author: John Terpstra <jht@samba.org> 2003-04-19 22:32:53 +0000
committer: John Terpstra <jht@samba.org> 2003-04-19 22:32:53 +0000
commit: 3291b9290dbedc77b1fae9d8e13fd86d60c0afc2 (patch)
tree: f2b23cec54dabdb648a85d5e4e9a27735170068c /docs
parent: 2594944aad476dcf7355f5bda096ad0f426c37df (diff)
Updates and additions.
(This used to be commit 9b35377f0cf5022519385a2b70237c05c7978158)
Diffstat (limited to 'docs')
-rw-r--r--  docs/docbook/projdoc/AdvancedNetworkAdmin.sgml   15
-rw-r--r--  docs/docbook/projdoc/NT4Migration.sgml          233
-rw-r--r--  docs/docbook/projdoc/passdb.sgml                 33
3 files changed, 248 insertions, 33 deletions
diff --git a/docs/docbook/projdoc/AdvancedNetworkAdmin.sgml b/docs/docbook/projdoc/AdvancedNetworkAdmin.sgml
index 138095e02c..dc2a78f5a6 100644
--- a/docs/docbook/projdoc/AdvancedNetworkAdmin.sgml
+++ b/docs/docbook/projdoc/AdvancedNetworkAdmin.sgml
@@ -269,8 +269,23 @@ Those wishing to use more elaborate or capable logon processing system should ch
<simplelist>
<member>http://www.craigelachie.org/rhacer/ntlogon</member>
<member>http://www.kixtart.org</member>
+ <member>http://support.microsoft.com/default.asp?scid=kb;en-us;189105</member>
</simplelist>
+<sect2>
+<title>Adding printers without user intervention</title>
+
+<para>
+Printers may be added automatically during logon script processing through the use of:
+
+<programlisting>
+ rundll32 printui.dll,PrintUIEntry /?
+</programlisting>
+
+See the documentation in the Microsoft knowledgebase article no: 189105 referred to above.
+</para>
+</sect2>
+
</sect1>
</chapter>
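Review bot: the listing in the new "Adding printers without user intervention" sect2 only shows the help switch ("rundll32 printui.dll,PrintUIEntry /?"), so a reader following the section has no actual add-printer invocation to put in a logon script; either quote the printer-connection form documented in KB 189105 or say explicitly that "/?" prints the switch list and the reader must pick the install option from it. Minor: the new simplelist member is a bare URL while the paragraph spells out "knowledgebase article no: 189105"; the other members are bare URLs too, but an ulink here would make the cross-reference that the paragraph depends on clickable in the rendered output.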
diff --git a/docs/docbook/projdoc/NT4Migration.sgml b/docs/docbook/projdoc/NT4Migration.sgml
index 3640c78942..6e40709081 100644
--- a/docs/docbook/projdoc/NT4Migration.sgml
+++ b/docs/docbook/projdoc/NT4Migration.sgml
@@ -74,70 +74,253 @@ MS Windows 2000 and beyond (with or without Active Directory services).
</para>
<para>
-What are the features the Samba-3 can NOT provide?
+What are the features that Samba-3 can NOT provide?
</para>
-<simplelist>
- <member>Active Directory Server</member>
- <member>Group Policy Objects (in Active Direcrtory)</member>
- <member>Machine Policy objects</member>
- <member>Logon Scripts in Active Directorty</member>
- <member>Software Application and Access Controls in Active Directory</member>
-</simplelist>
+<itemizedlist>
+<listitem>
+ <para>Active Directory Server<para>
+</listitem>
+<listitem>
+ <para>Group Policy Objects (in Active Direcrtory)<para>
+</listitem>
+<listitem>
+ <para>Machine Policy objects<para>
+</listitem>
+<listitem>
+ <para>Logon Scripts in Active Directorty<para>
+</listitem>
+<listitem>
+ <para>Software Application and Access Controls in Active Directory<para>
+</listitem>
+</itemizedlist>
+
+<para>
+The features that Samba-3 DOES provide and that may be of compelling interest to your site
+includes:
+</para>
+
+<itemizedlist>
+<listitem>
+ <para>Lower Cost of Ownership</para>
+</listitem>
+<listitem>
+ <para>Global availability of support with no strings attached</para>
+</listitem>
+<listitem>
+ <para>Dynamic SMB Servers (ie:Can run more than one server per Unix/Linux system)</para>
+</listitem>
+<listitem>
+ <para>Creation of on-the-fly logon scripts</para>
+</listitem>
+<listitem>
+ <para>Creation of on-the-fly Policy Files</para>
+</listitem>
+<listitem>
+ <para>Greater Stability, Reliability, Performance and Availability</para>
+</listitem>
+<listitem>
+ <para>Manageability via an ssh connection</para>
+</listitem>
+<listitem>
+ <para>Flexible choices of back-end authentication technologies (tdbsam, ldapsam, mysqlsam)</para>
+</listitem>
+<listitem>
+ <para>Ability to implement a full single-signon architecture</para>
+</listitem>
+<listitem>
+ <para>Ability to distribute authentication systems for absolute minimum wide are network bandwidth demand</para>
+</listitem>
+</itemizedlist>
+
+<para>
+Before migrating a network from MS Windows NT4 to Samba-3 it is vital that all necessary factors are
+considered. Users should be educated about changes they may experience so that the change will be a
+welcome one and not become an obstacle to the work they need to do. The following are some of the
+factors that will go into a successful migration:
+</para>
+
+<sect3>
+<title>Domain Layout</title>
+
+<para>
+Samba-3 can be configured as a domain controller, a back-up domain controller (probably best called
+a secondary controller), a domain member, or as a stand-alone server. The Windows network security
+domain context should be sized and scoped before implementation. Particular attention needs to be
+paid to the location of the primary domain controller (PDC) as well as backup controllers (BDCs).
+It should be noted that one way in which Samba-3 differs from Microsoft technology is that if one
+chooses to use an LDAP authentication backend then the same database can be used by several different
+domains. This means that in a complex organisation there can be a single LDAP database, that itself
+can be distributed, that can simultaneously serve multiple domains (that can also be widely distributed).
+</para>
+
+<para>
+It is recommended that from a design perspective, the number of users per server, as well as the number
+of servers, per domain should be scaled according to needs and should also consider server capacity
+and network bandwidth.
+</para>
+
+<para>
+A physical network segment may house several domains, each of which may span multiple network segments.
+Where domains span routed network segments it is most advisable to consider and test the performance
+implications of the design and layout of a network. A Centrally located domain controller that is being
+designed to server mulitple route network segments may result in severe performance problems if the
+response time (eg: ping timing) between the remote segment and the PDC is more than 100 ms. In situations
+where the delay is too long it is highly recommended to locate a backup controller (BDC) to serve as
+the local authentication and access control server.
+</para>
+</sect3>
+
+<sect3>
+<title>Server Share and Directory Layout</title>
+
+<para>
+There are few cardinal rules to effective network design that can be broken with impunity.
+The most important rule of effective network management is that simplicity is king in every
+well controlled network. Every part of the infrastructure must be managed, the more complex
+it is, the greater will be the demand of keeping systems secure and functional.
+</para>
+
+<para>
+The nature of the data that must be stored needs to be born in mind when deciding how many
+shares must be created. The physical disk space layout should also be taken into account
+when designing where share points will be created. Keep in mind that all data needs to be
+backed up, thus the simpler the disk layout the easier it will be to keep track of what must
+be backed up to tape or other off-line storage medium. Always plan and implement for minimum
+maintenance. Leave nothing to chance in your design, above all, do not leave backups to chance:
+Backup and test, validate every backup, create a disaster recovery plan and prove that it works.
+</para>
+
+<para>
+Users should be grouped according to data access control needs. File and directory access
+is best controlled via group permissions and the use of the "sticky bit" on group controlled
+directories may substantially avoid file access complaints from samba share users.
+</para>
+
+<para>
+Many network administrators who are new to the game will attempt to use elaborate techniques
+to set access controls, on files, directories, shares, as well as in share definitions.
+There is the ever present danger that that administrator's successor will not understand the
+complex mess that has been inherited. Remember, apparent job security through complex design
+and implementation may ultimately cause loss of operations and downtime to users as the new
+administrator learns to untangle your web. Keep access controls simple and effective and
+make sure that users will never be interrupted by the stupidity of complexity.
+</para>
+</sect3>
+
+<sect3>
+<title>Logon Scripts</title>
+
+<para>
+Please refer to the section of this document on Advanced Network Adminsitration for information
+regarding the network logon script options for Samba-3. Logon scripts can help to ensure that
+all users gain share and printer connections they need.
+</para>
+
+<para>
+Logon scripts can be created on-the-fly so that all commands executed are specific to the
+rights and privilidges granted to the user. The preferred controls should be affected through
+group membership so that group information can be used to custom create a logong script using
+the <filename>root preexec</filename> parameters to the <filename>NETLOGON</filename> share.
+</para>
+
+<para>
+Some sites prefer to use a tool such as <filename>kixstart</filename> to establish a controlled
+user environment. In any case you may wish to do a google search for logon script process controls.
+In particular, you may wish to explore the use of the Microsoft knowledgebase article KB189105 that
+deals with how to add printers without user intervention via the logon script process.
+</para>
+</sect3>
+
+<sect3>
+<title>Profile Migration/Creation</title>
+
+<para>
+User and Group Profiles may be migrated using the tools described in the section titled Desktop Profile
+Management.
+</para>
+
+<para>
+Profiles may also be managed using the Samba-3 tool <filename>profiles</filename>. This tool allows
+the MS Windows NT style security identifiers (SIDs) that are stored inside the profile NTuser.DAT file
+to be changed to the SID of the Samba-3 domain.
+</para>
+</sect3>
+
+<sect3>
+<title>User and Group Accounts</title>
+
+<para>
+It is possible to migrate all account settings from an MS Windows NT4 domain to Samba-3. Before
+ attempting to migrate user and group accounts it is STRONGLY advised to create in Samba-3 the
+groups that are present on the MS Windows NT4 domain <ephasis>AND</emphasis> to connect these to
+suitable Unix/Linux groups. Following this simple advice will mean that all user and group attributes
+should migrate painlessly.
+</para>
+</sect3>
</sect2>
+
<sect2>
<title>Steps In Migration Process</title>
<para>
This is not a definitive ste-by-step process yet - just a place holder so the info
is not lost.
+</para>
-1. You will have an NT4 PDC that has the users, groups, policies and profiles to be migrated
+<itemizedlist>
+<listitem><para>
+You will have an NT4 PDC that has the users, groups, policies and profiles to be migrated
+</para></listitem>
-2. Samba-3 set up as a DC with netlogon share, profile share, etc.
+<listitem><para>
+Samba-3 set up as a DC with netlogon share, profile share, etc.
+</para></listitem>
+</itemizedlist>
-3. Process:
- a. Create a BDC account for the samba server using NT Server Manager
+<para><programlisting>
+Process:
+ Create a BDC account for the samba server using NT Server Manager
- Samba must NOT be running
- b. rpcclient NT4PDC -U Administrator%passwd
+ rpcclient NT4PDC -U Administrator%passwd
lsaquery
Note the SID returned by step b.
- c. net getsid -S NT4PDC -w DOMNAME -U Administrator%passwd
+ net getsid -S NT4PDC -w DOMNAME -U Administrator%passwd
Note the SID in step c.
- d. net getlocalsid
+ net getlocalsid
Note the SID, now check that all three SIDS reported are the same!
- e. net rpc join -S NT4PDC -w DOMNAME -U Administrator%passwd
+ net rpc join -S NT4PDC -w DOMNAME -U Administrator%passwd
- f. net rpc vampire -S NT4PDC -U administrator%passwd
+ net rpc vampire -S NT4PDC -U administrator%passwd
- g. pdbedit -l
+ pdbedit -l
Note - did the users migrate?
- h. initGrps.sh DOMNAME
+ initGrps.sh DOMNAME
- i. smbgroupedit -v
+ smbgroupedit -v
Now check that all groups are recognised
- j. net rpc campire -S NT4PDC -U administrator%passwd
+ net rpc campire -S NT4PDC -U administrator%passwd
- k. pdbedit -lv
+ pdbedit -lv
Note - check that all group membership has been migrated.
+</programlisting></para>
-
+<para>
Now it is time to migrate all the profiles, then migrate all policy files.
-
-Moe later.
+More later.
</para>
</sect2>
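Review bot: the five listitems in the "features that Samba-3 can NOT provide" list close their paragraphs with "<para>" instead of "</para>" (Active Directory Server, Group Policy Objects, Machine Policy objects, Logon Scripts, Software Application and Access Controls), and the User and Group Accounts paragraph opens "<ephasis>" but closes "</emphasis>"; the SGML build will not parse either, so fix before merging. In the process listing the step letters were dropped but the context lines "Note the SID returned by step b." and "Note the SID in step c." still refer to them; renumber or reword those notes. The removed line "Samba must NOT be running" (after creating the BDC account) has no replacement; if it no longer applies, say so, otherwise restore it, since the later net getlocalsid / net rpc join steps write to the local SID and passdb. The second vampire run is spelled "net rpc campire" (carried over from the old text) and should be "net rpc vampire", with a word on why it runs twice (the first pass pulls the accounts, the second, after initGrps.sh and smbgroupedit, picks up group membership once the groups are mapped). Also, "-U Administrator%passwd" puts the NT4 domain administrator password on the command line, where it is visible in the process list and shell history; the example should use "-U Administrator" and let rpcclient and net prompt for it. Spelling: "wide are network" (wide area network), "server mulitple route network segments" (serve multiple routed network segments), "Adminsitration", "privilidges", "logong script", "kixstart" (the product is KiXtart, as in the kixtart.org link in the other file), "born in mind" (borne), and "ste-by-step" in the unchanged context line.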
diff --git a/docs/docbook/projdoc/passdb.sgml b/docs/docbook/projdoc/passdb.sgml
index 0de0376df8..776c79f095 100644
--- a/docs/docbook/projdoc/passdb.sgml
+++ b/docs/docbook/projdoc/passdb.sgml
@@ -341,8 +341,9 @@ include:
<para>
The second item can be accomplished by using LDAP NSS and PAM modules. LGPL
versions of these libraries can be obtained from PADL Software
-(<ulink url="http://www.padl.com/">http://www.padl.com/</ulink>). However,
-the details of configuring these packages are beyond the scope of this document.
+(<ulink url="http://www.padl.com/">http://www.padl.com/</ulink>). More
+information about the configuration of these packages may be found at "LDAP,
+System Administration; Gerald Carter, O'Reilly; Chapter 6: Replacing NIS".
</para>
</sect2>
@@ -375,7 +376,7 @@ Samba 3.0 includes the necessary schema file for OpenLDAP 2.0 in
</para>
<para><programlisting>
-objectclass ( 1.3.1.5.1.4.1.7165.2.2.2 NAME 'sambaAccount' SUP top STRUCTURAL
+objectclass ( 1.3.1.5.1.4.1.7165.2.2.2 NAME 'sambaAccount' SUP top AUXILIARY
DESC 'Samba Account'
MUST ( uid $ rid )
MAY ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $
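Review bot: the STRUCTURAL to AUXILIARY change is correct, and the paragraph should say why: an LDAP entry can have only one structural object class chain, and a Samba user entry normally already uses posixAccount/person or similar as its structural class, so sambaAccount must be auxiliary to be combined with them. While touching this line, double-check the OID "1.3.1.5.1.4.1.7165.2.2.2": it looks like a transposition of the "1.3.6.1.4.1.<enterprise-number>" private-enterprise arc, and the value shown in the documentation should be copied from the schema file the preceding paragraph refers to rather than retyped.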
@@ -476,6 +477,11 @@ index rid eq
##index gidNumber eq
##index cn eq
##index memberUid eq
+
+# (both fetched via ldapsearch):
+index primaryGroupID eq
+index displayName pres,eq
+
</programlisting></para>
</sect3>
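Review bot: the comment "# (both fetched via ldapsearch):" above the two new index lines does not tell the reader why primaryGroupID and displayName need indexes; state that ldapsam searches on these attributes (equality on primaryGroupID, presence and equality on displayName) and that without the indexes those lookups become full scans of the user container. Worth adding that slapindex has to be run after changing index directives in slapd.conf when the database already holds entries, otherwise the new indexes are empty. The neighbouring "##index" lines stay commented out while these two are active; say whether that is intentional.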
@@ -485,16 +491,20 @@ index rid eq
<para>
The following parameters are available in smb.conf only with <parameter>--with-ldapsam</parameter>
-was included with compiling Samba.
+was included when compiling Samba.
</para>
<itemizedlist>
+ <listitem><para><ulink url="smb.conf.5.html#PASSDBBACKEND">passdb backend [ldapsam|ldapsam_nua]:url</ulink></para></listitem>
<listitem><para><ulink url="smb.conf.5.html#LDAPSSL">ldap ssl</ulink></para></listitem>
- <listitem><para><ulink url="smb.conf.5.html#LDAPSERVER">ldap server</ulink></para></listitem>
<listitem><para><ulink url="smb.conf.5.html#LDAPADMINDN">ldap admin dn</ulink></para></listitem>
<listitem><para><ulink url="smb.conf.5.html#LDAPSUFFIX">ldap suffix</ulink></para></listitem>
<listitem><para><ulink url="smb.conf.5.html#LDAPFILTER">ldap filter</ulink></para></listitem>
<listitem><para><ulink url="smb.conf.5.html#LDAPPORT">ldap port</ulink></para></listitem>
+ <listitem><para><ulink url="smb.conf.5.html#LDAPMACHINSUFFIX">ldap machine suffix</ulink></para></listitem>
+ <listitem><para><ulink url="smb.conf.5.html#LDAPUSERSUFFIX">ldap user suffix</ulink></para></listitem>
+ <listitem><para><ulink url="smb.conf.5.html#LDAPDELETEDN">ldap delete dn</ulink></para></listitem>
+
</itemizedlist>
<para>
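Review bot: the anchor in the new "ldap machine suffix" entry is "LDAPMACHINSUFFIX" (missing the E), so the link will not resolve in smb.conf.5.html; the other entries use the full parameter name. The list is introduced as parameters available only when Samba is compiled --with-ldapsam, but the added first entry, passdb backend, is a core parameter that exists regardless (only its ldapsam / ldapsam_nua values depend on the build option), so either note that or move it above the intro sentence. "ldap delete dn" controls whether smbpasswd -x removes the whole directory entry rather than only the Samba attributes; since the same entry usually carries the user's POSIX account, a one-line warning next to it would save someone from deleting Unix accounts while removing Samba ones.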
@@ -521,13 +531,20 @@ use with an LDAP directory could appear as
# changes, this password will need to be reset.
ldap admin dn = "cn=Samba Manager,ou=people,dc=samba,dc=org"
- # specify the LDAP server's hostname (defaults to locahost)
- ldap server = ahab.samba.org
-
# Define the SSL option when connecting to the directory
# ('off', 'start tls', or 'on' (default))
ldap ssl = start tls
+ passdb backend ldapsam:ldap://ahab.samba.org
+
+ # smbpasswd -x delete the entire dn-entry
+ ldap delete dn = no
+
+ # the machine and user suffix added to the base suffix
+ # wrote WITHOUT quotes. NULL siffixes by default
+ ldap user suffix = ou=People
+ ldap machine suffix = ou=Systems
+
# define the port to use in the LDAP session (defaults to 636 when
# "ldap ssl = on")
ldap port = 389
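Review bot: "passdb backend ldapsam:ldap://ahab.samba.org" is missing the "="; smb.conf parameters are written "name = value", so as shown the line is not a valid parameter and the example no longer names an LDAP server at all now that the "ldap server" line is removed. Suggest "passdb backend = ldapsam:ldap://ahab.samba.org". With the server given as a URL, the unchanged "ldap port = 389" line and its comment about defaulting to 636 sit awkwardly beside it; say which of the URL and "ldap port" takes precedence, or put the port in the URL and drop the line. The "ldap delete dn = no" comment reads "smbpasswd -x delete the entire dn-entry"; make it "whether smbpasswd -x deletes the entire DN entry or only the Samba attributes", and note that "no" is the safe choice when the entry also holds the POSIX account. Typos in the suffix comment: "wrote WITHOUT quotes. NULL siffixes by default" should be "written without quotes; empty suffixes by default". Finally, since the ldap admin dn password from the context lines is sent on every bind, it is worth saying in the "ldap ssl" comment that "start tls" (or "on") is what keeps that credential off the wire in clear text.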