merge from 2.2

(This used to be commit c5ee06b7c8fc9f1fec679acc7d7f47f333707456)

1 files changed, 587 insertions, 283 deletions

diff --git a/docs/htmldocs/smb.conf.5.html b/docs/htmldocs/smb.conf.5.html
index 5fe4f3cf97..f60cd595cf 100644
--- a/docs/htmldocs/smb.conf.5.html
+++ b/docs/htmldocs/smb.conf.5.html
@@ -638,8 +638,8 @@ CLASS="VARIABLELIST"
 ><P
 >the architecture of the remote
 		machine. Only some are recognized, and those may not be 
-		100% reliable. It currently recognizes Samba, WfWg, 
-		WinNT and Win95. Anything else will be known as 
+		100% reliable. It currently recognizes Samba, WfWg, Win95,
+		WinNT and Win2k. Anything else will be known as 
 		"UNKNOWN". If it gets it wrong then sending a level 
 		3 log to <A
 HREF="mailto:samba@samba.org"
@@ -1461,6 +1461,78 @@ CLASS="PARAMETER"
 ><LI
 ><P
 ><A
+HREF="#LDAPADMINDN"
+><TT
+CLASS="PARAMETER"
+><I
+>ldap admin dn</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#LDAPFILTER"
+><TT
+CLASS="PARAMETER"
+><I
+>ldap filter</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#LDAPPORT"
+><TT
+CLASS="PARAMETER"
+><I
+>ldap port</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#LDAPSERVER"
+><TT
+CLASS="PARAMETER"
+><I
+>ldap server</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#LDAPSSL"
+><TT
+CLASS="PARAMETER"
+><I
+>ldap ssl</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#LDAPSUFFIX"
+><TT
+CLASS="PARAMETER"
+><I
+>ldap suffix</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
 HREF="#LMANNOUNCE"
 ><TT
 CLASS="PARAMETER"
@@ -1881,18 +1953,6 @@ CLASS="PARAMETER"
 ><LI
 ><P
 ><A
-HREF="#NTACLSUPPORT"
-><TT
-CLASS="PARAMETER"
-><I
->nt acl support</I
-></TT
-></A
-></P
-></LI
-><LI
-><P
-><A
 HREF="#NTPIPESUPPORT"
 ><TT
 CLASS="PARAMETER"
@@ -2433,6 +2493,42 @@ CLASS="PARAMETER"
 ><LI
 ><P
 ><A
+HREF="#SSLEGDSOCKET"
+><TT
+CLASS="PARAMETER"
+><I
+>ssl egd socket</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#SSLENTROPYBYTES"
+><TT
+CLASS="PARAMETER"
+><I
+>ssl entropy bytes</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#SSLENTROPYFILE"
+><TT
+CLASS="PARAMETER"
+><I
+>ssl entropy file</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
 HREF="#SSLHOSTS"
 ><TT
 CLASS="PARAMETER"
@@ -2673,6 +2769,18 @@ CLASS="PARAMETER"
 ><LI
 ><P
 ><A
+HREF="#USEMMAP"
+><TT
+CLASS="PARAMETER"
+><I
+>use mmap</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
 HREF="#USERHOSTS"
 ><TT
 CLASS="PARAMETER"
@@ -2891,7 +2999,7 @@ CLASS="PARAMETER"
 ><DIV
 CLASS="REFSECT1"
 ><A
-NAME="AEN934"
+NAME="AEN970"
 ></A
 ><H2
 >COMPLETE LIST OF SERVICE PARAMETERS</H2
@@ -3684,6 +3792,18 @@ CLASS="PARAMETER"
 ><LI
 ><P
 ><A
+HREF="#NTACLSUPPORT"
+><TT
+CLASS="PARAMETER"
+><I
+>nt acl support</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
 HREF="#ONLYGUEST"
 ><TT
 CLASS="PARAMETER"
@@ -4068,6 +4188,18 @@ CLASS="PARAMETER"
 ><LI
 ><P
 ><A
+HREF="#STRICTALLOCATE"
+><TT
+CLASS="PARAMETER"
+><I
+>strict allocate</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
 HREF="#STRICTLOCKING"
 ><TT
 CLASS="PARAMETER"
@@ -4298,7 +4430,7 @@ CLASS="PARAMETER"
 ><DIV
 CLASS="REFSECT1"
 ><A
-NAME="AEN1402"
+NAME="AEN1446"
 ></A
 ><H2
 >EXPLANATION OF EACH PARAMETER</H2
@@ -7500,11 +7632,11 @@ CLASS="PARAMETER"
 > it is in. Samba 2.2 also 
 		has limited capability to act as a domain controller for Windows 
 		NT 4 Domains.  For more details on setting up this feature see 
-		the file DOMAINS.txt in the Samba documentation directory <TT
+		the Samba-PDC-HOWTO included in the <TT
 CLASS="FILENAME"
->docs/
-		</TT
-> shipped with the source code.</P
+>htmldocs/</TT
+>
+		directory shipped with the source code.</P
 ><P
 >Default: <B
 CLASS="COMMAND"
@@ -8055,22 +8187,6 @@ CLASS="PARAMETER"
 > 
 		parameter is applied.</P
 ><P
->Note that by default this parameter does not apply to permissions
-		set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
-		this mask on access control lists also, they need to set the <A
-HREF="#RESTRICTACLWITHMASK"
-><TT
-CLASS="PARAMETER"
-><I
->restrict acl with 
-		mask</I
-></TT
-></A
-> to <TT
-CLASS="CONSTANT"
->true</TT
->.</P
-><P
 >See also the parameter <A
 HREF="#CREATEMASK"
 ><TT
@@ -8130,22 +8246,6 @@ CLASS="PARAMETER"
 > is 
 		applied.</P
 ><P
->Note that by default this parameter does not apply to permissions
-		set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
-		this mask on access control lists also, they need to set the <A
-HREF="#RESTRICTACLWITHMASK"
-><TT
-CLASS="PARAMETER"
-><I
->restrict acl with 
-		mask</I
-></TT
-></A
-> to <TT
-CLASS="CONSTANT"
->true</TT
->.</P
-><P
 >See also the parameter <A
 HREF="#DIRECTORYMASK"
 ><TT
@@ -9569,6 +9669,250 @@ CLASS="COMMAND"
 ></DD
 ><DT
 ><A
+NAME="LDAPADMINDN"
+></A
+>ldap admin dn (G)</DT
+><DD
+><P
+>This parameter is only available if Samba has been
+		configure to include the <B
+CLASS="COMMAND"
+>--with-ldapsam</B
+> option
+		at compile time. This option should be considered experimental and
+		under active development.
+		</P
+><P
+>		The <TT
+CLASS="PARAMETER"
+><I
+>ldap admin dn</I
+></TT
+> defines the Distinguished 
+		Name (DN) name used by Samba to contact the <A
+HREF="#LDAPSERVER"
+>ldap
+		server</A
+> when retreiving user account information. The <TT
+CLASS="PARAMETER"
+><I
+>ldap
+		admin dn</I
+></TT
+> is used in conjunction with the admin dn password
+		stored in the <TT
+CLASS="FILENAME"
+>private/secrets.tdb</TT
+> file.  See the
+		<A
+HREF="smbpasswd.8.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>smbpasswd(8)</B
+></A
+> man
+		page for more information on how to accmplish this.
+		</P
+><P
+>Default : <EM
+>none</EM
+></P
+></DD
+><DT
+><A
+NAME="LDAPFILTER"
+></A
+>ldap filter (G)</DT
+><DD
+><P
+>This parameter is only available if Samba has been
+		configure to include the <B
+CLASS="COMMAND"
+>--with-ldapsam</B
+> option
+		at compile time. This option should be considered experimental and
+		under active development.
+		</P
+><P
+>		This parameter specifies the RFC 2254 compliant LDAP search filter.
+		The default is to match the login name with the <TT
+CLASS="CONSTANT"
+>uid</TT
+> 
+		attribute for all entries matching the <TT
+CLASS="CONSTANT"
+>sambaAccount</TT
+>		
+		objectclass.  Note that this filter should only return one entry.
+		</P
+><P
+>Default : <B
+CLASS="COMMAND"
+>ldap filter = (&#38;(uid=%u)(objectclass=sambaAccount))</B
+></P
+></DD
+><DT
+><A
+NAME="LDAPPORT"
+></A
+>ldap port (G)</DT
+><DD
+><P
+>This parameter is only available if Samba has been
+		configure to include the <B
+CLASS="COMMAND"
+>--with-ldapsam</B
+> option
+		at compile time. This option should be considered experimental and
+		under active development.
+		</P
+><P
+>		This option is used to control the tcp port number used to contact
+		the <A
+HREF="#LDAPSERVER"
+><TT
+CLASS="PARAMETER"
+><I
+>ldap server</I
+></TT
+></A
+>.
+		The default is to use the stand LDAP port 389.
+		</P
+><P
+>Default : <B
+CLASS="COMMAND"
+>ldap port = 389</B
+></P
+></DD
+><DT
+><A
+NAME="LDAPSERVER"
+></A
+>ldap server (G)</DT
+><DD
+><P
+>This parameter is only available if Samba has been
+		configure to include the <B
+CLASS="COMMAND"
+>--with-ldapsam</B
+> option
+		at compile time. This option should be considered experimental and
+		under active development.
+		</P
+><P
+>		This parameter should contains the FQDN of the ldap directory 
+		server which should be queried to locate user account information.
+		</P
+><P
+>Default : <B
+CLASS="COMMAND"
+>ldap server = localhost</B
+></P
+></DD
+><DT
+><A
+NAME="LDAPSSL"
+></A
+>ldap ssl (G)</DT
+><DD
+><P
+>This parameter is only available if Samba has been
+		configure to include the <B
+CLASS="COMMAND"
+>--with-ldapsam</B
+> option
+		at compile time. This option should be considered experimental and
+		under active development.
+		</P
+><P
+>		This option is used to define whether or not Samba should
+		use SSL when connecting to the <A
+HREF="#LDAPSERVER"
+><TT
+CLASS="PARAMETER"
+><I
+>ldap
+		server</I
+></TT
+></A
+>.  This is <EM
+>NOT</EM
+> related to
+		Samba SSL support which is enabled by specifying the 
+		<B
+CLASS="COMMAND"
+>--with-ssl</B
+> option to the <TT
+CLASS="FILENAME"
+>configure</TT
+> 
+		script (see <A
+HREF="#SSL"
+><TT
+CLASS="PARAMETER"
+><I
+>ssl</I
+></TT
+></A
+>).
+		</P
+><P
+>		The <TT
+CLASS="PARAMETER"
+><I
+>ldap ssl</I
+></TT
+> can be set to one of three values:
+		(a) <B
+CLASS="COMMAND"
+>on</B
+> - Always use SSL when contacting the 
+		<TT
+CLASS="PARAMETER"
+><I
+>ldap	server</I
+></TT
+>, (b) <B
+CLASS="COMMAND"
+>off</B
+> -
+		Never use SSL when querying the directory, or (c) <B
+CLASS="COMMAND"
+>start 
+		tls</B
+> - Use the LDAPv3 StartTLS extended operation 
+		(RFC2830) for communicating with the directory server.
+		</P
+><P
+>Default : <B
+CLASS="COMMAND"
+>ldap ssl = off</B
+></P
+></DD
+><DT
+><A
+NAME="LDAPSUFFIX"
+></A
+>ldap suffix (G)</DT
+><DD
+><P
+>This parameter is only available if Samba has been
+		configure to include the <B
+CLASS="COMMAND"
+>--with-ldapsam</B
+> option
+		at compile time. This option should be considered experimental and
+		under active development.
+		</P
+><P
+>Default : <EM
+>none</EM
+></P
+></DD
+><DT
+><A
 NAME="LEVEL2OPLOCKS"
 ></A
 >level2 oplocks (S)</DT
@@ -11958,7 +12302,7 @@ CLASS="COMMAND"
 >		--with-msdfs</B
 > option.  If set to <TT
 CLASS="CONSTANT"
->yes&#62;</TT
+>yes</TT
 >, 
 		Samba treats the share as a Dfs root and  allows clients to browse 
 		the distributed file system tree rooted at the share directory. 
@@ -12038,7 +12382,7 @@ CLASS="FILENAME"
 CLASS="FILENAME"
 >/etc/nsswitch.conf</TT
 > 
-			file).  Note that this method is only used if the NetBIOS name 
+			file.  Note that this method is only used if the NetBIOS name 
 			type being queried is the 0x20 (server) name type, otherwise 
 			it is ignored.</P
 ></LI
@@ -12228,7 +12572,7 @@ CLASS="COMMAND"
 ><A
 NAME="NTACLSUPPORT"
 ></A
->nt acl support (G)</DT
+>nt acl support (S)</DT
 ><DD
 ><P
 >This boolean parameter controls whether 
@@ -12237,7 +12581,9 @@ HREF="smbd.8.html"
 TARGET="_top"
 >smbd(8)</A
 > will attempt to map 
-		UNIX permissions into Windows NT access control lists.</P
+		UNIX permissions into Windows NT access control lists.
+		This parameter was formally a global parameter in releases
+		prior to 2.2.2.</P
 ><P
 >Default: <B
 CLASS="COMMAND"
@@ -12825,7 +13171,7 @@ CLASS="PARAMETER"
 ></TT
 ></A
 > parameter is set to true, the chat pairs
-                may be matched in any order, and sucess is determined by the PAM result, 
+                may be matched in any order, and success is determined by the PAM result, 
                 not any particular output. The \n macro is ignored for PAM conversions.
   		</P
 ><P
@@ -13720,8 +14066,14 @@ CLASS="PARAMETER"
 		</I
 ></TT
 > will be replaced by the appropriate printer name. The 
-		spool file name is generated automatically by the server, the printer 
-		name is discussed below.</P
+		spool file name is generated automatically by the server.  The 
+		<TT
+CLASS="PARAMETER"
+><I
+>%J</I
+></TT
+> macro can be used to access the job 
+		name as transmitted by the client.</P
 ><P
 >The print command <EM
 >MUST</EM
@@ -13811,7 +14163,7 @@ CLASS="COMMAND"
 ><P
 >For <B
 CLASS="COMMAND"
->printing = SYS or HPUX :</B
+>printing = SYSV or HPUX :</B
 ></P
 ><P
 ><B
@@ -14294,7 +14646,7 @@ CLASS="PARAMETER"
 > if specified in the 
 		[global] section.</P
 ><P
->Currently eight printing styles are supported. They are
+>Currently nine printing styles are supported. They are
 		<TT
 CLASS="CONSTANT"
 >BSD</TT
@@ -14773,108 +15125,6 @@ CLASS="COMMAND"
 ></DD
 ><DT
 ><A
-NAME="RESTRICTACLWITHMASK"
-></A
->restrict acl with mask (S)</DT
-><DD
-><P
->This is a boolean parameter.  If set to <TT
-CLASS="CONSTANT"
->false</TT
-> (default), then 
-		creation of files with access control lists (ACLS) and modification of ACLs
-		using the Windows NT/2000 ACL editor will be applied directly to the file
-		or directory.</P
-><P
->If set to <TT
-CLASS="CONSTANT"
->true</TT
->, then all requests to set an ACL on a file will have the
-		parameters <A
-HREF="#CREATEMASK"
-><TT
-CLASS="PARAMETER"
-><I
->create mask</I
-></TT
-></A
->,
-		<A
-HREF="#FORCECREATEMODE"
-><TT
-CLASS="PARAMETER"
-><I
->force create mode</I
-></TT
-></A
->
-		applied before setting the ACL, and all requests to set an ACL on a directory will
-		have the parameters <A
-HREF="#DIRECTORYMASK"
-><TT
-CLASS="PARAMETER"
-><I
->directory 
-		mask</I
-></TT
-></A
->, <A
-HREF="#FORCEDIRECTORYMODE"
-><TT
-CLASS="PARAMETER"
-><I
->force 
-		directory mode</I
-></TT
-></A
-> applied before setting the ACL.
-		</P
-><P
->See also <A
-HREF="#CREATEMASK"
-><TT
-CLASS="PARAMETER"
-><I
->create mask</I
-></TT
-></A
->,
-		<A
-HREF="#FORCECREATEMODE"
-><TT
-CLASS="PARAMETER"
-><I
->force create mode</I
-></TT
-></A
->,
-		<A
-HREF="#DIRECTORYMASK"
-><TT
-CLASS="PARAMETER"
-><I
->directory mask</I
-></TT
-></A
->,
-		<A
-HREF="#FORCEDIRECTORYMODE"
-><TT
-CLASS="PARAMETER"
-><I
->force directory mode</I
-></TT
-></A
->
-		</P
-><P
->Default: <B
-CLASS="COMMAND"
->restrict acl with mask = no</B
-></P
-></DD
-><DT
-><A
 NAME="RESTRICTANONYMOUS"
 ></A
 >restrict anonymous (G)</DT
@@ -15176,7 +15426,7 @@ CLASS="COMMAND"
 		</B
 >.</P
 ><P
->In versions of Samba prior to 2..0, the default was 
+>In versions of Samba prior to 2.0.0, the default was 
 		<B
 CLASS="COMMAND"
 >security = share</B
@@ -16290,14 +16540,6 @@ CLASS="COMMAND"
 > was 
 		given at configure time.</P
 ><P
-><EM
->Note</EM
-> that for export control reasons 
-		this code is <EM
->NOT</EM
-> enabled by default in any 
-		current binary version of Samba.</P
-><P
 >This variable enables or disables the entire SSL mode. If 
 		it is set to <TT
 CLASS="CONSTANT"
@@ -16346,14 +16588,6 @@ CLASS="COMMAND"
 > was 
 		given at configure time.</P
 ><P
-><EM
->Note</EM
-> that for export control reasons 
-		this code is <EM
->NOT</EM
-> enabled by default in any 
-		current binary version of Samba.</P
-><P
 >This variable defines where to look up the Certification
 		Authorities. The given directory should contain one file for 
 		each CA that Samba will trust.  The file name must be the hash 
@@ -16383,14 +16617,6 @@ CLASS="COMMAND"
 > was 
 		given at configure time.</P
 ><P
-><EM
->Note</EM
-> that for export control reasons 
-		this code is <EM
->NOT</EM
-> enabled by default in any 
-		current binary version of Samba.</P
-><P
 >This variable is a second way to define the trusted CAs. 
 		The certificates of the trusted CAs are collected in one big 
 		file and this variable points to the file. You will probably 
@@ -16421,14 +16647,6 @@ CLASS="COMMAND"
 > was 
 		given at configure time.</P
 ><P
-><EM
->Note</EM
-> that for export control reasons 
-		this code is <EM
->NOT</EM
-> enabled by default in any 
-		current binary version of Samba.</P
-><P
 >This variable defines the ciphers that should be offered 
 		during SSL negotiation. You should not set this variable unless 
 		you know what you are doing.</P
@@ -16448,14 +16666,6 @@ CLASS="COMMAND"
 > was 
 		given at configure time.</P
 ><P
-><EM
->Note</EM
-> that for export control reasons 
-		this code is <EM
->NOT</EM
-> enabled by default in any 
-		current binary version of Samba.</P
-><P
 >The certificate in this file is used by <A
 HREF="smbclient.1.html"
 TARGET="_top"
@@ -16487,14 +16697,6 @@ CLASS="COMMAND"
 > was 
 		given at configure time.</P
 ><P
-><EM
->Note</EM
-> that for export control reasons 
-		this code is <EM
->NOT</EM
-> enabled by default in any 
-		current binary version of Samba.</P
-><P
 >This is the private key for <A
 HREF="smbclient.1.html"
 TARGET="_top"
@@ -16526,18 +16728,10 @@ CLASS="COMMAND"
 > was 
 		given at configure time.</P
 ><P
-><EM
->Note</EM
-> that for export control reasons 
-		this code is <EM
->NOT</EM
-> enabled by default in any 
-		current binary version of Samba.</P
-><P
->This variable defines whether SSLeay should be configured 
+>This variable defines whether OpenSSL should be configured 
 		for bug compatibility with other SSL implementations. This is 
 		probably not desirable because currently no clients with SSL 
-		implementations other than SSLeay exist.</P
+		implementations other than OpenSSL exist.</P
 ><P
 >Default: <B
 CLASS="COMMAND"
@@ -16546,6 +16740,104 @@ CLASS="COMMAND"
 ></DD
 ><DT
 ><A
+NAME="SSLEGDSOCKET"
+></A
+>ssl egd socket (G)</DT
+><DD
+><P
+>This variable is part of SSL-enabled Samba. This 
+		is only available if the SSL libraries have been compiled on your 
+		system and the configure option <B
+CLASS="COMMAND"
+>--with-ssl</B
+> was 
+		given at configure time.</P
+><P
+>		This option is used to define the location of the communiation socket of 
+		an EGD or PRNGD daemon, from which entropy can be retrieved. This option 
+		can be used instead of or together with the <A
+HREF="#SSLENTROPYFILE"
+><TT
+CLASS="PARAMETER"
+><I
+>ssl entropy file</I
+></TT
+></A
+> 
+		directive. 255 bytes of entropy will be retrieved from the daemon.
+		</P
+><P
+>Default: <EM
+>none</EM
+></P
+></DD
+><DT
+><A
+NAME="SSLENTROPYBYTES"
+></A
+>ssl entropy bytes (G)</DT
+><DD
+><P
+>This variable is part of SSL-enabled Samba. This 
+		is only available if the SSL libraries have been compiled on your 
+		system and the configure option <B
+CLASS="COMMAND"
+>--with-ssl</B
+> was 
+		given at configure time.</P
+><P
+>		This parameter is used to define the number of bytes which should 
+		be read from the <A
+HREF="#SSLENTROPYFILE"
+><TT
+CLASS="PARAMETER"
+><I
+>ssl entropy 
+		file</I
+></TT
+></A
+> If a -1 is specified, the entire file will
+		be read.
+		</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>ssl entropy bytes = 255</B
+></P
+></DD
+><DT
+><A
+NAME="SSLENTROPYFILE"
+></A
+>ssl entropy file (G)</DT
+><DD
+><P
+>This variable is part of SSL-enabled Samba. This 
+		is only available if the SSL libraries have been compiled on your 
+		system and the configure option <B
+CLASS="COMMAND"
+>--with-ssl</B
+> was 
+		given at configure time.</P
+><P
+>		This parameter is used to specify a file from which processes will 
+		read "random bytes" on startup.  In order to seed the internal pseudo 
+		random number generator, entropy must be provided. On system with a 
+		<TT
+CLASS="FILENAME"
+>/dev/urandom</TT
+> device file, the processes
+		will retrieve its entropy from the kernel. On systems without kernel
+		entropy support, a file can be supplied that will be read on startup
+		and that will be used to seed the PRNG.
+		</P
+><P
+>Default: <EM
+>none</EM
+></P
+></DD
+><DT
+><A
 NAME="SSLHOSTS"
 ></A
 >ssl hosts (G)</DT
@@ -16576,14 +16868,6 @@ CLASS="COMMAND"
 > was 
 		given at configure time.</P
 ><P
-><EM
->Note</EM
-> that for export control reasons 
-		this code is <EM
->NOT</EM
-> enabled by default in any 
-		current binary version of Samba.</P
-><P
 >These two variables define whether Samba will go 
 		into SSL mode or not. If none of them is defined, Samba will 
 		allow only SSL connections. If the <A
@@ -16658,14 +16942,6 @@ CLASS="COMMAND"
 > was 
 		given at configure time.</P
 ><P
-><EM
->Note</EM
-> that for export control reasons 
-		this code is <EM
->NOT</EM
-> enabled by default in any 
-		current binary version of Samba.</P
-><P
 >If this variable is set to <TT
 CLASS="CONSTANT"
 >yes</TT
@@ -16724,14 +17000,6 @@ CLASS="COMMAND"
 > was 
 		given at configure time.</P
 ><P
-><EM
->Note</EM
-> that for export control reasons 
-		this code is <EM
->NOT</EM
-> enabled by default in any 
-		current binary version of Samba.</P
-><P
 >If this variable is set to <TT
 CLASS="CONSTANT"
 >yes</TT
@@ -16777,14 +17045,6 @@ CLASS="COMMAND"
 > was 
 		given at configure time.</P
 ><P
-><EM
->Note</EM
-> that for export control reasons 
-		this code is <EM
->NOT</EM
-> enabled by default in any 
-		current binary version of Samba.</P
-><P
 >This is the file containing the server's certificate. 
 		The server <EM
 >must</EM
@@ -16813,14 +17073,6 @@ CLASS="COMMAND"
 > was 
 		given at configure time.</P
 ><P
-><EM
->Note</EM
-> that for export control reasons 
-		this code is <EM
->NOT</EM
-> enabled by default in any 
-		current binary version of Samba.</P
-><P
 >This file contains the private key of the server. If 
 		this variable is not defined, the key is looked up in the 
 		certificate file (it may be appended to the certificate). 
@@ -16853,14 +17105,6 @@ CLASS="COMMAND"
 > was 
 		given at configure time.</P
 ><P
-><EM
->Note</EM
-> that for export control reasons 
-		this code is <EM
->NOT</EM
-> enabled by default in any 
-		current binary version of Samba.</P
-><P
 >This enumeration variable defines the versions of the 
 		SSL protocol that will be used. <TT
 CLASS="CONSTANT"
@@ -16955,6 +17199,43 @@ CLASS="COMMAND"
 ></DD
 ><DT
 ><A
+NAME="STRICTALLOCATE"
+></A
+>strict allocate (S)</DT
+><DD
+><P
+>This is a boolean that controls the handling of 
+		disk space allocation in the server. When this is set to <TT
+CLASS="CONSTANT"
+>yes</TT
+> 
+		the server will change from UNIX behaviour of not committing real
+		disk storage blocks when a file is extended to the Windows behaviour
+		of actually forcing the disk system to allocate real storage blocks
+		when a file is created or extended to be a given size. In UNIX
+		terminology this means that Samba will stop creating sparse files.
+		This can be slow on some systems.</P
+><P
+>When strict allocate is <TT
+CLASS="CONSTANT"
+>no</TT
+> the server does sparse
+		disk block allocation when a file is extended.</P
+><P
+>Setting this to <TT
+CLASS="CONSTANT"
+>yes</TT
+> can help Samba return
+		out of quota messages on systems that are restricting the disk quota
+		of users.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>strict allocate = no</B
+></P
+></DD
+><DT
+><A
 NAME="STRICTLOCKING"
 ></A
 >strict locking (S)</DT
@@ -17458,6 +17739,30 @@ CLASS="COMMAND"
 ></DD
 ><DT
 ><A
+NAME="USEMMAP"
+></A
+>use mmap (G)</DT
+><DD
+><P
+>This global parameter determines if the tdb internals of Samba can
+		depend on mmap working correctly on the running system. Samba requires a coherent
+		mmap/read-write system memory cache. Currently only HPUX does not have such a
+		coherent cache, and so this parameter is set to <TT
+CLASS="CONSTANT"
+>false</TT
+> by
+		default on HPUX. On all other systems this parameter should be left alone. This
+		parameter is provided to help the Samba developers track down problems with
+		the tdb internal code.
+		</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>use mmap = yes</B
+></P
+></DD
+><DT
+><A
 NAME="USERHOSTS"
 ></A
 >use rhosts (G)</DT
@@ -18152,15 +18457,14 @@ WIDTH="90%"
 ><TD
 ><PRE
 CLASS="PROGRAMLISTING"
->	   ; Veto any files containing the word Security, 
-    	; any ending in .tmp, and any directory containing the
-    	; word root.
-		veto files = /*Security*/*.tmp/*root*/
+>; Veto any files containing the word Security, 
+; any ending in .tmp, and any directory containing the
+; word root.
+veto files = /*Security*/*.tmp/*root*/
 
-		; Veto the Apple specific files that a NetAtalk server
-    	; creates.
-		veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
-		</PRE
+; Veto the Apple specific files that a NetAtalk server
+; creates.
+veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/</PRE
 ></TD
 ></TR
 ></TABLE
@@ -18416,7 +18720,7 @@ CLASS="COMMAND"
 ><P
 >Default: <B
 CLASS="COMMAND"
->winbind enum groups = no </B
+>winbind enum groups = yes </B
 >
 		</P
 ></DD
@@ -18883,7 +19187,7 @@ CLASS="COMMAND"
 ><DIV
 CLASS="REFSECT1"
 ><A
-NAME="AEN5953"
+NAME="AEN6052"
 ></A
 ><H2
 >WARNINGS</H2
@@ -18913,7 +19217,7 @@ TARGET="_top"
 ><DIV
 CLASS="REFSECT1"
 ><A
-NAME="AEN5959"
+NAME="AEN6058"
 ></A
 ><H2
 >VERSION</H2
@@ -18924,7 +19228,7 @@ NAME="AEN5959"
 ><DIV
 CLASS="REFSECT1"
 ><A
-NAME="AEN5962"
+NAME="AEN6061"
 ></A
 ><H2
 >SEE ALSO</H2
@@ -19003,7 +19307,7 @@ CLASS="COMMAND"
 ><DIV
 CLASS="REFSECT1"
 ><A
-NAME="AEN5982"
+NAME="AEN6081"
 ></A
 ><H2
 >AUTHOR</H2