb.conf(5)
-	</filename></ulink> file in that share specific section :</para>
-
-	<para><parameter>security mask = 0777</parameter></para>
-	<para><parameter>force security mode = 0</parameter></para>
-	<para><parameter>directory security mask = 0777</parameter></para>
-	<para><parameter>force directory security mode = 0</parameter></para>
-
-	<para>As described, in Samba 2.0.4 the parameters :</para>
-
-	<para><parameter>create mask</parameter></para>
-	<para><parameter>force create mode</parameter></para>
-	<para><parameter>directory mask</parameter></para>
-	<para><parameter>force directory mode</parameter></para>
-
-	<para>were used instead of the parameters discussed here.</para>
-</sect1>
-
-<sect1>
-	<title>Interaction with the standard Samba file attribute 
-	mapping</title>
-
-	<para>Samba maps some of the DOS attribute bits (such as "read 
-	only") into the UNIX permissions of a file. This means there can 
-	be a conflict between the permission bits set via the security 
-	dialog and the permission bits set by the file attribute mapping.
-	</para>
-
-	<para>One way this can show up is if a file has no UNIX read access
-	for the owner it will show up as "read only" in the standard 
-	file attributes tabbed dialog. Unfortunately this dialog is
-	the same one that contains the security info in another tab.</para>
-
-	<para>What this can mean is that if the owner changes the permissions
-	to allow themselves read access using the security dialog, clicks
-	<command>"OK"</command> to get back to the standard attributes tab 
-	dialog, and then clicks <command>"OK"</command> on that dialog, then 
-	NT will set the file permissions back to read-only (as that is what 
-	the attributes still say in the dialog). This means that after setting 
-	permissions and clicking <command>"OK"</command> to get back to the 
-	attributes dialog you should always hit <command>"Cancel"</command> 
-	rather than <command>"OK"</command> to ensure that your changes 
-	are not overridden.</para>
-</sect1>
-
-</article>
diff --git a/docs/docbook/howto/samba-pdc-howto.sgml b/docs/docbook/howto/samba-pdc-howto.sgml
deleted file mode 100644
index 4b8380dd9e..0000000000
--- a/docs/docbook/howto/samba-pdc-howto.sgml
+++ /dev/null
@@ -1,778 +0,0 @@
-	
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
-<book id="samba-pdc-howto">
-
-<title>The Samba 2.2 PDC HowTo </title>
-
-<!--  ========================================================
-
-  To produce html from this file
-
-         jade -E10 -t sgml -d html.dsl ntdom.sgml
-
-    This assumes that html.dsl is present in the current dir, it includes
-    a couple of defines and then refers to the DSSSL html stylesheet.
- 
-    =========================================================== -->
-
-
-<bookinfo>
-    <author><firstname>David</><surname>Bannon</>
-	<affiliation><orgname>La Trobe University</orgname></affiliation>
-    </author>
-    <pubdate>November 2000</pubdate>
-</bookinfo>
-
-<dedication><title></title>
-
-    <para>Comments, corrections and additions to <email>dbannon@samba.org</email></para>
-
-    <para>
-	This document explains how to setup Samba as a Primary Domain Controller and 
-	applies to version 2.2.0. 
-	Before
-	using these functions make sure you understand what the controller can and cannot do.
-	Please read the sections below in the Introduction. 
-	As 2.2.0 is incrementally updated
-	this document will change or become out of date very quickly, make sure you are
-	reading the most current version.
-    </para>
-
-    <para>Please note this document does not apply to Samba2.2alpha0, Samba2.2alpha1, 
-    Samba 2.0.7, TNG nor HEAD branch.</para>
-
-    <para>It does apply to the current (post November 27th) cvs.</para>
-
-    <para>
-	Also available is an updated version of Jerry Carter's NTDom <ulink url="samba-pdc-faq.html">
-    FAQ</> that will answer lots of 
-	the special 'tuning' questions that are not covered here. Over the next couple of weeks
-	some of the items here will be moved to the FAQ.
-    </para>
-
-
-</dedication>
-
-<toc>     </toc>
-
-<!-- ================ I N T R O D U C T I O N  ==================== -->
-
-<chapter><title>Introduction</title>
-
-<para>
-This document will show you one way of making Version 2.2.0  
-of Samba perform some of the tasks of a 
-NT Primary Domain Controller. The facilities described are built into Samba as a result of 
-development work done over a number of years by a large number of people. These facilities 
-are only just beginning to be officially supported and although they do appear to work reliably, 
-if you use them then you take the risks upon your self.  This document does not cover the
-developmental versions of Samba, particularly 
-<ulink url="http://www.samba-tng.org/"><citetitle>Samba-TNG</citetitle></ulink>
-
-
-</para>
-
-
-<para>Note that <ulink url="http://bioserve.latrobe.edu.au/samba">Samba 2.0.7</>
-    supports significently less of the NT Domain facilities compared with 2.2.0
-    </para>
-
-<para>
-	This document does not replace the text files DOMAIN_CONTROL.txt, DOMAIN.txt (by
-	John H Terpstra) or NTDOMAIN.txt (by Luke Kenneth Casson Leighton). Those documents provide
-	more detail and an insight to the development
-	cycle and should be considered 'further reading'.
-
-</para>
-
-
-<sect1><title>What can we do ?</title>
-<itemizedlist>
-    <listitem><para>Permit 'domain logons' for Win95/98, NT4 and W2K workstations from one central 
-	password database. WRT W2K, please see the section about adding machine 
-	accounts and the Intro in the <ulink url="samba-pdc-faq.html">FAQ</>.</para></listitem>
-    <listitem><para>Grant Administrator privileges to particular domain users on an 
-	NT or W2K workstation.</para></listitem> 
-    <listitem><para>Apply policies from a domain policy file to NT and W2K (?) 
-	workstation.</para></listitem> 
-    <listitem><para>Run the appropriate logon script when a user logs on to the domain
-	.</para></listitem>
-    <listitem><para>Maintain a user's local profile on the server.</para></listitem>
-    <listitem><para>Validate a user using another system via smb (such as smb_pam) and 
-	soon winbind (?).</para></listitem> 
-</itemizedlist>
-</sect1>
-
-
-<sect1><title>What can't we do ?</title>
-<itemizedlist>
-    <listitem><para> Become or work with a Backup Domain Controller (a BDC).</para></listitem>
-    <listitem><para> Participate in any sort of trust relationship (with either Samba or NT 
-	Servers).</para></listitem>
-    <listitem><para> Offer a list of domain users to User Manager for Domains 
-	on the Security Tab etc).</para></listitem>
-    <listitem><para>Be a W2K type of Domain Controller. Samba PDC will behave like
-	an NT PDC, W2K workstations connect in legacy mode.</para></listitem>
-</itemizedlist>
-</sect1>
-
-</chapter>
-
-
-<!-- ================== I N S T A L L I N G  ===================== -->
-
-<chapter><title>Installing</title> 
-
-	<para>Installing consists of the usual download, configure, make and make 
-	install process. These steps are well documented elsewhere.
-	The <ulink url="samba-pdc-faq.html">FAQ</> discusses getting pre-release versions via CVS. 
- 	Then you need to configure the server.</para>
-
-<sect1><title>Start Up Script</title>
-	<para>Skip this section if you have a working Samba already. 
-	Everyone has their own favourite startup script. Here is mine, offered with no warrantee
-	at all !</para>
-
-<programlisting> 
-
-	#!/bin/sh
-	# Script to control Samba server, David Bannon, 14-6-96
-	#
-	#
-	PATH=/bin:/usr/sbin:/usr/bin
-	export PATH
-	case "$1" in
-	'start')
-        	if [ -f /usr/local/samba/bin/smbd ]
-        	then
-                	/usr/local/samba/bin/smbd -D
-                	/usr/local/samba/bin/nmbd -D
-                	echo "Starting Samba Server"
-        	fi
-        	;;
-	'conf')
-        	if [ -f /usr/local/samba/lib/smb.conf ]
-        	then
-                	vi /usr/local/samba/lib/smb.conf
-        	fi
-        	;;
-	'pw')
-        	if [ -f /usr/local/samba/private/smbpasswd ]
-        	then
-                	vi /usr/local/samba/private/smbpasswd
-        	fi
-        	;;
-	'who')
-        	/usr/local/samba/bin/smbstatus -b
-        	;;
-	'restart')
-        	psline=`/bin/ps  x | grep smbd | grep -v grep`
-
-        	if [ "$psline" != "" ]
-        	then
-                	while [ "$psline" != "" ]
-                	do
-                        	psline=`/bin/ps x | fgrep smbd | grep -v grep`
-                      	  	if [ "$psline" ]
-                      	  	then
-                                	set -- $psline
-                                	pid=$1
-                                	/bin/kill -HUP $pid
-                                	echo "Stopped $pid line = $psline"
-                                	sleep 2
-                       	 	fi
-                	done
-        	fi
-        	echo "Stopped Samba servers"
-        	;;
-	'stop')
-        	psline=`/bin/ps  x | grep smbd | grep -v grep`
-
-        	if [ "$psline" != "" ]
-        	then
-                	while [ "$psline" != "" ]
-                	do
-                        	psline=`/bin/ps x | fgrep smbd | grep -v grep`
-                        	if [ "$psline" ]
-                        	then
-                                	set -- $psline
-                                	pid=$1
-                                	/bin/kill -9 $pid
-                                	echo "Stopped $pid line = $psline"
-                                	sleep 2
-                        	fi
-                	done
-        	fi
-        	echo "Stopped Samba servers"
-        	psline=`/bin/ps x | grep nmbd | grep -v grep`
-        	if [ "$psline" ]
-        	then
-                	set -- $psline
-                	pid=$1
-                	/bin/kill -9 $pid
-                	echo "Stopped Name Server "
-        	fi
-        	echo "Stopped Name Servers"
-        	;;
-	*)
-        	echo "usage: samba {start | restart |stop | conf | pw | who}"
-        	;;
-	esac
-    
-</programlisting>
-
-<para>	Use this script, or some other one, you will need to ensure its used while the machine
-	is booting. (This typically involves <filename>/etc/rc.d</filename>, we'll be 
-	assuming that there is a script called
-	samba in <filename>/etc/rc.d/init.d</filename> further down in this document.)
-</para>
-</sect1>
-
-<sect1><title>Config File</title>
-
-<sect2><title id=configfile>A sample conf file</title>
-	<para>Here is a fairly minimal config file to do PDC. It will also make the server 
-	become the browse master for the
-	specified domain (not necessary but usually desirable). You will need to change only 
-	two parameters to make this
-	file work, <filename>wins server</filename> and <filename>workgroup</filename>, plus
-    you will need to put your own name (not mine!) in the <filename>domain admin users</> fields. 
-	Some of the parameters are discussed further down this document.</para>
-
-	<para>Assuming you have used the default install directories, this file should appear as 
-	<filename>/usr/local/samba/lib/smb.conf</filename>. It should not be 
-	writable by anyone except root.</para>
-
-	<note><para>The 'add user script' parameter is a work-around, watch for changes !</></>
-
-    <programlisting> 
-
-	[global]  
-	security = user 
-	status = yes 
- 	workgroup = { Your domain name here }
-	wins server = { ip of a wins server if you have one } 
-	encrypt passwords = yes 
-	domain logons =yes 
-	logon script = scripts\%U.bat 
-	domain admin group = @adm 
-	add user script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %m$	
-	guest account = ftp 
-	share modes=no 
-	os level=65 
-	[homes] 
-	guest ok = no 
-	read only = no 
-	create mask = 0700 
-	directory mask = 0700 
-	oplocks = false 
-	locking = no 
-	[netlogon] 
-	path = /usr/local/samba/netlogon 
-	writeable = no 
-	guest ok = no 
-   
-</programlisting>
-
-</sect2>
-
-<sect2><title>PDC Config Parameters</title>
-
-
-<variablelist><title>There are a huge range of parameters that may appear in a smb.conf file. Some 
-	that may be of interest	to a PDC are :</title>
-
-<varlistentry><term>add user script</term>
-	<listitem><para>This parameter specifies a script (or program) that will be run
-	to add a user to the system. Here it is being used to add a machine, not a user.
-	This is probably not very nice and may change. But it does work !</para>
-
-    <para>For this example, I have a group called 'machines', entries can be added to
-    <filename>/etc/passwd</> using a programme called <filename>/usr/adduser</> and 
-    the other parameters are chosen as suitable for a machine account. Works for
-    RH Linux, your system may require changes.</para>
-	</listitem>
-</varlistentry>
-
-
-<varlistentry><term>domain admin group = @adm</term>
-	<listitem><para>This parameter specifies a unix group whose members will be granted 
-    admin privileges on a NT workstation when
-	logged onto that workstation. See the section called <link linkend=domainadmin>
-    Domain Admin</> Accounts.</para>
-	</listitem>
-</varlistentry>
-
-<varlistentry><term>domain admin users = user1 users2</term>
-	<listitem><para>It appears that this parameter does not funtion correctly at present.
-    Use the 'domain admin group' instread. This parameter specifies a unix user who will 
-    be granted admin privileges 
-	on a NT workstation when
-	logged onto that workstation. See the section called <link linkend=domainadmin>
-    Domain Admin</> Accounts.</para>
-	</listitem>
-</varlistentry>
-
-<varlistentry><term>encrypt passwords = yes</term>
-	<listitem><para>This parameter must be 'yes' to allow any of the recent service pack NTs to logon. There are some reg hacks that
-	turn off encrypted passwords on the NTws itself but if you are going to use the smbpasswd system (and you
-	should) you must use encrypted passwords.</para>
-	</listitem>
-</varlistentry>
-
-<varlistentry><term>logon script = scripts\%U.bat</term>
-	<listitem><para>This will make samba look for a logon script named after the user 
-	(eg joeblow.bat). 
-	 See the section further on called <link linkend=logonscript>Logon Scripts</></para>
-	<note><para>Note that the slash is like this '\', not like this '/'. 
-	NT is happy with both, win95 is not !</para></note>
-	</listitem>
-</varlistentry>
-
-<varlistentry><term>logon path</term>
-	<listitem><para>Lets you specify where you would like users profiles kept. The default, that is in the users
-	home directory, does encourage a bit of fiddling.</para>
-	</listitem>
-</varlistentry>
-
-
-</variablelist>
-
-
-</sect2>
-</sect1>
-
-<sect1><title>Special directories</title>
-	<para>You need to create a couple of special files and directories. Its nice 
-	to have some of the binaries handy too, so I create links to them. Assuming 
-	you have used the default samba location and have not
-	changed the locations mentioned in the sample config file, do the following :</para>
-
-    <programlisting> 
-
-	mkdir /usr/local/samba/netlogon 
-	mkdir /usr/local/samba/netlogon/scripts
-	mkdir /usr/local/samba/private
-	touch /usr/local/samba/private/smbpasswd
-	chmod go-rwx /usr/local/samba/private/smbpasswd
-	cd /usr/local/sbin
-	ln -s /usr/local/samba/bin/smbpasswd
-	ln -s /usr/local/samba/bin/smbclient
-	ln -s /etc/rc.d/init.d/samba
-</programlisting>
-
-	<para>Make sure permissions are appropriate !</para> 
-
-	<para>OK, if you have used the scripts above and have a path to where the links are do this to start up 
-	the Samba Server :</para>
-
-	<para><command>samba start</command></para>
-
-	<para>Instead, you might like to reboot the machine to make sure that you 
-	got the init stuff right. Any way, a quick look in the logs 
-	<filename>/usr/local/samba/var/log.smbd</filename> and <filename>
-	/usr/local/samba/var/log/nmbd</filename>
-	will give you an idea of what's happening. Assuming all is well, lets create 
-	some accounts...</para> 
-</sect1>
-</chapter>
-
-	<!-- ================== U S E R  and M A C H I N E   A C C O U N  T S ================ -->
-
-<chapter><title>User and Machine Accounts</title>
-<sect1><title>Logon Accounts</title>
-
-	<para><emphasis role=bold>This section is very nearly out of date already !</emphasis>  It 
-	appears that while you are reading it, Jean Francois Micou is making it 
-	redundant ! Jean Francois is adding facilities to add users
-	(via User Manager) and machines (when joining the domain) and it looks like these facilities will
-	make it into the official release of 2.2.</para>
-
-
-	<para>Every user and NTws (and other samba servers) that will be on the domain 
-	must have its own passwd entry in both <filename>/etc/passwd</filename> and 
-	<filename>/usr/local/samba/private/smbpasswd</filename> . 
-	The <filename>/etc/passwd</filename> entry is really 
-	only to reserve a user ID. The NT encrypted password is stored in 
-	<filename>/usr/local/samba/private/smbpasswd</filename>. 
-	(Note that win95/98 machines don't need an account as they don't do 
-	any security aware things.)</para>
-
-	<para>Samba 2.2 will now create these entries for us. Carefull set up is required
-	and there may well be some changes to this system before its released. 
-	</para>
-</sect1>
-
-<sect1 id=machineaccount><title>Machine Accounts</title>
-
-	<note><para>There is an entry in the ntdom <ulink url="samba-pdc-faq.html">FAQ</> explaining how to create
-	machine entries manually.</para></note>
-
-
-<variablelist><title><emphasis>At present</> to have the machine accounts created when a machine joins 
-	the domain a number of conditions must be met :</title>
-
-<varlistentry><term>Only root can do it !</term>
-	<listitem><para>There must be an entry in <filename>/usr/local/samba/private/smbpasswd</filename>
-	for root and root must be mentioned in <filename>domain admins</filename>. This may
-	be fixed some time in the future so any 'domain admin' can do it. If you don't 
-	like having root as a windows logon account, make the machine
-	entries manually (both of them).</para>
-	</listitem>
-</varlistentry>
-
-<varlistentry><term>Use the <filename>add user script</></term>
-	<listitem><para>Again, this looks a bit like a 'work around'. Use a suitable
-	command line to add a machine account <link linkend=configfile>see above</link>,
-	and pass it %m$, that is %m to get machine name plus the '$'. Now, this
-	means you cannot use the <filename>add user script</> to really add users .... </para>
-	</listitem>
-</varlistentry>
-
-<varlistentry><term>Only for W2K</term>
-    <listitem><para>This automatic creation of machine accounts does not work for
-    NT4ws at present. Watch this space.</para></listitem></varlistentry>
-</variablelist>
-
-</sect1>
-
-<sect1><title>Joining the Domain</title>
-
-	<para>You must have either added the machine account entries manually (NT4 ws)
-	or set up the automatic system (W2K), <link linkend=machineaccount>see Machine Accounts</link>
-	before proceeding.</para>
-
-<variablelist>
-<varlistentry><term><command>Windows NT</></term><listitem>
-<itemizedlist>
-    <listitem><para> (<emphasis>this step may not be necessary some time in the near future</>).
-        On the samba server that is the PDC, add a machine account manually
-        as per the instructions in the <ulink url="samba-pdc-faq.html">FAQ</> 
-        Then give the command <command>smbpasswd -a -m {machine}</> substituting in the 
-        client machine name.</para></listitem>
-    <listitem><para> Logon to the NTws in question as a local admin, go to the 
-	<command>Control Panel, Network IdentificationTag</command>.</para></listitem> 
-    <listitem><para> Press the <command>Change</> button.</para></listitem> 
-    <listitem><para> Enter the Domain name (from the 'Workgroup' parameter, smb.conf) 
-	in the Domain Field.</para></listitem> 
-<!--    <listitem><para> Now enter a user name
-	and password for a Domain Admin <emphasis>(Who must be root 
-	until a pre-release bug is fixed)</emphasis> and press
-	'OK'.</para></listitem> -->
-    <listitem><para> Press OK and after a few seconds you will get a 'Welcome to Whatever Domain'. 
-	Allow to reboot.</para></listitem>
-</itemizedlist>
-</listitem></varlistentry>
-
-<varlistentry><term><command>Windows 2000</></term><listitem>
-<itemizedlist>
-    <listitem><para>Logon to the W2k machine as Administrator, go to the Control 
-	Panel and double click on <command>Network and Dialup Connections</>. 
-	</para></listitem>
-    <listitem><para>Pull down the <command>Advanced</> menu and choose 
-	<command>Network Identification</>. Press <command>Properties
-	</>. </para></listitem> 
-    <listitem><para>Choose <command>Domain</> and enter the domain name. Press 'OK'.</para></listitem> 
-    <listitem><para>Now enter a user name and password for a Domain Admin 
-	<emphasis>(Who must be root until a pre-release bug is fixed)</emphasis> and press
-	'OK'.</para></listitem> 
-    <listitem><para>Wait for the confirmation, reboot when prompted.</para></listitem>
-</itemizedlist>
-    <para>To remove a W2K machine from the domain, follow the first two steps then 
-    choose <command>Workgroup</>, enter a work group name (or just WORKGROUP) and follow 
-    the prompts.</para>
-</listitem></varlistentry>
-
-
-</variablelist>
-	
-</sect1>
-
-<sect1><title id=useraccount>User Accounts</title>
-
-	<para><emphasis>Again, doing it manually (cos' the auto way is not working pre-release).
-	</emphasis>
-	In our simple case every domain user should have an account on the PDC. The 
-	account may have a null shell if they are not allowed to log on to the unix 
-	prompt. Again they need an entry in both the <filename>/etc/passwd</filename> and
-	<filename>/usr/local/samba/private/smbpasswd</filename>. Again a password is 
-	not necessary in <filename>/etc/passwd</filename> but the location 
-	of the home directory is honoured. 
-	To make an entry for a user called Joe Blow you would typically do the following :</para>
-
-    <para><command>adduser -g users -c 'Joe Blow' -s /bin/false -n joeblow</command></para>
-
-    <para><command>smbpasswd -a joeblow</command></para>
-
-	<para>And you will prompted to enter a password for Joe. Ideally he will be 
-	hovering over your shoulder and will, when asked, type in a password of 
-	his choice. There are a number of scripts and systems to ease the migration of users
-	from somewhere to samba. Better start looking !</para>
-</sect1>
-
-<sect1><title id=domainadmin>Domain Admin Accounts</title>
-
-	<para>Certain operations demand that the logged on user has Administrator 
-	privileges, typically installing software and
-	doing maintenance tasks. It is very simple to appoint some users as Domain Admins, 
-	most likely yourself. Make
-	sure you trust the appointee !</para> 
-
-	<para>Samba 2.2 recognizes particular users as being
-	domain admins and tells the NTws when it thinks that it has got one logged on. 
-	In the smb.conf file we declare
-	that the <filename>Domain Admin group = @adm</filename>. 
-	Any user who is a menber of the unix group 'adm' is treated as a Domain Admin by a NTws when 
-	logged onto the Domain. They will have full Administrator rights 
-	including the rights to change permissions on files and run the system 
-	utilities such as Disk Administrator. Add users to the group by editing <filename>
-    /etc/group/</>. You do not need to use the 'adm' group, choose any one you like.</para> 
-
-	<para>Further, and this is very new, they will be allowed to create a 
-	new machine account when first connecting a new NT or W2K machine to 
-	the domain. <emphasis>However, at present, ie pre-release, only a Domain Admin who
-	also happens to be root can do so. </emphasis></para>
-</sect1>
-</chapter>
-
-
-<!-- ======== P R O F I L E S   P O L I C I E S  and  L O G O N   S C R I P T S ======= -->
-
-<chapter><title>Profiles, Policies and Logon Scripts</title>
-
-<sect1><title>Profiles</title> 
-
-	<para>NT Profiles should work if you have followed the setup so far. 
-	A user's profile contains a whole lot of their personal	settings, 
-	the contents of their desktop, personal 'My Documents' and so on. 
-	When they log off, all of the profile is copied to their directory 
-	on the server and is downloaded again when they logon on again, possibly 
-	on another client machine.</para> 
-
-	<para>Sounds great but can be a bit of a bug bear sometimes. Users let 
-	their profiles get too big and then complain about how long it takes 
-	to log on each time. This sample setup only supports NT profiles, 
-	rumor has it that it is also possible to do the same on Win95, my 
-	users don't know and I'm not telling them.</para>
-
-    <note><para>There is more info about Profiles (including for W95/98) 
-        in the <ulink url="samba-pdc-faq.html">FAQ</>.</para></note>
-</sect1>
-
-<sect1><title>Policies</title> 
-
-	<para>Policies are an easy way to make or enforce specific characteristics across your network. You create a ntconfig.pol
-	file and every time someone logs on with their NTws, the settings you put in ntconfig.pol are applied to the NTws.
-	Typical setting are things like making the date appear the way you want it (none of these 2 figure years here) or
-	maybe suppressing one of the splash screens. Perhaps you want to set the NTws so it does not keep users profiles
-	on the local machine. Cool. The only problem is making the ntconfig.pol file itself. You cannot use the policy editor
-	that comes with NTws.</para> 
-
-    <note><para>See the <ulink url="samba-pdc-faq.html">FAQ</> for pointers on how to get a suitable Policy Editor.</para></note>
-
-	<para>The Policy Editor (and associated files) will create a 
-	<filename>ntconfig.pol</filename> file using the 
-	parameters Microsoft thought of and parameters you specify by making your own 
-	template file.</para>
-
-	<para>In our example configuration here, Samba will expect to find 
-	the <filename>ntconfig.pol</filename> file in 
-	<filename>/usr/local/samba/netlogon</filename>. Needless to say (I hope !), 
-	it is vitally important that ordinary users don't have 
-	write permission to the Policy files.</para>
-</sect1>
-
-<sect1><title id=logonscript>Logon Scripts</title>
-
-	<para>In the sample config file above there is a line 
-	<filename>logon script = scripts\%U.bat</filename></para>
-
-	<note><para>Note that the slash is like this '\' not like this '/'. 
-	NT is happy with both, win95 is not !</para></note>
-
-	<para>This allows you to run a dos batch file every time someone logs on. The batch 
-	file is located on the server, in the sample install mentioned here, 
-	its in <filename>/usr/local/samba/netlogon/scripts</filename> and 
-	is named after the user with <filename>.bat</filename> appended, eg Joe
-	Blow's script is called <filename>/usr/local/samba/netlogon/scripts/joeblow.bat</filename>.</para>
-
-    <note><para>There is a suggestion that user names longer than 8 characters may cause
-	problems with some systems being unable to run logon scripts. This is confirmed in earlier
-    versions when connecting using W95, comments about other combinations ??</para></note>
-
-    <para>You could use a line like this <filename>logon script = default.bat</> and samba
-    will supply <filename>/usr/local/samba/netlogon/default.bat</> for any client and every
-    user. Maybe you could use %m and get a client machine dependant logon script.
-    You get the idea...</para>
-
-	<para>Note that the file is a dos batch file not a Unix script. It runs dos commands on the client 
-	computer with the logon	user's permissions. It must be a dos file with each line ending with 
-	the dos cr/lf not a nice clean newline. Generally,
-	its best to create the initial file on a DOS system and copy it across.</para>
-
-	<para>There is lots of very clever uses of the Samba replaceable variables such 
-	( %U = user, %G = primary group, %H = client machine, see the 'man 5 smb.conf') to 
-	give you control over which script runs when a particular person logs
-	on. (Gee, it would be nice to have a default.bat run when nothing else is available.)</para>
-
-	<para>Again, it is vitally important that ordinary users don't have write 
-	permission to other peoples, or even probably their own, logon script files.</para>
-
-	<para>A typical logon script is reproduced below. Note that it runs separate 
-	commands for win95 and NT, that's because NT has slightly different behaviour 
-	when using the <filename>net use ..</filename> command. Its useful for lots of 
-	other situations too. I	don't know what syntax to use for win98, I don't use it 
-	here.</para>
-
-<programlisting> 
-
-		rem Default logon script, create links to this file.
-
-		net time \\bioserve /set /yes
-		@echo off
-		if %OS%.==Windows_NT. goto WinNT
-
-		:Win95
-		net use k: \\trillion\bio_prog
-		net use p: \\bcfile\homes
-		goto end
-		:WinNT
-		net use k: \\trillion\bio_prog /persistent:no
-		net use p: \\bcfile\homes /persistent:no
-
-		:end
-	
-</programlisting>
-</sect1>
-</chapter>
-
-<chapter><title>Passwords and Authentication</title>
-
-	<para>So far our configuration assumes that ordinary users don't have unix logon access. A change
-	to the <link linkend=useraccount><filename>adduser</></> line above would allow unix logon 
-	but it would be with passwords that may 
-	be different from the NT logon. Clearly that won't suit everyone. Trying to explain to users
-	that they need to change their passwords in two seperate places is not fun. 
-	Further, even if they cannot do a unix logon there are other processes that 
-	might require authentication. We have a nice securely encrypted password in 
-	<filename>/usr/local/samba/private/smbpasswd</filename>, why not use it ?</para>
-
-<sect1><title></>
-<sect2><title>Syncing Passwords</title>
-
-	<para>Yes, its possible and seems the easiest  way (initially anyway). 
-    The <ulink url="samba-pdc-faq.html">FAQ</> details how to 
-    do so in the sections <emphasis>What is password sync and should I use it ?</> and <emphasis>
-    How do I get remote password (unix and SMB) changing working ?</></para>
-
-</sect2>
-
-<sect2><title>Using PAM</title>
-	<para>Pam enabled systems have a much better solution available. The Samba 
-	PDC server will	offer to authenticate domain users to other processes 
-	(either on this server or on the domain). With a suitable pam stack 
-	such as <ulink url="http://www.csn.ul.ie/~airlied/pam_smb/"> Pam_smb</ulink> 
-	you can get any pam aware application looking to the samba password and 
-	can leave the password field in <filename>/etc/shadow</filename>
-	or <filename>/etc/passwd</filename> invalid.</para>
-</sect2>
-
-<sect2><title>Authenticating other Samba Servers</title>
-	<para>In a domain that has a number of servers you only need one password database. 
-	The machines that don't have their own ask the PDC  to check for them.
-    This will work fine for a domain controlled by either a Samba or NT machine.</para>
-
-    <para>To do so the Samba machine must be told to refer to the PDC and where the PDC is.
-    See the section in the NTDom <ulink url="samba-pdc-faq.html">FAQ</> called <emphasis>How do I get my samba server to 
-    become a member ( not PDC ) of an NT domain?</></para>
- 
-
-</sect2>
-</sect1>
-</chapter>
-
-
-<chapter><title>Background</title>
-
-<sect1><title></title>
-<sect2><title>History</title>
-
-	<para>It might help you understand the limitations of the PDC in Samba if you
-	read something of its history. Well, the history as I understand it anyway.</para>
-
-	<para>For many years the Samba team have been developing Samba, some time ago 
-	a number of people, possibly lead by Luke Leighton started contributing NT 
-	PDC stuff. This was added to the 'head' stream (that would eventually
-	become the next version) and later to a seperate stream (NTDom). They did so 
-	much that eventually this development stream was so mutated that it could not 
-	be merged back into the main stream and was abandoned towards the end of 1999. 
-	And that was very sad because many users, myself include had become heavily
-	dependant on the NTController facilities it offered. Oh well...</para>
-
-	<para>The NTDom team continued on with their new found knowledge however and 
-	built the TNG stream. Intended to be carefully controlled so that it can be 
-	merged back into the main stream and benefiting from what they learnt, it is 
-	a very different product to the origional NTDom product. However, for a 
-    number of reasons, the merge did not take place and now TNG is being developed 
-    at <ulink url="http://www.samba-tng.org">http://www.samba-tng.org</>.</para>
-
-	<para>Now, the NTDom things that the main strean 2.0.x version does is based more 
-	on the old (initial version) abandoned code than on the TNG ideas. It appears 
-	that version 2.2.0 will also include an improved version of the 2.0.7 domain 
-	controller charactistics, not the TNG ways. The developers have indicated 
-	that 2.2.0 will be further developed incrementally and the ideas from TNG 
-	incorporated into it.</para>
-
-	<para>One more little wriggle is worth mentioning. At one stage the NTDom 
-	stream was called Samba 2.1.0-prealpha and similar names. This is most 
-	unfortunate because at least one book published advises people who want to 
-	use NTDom Samba to get version 2.1.0 or later. As main stream Samba will soon 
-	be called 2.2.0  and NOT officially supporting NTDom Controlling functions, 
-	the potential for confusion is certainly there.</para>
-</sect2>
-
-<sect2><title>The Future</title> 
-
-	<para>There is a document on the Samba mirrors called <emphasis>'Development'
-	</emphasis>. It offers the 'best guess'	of what is planned for future releases 
-	of Samba.</para>
-
-	<para>The future of Samba as a Primary Domain Controller appears rosie, however 
-	be aware that its the future, not the present. The developers are strongly committed 
-	to building a full featured PDC into Samba but it will	take time. If this 
-	version does not meet your requirements then you should consider (in no particular 
-	order) :</para>
-
-    <itemizedlist>
-	<listitem><para> Wait. No, we don't know how long. Repeated asking won't help.</para></listitem>
-	<listitem><para>Investigate the development versions, TNG perhaps or HEAD where new code is being added
-	all the time. Realise that development code is often unstable, poorly documented and subject to change.
-	You will need to use cvs to download development versions.</para></listitem>
-	<listitem><para>Join one of the Samba mailing lists so that you can find out 
-	what is happening on the 'bleeding edge'.</para></listitem>
-    </itemizedlist>
-</sect2>
-
-<sect2><title>Getting further help</title>
-
-	<para>This document cannot possibly answer all your questions. Please understand that its very
-	likely that someone has been confrounted by the same problem that you have. The 
-    <ulink url="samba-pdc-faq.html">FAQ</>
-    discusses a number of possible paths to take to get further help :</para>
-
-
-    <itemizedlist>
-	    <listitem><para>Documents on the Samba Sites.</para></listitem>
-	    <listitem><para>Other web sites.</para></listitem>
-	    <listitem><para>Mailing list.</para></listitem>
-    </itemizedlist>
-
-	<para>There is some discussion about guide lines for using the Mailing Lists on the 
-    accompanying <ulink url="samba-pdc-faq.html">FAQ</>,
-    please read them before posting.</para>
-
-</sect2>
-</sect1>
-</chapter>
-
-</book>