large sync up with 2.2

(This used to be commit 96523293da19df201703fed6130f1ff9ba25324b)

1 files changed, 1252 insertions, 0 deletions

diff --git a/docs/htmldocs/Samba-PDC-HOWTO.html b/docs/htmldocs/Samba-PDC-HOWTO.html
new file mode 100644
index 0000000000..668f7f9aff
--- /dev/null
+++ b/docs/htmldocs/Samba-PDC-HOWTO.html
@@ -0,0 +1,1252 @@
+<HTML
+><HEAD
+><TITLE
+>How to Configure Samba 2.2.x as a Primary Domain Controller</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD
+><BODY
+CLASS="ARTICLE"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><DIV
+CLASS="ARTICLE"
+><DIV
+CLASS="TITLEPAGE"
+><H1
+CLASS="TITLE"
+><A
+NAME="AEN1"
+>How to Configure Samba 2.2.x as a Primary Domain Controller</A
+></H1
+><HR></DIV
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN3"
+>Background</A
+></H1
+><P
+><I
+CLASS="EMPHASIS"
+>Author's Note :</I
+> This document
+is a combination of David Bannon's Samba 2.2 PDC HOWTO
+and the Samba NT Domain FAQ. Both documents are superceeded by this one.</P
+><P
+>Version of Samba prior to release 2.2 had marginal capabilities to
+act as a Windows NT 4.0 Primary Domain Controller (PDC).  The following 
+functionality should work in 2.2.0:</P
+><P
+></P
+><UL
+><LI
+><P
+>domain logons for Windows NT 4.0/2000 clients</P
+></LI
+><LI
+><P
+>placing a Windows 9x client in user level security</P
+></LI
+><LI
+><P
+>retrieving a list of users and groups from a Samba PDC to
+	Windows 9x/NT/2000 clients </P
+></LI
+><LI
+><P
+>roving user profiles</P
+></LI
+><LI
+><P
+>Windows NT 4.0 style system policies</P
+></LI
+></UL
+><P
+>The following pieces of functionality are not included in the 2.2 release:</P
+><P
+></P
+><UL
+><LI
+><P
+>Windows NT 4 domain trusts</P
+></LI
+><LI
+><P
+>Sam replication with Windows NT 4.0 Domain Controllers
+	(i.e. a Samba PDC and a Windows NT BDC or vice versa) </P
+></LI
+><LI
+><P
+>Adding users via the User Manager for Domains</P
+></LI
+><LI
+><P
+>Acting as a Windows 2000 Domain Controller (i.e. Kerberos
+	and Active Directory)</P
+></LI
+></UL
+><P
+>Please note that Windows 9x clients are not true members of a domain
+for reasons outlined in this article.  Therefore the protocol for
+support Windows 9x style domain logons is completely different
+from NT4 domain logons and has been officially supported for some 
+time.</P
+><P
+>Beginning with Samba 2.2.0, we are proud to announce official 
+support for Windows NT 4.0 style domain logons from Windows NT
+4.0 and Windows 2000 (including SP1) clients.  This article 
+outlines the steps necessary for configuring Samba as a PDC.
+Note that it is necessary to have a working Samba server
+prior to implementing the PDC functionality.  If you have not 
+followed the steps outlined in <A
+HREF="UNIX_INSTALL.html"
+TARGET="_top"
+>UNIX_INSTALL.html</A
+>, please make sure that your server 
+is configured correctly before proceeding.  Another good 
+resource in the <A
+HREF="smb.conf.5.html"
+TARGET="_top"
+>smb.conf(5) man 
+page</A
+>.</P
+><P
+>Implementing a Samba PDC can basically be divided into 2 broad
+steps.</P
+><P
+></P
+><OL
+TYPE="1"
+><LI
+><P
+>Configuring the Samba Domain Controller
+	</P
+></LI
+><LI
+><P
+>Creating machine trust accounts
+	and joining clients to the domain</P
+></LI
+></OL
+><P
+>There are other minor details such as user profiles, system
+policies, etc...  However, these are not necessarily specific
+to a Samba PDC as much as they are related to Windows NT networking
+concepts.  They will be mentioned only briefly here.</P
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN40"
+>Configuring the Samba Domain Controller</A
+></H1
+><P
+>The first step in creating a working Samba PDC is to 
+understand the parameters necessary in smb.conf.  I will not
+attempt to re-explain the parameters here as they are more that
+adequately covered in <A
+HREF="smb.conf.5.html"
+TARGET="_top"
+> the smb.conf
+man page</A
+>.  For convenience, the parameters have been
+linked with the actual smb.conf description.</P
+><P
+>Here is an example smb.conf for acting as a PDC:</P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+>[global]
+    ; Basic server settings
+    <A
+HREF="smb.conf.5.html#NETBIOSNAME"
+TARGET="_top"
+>netbios name</A
+> = <TT
+CLASS="REPLACEABLE"
+><I
+>POGO</I
+></TT
+>
+    <A
+HREF="smb.conf.5.html#WORKGROUP"
+TARGET="_top"
+>workgroup</A
+> = <TT
+CLASS="REPLACEABLE"
+><I
+>NARNIA</I
+></TT
+>
+
+    ; we should act as the domain and local master browser
+    <A
+HREF="smb.conf.5.html#OSLEVEL"
+TARGET="_top"
+>os level</A
+> = 64
+    <A
+HREF="smb.conf.5.html#PERFERREDMASTER"
+TARGET="_top"
+>preferred master</A
+> = yes
+    <A
+HREF="smb.conf.5.html#DOMAINMASTER"
+TARGET="_top"
+>domain master</A
+> = yes
+    <A
+HREF="smb.conf.5.html#LOCALMASTER"
+TARGET="_top"
+>local master</A
+> = yes
+    
+    ; security settings (must user security = user)
+    <A
+HREF="smb.conf.5.html#SECURITYEQUALSUSER"
+TARGET="_top"
+>security</A
+> = user
+    
+    ; encrypted passwords are a requirement for a PDC
+    <A
+HREF="smb.conf.5.html#ENCRYPTPASSWORDS"
+TARGET="_top"
+>encrypt passwords</A
+> = yes
+    
+    ; support domain logons
+    <A
+HREF="smb.conf.5.html#DOMAINLOGONS"
+TARGET="_top"
+>domain logons</A
+> = yes
+    
+    ; where to store user profiles?
+    <A
+HREF="smb.conf.5.html#LOGONPATH"
+TARGET="_top"
+>logon path</A
+> = \\%N\profiles\%u
+    
+    ; where is a user's home directory and where should it
+    ; be mounted at?
+    <A
+HREF="smb.conf.5.html#LOGONDRIVE"
+TARGET="_top"
+>logon drive</A
+> = H:
+    <A
+HREF="smb.conf.5.html#LOGONHOME"
+TARGET="_top"
+>logon home</A
+> = \\homeserver\%u
+    
+    ; specify a generic logon script for all users
+    ; this is a relative path to the [netlogon] share
+    <A
+HREF="smb.conf.5.html#LOGONSCRIPT"
+TARGET="_top"
+>logon script</A
+> = logon.cmd
+
+; necessary share for domain controller
+[netlogon]
+    <A
+HREF="smb.conf.5.html#PATH"
+TARGET="_top"
+>path</A
+> = /usr/local/samba/lib/netlogon
+    <A
+HREF="smb.conf.5.html#WRITEABLE"
+TARGET="_top"
+>writeable</A
+> = no
+    <A
+HREF="smb.conf.5.html#WRITELIST"
+TARGET="_top"
+>write list</A
+> = <TT
+CLASS="REPLACEABLE"
+><I
+>ntadmin</I
+></TT
+>
+    
+; share for storing user profiles
+[profiles]
+    <A
+HREF="smb.conf.5.html#PATH"
+TARGET="_top"
+>path</A
+> = /export/smb/ntprofile
+    <A
+HREF="smb.conf.5.html#WRITEABLE"
+TARGET="_top"
+>writeable</A
+> = yes
+    <A
+HREF="smb.conf.5.html#CREATEMASK"
+TARGET="_top"
+>create mask</A
+> = 0600
+    <A
+HREF="smb.conf.5.html#DIRECTORYMASK"
+TARGET="_top"
+>directory mask</A
+> = 0700</PRE
+></P
+><P
+>There are a couple of points to emphasize in the above
+configuration.</P
+><P
+></P
+><UL
+><LI
+><P
+>encrypted passwords must be enabled.
+	For more details on how to do this, refer to 
+	<A
+HREF="ENCRYPTION.html"
+TARGET="_top"
+>ENCRYPTION.html</A
+>.
+	</P
+></LI
+><LI
+><P
+>The server must support domain logons
+	and a <TT
+CLASS="FILENAME"
+>[netlogon]</TT
+> share</P
+></LI
+><LI
+><P
+>The server must be the domain master browser
+	in order for Windows client to locate the server as a DC.</P
+></LI
+></UL
+><P
+>As Samba 2.2 does not offer a complete implementation of group mapping between 
+Windows NT groups and UNIX groups (this is really quite complicated to explain 
+in a short space), you should refer to the <A
+HREF="smb.conf.5.html#DOMAINADMONUSERS"
+TARGET="_top"
+>domain 
+admin users</A
+> and <A
+HREF="smb.conf.5.html#DOMAINADMINGROUP"
+TARGET="_top"
+>domain 
+admin group</A
+> smb.conf parameters for information of creating a Domain Admins 
+style accounts.</P
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN83"
+>Creating Machine Trust Accounts and Joining Clients 
+to the Domain</A
+></H1
+><P
+>First you must understand what a machine trust account is and what 
+it is used for.</P
+><P
+>A machine trust account is a user account owned by a computer.  
+The account password acts as the shared secret for secure 
+communication with the Domain Controller.  Hence the reason that
+a Windows 9x host is never a true member of a domain because
+it does not posses a machine trust account and thus has no shared
+secret with the DC.</P
+><P
+>On a Windows NT PDC, these machine trust account passwords are stored
+in the registry.  A Samba PDC stores these accounts in he same location
+as user LanMan and NT password hashes (currently <TT
+CLASS="FILENAME"
+>smbpasswd</TT
+>).
+However, machine trust accounts only possess the NT password hash.</P
+><P
+>There are two means of creating machine trust accounts.</P
+><P
+></P
+><UL
+><LI
+><P
+>Manual creation before joining the client
+	to the domain.  In this case, the password is set to a known
+	value -- the lower case of the machine's netbios name.</P
+></LI
+><LI
+><P
+>Creation of the account at the time of 
+	joining the domain.  In this case, the session key of the 
+	administrative account used to join the client to the domain acts
+	as an encryption key for setting the password to a random value.</P
+></LI
+></UL
+><P
+>Because Samba requires machine accounts to possess a UNIX uid from
+which an Windows NT SID can be generated, all of these accounts
+will have an entry in <TT
+CLASS="FILENAME"
+>/etc/passwd</TT
+> and smbpasswd.  
+Future releases will alleviate the need to create 
+<TT
+CLASS="FILENAME"
+>/etc/passwd</TT
+> entries.</P
+><P
+>The <TT
+CLASS="FILENAME"
+>/etc/passwd</TT
+> entry will list the machine name 
+with a $ appended, won't have a passwd, will have a null shell and no 
+home directory. For example a machine called 'doppy' would have an 
+<TT
+CLASS="FILENAME"
+>/etc/passwd</TT
+> entry like this :</P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+>doppy$:x:505:501:NTMachine:/dev/null:/bin/false</PRE
+></P
+><P
+>If you are manually creating the machine accounts, it is necessary
+to add the <TT
+CLASS="FILENAME"
+>/etc/passwd</TT
+> (or NIS passwd
+map) entry prior to adding the <TT
+CLASS="FILENAME"
+>smbpasswd</TT
+>
+entry.  The following command will create a new machine account
+ready for use.</P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+> smbpasswd -a -m <TT
+CLASS="REPLACEABLE"
+><I
+>machine_name</I
+></TT
+></P
+><P
+>where <TT
+CLASS="REPLACEABLE"
+><I
+>machine_name</I
+></TT
+> is the machine's netbios
+name.</P
+><P
+><I
+CLASS="EMPHASIS"
+>If you manually create a machine account, immediately join
+the client to the domain.</I
+>  An open account like this
+can allow intruders to gain access to user account information
+in your domain.</P
+><P
+>The second way of creating machine trust accounts is to add
+them on the fly at the time the client is joined to the domain.
+You will need to include a value for the 
+<A
+HREF="smb.conf.5.html#ADDUSERSCRIPT"
+TARGET="_top"
+>add user script</A
+>
+parameter.  Below is an example I use on a RedHat 6.2 Linux system.</P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+>add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u </PRE
+></P
+><P
+>In Samba 2.2.0, <I
+CLASS="EMPHASIS"
+>only the root account</I
+> can be used to create
+machine accounts on the fly like this.  Therefore, it is required
+to create an entry in smbpasswd for <I
+CLASS="EMPHASIS"
+>root</I
+>.
+The password <I
+CLASS="EMPHASIS"
+>SHOULD</I
+> be set to s different
+password that the associated <TT
+CLASS="FILENAME"
+>/etc/passwd</TT
+>
+entry for security reasons.</P
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN122"
+>Common Problems and Errors</A
+></H1
+><P
+></P
+><P
+><I
+CLASS="EMPHASIS"
+>I cannot include a '$' in a machine name.</I
+></P
+><P
+>A 'machine name' in (typically) <TT
+CLASS="FILENAME"
+>/etc/passwd</TT
+> 	
+of the machine name with a '$' appended. FreeBSD (and other BSD 
+systems ?) won't create a user with a '$' in their name.</P
+><P
+>The problem is only in the program used to make the entry, once 
+made, it works perfectly. So create a user without the '$' and 
+use <B
+CLASS="COMMAND"
+>vipw</B
+> to edit the entry, adding the '$'. Or create 
+the whole entry with vipw if you like, make sure you use a 
+unique uid !</P
+><P
+><I
+CLASS="EMPHASIS"
+>I get told "You already have a connection to the Domain...." 
+when creating a machine account.</I
+></P
+><P
+>This happens if you try to create a machine account from the 
+machine itself and use a user name that does not work (for whatever 
+reason) and then try another (possibly valid) user name.
+Exit out of the network applet to close the initial connection 
+and try again.</P
+><P
+>Further, if the machine is a already a 'member of a workgroup' that 
+is the same name as the domain you are joining (bad idea) you will 
+get this message.  Change the workgroup name to something else, it 
+does not matter what, reboot, and try again.</P
+><P
+><I
+CLASS="EMPHASIS"
+>I get told "Cannot join domain, the credentials supplied 
+conflict with an existing set.."</I
+></P
+><P
+>This is the same basic problem as mentioned above, "You already 
+have a connection..."</P
+><P
+><I
+CLASS="EMPHASIS"
+>"The system can not log you on (C000019B)...."</I
+></P
+><P
+>I joined the domain successfully but after upgrading 
+to a newer version of the Samba code I get the message, "The system 
+can not log you on (C000019B), Please try a gain or consult your 
+system administrator" when attempting to logon.</P
+><P
+>This occurs when the domain SID stored in 
+<TT
+CLASS="FILENAME"
+>private/WORKGROUP.SID</TT
+> is 
+changed.  For example, you remove the file and <B
+CLASS="COMMAND"
+>smbd</B
+> automatically 
+creates a new one.  Or you are swapping back and forth between 
+versions 2.0.7, TNG and the HEAD branch code (not recommended).  The 
+only way to correct the problem is to restore the original domain 
+SID or 	remove the domain client from the domain and rejoin.</P
+><P
+><I
+CLASS="EMPHASIS"
+>"The machine account for this computer either does not 
+exist or is not accessible."</I
+></P
+><P
+>When I try to join the domain I get the message "The machine account 
+for this computer either does not exist or is not accessible". Whats 
+wrong ?</P
+><P
+>This problem is caused by the PDC not having a suitable machine account. 
+If you are using the <B
+CLASS="COMMAND"
+>add user script =</B
+> method to create 
+accounts then this would indicate that it has not worked. Ensure the domain 
+admin user system is working.</P
+><P
+>Alternatively if you are creating account entries manually then they 
+have not been created correctly. Make sure that you have the entry 
+correct for the machine account in smbpasswd file on the Samba PDC. 
+If you added the account using an editor rather than using the smbpasswd 
+utility, make sure that the account name is the machine netbios name 
+with a '$' appended to it ( ie. computer_name$ ). There must be an entry 
+in both /etc/passwd and the smbpasswd file. Some people have reported 
+that inconsistent subnet masks between the Samba server and the NT 
+client have caused this problem.   Make sure that these are consistent 
+for both client and server.</P
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN150"
+>System Policies and Profiles</A
+></H1
+><P
+>Much of the information necessary to implement System Policies and
+Roving User Profiles in a Samba domain is the same as that for 
+implementing these same items in a Windows NT 4.0 domain. 
+You should read the white paper <A
+HREF="http://www.microsoft.com/ntserver/management/deployment/planguide/prof_policies.asp"
+TARGET="_top"
+>Implementing
+Profiles and Policies in Windows NT 4.0</A
+> available from Microsoft.</P
+><P
+>Here are some additional details:</P
+><P
+><I
+CLASS="EMPHASIS"
+>What about Windows NT Policy Editor ?</I
+></P
+><P
+>To create or edit <TT
+CLASS="FILENAME"
+>ntconfig.pol</TT
+> you must use 
+the NT Server Policy Editor, <B
+CLASS="COMMAND"
+>poledit.exe</B
+>	which 
+is included with NT Server but <I
+CLASS="EMPHASIS"
+>not NT Workstation</I
+>. 
+There is a Policy Editor on a NTws 
+but it is not suitable for creating <I
+CLASS="EMPHASIS"
+>Domain Policies</I
+>. 
+Further, although the Windows 95 
+Policy Editor can be installed on an NT Workstation/Server, it will not
+work with NT policies because the registry key that are set by the policy templates. 
+However, the files from the NT Server will run happily enough on an NTws. 
+You need <TT
+CLASS="FILENAME"
+>poledit.exe, common.adm</TT
+> and <TT
+CLASS="FILENAME"
+>winnt.adm</TT
+>. It is convenient
+to put the two *.adm files in <TT
+CLASS="FILENAME"
+>c:\winnt\inf</TT
+> which is where
+the binary will look for them unless told otherwise. Note also that that 
+directory is 'hidden'.</P
+><P
+>The Windows NT policy editor is also included with the 
+Service Pack 3 (and later) for Windows NT 4.0. Extract the files using 
+<B
+CLASS="COMMAND"
+>servicepackname /x</B
+>, ie thats <B
+CLASS="COMMAND"
+>Nt4sp6ai.exe 
+/x</B
+> for service pack 6a.  The policy editor, <B
+CLASS="COMMAND"
+>poledit.exe</B
+> and the 
+associated template files (*.adm) should
+be extracted as well.  It is also possible to downloaded the policy template 
+files for Office97 and get a copy of the policy editor.  Another possible 
+location is with the Zero Administration Kit available for download from Microsoft.</P
+><P
+><I
+CLASS="EMPHASIS"
+>Can Win95 do Policies ?</I
+></P
+><P
+>Install the group policy handler for Win9x to pick up group 
+policies.   Look on the Win98 CD in <TT
+CLASS="FILENAME"
+>\tools\reskit\netadmin\poledit</TT
+>. 
+Install group policies on a Win9x client by double-clicking 
+<TT
+CLASS="FILENAME"
+>grouppol.inf</TT
+>. Log off and on again a couple of 
+times and see if Win98 picks up group policies.  Unfortunately this needs 
+to be done on every Win9x machine that uses group policies....</P
+><P
+>If group policies don't work one reports suggests getting the updated 
+(read: working) grouppol.dll for Windows 9x. The group list is grabbed 
+from /etc/group.</P
+><P
+><I
+CLASS="EMPHASIS"
+>How do I get 'User Manager' and 'Server Manager'</I
+></P
+><P
+>Since I don't need to buy an NT Server CD now, how do I get 
+the 'User Manager for Domains', the 'Server Manager' ?</P
+><P
+>Microsoft distributes a version of 
+these tools called nexus for installation on Windows 95 systems.  The 
+tools set includes</P
+><P
+></P
+><UL
+><LI
+><P
+>Server Manager</P
+></LI
+><LI
+><P
+>User Manager for Domains</P
+></LI
+><LI
+><P
+>Event Viewer</P
+></LI
+></UL
+><P
+>Click here to download the archived file <A
+HREF="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE"
+TARGET="_top"
+>ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE</A
+></P
+><P
+>The Windows NT 4.0 version of the 'User Manager for 
+Domains' and 'Server Manager' are available from Microsoft via ftp 
+from <A
+HREF="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE"
+TARGET="_top"
+>ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE</A
+></P
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN190"
+>What other help can I get ?</A
+></H1
+><P
+>There are many sources of information available in the form 
+of mailing lists, RFC's and documentation.  The docs that come 
+with the samba distribution contain very good explanations of 
+general SMB topics such as browsing.</P
+><P
+><I
+CLASS="EMPHASIS"
+>What are some diagnostics tools I can use to debug the domain logon 
+process and where can I	find them?</I
+></P
+><P
+>	One of the best diagnostic tools for debugging problems is Samba itself.  
+	You can use the -d option for both smbd and nmbd to specifiy what 
+	'debug level' at which to run.  See the man pages on smbd, nmbd  and 
+	smb.conf for more information on debugging options.  The debug 
+	level can range from 1 (the default) to 10 (100 for debugging passwords).
+	</P
+><P
+>	Another helpful method of debugging is to compile samba using the 
+	<B
+CLASS="COMMAND"
+>gcc -g </B
+> flag.   This will include debug 
+	information in the binaries and allow you to attach gdb to the 
+	running smbd / nmbd process.  In order to attach gdb to an smbd 
+	process for an NT workstation, first get the workstation to make the 
+	connection. Pressing ctrl-alt-delete and going down to the domain box 
+	is sufficient (at least, on the first time you join the domain) to 
+	generate a 'LsaEnumTrustedDomains'. Thereafter, the workstation 
+	maintains an open connection, and therefore there will be an smbd 
+	process running (assuming that you haven't set a really short smbd 
+	idle timeout)  So, in between pressing ctrl alt delete, and actually 
+	typing in your password, you can gdb attach and continue.
+	</P
+><P
+>	Some useful samba commands worth investigating:
+	</P
+><P
+></P
+><UL
+><LI
+><P
+>testparam | more</P
+></LI
+><LI
+><P
+>smbclient -L //{netbios name of server}</P
+></LI
+></UL
+><P
+>	An SMB enabled version of tcpdump is available from 
+    <A
+HREF="http://www.tcpdump.org/"
+TARGET="_top"
+>http://www.tcpdup.org/</A
+>.
+	Ethereal, another good packet sniffer for UNIX and Win32
+	hosts, can be downloaded from <A
+HREF="http://www.ethereal.com/"
+TARGET="_top"
+>http://www.ethereal.com</A
+>.
+	</P
+><P
+>	For tracing things on the Microsoft Windows NT, Network Monitor 
+	(aka. netmon) is available on the Microsoft Developer Network CD's, 
+	the Windows NT Server install CD and the SMS CD's.  The version of 
+	netmon that ships with SMS allows for dumping packets between any two 
+	computers (ie. placing the network interface in promiscuous mode).  
+	The version on the NT Server install CD will only allow monitoring 
+	of network traffic directed to the local NT box and broadcasts on the 
+	local subnet.  Be aware that Ethereal can read and write netmon 
+	formatted files.
+	</P
+><P
+><I
+CLASS="EMPHASIS"
+>How do I install 'Network Monitor' on an NT Workstation 
+or a Windows 9x box?</I
+></P
+><P
+>	Installing netmon on an NT workstation requires a couple 
+	of steps.  The following are for installing Netmon V4.00.349, which comes 
+	with Microsoft Windows NT Server 4.0, on Microsoft Windows NT 
+	Workstation 4.0.  The process should be similar for other version of 
+	Windows NT / Netmon.  You will need both the Microsoft Windows 
+	NT Server 4.0 Install CD and the Workstation 4.0 Install CD.
+	</P
+><P
+>	Initially you will need to install 'Network Monitor Tools and Agent' 
+	on the NT Server.  To do this 
+	</P
+><P
+></P
+><UL
+><LI
+><P
+>Goto Start - Settings - Control Panel - 
+		Network - Services - Add </P
+></LI
+><LI
+><P
+>Select the 'Network Monitor Tools and Agent' and 
+		click on 'OK'.</P
+></LI
+><LI
+><P
+>Click 'OK' on the Network Control Panel.
+		</P
+></LI
+><LI
+><P
+>Insert the Windows NT Server 4.0 install CD 
+		when prompted.</P
+></LI
+></UL
+><P
+>	At this point the Netmon files should exist in 
+	<TT
+CLASS="FILENAME"
+>%SYSTEMROOT%\System32\netmon\*.*</TT
+>.    
+	Two subdirectories exist as well, <TT
+CLASS="FILENAME"
+>parsers\</TT
+> 
+	which contains the necessary DLL's for parsing the netmon packet 
+	dump, and <TT
+CLASS="FILENAME"
+>captures\</TT
+>.
+	</P
+><P
+>	In order to install the Netmon tools on an NT Workstation, you will 
+	first need to install the 'Network  Monitor Agent' from the Workstation 
+	install CD.
+	</P
+><P
+></P
+><UL
+><LI
+><P
+>Goto Start - Settings - Control Panel - 
+		Network - Services - Add</P
+></LI
+><LI
+><P
+>Select the 'Network Monitor Agent' and click 
+		on 'OK'.</P
+></LI
+><LI
+><P
+>Click 'OK' on the Network Control Panel.
+		</P
+></LI
+><LI
+><P
+>Insert the Windows NT Workstation 4.0 install 
+		CD when prompted.</P
+></LI
+></UL
+><P
+>	Now copy the files from the NT Server in %SYSTEMROOT%\System32\netmon\*.* 
+	to %SYSTEMROOT%\System32\netmon\*.* on the Workstation and set 
+	permissions as  you deem appropriate for your site. You will need 
+	administrative rights on the NT box to run netmon.
+	</P
+><P
+>	To install Netmon on a Windows 9x box install the network monitor agent 
+	from the Windows 9x CD (\admin\nettools\netmon).  There is a readme 
+	file located with the netmon driver files on the CD if you need 
+	information on how to do this.  Copy the files from a working 
+	Netmon installation.
+	</P
+><DIV
+CLASS="SECT2"
+><HR><H2
+CLASS="SECT2"
+><A
+NAME="AEN237"
+>URLs and similar</A
+></H2
+><P
+></P
+><UL
+><LI
+><P
+>Home of Samba site <A
+HREF="http://samba.org"
+TARGET="_top"
+>        http://samba.org</A
+>. We have a mirror near you !</P
+></LI
+><LI
+><P
+> The <I
+CLASS="EMPHASIS"
+>Development</I
+> document 
+	on the Samba mirrors might mention your problem. If so,
+	it might mean that the developers are working on it.</P
+></LI
+><LI
+><P
+>See how Scott Merrill simulates a BDC behavior at 
+        <A
+HREF="http://www.skippy.net/linux/smb-howto.html"
+TARGET="_top"
+>        http://www.skippy.net/linux/smb-howto.html</A
+>. </P
+></LI
+><LI
+><P
+>Although 2.0.7 has almost had its day as a PDC, David Bannon will
+        keep the 2.0.7 PDC pages at <A
+HREF="http://bioserve.latrobe.edu.au/samba"
+TARGET="_top"
+>        http://bioserve.latrobe.edu.au/samba</A
+> going for a while yet.</P
+></LI
+><LI
+><P
+>Misc links to CIFS information 
+        <A
+HREF="http://samba.org/cifs/"
+TARGET="_top"
+>http://samba.org/cifs/</A
+></P
+></LI
+><LI
+><P
+>NT Domains for Unix <A
+HREF="http://mailhost.cb1.com/~lkcl/ntdom/"
+TARGET="_top"
+>        http://mailhost.cb1.com/~lkcl/ntdom/</A
+></P
+></LI
+><LI
+><P
+>FTP site for older SMB specs: 
+        <A
+HREF="ftp://ftp.microsoft.com/developr/drg/CIFS/"
+TARGET="_top"
+>        ftp://ftp.microsoft.com/developr/drg/CIFS/</A
+></P
+></LI
+></UL
+></DIV
+><DIV
+CLASS="SECT2"
+><HR><H2
+CLASS="SECT2"
+><A
+NAME="AEN261"
+>Mailing Lists</A
+></H2
+><P
+><I
+CLASS="EMPHASIS"
+>How do I get help from the mailing lists ?</I
+></P
+><P
+>There are a number of Samba related mailing lists. Go to <A
+HREF="http://samba.org"
+TARGET="_top"
+>http://samba.org</A
+>, click on your nearest mirror
+and then click on <B
+CLASS="COMMAND"
+>Support</B
+> and then click on <B
+CLASS="COMMAND"
+>Samba related mailing lists</B
+>.</P
+><P
+>For questions relating to Samba TNG go to
+<A
+HREF="http://www.samba-tng.org/"
+TARGET="_top"
+>http://www.samba-tng.org/</A
+> 
+It has been requested that you don't post questions about Samba-TNG to the
+main stream Samba lists.</P
+><P
+>If you post a message to one of the lists please observe the following guide lines :</P
+><P
+></P
+><UL
+><LI
+><P
+> Always remember that the developers are volunteers, they are 
+		not paid and they never guarantee to produce a particular feature at 
+		a particular time. Any time lines are 'best guess' and nothing more.
+		</P
+></LI
+><LI
+><P
+> Always mention what version of samba you are using and what 
+		operating system its running under. You should probably list the
+        relevant sections of your smb.conf file, at least the options 
+        in [global] that affect PDC support.</P
+></LI
+><LI
+><P
+>In addition to the version, if you obtained Samba via
+        CVS mention the date when you last checked it out.</P
+></LI
+><LI
+><P
+> Try and make your question clear and brief, lots of long, 
+		convoluted questions get deleted before	they are completely read ! 
+		Don't post html encoded messages (if you can select colour or font 
+		size its html).</P
+></LI
+><LI
+><P
+> If you run one of those nifty 'I'm on holidays' things when 
+		you are away, make sure its configured	to not answer mailing lists.
+		</P
+></LI
+><LI
+><P
+> Don't cross post. Work out which is the best list to post to 
+		and see what happens, ie don't post to both samba-ntdom and samba-technical.
+        Many people active on the lists subscribe to more 
+		than one list and get annoyed to see the same message two or more times. 
+		Often someone will see a message and thinking it would be better dealt 
+		with on another, will forward it on for you.</P
+></LI
+><LI
+><P
+>You might include <I
+CLASS="EMPHASIS"
+>partial</I
+>
+        log files written at a debug level set to as much as 20.  
+        Please don't send the entire log but enough to give the context of the 
+        error messages.</P
+></LI
+><LI
+><P
+>(Possibly) If you have a complete netmon trace ( from the opening of 
+        the pipe to the error ) you can send the *.CAP file as well.</P
+></LI
+><LI
+><P
+>Please think carefully before attaching a document to an email.
+        Consider pasting the relevant parts into the body of the message. The samba
+        mailing lists go to a huge number of people, do they all need a copy of your 
+        smb.conf in their attach directory ?</P
+></LI
+></UL
+><P
+><I
+CLASS="EMPHASIS"
+>How do I get off the mailing lists ?</I
+></P
+><P
+>To have your name removed from a samba mailing list, go to the
+        same place you went to to get on it. Go to <A
+HREF="http://lists.samba.org/"
+TARGET="_top"
+>http://lists.samba.org</A
+>, click 
+		on your nearest mirror and then click on <B
+CLASS="COMMAND"
+>Support</B
+> and 
+		then click on <B
+CLASS="COMMAND"
+> Samba related mailing lists</B
+>. Or perhaps see 
+        <A
+HREF="http://lists.samba.org/mailman/roster/samba-ntdom"
+TARGET="_top"
+>here</A
+></P
+><P
+>	Please don't post messages to the list asking to be removed, you will just
+        be referred to the above address (unless that process failed in some way...)
+    </P
+></DIV
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN300"
+>DOMAIN_CONTROL.txt : Windows NT Domain Control &#38; Samba</A
+></H1
+><P
+>This appendix was originally authored by John H Terpstra of the Samba Team
+and is included here for posterity.</P
+><P
+><I
+CLASS="EMPHASIS"
+>NOTE :</I
+> 
+The term "Domain Controller" and those related to it refer to one specific
+method of authentication that can underly an SMB domain. Domain Controllers
+prior to Windows NT Server 3.1 were sold by various companies and based on 
+private extensions to the LAN Manager 2.1 protocol. Windows NT introduced
+Microsoft-specific ways of distributing the user authentication database.
+See DOMAIN.txt for examples of how Samba can participate in or create
+SMB domains based on shared authentication database schemes other than the 
+Windows NT SAM.</P
+><P
+>Windows NT Server can be installed as either a plain file and print server
+(WORKGROUP workstation or server) or as a server that participates in Domain
+Control (DOMAIN member, Primary Domain controller or Backup Domain controller).</P
+><P
+>The same is true for OS/2 Warp Server, Digital Pathworks and other similar
+products, all of which can participate in Domain Control along with Windows NT.
+However only those servers which have licensed Windows NT code in them can be
+a primary Domain Controller (eg Windows NT Server, Advanced Server for Unix.)</P
+><P
+>To many people these terms can be confusing, so let's try to clear the air.</P
+><P
+>Every Windows NT system (workstation or server) has a registry database.
+The registry contains entries that describe the initialization information
+for all services (the equivalent of Unix Daemons) that run within the Windows
+NT environment. The registry also contains entries that tell application
+software where to find dynamically loadable libraries that they depend upon.
+In fact, the registry contains entries that describes everything that anything
+may need to know to interact with the rest of the system.</P
+><P
+>The registry files can be located on any Windows NT machine by opening a
+command prompt and typing:</P
+><P
+><TT
+CLASS="PROMPT"
+>C:\WINNT\&#62;</TT
+> dir %SystemRoot%\System32\config</P
+><P
+>The environment variable %SystemRoot% value can be obtained by typing:</P
+><P
+><TT
+CLASS="PROMPT"
+>C:\WINNT&#62;</TT
+>echo %SystemRoot%</P
+><P
+>The active parts of the registry that you may want to be familiar with are
+the files called: default, system, software, sam and security.</P
+><P
+>In a domain environment, Microsoft Windows NT domain controllers participate
+in replication of the SAM and SECURITY files so that all controllers within
+the domain have an exactly identical copy of each.</P
+><P
+>The Microsoft Windows NT system is structured within a security model that
+says that all applications and services must authenticate themselves before
+they can obtain permission from the security manager to do what they set out
+to do.</P
+><P
+>The Windows NT User database also resides within the registry. This part of
+the registry contains the user's security identifier, home directory, group
+memberships, desktop profile, and so on.</P
+><P
+>Every Windows NT system (workstation as well as server) will have its own
+registry. Windows NT Servers that participate in Domain Security control
+have a database that they share in common - thus they do NOT own an
+independent full registry database of their own, as do Workstations and
+plain Servers.</P
+><P
+>The User database is called the SAM (Security Access Manager) database and
+is used for all user authentication as well as for authentication of inter-
+process authentication (ie: to ensure that the service action a user has
+requested is permitted within the limits of that user's privileges).</P
+><P
+>The Samba team have produced a utility that can dump the Windows NT SAM into 
+smbpasswd format: see ENCRYPTION.txt for information on smbpasswd and
+/pub/samba/pwdump on your nearest Samba mirror for the utility. This 
+facility is useful but cannot be easily used to implement SAM replication
+to Samba systems.</P
+><P
+>Windows for Workgroups, Windows 95, and Windows NT Workstations and Servers
+can participate in a Domain security system that is controlled by Windows NT
+servers that have been correctly configured. At most every domain will have
+ONE Primary Domain Controller (PDC). It is desirable that each domain will
+have at least one Backup Domain Controller (BDC).</P
+><P
+>The PDC and BDCs then participate in replication of the SAM database so that
+each Domain Controlling participant will have an up to date SAM component
+within its registry.</P
+></DIV
+></DIV
+></BODY
+></HTML
+>
\ No newline at end of file