author: Jelmer Vernooij <jelmer@samba.org> 2002-08-17 14:15:33 +0000
committer: Jelmer Vernooij <jelmer@samba.org> 2002-08-17 14:15:33 +0000
commit: 21d26afb2af6ae34219a4286eb7a8896d7e04a3a
tree: b114286c87c513c83a66104591bbdee5520608c8 /docs/docbook
parent: 592dd249579511f7ce863a42030d9a51ca026c27
sync 3_0 branch with HEAD
(This used to be commit 19ab776bf9c91cf4e56887fd7a63d3253b7e36ef)
Diffstat (limited to 'docs/docbook')
-rw-r--r-- docs/docbook/Makefile.in | 4
-rw-r--r-- docs/docbook/manpages/smb.conf.5.sgml | 54
-rw-r--r-- docs/docbook/manpages/smbcontrol.1.sgml | 54
-rw-r--r-- docs/docbook/projdoc/Samba-LDAP-HOWTO.sgml | 2
-rw-r--r-- docs/docbook/projdoc/Samba-PDC-HOWTO.sgml | 2
-rw-r--r-- docs/docbook/projdoc/samba-doc.sgml | 16
-rw-r--r-- docs/docbook/projdoc/winbind.sgml | 192
7 files changed, 288 insertions, 36 deletions
diff --git a/docs/docbook/Makefile.in b/docs/docbook/Makefile.in
index 0a21b73f6f..0320081876 100644
--- a/docs/docbook/Makefile.in
+++ b/docs/docbook/Makefile.in
@@ -61,7 +61,9 @@ HOWTOSRC=projdoc/DOMAIN_MEMBER.sgml projdoc/NT_Security.sgml \
projdoc/Samba-PDC-HOWTO.sgml projdoc/ENCRYPTION.sgml \
projdoc/CVS-Access.sgml projdoc/Integrating-with-Windows.sgml \
projdoc/PAM-Authentication-And-Samba.sgml projdoc/Samba-LDAP-HOWTO.sgml \
- projdoc/Samba-BDC-HOWTO.sgml
+ projdoc/Samba-BDC-HOWTO.sgml projdoc/Printing.sgml projdoc/Diagnosis.sgml \
+ projdoc/security_level.sgml projdoc/Browsing.sgml projdoc/Bugs.sgml \
+ projdoc/Speed.sgml
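Review bot: the six sources added to HOWTOSRC here (Printing.sgml, Diagnosis.sgml, security_level.sgml, Browsing.sgml, Bugs.sgml, Speed.sgml) are not among the seven files in this commit's diffstat, so the build relies on them already being present under projdoc/ on this branch. Please confirm they are, otherwise the HOWTO targets will fail on a missing input.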
diff --git a/docs/docbook/manpages/smb.conf.5.sgml b/docs/docbook/manpages/smb.conf.5.sgml
index 641e36f57a..1e713147c9 100644
--- a/docs/docbook/manpages/smb.conf.5.sgml
+++ b/docs/docbook/manpages/smb.conf.5.sgml
@@ -728,7 +728,7 @@
<listitem><para><link linkend="SOCKETADDRESS"><parameter>socket address</parameter></link></para></listitem>
<listitem><para><link linkend="SOCKETOPTIONS"><parameter>socket options</parameter></link></para></listitem>
<listitem><para><link linkend="SOURCEENVIRONMENT"><parameter>source environment</parameter></link></para></listitem>
-
+ <listitem><para><link linkend="SPNEGO"><parameter>use spnego</parameter></link></para></listitem>
<listitem><para><link linkend="STATCACHE"><parameter>stat cache</parameter></link></para></listitem>
<listitem><para><link linkend="STATCACHESIZE"><parameter>stat cache size</parameter></link></para></listitem>
<listitem><para><link linkend="STRIPDOT"><parameter>strip dot</parameter></link></para></listitem>
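Review bot: the new index entry is filed by its anchor id (SPNEGO) rather than by the parameter name, so "use spnego" lands between "source environment" and "stat cache" in a list that readers scan alphabetically. Move the entry to the "u" block, and consider an anchor id that matches the parameter name (for example USESPNEGO) so the index and the entry sort the same way.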
@@ -1102,7 +1102,13 @@
%u</command></para>
</listitem>
</varlistentry>
+<varlistentry><term><anchor id="ADDGROUPSCRIPT">add group script (G)</term>
+<listitem><para>This is the full pathname to a script that will
+ be run <emphasis>AS ROOT</emphasis> by <ulink url="smbd.8.html">smbd(8) when a new group is requested. It will expand any <parameter>%g</parameter> to the group name passed. This script is only useful for installations using the Windows NT domain administration tools.
+ </ulink>
+</para></listitem>
+</varlistentry>
<varlistentry>
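Review bot: in the new add group script entry the ulink opened before "smbd(8)" is not closed until the "</ulink>" on the following line, so the rest of the paragraph becomes link text; close it directly after smbd(8). Because the script runs as root with %g taken from a client request, the entry should also say that the script must be root-owned and not writable by others and must treat the expanded group name as untrusted input. The entry has no Default or Example line, and the only index hunk in this patch (@@ -728) adds no link for ADDGROUPSCRIPT.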
@@ -1910,6 +1916,7 @@
<para>This script is called when a remote client removes a user
from the server, normally using 'User Manager for Domains' or
<command>rpcclient</command>.
+ </para>
<para>This script should delete the given UNIX username.
</para>
@@ -2762,6 +2769,10 @@
<command>su -</command> command) and trying to print using the
system print command such as <command>lpr(1)</command> or <command>
lp(1)</command>.</para>
+
+ <para>This paramater does not accept % marcos, becouse
+ many parts of the system require this value to be
+ constant for correct operation</para>
<para>Default: <emphasis>specified at compile time, usually
"nobody"</emphasis></para>
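Review bot: the added paragraph has three misspellings and no closing full stop: "paramater", "marcos" and "becouse" should be "parameter", "macros" and "because", and the sentence should end with a period before </para>. It would also help to name one of the parts of the system that needs the value to be constant, so the restriction does not read as arbitrary.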
@@ -3281,10 +3292,9 @@
<varlistentry>
<term><anchor id="LDAPADMINDN">ldap admin dn (G)</term>
- <para>
- The <parameter>ldap admin dn</parameter> defines the Distinguished
- Name (DN) name used by Samba to contact the <link linkend="LDAPSERVER">ldap
- server</link> when retreiving user account information. The <parameter>ldap
+ <listitem><para> The <parameter>ldap admin dn</parameter> defines the Distinguished
+ Name (DN) name used by Samba to contact the ldap server when retreiving
+ user account information. The <parameter>ldap
admin dn</parameter> is used in conjunction with the admin dn password
stored in the <filename>private/secrets.tdb</filename> file. See the
<ulink url="smbpasswd.8.html"><command>smbpasswd(8)</command></ulink> man
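Review bot: the rewritten first sentence of ldap admin dn drops the link to LDAPSERVER that the removed lines carried, and keeps the misspelling "retreiving" and the redundant "Distinguished Name (DN) name" on lines the patch touches anyway. Restore the cross-reference unless its target has been removed, and fix the wording while here.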
@@ -3301,8 +3311,7 @@
<varlistentry>
<term><anchor id="LDAPFILTER">ldap filter (G)</term>
- <para>
- This parameter specifies the RFC 2254 compliant LDAP search filter.
+ <listitem><para>This parameter specifies the RFC 2254 compliant LDAP search filter.
The default is to match the login name with the <constant>uid</constant>
attribute for all entries matching the <constant>sambaAccount</constant>
objectclass. Note that this filter should only return one entry.
@@ -3316,10 +3325,9 @@
<varlistentry>
<term><anchor id="LDAPSSL">ldap ssl (G)</term>
- <para>
- This option is used to define whether or not Samba should
- use SSL when connecting to the <link linkend="LDAPSERVER"><parameter>ldap
- server</parameter></link>. This is <emphasis>NOT</emphasis> related to
+ <listitem><para>This option is used to define whether or not Samba should
+ use SSL when connecting to the ldap server
+ This is <emphasis>NOT</emphasis> related to
Samba's previous SSL support which was enabled by specifying the
<command>--with-ssl</command> option to the <filename>configure</filename>
script.
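Review bot: the new line "use SSL when connecting to the ldap server" has lost the full stop that ended the sentence in the removed text, so it now runs straight into "This is NOT related to ...". Add the period. The LDAPSERVER cross-reference is also dropped in this hunk; restore it unless the target no longer exists.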
@@ -3365,7 +3373,7 @@
<varlistentry>
- <term><anchor id="LDAPSUFFIX">ldap machine suffix (G)</term>
+ <term><anchor id="LDAPMACHINESUFFIX">ldap machine suffix (G)</term>
<listitem><para>It specifies where machines should be
added to the ldap tree.
</para>
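Review bot: the anchor rename from LDAPSUFFIX to LDAPMACHINESUFFIX changes a link target, and the only index hunk in this patch (@@ -728) adds no link for the new id. Any existing linkend="LDAPSUFFIX" that was meant for this entry will now resolve elsewhere, so please check the parameter index and cross-references and add an entry for LDAPMACHINESUFFIX.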
@@ -3606,15 +3614,18 @@
<varlistentry>
<term><anchor id="LOGLEVEL">log level (G)</term>
- <listitem><para>The value of the parameter (an integer) allows
+ <listitem><para>The value of the parameter (a astring) allows
the debug level (logging level) to be specified in the
- <filename>smb.conf</filename> file. This is to give greater
+ <filename>smb.conf</filename> file. This parameter has been
+ extended since 2.2.x series, now it allow to specify the debug
+ level for multiple debug classes. This is to give greater
flexibility in the configuration of the system.</para>
<para>The default will be the log level specified on
the command line or level zero if none was specified.</para>
- <para>Example: <command>log level = 3</command></para></listitem>
+ <para>Example: <command>log level = 3 passdb:5 auth:10 winbind:2
+ </command></para></listitem>
</varlistentry>
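Review bot: the added text has "a astring" and "now it allow to specify", which should read "a string" and "it now allows specifying". Since the value is no longer a plain integer, the entry should also state the syntax (a global level followed by class:level pairs, as in the example) and list or point to the valid debug class names; the example shows passdb, auth and winbind but the reader cannot tell what else is accepted.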
@@ -6959,7 +6970,12 @@
/usr/local/smb_env_vars</command></para>
</listitem>
</varlistentry>
-
+<varlistentry>
+<term><anchor id="SPNEGO">use spnego (G)</term>
+<listitem><para> This variable controls controls whether samba will try to use Simple and Protected NEGOciation (as specified by rfc2478) with WindowsXP and Windows2000sp2 clients to agree upon an authentication mechanism. As of samba 3.0alpha it must be set to "no" for these clients to join a samba domain controller. It can be set to "yes" to allow samba to participate in an AD domain controlled by a Windows2000 domain controller.</para>
+<para>Default: <emphasis>use spnego = yes</emphasis></para>
+</listitem>
+</varlistentry>
<varlistentry>
<term><anchor id="STATCACHE">stat cache (G)</term>
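Review bot: the use spnego description says the option must be set to "no" for WindowsXP and Windows2000sp2 clients to join a samba domain controller, yet the documented default is "yes", so by this text a domain controller left at the default will not accept those joins. State that consequence explicitly and tell domain controller administrators to override the default. Also "controls controls" is duplicated, and the anchor id SPNEGO does not match the parameter name.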
@@ -7570,6 +7586,12 @@
connection is made to a Samba server. Sites may use this to record the
user connecting to a Samba share.</para>
+ <para>Due to the requirements of the utmp record, we
+ are required to create a unique identifier for the
+ incoming user. Enabling this option creates an n^2
+ algorithm to find this number. This may impede
+ performance on large installations. </para>
+
<para>See also the <link linkend="UTMPDIRECTORY"><parameter>
utmp directory</parameter></link> parameter.</para>
diff --git a/docs/docbook/manpages/smbcontrol.1.sgml b/docs/docbook/manpages/smbcontrol.1.sgml
index 517e2ca41f..9a6f31b336 100644
--- a/docs/docbook/manpages/smbcontrol.1.sgml
+++ b/docs/docbook/manpages/smbcontrol.1.sgml
@@ -76,7 +76,7 @@
<constant>force-election</constant>, <constant>ping
</constant>, <constant>profile</constant>, <constant>
debuglevel</constant>, <constant>profilelevel</constant>,
- or <constant>printer-notify</constant>.</para>
+ or <constant>printnotify</constant>.</para>
<para>The <constant>close-share</constant> message-type sends a
message to smbd which will then close the client connections to
@@ -119,11 +119,55 @@
setting is returned by a "profilelevel" message. This can be sent
to any smbd or nmbd destinations.</para>
- <para>The <constant>printer-notify</constant> message-type sends a
+ <para>The <constant>printnotify</constant> message-type sends a
message to smbd which in turn sends a printer notify message to
- any Windows NT clients connected to a printer. This message-type
- takes an argument of the printer name to send notify messages to.
- This message can only be sent to <constant>smbd</constant>.</para>
+ any Windows NT clients connected to a printer. This message-type
+ takes the following arguments:
+
+ <variablelist>
+
+ <varlistentry>
+ <term>queuepause printername</term>
+ <listitem><para>Send a queue pause change notify
+ message to the printer specified.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>queueresume printername</term>
+ <listitem><para>Send a queue resume change notify
+ message for the printer specified.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>jobpause printername unixjobid</term>
+ <listitem><para>Send a job pause change notify
+ message for the printer and unix jobid
+ specified.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>jobresume printername unixjobid</term>
+ <listitem><para>Send a job resume change notify
+ message for the printer and unix jobid
+ specified.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>jobdelete printername unixjobid</term>
+ <listitem><para>Send a job delete change notify
+ message for the printer and unix jobid
+ specified.</para></listitem>
+ </varlistentry>
+
+ </variablelist>
+
+ Note that this message only sends notification that an
+ event has occured. It doesn't actually cause the
+ event to happen.
+
+ This message can only be sent to <constant>smbd</constant>.
+ </para>
+
</listitem>
</varlistentry>
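Review bot: the closing text of the printnotify description ("Note that this message only sends notification ..." and "This message can only be sent to smbd.") sits after </variablelist> inside the same <para>, so the blank line between the two sentences is not a paragraph break and they render as one run of text. Close the <para> before the <variablelist> and give each sentence its own <para>. "occured" should be "occurred", and queuepause says "to the printer specified" where the other four entries say "for".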
diff --git a/docs/docbook/projdoc/Samba-LDAP-HOWTO.sgml b/docs/docbook/projdoc/Samba-LDAP-HOWTO.sgml
index c6c04ccab8..a66df0c767 100644
--- a/docs/docbook/projdoc/Samba-LDAP-HOWTO.sgml
+++ b/docs/docbook/projdoc/Samba-LDAP-HOWTO.sgml
@@ -326,7 +326,7 @@ use with an LDAP directory could appear as
ldap suffix = "ou=people,dc=samba,dc=org"
# generally the default ldap search filter is ok
- # ldap filter = "(&(uid=%u)(objectclass=sambaAccount))"
+ # ldap filter = "(&amp;(uid=%u)(objectclass=sambaAccount))"
</programlisting></para>
diff --git a/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml
index 475b66598c..5b21e0a535 100644
--- a/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml
+++ b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml
@@ -1652,7 +1652,7 @@ I think this is all bogus, but have not deleted it. (Richard Sharpe)
</warning>
<para>
-The default logon path is \\%N\U%. NT Workstation will attempt to create
+The default logon path is \\%N\%U. NT Workstation will attempt to create
a directory "\\samba-server\username.PDS" if you specify the logon path
as "\\samba-server\username" with the NT User Manager. Therefore, you
will need to specify (for example) "\\samba-server\username\profile".
diff --git a/docs/docbook/projdoc/samba-doc.sgml b/docs/docbook/projdoc/samba-doc.sgml
index 28baa7f609..0ec9efe014 100644
--- a/docs/docbook/projdoc/samba-doc.sgml
+++ b/docs/docbook/projdoc/samba-doc.sgml
@@ -13,6 +13,12 @@
<!ENTITY IntegratingWithWindows SYSTEM "Integrating-with-Windows.sgml">
<!ENTITY Samba-PAM SYSTEM "PAM-Authentication-And-Samba.sgml">
<!ENTITY Samba-LDAP SYSTEM "Samba-LDAP-HOWTO.sgml">
+<!ENTITY Diagnosis SYSTEM "Diagnosis.sgml">
+<!ENTITY PRINTING SYSTEM "Printing.sgml">
+<!ENTITY BUGS SYSTEM "Bugs.sgml">
+<!ENTITY SECURITY-LEVEL SYSTEM "security_level.sgml">
+<!ENTITY SPEED SYSTEM "Speed.sgml">
+<!ENTITY BROWSING SYSTEM "Browsing.sgml">
<!ENTITY INDEX-FILE SYSTEM "index.sgml">
]>
@@ -31,7 +37,7 @@
<title>Abstract</title>
<para>
-<emphasis>Last Update</emphasis> : Mon Apr 1 08:47:26 CST 2002
+<emphasis>Last Update</emphasis> : Thu Aug 15 12:48:45 CDT 2002
</para>
<para>
@@ -58,18 +64,24 @@ Cheers, jerry
<!-- Chapters -->
&UNIX-INSTALL;
+&Diagnosis;
&IntegratingWithWindows;
&Samba-PAM;
&MS-Dfs-Setup;
&NT-Security;
&PRINTER-DRIVER2;
+&PRINTING;
+&SECURITY-LEVEL;
&DOMAIN-MEMBER;
+&WINBIND;
&Samba-PDC-HOWTO;
&Samba-BDC-HOWTO;
&Samba-LDAP;
-&WINBIND;
+&BROWSING;
+&SPEED;
&OS2-Client;
&CVS-Access;
+&BUGS;
<!-- Autogenerated Index -->
&INDEX-FILE;
diff --git a/docs/docbook/projdoc/winbind.sgml b/docs/docbook/projdoc/winbind.sgml
index 62e065914b..d70c1a3679 100644
--- a/docs/docbook/projdoc/winbind.sgml
+++ b/docs/docbook/projdoc/winbind.sgml
@@ -23,9 +23,19 @@
<address><email>jtrostel@snapserver.com</email></address>
</affiliation>
</author>
-
-
- <pubdate>16 Oct 2000</pubdate>
+ <author>
+ <firstname>Naag</firstname><surname>Mummaneni</surname>
+ <affiliation>
+ <address><email>getnag@rediffmail.com</email></address>
+ </affiliation>
+ </author>
+ <author>
+ <firstname>Jelmer</firstname><surname>Vernooij</surname>
+ <affiliation>
+ <address><email>jelmer@nl.linux.org</email></address>
+ </affiliation>
+ </author>
+ <pubdate>27 June 2002</pubdate>
</chapterinfo>
<title>Unified Logons between Windows NT and UNIX using Winbind</title>
@@ -489,6 +499,13 @@ I also found it necessary to make the following symbolic link:
<prompt>root#</prompt> <command>ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2</command>
</para>
+<para>And, in the case of Sun solaris:</para>
+<para>
+<prompt>root#</prompt> <command>ln -s /usr/lib/libnss_winbind.so /usr/lib/libnss_winbind.so.1</command>
+<prompt>root#</prompt> <command>ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.1</command>
+<prompt>root#</prompt> <command>ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.2</command>
+</para>
+
<para>
Now, as root you need to edit <filename>/etc/nsswitch.conf</filename> to
allow user and group entries to be visible from the <command>winbindd</command>
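Review bot: the three Solaris ln -s commands share one <para>, so the line breaks between them are collapsed and they render as a single line of prompts and commands. Put them in a <programlisting> or give each its own <para>. The text should also say why libnss_winbind.so.1, nss_winbind.so.1 and nss_winbind.so.2 are all needed, and "Sun solaris" should be "Sun Solaris".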
@@ -682,14 +699,18 @@ The same thing can be done for groups with the command
<sect3>
-<title>Fix the <filename>/etc/rc.d/init.d/smb</filename> startup files</title>
+<title>Fix the init.d startup scripts</title>
+
+<sect4>
+<title>Linux</title>
<para>
The <command>winbindd</command> daemon needs to start up after the
<command>smbd</command> and <command>nmbd</command> daemons are running.
-To accomplish this task, you need to modify the <filename>/etc/init.d/smb</filename>
+To accomplish this task, you need to modify the startup scripts of your system. They are located at <filename>/etc/init.d/smb</filename> in RedHat and
+<filename>/etc/init.d/samba</filename> in Debian.
script to add commands to invoke this daemon in the proper sequence. My
-<filename>/etc/init.d/smb</filename> file starts up <command>smbd</command>,
+startup script starts up <command>smbd</command>,
<command>nmbd</command>, and <command>winbindd</command> from the
<filename>/usr/local/samba/bin</filename> directory directly. The 'start'
function in the script looks like this:
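Review bot: the replacement sentence ends at "in Debian." but the unchanged next line still begins "script to add commands to invoke this daemon in the proper sequence.", which is now a dangling fragment. Fold it into the new text, for example "... you need to modify the startup scripts of your system to invoke this daemon in the proper sequence. They are located at ...".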
@@ -744,18 +765,79 @@ stop() {
return $RETVAL
}
</programlisting></para>
+</sect4>
+
+<sect4>
+<title>Solaris</title>
+<para>On solaris, you need to modify the
+<filename>/etc/init.d/samba.server</filename> startup script. It usually
+only starts smbd and nmbd but should now start winbindd too. If you
+have samba installed in <filename>/usr/local/samba/bin</filename>,
+the file could contains something like this:
+</para>
+
+<para><programlisting>
+##
+## samba.server
+##
+
+if [ ! -d /usr/bin ]
+then # /usr not mounted
+ exit
+fi
+
+killproc() { # kill the named process(es)
+ pid=`/usr/bin/ps -e |
+ /usr/bin/grep -w $1 |
+ /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`
+ [ "$pid" != "" ] && kill $pid
+}
+
+# Start/stop processes required for samba server
+
+case "$1" in
+
+'start')
+#
+# Edit these lines to suit your installation (paths, workgroup, host)
+#
+echo Starting SMBD
+ /usr/local/samba/bin/smbd -D -s \
+ /usr/local/samba/smb.conf
+
+echo Starting NMBD
+ /usr/local/samba/bin/nmbd -D -l \
+ /usr/local/samba/var/log -s /usr/local/samba/smb.conf
+
+echo Starting Winbind Daemon
+ /usr/local/samba/bin/winbindd
+ ;;
+
+'stop')
+ killproc nmbd
+ killproc smbd
+ killproc winbindd
+ ;;
+
+*)
+ echo "Usage: /etc/init.d/samba.server { start | stop }"
+ ;;
+esac
+</programlisting></para>
+</sect4>
+
+<sect4>
+<title>Restarting</title>
<para>
If you restart the <command>smbd</command>, <command>nmbd</command>,
and <command>winbindd</command> daemons at this point, you
should be able to connect to the samba server as a domain member just as
if you were a local user.
</para>
-
+</sect4>
</sect3>
-
-
<sect3>
<title>Configure Winbind and PAM</title>
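Review bot: in the Solaris samba.server listing, the killproc line [ "$pid" != "" ] && kill $pid puts a raw "&&" inside <programlisting>; this same commit escapes "&" as "&amp;" in Samba-LDAP-HOWTO.sgml, so it needs "&amp;&amp;" here. killproc also selects pids with grep -w on an unquoted $1 over the whole of ps -e, which matches any line containing the word rather than the exact command name; in a script run as root, quote "$1" and match the command column exactly. The stop branch kills nmbd and smbd before winbindd although the text says winbindd is started after them, so stop winbindd first. "could contains" should be "could contain".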
@@ -781,13 +863,17 @@ by invoking the command
from the <filename>../source</filename> directory. The
<filename>pam_winbind.so</filename> file should be copied to the location of
your other pam security modules. On my RedHat system, this was the
-<filename>/lib/security</filename> directory.
+<filename>/lib/security</filename> directory. On Solaris, the pam security
+modules reside in <filename>/usr/lib/security</filename>.
</para>
<para>
<prompt>root#</prompt> <command>cp ../samba/source/nsswitch/pam_winbind.so /lib/security</command>
</para>
+<sect4>
+<title>Linux/FreeBSD-specific PAM configuration</title>
+
<para>
The <filename>/etc/pam.d/samba</filename> file does not need to be changed. I
just left this fileas it was:
@@ -875,6 +961,92 @@ line after the <command>winbind.so</command> line to get rid of annoying
double prompts for passwords.
</para>
+</sect4>
+
+<sect4>
+<title>Solaris-specific configuration</title>
+
+<para>
+The /etc/pam.conf needs to be changed. I changed this file so that my Domain
+users can logon both locally as well as telnet.The following are the changes
+that I made.You can customize the pam.conf file as per your requirements,but
+be sure of those changes because in the worst case it will leave your system
+nearly impossible to boot.
+</para>
+
+<para><programlisting>
+#
+#ident "@(#)pam.conf 1.14 99/09/16 SMI"
+#
+# Copyright (c) 1996-1999, Sun Microsystems, Inc.
+# All Rights Reserved.
+#
+# PAM configuration
+#
+# Authentication management
+#
+login auth required /usr/lib/security/pam_winbind.so
+login auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
+login auth required /usr/lib/security/$ISA/pam_dial_auth.so.1 try_first_pass
+#
+rlogin auth sufficient /usr/lib/security/pam_winbind.so
+rlogin auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1
+rlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
+#
+dtlogin auth sufficient /usr/lib/security/pam_winbind.so
+dtlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
+#
+rsh auth required /usr/lib/security/$ISA/pam_rhosts_auth.so.1
+other auth sufficient /usr/lib/security/pam_winbind.so
+other auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
+#
+# Account management
+#
+login account sufficient /usr/lib/security/pam_winbind.so
+login account requisite /usr/lib/security/$ISA/pam_roles.so.1
+login account required /usr/lib/security/$ISA/pam_unix.so.1
+#
+dtlogin account sufficient /usr/lib/security/pam_winbind.so
+dtlogin account requisite /usr/lib/security/$ISA/pam_roles.so.1
+dtlogin account required /usr/lib/security/$ISA/pam_unix.so.1
+#
+other account sufficient /usr/lib/security/pam_winbind.so
+other account requisite /usr/lib/security/$ISA/pam_roles.so.1
+other account required /usr/lib/security/$ISA/pam_unix.so.1
+#
+# Session management
+#
+other session required /usr/lib/security/$ISA/pam_unix.so.1
+#
+# Password management
+#
+#other password sufficient /usr/lib/security/pam_winbind.so
+other password required /usr/lib/security/$ISA/pam_unix.so.1
+dtsession auth required /usr/lib/security/$ISA/pam_unix.so.1
+#
+# Support for Kerberos V5 authentication (uncomment to use Kerberos)
+#
+#rlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
+#login auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
+#dtlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
+#other auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
+#dtlogin account optional /usr/lib/security/$ISA/pam_krb5.so.1
+#other account optional /usr/lib/security/$ISA/pam_krb5.so.1
+#other session optional /usr/lib/security/$ISA/pam_krb5.so.1
+#other password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
+</programlisting></para>
+
+<para>
+I also added a try_first_pass line after the winbind.so line to get rid of
+annoying double prompts for passwords.
+</para>
+
+<para>
+Now restart your Samba & try connecting through your application that you
+configured in the pam.conf.
+</para>
+
+</sect4>
</sect3>
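Review bot: in the Authentication management block the login service lists pam_winbind.so as "required" followed by a "required" pam_unix.so.1, while rlogin, dtlogin and other use "sufficient" for winbind. With both required, a login has to pass both modules, so a local account such as root cannot log in when winbindd is down or does not know the user, which is the lockout the introductory paragraph warns about. Make the login line "sufficient" like the others or explain why it differs. In the Account management block, "sufficient" pam_winbind.so ahead of pam_roles and pam_unix means those account checks are skipped whenever winbind succeeds; the text should say so. The closing paragraph about adding a try_first_pass line repeats the Linux section although the listing already carries try_first_pass, "Samba & try" needs "&amp;" or "and", and spaces are missing after the full stops in "telnet.The" and "made.You".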