Lots of minor, mostly layout fixes.

(This used to be commit 99674fdbd12caca61baa00974a492a9a26d982e9)

1 files changed, 155 insertions, 127 deletions

diff --git a/docs/docbook/projdoc/DOMAIN_MEMBER.xml b/docs/docbook/projdoc/DOMAIN_MEMBER.xml
index ecb8a3afb3..bb8e95b8a9 100644
--- a/docs/docbook/projdoc/DOMAIN_MEMBER.xml
+++ b/docs/docbook/projdoc/DOMAIN_MEMBER.xml
@@ -4,40 +4,48 @@
 	&author.jht;
 	&author.jeremy;
 	&author.jerry;
+
+<!-- Authors of the ADS-HOWTO -->
+	&author.tridge;
+	&author.jelmer;
 </chapterinfo>
 
 <title>Domain Membership</title>
 
 <para>
-Domain Membership is a subject of vital concern, Samba must be able to participate
-as a member server in a Microsoft Domain security context, and Samba must be capable of
-providing Domain machine member trust accounts, otherwise it would not be capable of offering
-a viable option for many users.
+Domain Membership is a subject of vital concern, Samba must be able to
+participate as a member server in a Microsoft Domain security context, and
+Samba must be capable of providing Domain machine member trust accounts,
+otherwise it would not be capable of offering a viable option for many users.
 </para>
 
 <para>
-This chapter covers background information pertaining to domain membership, Samba
-configuration for it, and MS Windows client procedures for joining a domain.  Why is
-this necessary? Because both are areas in which there exists within the current MS
-Windows networking world and particularly in the Unix/Linux networking and administration
-world, a considerable level of mis-information, incorrect understanding, and a lack of
-knowledge. Hopefully this chapter will fill the voids.
+This chapter covers background information pertaining to domain membership,
+Samba configuration for it, and MS Windows client procedures for joining a
+domain.  Why is this necessary? Because both are areas in which there exists
+within the current MS Windows networking world and particularly in the
+Unix/Linux networking and administration world, a considerable level of
+mis-information, incorrect understanding, and a lack of knowledge. Hopefully
+this chapter will fill the voids.
 </para>
 
 <sect1>
 <title>Features and Benefits</title>
 
 <para>
-MS Windows workstations and servers that want to participate in domain security need to
+MS Windows workstations and servers that want to participate in domain
+security need to
 be made Domain members. Participating in Domain security is often called 
-<emphasis>Single Sign On</emphasis> or SSO for short. This chapter describes the process
-that must be followed to make a workstation (or another server - be it an MS Windows NT4 / 200x
+<emphasis>Single Sign On</emphasis> or <acronym>SSO</acronym> for short. This
+chapter describes the process that must be followed to make a workstation
+(or another server - be it an <application>MS Windows NT4 / 200x</application>
 server) or a Samba server a member of an MS Windows Domain security context.
 </para>
 
 <para>
-Samba-3 can join an MS Windows NT4 style domain as a native member server, an MS Windows
-Active Directory Domain as a native member server, or a Samba Domain Control network.
+Samba-3 can join an MS Windows NT4 style domain as a native member server, an 
+MS Windows Active Directory Domain as a native member server, or a Samba Domain
+Control network.
 </para>
 
 <para>
@@ -50,19 +58,21 @@ Domain membership has many advantages:
 	</para></listitem>
 
 	<listitem><para>
-	Domain user access rights and file ownership / access controls can be set from
-	the single Domain SAM (Security Accounts Management) database (works with Domain member
-	servers as well as with MS Windows workstations that are domain members)
+	Domain user access rights and file ownership / access controls can be set
+	from the single Domain SAM (Security Accounts Management) database 
+	(works with Domain member servers as well as with MS Windows workstations
+	that are domain members)
 	</para></listitem>
 
 	<listitem><para>
-	Only MS Windows NT4 / 200x / XP Professional workstations that are Domain members
+	Only <application>MS Windows NT4 / 200x / XP Professional</application>
+	workstations that are Domain members
 	can use network logon facilities
 	</para></listitem>
 
 	<listitem><para>
-	Domain Member workstations can be better controlled through the use of Policy files
-	(NTConfig.POL) and Desktop Profiles.
+	Domain Member workstations can be better controlled through the use of
+	Policy files (<filename>NTConfig.POL</filename>) and Desktop Profiles.
 	</para></listitem>
 
 	<listitem><para>
@@ -71,10 +81,11 @@ Domain membership has many advantages:
 	</para></listitem>
 
 	<listitem><para>
-	Network administrators gain better application and user access management abilities
-	because there is no need to maintain user accounts on any network client or server,
-	other than the central Domain database (either NT4/Samba SAM style Domain, NT4 Domain
-	that is back ended with an LDAP directory, or via an Active Directory infrastructure)
+	Network administrators gain better application and user access management
+	abilities because there is no need to maintain user accounts on any network
+	client or server, other than the central Domain database 
+	(either NT4/Samba SAM style Domain, NT4 Domain that is back ended with an
+	LDAP directory, or via an Active Directory infrastructure)
 	</para></listitem>
 </itemizedlist>
 
@@ -84,7 +95,8 @@ Domain membership has many advantages:
 <title>MS Windows Workstation/Server Machine Trust Accounts</title>
 
 <para>
-A machine trust account is an account that is used to authenticate a client machine
+A machine trust account is an account that is used to authenticate a client
+machine
 (rather than a user) to the Domain Controller server.  In Windows terminology,
 this is known as a "Computer Account."
 </para>
@@ -113,10 +125,10 @@ as follows:
 
 <itemizedlist>
 	<listitem><para>
-	A Domain Security Account (stored in the <emphasis>passdb backend</emphasis>
-	that has been configured in the &smb.conf; file. The precise nature of the
-	account information that is stored depends on the type of backend database
-	that has been chosen.
+	A Domain Security Account (stored in the 
+	<parameter>passdb backend</parameter> that has been configured in the
+	&smb.conf; file. The precise nature of the account information that is
+	stored depends on the type of backend database that has been chosen.
 	</para>
 
 	<para>
@@ -127,15 +139,17 @@ as follows:
 	</para>
 
 	<para>
-	The two newer database types are called <emphasis>ldapsam, tdbsam</emphasis>.
-	Both store considerably more data than the older <filename>smbpasswd</filename>
-	file did. The extra information enables new user account controls to be used.
+	The two newer database types are called <emphasis>ldapsam</emphasis>,
+	<emphasis>tdbsam</emphasis>.  Both store considerably more data than the
+	older <filename>smbpasswd</filename> file did. The extra information
+	enables new user account controls to be used.
 	</para></listitem>
 
 	<listitem><para>
-	A corresponding Unix account, typically stored in <filename>/etc/passwd</filename>.
-	Work is in progress to allow a simplified mode of operation that does not require
-	Unix user accounts, but this may not be a feature of the early releases of Samba-3.
+	A corresponding Unix account, typically stored in
+	<filename>/etc/passwd</filename>.  Work is in progress to allow a
+	simplified mode of operation that does not require Unix user accounts, but
+	this may not be a feature of the early releases of Samba-3.
 	</para></listitem>
 </itemizedlist>
 </para>
@@ -146,20 +160,22 @@ There are three ways to create machine trust accounts:
 
 <itemizedlist>
 	<listitem><para>
-	Manual creation from the Unix/Linux command line. Here, both the Samba and corresponding
-	Unix account are created by hand.
+	Manual creation from the Unix/Linux command line. Here, both the Samba and
+	corresponding Unix account are created by hand.
 	</para></listitem>
 
 	<listitem><para>
-	Using the MS Windows NT4 Server Manager (either from an NT4 Domain member server, or using
-	the Nexus toolkit available from the Microsoft web site. This tool can be run from any
-	MS Windows machine so long as the user is logged on as the administrator account.
+	Using the MS Windows NT4 Server Manager (either from an NT4 Domain member
+	server, or using the Nexus toolkit available from the Microsoft web site.
+	This tool can be run from any MS Windows machine so long as the user is
+	logged on as the administrator account.
 	</para></listitem>
 	
 	<listitem><para>
-	"On-the-fly" creation. The Samba machine trust account is automatically created by
-	Samba at the time the client is joined to the domain. (For security, this is the
-	recommended method.) The corresponding Unix account may be created automatically or manually. 
+	"On-the-fly" creation. The Samba machine trust account is automatically
+	created by Samba at the time the client is joined to the domain.
+	(For security, this is the recommended method.) The corresponding Unix
+	account may be created automatically or manually. 
 	</para></listitem>
 </itemizedlist>
 
@@ -167,26 +183,26 @@ There are three ways to create machine trust accounts:
 <title>Manual Creation of Machine Trust Accounts</title>
 
 <para>
-The first step in manually creating a machine trust account is to manually create the
-corresponding Unix account in <filename>/etc/passwd</filename>.  This can be done using
-<command>vipw</command> or other 'add user' command that is normally used to create new
-Unix accounts.  The following is an example for a Linux based Samba server:
+The first step in manually creating a machine trust account is to manually
+create the corresponding Unix account in <filename>/etc/passwd</filename>. 
+This can be done using <command>vipw</command> or another 'add user' command
+that is normally used to create new Unix accounts.  The following is an example for a Linux based Samba server:
 </para>
 
 <para>
-<prompt>root# </prompt><command>/usr/sbin/useradd -g 100 -d /dev/null -c <replaceable>"machine nickname"</replaceable> -s /bin/false <replaceable>machine_name</replaceable>$ </command>
+<prompt>root# </prompt><userinput>/usr/sbin/useradd -g 100 -d /dev/null -c <replaceable>"machine nickname"</replaceable> -s /bin/false <replaceable>machine_name</replaceable>$ </userinput>
 </para>
 
 <para>
-<prompt>root# </prompt><command>passwd -l <replaceable>machine_name</replaceable>$</command>
+<prompt>root# </prompt><userinput>passwd -l <replaceable>machine_name</replaceable>$</userinput>
 </para>
 
 <para>
-On *BSD systems, this can be done using the 'chpass' utility:
+On *BSD systems, this can be done using the <command>chpass</command> utility:
 </para>
 
 <para>
-<prompt>root# </prompt><command>chpass -a "<replaceable>machine_name</replaceable>$:*:101:100::0:0:Workstation <replaceable>machine_name</replaceable>:/dev/null:/sbin/nologin"</command>
+<prompt>root# </prompt><userinput>chpass -a "<replaceable>machine_name</replaceable>$:*:101:100::0:0:Workstation <replaceable>machine_name</replaceable>:/dev/null:/sbin/nologin"</userinput>
 </para>
 
 <para>
@@ -235,11 +251,11 @@ the corresponding Unix account.
 	<para>
 	Manually creating a machine trust account using this method is the 
 	equivalent of creating a machine trust account on a Windows NT PDC using 
-	the "Server Manager".  From the time at which the account is created
-	to the time which the client joins the domain and changes the password,
-	your domain is vulnerable to an intruder joining your domain using
-	a machine with the same NetBIOS name.  A PDC inherently trusts
-	members of the domain and will serve out a large degree of user 
+	the <application>Server Manager</application>.  From the time at which the 
+	account is created to the time which the client joins the domain and 
+	changes the password, your domain is vulnerable to an intruder joining 
+	your domain using a machine with the same NetBIOS name.  A PDC inherently 
+	trusts members of the domain and will serve out a large degree of user 
 	information to such clients.  You have been warned!
 	</para>
 </warning>
@@ -249,16 +265,19 @@ the corresponding Unix account.
 <title>Using NT4 Server Manager to Add Machine Accounts to the Domain</title>
 
 <para>
-If the machine from which you are trying to manage the domain is an MS Windows NT4 workstation
-then the tool of choice is the package called SRVTOOLS.EXE. When executed in the target directory
-this will unpack SrvMge.exe and UsrMgr.exe (both are Domain Management tools for MS Windows NT4
-workstation.
+If the machine from which you are trying to manage the domain is an 
+<application>MS Windows NT4 workstation</application>
+then the tool of choice is the package called <command>SRVTOOLS.EXE</command>. 
+When executed in the target directory this will unpack 
+<command>SrvMge.exe</command> and <command>UsrMgr.exe</command> (both are 
+Domain Management tools for MS Windows NT4 workstation.
 </para>
 
 <para>
-If your workstation is any other MS Windows product you should download the Nexus.exe package
-from the Microsoft web site. When executed from the target directory this will unpack the same
-tools but for use on MS Windows 9x/Me/200x/XP.
+If your workstation is any other MS Windows product you should download the
+<command>Nexus.exe</command> package from the Microsoft web site. When executed 
+from the target directory this will unpack the same tools but for use on 
+<application>MS Windows 9x/Me/200x/XP</application>.
 </para>
 
 <para>
@@ -268,29 +287,32 @@ Launch the <command>srvmgr.exe</command> (Server Manager for Domains) and follow
 <procedure>
 <title>Server Manager Account Machine Account Management</title>
 	<step><para>
-	From the menu select Computer
+			From the menu select <guimenu>Computer</guimenu>
 	</para></step>
 
 	<step><para>
-	Click on "Select Domain"
+	Click on <guimenuitem>Select Domain</guimenuitem>
 	</para></step>
 
 	<step><para>
-	Click on the name of the domain you wish to administer in the "Select Domain" panel
-	and then Click OK.
+	Click on the name of the domain you wish to administer in the
+	<guilabel>Select Domain</guilabel> panel and then click 
+	<guibutton>OK</guibutton>.
 	</para></step>
 
 	<step><para>
-	Again from the menu select Computer
+	Again from the menu select <guimenu>Computer</guimenu>
 	</para></step>
 
 	<step><para>
-	Select "Add to Domain"
+	Select <guimenuitem>Add to Domain</guimenuitem>
 	</para></step>
 
 	<step><para>
-	In the dialog box, click on the radio button to "Add NT Workstation of Server", then
-	enter the machine name in the field provided, then Click the "Add" button.
+	In the dialog box, click on the radio button to 
+	<guilabel>Add NT Workstation of Server</guilabel>, then
+	enter the machine name in the field provided, then click the 
+	<guibutton>Add</guibutton> button.
 	</para></step>
 </procedure>
 
@@ -334,8 +356,8 @@ The procedure for making an MS Windows workstation of server a member of the dom
 with the version of Windows:
 </para>
 
-<itemizedlist>
-	<listitem><para><emphasis>Windows 200x XP Professional</emphasis></para>
+<sect3>
+	<title>Windows 200x XP Professional</title>
 
 	<para>
 	When the user elects to make the client a domain member, Windows 200x prompts for
@@ -363,9 +385,11 @@ with the version of Windows:
 	encryption key for setting the password of the machine trust
 	account. The machine trust account will be created on-the-fly, or
 	updated if it already exists.
-	</para></listitem>
+	</para>
+</sect3>
 
-	<listitem><para><emphasis>Windows NT4</emphasis></para>
+<sect3>
+	<title>Windows NT4</title>
 
 	<para>
 	If the machine trust account was created manually, on the
@@ -382,13 +406,16 @@ with the version of Windows:
 	this case, joining the domain proceeds as above for Windows 2000
 	(i.e., you must supply a Samba administrative account when
 	prompted).
-	</para></listitem>
+	</para>
+</sect3>
+
+<sect3>
+	<title>Samba</title>
 
-	<listitem><para><emphasis>Samba</emphasis></para>
 	<para>Joining a samba client to a domain is documented in 
 	the <link linkend="domain-member">Domain Member</link> chapter.
-	</para></listitem>
-</itemizedlist>
+	</para>
+</sect3>
 
 </sect2>
 </sect1>
@@ -398,38 +425,41 @@ with the version of Windows:
 
 <para>
 This mode of server operation involves the samba machine being made a member
-of a domain security context. This means by definition that all user authentication
-will be done from a centrally defined authentication regime. The authentication
-regime may come from an NT3/4 style (old domain technology) server, or it may be
-provided from an Active Directory server (ADS) running on MS Windows 2000 or later.
+of a domain security context. This means by definition that all user
+authentication will be done from a centrally defined authentication regime. 
+The authentication regime may come from an NT3/4 style (old domain technology)
+server, or it may be provided from an Active Directory server (ADS) running on
+MS Windows 2000 or later.
 </para>
 
 <para>
 <emphasis>
-Of course it should be clear that the authentication back end itself could be from any
-distributed directory architecture server that is supported by Samba. This can be
-LDAP (from OpenLDAP), or Sun's iPlanet, of NetWare Directory Server, etc.
+Of course it should be clear that the authentication back end itself could be
+from any distributed directory architecture server that is supported by Samba.
+This can be LDAP (from OpenLDAP), or Sun's iPlanet, of NetWare Directory
+Server, etc.
 </emphasis>
 </para>
 
 <para>
-Please refer to the section on Howto configure Samba as a Primary Domain Controller
-and for more information regarding how to create a domain machine account for a
-domain member server as well as for information regarding how to enable the samba
-domain member machine to join the domain and to be fully trusted by it.
+Please refer to the <link linkend="samba-pdc">Samba as a Primary Domain
+Controller chapter</link> for more information regarding how to create a domain
+machine account for a domain member server as well as for information
+regarding how to enable the samba domain member machine to join the domain and
+to be fully trusted by it.
 </para>
 
 <sect2>
 <title>Joining an NT4 type Domain with Samba-3</title>
 
 <para>
-<emphasis>Assumptions:</emphasis>
-<programlisting>
-	NetBIOS name: SERV1
-	Win2K/NT domain name: DOM
-	Domain's PDC NetBIOS name: DOMPDC
-	Domain's BDC NetBIOS names: DOMBDC1 and DOMBDC2
-</programlisting>
+Assumptions:
+<table><tbody>
+	<row><entry>NetBIOS name:</entry><entry>SERV1</entry></row>
+	<row><entry>Win2K/NT domain name:</entry><entry>DOM</entry></row>
+	<row><entry>Domain's PDC NetBIOS name:</entry><entry>DOMPDC</entry></row>
+	<row><entry>Domain's BDC NetBIOS names:</entry><entry>DOMBDC1 and DOMBDC2</entry></row>
+</tbody></table>
 </para>
 
 <para>
@@ -445,18 +475,19 @@ of your &smb.conf; to read:
 
 <para>
 <programlisting>
-        <command>security = domain</command>
+security = domain
 </programlisting>
 </para>
 
 <para>
 Next change the <ulink url="smb.conf.5.html#WORKGROUP"><parameter>
-workgroup =</parameter></ulink> line in the [global] section to read: 
+workgroup</parameter></ulink> line in the <parameter>[global]</parameter>
+section to read: 
 </para>
 
 <para>
 <programlisting>
-        <command>workgroup = DOM</command>
+workgroup = DOM
 </programlisting>
 </para>
 
@@ -472,13 +503,13 @@ You must also have the parameter <ulink url="smb.conf.5.html#ENCRYPTPASSWORDS">
 
 <para>
 Finally, add (or modify) a <ulink url="smb.conf.5.html#PASSWORDSERVER">
-<parameter>password server =</parameter></ulink> line in the [global]
+<parameter>password server</parameter></ulink> line in the [global]
 section to read: 
 </para>
 
 <para>
 <programlisting>
-        <command>password server = DOMPDC DOMBDC1 DOMBDC2</command>
+password server = DOMPDC DOMBDC1 DOMBDC2
 </programlisting>
 </para>
 
@@ -498,7 +529,7 @@ set this line to be:
 
 <para>
 <programlisting>
-        <command>password server = *</command>
+password server = *
 </programlisting>
 </para>
 
@@ -513,14 +544,14 @@ In order to actually join the domain, you must run this command:
 </para>
 
 <para>
-<programlisting>
-        <prompt>root# </prompt><userinput>net join -S DOMPDC -U<replaceable>Administrator%password</replaceable></userinput>
-</programlisting>
+<screen>
+<prompt>root# </prompt><userinput>net join -S DOMPDC -U<replaceable>Administrator%password</replaceable></userinput>
+</screen>
 </para>
 
 <para>
-If the <userinput>-S DOMPDC</userinput> argument is not given then
-the domain name will be obtained from smb.conf.
+If the <option>-S DOMPDC</option> argument is not given then
+the domain name will be obtained from &smb.conf;.
 </para>
 
 <para>
@@ -573,7 +604,7 @@ clients to begin using domain security!
 </sect2>
 
 <sect2>
-<title>Why is this better than security = server?</title>
+<title>Why is this better than <parameter>security = server</parameter>?</title>
 
 <para>
 Currently, domain security in Samba doesn't free you from 
@@ -604,11 +635,11 @@ domain PDC to an account domain PDC).
 </para>
 
 <para>
-In addition, with <command>security = server</command> every Samba 
+In addition, with <parameter>security = server</parameter> every Samba 
 daemon on a server has to keep a connection open to the 
 authenticating server for as long as that daemon lasts. This can drain 
 the connection resources on a Microsoft NT server and cause it to run 
-out of available connections. With <command>security = domain</command>, 
+out of available connections. With <parameter>security = domain</parameter>, 
 however, the Samba daemons connect to the PDC/BDC only for as long 
 as is necessary to authenticate the user, and then drop the connection, 
 thus conserving PDC connection resources.
@@ -624,8 +655,8 @@ as the user SID, the list of NT groups the user belongs to, etc.
 <note>
 <para>
 Much of the text of this document 
-was first published in the Web magazine <ulink url="http://www.linuxworld.com"> 	
-LinuxWorld</ulink> as the article <ulink
+was first published in the Web magazine 
+<ulink url="http://www.linuxworld.com">LinuxWorld</ulink> as the article <ulink
 url="http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba.html">Doing 
 the NIS/NT Samba</ulink>.
 </para>
@@ -646,7 +677,7 @@ Windows2000 KDC.
 <title>Setup your <filename>smb.conf</filename></title>
 
 <para>
-You must use at least the following 3 options in smb.conf:
+You must use at least the following 3 options in &smb.conf;:
 </para>
 
 <para><programlisting>
@@ -657,17 +688,18 @@ You must use at least the following 3 options in smb.conf:
 
 <para>
 In case samba can't figure out your ads server using your realm name, use the 
-<command>ads server</command> option in <filename>smb.conf</filename>:
+<parameter>ads server</parameter> option in <filename>smb.conf</filename>:
 <programlisting>
 	ads server = your.kerberos.server
 </programlisting>
 </para>
 
 <note><para>
-You do *not* need a smbpasswd file, and older clients will be authenticated as if
-<command>security = domain</command>, although it won't do any harm and allows you
-to have local users not in the domain. I expect that the above required options will
-change soon when we get better active directory integration.
+You do &not; need a smbpasswd file, and older clients will be authenticated as 
+if <parameter>security = domain</parameter>, although it won't do any harm and 
+allows you to have local users not in the domain. It is expected that the above 
+required options will change soon when active directory integration will get 
+better.
 </para></note>
 
 </sect2>
@@ -676,10 +708,6 @@ change soon when we get better active directory integration.
 <title>Setup your <filename>/etc/krb5.conf</filename></title>
 
 <para>
-Note: you will need the krb5 workstation, devel, and libs installed
-</para>
-
-<para>
 The minimal configuration for <filename>krb5.conf</filename> is:
 </para>
 
@@ -697,8 +725,8 @@ making sure that your password is accepted by the Win2000 KDC.
 </para>
 
 <note><para>
-The realm must be uppercase or you will get "Cannot find KDC for requested
-realm while getting initial credentials" error
+The realm must be uppercase or you will get <errorname>Cannot find KDC for
+requested realm while getting initial credentials</errorname> error
 </para></note>
 
 <note><para>
@@ -748,7 +776,7 @@ As a user that has write permission on the Samba private directory
 
 <para>
 <variablelist>
-	<varlistentry><term>"ADS support not compiled in"</term>
+	<varlistentry><term>ADS support not compiled in</term>
 	<listitem><para>Samba must be reconfigured (remove config.cache) and recompiled
 	(make clean all install) after the kerberos libs and headers are installed.
 	</para></listitem></varlistentry>