Put Johns' changes back in again.

(This used to be commit d5a730fc097311f498dd7c3fb2516a1fc0fa1fe7)

14 files changed, 301 insertions, 350 deletions

diff --git a/docs/Samba3-ByExample/SBE-500UserNetwork.xml b/docs/Samba3-ByExample/SBE-500UserNetwork.xml
index fda931fa0e..357af42453 100644
--- a/docs/Samba3-ByExample/SBE-500UserNetwork.xml
+++ b/docs/Samba3-ByExample/SBE-500UserNetwork.xml
@@ -642,10 +642,10 @@ root = Administrator
 			<indexterm><primary>/etc/mime.convs</primary></indexterm>
 			<indexterm><primary>application/octet-stream</primary></indexterm>
 			This step, as well as the next one, may be omitted where CUPS version 1.1.18
-			or later is in use.  Although it does no harm to follow it anyhow, and may
-			help to avoid later time spent trying to figure out why print jobs may be
-			disappearing without trace. Look at these two steps as <emphasis>insurance</emphasis>
-			against lost time. Edit  file <filename>/etc/cups/mime.convs</filename> to 
+			or later is in use.  Although it does no harm to follow it anyway, and may
+			help to avoid time spent later trying to figure out why print jobs may be
+			disappearing without a trace. Look at these two steps as <emphasis>insurance</emphasis>
+			against lost time. Edit file <filename>/etc/cups/mime.convs</filename> to 
 			uncomment the line:
 <screen>
 application/octet-stream     application/vnd.cups-raw      0     -
@@ -694,7 +694,7 @@ application/octet-stream
 	<para>
 	There are some steps that apply to particular server functionality only. Each step is critical
 	to correct server operation. The following step-by-step installation guidance will assist you 
-	to work through the process of configuring the PDC and then both BDC's.
+	in working through the process of configuring the PDC and then both BDC's.
 	</para>
 
 		<sect3>
@@ -893,7 +893,7 @@ Added user <parameter>username</parameter>.
 		<title>Configuration Specific to Domain Member Servers: <constant>BLDG1, BLDG2</constant></title>
 
 		<para>
-		The following steps will guide you trough the nuances of imlplementing BDC's for the broadcast
+		The following steps will guide you through the nuances of implementing BDCs for the broadcast
 		isolated network segments. Remember that if the target installation platform is not Linux, it may
 		be necessary to adapt some commands to the equivalent on the target platform.
 		</para>
diff --git a/docs/Samba3-ByExample/SBE-AddingUNIXClients.xml b/docs/Samba3-ByExample/SBE-AddingUNIXClients.xml
index 78c76c91eb..7415da34b9 100644
--- a/docs/Samba3-ByExample/SBE-AddingUNIXClients.xml
+++ b/docs/Samba3-ByExample/SBE-AddingUNIXClients.xml
@@ -113,7 +113,7 @@
 			<indexterm><primary>accounts</primary><secondary>authoritative</secondary></indexterm>
 			<indexterm><primary>PDC</primary></indexterm>
 			<indexterm><primary>BDC</primary></indexterm>
-			A domain controller (PDC or BDC) is always authoritative for all accounts in its Domain.
+			A domain controller (PDC or BDC) is always authoritative for all accounts in its domain.
 			This means that a BDC must (of necessity) be able to resolve all account UIDs and GIDs
 			to the same values that the PDC resolved them to.
 			</para></listitem>
@@ -190,41 +190,32 @@
 			casual user.
 			</para></listitem>
 
-	  <listitem><para><indexterm>
-		<primary>winbind enable local accounts</primary>
-	      </indexterm><indexterm>
-		<primary>Domain Member</primary>
-		<secondary>servers</secondary>
-	      </indexterm><indexterm>
-		<primary>Domain Controllers</primary>
-	      </indexterm>
+			<listitem><para>
+			<indexterm><primary>winbind trusted domains only</primary></indexterm>
+			<indexterm><primary>domain member</primary><secondary>servers</secondary></indexterm>
+			<indexterm><primary>domain controllers</primary></indexterm>
 			If you wish to make use of accounts (users and/or groups) that are local to (i.e., capable
-			of being resolved using) the NSS facility, it is imperative to use the 
-			<smbconfoption name="winbind enable local accounts">Yes</smbconfoption>
-			in the &smb.conf; file. This parameter specifically applies only to domain controllers, 
-			not to domain member servers.
+			of being resolved using) the NSS facility, it is possible to use the 
+			<smbconfoption name="winbind trusted domains only">Yes</smbconfoption>
+			in the &smb.conf; file. This parameter specifically applies to domain controllers, 
+			and to domain member servers.
 			</para></listitem>
+
 		</itemizedlist>
 
-	<para><indexterm>
-	    <primary>Posix accounts</primary>
-	  </indexterm><indexterm>
-	    <primary>Samba accounts</primary>
-	  </indexterm><indexterm>
-	    <primary>LDAP</primary>
-	  </indexterm>
+		<para>
+		<indexterm><primary>Posix accounts</primary></indexterm>
+		<indexterm><primary>Samba accounts</primary></indexterm>
+		<indexterm><primary>LDAP</primary></indexterm>
 		For many administrators, it should be plain that the use of an LDAP-based repository for all network
 		accounts (both for POSIX accounts and for Samba accounts) provides the most elegant and
 		controllable facility. You eventually appreciate the decision to use LDAP.
 		</para>
 
-	<para><indexterm>
-	    <primary>nss_ldap</primary>
-	  </indexterm><indexterm>
-	    <primary>identifiers</primary>
-	  </indexterm><indexterm>
-	    <primary>resolve</primary>
-	  </indexterm>
+		<para>
+		<indexterm><primary>nss_ldap</primary></indexterm>
+		<indexterm><primary>identifiers</primary></indexterm>
+		<indexterm><primary>resolve</primary></indexterm>
 		If your network account information resides in an LDAP repository, you should use it ahead of any
 		alternative method. This means that if it is humanly possible to use the <command>nss_ldap</command>
 		tools to resolve UNIX account UIDs/GIDs via LDAP, this is the preferred solution, because it provides
@@ -232,20 +223,13 @@
 		throughout the network.
 		</para>
 
-		<para><indexterm>
-	    <primary>Domain Member</primary>
-	    <secondary>server</secondary>
-	  </indexterm><indexterm>
-	    <primary>winbind trusted domains only</primary>
-	  </indexterm><indexterm>
-	    <primary>getpwnam</primary>
-	  </indexterm><indexterm>
-	    <primary>smbd</primary>
-	  </indexterm><indexterm>
-	    <primary>Trusted Domains</primary>
-	  </indexterm><indexterm>
-	    <primary>External Domains</primary>
-	  </indexterm>
+		<para>
+		<indexterm><primary>Domain Member</primary><secondary>server</secondary></indexterm>
+		<indexterm><primary>winbind trusted domains only</primary></indexterm>
+		<indexterm><primary>getpwnam</primary></indexterm>
+		<indexterm><primary>smbd</primary></indexterm>
+		<indexterm><primary>Trusted Domains</primary></indexterm>
+		<indexterm><primary>External Domains</primary></indexterm>
 		In the situation where UNIX accounts are held on the domain member server itself, the only effective
 		way to use them involves the &smb.conf; entry 
 		<smbconfoption name="winbind trusted domains only">Yes</smbconfoption>. This forces 
@@ -254,17 +238,12 @@
 		disables the use of Samba with trusted domains (i.e., external domains).
 		</para>
 
-	<para><indexterm>
-	    <primary>appliance mode</primary>
-	  </indexterm><indexterm>
-	    <primary>Domain Member</primary>
-	    <secondary>server</secondary>
-	  </indexterm><indexterm>
-	    <primary>winbindd</primary>
-	  </indexterm><indexterm>
-	    <primary>automatically allocate</primary>
-	  </indexterm>
-	        Winbind can be used to create an appliance mode domain member server. In this capacity, <command>winbindd</command>
+		<para>
+		<indexterm><primary>appliance mode</primary></indexterm>
+		<indexterm><primary>Domain Member</primary><secondary>server</secondary></indexterm>
+		<indexterm><primary>winbindd</primary></indexterm>
+		<indexterm><primary>automatically allocate</primary></indexterm>
+		Winbind can be used to create an appliance mode domain member server. In this capacity, <command>winbindd</command>
 		is configured to automatically allocate UIDs/GIDs from numeric ranges set in the &smb.conf; file. The allocation
 		is made for all accounts that connect to that domain member server, whether within its own domain or from
 		trusted domains. If not stored in an LDAP backend, each domain member maintains its own unique mapping database.
@@ -273,9 +252,8 @@
 		is stored in the <filename>winbindd_idmap.tdb</filename> and <filename>winbindd_cache.tdb</filename> files.
 		</para>
 	
-	<para><indexterm>
-	    <primary>mapping</primary>
-	  </indexterm>
+		<para>
+		<indexterm><primary>mapping</primary></indexterm>
 		The use of an LDAP backend for the Winbind IDMAP facility permits Windows domain SIDs
 		mappings to UIDs/GIDs to be stored centrally. The result is a consistent mapping across all domain member
 		servers so configured. This solves one of the major headaches for network administrators who need to copy
@@ -287,16 +265,11 @@
 	<sect2>
 		<title>Political Issues</title>
 
-	<para><indexterm>
-	    <primary>OpenLDAP</primary>
-	  </indexterm><indexterm>
-	    <primary>NIS</primary>
-	  </indexterm><indexterm>
-	    <primary>yellow pages</primary>
-	    <see>NIS</see>
-	  </indexterm><indexterm>
-	    <primary>identity management</primary>
-	  </indexterm>
+		<para>
+		<indexterm><primary>OpenLDAP</primary></indexterm>
+		<indexterm><primary>NIS</primary></indexterm>
+		<indexterm><primary>yellow pages</primary><see>NIS</see></indexterm>
+		<indexterm><primary>identity management</primary></indexterm>
 		One of the most fierce conflicts recently being waged is resistance to the adoption of LDAP, in
 		particular OpenLDAP, as a replacement for UNIX NIS (previously called Yellow Pages). Let's face it, LDAP
 		is different and requires a new approach to the need for a better identity management solution. The more
@@ -311,11 +284,9 @@
 		commercial integration products. But it's not what Active Directory was designed for.
 		</para>
 
-	<para><indexterm>
-	    <primary>directory</primary>
-	  </indexterm><indexterm>
-	    <primary>management</primary>
-	  </indexterm>
+		<para>
+		<indexterm><primary>directory</primary></indexterm>
+		<indexterm><primary>management</primary></indexterm>
 		A number of long-term UNIX devotees have recently commented in various communications that the Samba Team
 		is the first application group to almost force network administrators to use LDAP. It should be pointed
 		out that we resisted this for as long as we could. It is not out of laziness or malice that LDAP has
@@ -330,25 +301,18 @@
 <sect1>
 	<title>Implementation</title>
 
-      <para><indexterm>
-	  <primary>Domain Member</primary>
-	  <secondary>server</secondary>
-	</indexterm><indexterm>
-	  <primary>Domain Member</primary>
-	  <secondary>client</secondary>
-	</indexterm><indexterm>
-	  <primary>Domain Controller</primary>
-	</indexterm>
-	The domain Member server and the domain member client are at the center of focus in this chapter.
+	<para>
+	<indexterm><primary>Domain Member</primary><secondary>server</secondary></indexterm>
+	<indexterm><primary>Domain Member</primary><secondary>client</secondary></indexterm>
+	<indexterm><primary>Domain Controller</primary></indexterm>
+	The domain member server and the domain member client are at the center of focus in this chapter.
 	Configuration of Samba-3 domain controller is covered in earlier chapters, so if your 
 	interest is in domain controller configuration, you will not find that here. You will find good
 	oil that helps you to add domain member servers and clients.
 	</para>
 
-      <para><indexterm>
-	  <primary>Domain Member</primary>
-	  <secondary>workstations</secondary>
-	</indexterm>
+	<para>
+	<indexterm><primary>Domain Member</primary><secondary>workstations</secondary></indexterm>
 	In practice, domain member servers and domain member workstations are very different entities, but in
 	terms of technology they share similar core infrastructure. A technologist would argue that servers
 	and workstations are identical. Many users would argue otherwise, given that in a well-disciplined
@@ -357,22 +321,18 @@
 	but a server is viewed as a core component of the business.
 	</para>
 
-      <para><indexterm>
-	  <primary>workstation</primary>
-	</indexterm>
+	<para>
+	<indexterm><primary>workstation</primary></indexterm>
 	We can look at this another way. If a workstation breaks down, one user is affected, but if a
 	server breaks down, hundreds of users may not be able to work. The services that a workstation
 	must provide are document- and file-production oriented; a server provides information storage
 	and is distribution oriented.
 	</para>
 
-      <para><indexterm>
-	  <primary>authentication process</primary>
-	</indexterm><indexterm>
-	  <primary>logon process</primary>
-	</indexterm><indexterm>
-	  <primary>user identities</primary>
-	</indexterm>
+	<para>
+	<indexterm><primary>authentication process</primary></indexterm>
+	<indexterm><primary>logon process</primary></indexterm>
+	<indexterm><primary>user identities</primary></indexterm>
 	<emphasis>Why is this important?</emphasis> For starters, we must identify what
 	components of the operating system and its environment must be configured. Also, it is necessary
 	to recognize where the interdependencies between the various services to be used are.
@@ -388,52 +348,52 @@
 	</para>
 
 	<sect2 id="sdcsdmldap">
-		<title>Samba Domain with Samba Domain Member Server &smbmdash; Using LDAP</title>
+	<title>Samba Domain with Samba Domain Member Server &smbmdash; Using NSS LDAP</title>
 
-	<para><indexterm>
-	    <primary>ldapsam</primary>
-	  </indexterm><indexterm>
-	    <primary>ldapsam backend</primary>
-	  </indexterm><indexterm>
-	    <primary>IDMAP</primary>
-	  </indexterm><indexterm>
-	    <primary>mapping</primary>
-	    <secondary>consistent</secondary>
-	  </indexterm><indexterm>
-	    <primary>winbindd</primary>
-	  </indexterm><indexterm>
-	    <primary>foreign SID</primary>
-	  </indexterm>
+	<para>
+	<indexterm><primary>ldapsam</primary></indexterm>
+	<indexterm><primary>ldapsam backend</primary></indexterm>
+	<indexterm><primary>IDMAP</primary></indexterm>
+	<indexterm><primary>mapping</primary><secondary>consistent</secondary></indexterm>
+	<indexterm><primary>winbindd</primary></indexterm>
+	<indexterm><primary>foreign SID</primary></indexterm>
 	In this example, it is assumed that you have Samba PDC/BDC servers. This means you are using
 	an LDAP ldapsam backend. We are adding to the LDAP backend database (directory)
 	containers for use by the IDMAP facility. This makes it possible to have globally consistent
-	mapping of SIDs to and from UIDs and GIDs. This means that you are running <command>winbindd</command>
-	as part of your configuration. The primary purpose of running <command>winbindd</command> (within
-	this operational context) is to permit mapping of foreign SIDs (those not originating from our 
-	own domain). Foreign SIDs can come from any external domain or from Windows clients that do not 
-	belong to a domain.
+	mapping of SIDs to and from UIDs and GIDs. This means that it is necessary to run 
+	<command>winbindd</command> as part of your configuration. The primary purpose of running
+	<command>winbindd</command> (within this operational context) is to permit mapping of foreign
+	SIDs (those not originating from the the local Samba server). Foreign SIDs can come from any
+	domain member client or server, or from Windows clients that do not belong to a domain. Another
+	way to explain the necessity to run <command>winbindd</command> is that Samba can locally
+	resolve only accounts that belong to the security context of its own machine SID. Winbind
+	handles all non-local SIDs and maps them to a local UID/GID value. The UID and GID are allocated
+	from the parameter values set in the &smb.conf; file for the <parameter>idmap uid</parameter> and
+	<parameter>idmap gid</parameter> ranges. Where LDAP is used, the mappings can be stored in LDAP
+	so that all domain member servers can use a consistent mapping.
 	</para>
 
-	<para><indexterm>
-	    <primary>winbindd</primary>
-	  </indexterm><indexterm>
-	    <primary>getpwnam</primary>
-	  </indexterm><indexterm>
-	    <primary>NSS</primary>
-	  </indexterm>
-	If your installation is accessed only from clients that are members of your own domain, then
-	it is not necessary to run <command>winbindd</command> as long as all users can be resolved
-	locally via the <command>getpwnam()</command> system call. On NSS-enabled systems, this condition
-	is met by having
+	<para>
+	<indexterm><primary>winbindd</primary></indexterm>
+	<indexterm><primary>getpwnam</primary></indexterm>
+	<indexterm><primary>NSS</primary></indexterm>
+	If your installation is accessed only from clients that are members of your own domain, and all 
+	user accounts are present in a local passdb backend then it is not necessary to run
+	<command>winbindd</command>. The local passdb backend can be in smbpasswd, tdbsam, or in ldapsam.
+	</para>
+
+	<para>
+	It is possible to use a local passdb backend with any convenient means of resolving the POSIX
+	user and group account information. The POSIX information is usually obtained using the
+	<command>getpwnam()</command> system call. On NSS-enabled systems, the actual POSIX account
+	source can be provided from
 	</para>
 
 	<itemizedlist>
-	  <listitem><para><indexterm>
-		<primary>/etc/passwd</primary>
-	      </indexterm><indexterm>
-		<primary>/etc/group</primary>
-	      </indexterm>
-		All accounts in <filename>/etc/passwd</filename> or in <filename>/etc/group</filename>.
+		<listitem><para>
+		<indexterm><primary>/etc/passwd</primary></indexterm>
+		<indexterm><primary>/etc/group</primary></indexterm>
+		Accounts in <filename>/etc/passwd</filename> or in <filename>/etc/group</filename>.
 		</para></listitem>
 
 		<listitem><para>
@@ -455,6 +415,12 @@
 		</para></listitem>
 	</itemizedlist>
 
+	<note><para>
+	To advoid confusion the use of the term <literal>local passdb backend</literal> means that
+	the user account backend is not shared by any other Samba server &smbmdash; instead, it is
+	used only locally on the Samba domain member server under discussion.
+	</para></note>
+
 	<para>
 	<indexterm><primary>Identity resolution</primary></indexterm>
 	The diagram in <link linkend="ch9-sambadc"/> demonstrates the relationship of Samba and system 
@@ -467,11 +433,9 @@
 	<imagefile scale="60">chap9-SambaDC</imagefile>
 </figure>
 
-	<para><indexterm>
-	    <primary>IDMAP</primary>
-	  </indexterm><indexterm>
-	    <primary>foreign</primary>
-	  </indexterm>
+	<para>
+	<indexterm><primary>IDMAP</primary></indexterm>
+	<indexterm><primary>foreign</primary></indexterm>
 	In this example configuration, Samba will directly search the LDAP-based passwd backend ldapsam
 	to obtain authentication and user identity information. The IDMAP information is stored in the LDAP
 	backend so that it can be shared by all domain member servers so that every user will have a
@@ -487,25 +451,30 @@
 	</para>
 
 	<procedure>
-	<title>Configuration of LDAP-Based Identity Resolution</title>
+	<title>Configuration of NSS_LDAP-Based Identity Resolution</title>
 
 		<step><para>
 		Create the &smb.conf; file as shown in <link linkend="ch9-sdmsdc"/>. Locate
 		this file in the directory <filename>/etc/samba</filename>.
 		</para></step>
 
-	  <step><para><indexterm>
-		<primary>ldap.conf</primary>
-	      </indexterm>
+		<step><para>
+		<indexterm><primary>ldap.conf</primary></indexterm>
 		Configure the file that will be used by <constant>nss_ldap</constant> to
 		locate and communicate with the LDAP server. This file is called <filename>ldap.conf</filename>.
 		If your implementation of <constant>nss_ldap</constant> is consistent with
 		the defaults suggested by PADL (the authors), it will be located in the
 		<filename>/etc</filename> directory. On some systems, the default location is
-		the <filename>/etc/openldap</filename> directory. Change the parameters inside
-		the file that is located on your OS so it matches <link linkend="ch9-sdmlcnf"/>.
-		To find the correct location of this file, you can obtain this from the
-		library that will be used by executing the following:
+		the <filename>/etc/openldap</filename> directory, however this file is intended
+		for use by the OpenLDAP utilities and should not really be used by the nss_ldap
+		utility since its content and structure serves the specific purpose of enabling
+		the resolution of user and group IDs via NSS.
+		</para>
+
+		<para>
+		Change the parameters inside the file that is located on your OS so it matches
+		<link linkend="ch9-sdmlcnf"/>.  To find the correct location of this file, you
+		can obtain this from the library that will be used by executing the following:
 <screen>
 &rootprompt; strings /lib/libnss_ldap* | grep ldap.conf
 /etc/ldap.conf
@@ -513,15 +482,13 @@
 		</para></step>
 
 		<step><para>
-		Configure the NSS control file so it matches the one shown
-		in <link linkend="ch9-sdmnss"/>.
+		Configure the NSS control file so it matches the one shown in
+		<link linkend="ch9-sdmnss"/>.
 		</para></step>
 
-	  <step><para><indexterm>
-		<primary>Identity resolution</primary>
-	      </indexterm><indexterm>
-		<primary>getent</primary>
-	      </indexterm>
+		<step><para>
+		<indexterm><primary>Identity resolution</primary></indexterm>
+		<indexterm><primary>getent</primary></indexterm>
 		Before proceeding to configure Samba, validate the operation of the NSS identity 
 		resolution via LDAP by executing:
 <screen>
@@ -556,24 +523,21 @@ Finances:x:1001:
 PIOps:x:1002:
 sammy:x:4321:
 </screen>
-	      <indexterm>
-		<primary>secondary group</primary>
-	      </indexterm><indexterm>
-		<primary>primary group</primary>
-	      </indexterm><indexterm>
-		<primary>group membership</primary>
-	      </indexterm>
+		<indexterm><primary>secondary group</primary></indexterm>
+		<indexterm><primary>primary group</primary></indexterm>
+		<indexterm><primary>group membership</primary></indexterm>
 		This shows that all is working as it should be. Notice that in the LDAP database
 		the users' primary and secondary group memberships are identical. It is not
 		necessary to add secondary group memberships (in the group database) if the
 		user is already a member via primary group membership in the password database.
 		When using winbind, it is in fact undesirable to do this because it results in
-		doubling up of group memberships and may break winbind under certain conditions.
+		doubling up of group memberships and may cause problems with winbind under certain 
+		conditions. It is intended that these limitations with winbind will be resolved soon
+		after Samba-3.0.20 has been released.
 		</para></step>
 
-	  <step><para><indexterm>
-		<primary>slapcat</primary>
-	      </indexterm>
+		<step><para>
+		<indexterm><primary>slapcat</primary></indexterm>
 		The LDAP directory must have a container object for IDMAP data. There are several ways you can
 		check that your LDAP database is able to receive IDMAP information. One of the simplest is to
 		execute:
@@ -582,25 +546,28 @@ sammy:x:4321:
 dn: ou=Idmap,dc=abmas,dc=biz
 ou: idmap
 </screen>
-	      <indexterm>
-		<primary>ldapadd</primary>
-	      </indexterm>
-	        If the execution of this command does not return IDMAP entries, you need to create an LDIF
-		template file (see <link linkend="ch9-ldifadd"/>). You can add the required entries using the following command:
+		<indexterm><primary>ldapadd</primary></indexterm>
+		If the execution of this command does not return IDMAP entries, you need to create an LDIF
+		template file (see <link linkend="ch9-ldifadd"/>). You can add the required entries using
+		the following command:
 <screen>
 &rootprompt; ldapadd -x -D "cn=Manager,dc=abmas,dc=biz" \
 		-w not24get &lt; /etc/openldap/idmap.LDIF
 </screen>
-		Samba automatically populates this LDAP directory container when it needs to.
 		</para></step>
 
-	  <step><para><indexterm>
-		<primary>net</primary>
-		<secondary>rpc</secondary>
-		<tertiary>join</tertiary>
-	      </indexterm><indexterm>
-		<primary>Domain join</primary>
-	      </indexterm>
+		<step><para>
+		Samba automatically populates the LDAP directory container when it needs to. To permit Samba
+		write access to the LDAP directory it is necessary to set the LDAP administrative password
+		in the <filename>secrets.tdb</filename> file as shown here:
+<screen>
+&rootprompt; smbpasswd -w not24get
+</screen>
+		</para></step>
+
+		<step><para>
+		<indexterm><primary>net</primary><secondary>rpc</secondary><tertiary>join</tertiary></indexterm>
+		<indexterm><primary>Domain join</primary></indexterm>
 		The system is ready to join the domain. Execute the following:
 <screen>
 &rootprompt; net rpc join -U root%not24get
@@ -632,9 +599,9 @@ Joined domain MEGANET2.
 		<indexterm><primary>failed join</primary></indexterm>
 		<indexterm><primary>rejected</primary></indexterm>
 		<indexterm><primary>restrict anonymous</primary></indexterm>
-		Note: Use "root" for UNIX/Linux and Samba, use "Administrator"for Windows NT4/200X. If the cause of
+		Note: Use "root" for UNIX/Linux and Samba, use "Administrator" for Windows NT4/200X. If the cause of
 		the failure appears to be related to a rejected or failed NT_SESSION_SETUP*  or an error message that
-		says NT_STATUS_ACCESS_DENIED  immediately check the Windows registry setting that controls the
+		says NT_STATUS_ACCESS_DENIED immediately check the Windows registry setting that controls the
 		<constant>restrict anonymous</constant> setting. Set this to the value 0 so that an anonymous connection
 		can be sustained, then try again.
 		</para>
@@ -665,12 +632,12 @@ Join to 'MEGANET2' failed.
 		<step><para>
 		<indexterm><primary>wbinfo</primary></indexterm>
 		Just joining the domain is not quite enough; you must now provide a privileged set
-		of credentials through which <command>winbindd</command> can interact with the ADS
+		of credentials through which <command>winbindd</command> can interact with the 
 		domain servers. Execute the following to implant the necessary credentials:
 <screen>
 &rootprompt; wbinfo --set-auth-user=Administrator%not24get
 </screen>
-		The configuration is now ready to obtain ADS domain user and group information.
+		The configuration is now ready to obtain the Samba domain user and group information.
 		</para></step>
 
 		<step><para>
@@ -786,7 +753,7 @@ aliases:        files
 	</sect2>
 
 	<sect2 id="wdcsdm">
-		<title>NT4/Samba Domain with Samba Domain Member Server: Using Winbind</title>
+		<title>NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</title>
 
 	<para>
 	You need to use this method for creating a Samba domain member server if any of the following conditions
@@ -803,32 +770,27 @@ aliases:        files
 		</para></listitem>
 
 		<listitem><para>
-		The Samba domain member server must be part of a Windows NT4 Domain.
+		The Samba domain member server must be part of a Windows NT4 Domain, or a Samba Domain.
 		</para></listitem>
 	</itemizedlist>
 
-	<para><indexterm>
-	    <primary>Windows ADS Domain</primary>
-	  </indexterm><indexterm>
-	    <primary>Samba Domain</primary>
-	  </indexterm><indexterm>
-	    <primary>LDAP</primary>
-	  </indexterm>
+	<para>
+	<indexterm><primary>Windows ADS Domain</primary></indexterm>
+	<indexterm><primary>Samba Domain</primary></indexterm>
+	<indexterm><primary>LDAP</primary></indexterm>
 	Later in the chapter, you can see how to configure a Samba domain member server for a Windows ADS domain.
 	Right now your objective is to configure a Samba server that can be a member of a Windows NT4-style
 	domain and/or does not use LDAP.
 	</para>
 
-	<note><para><indexterm>
-	      <primary>duplicate accounts</primary>
-	    </indexterm>
+	<note><para>
+	<indexterm><primary>duplicate accounts</primary></indexterm>
 	If you use <command>winbind</command> for identity resolution, make sure that there are no
 	duplicate accounts.
 	</para>
 
-	  <para><indexterm>
-	      <primary>/etc/passwd</primary>
-	    </indexterm>
+	<para>
+	<indexterm><primary>/etc/passwd</primary></indexterm>
 	For example, do not have more than one account that has UID=0 in the password database. If there 
 	is an account called <constant>root</constant> in the <filename>/etc/passwd</filename> database, 
 	it is okay to have an account called <constant>root</constant> in the LDAP ldapsam or in the 
@@ -837,29 +799,20 @@ aliases:        files
 	<constant>root</constant>.
 	</para>
 
-	  <para><indexterm>
-	      <primary>/etc/passwd</primary>
-	    </indexterm><indexterm>
-	      <primary>ldapsam</primary>
-	    </indexterm><indexterm>
-	      <primary>tdbsam</primary>
-	    </indexterm>
+	<para>
+	<indexterm><primary>/etc/passwd</primary></indexterm>
+	<indexterm><primary>ldapsam</primary></indexterm>
+	<indexterm><primary>tdbsam</primary></indexterm>
 	Winbind will break if there is an account in <filename>/etc/passwd</filename> that has 
 	the same UID as an account that is in LDAP ldapsam (or in tdbsam) but that differs in name only.
 	</para></note>
 
-	<para><indexterm>
-	    <primary>credentials</primary>
-	  </indexterm><indexterm>
-	    <primary>traverse</primary>
-	  </indexterm><indexterm>
-	    <primary>wide-area</primary>
-	  </indexterm><indexterm>
-	    <primary>network</primary>
-	    <secondary>wide-area</secondary>
-	  </indexterm><indexterm>
-	    <primary>tdbdump</primary>
-	  </indexterm>
+	<para>
+	<indexterm><primary>credentials</primary></indexterm>
+	<indexterm><primary>traverse</primary></indexterm>
+	<indexterm><primary>wide-area</primary></indexterm>
+	<indexterm><primary>network</primary><secondary>wide-area</secondary></indexterm>
+	<indexterm><primary>tdbdump</primary></indexterm>
 	The following configuration uses CIFS/SMB protocols alone to obtain user and group credentials.
 	The winbind information is locally cached in the <filename>winbindd_cache.tdb winbindd_idmap.tdb</filename>
 	files. This provides considerable performance benefits compared with the LDAP solution, particularly
@@ -876,32 +829,26 @@ aliases:        files
 		shown in <link linkend="ch0-NT4DSDM"/>.
 		</para></step>
 
-	  <step><para><indexterm>
-		<primary>/etc/nsswitch.conf</primary>
-	      </indexterm>
+		<step><para>
+		<indexterm><primary>/etc/nsswitch.conf</primary></indexterm>
 		Edit the <filename>/etc/nsswitch.conf</filename> so it has the entries shown in
 		<link linkend="ch9-sdmnss"/>.
 		</para></step>
 
-	  <step><para><indexterm>
-		<primary>net</primary>
-		<secondary>rpc</secondary>
-		<tertiary>join</tertiary>
-	      </indexterm>
+		<step><para>
+		<indexterm><primary>net</primary><secondary>rpc</secondary><tertiary>join</tertiary></indexterm>
 		The system is ready to join the domain. Execute the following:
 <screen>
 net rpc join -U root%not2g4et
 Joined domain MEGANET2.
 </screen>
-                This indicates that the domain join succeed.
+		This indicates that the domain join succeed.
 
 		</para></step>
 
-	  <step><para><indexterm>
-		<primary>winbind</primary>
-	      </indexterm><indexterm>
-		<primary>wbinfo</primary>
-	      </indexterm>
+		<step><para>
+		<indexterm><primary>winbind</primary></indexterm>
+		<indexterm><primary>wbinfo</primary></indexterm>
 		Validate operation of <command>winbind</command> using the <command>wbinfo</command>
 		tool as follows:
 <screen>
@@ -929,13 +876,10 @@ MEGANET2+PIOps
 		This shows that domain groups have been correctly obtained also.
 		</para></step>
 
-	  <step><para><indexterm>
-		<primary>NSS</primary>
-	      </indexterm><indexterm>
-		<primary>getent</primary>
-	      </indexterm><indexterm>
-		<primary>winbind</primary>
-	      </indexterm>
+		<step><para>
+		<indexterm><primary>NSS</primary></indexterm>
+		<indexterm><primary>getent</primary></indexterm>
+		<indexterm><primary>winbind</primary></indexterm>
 		The next step verifies that NSS is able to obtain this information
 		correctly from <command>winbind</command> also.
 <screen>
@@ -979,6 +923,7 @@ MEGANET2+PIOps:x:10005:
 		<step><para>
 		The Samba member server of a Windows NT4 domain is ready for use.
 		</para></step>
+
 	</procedure>
 
 <example id="ch0-NT4DSDM">
@@ -1063,7 +1008,7 @@ MEGANET2+PIOps:x:10005:
 net rpc join -U root%not24get
 Joined domain MEGANET2.
 </screen>
-                This indicates that the domain join succeed.
+		This indicates that the domain join succeed.
 		</para></step>
 
 		<step><para>
@@ -1180,9 +1125,8 @@ Joined domain MEGANET2.
 	<procedure>
 	<title>Joining a Samba Server as an ADS Domain Member</title>
 
-	  <step><para><indexterm>
-		<primary>smbd</primary>
-	      </indexterm>
+		<step><para>
+		<indexterm><primary>smbd</primary></indexterm>
 		Before you try to use Samba-3, you want to know for certain that your executables have
 		support for Kerberos and for LDAP. Execute the following to identify whether or
 		not this build is perhaps suitable for use:
@@ -1498,11 +1442,8 @@ Server time offset: 2
 		In any case, the output we obtained confirms that all systems are operational.
 		</para></step>
 
-	  <step><para><indexterm>
-		<primary>net</primary>
-		<secondary>ads</secondary>
-		<tertiary>status</tertiary>
-	      </indexterm>
+		<step><para>
+		<indexterm><primary>net</primary><secondary>ads</secondary><tertiary>status</tertiary></indexterm>
 		There is one more action you elect to take, just because you are paranoid and disbelieving,
 		so you execute the following command:
 <programlisting>
@@ -1583,6 +1524,7 @@ Permissions:
 		called <constant>FRAN</constant> is able to communicate fully with the ADS
 		domain controllers.
 		</para></step>
+
 	</procedure>
 
 
@@ -2023,7 +1965,7 @@ ssl     no
                 </para></step>
 
                 <step><para>
-                Configure an LDAP server and initialize the directory with the top level entries needed by IDMAP
+                Configure an LDAP server and initialize the directory with the top-level entries needed by IDMAP
                 as shown in the following LDIF file:
 <screen>
 dn: dc=snowshow,dc=com
@@ -2237,8 +2179,8 @@ hosts:  files wins
         </itemizedlist>
 
 	<para>
-	The following guidelines are pertinent the deployment of winbind-based authentication
-	and identity resolution with the express purpose of allowing users to log onto UNIX/Linux desktops
+	The following guidelines are pertinent to the deployment of winbind-based authentication
+	and identity resolution with the express purpose of allowing users to log on to UNIX/Linux desktops
 	using Windows network domain user credentials (username and password).
 	</para>
 
@@ -2261,7 +2203,7 @@ hosts:  files wins
 	<indexterm><primary>PAM</primary></indexterm>
 	<indexterm><primary>Identity resolution</primary></indexterm>
 	<indexterm><primary>NSS</primary></indexterm>
-	To permit users to log onto a Linux system using Windows network credentials, you need to
+	To permit users to log on to a Linux system using Windows network credentials, you need to
 	configure identity resolution (NSS) and PAM. This means that the basic steps include those
 	outlined above with the addition of PAM configuration. Given that most workstations (desktop/client)
 	usually do not need to provide file and print services to a group of users, the configuration
@@ -2443,7 +2385,7 @@ session     sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
 		The addition of UNIX/Linux Samba servers and clients is a common requirement. In this chapter, you
 		learned how to integrate such servers so that the UID/GID mappings they use can be consistent
 		across all domain member servers. You also discovered how to implement the ability to use Samba
-		or Windows domain account credentials to log onto a UNIX/Linux client.
+		or Windows domain account credentials to log on to a UNIX/Linux client.
 		</para>
 
 		<para>
@@ -2624,7 +2566,7 @@ session     sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
 	<question>
 
 		<para>
-		Are you suggesting that users should not log onto a domain member server? If so, why?
+		Are you suggesting that users should not log on to a domain member server? If so, why?
 		</para>
 
 	</question>
diff --git a/docs/Samba3-ByExample/SBE-Appendix1.xml b/docs/Samba3-ByExample/SBE-Appendix1.xml
index 5e9fd1f07b..cc22e4ca9d 100644
--- a/docs/Samba3-ByExample/SBE-Appendix1.xml
+++ b/docs/Samba3-ByExample/SBE-Appendix1.xml
@@ -1224,10 +1224,10 @@ to LAM using only SSL.
 	</para>
 	
 	<para>
-	The next major release, LAM 0.5, will have less restrictions and support the latest Samba features
-	(e.g. logon hours). The new plugin based architecture also allows to manage much more different
-	account types like plain Unix accounts. The upload can now handle groups and hosts, too. Another
-	important point is the tree view which allows to browse and edit LDAP objects directly.
+	The next major release, LAM 0.5, will have fewer restrictions and support the latest Samba features
+	(e.g., logon hours). The new plugin-based architecture also allows management of much more different
+	account types like plain UNIX accounts. The upload can now handle groups and hosts, too. Another
+	important point is the tree view which allows browsing and editing LDAP objects directly.
 	</para>
 
 <example id="lamcfg">
@@ -1419,7 +1419,7 @@ drw-rw-r--    2 bobj     Domain Users  12346 Dec 18 18:11 maryvfile.txt
 	<title>Microsoft Access</title>
 
 	<para>
-	The best advice that can be given is to carefully read the Microsoft knowledge base articles that
+	The best advice that can be given is to carefully read the Microsoft knowledgebase articles that
 	cover this area. Examples of relevant documents include:
 	</para>
 
diff --git a/docs/Samba3-ByExample/SBE-DomainAppsSupport.xml b/docs/Samba3-ByExample/SBE-DomainAppsSupport.xml
index 4ca9a097a8..2913873692 100644
--- a/docs/Samba3-ByExample/SBE-DomainAppsSupport.xml
+++ b/docs/Samba3-ByExample/SBE-DomainAppsSupport.xml
@@ -36,7 +36,7 @@
 	With this acquisition comes new challenges for you and your team. Abmas Snack 
 	Foods is a well-developed business with a huge and heterogeneous network. It 
 	already has Windows, NetWare, and Proprietary UNIX, but as yet no Samba or Linux. 
-	The network is mature and well established, and there is no question of its chosen 
+	The network is mature and well-established, and there is no question of its chosen 
 	user authentication scheme being changed for now. You need to take a wise new 
 	approach.
 	</para>
@@ -792,7 +792,7 @@ group: files winbind
 	</para></blockquote>
 
 	<para>
-	You would be well advised to recognize that all cache-intensive proxying solutions demand a lot of memory.
+	You would be well-advised to recognize that all cache-intensive proxying solutions demand a lot of memory.
 	Make certain that your Squid proxy server is equipped with sufficient memory to permit all proxy operations to run 
 	out of memory without invoking the overheads involved in the use of memory that has to be swapped to disk.
 	</para>
diff --git a/docs/Samba3-ByExample/SBE-HighAvailability.xml b/docs/Samba3-ByExample/SBE-HighAvailability.xml
index a309f3aea8..db94af4d2f 100644
--- a/docs/Samba3-ByExample/SBE-HighAvailability.xml
+++ b/docs/Samba3-ByExample/SBE-HighAvailability.xml
@@ -253,10 +253,10 @@
 		<indexterm><primary>DNS</primary><secondary>name lookup</secondary></indexterm>
 		<indexterm><primary>resolve</primary></indexterm>
 		A Samba server called <constant>FRED</constant> in a NetBIOS domain called <constant>COLLISION</constant>
-		in a network environment that is part of the fully qualified Internet domain namespace known
-		as <constant>parrots.com</constant> results in DNS name lookups for <constant>fred.parrots.com</constant>
+		in a network environment that is part of the fully-qualified Internet domain namespace known
+		as <constant>parrots.com</constant>, results in DNS name lookups for <constant>fred.parrots.com</constant>
 		and <constant>collision.parrots.com</constant>. It is therefore a mistake to name the domain
-		(workgroup) <constant>collision.parrots.com,</constant> since this results in DNS lookup
+		(workgroup) <constant>collision.parrots.com</constant>, since this results in DNS lookup
 		attempts to resolve <constant>fred.parrots.com.parrots.com</constant>, which most likely
 		fails given that you probably do not have this in your DNS namespace.
 		</para>
@@ -375,7 +375,7 @@
 	</para>
 
 	<para>
-	As the size of the &smb.conf; file grows, the risk of introduction of parsing errors increases also.
+	As the size of the &smb.conf; file grows, the risk of introducing parsing errors also increases.
 	It is recommended to keep a fully documented &smb.conf; file on hand, and then to operate Samba only
 	with an optimized file.
 	</para>
@@ -479,7 +479,7 @@ cannot be set in the smb.conf file. nmbd will abort with this setting.
 	<indexterm><primary>Domain Controller</primary></indexterm>
 	As a general guide, instead of adding domain member servers to a network, you would be better advised
 	to add BDCs until there are fewer than 30 Windows clients per BDC. Beyond that ratio, you should add
-	domain member servers. This practice ensures that there is always sufficient domain controllers
+	domain member servers. This practice ensures that there are always sufficient domain controllers
 	to handle logon requests and authentication traffic.
 	</para>
 
@@ -617,33 +617,33 @@ cannot be set in the smb.conf file. nmbd will abort with this setting.
 
 	<para>
 	There exist applications that create or manage directories containing many thousands of files. Such
-	applications typically generate many small files (less than 100 KB). At the best of times under UNIX
-	listing of the files in a directory that contains many files is slow. By default Windows NT, 200x, 
+	applications typically generate many small files (less than 100 KB). At the best of times, under UNIX,
+	listing of the files in a directory that contains many files is slow. By default, Windows NT, 200x, 
 	and XP Pro cause network file system directory lookups on a Samba server to be performed for both 
 	the case preserving file name as well as for the mangled (8.3) file name. This incurs a huge overhead
 	on the Samba server that may slow down the system dramatically.
 	</para>
 
 	<para>
-	In an extreme case the performance impact was dramatic. File transfer from the Samba server to a Windows
+	In an extreme case, the performance impact was dramatic. File transfer from the Samba server to a Windows
 	XP Professional workstation over 1 Gigabit Ethernet for 250-500 KB files was measured at approximately
-	30 MB/sec. But when tranfering a directory containng 120,000 files, all from 50KB to 60KB in size, the
+	30 MB/sec. But when tranferring a directory containing 120,000 files, all from 50KB to 60KB in size, the
 	transfer rate to the same workstation was measured at approximately 1.5 KB/sec. The net transfer was
-	of the order of a factor of 20-fold slower.
+	on the order of a factor of 20-fold slower.
 	</para>
 
 	<para>
 	The symptoms that will be observed on the Samba server when a large directory is accessed will be that
-	aggregate I/O (typically blocks read) will be relatively low, yet the wait I/O times will be incredably
+	aggregate I/O (typically blocks read) will be relatively low, yet the wait I/O times will be incredibly
 	long while at the same time the read queue is large. Close observation will show that the hard drive
 	that the file system is on will be thrashing wildly.
 	</para>
 
 	<para>
-	Samba-3.0.12, and later, includes new code that radically improves Samba perfomance. The secret to this is
+	Samba-3.0.12 and later, includes new code that radically improves Samba perfomance. The secret to this is
 	really in the <smbconfoption name="case sensitive">True</smbconfoption> line. This tells smbd never to scan
 	for case-insensitive versions of names. So if an application asks for a file called <filename>FOO</filename>,
-	and it can not be found by a simple stat call, then smbd will return file not found immediately without
+	and it can not be found by a simple stat call, then smbd will return "file not found" immediately without
 	scanning the containing directory for a version of a different case.
 	</para>
 
diff --git a/docs/Samba3-ByExample/SBE-KerberosFastStart.xml b/docs/Samba3-ByExample/SBE-KerberosFastStart.xml
index 42546c1256..58ac2b6931 100644
--- a/docs/Samba3-ByExample/SBE-KerberosFastStart.xml
+++ b/docs/Samba3-ByExample/SBE-KerberosFastStart.xml
@@ -292,7 +292,7 @@
 		<para>
 		You agreed with Stan's recommendations and hired a consultant to help defuse the powder
 		keg. The consultant's task is to provide a tractable answer to each of the issues raised. The consultant must be able
-		to support his or her claims, keep emotions to a side, and answer technically.
+		to support his or her claims, keep emotions to the side, and answer technically.
 		</para>
 
 	</sect2>
@@ -464,7 +464,7 @@
 		</indexterm>
 				Windows network administrators may be dismayed to find that <command>winbind</command> 
 				exposes all domain users so that they may use their domain account credentials to 
-				log onto a UNIX/Linux system. The fact that all users in the domain can see the 
+				log on to a UNIX/Linux system. The fact that all users in the domain can see the 
 				UNIX/Linux server in their Network Neighborhood and can browse the shares on the 
 				server seems to excite them further.
 				</para>
@@ -676,9 +676,9 @@
 		</indexterm>
 				The release of Samba-4 is expected around late 2004 to early 2005 and involves a near 
 				complete rewrite to permit extensive modularization and to prepare Samba for new 
-				functionality planned for addition  during the next-generation series. The Samba Team 
+				functionality planned for addition during the next-generation series. The Samba Team 
 				is responsible and can be depended upon; the history to date suggests a high 
-				degree of dependability as well on charter development consistent with published 
+				degree of dependability and on charter development consistent with published 
 				roadmap projections.
 				</para>
 
@@ -877,7 +877,7 @@
 	    </indexterm>
 	Kerberos is a network authentication protocol that provides secure authentication for 
 	client-server applications by using secret-key cryptography. Firewalls are an insufficient 
-	barrier mechanism in todays networking world; at best they only restrict incoming network 
+	barrier mechanism in today's networking world; at best they only restrict incoming network 
 	traffic but cannot prevent network traffic that comes from authorized locations from 
 	performing unauthorized activities.
 	</para>
@@ -924,7 +924,7 @@
 	    </indexterm>
 	Kerberos was, until recently, a technology that was restricted from being exported from the United States.
 	For many years that hindered global adoption of more secure networking technologies both within the United States
-	and abroad. A free an unencumbered implementation of MIT Kerberos has been produced in Europe
+	and abroad. A free and unencumbered implementation of MIT Kerberos has been produced in Europe
 	and is available from the University of Paderborn, Sweden. It is known as the Heimdal Kerberos project.
 	In recent times the U.S. government has removed sanctions affecting the global distribution of MIT Kerberos.
 	It is likely that there will be a significant surge forward in the development of Kerberos-enabled applications
@@ -966,7 +966,7 @@
 	    </indexterm>
 	It so happens that Microsoft Windows clients depend on and expect the contents of the <emphasis>unspecified
 	fields</emphasis> in the Kerberos 5 communications data stream for their Windows interoperability,
-	particularly when Samba is being expected to emulate a Windows Server 200x domain controller. But the interoperability
+	particularly when Samba is expected to emulate a Windows Server 200x domain controller. But the interoperability
 	issue goes far deeper than this. In the domain control protocols that are used by MS Windows XP Professional,
 	there is a tight interdependency between the Kerberos protocols and the Microsoft distributed computing environment
 	(DCE) RPCs that themselves are an integral part of the SMB/CIFS protocols as used by
@@ -1027,7 +1027,7 @@
 	      </indexterm><indexterm>
 		<primary>account</primary>
 	      </indexterm>
-		From a Windows 200x/XP Professional workstation, log onto the domain using the Domain Administrator 
+		From a Windows 200x/XP Professional workstation, log on to the domain using the Domain Administrator 
 		account (on Samba domains, this is usually the account called <constant>root</constant>).
 		</para></step>
 
@@ -1142,7 +1142,7 @@
 	  </indexterm><indexterm>
 	    <primary>hierarchy of control</primary>
 	  </indexterm>
-	It must be emphasized that the controls here discussed can act as a filter or give rights of passage
+	It must be emphasized that the controls discussed here can act as a filter or give rights of passage
 	that act as a superstructure over normal directory and file access controls. However, share-level
 	ACLs act at a higher level than do share definition controls because the user must filter through the
 	share-level controls to get to the share-definition controls. The proper hierarchy of controls implemented
@@ -1525,7 +1525,7 @@
 
 	<procedure>
 		<step><para>
-		From a Windows 200x/XP Professional workstation, log onto the domain using the Domain Administrator 
+		From a Windows 200x/XP Professional workstation, log on to the domain using the Domain Administrator 
 		account (on Samba domains, this is usually the account called <constant>root</constant>).
 		</para></step>
 
@@ -1728,7 +1728,7 @@ other::r-x
 		</indexterm><indexterm>
 		  <primary>inheritance</primary>
 		</indexterm>
-		It is highly recommend that you read the online manual page for the <command>setfacl</command>
+		It is highly recommended that you read the online manual page for the <command>setfacl</command>
 		and <command>getfacl</command> commands. This provides information regarding how to set/read the default
 		ACLs and how that may be propagated through the directory tree. In Windows ACLs terms, this is the equivalent
 		of setting <constant>inheritance</constant> properties.
diff --git a/docs/Samba3-ByExample/SBE-MakingHappyUsers.xml b/docs/Samba3-ByExample/SBE-MakingHappyUsers.xml
index d40414eda4..ff22c79201 100644
--- a/docs/Samba3-ByExample/SBE-MakingHappyUsers.xml
+++ b/docs/Samba3-ByExample/SBE-MakingHappyUsers.xml
@@ -2132,7 +2132,7 @@ Let's start configuring the smbldap-tools scripts ...
 
 . workgroup name: name of the domain Samba act as a PDC
   workgroup name [MEGANET2] > 
-. netbios name: netbios name of the samba controler
+. netbios name: netbios name of the samba controller
   netbios name [MASSIVE] > 
 . logon drive: local path to which the home directory will 
                                 be connected (for NT Workstations). Ex: 'H:'
@@ -3739,8 +3739,8 @@ HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\
 	</procedure>
 
 	<para>
-	Before puching out new desktop images for the client workstations, it is perhaps a good idea that
-	desktop behavior should be returned to the original Microsoft settings. The followin steps achieve
+	Before punching out new desktop images for the client workstations, it is perhaps a good idea that
+	desktop behavior should be returned to the original Microsoft settings. The following steps achieve
 	that ojective:
 	</para>
 
diff --git a/docs/Samba3-ByExample/SBE-MigrateNT4Samba3.xml b/docs/Samba3-ByExample/SBE-MigrateNT4Samba3.xml
index bcc1181f34..548aee69ea 100644
--- a/docs/Samba3-ByExample/SBE-MigrateNT4Samba3.xml
+++ b/docs/Samba3-ByExample/SBE-MigrateNT4Samba3.xml
@@ -120,7 +120,7 @@
 	Do not forget to validate the security descriptors in the profiles share as well as network logon
 	scripts. Feedback from sites that are migrating to Samba-3 suggests that many are using this
 	as a good time to update desktop systems also. In all, the extra effort should constitute no
-	real disruption to users, but rather, with due diligence and care should make their network experience
+	real disruption to users, but rather, with due diligence and care, should make their network experience
 	a much happier one.
 	</para>
 
@@ -683,7 +683,7 @@ Storing SID S-1-5-21-1385457007-882775198-1210191635 \
 		Install the Idealx <command>smbldap-tools</command> software package, following
 		the instructions given in <link linkend="sbeidealx"/>. The resulting perl scripts
 		should be located in the <filename>/opt/IDEALX/sbin</filename> directory.
-		Change into that location, or whereever the scripts have been installed. Execute the
+		Change into that location, or wherever the scripts have been installed. Execute the
 		<filename>configure.pl</filename> script to configure the Idealx package for use.
 		Note: Use the domain SID obtained from the step above. The following is
 		an example configuration session:
@@ -1525,7 +1525,7 @@ Users                 Ordinary users
 		<para>
 		When migrating a <filename>smbpasswd</filename> file to an LDAP backend, the
 		UID of each account is taken together with the account information in the 
-		<filename>/etc/passwd,</filename> and both sets of data are used to create the account
+		<filename>/etc/passwd</filename>, and both sets of data are used to create the account
 		entry in the LDAP database. 
 		</para>
 
diff --git a/docs/Samba3-ByExample/SBE-MigrateNW4Samba3.xml b/docs/Samba3-ByExample/SBE-MigrateNW4Samba3.xml
index 9a896e256b..7b290c6de7 100644
--- a/docs/Samba3-ByExample/SBE-MigrateNW4Samba3.xml
+++ b/docs/Samba3-ByExample/SBE-MigrateNW4Samba3.xml
@@ -29,7 +29,7 @@
 	<indexterm><primary>migration</primary></indexterm>
 	Contributions to this chapter were made by Misty Stanley-Jones, a UNIX administrator of many
 	years who surfaced on the Samba mailing list with a barrage of questions and who
-	regularly now helps other administrators to solve thorny Samba migration questions.
+	regularly helps other administrators to solve thorny Samba migration questions.
 	</para>
 
 	<para>
@@ -52,7 +52,7 @@
 
 	<para>
 	The priority that Misty faced was one of migration of the data files off the NetWare 4.11
-	server and onto a Samba-ased Windows file and print server. This chapter does not pretend
+	server and onto a Samba-based Windows file and print server. This chapter does not pretend
 	to document all the different methods that could be used to migrate user and group accounts
 	off a NetWare server. Its focus is on migration of data files.
 	</para>
@@ -232,7 +232,7 @@
 	entering everything from the printed company directory. This used only the inetOrgPerson
 	object class from the OpenLDAP schemas. The next step was to write a shell script that
 	would look at the <filename>/etc/passwd</filename> and <filename>/etc/shadow</filename>
-	files on our mail server and create a LDIF file from which the information could be
+	files on our mail server and create an LDIF file from which the information could be
 	imported into LDAP. This would allow use of LDAP for Linux authentication, IMAP, POP3,
 	and SMTP.
 	</para>
@@ -971,7 +971,7 @@ The Idealx smbldap-tools package can be configured using a script called
 <command>configure.pl</command> that is provided as part of the tool. See <link linkend="happy"/>
 for an example of its use. Many administrators, like Misty, choose to do this manually
 so as to maintain greater awareness of how the tool-chain works and possibly to avoid
-undesirable actions from occurring un-noticed.
+undesirable actions from occurring unnoticed.
 </para></note>
 
 	<para>
@@ -1203,7 +1203,7 @@ masterPw="verysecret"
 	The next step was to run the <command>smbldap-populate</command> command, which populates
 	the LDAP tree with the appropriate default users, groups, and UID and GID pools.
 	It creates a user called Administrator with UID=0 and GID=0 matching the
-	Domain Admins group. This is fine because you can still log on a root to a Windows system,
+	Domain Admins group. This is fine because you can still log on as root to a Windows system,
 	but it will break cached credentials if you need to log on as the administrator
 	to a system that is not on the network.
 	</para>
@@ -1384,7 +1384,7 @@ sambaAcctFlags: [W          ]
 
 	<para>
 	<indexterm><primary>netlogon</primary></indexterm>
-	So now I could log on with a test user from the machine w2kengrspare. It was all fine and
+	So now I could log on with a test user from the machine w2kengrspare. It was all well and
 	good, but that user was in no groups yet and so had pretty boring access.  I fixed that
 	by writing the login script! To write the login script, I used
 	<ulink url="http://www.kixtart.org">Kixtart</ulink> because it will work
@@ -1619,7 +1619,7 @@ ENDIF
 	One option is to check the OS as part of the Kixtart script, and if it
 	is Win9x and is the first login, copy a premade
 	<filename>autoexec.bat</filename> to the <filename>C:</filename> drive. I
-	have onlythree such machines, and one is going away in the very near future,
+	have only three such machines, and one is going away in the very near future,
 	so it was easier to do it by hand.
 	</para>
 
diff --git a/docs/Samba3-ByExample/SBE-SecureOfficeServer.xml b/docs/Samba3-ByExample/SBE-SecureOfficeServer.xml
index 1a43987222..ba695994c3 100644
--- a/docs/Samba3-ByExample/SBE-SecureOfficeServer.xml
+++ b/docs/Samba3-ByExample/SBE-SecureOfficeServer.xml
@@ -1516,9 +1516,9 @@ hosts:      files dns wins
 	<title>Printer Configuration</title>
 
 	<para>
-	Network administrators who are new to CUPS based printing typically experience some difficulty mastering
+	Network administrators who are new to CUPS based-printing typically experience some difficulty mastering
 	its powerful features. The steps outlined in this section are designed to navigate around the distractions
-	of learning CUPS. Instead of implementing smart features and capabilties our approach is to use it as a
+	of learning CUPS. Instead of implementing smart features and capabilities, our approach is to use it as a
 	transparent print queue that performs no filtering, and only minimal handling of each print job that is
 	submitted to it. In other words, our configuration turns CUPS into a raw-mode print queue. This means that
 	the correct printer driver must be installed on all clients.
@@ -1609,7 +1609,7 @@ application/octet-stream
 
 	<para>
 	Note: If the parameter <parameter>cups options = Raw</parameter> is specified in the &smb.conf; file,
-	the last two steps can be omitted where CUPS version 1.1.18, or later.
+	the last two steps can be omitted with CUPS version 1.1.18, or later.
 	</para>
 
 	<para>
@@ -1826,7 +1826,7 @@ hosts:       files dns wins
 <screen>
 &rootprompt; testparm -s
 Load smb config files from smb.conf
-rocessing section "[homes]"
+Processing section "[homes]"
 Processing section "[printers]"
 Processing section "[netlogon]"
 Processing section "[profiles]"
@@ -2298,14 +2298,14 @@ Nmap run completed -- 1 IP address (1 host up) scanned in 168 seconds
 		</para></step>
 
 		<step><para>
-		Log onto the machine as the local Administrator (the only option), and join the machine to
+		Log on to the machine as the local Administrator (the only option), and join the machine to
 		the Domain, following the procedure set out in Appendix A, <link linkend="domjoin"/>. The system is now 
 		ready for the user to log on, provided you have created a network logon account for that 
 		user, of course.
 		</para></step>
 
 		<step><para>
-		Instruct all users to log onto the workstation using their assigned username and password.
+		Instruct all users to log on to the workstation using their assigned username and password.
 		</para></step>
 	</procedure>
 
diff --git a/docs/Samba3-ByExample/SBE-SimpleOfficeServer.xml b/docs/Samba3-ByExample/SBE-SimpleOfficeServer.xml
index 1c41ec9811..9ba4d867de 100644
--- a/docs/Samba3-ByExample/SBE-SimpleOfficeServer.xml
+++ b/docs/Samba3-ByExample/SBE-SimpleOfficeServer.xml
@@ -10,7 +10,7 @@
 	is the end of the road because their needs will have been adequately met. For others, this chapter is
 	the beginning of a journey that will take them well past the contents of this book. This book provides
 	example configurations of, for the greater part, complete networking solutions. The intent of this book
-	is to help you to get your Samba installation working with least amount of pain and aggravation.
+	is to help you to get your Samba installation working with the least amount of pain and aggravation.
 	</para>
 
 <sect1>
@@ -570,12 +570,12 @@ Password changed
 				<step><para>
 				Install the &smb.conf; file shown in <link linkend="charity-smbconfnew"/> in the
 				<filename>/etc/samba</filename> directory. This newer &smb.conf; file uses user-mode security
-				and is more suited to the mode of operation of Samba-3 that the older share-mode security
+				and is more suited to the mode of operation of Samba-3 than the older share-mode security
 				configuration that was shown in the first edition of this book.
 				</para>
 
 				<para>
-				Note: If you want to use the older style configuration that uses share-mode security, you
+				Note: If you want to use the older-style configuration that uses share-mode security, you
 				can install the file shown in <link linkend="charity-smbconf"/> in the
 				<filename>/etc/samba</filename> directory.
 				</para></step>
diff --git a/docs/Samba3-ByExample/SBE-UpgradingSamba.xml b/docs/Samba3-ByExample/SBE-UpgradingSamba.xml
index ded03bcba5..1bc1f1f7ed 100644
--- a/docs/Samba3-ByExample/SBE-UpgradingSamba.xml
+++ b/docs/Samba3-ByExample/SBE-UpgradingSamba.xml
@@ -83,7 +83,7 @@ to perform a major upgrade. Many administrators have experienced the consequence
 of failure to take adequate precautions. So what is adequate? That is simple!
 If data is lost during an upgrade or update and it can not be restored,
 the precautions taken were inadequate. If a backup was not needed, but was available,
-precaution was on the side of the victor.
+caution was on the side of the victor.
 </para>
 
 	<sect2>
@@ -127,7 +127,7 @@ precaution was on the side of the victor.
 	There is an old axiom that says, <quote>The greater the volume of the documentation,
 	the greater the risk that noone will read it, but where there is no documentation,
 	noone can read it!</quote> While true, some documentation is an evil necessity.
-	It is to be hoped that this update to the documentation will avoid both extremes.
+	It is hoped that this update to the documentation will avoid both extremes.
 	</para>
 
 	<sect3>
@@ -965,7 +965,7 @@ that are compatible with the original OS vendor's practices.
 <para>
 <indexterm><primary>binary package</primary></indexterm>
 <indexterm><primary>binary files</primary></indexterm>
-If you are not sure whether or a binary package complies with the OS
+If you are not sure whether a binary package complies with the OS
 vendor's practices, it is better to ask the package maintainer via
 email than to waste much time dealing with the nuances.
 Alternately, just diagnose the paths specified by the binary files following
@@ -1116,8 +1116,8 @@ back to searching the 'ldap suffix' in some cases.
 	is stored in the <constant>smbpasswd</constant> or in the
 	<constant>tdbsam</constant> format, the user and group account information
 	for UNIX accounts that match the Samba accounts will reside in the system
-	<filename>/etc/passwd, /etc/shadow</filename>, and
-	<filename>/etc/group</filename> files. In this case be sure to copy these
+	<filename>/etc/passwd</filename>, <filename>/etc/shadow</filename>, and
+	<filename>/etc/group</filename> files. In this case, be sure to copy these
 	account entries to the new target server.
 	</para>
 
@@ -1152,7 +1152,7 @@ back to searching the 'ldap suffix' in some cases.
 	<itemizedlist>
 		<listitem><para>
 		Where UNIX (POSIX) user and group accounts are stored in the system
-		<filename>/etc/passwd, /etc/shadow</filename>, and 
+		<filename>/etc/passwd</filename>, <filename>/etc/shadow</filename>, and 
 		<filename>/etc/group</filename> files, be sure to add the same accounts
 		with identical UID and GID values for each user.
 		</para>
diff --git a/docs/Samba3-ByExample/SBE-foreword.xml b/docs/Samba3-ByExample/SBE-foreword.xml
index e8fa80ce31..d90aead066 100644
--- a/docs/Samba3-ByExample/SBE-foreword.xml
+++ b/docs/Samba3-ByExample/SBE-foreword.xml
@@ -19,14 +19,14 @@ of open-source software solutions globally, and in particular within the United
 <para>
 The OSSI has global affiliations with like-minded organizations. Our affiliate in the United Kingdom is the
 Open Source Consortium. Both the OSSI and the OSC share a common objective to expand the use of open-source
-software in federal, state and municipal government agencies and in academic institutions. We represent
+software in federal, state, and municipal government agencies; and in academic institutions. We represent
 businesses that provide professional support services that answer the needs of our target organizational
-information technology consumers in an effective and cost efficient manner.
+information technology consumers in an effective and cost-efficient manner.
 </para>
 
 <para>
 Open source software has matured greatly over the past 5 years with the result that an increasing number of
-people who hold key influential decision-making positions want to know how the business model works. They
+people who hold key decision-making positions want to know how the business model works. They
 want to understand how problems get resolved, how questions get answered, and how the development model
 is sustained. Information and Communications Technology directors in defense organizations, and in other
 government agencies that deal with sensitive information, want to become familiar with development road-maps
@@ -36,38 +36,38 @@ and, in particular, seek to evaluate the track record of the main-stream open-so
 <para>
 Wherever the OSSI gains entrance to new opportunities we find that Microsoft Windows technologies are the 
 benchmark against which open-source software solutions are measured. Two open-source software projects
-are key to our ability to present a structured, and convincing, proposition that there are alternatives
-to the incumbent proprietary means of meeting information technology needs. They are the Apache Web server
+are key to our ability to present a structured and convincing proposition that there are alternatives
+to the incumbent proprietary means of meeting information technology needs. They are the Apache Web Server
 and Samba.
 </para>
 
 <para>
-Just as the Apache web server is the standard in web serving technology, Samba is the definitive standard
-for providing inter-operability with UNIX systems and other non-Microsoft operating system platforms. Both
+Just as the Apache Web Server is the standard in web serving technology, Samba is the definitive standard
+for providing interoperability with UNIX systems and other non-Microsoft operating system platforms. Both
 open-source applications have a truly remarkable track record that extends well over a decade. Both have
-demonstrated unique capacity to innovate and to maintain a level of development that has not only kept
-pace with demands, but in many areas each project has also proven to be an industry leader.
+demonstrated the unique capacity to innovate and maintain a level of development that has not only kept
+pace with demands, but, in many areas, each project has also proven to be an industry leader.
 </para>
 
 <para>
 One of the areas in which the Samba project has demonstrated key leadership is in documentation. The OSSI
-was delighted when we saw the Samba Team, and John H. Terpstra in particular, release two amazingly well
-written books to help Samba software users to deploy, maintain and trouble-shoot Windows networking
+was delighted when we saw the Samba Team, and John H. Terpstra in particular, release two amazingly
+well-written books to help Samba software users deploy, maintain, and troubleshoot Windows networking
 installations. We were concerned that, given the large volume of documentation, the challenge to maintain
 it and keep it current might prove difficult.
 </para>
 
 <para>
-This second edition of the book, <quote>Samba-3 by Example</quote> barely one year following the release
-of the first edition has removed all concerns and is proof that open-source solutions are a compelling choice.
+This second edition of the book, <quote>Samba-3 by Example</quote>, barely one year following the release
+of the first edition, has removed all concerns and is proof that open-source solutions are a compelling choice.
 The first edition was released shortly following the release of Samba version 3.0 itself, and has become
 the authoritative instrument for training and for guiding deployment.
 </para>
 
 <para>
-I am personally aware how much effort has gone into this second edition. John Terpstra has worked with
+I am personally aware of how much effort has gone into this second edition. John Terpstra has worked with
 government bodies and with large organizations that have deployed Samba-3 since it was released. He also
-worked to ensure that this book gained community following. He asked those who have worked at the coal-face
+worked to ensure that this book gained community following. He asked those who have worked at the coalface
 of large and small organizations alike, to contribute their experiences. He has captured that in this book
 and has succeeded yet again. His recipe is persistence, intuition, and a high level of respect for the people
 who use Samba.
@@ -77,7 +77,7 @@ who use Samba.
 This book is the first source you should turn to before you deploy Samba and as you are mastering its
 deployment. I am proud and excited to be associated in a small way with such a useful tool. This book has
 reached maturity that is demonstrated by reiteration that every step in deployment must be validated.
-This book makes it easy to succeed, and difficulty to fail to gain a stable network environment.
+This book makes it easy to succeed, and difficult to fail, to gain a stable network environment.
 </para>
 
 <para>
diff --git a/docs/Samba3-ByExample/SBE-inside-cover.xml b/docs/Samba3-ByExample/SBE-inside-cover.xml
index b55a333f9e..492a581cf5 100644
--- a/docs/Samba3-ByExample/SBE-inside-cover.xml
+++ b/docs/Samba3-ByExample/SBE-inside-cover.xml
@@ -4,32 +4,41 @@
 <title>About the Cover Artwork</title>
 
 	<para>
-	The cover artwork of this book continues a theme chosen for the book, 
-	<emphasis>The Official Samba-3 HOWTO and Reference Guide,</emphasis>
-	the cover of which features a Confederate scene. Samba has had a major 
-	impact on the network deployment of Microsoft Windows desktop systems. 
-	The cover artwork of the two official Samba books tells of events that 
-	likewise had a major impact on the future.
+	The cover artwork of this book continues the freedom theme of the first
+	edition of <quote>Samba-3 by Example</quote>. The history of civilization
+	demonstrates the fragile nature of freedom. It can be lost in a moment,
+	and once lost, the cost of recovering liberty can be incredible. The last
+	edition cover featured Alfred the Great who liberated England from the
+	constant assault of Vikings and Norsemen. Events in England that
+	that finally liberated the common people came about in small steps, but
+	the result should not be under-estimated. Today, as always, freedom and
+	liberty are seldom appreciated until they are lost. If we can not quantify
+	what is the value of freedom, we shall be little motivated to protect it.
 	</para>
 
 	<para>
-	<emphasis>Samba-3 by Example Cover Artwork:</emphasis> King Alfred the Great 
-	(born 849, ruled 871-899) was one of the most amazing kings ever to 
-	rule England. He defended Anglo-Saxon England from Viking raids, formulated 
-	a code of laws, and fostered a rebirth of religious and scholarly activity. 
-	His reign exhibits military skill and innovation, sound governance and the 
-	ability to inspire men to plan for the future. Alfred liberated England
-	at a time when all resistence seemed futile.
+	<emphasis>Samba-3 by Example Cover Artwork:</emphasis> The British houses
+	of parliament are a symbol of the Westminster system of government. This form
+	of government permits the people to govern themselves at the lowest level, yet
+	it provides for courts of appeal that are designed to protect freedom and to
+	hold back all forces of tyranny. The clock is a pertinent symbol of the
+	importance of time and place.
 	</para>
 
 	<para>
-	Samba is a network interoperability solution that provides real choice for network
-	administrators. It is an adjunct to Microsoft Windows networks that provides 
-	interoperability of UNIX systems with Microsoft Windows desktop and server systems.
-	You may use Samba to realize the freedom it provides for your network environment 
-	thanks to a dedicated team who work behind the scenes to give you a better choice. 
-	The efforts of these few dedicated developers continues to shape the future of 
-	the Windows interoperability landscape. Enjoy!
+	The information technology industry is being challenged by the imposition of
+	new laws, hostile litigation, and the imposition of significant constraint 
+	of practice that threatens to remove the freedom to develop and deploy open 
+	source software solutions. Samba is a software solution that epitomizes freedom
+	of choice in network interoperability for Microsoft Windows clients.
+	</para>
+
+	<para>
+	I hope you will take the time needed to deploy it well, and that you may realize
+	the greatest benefits may be obtained. You are free to use it in ways never
+	considered, but in doing so there may be some obstacles. Every obstacle that is
+	overcome adds to the freedom you can enjoy. Use Samba well, and it will serve
+	you well.
 	</para>
 
 </preface>