Add all the source files from the old CVS tree,

add the 5 missing chapters from the HOWTO
and add jht's Samba by Example book.
(This used to be commit 9fb5bcb93e57c5162b3ee6f9c7d777dc0269d100)

1 files changed, 100 insertions, 0 deletions

diff --git a/docs/smbdotconf/security/passwordserver.xml b/docs/smbdotconf/security/passwordserver.xml
new file mode 100644
index 0000000000..19bf015435
--- /dev/null
+++ b/docs/smbdotconf/security/passwordserver.xml
@@ -0,0 +1,100 @@
+<samba:parameter name="password server"
+                 context="G"
+				 type="list"
+                 advanced="1" wizard="1" developer="1"
+		 xmlns:samba="http://samba.org/common">
+<description>
+    <para>By specifying the name of another SMB server 
+    or Active Directory domain controller with this option, 
+    and using <command moreinfo="none">security = [ads|domain|server]</command> 
+    it is possible to get Samba to 
+    to do all its username/password validation using a specific remote server.</para>
+
+    <para>This option sets the name or IP address of the password server to use. 
+    New syntax has been added to support defining the port to use when connecting 
+    to the server the case of an ADS realm.  To define a port other than the
+    default LDAP port of 389, add the port number using a colon after the 
+    name or IP address (e.g. 192.168.1.100:389).  If you do not specify a port,
+    Samba will use the standard LDAP port of tcp/389.  Note that port numbers
+    have no effect on password servers for Windows NT 4.0 domains or netbios 
+    connections.</para>
+
+    <para>If parameter is a name, it is looked up using the 
+    parameter <link linkend="NAMERESOLVEORDER"><parameter moreinfo="none">name 
+    resolve order</parameter></link> and so may resolved
+    by any method and order described in that parameter.</para>
+
+    <para>The password server must be a machine capable of using 
+    the &quot;LM1.2X002&quot; or the &quot;NT LM 0.12&quot; protocol, and it must be in 
+    user level security mode.</para>
+
+    <note><para>Using a password server  means your UNIX box (running
+    Samba) is only as secure as your  password server. <emphasis>DO NOT
+    CHOOSE A PASSWORD SERVER THAT  YOU DON'T COMPLETELY TRUST</emphasis>.
+    </para></note>
+		
+    <para>Never point a Samba server at itself for password serving.
+    This will cause a loop and could lock up your Samba  server!</para>
+
+    <para>The name of the password server takes the standard 
+    substitutions, but probably the only useful one is <parameter moreinfo="none">%m
+    </parameter>, which means the Samba server will use the incoming 
+    client as the password server. If you use this then you better 
+    trust your clients, and you had better restrict them with hosts allow!</para>
+
+    <para>If the <parameter moreinfo="none">security</parameter> parameter is set to
+    <constant>domain</constant> or <constant>ads</constant>, then the list of machines in this 
+    option must be a list of Primary or Backup Domain controllers for the
+    Domain or the character '*', as the Samba server is effectively
+    in that domain, and will use cryptographically authenticated RPC calls
+    to authenticate the user logging on. The advantage of using <command moreinfo="none">
+    security = domain</command> is that if you list several hosts in the 
+    <parameter moreinfo="none">password server</parameter> option then <command moreinfo="none">smbd
+    </command> will try each in turn till it finds one that responds.  This
+    is useful in case your primary server goes down.</para>
+
+    <para>If the <parameter moreinfo="none">password server</parameter> option is set 
+    to the character '*', then Samba will attempt to auto-locate the 
+    Primary or Backup Domain controllers to authenticate against by 
+    doing a query for the name <constant>WORKGROUP&lt;1C&gt;</constant> 
+    and then contacting each server returned in the list of IP 
+    addresses from the name resolution source. </para>
+
+    <para>If the list of servers contains both names/IP's and the '*'
+    character, the list is treated as a list of preferred 
+    domain controllers, but an auto lookup of all remaining DC's
+    will be added to the list as well.  Samba will not attempt to optimize 
+    this list by locating the closest DC.</para>
+		
+    <para>If the <parameter moreinfo="none">security</parameter> parameter is 
+    set to <constant>server</constant>, then there are different
+    restrictions that <command moreinfo="none">security = domain</command> doesn't 
+    suffer from:</para>
+
+    <itemizedlist>
+	<listitem>
+	    <para>You may list several password servers in 
+	    the <parameter moreinfo="none">password server</parameter> parameter, however if an 
+	    <command moreinfo="none">smbd</command> makes a connection to a password server, 
+	    and then the password server fails, no more users will be able 
+	    to be authenticated from this <command moreinfo="none">smbd</command>.  This is a 
+	    restriction of the SMB/CIFS protocol when in <command moreinfo="none">security = server
+	    </command> mode and cannot be fixed in Samba.</para>
+	</listitem>
+	    
+	<listitem>
+	    <para>If you are using a Windows NT server as your 
+	    password server then you will have to ensure that your users 
+	    are able to login from the Samba server, as when in <command moreinfo="none">
+	    security = server</command>  mode the network logon will appear to 
+	    come from there rather than from the users workstation.</para>
+	</listitem>
+    </itemizedlist>
+</description>
+
+<related>security</related>
+<value type="default"></value>
+<value type="example">NT-PDC, NT-BDC1, NT-BDC2, *</value>
+<value type="example">windc.mydomain.com:389 192.168.1.101 *</value>
+<value type="example">*</value>
+</samba:parameter>