mega-merge from 2.2

(This used to be commit c76bf8ed3275e217d1b691879153fe9137bcbe38)

1 files changed, 38 insertions, 35 deletions

diff --git a/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml
index 0b86bcba63..b980b99e22 100644
--- a/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml
+++ b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml
@@ -1,4 +1,4 @@
-<chapter>
+<chapter id="samba-pdc">
 
 
 <chapterinfo>
@@ -32,12 +32,12 @@ How to Configure Samba 2.2 as a Primary Domain Controller
 <title>Prerequisite Reading</title>
 
 <para>
-Before you continue readingin this chapter, please make sure 
+Before you continue reading in this chapter, please make sure 
 that you are comfortable with configuring basic files services
-in smb.conf and how to enable and administrate password 
+in smb.conf and how to enable and administer password 
 encryption in Samba.  Theses two topics are covered in the
 <ulink url="smb.conf.5.html"><filename>smb.conf(5)</filename></ulink> 
-manpage and the <ulink url="EMCRYPTION.html">Encryption chapter</ulink> 
+manpage and the <ulink url="ENCRYPTION.html">Encryption chapter</ulink> 
 of this HOWTO Collection.
 </para>
 
@@ -60,13 +60,14 @@ Background
 <para>
 <emphasis>Author's Note :</emphasis> This document is a combination 
 of David Bannon's Samba 2.2 PDC HOWTO and the Samba NT Domain FAQ. 
-Both documents are superceeded by this one.
+Both documents are superseded by this one.
 </para>
 </note>
 
 <para>
 Version of Samba prior to release 2.2 had marginal capabilities to
-act as a Windows NT 4.0 Primary Domain Controller (PDC).  Beginning with 
+act as a Windows NT 4.0 Primary DOmain Controller <indexterm><primary>Primary 
+Domain Controller</primary></indexterm> (PDC).  Beginning with 
 Samba 2.2.0, we are proud to announce official support for Windows NT 4.0 
 style domain logons from Windows NT 4.0 (through SP6) and Windows 2000 (through 
 SP1) clients.  This article outlines the steps necessary for configuring Samba 
@@ -264,9 +265,8 @@ There are a couple of points to emphasize in the above configuration.
 <para>
 As Samba 2.2 does not offer a complete implementation of group mapping between 
 Windows NT groups and UNIX groups (this is really quite complicated to explain 
-in a short space), you should refer to the <ulink url="smb.conf.5.html#DOMAINADMINUSERS">domain 
-admin users</ulink> and <ulink url="smb.conf.5.html#DOMAINADMINGROUP">domain 
-admin group</ulink> smb.conf parameters for information of creating a Domain Admins 
+in a short space), you should refer to the <ulink url="smb.conf.5.html#DOMAINADMINGROUP">domain 
+admin group</ulink> smb.conf parameter for information of creating "Domain Admins"
 style accounts.
 </para>
 
@@ -281,7 +281,7 @@ to the Domain</title>
 A machine trust account is a samba user account owned by a computer.  
 The account password acts as the shared secret for secure 
 communication with the Domain Controller.  This is a security feature
-to prevent an unauthorized machine with the same netbios name from 
+to prevent an unauthorized machine with the same NetBIOS name from 
 joining the domain and gaining access to domain user/group accounts.  
 Hence a Windows 9x host is never a true member of a domain because it does 
 not posses a machine trust account, and thus has no shared secret with the DC.
@@ -310,7 +310,7 @@ There are two means of creating machine trust accounts.
 	<listitem><para>
 	Manual creation before joining the client to the domain.  In this case, 
 	the password is set to a known value -- the lower case of the 
-	machine's netbios name.
+	machine's NetBIOS name.
 	</para></listitem>
 	
 	<listitem><para>
@@ -333,8 +333,11 @@ based Samba server:
 </para>
 
 <para>
-<prompt>root# </prompt>/usr/sbin/useradd -g 100 -d /dev/null -c <replaceable>
-machine_nickname</replaceable> -m -s /bin/false <replaceable>machine_name</replaceable>$
+<prompt>root# </prompt>/usr/sbin/useradd -g 100 -d /dev/null -c <replaceable>"machine 
+nickname"</replaceable> -s /bin/false <replaceable>machine_name</replaceable>$ 
+</para>
+<para>
+<prompt>root# </prompt>passwd -l <replaceable>machine_name</replaceable>$
 </para>
 
 <para>
@@ -351,7 +354,7 @@ doppy$:x:505:501:<replaceable>machine_nickname</replaceable>:/dev/null:/bin/fals
 <para>
 Above, <replaceable>machine_nickname</replaceable> can be any descriptive name for the
 pc i.e. BasementComputer. The <replaceable>machine_name</replaceable> absolutely must be 
-the netbios name of the pc to be added to the domain.  The "$" must append the netbios
+the NetBIOS name of the pc to be added to the domain.  The "$" must append the NetBIOS
 name of the pc or samba will not recognize this as a machine account
 </para>
 
@@ -369,7 +372,7 @@ as shown here:
 </para>
 
 <para>
-where <replaceable>machine_name</replaceable> is the machine's netbios
+where <replaceable>machine_name</replaceable> is the machine's NetBIOS
 name. 
 </para>
 
@@ -382,7 +385,7 @@ name.
 	the "Server Manager".  From the time at which the account is created
 	to the time which th client joins the domain and changes the password,
 	your domain is vulnerable to an intruder joining your domain using a
-	a machine with the same netbios name.  A PDC inherently trusts
+	a machine with the same NetBIOS name.  A PDC inherently trusts
 	members of the domain and will serve out a large degree of user 
 	information to such clients.  You have been warned!
 	</para>
@@ -409,7 +412,7 @@ add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
 In Samba 2.2.1, <emphasis>only the root account</emphasis> can be used to create
 machine accounts like this.  Therefore, it is required to create 
 an entry in smbpasswd for <emphasis>root</emphasis>.  The password 
-<emphasis>SHOULD</emphasis> be set to s different password that the 
+<emphasis>SHOULD</emphasis> be set to a different password that the 
 associated <filename>/etc/passwd</filename> entry for security reasons.
 </para>
 </sect2>
@@ -519,8 +522,8 @@ associated <filename>/etc/passwd</filename> entry for security reasons.
 	have not been created correctly. Make sure that you have the entry 
 	correct for the machine account in smbpasswd file on the Samba PDC. 
 	If you added the account using an editor rather than using the smbpasswd 
-	utility, make sure that the account name is the machine netbios name 
-	with a '$' appended to it ( ie. computer_name$ ). There must be an entry 
+	utility, make sure that the account name is the machine NetBIOS name 
+	with a '$' appended to it ( i.e. computer_name$ ). There must be an entry 
 	in both /etc/passwd and the smbpasswd file. Some people have reported 
 	that inconsistent subnet masks between the Samba server and the NT 
 	client have caused this problem.   Make sure that these are consistent 
@@ -543,7 +546,7 @@ associated <filename>/etc/passwd</filename> entry for security reasons.
  
 	<para>
 	At first be ensure to enable the useraccounts with <command>smbpasswd -e 
-	%user%</command>, this is normaly done, when you create an account.
+	%user%</command>, this is normally done, when you create an account.
 	</para>
 
 	<para>
@@ -619,7 +622,7 @@ Here are some additional details:
 	<para>
 	The Windows NT policy editor is also included with the Service Pack 3 (and 
 	later) for Windows NT 4.0. Extract the files using <command>servicepackname /x</command>, 
-	ie thats <command>Nt4sp6ai.exe /x</command> for service pack 6a.  The policy editor, 
+	i.e. that's <command>Nt4sp6ai.exe /x</command> for service pack 6a.  The policy editor, 
 	<command>poledit.exe</command> and the associated template files (*.adm) should
 	be extracted as well.  It is also possible to downloaded the policy template 
 	files for Office97 and get a copy of the policy editor.  Another possible 
@@ -715,7 +718,7 @@ general SMB topics such as browsing.</para>
 
    <para>
 	One of the best diagnostic tools for debugging problems is Samba itself.  
-	You can use the -d option for both smbd and nmbd to specifiy what 
+	You can use the -d option for both smbd and nmbd to specify what 
 	'debug level' at which to run.  See the man pages on smbd, nmbd  and 
 	smb.conf for more information on debugging options.  The debug 
 	level can range from 1 (the default) to 10 (100 for debugging passwords).
@@ -758,7 +761,7 @@ general SMB topics such as browsing.</para>
 	(aka. netmon) is available on the Microsoft Developer Network CD's, 
 	the Windows NT Server install CD and the SMS CD's.  The version of 
 	netmon that ships with SMS allows for dumping packets between any two 
-	computers (ie. placing the network interface in promiscuous mode).  
+	computers (i.e. placing the network interface in promiscuous mode).  
 	The version on the NT Server install CD will only allow monitoring 
 	of network traffic directed to the local NT box and broadcasts on the 
 	local subnet.  Be aware that Ethereal can read and write netmon 
@@ -934,7 +937,7 @@ general SMB topics such as browsing.</para>
 		</para></listitem> 
 
 	<listitem><para> Don't cross post. Work out which is the best list to post to 
-		and see what happens, ie don't post to both samba-ntdom and samba-technical.
+		and see what happens, i.e. don't post to both samba-ntdom and samba-technical.
         Many people active on the lists subscribe to more 
 		than one list and get annoyed to see the same message two or more times. 
 		Often someone will see a message and thinking it would be better dealt 
@@ -1026,7 +1029,7 @@ When an SMB client in a domain wishes to logon it broadcast requests for a
 logon server.  The first one to reply gets the job, and validates its
 password using whatever mechanism the Samba administrator has installed.
 It is possible (but very stupid) to create a domain where the user
-database is not shared between servers, ie they are effectively workgroup
+database is not shared between servers, i.e. they are effectively workgroup
 servers advertising themselves as participating in a domain.  This
 demonstrates how authentication is quite different from but closely
 involved with domains.
@@ -1124,7 +1127,7 @@ at how a Win9X client performs a logon:
 <listitem>
 	<para>
 	The client then connects to the user's home share and searches for the 
-	user's profile. As it turns out, you can specify the users home share as
+	user's profile. As it turns out, you can specify the user's home share as
 	a sharename and path. For example, \\server\fred\.profile.
 	If the profiles are found, they are implemented.
 	</para>
@@ -1229,7 +1232,7 @@ logon script = scripts\%U.bat
 
 <listitem>
 	<para>
-	you will probabaly find that your clients automatically mount the
+	you will probably find that your clients automatically mount the
 	\\SERVER\NETLOGON share as drive z: while logging in. You can put
 	some useful programs there to execute from the batch files.
 	</para>
@@ -1255,7 +1258,7 @@ or not Samba must be the domain master browser for its workgroup
 when operating as a DC.  While it may technically be possible
 to configure a server as such (after all, browsing and domain logons
 are two distinctly different functions), it is not a good idea to
-so.  You should remember that the DC must register the DOMAIN#1b netbios 
+so.  You should remember that the DC must register the DOMAIN#1b NetBIOS 
 name.  This is the name used by Windows clients to locate the DC.
 Windows clients do not distinguish between the DC and the DMB.
 For this reason, it is very wise to configure the Samba DC as the DMB.
@@ -1302,7 +1305,7 @@ Win9X and WinNT clients implement these features.
 <para>
 Win9X clients send a NetUserGetInfo request to the server to get the user's
 profiles location. However, the response does not have room for a separate 
-profiles location field, only the users home share. This means that Win9X 
+profiles location field, only the user's home share. This means that Win9X 
 profiles are restricted to being in the user's home directory.
 </para>
 
@@ -1414,7 +1417,7 @@ as are folders "Start Menu", "Desktop", "Programs" and "Nethood".
 These directories and their contents will be merged with the local
 versions stored in c:\windows\profiles\username on subsequent logins,
 taking the most recent from each.  You will need to use the [global]
-options "preserve case = yes", "short case preserve = yes" and
+options "preserve case = yes", "short preserve case = yes" and
 "case sensitive = no" in order to maintain capital letters in shortcuts
 in any of the profile folders.
 </para>
@@ -1551,7 +1554,7 @@ they will be told that they are logging in "for the first time".
 
 <listitem>
 	<para>
-	search for the user's .PWL password-cacheing file in the c:\windows
+	search for the user's .PWL password-caching file in the c:\windows
 	directory, and delete it.
 	</para>
 </listitem>
@@ -1654,11 +1657,11 @@ matter to be resolved].
 </para>
 
 <para>
-[lkcl 20aug97 - after samba digest correspondance, one user found, and
+[lkcl 20aug97 - after samba digest correspondence, one user found, and
 another confirmed, that profiles cannot be loaded from a samba server
 unless "security = user" and "encrypt passwords = yes" (see the file
 ENCRYPTION.txt) or "security = server" and "password server = ip.address.
-of.yourNTserver" are used.  either of these options will allow the NT
+of.yourNTserver" are used.  Either of these options will allow the NT
 workstation to access the samba server using LAN manager encrypted
 passwords, without the user intervention normally required by NT
 workstation for clear-text passwords].
@@ -1843,7 +1846,7 @@ plain Servers.
 <para>
 The User database is called the SAM (Security Access Manager) database and
 is used for all user authentication as well as for authentication of inter-
-process authentication (ie: to ensure that the service action a user has
+process authentication (i.e. to ensure that the service action a user has
 requested is permitted within the limits of that user's privileges).
 </para>
 
@@ -1858,7 +1861,7 @@ to Samba systems.
 <para>
 Windows for Workgroups, Windows 95, and Windows NT Workstations and Servers
 can participate in a Domain security system that is controlled by Windows NT
-servers that have been correctly configured. At most every domain will have
+servers that have been correctly configured. Almost every domain will have
 ONE Primary Domain Controller (PDC). It is desirable that each domain will
 have at least one Backup Domain Controller (BDC).
 </para>