another merge from 2.2

(This used to be commit f8e4876a04add168a17652431e85a9c2b5b6c619)

10 files changed, 3595 insertions, 4 deletions

diff --git a/docs/docbook/projdoc/DOMAIN_MEMBER.sgml b/docs/docbook/projdoc/DOMAIN_MEMBER.sgml
new file mode 100644
index 0000000000..c6dbda15a3
--- /dev/null
+++ b/docs/docbook/projdoc/DOMAIN_MEMBER.sgml
@@ -0,0 +1,228 @@
+<chapter>
+
+<chapterinfo>
+	<author>
+		<firstname>Jeremy</firstname><surname>Allison</surname>
+		<affiliation>
+			<orgname>Samba Team</orgname>
+			<address>
+				<email>samba@samba.org</email>
+			</address>
+		</affiliation>
+	</author>
+	<author>
+		<firstname>Jerry</firstname><surname>Carter</surname>
+		<affiliation>
+			<orgname>Samba Team</orgname>
+			<address>
+				<email>jerry@samba.org</email>
+			</address>
+		</affiliation>
+	</author>
+	
+		
+	<pubdate>16 Apr 2001</pubdate>
+</chapterinfo>
+
+
+<title>security = domain in Samba 2.x</title>
+
+<sect1>
+
+	<title>Joining an NT Domain with Samba 2.2</title>
+
+	<para>In order for a Samba-2 server to join an NT domain, 
+	you must first add the NetBIOS name of the Samba server to the 
+	NT domain on the PDC using Server Manager for Domains.  This creates 
+	the machine account in the domain (PDC) SAM. Note that you should 
+	add the Samba server as a "Windows NT Workstation or Server", 
+	<emphasis>NOT</emphasis> as a Primary or backup domain controller.</para>
+
+	<para>Assume you have a Samba-2 server with a NetBIOS name of 
+	<constant>SERV1</constant> and are joining an NT domain called
+	<constant>DOM</constant>, which has a PDC with a NetBIOS name
+	of <constant>DOMPDC</constant> and two backup domain controllers 
+	with NetBIOS names <constant>DOMBDC1</constant> and <constant>DOMBDC2
+	</constant>.</para>
+
+	<para>In order to join the domain, first stop all Samba daemons 
+	and run the command:</para>
+
+	<para><prompt>root# </prompt><userinput>smbpasswd -j DOM -r DOMPDC
+	</userinput></para>
+
+	<para>as we are joining the domain DOM and the PDC for that domain 
+	(the only machine that has write access to the domain SAM database) 
+	is DOMPDC. If this is successful you will see the message:</para>
+
+	<para><computeroutput>smbpasswd: Joined domain DOM.</computeroutput>
+	</para>
+
+	<para>in your terminal window. See the <ulink url="smbpasswd.8.html">
+	smbpasswd(8)</ulink> man page for more details.</para>
+	
+	<para>There is existing development code to join a domain
+	without having to create the machine trust account on the PDC
+	beforehand.  This code will hopefully be available soon
+	in release branches as well.</para>
+
+	<para>This command goes through the machine account password 
+	change protocol, then writes the new (random) machine account 
+	password for this Samba server into a file in the same directory 
+	in which an smbpasswd file would be stored - normally :</para>
+
+	<para><filename>/usr/local/samba/private</filename></para>
+
+	<para>In Samba 2.0.x, the filename looks like this:</para>
+
+	<para><filename><replaceable>&lt;NT DOMAIN NAME&gt;</replaceable>.<replaceable>&lt;Samba 
+	Server Name&gt;</replaceable>.mac</filename></para>
+	
+	<para>The <filename>.mac</filename> suffix stands for machine account 
+	password file. So in our example above, the file would be called:</para>
+
+	<para><filename>DOM.SERV1.mac</filename></para>
+
+	<para>In Samba 2.2, this file has been replaced with a TDB 
+	(Trivial Database) file named <filename>secrets.tdb</filename>.
+	</para>
+
+
+	<para>This file is created and owned by root and is not 
+	readable by any other user. It is the key to the domain-level 
+	security for your system, and should be treated as carefully 
+	as a shadow password file.</para>
+
+	<para>Now, before restarting the Samba daemons you must 
+	edit your <ulink url="smb.conf.5.html"><filename>smb.conf(5)</filename>
+	</ulink> file to tell Samba it should now use domain security.</para>
+	
+	<para>Change (or add) your <ulink url="smb.conf.5.html#SECURITY">
+	<parameter>security =</parameter></ulink> line in the [global] section 
+	of your smb.conf to read:</para>
+
+	<para><command>security = domain</command></para>
+
+	<para>Next change the <ulink url="smb.conf.5.html#WORKGROUP"><parameter>
+	workgroup =</parameter></ulink> line in the [global] section to read: </para>
+
+	<para><command>workgroup = DOM</command></para>
+
+	<para>as this is the name of the domain we are joining. </para>
+
+	<para>You must also have the parameter <ulink url="smb.conf.5.html#ENCRYPTPASSWORDS">
+	<parameter>encrypt passwords</parameter></ulink> set to <constant>yes
+	</constant> in order for your users to authenticate to the NT PDC.</para>
+
+	<para>Finally, add (or modify) a <ulink url="smb.conf.5.html#PASSWORDSERVER">
+	<parameter>password server =</parameter></ulink> line in the [global]
+	section to read: </para>
+
+	<para><command>password server = DOMPDC DOMBDC1 DOMBDC2</command></para>
+
+	<para>These are the primary and backup domain controllers Samba 
+	will attempt to contact in order to authenticate users. Samba will 
+	try to contact each of these servers in order, so you may want to 
+	rearrange this list in order to spread out the authentication load 
+	among domain controllers.</para>
+
+	<para>Alternatively, if you want smbd to automatically determine 
+	the list of Domain controllers to use for authentication, you may 
+	set this line to be :</para>
+
+	<para><command>password server = *</command></para>
+
+	<para>This method, which was introduced in Samba 2.0.6, 
+	allows Samba to use exactly the same mechanism that NT does. This 
+	method either broadcasts or uses a WINS database in order to
+	find domain controllers to authenticate against.</para>
+
+	<para>Finally, restart your Samba daemons and get ready for 
+	clients to begin using domain security!</para>
+</sect1>
+
+<sect1>
+<title>Samba and Windows 2000 Domains</title>
+
+<para>
+Many people have asked regarding the state of Samba's ability to participate in
+a Windows 2000 Domain.  Samba 2.2 is able to act as a member server of a Windows
+2000 domain operating in mixed or native mode.
+</para>
+
+<para>
+There is much confusion between the circumstances that require a "mixed" mode
+Win2k DC and a when this host can be switched to "native" mode.  A "mixed" mode
+Win2k domain controller is only needed if Windows NT BDCs must exist in the same
+domain.  By default, a Win2k DC in "native" mode will still support
+NetBIOS and NTLMv1 for authentication of legacy clients such as Windows 9x and 
+NT 4.0.  Samba has the same requirements as a Windows NT 4.0 member server.
+</para>
+
+<para>
+The steps for adding a Samba 2.2 host to a Win2k domain are the same as those
+for adding a Samba server to a Windows NT 4.0 domain. The only exception is that 
+the "Server Manager" from NT 4 has been replaced by the "Active Directory Users and 
+Computers" MMC (Microsoft Management Console) plugin.
+</para>
+
+</sect1>
+
+
+<sect1>
+	<title>Why is this better than security = server?</title>
+
+	<para>Currently, domain security in Samba doesn't free you from 
+	having to create local Unix users to represent the users attaching 
+	to your server. This means that if domain user <constant>DOM\fred
+	</constant> attaches to your domain security Samba server, there needs 
+	to be a local Unix user fred to represent that user in the Unix 
+	filesystem. This is very similar to the older Samba security mode 
+	<ulink url="smb.conf.5.html#SECURITYEQUALSSERVER">security = server</ulink>, 
+	where Samba would pass through the authentication request to a Windows 
+	NT server in the same way as a Windows 95 or Windows 98 server would.
+	</para>
+	
+	<para>Please refer to the <ulink url="winbind.html">Winbind 
+	paper</ulink> for information on a system to automatically
+	assign UNIX uids and gids to Windows NT Domain users and groups.
+	This code is available in development branches only at the moment,
+	but will be moved to release branches soon.</para>
+
+	<para>The advantage to domain-level security is that the 
+	authentication in domain-level security is passed down the authenticated 
+	RPC channel in exactly the same way that an NT server would do it. This 
+	means Samba servers now participate in domain trust relationships in 
+	exactly the same way NT servers do (i.e., you can add Samba servers into 
+	a resource domain and have the authentication passed on from a resource
+	domain PDC to an account domain PDC.</para>
+
+	<para>In addition, with <command>security = server</command> every Samba 
+	daemon on a server has to keep a connection open to the 
+	authenticating server for as long as that daemon lasts. This can drain 
+	the connection resources on a Microsoft NT server and cause it to run 
+	out of available connections. With <command>security = domain</command>, 
+	however, the Samba daemons connect to the PDC/BDC only for as long 
+	as is necessary to authenticate the user, and then drop the connection, 
+	thus conserving PDC connection resources.</para>
+
+	<para>And finally, acting in the same manner as an NT server 
+	authenticating to a PDC means that as part of the authentication 
+	reply, the Samba server gets the user identification information such 
+	as the user SID, the list of NT groups the user belongs to, etc. All 
+	this information will allow Samba to be extended in the future into 
+	a mode the developers currently call appliance mode. In this mode, 
+	no local Unix users will be necessary, and Samba will generate Unix 
+	uids and gids from the information passed back from the PDC when a 
+	user is authenticated, making a Samba server truly plug and play 
+	in an NT domain environment. Watch for this code soon.</para>
+
+	<para><emphasis>NOTE:</emphasis> Much of the text of this document 
+	was first published in the Web magazine <ulink url="http://www.linuxworld.com"> 	
+	LinuxWorld</ulink> as the article <ulink
+	url="http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba.html">Doing 
+	the NIS/NT Samba</ulink>.</para>
+
+</sect1>
+
+</chapter>
diff --git a/docs/docbook/projdoc/ENCRYPTION.sgml b/docs/docbook/projdoc/ENCRYPTION.sgml
new file mode 100644
index 0000000000..8b624bad1a
--- /dev/null
+++ b/docs/docbook/projdoc/ENCRYPTION.sgml
@@ -0,0 +1,378 @@
+<chapter>
+
+
+<chapterinfo>
+	<author>
+		<firstname>Jeremy</firstname><surname>Allison</surname>
+		<affiliation>
+			<orgname>Samba Team</orgname>
+			<address>
+				<email>samba@samba.org</email>
+			</address>
+		</affiliation>
+	</author>
+	
+
+	<pubdate>19 Apr 1999</pubdate>
+</chapterinfo>
+	
+<title>LanMan and NT Password Encryption in Samba 2.x</title>
+
+
+<sect1>
+	<title>Introduction</title>
+	
+	<para>With the development of LanManager and Windows NT 
+	compatible password encryption for Samba, it is now able 
+	to validate user connections in exactly the same way as 
+	a LanManager or Windows NT server.</para>
+
+	<para>This document describes how the SMB password encryption 
+	algorithm works and what issues there are in choosing whether 
+	you want to use it. You should read it carefully, especially 
+	the part about security and the "PROS and CONS" section.</para>
+	
+</sect1>
+
+<sect1>
+	<title>How does it work?</title>
+
+	<para>LanManager encryption is somewhat similar to UNIX 
+	password encryption. The server uses a file containing a 
+	hashed value of a user's password.  This is created by taking 
+	the user's plaintext password, capitalising it, and either 
+	truncating to 14 bytes or padding to 14 bytes with null bytes. 
+	This 14 byte value is used as two 56 bit DES keys to encrypt 
+	a 'magic' eight byte value, forming a 16 byte value which is 
+	stored by the server and client. Let this value be known as 
+	the "hashed password".</para>
+	
+	<para>Windows NT encryption is a higher quality mechanism, 
+	consisting of doing an MD4 hash on a Unicode version of the user's 
+	password. This also produces a 16 byte hash value that is 
+	non-reversible.</para>
+
+	<para>When a client (LanManager, Windows for WorkGroups, Windows 
+	95 or Windows NT) wishes to mount a Samba drive (or use a Samba 
+	resource), it first requests a connection and negotiates the 
+	protocol that the client and server will use. In the reply to this 
+	request the Samba server generates and appends an 8 byte, random 
+	value - this is stored in the Samba server after the reply is sent 
+	and is known as the "challenge".  The challenge is different for 
+	every client connection.</para>
+
+	<para>The client then uses the hashed password (16 byte values 
+	described above), appended with 5 null bytes, as three 56 bit 
+	DES keys, each of which is used to encrypt the challenge 8 byte 
+	value, forming a 24 byte value known as the "response".</para>
+
+	<para>In the SMB call SMBsessionsetupX (when user level security 
+	is selected) or the call SMBtconX (when share level security is 
+	selected), the 24 byte response is returned by the client to the 
+	Samba server.  For Windows NT protocol levels the above calculation 
+	is done on both hashes of the user's password and both responses are 
+	returned in the SMB call, giving two 24 byte values.</para>
+
+	<para>The Samba server then reproduces the above calculation, using 
+	its own stored value of the 16 byte hashed password (read from the 
+	<filename>smbpasswd</filename> file - described later) and the challenge 
+	value that it kept from the negotiate protocol reply. It then checks 
+	to see if the 24 byte value it calculates matches the 24 byte value 
+	returned to it from the client.</para>
+
+	<para>If these values match exactly, then the client knew the 
+	correct password (or the 16 byte hashed value - see security note 
+	below) and is thus allowed access. If not, then the client did not 
+	know the correct password and is denied access.</para>
+
+	<para>Note that the Samba server never knows or stores the cleartext 
+	of the user's password - just the 16 byte hashed values derived from 
+	it. Also note that the cleartext password or 16 byte hashed values 
+	are never transmitted over the network - thus increasing security.</para>
+</sect1>
+
+<sect1>
+	<title>Important Notes About Security</title>
+	
+	<para>The unix and SMB password encryption techniques seem similar 
+	on the surface. This similarity is, however, only skin deep. The unix 
+	scheme typically sends clear text passwords over the nextwork when 
+	logging in. This is bad. The SMB encryption scheme never sends the 
+	cleartext password over the network but it does store the 16 byte 
+	hashed values on disk. This is also bad. Why? Because the 16 byte hashed 
+	values are a "password equivalent". You cannot derive the user's 
+	password from them, but they could potentially be used in a modified 
+	client to gain access to a server. This would require considerable 
+	technical knowledge on behalf of the attacker but is perfectly possible. 
+	You should thus treat the smbpasswd file as though it contained the 
+	cleartext passwords of all your users. Its contents must be kept 
+	secret, and the file should be protected accordingly.</para>
+	
+	<para>Ideally we would like a password scheme which neither requires 
+	plain text passwords on the net or on disk. Unfortunately this 
+	is not available as Samba is stuck with being compatible with 
+	other SMB systems (WinNT, WfWg, Win95 etc). </para>
+
+	<warning>
+		<para>Note that Windows NT 4.0 Service pack 3 changed the 
+		default for permissible authentication so that plaintext 
+		passwords are <emphasis>never</emphasis> sent over the wire. 
+		The solution to this is either to switch to encrypted passwords 
+		with Samba or edit the Windows NT registry to re-enable plaintext 
+		passwords. See the document WinNT.txt for details on how to do 
+		this.</para>
+		
+		<para>Other Microsoft operating systems which also exhibit 
+		this behavior includes</para>
+		
+		<itemizedlist>
+			<listitem><para>MS DOS Network client 3.0 with 
+			the basic network redirector installed</para></listitem>
+			
+			<listitem><para>Windows 95 with the network redirector 
+			update installed</para></listitem>
+			
+			<listitem><para>Windows 98 [se]</para></listitem>
+			
+			<listitem><para>Windows 2000</para></listitem>
+		</itemizedlist>
+		
+		<para><emphasis>Note :</emphasis>All current release of 
+		Microsoft SMB/CIFS clients support authentication via the
+		SMB Challenge/Response mechanism described here.  Enabling
+		clear text authentication does not disable the ability
+		of the client to particpate in encrypted authentication.</para>
+	</warning>
+
+	<sect2>
+		<title>Advantages of SMB Encryption</title>
+
+		<itemizedlist>
+			<listitem><para>plain text passwords are not passed across 
+			the network. Someone using a network sniffer cannot just 
+			record passwords going to the SMB server.</para>
+			</listitem>
+		 
+			<listitem><para>WinNT doesn't like talking to a server 
+			that isn't using SMB encrypted passwords. It will refuse 
+			to browse the server if the server is also in user level 
+			security mode. It will insist on prompting the user for the 
+			password on each connection, which is very annoying. The
+			only things you can do to stop this is to use SMB encryption.
+			</para></listitem>
+		</itemizedlist>
+	</sect2>
+
+
+	<sect2>
+		<title>Advantages of non-encrypted passwords</title>
+
+		<itemizedlist>
+			<listitem><para>plain text passwords are not kept 
+			on disk. </para></listitem>
+			
+			<listitem><para>uses same password file as other unix 
+			services such as login and ftp</para></listitem>
+			
+			<listitem><para>you are probably already using other 
+			services (such as telnet and ftp) which send plain text 
+			passwords over the net, so sending them for SMB isn't 
+			such a big deal.</para></listitem>
+		</itemizedlist>
+	</sect2>
+</sect1>
+
+
+<sect1>
+	<title><anchor id="SMBPASSWDFILEFORMAT">The smbpasswd file</title>
+	
+	<para>In order for Samba to participate in the above protocol 
+	it must be able to look up the 16 byte hashed values given a user name.
+	Unfortunately, as the UNIX password value is also a one way hash
+	function (ie. it is impossible to retrieve the cleartext of the user's
+	password given the UNIX hash of it), a separate password file
+	containing this 16 byte value must be kept. To minimise problems with
+	these two password files, getting out of sync, the UNIX <filename>
+	/etc/passwd</filename> and the <filename>smbpasswd</filename> file, 
+	a utility, <command>mksmbpasswd.sh</command>, is provided to generate
+	a smbpasswd file from a UNIX <filename>/etc/passwd</filename> file.
+	</para
+
+
+	<para>To generate the smbpasswd file from your <filename>/etc/passwd
+	</filename> file use the following command :</para>
+	
+	<para><prompt>$ </prompt><userinput>cat /etc/passwd | mksmbpasswd.sh
+	&gt; /usr/local/samba/private/smbpasswd</userinput></para>
+	
+	<para>If you are running on a system that uses NIS, use</para>
+
+	<para><prompt>$ </prompt><userinput>ypcat passwd | mksmbpasswd.sh
+	&gt; /usr/local/samba/private/smbpasswd</userinput></para>
+	
+	<para>The <command>mksmbpasswd.sh</command> program is found in 
+	the Samba source directory. By default, the smbpasswd file is 
+	stored in :</para>
+
+	<para><filename>/usr/local/samba/private/smbpasswd</filename></para>
+
+	<para>The owner of the <filename>/usr/local/samba/private/</filename> 
+	directory should be set to root, and the permissions on it should 
+	be set to 0500 (<command>chmod 500 /usr/local/samba/private</command>).
+	</para>
+
+	<para>Likewise, the smbpasswd file inside the private directory should 
+	be owned by root and the permissions on is should be set to 0600
+	(<command>chmod 600 smbpasswd</command>).</para>
+
+
+	<para>The format of the smbpasswd file is (The line has been 
+	wrapped here. It should appear as one entry per line in 
+	your smbpasswd file.)</para>
+	
+	<para><programlisting>
+username:uid:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:
+	[Account type]:LCT-&lt;last-change-time&gt;:Long name
+	</programlisting></para>
+	
+	<para>Although only the <replaceable>username</replaceable>, 
+	<replaceable>uid</replaceable>, <replaceable>
+	XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX</replaceable>,
+	[<replaceable>Account type</replaceable>] and <replaceable>
+	last-change-time</replaceable> sections are significant 
+	and are looked at in the Samba code.</para>
+
+	<para>It is <emphasis>VITALLY</emphasis> important that there by 32 
+	'X' characters between the two ':' characters in the XXX sections - 
+	the smbpasswd and Samba code will fail to validate any entries that 
+	do not have 32 characters  between ':' characters. The first XXX 
+	section is for the Lanman password hash, the second is for the 
+	Windows NT version.</para>
+
+	<para>When the password file is created all users have password entries
+	consisting of 32 'X' characters. By default this disallows any access
+	as this user. When a user has a password set, the 'X' characters change
+	to 32 ascii hexadecimal digits (0-9, A-F). These are an ascii
+	representation of the 16 byte hashed value of a user's password.</para>
+
+	<para>To set a user to have no password (not recommended), edit the file
+	using vi, and replace the first 11 characters with the ascii text
+	<constant>"NO PASSWORD"</constant> (minus the quotes).</para>
+
+	<para>For example, to clear the password for user bob, his smbpasswd file 
+	entry would look like :</para>
+
+	<para><programlisting>
+	bob:100:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-00000000:Bob's full name:/bobhome:/bobshell
+	</programlisting></para>
+	
+	<para>If you are allowing users to use the smbpasswd command to set 
+	their own passwords, you may want to give users NO PASSWORD initially 
+	so they do not have to enter a previous password when changing to their 
+	new password (not recommended). In order for you to allow this the
+	<command>smbpasswd</command> program must be able to connect to the 
+	<command>smbd</command> daemon as that user with no password. Enable this 
+	by adding the line :</para>
+
+	<para><command>null passwords = yes</command></para>
+	
+	<para>to the [global] section of the smb.conf file (this is why 
+	the above scenario is not recommended). Preferably, allocate your
+	users a default password to begin with, so you do not have
+	to enable this on your server.</para>
+
+	<para><emphasis>Note : </emphasis>This file should be protected very 
+	carefully. Anyone with access to this file can (with enough knowledge of 
+	the protocols) gain access to your SMB server. The file is thus more 
+	sensitive than a normal unix <filename>/etc/passwd</filename> file.</para>
+</sect1>
+
+
+<sect1>
+	<title>The smbpasswd Command</title>
+	
+	<para>The smbpasswd command maintains the two 32 byte password fields 
+	in the smbpasswd file. If you wish to make it similar to the unix 
+	<command>passwd</command> or <command>yppasswd</command> programs, 
+	install it in <filename>/usr/local/samba/bin/</filename> (or your 
+	main Samba binary directory).</para>
+
+	<para>Note that as of Samba 1.9.18p4 this program <emphasis>MUST NOT 
+	BE INSTALLED</emphasis> setuid root (the new <command>smbpasswd</command> 
+	code enforces this restriction so it cannot be run this way by 
+	accident).</para>
+
+	<para><command>smbpasswd</command> now works in a client-server mode 
+	where it contacts the local smbd to change the user's password on its 
+	behalf. This has enormous benefits - as follows.</para>
+
+	<itemizedlist>
+		<listitem><para>smbpasswd no longer has to be setuid root - 
+		an enormous range of potential security problems is 
+		eliminated.</para></listitem>
+		
+		<listitem><para><command>smbpasswd</command> now has the capability 
+		to change passwords on Windows NT servers (this only works when 
+		the request is sent to the NT Primary Domain Controller if you 
+		are changing an NT Domain user's password).</para></listitem>
+	</itemizedlist>
+	
+	<para>To run smbpasswd as a normal user just type :</para>
+	
+	<para><prompt>$ </prompt><userinput>smbpasswd</userinput></para>
+	<para><prompt>Old SMB password: </prompt><userinput>&lt;type old value here - 
+	or hit return if there was no old password&gt;</userinput></para>
+	<para><prompt>New SMB Password: </prompt><userinput>&lt;type new value&gt;
+	</userinput></para>
+	<para><prompt>Repeat New SMB Password: </prompt><userinput>&lt;re-type new value
+	</userinput></para>
+	
+	<para>If the old value does not match the current value stored for 
+	that user, or the two new values do not match each other, then the 
+	password will not be changed.</para>
+	
+	<para>If invoked by an ordinary user it will only allow the user 
+	to change his or her own Samba password.</para>
+	
+	<para>If run by the root user smbpasswd may take an optional 
+	argument, specifying the user name whose SMB password you wish to 
+	change.  Note that when run as root smbpasswd does not prompt for 
+	or check the old password value, thus allowing root to set passwords 
+	for users who have forgotten their passwords.</para>
+	
+	<para><command>smbpasswd</command> is designed to work in the same way 
+	and be familiar to UNIX users who use the <command>passwd</command> or 
+	<command>yppasswd</command> commands.</para>
+
+	<para>For more details on using <command>smbpasswd</command> refer 
+	to the man page which will always be the definitive reference.</para>
+</sect1>
+
+
+<sect1>
+	<title>Setting up Samba to support LanManager Encryption</title>
+
+	<para>This is a very brief description on how to setup samba to 
+	support password encryption. </para>
+	
+	<orderedlist numeration="Arabic">
+		<listitem><para>compile and install samba as usual</para>
+		</listitem>
+		
+		<listitem><para>enable encrypted passwords in <filename>
+		smb.conf</filename> by adding the line <command>encrypt 
+		passwords = yes</command> in the [global] section</para>
+		</listitem>
+		
+		<listitem><para>create the initial <filename>smbpasswd</filename>
+		password file in the place you specified in the Makefile 
+		(--prefix=&lt;dir&gt;). See the notes under the <link
+		linkend="SMBPASSWDFILEFORMAT">The smbpasswd File</link>
+		section earlier in the document for details.</para>
+		</listitem>
+	</orderedlist>
+	
+	<para>Note that you can test things using smbclient.</para> 
+</sect1>
+
+</chapter>
diff --git a/docs/docbook/projdoc/NT_Security.sgml b/docs/docbook/projdoc/NT_Security.sgml
new file mode 100644
index 0000000000..a6be4a0ffd
--- /dev/null
+++ b/docs/docbook/projdoc/NT_Security.sgml
@@ -0,0 +1,358 @@
+<chapter>
+
+<chapterinfo>
+	<author>
+		<firstname>Jeremy</firstname><surname>Allison</surname>
+		<affiliation>
+			<orgname>Samba Team</orgname>
+			<address>
+				<email>samba@samba.org</email>
+			</address>
+		</affiliation>
+	</author>
+	
+		
+	<pubdate>12 Apr 1999</pubdate>
+</chapterinfo>
+
+
+<title>UNIX Permission Bits and WIndows NT Access Control Lists</title>
+
+<sect1>
+	<title>Viewing and changing UNIX permissions using the NT 
+	security dialogs</title>
+
+
+	<para>New in the Samba 2.0.4 release is the ability for Windows 
+	NT clients to use their native security settings dialog box to 
+	view and modify the underlying UNIX permissions.</para>
+
+	<para>Note that this ability is careful not to compromise 
+	the security of the UNIX host Samba is running on, and 
+	still obeys all the file permission rules that a Samba 
+	administrator can set.</para>
+
+	<para>In Samba 2.0.4 and above the default value of the 
+	parameter <ulink url="smb.conf.5.html#NTACLSUPPOR"><parameter>
+	nt acl support</parameter></ulink> has been changed from 
+	<constant>false</constant> to <constant>true</constant>, so 
+ 	manipulation of permissions is turned on by default.</para>
+</sect1>
+
+<sect1>
+	<title>How to view file security on a Samba share</title>
+
+	<para>From an NT 4.0 client, single-click with the right 
+	mouse button on any file or directory in a Samba mounted 
+	drive letter or UNC path. When the menu pops-up, click 
+	on the <emphasis>Properties</emphasis> entry at the bottom of 
+	the menu. This brings up the normal file properties dialog
+	box, but with Samba 2.0.4 this will have a new tab along the top
+	marked <emphasis>Security</emphasis>. Click on this tab and you 
+	will see three buttons, <emphasis>Permissions</emphasis>, 	
+	<emphasis>Auditing</emphasis>, and <emphasis>Ownership</emphasis>. 
+	The <emphasis>Auditing</emphasis> button will cause either 
+	an error message <errorname>A requested privilege is not held 
+	by the client</errorname> to appear if the user is not the 
+	NT Administrator, or a dialog which is intended to allow an 
+	Administrator to add auditing requirements to a file if the 
+	user is logged on as the NT Administrator. This dialog is 
+	non-functional with a Samba share at this time, as the only 
+	useful button, the <command>Add</command> button will not currently 
+	allow a list of users to be seen.</para>
+
+</sect1>
+
+<sect1>
+	<title>Viewing file ownership</title>
+
+	<para>Clicking on the <command>"Ownership"</command> button 
+	brings up a dialog box telling you who owns the given file. The 
+	owner name will be of the form :</para>
+
+	<para><command>"SERVER\user (Long name)"</command></para>
+
+	<para>Where <replaceable>SERVER</replaceable> is the NetBIOS name of 
+	the Samba server, <replaceable>user</replaceable> is the user name of 
+	the UNIX user who owns the file, and <replaceable>(Long name)</replaceable>
+	is the discriptive string identifying the user (normally found in the
+	GECOS field of the UNIX password database). Click on the <command>Close
+	</command> button to remove this dialog.</para>
+
+	<para>If the parameter <parameter>nt acl support</parameter>
+	is set to <constant>false</constant> then the file owner will 
+	be shown as the NT user <command>"Everyone"</command>.</para>
+
+	<para>The <command>Take Ownership</command> button will not allow 
+	you to change the ownership of this file to yourself (clicking on 
+	it will display a dialog box complaining that the user you are 
+	currently logged onto the NT client cannot be found). The reason 
+	for this is that changing the ownership of a file is a privilaged 
+	operation in UNIX, available only to the <emphasis>root</emphasis> 
+	user. As clicking on this button causes NT to attempt to change 
+	the ownership of a file to the current user logged into the NT 
+	client this will not work with Samba at this time.</para>
+
+	<para>There is an NT chown command that will work with Samba 
+	and allow a user with Administrator privillage connected 
+	to a Samba 2.0.4 server as root to change the ownership of 
+	files on both a local NTFS filesystem or remote mounted NTFS 
+	or Samba drive. This is available as part of the <emphasis>Seclib
+	</emphasis> NT security library written by Jeremy Allison of 
+	the Samba Team, available from the main Samba ftp site.</para>
+
+</sect1>
+
+<sect1>
+	<title>Viewing file or directory permissions</title>
+
+	<para>The third button is the <command>"Permissions"</command> 
+	button. Clicking on this brings up a dialog box that shows both 
+	the permissions and the UNIX owner of the file or directory. 
+	The owner is displayed in the form :</para>
+
+	<para><command>"SERVER\user (Long name)"</command></para>
+
+	<para>Where <replaceable>SERVER</replaceable> is the NetBIOS name of 
+	the Samba server, <replaceable>user</replaceable> is the user name of 
+	the UNIX user who owns the file, and <replaceable>(Long name)</replaceable>
+	is the discriptive string identifying the user (normally found in the
+	GECOS field of the UNIX password database).</para>
+
+	<para>If the parameter <parameter>nt acl support</parameter>
+	is set to <constant>false</constant> then the file owner will 
+	be shown as the NT user <command>"Everyone"</command> and the 
+	permissions will be shown as NT "Full Control".</para>
+
+
+	<para>The permissions field is displayed differently for files 
+	and directories, so I'll describe the way file permissions 
+	are displayed first.</para>
+
+	<sect2>
+		<title>File Permissions</title>
+
+		<para>The standard UNIX user/group/world triple and 
+		the correspinding "read", "write", "execute" permissions 
+		triples are mapped by Samba into a three element NT ACL 
+		with the 'r', 'w', and 'x' bits mapped into the corresponding 
+		NT permissions. The UNIX world permissions are mapped into 
+		the global NT group <command>Everyone</command>, followed 
+		by the list of permissions allowed for UNIX world. The UNIX 
+		owner and group permissions are displayed as an NT 
+		<command>user</command> icon and an NT <command>local 
+		group</command> icon respectively followed by the list 
+	 	of permissions allowed for the UNIX user and group.</para>
+
+		<para>As many UNIX permission sets don't map into common 
+		NT names such as <command>"read"</command>, <command>
+		"change"</command> or <command>"full control"</command> then 
+		usually the permissions will be prefixed by the words <command>
+		"Special Access"</command> in the NT display list.</para>
+
+		<para>But what happens if the file has no permissions allowed 
+		for a particular UNIX user group or world component ? In order 
+		to  allow "no permissions" to be seen and modified then Samba 
+		overloads the NT <command>"Take Ownership"</command> ACL attribute 
+		(which has no meaning in UNIX) and reports a component with 
+		no permissions as having the NT <command>"O"</command> bit set. 
+		This was chosen of course to make it look like a zero, meaning 
+		zero permissions. More details on the decision behind this will 
+		be given below.</para>
+	</sect2>
+	
+	<sect2>
+		<title>Directory Permissions</title>
+
+		<para>Directories on an NT NTFS file system have two 
+		different sets of permissions. The first set of permissions 
+		is the ACL set on the directory itself, this is usually displayed 
+		in the first set of parentheses in the normal <command>"RW"</command> 
+		NT style. This first set of permissions is created by Samba in 
+		exactly the same way as normal file permissions are, described 
+		above, and is displayed in the same way.</para>
+
+		<para>The second set of directory permissions has no real meaning 
+		in the UNIX permissions world and represents the <command>
+		"inherited"</command> permissions that any file created within 
+		this directory would inherit.</para>
+
+		<para>Samba synthesises these inherited permissions for NT by 
+		returning as an NT ACL the UNIX permission mode that a new file 
+		created by Samba on this share would receive.</para>
+	</sect2>
+</sect1>
+	
+<sect1>
+	<title>Modifying file or directory permissions</title>
+
+	<para>Modifying file and directory permissions is as simple 
+	as changing the displayed permissions in the dialog box, and 
+	clicking the <command>OK</command> button. However, there are 
+	limitations that a user needs to be aware of, and also interactions 
+	with the standard Samba permission masks and mapping of DOS 
+	attributes that need to also be taken into account.</para>
+
+	<para>If the parameter <parameter>nt acl support</parameter>
+	is set to <constant>false</constant> then any attempt to set 
+	security permissions will fail with an <command>"Access Denied"
+	</command> message.</para>
+
+	<para>The first thing to note is that the <command>"Add"</command> 
+	button will not return a list of users in Samba 2.0.4 (it will give 
+	an error message of <command>"The remote proceedure call failed 
+	and did not execute"</command>). This means that you can only 
+	manipulate the current user/group/world permissions listed in 
+	the dialog box. This actually works quite well as these are the 
+	only permissions that UNIX actually has.</para>
+
+	<para>If a permission triple (either user, group, or world) 
+	is removed from the list of permissions in the NT dialog box, 
+	then when the <command>"OK"</command> button is pressed it will 
+	be applied as "no permissions" on the UNIX side. If you then 
+	view the permissions again the "no permissions" entry will appear 
+	as the NT <command>"O"</command> flag, as described above. This 
+	allows you to add permissions back to a file or directory once 
+	you have removed them from a triple component.</para>
+
+	<para>As UNIX supports only the "r", "w" and "x" bits of 
+	an NT ACL then if other NT security attributes such as "Delete 
+	access" are selected then they will be ignored when applied on 
+	the Samba server.</para>
+
+	<para>When setting permissions on a directory the second 
+	set of permissions (in the second set of parentheses) is 
+	by default applied to all files within that directory. If this 
+	is not what you want you must uncheck the <command>"Replace 
+	permissions on existing files"</command> checkbox in the NT 
+	dialog before clicking <command>"OK"</command>.</para>
+
+	<para>If you wish to remove all permissions from a 
+	user/group/world  component then you may either highlight the 
+	component and click the <command>"Remove"</command> button, 
+	or set the component to only have the special <command>"Take
+	Ownership"</command> permission (dsplayed as <command>"O"
+	</command>) highlighted.</para>
+</sect1>
+
+<sect1>
+	<title>Interaction with the standard Samba create mask 
+	parameters</title>
+
+	<para>Note that with Samba 2.0.5 there are four new parameters 
+	to control this interaction.  These are :</para>
+
+	<para><parameter>security mask</parameter></para>
+	<para><parameter>force security mode</parameter></para>
+	<para><parameter>directory security mask</parameter></para>
+	<para><parameter>force directory security mode</parameter></para>
+
+	<para>Once a user clicks <command>"OK"</command> to apply the 
+	permissions Samba maps the given permissions into a user/group/world 
+	r/w/x triple set, and then will check the changed permissions for a 
+	file against the bits set in the <ulink url="smb.conf.5.html#SECURITYMASK"> 
+	<parameter>security mask</parameter></ulink> parameter. Any bits that 
+	were changed that are not set to '1' in this parameter are left alone 
+	in the file permissions.</para>
+
+	<para>Essentially, zero bits in the <parameter>security mask</parameter>
+	mask may be treated as a set of bits the user is <emphasis>not</emphasis> 
+	allowed to change, and one bits are those the user is allowed to change.
+	</para>
+
+	<para>If not set explicitly this parameter is set to the same value as 
+	the <ulink url="smb.conf.5.html#CREATEMASK"><parameter>create mask
+	</parameter></ulink> parameter to provide compatibility with Samba 2.0.4 
+	where this permission change facility was introduced. To allow a user to 
+	modify all the user/group/world permissions on a file, set this parameter 
+	to 0777.</para>
+
+	<para>Next Samba checks the changed permissions for a file against 
+	the bits set in the <ulink url="smb.conf.5.html#FORCESECURITYMODE">
+	<parameter>force security mode</parameter></ulink> parameter. Any bits 
+	that were changed that correspond to bits set to '1' in this parameter 
+	are forced to be set.</para>
+
+	<para>Essentially, bits set in the <parameter>force security mode
+	</parameter> parameter may be treated as a set of bits that, when 
+	modifying security on a file, the user has always set to be 'on'.</para>
+
+	<para>If not set explicitly this parameter is set to the same value 
+	as the <ulink url="smb.conf.5.html#FORCECREATEMODE"><parameter>force 
+	create mode</parameter></ulink> parameter to provide compatibility
+	with Samba 2.0.4 where the permission change facility was introduced.
+	To allow a user to modify all the user/group/world permissions on a file,
+	with no restrictions set this parameter to 000.</para>
+
+	<para>The <parameter>security mask</parameter> and <parameter>force 
+	security mode</parameter> parameters are applied to the change 
+	request in that order.</para>
+
+	<para>For a directory Samba will perform the same operations as 
+	described above for a file except using the parameter <parameter>
+	directory security mask</parameter> instead of <parameter>security 
+	mask</parameter>, and <parameter>force directory security mode
+	</parameter> parameter instead of <parameter>force security mode
+	</parameter>.</para>
+
+	<para>The <parameter>directory security mask</parameter> parameter 
+	by default is set to the same value as the <parameter>directory mask
+	</parameter> parameter and the <parameter>force directory security 
+	mode</parameter> parameter by default is set to the same value as 
+ 	the <parameter>force directory mode</parameter> parameter to provide 
+	compatibility with Samba 2.0.4 where the permission change facility 
+	was introduced.</para>
+
+	<para>In this way Samba enforces the permission restrictions that 
+	an administrator can set on a Samba share, whilst still allowing users 
+	to modify the permission bits within that restriction.</para>
+
+	<para>If you want to set up a share that allows users full control
+	in modifying the permission bits on their files and directories and
+	doesn't force any particular bits to be set 'on', then set the following
+	parameters in the <ulink url="smb.conf.5.html"><filename>smb.conf(5)
+	</filename></ulink> file in that share specific section :</para>
+
+	<para><parameter>security mask = 0777</parameter></para>
+	<para><parameter>force security mode = 0</parameter></para>
+	<para><parameter>directory security mask = 0777</parameter></para>
+	<para><parameter>force directory security mode = 0</parameter></para>
+
+	<para>As described, in Samba 2.0.4 the parameters :</para>
+
+	<para><parameter>create mask</parameter></para>
+	<para><parameter>force create mode</parameter></para>
+	<para><parameter>directory mask</parameter></para>
+	<para><parameter>force directory mode</parameter></para>
+
+	<para>were used instead of the parameters discussed here.</para>
+</sect1>
+
+<sect1>
+	<title>Interaction with the standard Samba file attribute 
+	mapping</title>
+
+	<para>Samba maps some of the DOS attribute bits (such as "read 
+	only") into the UNIX permissions of a file. This means there can 
+	be a conflict between the permission bits set via the security 
+	dialog and the permission bits set by the file attribute mapping.
+	</para>
+
+	<para>One way this can show up is if a file has no UNIX read access
+	for the owner it will show up as "read only" in the standard 
+	file attributes tabbed dialog. Unfortunately this dialog is
+	the same one that contains the security info in another tab.</para>
+
+	<para>What this can mean is that if the owner changes the permissions
+	to allow themselves read access using the security dialog, clicks
+	<command>"OK"</command> to get back to the standard attributes tab 
+	dialog, and then clicks <command>"OK"</command> on that dialog, then 
+	NT will set the file permissions back to read-only (as that is what 
+	the attributes still say in the dialog). This means that after setting 
+	permissions and clicking <command>"OK"</command> to get back to the 
+	attributes dialog you should always hit <command>"Cancel"</command> 
+	rather than <command>"OK"</command> to ensure that your changes 
+	are not overridden.</para>
+</sect1>
+
+</chapter>
diff --git a/docs/docbook/projdoc/OS2-Client-HOWTO.sgml b/docs/docbook/projdoc/OS2-Client-HOWTO.sgml
new file mode 100644
index 0000000000..5db80cda3d
--- /dev/null
+++ b/docs/docbook/projdoc/OS2-Client-HOWTO.sgml
@@ -0,0 +1,142 @@
+<chapter>
+
+
+<chapterinfo>
+	<author>
+		<firstname>Jim</firstname><surname>McDonough</surname>
+		<affiliation>
+			<orgname>IBM</orgname>
+			<address>
+				<email>jerry@samba.org</email>
+			</address>
+		</affiliation>
+	</author>
+	
+		
+	<pubdate>5 Mar 2001</pubdate>
+</chapterinfo>
+
+<title>OS2 Client HOWTO</title>
+
+<sect1>
+	<title>FAQs</title>
+
+	<sect2>
+		<title>How can I configure OS/2 Warp Connect or 
+		OS/2 Warp 4 as a client for Samba?</title>
+
+		<para>A more complete answer to this question can be 
+		found on <ulink url="http://carol.wins.uva.nl/~leeuw/samba/warp.html">
+		http://carol.wins.uva.nl/~leeuw/samba/warp.html</ulink>.</para>
+		
+		<para>Basically, you need three components:</para>
+		
+		<itemizedlist>
+			<listitem><para>The File and Print Client ('IBM Peer')
+			</para></listitem>
+			<listitem><para>TCP/IP ('Internet support') 
+			</para></listitem>
+			<listitem><para>The "NetBIOS over TCP/IP" driver ('TCPBEUI')
+			</para></listitem>
+		</itemizedlist>
+		
+		<para>Installing the first two together with the base operating 
+		system on a blank system is explained in the Warp manual. If Warp 
+		has already been installed, but you now want to install the 
+		networking support, use the "Selective Install for Networking" 
+		object in the "System Setup" folder.</para>
+
+		<para>Adding the "NetBIOS over TCP/IP" driver is not described 
+		in the manual and just barely in the online documentation. Start 
+		MPTS.EXE, click on OK, click on "Configure LAPS" and click 
+		on "IBM OS/2 NETBIOS OVER TCP/IP" in  'Protocols'.  This line 
+		is then moved to 'Current Configuration'. Select that line, 
+		click on "Change number" and increase it from 0 to 1. Save this
+		configuration.</para>
+
+		<para>If the Samba server(s) is not on your local subnet, you 
+		can optionally add IP names and addresses of these servers 
+		to the "Names List", or specify a  WINS server ('NetBIOS 
+		Nameserver' in IBM and RFC terminology). For Warp Connect you 
+		may need to download an update for 'IBM Peer' to bring it on 
+		the same level as Warp 4. See the webpage mentioned above.</para>
+	</sect2>
+	
+	<sect2>
+		<title>How can I configure OS/2 Warp 3 (not Connect), 
+		OS/2 1.2, 1.3 or 2.x for Samba?</title>
+		
+		<para>You can use the free Microsoft LAN Manager 2.2c Client 
+		for OS/2 from 
+		<ulink url="ftp://ftp.microsoft.com/BusSys/Clients/LANMAN.OS2/">
+		ftp://ftp.microsoft.com/BusSys/Clients/LANMAN.OS2/</ulink>.
+   	See <ulink url="http://carol.wins.uva.nl/~leeuw/lanman.html">
+		http://carol.wins.uva.nl/~leeuw/lanman.html</ulink> for 
+		more information on how to install and use this client. In 
+		a nutshell, edit the file \OS2VER in the root directory of 
+		the OS/2 boot partition and add the lines:</para>
+		
+		<para><programlisting>
+		20=setup.exe
+		20=netwksta.sys
+		20=netvdd.sys
+		</programlisting></para>
+		
+		<para>before you install the client. Also, don't use the 
+		included NE2000 driver because it is buggy. Try the NE2000 
+		or NS2000 driver from 
+		<ulink url="ftp://ftp.cdrom.com/pub/os2/network/ndis/">
+ 		ftp://ftp.cdrom.com/pub/os2/network/ndis/</ulink> instead.
+		</para>
+	</sect2>
+	
+	<sect2>
+		<title>Are there any other issues when OS/2 (any version) 
+		is used as a client?</title>
+		
+		<para>When you do a NET VIEW or use the "File and Print 
+		Client Resource Browser", no Samba servers show up. This can 
+		be fixed by a patch from <ulink
+		url="http://carol.wins.uva.nl/~leeuw/samba/fix.html">
+		http://carol.wins.uva.nl/~leeuw/samba/fix.html</ulink>.
+		The patch will be included in a later version of Samba. It also 
+		fixes a couple of other problems, such as preserving long 
+		filenames when objects are dragged from the Workplace Shell 
+		to the Samba server. </para>
+	</sect2>
+	
+	<sect2>
+		<title>How do I get printer driver download working 
+		for OS/2 clients?</title>
+
+		<para>First, create a share called [PRINTDRV] that is 
+		world-readable.  Copy your OS/2 driver files there.  Note 
+		that the .EA_ files must still be separate, so you will need 
+		to use the original install files, and not copy an installed 
+		driver from an OS/2 system.</para>
+		
+		<para>Install the NT driver first for that printer.  Then, 
+		add to your smb.conf a paramater, "os2 driver map = 
+		<replaceable>filename</replaceable>".  Then, in the file 
+		specified by <replaceable>filename</replaceable>, map the 
+		name of the NT driver name to the OS/2 driver name as 
+		follows:</para>
+		
+		<para>&lt;nt driver name&gt; = &lt;os2 driver 
+		name&gt;.&lt;device name&gt;, e.g.:
+		HP LaserJet 5L = LASERJET.HP LaserJet 5L</para>
+
+		<para>You can have multiple drivers mapped in this file.</para>
+	
+		<para>If you only specify the OS/2 driver name, and not the 
+		device name, the first attempt to download the driver will 
+		actually download the files, but the OS/2 client will tell 
+		you the driver is not available.  On the second attempt, it 
+		will work.  This is fixed simply by adding the device name
+  		 to the mapping, after which it will work on the first attempt.
+		</para>
+	</sect2>
+</sect1>
+
+</chapter>
+   
diff --git a/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml
new file mode 100644
index 0000000000..699ba54a09
--- /dev/null
+++ b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml
@@ -0,0 +1,964 @@
+<chapter>
+
+
+<chapterinfo>
+	<author>
+		<firstname>Gerald (Jerry)</firstname><surname>Carter</surname>
+		<affiliation>
+			<orgname>VA Linux Systems/Samba Team</orgname>
+			<address><email>jerry@samba.org</email></address>
+		</affiliation>
+	</author>
+	<pubdate> (15 Apr 2001) </pubdate>
+</chapterinfo>
+
+<title>
+How to Configure Samba 2.2.x as a Primary Domain Controller
+</title>
+
+
+<!-- **********************************************************
+
+     Background Information
+
+*************************************************************** -->
+<sect1>
+<title>
+Background
+</title>
+
+<para><emphasis>Author's Note :</emphasis> This document
+is a combination of David Bannon's Samba 2.2 PDC HOWTO
+and the Samba NT Domain FAQ. Both documents are superceeded by this one.
+</para>
+
+<para>
+Version of Samba prior to release 2.2 had marginal capabilities to
+act as a Windows NT 4.0 Primary Domain Controller (PDC).  The following 
+functionality should work in 2.2.0:
+</para>
+
+<itemizedlist>
+	<listitem><para>domain logons for Windows NT 4.0/2000 clients</para></listitem>
+	
+	<listitem><para>placing a Windows 9x client in user level security</para></listitem>
+	
+	<listitem><para>retrieving a list of users and groups from a Samba PDC to
+	Windows 9x/NT/2000 clients </para></listitem>
+	
+	<listitem><para>roving user profiles</para></listitem>
+	
+	<listitem><para>Windows NT 4.0 style system policies</para></listitem>
+</itemizedlist>
+
+<para>
+The following pieces of functionality are not included in the 2.2 release:
+</para>
+
+<itemizedlist>
+	<listitem><para>Windows NT 4 domain trusts</para></listitem>
+	
+	<listitem><para>Sam replication with Windows NT 4.0 Domain Controllers
+	(i.e. a Samba PDC and a Windows NT BDC or vice versa) </para></listitem>
+	
+	<listitem><para>Adding users via the User Manager for Domains</para></listitem>
+
+	<listitem><para>Acting as a Windows 2000 Domain Controller (i.e. Kerberos
+	and Active Directory)</para></listitem>
+</itemizedlist>
+
+<para>
+Please note that Windows 9x clients are not true members of a domain
+for reasons outlined in this article.  Therefore the protocol for
+support Windows 9x style domain logons is completely different
+from NT4 domain logons and has been officially supported for some 
+time.
+</para>
+
+<para>
+Beginning with Samba 2.2.0, we are proud to announce official 
+support for Windows NT 4.0 style domain logons from Windows NT
+4.0 and Windows 2000 (including SP1) clients.  This article 
+outlines the steps necessary for configuring Samba as a PDC.
+Note that it is necessary to have a working Samba server
+prior to implementing the PDC functionality.  If you have not 
+followed the steps outlined in <ulink url="UNIX_INSTALL.html">
+UNIX_INSTALL.html</ulink>, please make sure that your server 
+is configured correctly before proceeding.  Another good 
+resource in the <ulink url="smb.conf.5.html">smb.conf(5) man 
+page</ulink>.
+</para>
+
+<para>
+Implementing a Samba PDC can basically be divided into 2 broad
+steps.
+</para>
+
+<orderedlist numeration="Arabic">
+	<listitem><para>Configuring the Samba Domain Controller
+	</para></listitem>
+	
+	<listitem><para>Creating machine trust accounts
+	and joining clients to the domain</para></listitem>
+</orderedlist>
+
+<para>
+There are other minor details such as user profiles, system
+policies, etc...  However, these are not necessarily specific
+to a Samba PDC as much as they are related to Windows NT networking
+concepts.  They will be mentioned only briefly here.
+</para>
+
+</sect1>
+
+
+<!-- **********************************************************
+
+     Configuring the Samba PDC
+
+*************************************************************** -->
+
+<sect1>
+<title>Configuring the Samba Domain Controller</title>
+
+<para>
+The first step in creating a working Samba PDC is to 
+understand the parameters necessary in smb.conf.  I will not
+attempt to re-explain the parameters here as they are more that
+adequately covered in <ulink url="smb.conf.5.html"> the smb.conf
+man page</ulink>.  For convenience, the parameters have been
+linked with the actual smb.conf description.
+</para>
+
+<para>
+Here is an example smb.conf for acting as a PDC:
+</para>
+
+<para><programlisting>
+[global]
+    ; Basic server settings
+    <ulink url="smb.conf.5.html#NETBIOSNAME">netbios name</ulink> = <replaceable>POGO</replaceable>
+    <ulink url="smb.conf.5.html#WORKGROUP">workgroup</ulink> = <replaceable>NARNIA</replaceable>
+
+    ; we should act as the domain and local master browser
+    <ulink url="smb.conf.5.html#OSLEVEL">os level</ulink> = 64
+    <ulink url="smb.conf.5.html#PERFERREDMASTER">preferred master</ulink> = yes
+    <ulink url="smb.conf.5.html#DOMAINMASTER">domain master</ulink> = yes
+    <ulink url="smb.conf.5.html#LOCALMASTER">local master</ulink> = yes
+    
+    ; security settings (must user security = user)
+    <ulink url="smb.conf.5.html#SECURITYEQUALSUSER">security</ulink> = user
+    
+    ; encrypted passwords are a requirement for a PDC
+    <ulink url="smb.conf.5.html#ENCRYPTPASSWORDS">encrypt passwords</ulink> = yes
+    
+    ; support domain logons
+    <ulink url="smb.conf.5.html#DOMAINLOGONS">domain logons</ulink> = yes
+    
+    ; where to store user profiles?
+    <ulink url="smb.conf.5.html#LOGONPATH">logon path</ulink> = \\%N\profiles\%u
+    
+    ; where is a user's home directory and where should it
+    ; be mounted at?
+    <ulink url="smb.conf.5.html#LOGONDRIVE">logon drive</ulink> = H:
+    <ulink url="smb.conf.5.html#LOGONHOME">logon home</ulink> = \\homeserver\%u
+    
+    ; specify a generic logon script for all users
+    ; this is a relative path to the [netlogon] share
+    <ulink url="smb.conf.5.html#LOGONSCRIPT">logon script</ulink> = logon.cmd
+
+; necessary share for domain controller
+[netlogon]
+    <ulink url="smb.conf.5.html#PATH">path</ulink> = /usr/local/samba/lib/netlogon
+    <ulink url="smb.conf.5.html#WRITEABLE">writeable</ulink> = no
+    <ulink url="smb.conf.5.html#WRITELIST">write list</ulink> = <replaceable>ntadmin</replaceable>
+    
+; share for storing user profiles
+[profiles]
+    <ulink url="smb.conf.5.html#PATH">path</ulink> = /export/smb/ntprofile
+    <ulink url="smb.conf.5.html#WRITEABLE">writeable</ulink> = yes
+    <ulink url="smb.conf.5.html#CREATEMASK">create mask</ulink> = 0600
+    <ulink url="smb.conf.5.html#DIRECTORYMASK">directory mask</ulink> = 0700
+</programlisting></para>
+
+<para>
+There are a couple of points to emphasize in the above
+configuration.
+</para>
+
+<itemizedlist>
+	<listitem><para>encrypted passwords must be enabled.
+	For more details on how to do this, refer to 
+	<ulink url="ENCRYPTION.html">ENCRYPTION.html</ulink>.
+	</para></listitem>
+	
+	<listitem><para>The server must support domain logons
+	and a <filename>[netlogon]</filename> share</para></listitem>
+	
+	<listitem><para>The server must be the domain master browser
+	in order for Windows client to locate the server as a DC.</para>
+	</listitem>
+</itemizedlist>    
+
+<para>
+As Samba 2.2 does not offer a complete implementation of group mapping between 
+Windows NT groups and UNIX groups (this is really quite complicated to explain 
+in a short space), you should refer to the <ulink url="smb.conf.5.html#DOMAINADMONUSERS">domain 
+admin users</ulink> and <ulink url="smb.conf.5.html#DOMAINADMINGROUP">domain 
+admin group</ulink> smb.conf parameters for information of creating a Domain Admins 
+style accounts.
+</para>
+
+</sect1>
+
+
+<sect1>
+<title>Creating Machine Trust Accounts and Joining Clients 
+to the Domain</title>
+
+<para>
+First you must understand what a machine trust account is and what 
+it is used for.
+</para>
+
+<para>
+A machine trust account is a user account owned by a computer.  
+The account password acts as the shared secret for secure 
+communication with the Domain Controller.  Hence the reason that
+a Windows 9x host is never a true member of a domain because
+it does not posses a machine trust account and thus has no shared
+secret with the DC.
+</para>
+
+<para>
+On a Windows NT PDC, these machine trust account passwords are stored
+in the registry.  A Samba PDC stores these accounts in he same location
+as user LanMan and NT password hashes (currently <filename>smbpasswd</filename>).
+However, machine trust accounts only possess the NT password hash.
+</para>
+
+<para>
+There are two means of creating machine trust accounts.
+</para>
+
+<itemizedlist>
+	<listitem><para>Manual creation before joining the client
+	to the domain.  In this case, the password is set to a known
+	value -- the lower case of the machine's netbios name.</para></listitem>
+	
+	<listitem><para>Creation of the account at the time of 
+	joining the domain.  In this case, the session key of the 
+	administrative account used to join the client to the domain acts
+	as an encryption key for setting the password to a random value.</para>
+	</listitem>
+</itemizedlist>
+
+<para>
+Because Samba requires machine accounts to possess a UNIX uid from
+which an Windows NT SID can be generated, all of these accounts
+will have an entry in <filename>/etc/passwd</filename> and smbpasswd.  
+Future releases will alleviate the need to create 
+<filename>/etc/passwd</filename> entries.
+</para>
+
+
+<para>
+The <filename>/etc/passwd</filename> entry will list the machine name 
+with a $ appended, won't have a passwd, will have a null shell and no 
+home directory. For example a machine called 'doppy' would have an 
+<filename>/etc/passwd</filename> entry like this :
+</para>
+
+<para><programlisting>
+doppy$:x:505:501:NTMachine:/dev/null:/bin/false
+</programlisting></para>
+
+<para>
+If you are manually creating the machine accounts, it is necessary
+to add the <filename>/etc/passwd</filename> (or NIS passwd
+map) entry prior to adding the <filename>smbpasswd</filename>
+entry.  The following command will create a new machine account
+ready for use.
+</para>
+
+<para>
+<prompt>root# </prompt> smbpasswd -a -m <replaceable>machine_name</replaceable>
+</para>
+
+<para>
+where <replaceable>machine_name</replaceable> is the machine's netbios
+name.
+</para>
+
+<para>
+<emphasis>If you manually create a machine account, immediately join
+the client to the domain.</emphasis>  An open account like this
+can allow intruders to gain access to user account information
+in your domain.
+</para>
+
+<para>
+The second way of creating machine trust accounts is to add
+them on the fly at the time the client is joined to the domain.
+You will need to include a value for the 
+<ulink url="smb.conf.5.html#ADDUSERSCRIPT">add user script</ulink>
+parameter.  Below is an example I use on a RedHat 6.2 Linux system.
+</para>
+
+<para><programlisting>
+add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u 
+</programlisting></para>
+
+<para>
+In Samba 2.2.0, <emphasis>only the root account</emphasis> can be used to create
+machine accounts on the fly like this.  Therefore, it is required
+to create an entry in smbpasswd for <emphasis>root</emphasis>.
+The password <emphasis>SHOULD</emphasis> be set to s different
+password that the associated <filename>/etc/passwd</filename>
+entry for security reasons.
+</para>
+</sect1>
+
+<!-- **********************************************************
+
+     Common Problems
+
+*************************************************************** -->
+
+<sect1>
+<title>Common Problems and Errors</title>
+
+<para>
+</para>
+
+<para>
+<emphasis>I cannot include a '$' in a machine name.</emphasis>
+</para>
+
+<para>
+A 'machine name' in (typically) <filename>/etc/passwd</> 	
+of the machine name with a '$' appended. FreeBSD (and other BSD 
+systems ?) won't create a user with a '$' in their name.
+</para>
+
+<para>
+The problem is only in the program used to make the entry, once 
+made, it works perfectly. So create a user without the '$' and 
+use <command>vipw</> to edit the entry, adding the '$'. Or create 
+the whole entry with vipw if you like, make sure you use a 
+unique uid !
+</para>
+
+
+<para>
+<emphasis>I get told "You already have a connection to the Domain...." 
+when creating a machine account.</emphasis>
+</para>
+
+<para>
+This happens if you try to create a machine account from the 
+machine itself and use a user name that does not work (for whatever 
+reason) and then try another (possibly valid) user name.
+Exit out of the network applet to close the initial connection 
+and try again.
+</para>
+
+<para>
+Further, if the machine is a already a 'member of a workgroup' that 
+is the same name as the domain you are joining (bad idea) you will 
+get this message.  Change the workgroup name to something else, it 
+does not matter what, reboot, and try again.
+</para>
+
+<para>
+<emphasis>I get told "Cannot join domain, the credentials supplied 
+conflict with an existing set.."</emphasis>
+</para>
+
+<para>
+This is the same basic problem as mentioned above, "You already 
+have a connection..."
+</para>
+
+<para>
+<emphasis>
+"The system can not log you on (C000019B)...."</emphasis>
+</para>
+
+<para>I joined the domain successfully but after upgrading 
+to a newer version of the Samba code I get the message, "The system 
+can not log you on (C000019B), Please try a gain or consult your 
+system administrator" when attempting to logon.
+</para>
+
+<para>
+This occurs when the domain SID stored in 
+<filename>private/WORKGROUP.SID</filename> is 
+changed.  For example, you remove the file and <command>smbd</command> automatically 
+creates a new one.  Or you are swapping back and forth between 
+versions 2.0.7, TNG and the HEAD branch code (not recommended).  The 
+only way to correct the problem is to restore the original domain 
+SID or 	remove the domain client from the domain and rejoin.
+</para> 
+
+
+<para>
+<emphasis>"The machine account for this computer either does not 
+exist or is not accessible."</emphasis>
+</para>
+
+<para>
+When I try to join the domain I get the message "The machine account 
+for this computer either does not exist or is not accessible". Whats 
+wrong ?
+</para>
+
+<para>
+This problem is caused by the PDC not having a suitable machine account. 
+If you are using the <command>add user script =</> method to create 
+accounts then this would indicate that it has not worked. Ensure the domain 
+admin user system is working.
+</para>
+
+<para>
+Alternatively if you are creating account entries manually then they 
+have not been created correctly. Make sure that you have the entry 
+correct for the machine account in smbpasswd file on the Samba PDC. 
+If you added the account using an editor rather than using the smbpasswd 
+utility, make sure that the account name is the machine netbios name 
+with a '$' appended to it ( ie. computer_name$ ). There must be an entry 
+in both /etc/passwd and the smbpasswd file. Some people have reported 
+that inconsistent subnet masks between the Samba server and the NT 
+client have caused this problem.   Make sure that these are consistent 
+for both client and server.
+</para>
+
+</sect1>
+
+
+
+<!-- **********************************************************
+
+     Policies and Profiles
+
+*************************************************************** -->
+
+<sect1>
+<title>
+System Policies and Profiles
+</title>
+
+<para>
+Much of the information necessary to implement System Policies and
+Roving User Profiles in a Samba domain is the same as that for 
+implementing these same items in a Windows NT 4.0 domain. 
+You should read the white paper <ulink url="http://www.microsoft.com/ntserver/management/deployment/planguide/prof_policies.asp">Implementing
+Profiles and Policies in Windows NT 4.0</ulink> available from Microsoft.
+</para>
+
+<para>
+Here are some additional details:
+</para>
+
+<para>
+<emphasis>What about Windows NT Policy Editor ?</emphasis>
+</para>
+
+<para>
+To create or edit <filename>ntconfig.pol</filename> you must use 
+the NT Server Policy Editor, <command>poledit.exe</command>	which 
+is included with NT Server but <emphasis>not NT Workstation</emphasis>. 
+There is a Policy Editor on a NTws 
+but it is not suitable for creating <emphasis>Domain Policies</emphasis>. 
+Further, although the Windows 95 
+Policy Editor can be installed on an NT Workstation/Server, it will not
+work with NT policies because the registry key that are set by the policy templates. 
+However, the files from the NT Server will run happily enough on an NTws. 
+You need <filename>poledit.exe, common.adm</> and <filename>winnt.adm</>. It is convenient
+to put the two *.adm files in <filename>c:\winnt\inf</> which is where
+the binary will look for them unless told otherwise. Note also that that 
+directory is 'hidden'.
+</para>
+
+<para>The Windows NT policy editor is also included with the 
+Service Pack 3 (and later) for Windows NT 4.0. Extract the files using 
+<command>servicepackname /x</command>, ie thats <command>Nt4sp6ai.exe 
+/x</command> for service pack 6a.  The policy editor, <command>poledit.exe</command> and the 
+associated template files (*.adm) should
+be extracted as well.  It is also possible to downloaded the policy template 
+files for Office97 and get a copy of the policy editor.  Another possible 
+location is with the Zero Administration Kit available for download from Microsoft.
+</para>
+
+
+<para>
+<emphasis>Can Win95 do Policies ?</emphasis>
+</para>
+
+<para>
+Install the group policy handler for Win9x to pick up group 
+policies.   Look on the Win98 CD in <filename>\tools\reskit\netadmin\poledit</filename>. 
+Install group policies on a Win9x client by double-clicking 
+<filename>grouppol.inf</filename>. Log off and on again a couple of 
+times and see if Win98 picks up group policies.  Unfortunately this needs 
+to be done on every Win9x machine that uses group policies....
+</para> 
+
+<para>
+If group policies don't work one reports suggests getting the updated 
+(read: working) grouppol.dll for Windows 9x. The group list is grabbed 
+from /etc/group.
+</para>
+
+<para>
+<emphasis>How do I get 'User Manager' and 'Server Manager'</emphasis>
+</para>
+
+<para>
+Since I don't need to buy an NT Server CD now, how do I get 
+the 'User Manager for Domains', the 'Server Manager' ?
+</para>
+
+<para>
+Microsoft distributes a version of 
+these tools called nexus for installation on Windows 95 systems.  The 
+tools set includes
+</para>
+	
+<itemizedlist>
+	<listitem><para>Server Manager</para></listitem> 
+		
+	<listitem><para>User Manager for Domains</para></listitem> 
+
+	<listitem><para>Event Viewer</para></listitem> 
+</itemizedlist>
+
+<para>
+Click here to download the archived file <ulink 
+url="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE">ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE</ulink>
+</para>
+
+<para>
+The Windows NT 4.0 version of the 'User Manager for 
+Domains' and 'Server Manager' are available from Microsoft via ftp 
+from <ulink url="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE">ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE</ulink>
+</para>
+
+</sect1>
+
+
+
+<!-- **********************************************************
+
+     Getting Help
+
+*************************************************************** -->
+
+
+<sect1>
+<title>What other help can I get ? </title>
+
+<para>
+There are many sources of information available in the form 
+of mailing lists, RFC's and documentation.  The docs that come 
+with the samba distribution contain very good explanations of 
+general SMB topics such as browsing.</para> 
+
+<para>
+<emphasis>What are some diagnostics tools I can use to debug the domain logon 
+process and where can I	find them?</emphasis>
+</para>
+
+    <para>
+	One of the best diagnostic tools for debugging problems is Samba itself.  
+	You can use the -d option for both smbd and nmbd to specifiy what 
+	'debug level' at which to run.  See the man pages on smbd, nmbd  and 
+	smb.conf for more information on debugging options.  The debug 
+	level can range from 1 (the default) to 10 (100 for debugging passwords).
+	</para>
+	
+	<para>
+	Another helpful method of debugging is to compile samba using the 
+	<command>gcc -g </command> flag.   This will include debug 
+	information in the binaries and allow you to attach gdb to the 
+	running smbd / nmbd process.  In order to attach gdb to an smbd 
+	process for an NT workstation, first get the workstation to make the 
+	connection. Pressing ctrl-alt-delete and going down to the domain box 
+	is sufficient (at least, on the first time you join the domain) to 
+	generate a 'LsaEnumTrustedDomains'. Thereafter, the workstation 
+	maintains an open connection, and therefore there will be an smbd 
+	process running (assuming that you haven't set a really short smbd 
+	idle timeout)  So, in between pressing ctrl alt delete, and actually 
+	typing in your password, you can gdb attach and continue.
+	</para>
+
+	<para>
+	Some useful samba commands worth investigating:
+	</para>
+	
+	<itemizedlist>
+		<listitem><para>testparam | more</para></listitem>
+		<listitem><para>smbclient -L //{netbios name of server}</para></listitem>
+	</itemizedlist>
+    
+    <para>
+	An SMB enabled version of tcpdump is available from 
+    <ulink url="http://www.tcpdump.org/">http://www.tcpdup.org/</ulink>.
+	Ethereal, another good packet sniffer for UNIX and Win32
+	hosts, can be downloaded from <ulink 
+	url="http://www.ethereal.com/">http://www.ethereal.com</ulink>.
+	</para>
+	
+	<para>
+	For tracing things on the Microsoft Windows NT, Network Monitor 
+	(aka. netmon) is available on the Microsoft Developer Network CD's, 
+	the Windows NT Server install CD and the SMS CD's.  The version of 
+	netmon that ships with SMS allows for dumping packets between any two 
+	computers (ie. placing the network interface in promiscuous mode).  
+	The version on the NT Server install CD will only allow monitoring 
+	of network traffic directed to the local NT box and broadcasts on the 
+	local subnet.  Be aware that Ethereal can read and write netmon 
+	formatted files.
+	</para>
+
+<para>
+<emphasis>How do I install 'Network Monitor' on an NT Workstation 
+or a Windows 9x box?</emphasis>
+</para>
+	<para>
+	Installing netmon on an NT workstation requires a couple 
+	of steps.  The following are for installing Netmon V4.00.349, which comes 
+	with Microsoft Windows NT Server 4.0, on Microsoft Windows NT 
+	Workstation 4.0.  The process should be similar for other version of 
+	Windows NT / Netmon.  You will need both the Microsoft Windows 
+	NT Server 4.0 Install CD and the Workstation 4.0 Install CD.
+	</para> 
+
+	<para>
+	Initially you will need to install 'Network Monitor Tools and Agent' 
+	on the NT Server.  To do this 
+	</para>
+
+	<itemizedlist>
+		<listitem><para>Goto Start - Settings - Control Panel - 
+		Network - Services - Add </para></listitem>
+		
+		<listitem><para>Select the 'Network Monitor Tools and Agent' and 
+		click on 'OK'.</para></listitem> 
+		
+		<listitem><para>Click 'OK' on the Network Control Panel.
+		</para></listitem> 
+		
+		<listitem><para>Insert the Windows NT Server 4.0 install CD 
+		when prompted.</para></listitem> 
+	</itemizedlist>
+
+	<para>
+	At this point the Netmon files should exist in 
+	<filename>%SYSTEMROOT%\System32\netmon\*.*</filename>.    
+	Two subdirectories exist as well, <filename>parsers\</filename> 
+	which contains the necessary DLL's for parsing the netmon packet 
+	dump, and <filename>captures\</filename>.
+	</para>
+
+	<para>
+	In order to install the Netmon tools on an NT Workstation, you will 
+	first need to install the 'Network  Monitor Agent' from the Workstation 
+	install CD.
+	</para>
+
+	<itemizedlist>
+		<listitem><para>Goto Start - Settings - Control Panel - 
+		Network - Services - Add</para></listitem> 
+
+		<listitem><para>Select the 'Network Monitor Agent' and click 
+		on 'OK'.</para></listitem> 
+		
+		<listitem><para>Click 'OK' on the Network Control Panel.
+		</para></listitem> 
+		
+		<listitem><para>Insert the Windows NT Workstation 4.0 install 
+		CD when prompted.</para></listitem> 
+	</itemizedlist>
+
+
+	<para>
+	Now copy the files from the NT Server in %SYSTEMROOT%\System32\netmon\*.* 
+	to %SYSTEMROOT%\System32\netmon\*.* on the Workstation and set 
+	permissions as  you deem appropriate for your site. You will need 
+	administrative rights on the NT box to run netmon.
+	</para>
+
+	<para>
+	To install Netmon on a Windows 9x box install the network monitor agent 
+	from the Windows 9x CD (\admin\nettools\netmon).  There is a readme 
+	file located with the netmon driver files on the CD if you need 
+	information on how to do this.  Copy the files from a working 
+	Netmon installation.
+	</para> 
+
+<sect2>
+<title>URLs and similar</title>
+
+
+<itemizedlist>
+
+ 	<listitem><para>Home of Samba site <ulink url="http://samba.org">
+        http://samba.org</ulink>. We have a mirror near you !</para></listitem>
+
+	<listitem><para> The <emphasis>Development</emphasis> document 
+	on the Samba mirrors might mention your problem. If so,
+	it might mean that the developers are working on it.</para></listitem>
+ 
+	<listitem><para>See how Scott Merrill simulates a BDC behavior at 
+        <ulink url="http://www.skippy.net/linux/smb-howto.html">
+        http://www.skippy.net/linux/smb-howto.html</>. </para></listitem>
+
+	<listitem><para>Although 2.0.7 has almost had its day as a PDC, David Bannon will
+        keep the 2.0.7 PDC pages at <ulink url="http://bioserve.latrobe.edu.au/samba">
+        http://bioserve.latrobe.edu.au/samba</ulink> going for a while yet.</para></listitem>
+
+	<listitem><para>Misc links to CIFS information 
+        <ulink url="http://samba.org/cifs/">http://samba.org/cifs/</ulink></para></listitem>
+
+	<listitem><para>NT Domains for Unix <ulink url="http://mailhost.cb1.com/~lkcl/ntdom/">
+        http://mailhost.cb1.com/~lkcl/ntdom/</ulink></para></listitem>
+
+	<listitem><para>FTP site for older SMB specs: 
+        <ulink url="ftp://ftp.microsoft.com/developr/drg/CIFS/">
+        ftp://ftp.microsoft.com/developr/drg/CIFS/</ulink></para></listitem>
+
+</itemizedlist>
+
+</sect2>
+
+
+<sect2>
+<title>Mailing Lists</title>
+
+<para>
+<emphasis>How do I get help from the mailing lists ?</emphasis>
+</para>
+
+<para>
+There are a number of Samba related mailing lists. Go to <ulink 
+url="http://samba.org">http://samba.org</ulink>, click on your nearest mirror
+and then click on <command>Support</> and then click on <command>
+Samba related mailing lists</>.
+</para>
+
+<para>
+For questions relating to Samba TNG go to
+<ulink url="http://www.samba-tng.org/">http://www.samba-tng.org/</ulink> 
+It has been requested that you don't post questions about Samba-TNG to the
+main stream Samba lists.</para>
+	 
+<para>
+If you post a message to one of the lists please observe the following guide lines :
+</para>
+
+<itemizedlist>
+
+	<listitem><para> Always remember that the developers are volunteers, they are 
+		not paid and they never guarantee to produce a particular feature at 
+		a particular time. Any time lines are 'best guess' and nothing more.
+		</para></listitem>
+
+	<listitem><para> Always mention what version of samba you are using and what 
+		operating system its running under. You should probably list the
+        relevant sections of your smb.conf file, at least the options 
+        in [global] that affect PDC support.</para></listitem>
+
+    <listitem><para>In addition to the version, if you obtained Samba via
+        CVS mention the date when you last checked it out.</para></listitem>
+
+	<listitem><para> Try and make your question clear and brief, lots of long, 
+		convoluted questions get deleted before	they are completely read ! 
+		Don't post html encoded messages (if you can select colour or font 
+		size its html).</para></listitem>
+
+	<listitem><para> If you run one of those nifty 'I'm on holidays' things when 
+		you are away, make sure its configured	to not answer mailing lists.
+		</para></listitem> 
+
+	<listitem><para> Don't cross post. Work out which is the best list to post to 
+		and see what happens, ie don't post to both samba-ntdom and samba-technical.
+        Many people active on the lists subscribe to more 
+		than one list and get annoyed to see the same message two or more times. 
+		Often someone will see a message and thinking it would be better dealt 
+		with on another, will forward it on for you.</para></listitem>
+
+    <listitem><para>You might include <emphasis>partial</emphasis>
+        log files written at a debug level set to as much as 20.  
+        Please don't send the entire log but enough to give the context of the 
+        error messages.</para></listitem>
+
+    <listitem><para>(Possibly) If you have a complete netmon trace ( from the opening of 
+        the pipe to the error ) you can send the *.CAP file as well.</para></listitem> 
+
+    <listitem><para>Please think carefully before attaching a document to an email.
+        Consider pasting the relevant parts into the body of the message. The samba
+        mailing lists go to a huge number of people, do they all need a copy of your 
+        smb.conf in their attach directory ?</para></listitem>
+
+</itemizedlist>
+
+
+<para>
+<emphasis>How do I get off the mailing lists ?</emphasis>
+</para>
+
+    <para>To have your name removed from a samba mailing list, go to the
+        same place you went to to get on it. Go to <ulink url=
+        "http://lists.samba.org/">http://lists.samba.org</ulink>, click 
+		on your nearest mirror and then click on <command>Support</> and 
+		then click on <command> Samba related mailing lists</>. Or perhaps see 
+        <ulink url="http://lists.samba.org/mailman/roster/samba-ntdom">here</ulink></para>
+
+    <para>
+	Please don't post messages to the list asking to be removed, you will just
+        be referred to the above address (unless that process failed in some way...)
+    </para>
+</sect2>      
+</sect1>
+
+
+
+
+<!-- **********************************************************
+
+     Appendix - DOMAIN_CONTROL.txt
+
+*************************************************************** -->
+
+<sect1>
+<title>
+DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba
+</title>
+
+<para>
+This appendix was originally authored by John H Terpstra of the Samba Team
+and is included here for posterity.
+</para>
+
+
+<para>
+<emphasis>NOTE :</emphasis> 
+The term "Domain Controller" and those related to it refer to one specific
+method of authentication that can underly an SMB domain. Domain Controllers
+prior to Windows NT Server 3.1 were sold by various companies and based on 
+private extensions to the LAN Manager 2.1 protocol. Windows NT introduced
+Microsoft-specific ways of distributing the user authentication database.
+See DOMAIN.txt for examples of how Samba can participate in or create
+SMB domains based on shared authentication database schemes other than the 
+Windows NT SAM.
+</para>
+
+<para>
+Windows NT Server can be installed as either a plain file and print server
+(WORKGROUP workstation or server) or as a server that participates in Domain
+Control (DOMAIN member, Primary Domain controller or Backup Domain controller).
+</para>
+
+<para>
+The same is true for OS/2 Warp Server, Digital Pathworks and other similar
+products, all of which can participate in Domain Control along with Windows NT.
+However only those servers which have licensed Windows NT code in them can be
+a primary Domain Controller (eg Windows NT Server, Advanced Server for Unix.)
+</para>
+
+<para>
+To many people these terms can be confusing, so let's try to clear the air.
+</para>
+
+<para>
+Every Windows NT system (workstation or server) has a registry database.
+The registry contains entries that describe the initialization information
+for all services (the equivalent of Unix Daemons) that run within the Windows
+NT environment. The registry also contains entries that tell application
+software where to find dynamically loadable libraries that they depend upon.
+In fact, the registry contains entries that describes everything that anything
+may need to know to interact with the rest of the system.
+</para>
+
+<para>
+The registry files can be located on any Windows NT machine by opening a
+command prompt and typing:
+</para>
+
+<para>
+<prompt>C:\WINNT\></prompt> dir %SystemRoot%\System32\config
+</para>
+
+<para>
+The environment variable %SystemRoot% value can be obtained by typing:
+</para>
+
+<para>
+<prompt>C:\WINNT></prompt>echo %SystemRoot%
+</para>
+
+<para>
+The active parts of the registry that you may want to be familiar with are
+the files called: default, system, software, sam and security.
+</para>
+
+<para>
+In a domain environment, Microsoft Windows NT domain controllers participate
+in replication of the SAM and SECURITY files so that all controllers within
+the domain have an exactly identical copy of each.
+</para>
+
+<para>
+The Microsoft Windows NT system is structured within a security model that
+says that all applications and services must authenticate themselves before
+they can obtain permission from the security manager to do what they set out
+to do.
+</para>
+
+<para>
+The Windows NT User database also resides within the registry. This part of
+the registry contains the user's security identifier, home directory, group
+memberships, desktop profile, and so on.
+</para>
+
+<para>
+Every Windows NT system (workstation as well as server) will have its own
+registry. Windows NT Servers that participate in Domain Security control
+have a database that they share in common - thus they do NOT own an
+independent full registry database of their own, as do Workstations and
+plain Servers.
+</para>
+
+<para>
+The User database is called the SAM (Security Access Manager) database and
+is used for all user authentication as well as for authentication of inter-
+process authentication (ie: to ensure that the service action a user has
+requested is permitted within the limits of that user's privileges).
+</para>
+
+<para>
+The Samba team have produced a utility that can dump the Windows NT SAM into 
+smbpasswd format: see ENCRYPTION.txt for information on smbpasswd and
+/pub/samba/pwdump on your nearest Samba mirror for the utility. This 
+facility is useful but cannot be easily used to implement SAM replication
+to Samba systems.
+</para>
+
+<para>
+Windows for Workgroups, Windows 95, and Windows NT Workstations and Servers
+can participate in a Domain security system that is controlled by Windows NT
+servers that have been correctly configured. At most every domain will have
+ONE Primary Domain Controller (PDC). It is desirable that each domain will
+have at least one Backup Domain Controller (BDC).
+</para>
+
+<para>
+The PDC and BDCs then participate in replication of the SAM database so that
+each Domain Controlling participant will have an up to date SAM component
+within its registry.
+</para>
+
+</sect1>
+
+</chapter>
diff --git a/docs/docbook/projdoc/UNIX_INSTALL.sgml b/docs/docbook/projdoc/UNIX_INSTALL.sgml
new file mode 100644
index 0000000000..41eb7a478c
--- /dev/null
+++ b/docs/docbook/projdoc/UNIX_INSTALL.sgml
@@ -0,0 +1,446 @@
+<chapter>
+
+<title>How to Install and Test SAMBA</title>
+
+<sect1>
+	<title>Step 0: Read the man pages</title>
+	
+	<para>The man pages distributed with SAMBA contain 
+	lots of useful info that will help to get you started. 
+	If you don't know how to read man pages then try 
+	something like:</para>
+
+	<para><prompt>$ </prompt><userinput>nroff -man smbd.8 | more
+	</userinput></para>
+	
+	<para>Other sources of information are pointed to 
+	by the Samba web site,<ulink url="http://www.samba.org/">
+	http://www.samba.org</ulink></para>
+</sect1>
+
+<sect1>
+	<title>Step 1: Building the Binaries</title>
+	
+	<para>To do this, first run the program <command>./configure
+	</command> in the source directory. This should automatically 
+	configure Samba for your operating system. If you have unusual 
+	needs then you may wish to run</para>
+	
+	<para><prompt>root# </prompt><userinput>./configure --help
+	</userinput></para>
+	
+	<para>first to see what special options you can enable.
+	Then exectuting</para>
+	
+	<para><prompt>root# </prompt><userinput>make</userinput></para>
+	
+	<para>will create the binaries. Once it's successfully 
+	compiled you can use </para>
+	
+	<para><prompt>root# </prompt><userinput>make install</userinput></para>
+	
+	<para>to install the binaries and manual pages. You can 
+	separately install the binaries and/or man pages using</para>
+	
+	<para><prompt>root# </prompt><userinput>make installbin
+	</userinput></para>
+	
+	<para>and</para>
+	
+	<para><prompt>root# </prompt><userinput>make installman
+	</userinput></para>
+
+	<para>Note that if you are upgrading for a previous version 
+	of Samba you might like to know that the old versions of 
+	the binaries will be renamed with a ".old" extension. You 
+	can go back to the previous version with</para>
+	
+	<para><prompt>root# </prompt><userinput>make revert
+	</userinput></para>
+	
+	<para>if you find this version a disaster!</para>
+</sect1>
+
+<sect1>
+	<title>Step 2: The all important step</title>
+	
+	<para>At this stage you must fetch yourself a 
+	coffee or other drink you find stimulating. Getting the rest 
+	of the install right can sometimes be tricky, so you will 
+	probably need it.</para>
+
+	<para>If you have installed samba before then you can skip 
+	this step.</para>
+</sect1>
+
+<sect1>
+	<title>Step 3: Create the smb configuration file. </title>
+
+	<para>There are sample configuration files in the examples 
+	subdirectory in the distribution. I suggest you read them 
+	carefully so you can see how the options go together in 
+	practice. See the man page for all the options.</para>
+
+	<para>The simplest useful configuration file would be 
+	something like this:</para>
+
+	<para><programlisting>
+	[global]
+	   workgroup = MYGROUP
+
+	   [homes]
+	      guest ok = no
+	      read only = no
+	</programlisting</para>
+	
+	<para>which would allow connections by anyone with an 
+	account on the server, using either their login name or 
+	"homes" as the service name. (Note that I also set the 
+	workgroup that Samba is part of. See BROWSING.txt for defails)</para>
+	
+	<para>Note that <command>make install</command> will not install 
+	a <filename>smb.conf</filename> file. You need to create it 
+	yourself. </para>
+	
+	<para>Make sure you put the smb.conf file in the same place 
+	you specified in the<filename>Makefile</filename> (the default is to 
+	look for it in <filename>/usr/local/samba/lib/</filename>).</para>
+
+	<para>For more information about security settings for the 
+	[homes] share please refer to the document UNIX_SECURITY.txt.</para>
+</sect1>
+
+<sect1>
+	<title>Step 4: Test your config file with 
+	<command>testparm</command></title>
+
+	<para>It's important that you test the validity of your
+	<filename>smb.conf</filename> file using the testparm program. 
+	If testparm runs OK then it will list the loaded services. If 
+	not it will give an error message.</para>
+
+	<para>Make sure it runs OK and that the services look 
+	resonable before proceeding. </para>
+
+</sect1>
+
+<sect1>
+	<title>Step 5: Starting the smbd and nmbd</title>
+	
+	<para>You must choose to start smbd and nmbd either 
+	as daemons or from <command>inetd</command>. Don't try 
+	to do both!  Either you can put them in <filename>
+	inetd.conf</filename> and have them started on demand 
+	by <command>inetd</command>, or you can start them as
+	daemons either from the command line or in <filename>
+	/etc/rc.local</filename>. See the man pages for details 
+	on the command line options. Take particular care to read 
+	the bit about what user you need to be in order to start 
+	Samba.  In many cases you must be root.</para>
+
+	<para>The main advantage of starting <command>smbd</command>
+	and <command>nmbd</command> as a daemon is that they will 
+	respond slightly more quickly to an initial connection
+	request. This is, however, unlikely to be a problem.</para>
+
+	<sect2>
+		<title>Step 5a: Starting from inetd.conf</title>
+
+		<para>NOTE; The following will be different if 
+		you use NIS or NIS+ to distributed services maps.</para>
+		
+		<para>Look at your <filename>/etc/services</filename>. 
+		What is defined at port 139/tcp. If nothing is defined 
+		then add a line like this:</para>
+
+		<para><userinput>netbios-ssn     139/tcp</userinput></para>
+
+		<para>similarly for 137/udp you should have an entry like:</para>
+
+		<para><userinput>netbios-ns	137/udp</userinput></para>
+
+		<para>Next edit your <filename>/etc/inetd.conf</filename> 
+		and add two lines something like this:</para>
+
+		<para><programlisting>
+		netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd smbd 
+		netbios-ns dgram udp wait root /usr/local/samba/bin/nmbd nmbd 
+		</programlisting></para>
+
+		<para>The exact syntax of <filename>/etc/inetd.conf</filename> 
+		varies between unixes. Look at the other entries in inetd.conf 
+		for a guide.</para>
+
+		<para>NOTE: Some unixes already have entries like netbios_ns 
+		(note the underscore) in <filename>/etc/services</filename>. 
+		You must either edit <filename>/etc/services</filename> or
+		<filename>/etc/inetd.conf</filename> to make them consistant.</para>
+
+		<para>NOTE: On many systems you may need to use the 
+		"interfaces" option in smb.conf to specify the IP address 
+		and netmask of your interfaces. Run <command>ifconfig</command> 
+		as root if you don't know what the broadcast is for your
+		net. <command>nmbd</command> tries to determine it at run 
+		time, but fails on somunixes. See the section on "testing nmbd" 
+		for a method of finding if you need to do this.</para>
+
+		<para>!!!WARNING!!! Many unixes only accept around 5 
+		parameters on the command line in <filename>inetd.conf</filename>. 
+		This means you shouldn't use spaces between the options and 
+		arguments, or you should use a script, and start the script 
+		from <command>inetd</command>.</para>
+
+		<para>Restart <command>inetd</command>, perhaps just send 
+		it a HUP. If you have installed an earlier version of <command>
+		nmbd</command> then you may need to kill nmbd as well.</para>
+	</sect2>
+	
+	<sect2>
+		<title>Step 5b. Alternative: starting it as a daemon</title>
+
+		<para>To start the server as a daemon you should create 
+		a script something like this one, perhaps calling 
+		it <filename>startsmb</filename>.</para>
+
+		<para><programlisting>
+		#!/bin/sh
+		/usr/local/samba/bin/smbd -D 
+		/usr/local/samba/bin/nmbd -D 
+		</programlisting></para>
+
+		<para>then make it executable with <command>chmod 
+		+x startsmb</command></para>
+
+		<para>You can then run <command>startsmb</command> by 
+		hand or execute it from <filename>/etc/rc.local</filename>
+		</para>
+
+		<para>To kill it send a kill signal to the processes 
+		<command>nmbd</command> and <command>smbd</command>.</para>
+
+		<para>NOTE: If you use the SVR4 style init system then 
+		you may like to look at the <filename>examples/svr4-startup</filename>
+		script to make Samba fit into that system.</para>
+	</sect2>
+</sect1>
+
+<sect1>
+	<title>Step 6: Try listing the shares available on your 
+	server</title>
+
+	<para><prompt>$ </prompt><userinput>smbclient -L 
+	<replaceable>yourhostname</replaceable></userinput></para>
+
+	<para>Your should get back a list of shares available on 
+	your server. If you don't then something is incorrectly setup. 
+	Note that this method can also be used to see what shares 
+	are available on other LanManager clients (such as WfWg).</para>
+
+	<para>If you choose user level security then you may find 
+	that Samba requests a password before it will list the shares. 
+	See the <command>smbclient</command> man page for details. (you 
+	can force it to list the shares without a password by
+	adding the option -U% to the command line. This will not work 
+	with non-Samba servers)</para>
+</sect1>
+
+<sect1>
+	<title>Step 7: Try connecting with the unix client</title>
+	
+	<para><prompt>$ </prompt><userinput>smbclient <replaceable>
+	//yourhostname/aservice</replaceable></userinput></para>
+	
+	<para>Typically the <replaceable>yourhostname</replaceable> 
+	would be the name of the host where you installed <command>
+	smbd</command>. The <replaceable>aservice</replaceable> is 
+	any service you have defined in the <filename>smb.conf</filename> 
+	file. Try your user name if you just have a [homes] section
+	in <filename>smb.conf</filename>.</para>
+
+	<para>For example if your unix host is bambi and your login 
+	name is fred you would type:</para>
+
+	<para><prompt>$ </prompt><userinput>smbclient //bambi/fred
+	</userinput></para>
+</sect1>
+
+<sect1>
+	<title>Step 8: Try connecting from a DOS, WfWg, Win9x, WinNT, 
+	Win2k, OS/2, etc... client</title>
+	
+	<para>Try mounting disks. eg:</para>
+
+	<para><prompt>C:\WINDOWS\> </prompt><userinput>net use d: \\servername\service
+	</userinput></para>
+
+	<para>Try printing. eg:</para>
+
+	<para><prompt>C:\WINDOWS\> </prompt><userinput>net use lpt1:
+	\\servername\spoolservice</userinput></para>
+
+	<para><prompt>C:\WINDOWS\> </prompt><userinput>print filename
+	</userinput></para>
+
+	<para>Celebrate, or send me a bug report!</para>
+</sect1>
+
+<sect1>
+	<title>What If Things Don't Work?</title>
+	
+	<para>If nothing works and you start to think "who wrote 
+	this pile of trash" then I suggest you do step 2 again (and 
+	again) till you calm down.</para>
+
+	<para>Then you might read the file DIAGNOSIS.txt and the 
+	FAQ. If you are still stuck then try the mailing list or 
+	newsgroup (look in the README for details). Samba has been 
+	successfully installed at thousands of sites worldwide, so maybe 
+	someone else has hit your problem and has overcome it. You could 
+	also use the WWW site to scan back issues of the samba-digest.</para>
+
+	<para>When you fix the problem PLEASE send me some updates to the
+	documentation (or source code) so that the next person will find it
+	easier. </para>
+
+	<sect2>
+		<title>Diagnosing Problems</title>
+
+		<para>If you have instalation problems then go to 
+		<filename>DIAGNOSIS.txt</filename> to try to find the 
+		problem.</para>
+	</sect2>
+	
+	<sect2>
+		<title>Scope IDs</title>
+
+		<para>By default Samba uses a blank scope ID. This means 
+		all your windows boxes must also have a blank scope ID. 
+		If you really want to use a non-blank scope ID then you will 
+		need to use the -i &lt;scope&gt; option to nmbd, smbd, and 
+		smbclient. All your PCs will need to have the same setting for 
+		this to work. I do not recommend scope IDs.</para>
+	</sect2>
+
+
+	<sect2>
+		<title>Choosing the Protocol Level</title>
+
+		<para>The SMB protocol has many dialects. Currently 
+		Samba supports 5, called CORE, COREPLUS, LANMAN1, 
+		LANMAN2 and NT1.</para>
+
+		<para>You can choose what maximum protocol to support 
+		in the <filename>smb.conf</filename> file. The default is 
+		NT1 and that is the best for the vast majority of sites.</para>
+
+		<para>In older versions of Samba you may have found it 
+		necessary to use COREPLUS. The limitations that led to 
+		this have mostly been fixed. It is now less likely that you 
+		will want to use less than LANMAN1. The only remaining advantage 
+		of COREPLUS is that for some obscure reason WfWg preserves 
+		the case of passwords in this protocol, whereas under LANMAN1, 
+		LANMAN2 or NT1 it uppercases all passwords before sending them,
+		forcing you to use the "password level=" option in some cases.</para>
+
+		<para>The main advantage of LANMAN2 and NT1 is support for 
+		long filenames with some clients (eg: smbclient, Windows NT 
+		or Win95). </para>
+
+		<para>See the smb.conf(5) manual page for more details.</para>
+
+		<para>Note: To support print queue reporting you may find 
+		that you have to use TCP/IP as the default protocol under 
+		WfWg. For some reason if you leave Netbeui as the default 
+		it may break the print queue reporting on some systems. 
+		It is presumably a WfWg bug.</para>
+	</sect2>
+	
+	<sect2>
+		<title>Printing from UNIX to a Client PC</title>
+
+		<para>To use a printer that is available via a smb-based 
+		server from a unix host you will need to compile the 
+		smbclient program. You then need to install the script 
+		"smbprint". Read the instruction in smbprint for more details.
+		</para>
+
+		<para>There is also a SYSV style script that does much 
+		the same thing called smbprint.sysv. It contains instructions.</para>
+	</sect2>
+
+	<sect2>
+		<title>Locking</title>
+
+		<para>One area which sometimes causes trouble is locking.</para>
+
+		<para>There are two types of locking which need to be 
+		performed by a SMB server. The first is "record locking" 
+		which allows a client to lock a range of bytes in a open file. 
+		The second is the "deny modes" that are specified when a file 
+		is open.</para>
+
+		<para>Samba supports "record locking" using the fcntl() unix system
+		call. This is often implemented using rpc calls to a rpc.lockd process
+		running on the system that owns the filesystem. Unfortunately many
+		rpc.lockd implementations are very buggy, particularly when made to
+		talk to versions from other vendors. It is not uncommon for the
+		rpc.lockd to crash.</para>
+
+		<para>There is also a problem translating the 32 bit lock 
+		requests generated by PC clients to 31 bit requests supported 
+		by most unixes. Unfortunately many PC applications (typically 
+		OLE2 applications) use byte ranges with the top bit set 
+		as semaphore sets. Samba attempts translation to support 
+		these types of applications, and the translation has proved 
+		to be quite successful.</para>
+		
+		<para>Strictly a SMB server should check for locks before 
+		every read and write call on a file. Unfortunately with the 
+		way fcntl() works this can be slow and may overstress the 
+		rpc.lockd. It is also almost always unnecessary as clients 
+		are supposed to independently make locking calls before reads 
+		and writes anyway if locking is important to them. By default 
+		Samba only makes locking calls when explicitly asked
+		to by a client, but if you set "strict locking = yes" then it will
+		make lock checking calls on every read and write. </para>
+
+		<para>You can also disable by range locking completely 
+		using "locking = no". This is useful for those shares that 
+		don't support locking or don't need it (such as cdroms). In 
+		this case Samba fakes the return codes of locking calls to 
+		tell clients that everything is OK.</para>
+
+		<para>The second class of locking is the "deny modes". These 
+		are set by an application when it opens a file to determine 
+		what types of access should be allowed simultaneously with 
+		its open. A client may ask for DENY_NONE, DENY_READ, DENY_WRITE 
+		or DENY_ALL. There are also special compatability modes called 
+		DENY_FCB and  DENY_DOS.</para>
+
+		<para>You can disable share modes using "share modes = no". 
+		This may be useful on a heavily loaded server as the share 
+		modes code is very slow. See also the FAST_SHARE_MODES 
+		option in the Makefile for a way to do full share modes 
+		very fast using shared memory (if your OS supports it).</para>
+	</sect2>
+	
+	<sect2>
+		<title>Mapping Usernames</title>
+	
+		<para>If you have different usernames on the PCs and 
+		the unix server then take a look at the "username map" option. 
+		See the smb.conf man page for details.</para>
+	</sect2>
+
+	<sect2>
+		<title>Other Character Sets</title>
+
+		<para>If you have problems using filenames with accented 
+		characters in them (like the German, French or Scandinavian 
+		character sets) then I recommmend you look at the "valid chars" 
+		option in smb.conf and also take a look at the validchars 
+		package in the examples directory.</para>
+	</sect2>
+	
+</sect1>	
+</chapter>
diff --git a/docs/docbook/projdoc/msdfs_setup.sgml b/docs/docbook/projdoc/msdfs_setup.sgml
new file mode 100644
index 0000000000..5853049d79
--- /dev/null
+++ b/docs/docbook/projdoc/msdfs_setup.sgml
@@ -0,0 +1,117 @@
+<chapter>
+
+<chapterinfo>
+	<author>
+		<firstname>Shirish</firstname><surname>Kalele</surname>
+		<affiliation>
+			<orgname>Samba Team & Veritas Software</orgname>
+			<address>
+				<email>samba@samba.org</email>
+			</address>
+		</affiliation>
+	</author>
+	
+		
+	<pubdate>12 Jul 200</pubdate>
+</chapterinfo>
+
+
+<title>Hosting a Microsoft Distributed File System tree on Samba</title>
+
+<sect1>
+
+	<title>Instructions</title>
+
+	<para>The Distributed File System (or Dfs) provides a means of 
+	separating the logical view of files and directories that users 
+	see from the actual physical locations of these resources on the 
+	network. It allows for higher availability, smoother storage expansion, 
+	load balancing etc. For more information about Dfs, refer to  <ulink 
+	url="http://www.microsoft.com/NTServer/nts/downloads/winfeatures/NTSDistrFile/AdminGuide.asp">
+	Microsoft documentation</ulink>. </para>
+
+	<para>This document explains how to host a Dfs tree on a Unix 
+	machine (for Dfs-aware clients to browse) using Samba.</para>
+
+	<para>To enable SMB-based DFS for Samba, configure it with the 
+	<parameter>--with-msdfs</parameter> option. Once built, a 
+	Samba server can be made a Dfs server by setting the global 
+	boolean <ulink url="smb.conf.5.html#HOSTMSDFS"><parameter>
+	host msdfs</parameter></ulink> parameter in the <filename>smb.conf
+	</filename> file. You designate a share as a Dfs root using the share 
+	level boolean <ulink url="smb.conf.5.html#MSDFSROOT"><parameter>
+	msdfs root</parameter></ulink> parameter. A Dfs root directory on 
+	Samba hosts Dfs links in the form of symbolic links that point 
+	to other servers. For example, a symbolic link
+	<filename>junction-&gt;msdfs:storage1\share1</filename> in 
+	the share directory acts as the Dfs junction. When Dfs-aware 
+	clients attempt to access the junction link, they are redirected 
+	to the storage location (in this case, \\storage1\share1).</para>
+
+	<para>Dfs trees on Samba work with all Dfs-aware clients ranging 
+	from Windows 95 to 2000.</para>
+	
+	<para>Here's an example of setting up a Dfs tree on a Samba 
+	server.</para>
+
+	<para><programlisting>
+# The smb.conf file:
+[global]
+	netbios name = SAMBA
+	host msdfs   = yes
+
+[dfs]
+	path = /export/dfsroot
+	msdfs root = yes
+	</programlisting></para>
+
+
+	<para>In the /export/dfsroot directory we set up our dfs links to 
+	other servers on the network.</para>
+
+	<para><prompt>root# </prompt><userinput>cd /export/dfsroot</userinput></para>
+	<para><prompt>root# </prompt><userinput>chown root /export/dfsroot</userinput></para>
+	<para><prompt>root# </prompt><userinput>chmod 755 /export/dfsroot</userinput></para>
+	<para><prompt>root# </prompt><userinput>ln -s msdfs:storageA\\shareA linka</userinput></para>
+	<para><prompt>root# </prompt><userinput>ln -s msdfs:serverB\\share,serverC\\share linkb</userinput></para>
+
+
+	<para>You should set up the permissions and ownership of 
+	the directory acting as the Dfs root such that only designated 
+	users can create, delete or modify the msdfs links. Also note 
+	that symlink names should be all lowercase. This limitation exists 
+	to have Samba avoid trying all the case combinations to get at 
+	the link name. Finally set up the symbolic links to point to the 
+	network shares you want, and start Samba.</para>
+
+	<para>Users on Dfs-aware clients can now browse the Dfs tree 
+	on the Samba server at \\samba\dfs. Accessing 
+	links linka or linkb (which appear as directories to the client) 
+	takes users directly to the appropriate shares on the network.</para>
+
+	<sect2>
+		<title>Notes</title>
+
+		<itemizedlist>
+			<listitem><para>Windows clients need to be rebooted 
+			if a previously mounted non-dfs share is made a dfs 
+			root or vice versa. A better way is to introduce a 
+			new share and make it the dfs root.</para>
+			</listitem>
+			
+			<listitem><para>Currently there's a restriction that msdfs 
+			symlink names should all be lowercase.</para>
+			</listitem>
+			
+			<listitem><para>For security purposes, the directory 
+			acting as the root of the Dfs tree should have ownership 
+			and permissions set so that only designated users can 
+			modify the symbolic links in the directory.</para>
+			</listitem>
+		</itemizedlist>
+	</sect2>
+</sect1>
+
+
+	
+</chapter>
diff --git a/docs/docbook/projdoc/printer_driver2.sgml b/docs/docbook/projdoc/printer_driver2.sgml
new file mode 100644
index 0000000000..7f0aebc45f
--- /dev/null
+++ b/docs/docbook/projdoc/printer_driver2.sgml
@@ -0,0 +1,555 @@
+<chapter>
+
+
+<chapterinfo>
+	<author>
+		<firstname>Gerald (Jerry)</firstname><surname>Carter</surname>
+		<affiliation>
+			<orgname>Samba Team</orgname>
+			<address>
+				<email>jerry@samba.org</email>
+			</address>
+		</affiliation>
+	</author>
+	
+		
+	<pubdate> (20 Apr 2001) </pubdate>
+</chapterinfo>
+
+<title>Printing Support in Samba 2.2.x</title>
+
+<sect1>
+<title>Introduction</title>
+	
+<para>Beginning with the 2.2.0 release, Samba supports 
+the native Windows NT printing mechanisms implemented via 
+MS-RPC (i.e. the SPOOLSS named pipe).  Previous versions of 
+Samba only supported LanMan printing calls.</para>
+
+<para>The additional functionality provided by the new 
+SPOOLSS support includes:</para>
+	
+<itemizedlist>
+	<listitem><para>Support for downloading printer driver 
+	files to Windows 95/98/NT/2000 clients upon demand.
+	</para></listitem>
+	
+	<listitem><para>Uploading of printer drivers via the 
+	Windows NT Add Printer Wizard (APW) or the 
+	Imprints tool set (refer to <ulink 
+	url="http://imprints.sourceforge.net">http://imprints.sourceforge.net</ulink>). 
+	</para></listitem>
+		
+	<listitem><para>Support for the native MS-RPC printing 
+	calls such as StartDocPrinter, EnumJobs(), etc...  (See 
+	the MSDN documentation at <ulink 
+	url="http://msdn.microsoft.com/">http://msdn.microsoft.com/</ulink> 
+	for more information on the Win32 printing API)
+	</para></listitem>
+		
+	<listitem><para>Support for NT Access Control Lists (ACL) 
+	on printer objects</para></listitem>
+	
+	<listitem><para>Improved support for printer queue manipulation 
+	through the use of an internal databases for spooled job 
+	information</para></listitem>
+</itemizedlist>
+
+</sect1>
+
+
+<sect1>
+<title>Configuration</title>
+
+<para>
+<emphasis>WARNING!!!</emphasis> Previous versions of Samba 
+recommended using a share named [printer$].  This name was taken from the 
+printer$ service created by Windows 9x clients when a 
+printer was shared.  Windows 9x printer servers always have 
+a printer$ service which provides read-only access via no 
+password in order to support printer driver downloads.
+</para>
+	
+<para>
+However, the initial implementation allowed for a 
+parameter named <parameter>printer driver location</parameter> 
+to be used on a per share basis to specify the location of 
+the driver files associated with that printer.  Another 
+parameter named <parameter>printer driver</parameter> provided 
+a means of defining the printer driver name to be sent to 
+the client.
+</para>
+ 
+<para>
+These parameters, including <parameter>printer driver 
+file</parameter> parameter, are being depreciated and should not 
+be used in new installations.  For more information on this change, 
+you should refer to the <link linkend="MIGRATION">Migration section 
+</link>of this document.
+</para>
+
+
+<sect2>
+<title>Creating [print$]</title>	
+
+<para>
+In order to support the uploading of printer driver 
+files, you must first configure a file share named [print$].  
+The name of this share is hard coded in Samba's internals so 
+the name is very important (print$ is the service used by 
+Windows NT print servers to provide support for printer driver 
+download).
+</para>
+
+<para>You should modify the server's smb.conf file to create the 
+following file share (of course, some of the parameter values,
+such as 'path' are arbitrary and should be replaced with
+appropriate values for your site):</para>
+
+<para><programlisting>
+[print$]
+    path = /usr/local/samba/printers
+    guest ok = yes
+    browseable = yes
+    read only = yes
+    write list = ntadmin
+</programlisting></para>
+	
+<para>The <ulink url="smb.conf.5.html#WRITELIST"><parameter>
+write list</parameter></ulink> is used to allow administrative 
+level user accounts to have write access in order to update files 
+on the share.  See the <ulink url="smb./conf.5.html">
+smb.conf(5) man page</ulink> for more information on 
+configuring file shares.</para>
+	
+<para>The requirement for <ulink url="smb.conf.5.html#GUESTOK"><command>
+guest ok = yes</command></ulink> depends upon how your
+site is configured.  If users will be guaranteed to have 
+an account on the Samba host, then this is a non-issue.</para>
+
+<note>	
+<title>Author's Note</title>
+
+<para>
+The non-issue is that if all your Windows NT users are guaranteed to be 
+authenticated by the Samba server (such as a domain member server and the NT 
+user has already been validated by the Domain Controller in 
+order to logon to the Windows NT console), then guest access 
+is not necessary.  Of course, in a workgroup environment where 
+you just want to be able to print without worrying about 
+silly accounts and security, then configure the share for 
+guest access.  You'll probably want to add <ulink 
+url="smb.conf.5.html#MAPTOGUEST"><command>map to guest = Bad User
+</command></ulink> in the [global] section as well.  Make sure 
+you understand what this parameter does before using it 
+though. --jerry
+</para>
+</note>
+
+<para>In order for a Windows NT print server to support 
+the downloading of driver files by multiple client architectures,
+it must create subdirectories within the [print$] service
+which correspond to each of the supported client architectures.
+Samba follows this model as well.</para>
+
+<para>Next create the directory tree below the [print$] share 
+for each architecture you wish to support.</para>
+
+<para><programlisting>
+[print$]-----
+        |-W32X86           ; "Windows NT x86"
+        |-WIN40            ; "Windows 95/98"
+        |-W32ALPHA         ; "Windows NT Alpha_AXP"
+        |-W32MIPS          ; "Windows NT R4000"
+        |-W32PPC           ; "Windows NT PowerPC"
+</programlisting></para>
+
+<warning>
+	<title>ATTENTION!  REQUIRED PERMISSIONS</title>
+	
+	<para>In order to currently add a new driver to you Samba host, 
+	one of two conditions must hold true:</para>
+		
+	<itemizedlist>
+		<listitem><para>The account used to connect to the Samba host 
+		must have a uid of 0 (i.e. a root account)</para></listitem>
+		
+		<listitem><para>The account used to connect to the Samba host
+		must be a member of the <ulink 
+		url="smb.conf.5.html#PRINTERADMIN"><parameter>printer 
+		admin</parameter></ulink> list.</para></listitem>
+	</itemizedlist>
+
+	<para>Of course, the connected account must still possess access
+	to add files to the subdirectories beneath [print$].</para>
+</warning>
+
+
+<para>Once you have created the required [print$] service and 
+associated subdirectories, simply log onto the Samba server using 
+a root (or <parameter>printer admin</parameter>) account
+from a Windows NT 4.0 client.  Navigate to the "Printers" folder
+on the Samba server.  You should see an initial listing of printers
+that matches the printer shares defined on your Samba host.
+</para>
+</sect2>
+
+<sect2>
+<title>Setting Drivers for Existing Printers</title>
+
+<para>The initial listing of printers in the Samba host's 
+Printers folder will have no printer driver assigned to them.  
+The way assign a driver to a printer is to view the Properties 
+of the printer and either</para>
+	
+<itemizedlist>
+	<listitem><para>Use the "New Driver..." button to install 
+	a new printer driver, or</para></listitem>
+	
+	<listitem><para>Select a driver from the popup list of 
+	installed drivers.  Initially this list will be empty.</para>
+	</listitem>
+</itemizedlist>
+	
+<para>If you wish to install printer drivers for client 
+operating systems other than "Windows NT x86", you will need 
+to use the "Sharing" tab of the printer properties dialog.</para>
+
+<para>Assuming you have connected with a root account, you 
+will also be able modify other printer properties such as 
+ACLs and device settings using this dialog box.</para>
+
+<para>A few closing comments for this section, it is possible 
+on a Windows NT print server to have printers
+listed in the Printers folder which are not shared.  Samba does
+not make this distinction.  By definition, the only printers of
+which Samba is aware are those which are specified as shares in
+<filename>smb.conf</filename>.</para>
+  
+<para>Another interesting side note is that Windows NT clients do
+not use the SMB printer share, but rather can print directly 
+to any printer on another Windows NT host using MS-RPC.  This
+of course assumes that the printing client has the necessary
+privileges on the remote host serving the printer.  The default
+permissions assigned by Windows NT to a printer gives the "Print"
+permissions to the "Everyone" well-known group.
+</para>
+
+</sect2>	
+
+
+<sect2>
+<title>Support a large number of printers</title>
+		
+<para>One issue that has arisen during the development
+phase of Samba 2.2 is the need to support driver downloads for
+100's of printers.  Using the Windows NT APW is somewhat 
+awkward to say the list.  If more than one printer are using the 
+same driver, the <ulink url="rpcclient.1.html"><command>rpcclient's
+setdriver command</command></ulink> can be used to set the driver
+associated with an installed driver.  The following is example
+of how this could be accomplished:</para>
+		
+<para><programlisting> 
+<prompt>$ </prompt>rpcclient pogo -U root%secret -c "enumdrivers"
+Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3]
+ 
+[Windows NT x86]
+Printer Driver Info 1:
+     Driver Name: [HP LaserJet 4000 Series PS]
+ 
+Printer Driver Info 1:
+     Driver Name: [HP LaserJet 2100 Series PS]
+ 
+Printer Driver Info 1:
+     Driver Name: [HP LaserJet 4Si/4SiMX PS]
+				  
+<prompt>$ </prompt>rpcclient pogo -U root%secret -c "enumprinters"
+Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3]
+     flags:[0x800000]
+     name:[\\POGO\hp-print]
+     description:[POGO\\POGO\hp-print,NO DRIVER AVAILABLE FOR THIS PRINTER,]
+     comment:[]
+				  
+<prompt>$ </prompt>rpcclient pogo -U root%bleaK.er \
+<prompt>&gt; </prompt> -c "setdriver hp-print \"HP LaserJet 4000 Series PS\""
+Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3]
+Successfully set hp-print to driver HP LaserJet 4000 Series PS.
+</programlisting></para>
+</sect2>
+
+
+
+<sect2>
+<title>Adding New Printers via the Windows NT APW</title>
+	
+<para>
+By default, Samba offers all printer shares defined in <filename>smb.conf</filename>
+in the "Printers..." folder.  Also existing in this folder is the Windows NT 
+Add Printer Wizard icon.  The APW will be show only if
+</para>
+
+<itemizedlist>
+	<listitem><para>The connected user is able to successfully
+	execute an OpenPrinterEx(\\server) with administrative
+	priviledges (i.e. root or <parameter>printer admin</parameter>.
+	</para></listitem>
+	
+	<listitem><para><ulink url="smb.conf.5.html#SHOWADDPRINTERWIZARD"><parameter>show 
+	add printer wizard = yes</parameter></ulink> (the default).
+	</para></listitem>
+</itemizedlist>
+
+<para>
+In order to be able to use the APW to successfully add a printer to a Samba 
+server, the <ulink url="smb.conf.5.html#ADDPRINTERCOMMAND"><parameter>addprinter 
+command</parameter></ulink> must have a defined value.  The program
+hook must successfully add the printer to the system (i.e. 
+<filename>/etc/printcap</filename> or appropriate files) and 
+<filename>smb.conf</filename> if necessary.
+</para>
+
+<para>
+When using the APW from a client, if the named printer share does 
+not exist, <command>smbd</command> will execute the <parameter>add printer 
+program</parameter> and reparse to the <filename>smb.conf</filename>
+to attempt to locate the new printer share.  If the share is still not defined,
+an error of "Access Denied" is returned to the client.  Note that the 
+<parameter>add printer program</parameter> is executed undet the context
+of the connected user, not necessarily a root account.
+</para>
+
+<para>
+There is a complementing <ulink url="smb.conf.5.html#DELETEPRINTERCOMMAND"><parameter>deleteprinter 
+command</parameter></ulink> for removing entries from the "Printers..."
+folder.
+</para>
+
+</sect2>
+
+
+<sect2>
+<title>Samba and Printer Ports</title>
+
+<para>
+Windows NT/2000 print servers associate a port with each printer.  These normally
+take the form of LPT1:, COM1:, FILE:, etc...  Samba must also support the
+concept of ports associated with a printer.  By default, only one printer port,
+named "Samba Printer Port", exists on a system.  Samba does not really a port in
+order to print, rather it is a requirement of Windows clients.  
+</para>
+
+<para>
+Note that Samba does not support the concept of "Printer Pooling" internally 
+either.  This is when a logical printer is assigned to multiple ports as 
+a form of load balancing or fail over.
+</para>
+
+<para>
+If you require that multiple ports be defined for some reason,
+<filename>smb.conf</filename> possesses a <ulink 
+url="smb.conf.5.html#ENUMPORTSCOMMAND"><parameter>enumports 
+command</parameter></ulink> which can be used to define an external program 
+that generates a listing of ports on a system.
+</para>
+
+</sect2>
+
+</sect1>
+
+
+<sect1>
+	<title>The Imprints Toolset</title>
+	
+	<para>The Imprints tool set provides a UNIX equivalent of the 
+	Windows NT Add Printer Wizard.  For complete information, please 
+	refer to the Imprints web site at <ulink url="http://imprints.sourceforge.net/">
+	http://imprints.sourceforge.net/</ulink> as well as the documentation 
+	included with the imprints source distribution.  This section will 
+	only provide a brief introduction to the features of Imprints.</para>
+	
+	
+	<sect2>
+		<title>What is Imprints?</title>
+
+		<para>Imprints is a collection of tools for supporting the goals 
+		of</para>
+		
+		<itemizedlist>
+			<listitem><para>Providing a central repository information 
+			regarding Windows NT and 95/98 printer driver packages</para>
+			</listitem>
+			
+			<listitem><para>Providing the tools necessary for creating 
+			the Imprints printer driver packages.</para></listitem>
+			
+			<listitem><para>Providing an installation client which 
+			will obtain and install printer drivers on remote Samba 
+			and Windows NT 4 print servers.</para></listitem>
+		</itemizedlist>
+		
+	</sect2>
+	
+	
+	<sect2>
+		<title>Creating Printer Driver Packages</title>
+		
+		<para>The process of creating printer driver packages is beyond
+		the scope of this document (refer to Imprints.txt also included
+		with the Samba distribution for more information).  In short,
+		an Imprints driver package is a gzipped tarball containing the
+		driver files, related INF files, and a control file needed by the
+		installation client.</para>
+	</sect2>
+	
+	
+	<sect2>
+		<title>The Imprints server</title>
+		
+		<para>The Imprints server is really a database server that 
+		may be queried via standard HTTP mechanisms.  Each printer 
+		entry in the database has an associated URL for the actual
+		downloading of the package.  Each package is digitally signed
+		via GnuPG which can be used to verify that package downloaded
+		is actually the one referred in the Imprints database.  It is 
+		<emphasis>not</emphasis> recommended that this security check 
+		be disabled.</para>
+	</sect2>
+	
+	<sect2>
+		<title>The Installation Client</title>
+
+		<para>More information regarding the Imprints installation client 
+		is available in the <filename>Imprints-Client-HOWTO.ps</filename> 
+		file included with the imprints source package.</para>
+
+		<para>The Imprints installation client comes in two forms.</para>
+
+		<itemizedlist>
+			<listitem><para>a set of command line Perl scripts</para>
+			</listitem>
+			
+			<listitem><para>a GTK+ based graphical interface to 
+			the command line perl scripts</para></listitem>
+		</itemizedlist>
+		
+		<para>The installation client (in both forms) provides a means
+		of querying the Imprints database server for a matching
+		list of known printer model names as well as a means to 
+		download and install the drivers on remote Samba and Windows
+		NT print servers.</para>
+
+		<para>The basic installation process is in four steps and 
+		perl code is wrapped around <command>smbclient</command> 
+		and <command>rpcclient</command>.</para>
+
+<para><programlisting>	
+foreach (supported architecture for a given driver)
+{
+     1.  rpcclient: Get the appropriate upload directory 
+         on the remote server
+     2.  smbclient: Upload the driver files
+     3.  rpcclient: Issues an AddPrinterDriver() MS-RPC
+}
+	
+4.  rpcclient: Issue an AddPrinterEx() MS-RPC to actually
+    create the printer
+</programlisting></para>
+		
+		<para>One of the problems encountered when implementing 
+		the Imprints tool set was the name space issues between 
+		various supported client architectures.  For example, Windows 
+		NT includes a driver named "Apple LaserWriter II NTX v51.8" 
+		and Windows 95 callsits version of this driver "Apple 
+		LaserWriter II NTX"</para>
+		
+		<para>The problem is how to know what client drivers have 
+		been uploaded for a printer.  As astute reader will remember 
+		that the Windows NT Printer Properties dialog only includes 
+		space for one printer driver name.  A quick look in the 
+		Windows NT 4.0 system registry at</para>
+	
+		<para><filename>HKLM\System\CurrentControlSet\Control\Print\Environment
+		</filename></para>
+		
+		<para>will reveal that Windows NT always uses the NT driver 
+		name.  The is ok as Windows NT always requires that at least 
+		the Windows NT version of the printer driver is present.  
+		However, Samba does not have the requirement internally.  
+		Therefore, how can you use the NT driver name if is has not 
+		already been installed?</para>
+		
+		<para>The way of sidestepping this limitation is to require 
+		that all Imprints printer driver packages include both the Intel 
+		Windows NT and 95/98 printer drivers and that NT driver is 
+		installed first.</para>
+	</sect2>
+	
+</sect1>
+
+
+<sect1>
+	<title><anchor id="MIGRATION">Migration to from Samba 2.0.x to 
+	2.2.x</title>
+	
+	<para>Given that printer driver management has changed
+	(we hope improved :) ) in 2.2.0 over prior releases,
+	migration from an existing setup to 2.2.0 can follow
+	several paths.</para>
+	
+	<warning>
+		<title>Achtung!</title>
+		<para>The following smb.conf parameters are considered to be
+		depreciated and will be removed soon.  Do not use them
+		in new installations</para>
+		
+		<itemizedlist>
+			<listitem><para><parameter>printer driver file (G)</parameter>
+			</para></listitem>
+			
+			<listitem><para><parameter>printer driver (S)</parameter>
+			</para></listitem>
+			
+			<listitem><para><parameter>printer driver location (S)</parameter>
+			</para></listitem>
+		</itemizedlist>
+	</warning>
+
+
+	<para>Here are the possible scenarios for supporting migration:</para>
+	
+	<itemizedlist>
+		<listitem><para>If you do not desire the new Windows NT 
+		print driver support, nothing needs to be done.  
+		All existing parameters work the same.</para></listitem>
+
+		<listitem><para>If you want to take advantage of NT printer 
+		driver support but do not want to migrate the 
+		9x drivers to the new setup, the leave the existing 
+		printers.def file.  When smbd attempts to locate a 
+		9x driver for the printer in the TDB and fails it 
+		will drop down to using the printers.def (and all 
+		associated parameters).  The <command>make_printerdef</command> 
+		tool will also remain for backwards compatibility but will 
+		be moved to the "this tool is the old way of doing it" 
+		pile.</para></listitem>
+
+		<listitem><para>If you install a Windows 9x driver for a printer 
+		on your Samba host (in the printing TDB), this information will 
+		take precedence and the three old printing parameters
+		will be ignored (including print driver location).</para></listitem>
+
+		<listitem><para>If you want to migrate an existing <filename>printers.def</filename> 
+		file into the new setup, the current only 
+		solution is to use the Windows NT APW to install the NT drivers 
+		and the 9x  drivers.  This can be scripted using <command>smbclient</command> 
+		and <command>rpcclient</command>.  See the 
+		Imprints installation client at <ulink 
+		url="http://imprints.sourceforge.net/">http://imprints.sourceforge.net/</ulink> 
+		for an example.
+		</para></listitem>
+	</itemizedlist>
+
+</sect1>
+
+</chapter>
diff --git a/docs/docbook/projdoc/samba-doc.sgml b/docs/docbook/projdoc/samba-doc.sgml
index 08499115be..b055477db7 100644
--- a/docs/docbook/projdoc/samba-doc.sgml
+++ b/docs/docbook/projdoc/samba-doc.sgml
@@ -1,5 +1,13 @@
 <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook V4.1//EN" [
-<!ENTITY Chapter1 SYSTEM "chapter1.sgml">
+<!ENTITY UNIX-INSTALL SYSTEM "UNIX_INSTALL.sgml">
+<!ENTITY ENCRYPTION SYSTEM "ENCRYPTION.sgml">
+<!ENTITY MS-Dfs-Setup SYSTEM "msdfs_setup.sgml">
+<!ENTITY PRINTER-DRIVER2 SYSTEM "printer_driver2.sgml">
+<!ENTITY DOMAIN-MEMBER SYSTEM "DOMAIN_MEMBER.sgml">
+<!ENTITY WINBIND SYSTEM "winbind.sgml">
+<!ENTITY NT-Security SYSTEM "NT_Security.sgml">
+<!ENTITY OS2-Client SYSTEM "OS2-Client-HOWTO.sgml">
+<!ENTITY Samba-PDC-HOWTO SYSTEM "Samba-PDC-HOWTO.sgml">
 ]>
 
 <book id="Samba-Project-Documentation">
@@ -10,13 +18,36 @@
 	<author>
 		<surname>SAMBA Team</surname>
 	</author>
-	<address><email>samba&commat;samba.org</email></address>
+	<address><email>samba@samba.org</email></address>
 	<pubdate>$rcsId</pubdate>
 </bookinfo>
 
-<toc></toc>
+<dedication>
+<title>Abstract</title>
 
+<para>
+This book is a collection of HOWTOs added to Samba documentation over the year.
+I try to ensure that all are current, but sometimes the is a larger job
+than one person can maintain.  You can always find the later version of this
+PDF file at <ulink url="http://www.samba.org/">http://www.samba.org/</ulink>
+on the "Documentation" page.  Please send updates to <ulink 
+url="mailto:jerry@samba.org">jerry@samba.org</ulink>.
+</para>
 
-&Chapter1;
+<para>
+Cheers, jerry
+</para>
+
+</dedication>
+
+&UNIX-INSTALL;
+&ENCRYPTION;
+&MS-Dfs-Setup;
+&PRINTER-DRIVER2;
+&DOMAIN-MEMBER;
+&Samba-PDC-HOWTO;
+&WINBIND;
+&NT-Security;
+&OS2-Client;
 
 </book>
diff --git a/docs/docbook/projdoc/winbind.sgml b/docs/docbook/projdoc/winbind.sgml
new file mode 100644
index 0000000000..8a380c206d
--- /dev/null
+++ b/docs/docbook/projdoc/winbind.sgml
@@ -0,0 +1,372 @@
+<chapter>
+
+
+<chapterinfo>
+	<author>
+		<firstname>Tim</firstname><surname>Potter</surname>
+		<affiliation>
+			<orgname>Samba Team</orgname>
+			<address><email>tpot@linuxcare.com.au</email></address>
+		</affiliation>
+	</author>
+	<author>
+		<firstname>Andrew</firstname><surname>Trigdell</surname>
+		<affiliation>
+			<orgname>Samba Team</orgname>
+			<address><email>tridge@linuxcare.com.au</email></address>
+		</affiliation>
+	</author>
+	
+		
+	<pubdate>16 Oct 2000</pubdate>
+</chapterinfo>
+
+<title>Unifed Logons between Windows NT and UNIX using Winbind</title>
+
+<sect1>
+	<title>Abstract</title>
+
+	<para>Integration of UNIX and Microsoft Windows NT through 
+	a unified logon has been considered a "holy grail" in heterogeneous 
+	computing environments for a long time. We present <emphasis>winbind
+	</emphasis>, a component of the Samba suite of programs as a 
+	solution to the unied logon problem. Winbind uses a UNIX implementation 
+	of Microsoft RPC calls, Pluggable Authentication Modules, and the Name 
+	Service Switch to allow Windows NT domain users to appear and operate 
+	as UNIX users on a UNIX machine. This paper describes the winbind 
+	system, explaining the functionality it provides, how it is configured, 
+	and how it works internally.</para>
+</sect1>
+
+
+<sect1>
+	<title>Introduction</title>
+	
+	<para>It is well known that UNIX and Microsoft Windows NT have 
+	different models for representing user and group information and 
+	use different technologies for implementing them. This fact has 
+	made it difficult to integrate the two systems in a satisfactory 
+	manner.</para>
+	
+	<para>One common solution in use today has been to create 
+	identically named user accounts on both the UNIX and Windows systems 
+	and use the Samba suite of programs to provide file and print services 
+	between the two. This solution is far from perfect however, as 
+	adding and deleting users on both sets of machines becomes a chore 
+	and two sets of passwords are required both of which which
+	can lead to synchronization problems between the UNIX and Windows 
+	systems and confusion for users.</para>
+	
+	<para>We divide the unifed logon problem for UNIX machines into 
+	three smaller problems:</para>
+	
+	<itemizedlist>
+		<listitem><para>Obtaining Windows NT user and group information
+		</para></listitem>
+		
+		<listitem><para>Authenticating Windows NT users
+		</para></listitem>
+		
+		<listitem><para>Password changing for Windows NT users
+		</para></listitem>
+	</itemizedlist>
+
+
+	<para>Ideally, a prospective solution to the unified logon problem 
+	would satisfy all the above components without duplication of 
+	information on the UNIX machines and without creating additional 
+	tasks for the system administrator when maintaining users and 
+	groups on either system. The winbind system provides a simple 
+	and elegant solution to all three components of the unifed logon 
+	problem.</para>
+</sect1>
+
+
+<sect1>
+	<title>What Winbind Provides</title>
+
+	<para>Winbind unifies UNIX and Windows NT account management by 
+	allowing a UNIX box to become a full member of a NT domain. Once 
+	this is done the UNIX box will see NT users and groups as if 
+	they were native UNIX users and groups, allowing the NT domain 
+	to be used in much the same manner that NIS+ is used within 
+	UNIX-only environments.</para>
+	
+	<para>The end result is that whenever any 
+	program on the UNIX machine asks the operating system to lookup 
+	a user or group name, the query will be resolved by asking the 
+	NT domain controller for the specied domain to do the lookup.
+	Because Winbind hooks into the operating system at a low level 
+	(via the NSS name resolution modules in the C library) this 
+	redirection to the NT domain controller is completely 
+	transparent.</para>
+	
+	<para>Users on the UNIX machine can then use NT user and group 
+	names as they would use "native" UNIX names. They can chown files 
+	so that they are owned by NT domain users or even login to the 
+	UNIX machine and run a UNIX X-Window session as a domain user.</para>
+	
+	<para>The only obvious indication that Winbind is being used is 
+	that user and group names take the form DOMAIN\user and 
+	DOMAIN\group. This is necessary as it allows Winbind to determine 
+	that redirection to a domain controller is wanted for a particular 
+	lookup and which trusted domain is being referenced.</para>
+	
+	<para>Additionally, Winbind provides a authentication service 
+	that hooks into the Pluggable Authentication Modules (PAM) system 
+	to provide authentication via a NT domain to any PAM enabled 
+	applications. This capability solves the problem of synchronizing 
+	passwords between systems as all passwords are stored in a single 
+	location (on the domain controller).</para>
+	
+	<sect2>
+		<title>Target Uses</title>
+		
+		<para>Winbind is targeted at organizations that have an 
+		existing NT based domain infrastructure into which they wish 
+		to put UNIX workstations or servers. Winbind will allow these 
+		organizations to deploy UNIX workstations without having to 
+		maintain a separate account infrastructure. This greatly simplies 
+		the administrative overhead of deploying UNIX workstations into 
+		a NT based organization.</para>
+		
+		<para>Another interesting way in which we expect Winbind to 
+		be used is as a central part of UNIX based appliances. Appliances 
+		that provide file and print services to Microsoft based networks 
+		will be able to use Winbind to provide seamless integration of 
+		the appliance into the domain.</para>
+	</sect2>
+</sect1>
+
+
+
+<sect1>
+	<title>How Winbind Works</title>
+	
+	<para>The winbind system is designed around a client/server 
+	architecture. A long running <command>winbindd</command> daemon 
+	listens on a UNIX domain socket waiting for requests
+	to arrive. These requests are generated by the NSS and PAM 
+	clients and processed sequentially.</para>
+	
+	<para>The technologies used to implement winbind are described 
+	in detail below.</para>
+	
+	<sect2>
+		<title>Microsoft Remote Procedure Calls</title>
+		
+		<para>Over the last two years, efforts have been underway 
+		by various Samba Team members to decode various aspects of 
+		the Microsoft Remote Procedure Call (MSRPC) system. This 
+		system is used for most network related operations between 
+		Windows NT machines including remote management, user authentication
+		and print spooling. Although initially this work was done 
+		to aid the implementation of Primary Domain Controller (PDC) 
+		functionality in Samba, it has also yielded a body of code which 
+		can be used for other purposes.</para>
+		
+		<para>Winbind uses various MSRPC calls to enumerate domain users 
+		and groups and to obtain detailed information about individual 
+		users or groups. Other MSRPC calls can be used to authenticate 
+		NT domain users and to change user passwords. By directly querying 
+		a Windows PDC for user and group information, winbind maps the 
+		NT account information onto UNIX user and group names.</para>
+	</sect2>
+	
+	<sect2>
+		<title>Name Service Switch</title>
+		
+		<para>The Name Service Switch, or NSS, is a feature that is 
+		present in many UNIX operating systems. It allows system 
+		information such as hostnames, mail aliases and user information 
+		to be resolved from dierent sources. For example, a standalone 
+		UNIX workstation may resolve system information from a series of 
+		flat files stored on the local lesystem. A networked workstation 
+		may first attempt to resolve system information from local files, 
+		then consult a NIS database for user information or a DNS server 
+		for hostname information.</para>
+		
+		<para>The NSS application programming interface allows winbind 
+		to present itself as a source of system information when 
+		resolving UNIX usernames and groups.  Winbind uses this interface, 
+		and information obtained from a Windows NT server using MSRPC 
+		calls to provide a new source of account enumeration.  Using standard 
+		UNIX library calls, one can enumerate the users and groups on
+		a UNIX machine running winbind and see all users and groups in 
+		a NT domain plus any trusted domain as though they were local 
+		users and groups.</para>
+		
+		<para>The primary control le for NSS is <filename>/etc/nsswitch.conf
+		</filename>. When a UNIX application makes a request to do a lookup 
+		the C library looks in <filename>/etc/nsswitch.conf</filename> 
+		for a line which matches the service type being requested, for 
+		example the "passwd" service type is used when user or group names 
+		are looked up. This	config line species which implementations 
+		of that service should be tried andin what order. If the passwd 
+		config line is:</para>
+
+		<para><command>passwd: files example</command></para>
+
+		<para>then the C library will first load a module called 
+		<filename>/lib/libnss_files.so</filename> followed by
+		the module <filename>/lib/libnss_example.so</filename>. The 
+		C library will dynamically load each of these modules in turn 
+		and call resolver functions within the modules to try to resolve 
+		the request. Once the request is resolved the C library returns the
+		result to the application.</para>
+		
+		<para>This NSS interface provides a very easy way for Winbind 
+		to hook into the operating system. All that needs to be done 
+		is to put <filename>libnss_winbind.so</filename> in <filename>/lib/</filename> 
+		then add "winbind" into <filename>/etc/nsswitch.conf</filename> at 
+		the appropriate place. The C library will then call Winbind to 
+		resolve user and group names.</para>
+	</sect2>
+	
+	<sect2>
+		<title>Pluggable Authentication Modules</title>
+		
+		<para>Pluggable Authentication Modules, also known as PAM, 
+		is a system for abstracting authentication and authorization 
+		technologies. With a PAM module it is possible to specify different 
+		authentication methods for dierent system applications without 
+		having to recompile these applications. PAM is also useful
+		for implementing a particular policy for authorization. For example, 
+		a system administrator may only allow console logins from users 
+		stored in the local password file but only allow users resolved from 
+		a NIS database to log in over the network.</para>
+		
+		<para>Winbind uses the authentication management and password 
+		management PAM interface to integrate Windows NT users into a 
+		UNIX system. This allows Windows NT users to log in to a UNIX 
+		machine and be authenticated against a suitable Primary Domain 
+		Controller. These users can also change their passwords and have 
+		this change take eect directly on the Primary Domain Controller.
+		</para>
+		
+		<para>PAM is congured by providing control files in the directory 
+		<filename>/etc/pam.d/</filename> for each of the services that 
+		require authentication. When an authentication request is made 
+		by an application the PAM code in the C library looks up this
+		control file to determine what modules to load to do the 
+		authentication check and in what order. This interface makes adding 
+		a new authentication service for Winbind very easy, all that needs 
+		to be done is that the <filename>pam_winbind.so</filename> module 
+		is copied to <filename>/lib/security/</filename> and the pam 
+		control files for relevant services are updated to allow 
+		authentication via winbind. See the PAM documentation
+		for more details.</para>
+	</sect2>
+	
+	
+	<sect2>
+		<title>User and Group ID Allocation</title>
+		
+		<para>When a user or group is created under Windows NT 
+		is it allocated a numerical relative identier (RID). This is 
+		slightly dierent to UNIX which has a range of numbers which are 
+		used to identify users, and the same range in which to identify 
+		groups. It is winbind's job to convert RIDs to UNIX id numbers and
+		vice versa.  When winbind is congured it is given part of the UNIX 
+		user id space and a part of the UNIX group id space in which to 
+		store Windows NT users and groups. If a Windows NT user is 
+		resolved for the first time, it is allocated the next UNIX id from 
+		the range. The same process applies for Windows NT groups. Over 
+		time, winbind will have mapped all Windows NT users and groups
+		to UNIX user ids and group ids.</para>
+
+		<para>The results of this mapping are stored persistently in 
+		a ID mapping database held in a tdb database). This ensures that 
+		RIDs are mapped to UNIX IDs in a consistent way.</para>
+	</sect2>
+	
+	
+	<sect2>
+		<title>Result Caching</title>
+
+		<para>An active system can generate a lot of user and group 
+		name lookups. To reduce the network cost of these lookups winbind 
+		uses a caching scheme based on the SAM sequence number supplied 
+		by NT domain controllers.  User or group information returned 
+		by a PDC is cached by winbind along with a sequence number also 
+		returned by the PDC. This sequence number is incremented by 
+		Windows NT whenever any user or group information is modied. If 
+		a cached entry has expired, the sequence number is requested from 
+		the PDC and compared against the sequence number of the cached entry. 
+		If the sequence numbers do not match, then the cached information 
+		is discarded and up to date information is requested directly 
+		from the PDC.</para>
+	</sect2>
+</sect1>
+
+
+<sect1>
+	<title>Installation and Configuration</title>
+
+	<para>The easiest way to install winbind is by using the packages 
+	provided in the <filename>pub/samba/appliance/</filename> 
+	directory on your nearest 
+	Samba mirror. These packages provide snapshots of the Samba source 
+	code and binaries already setup to provide the full functionality 
+	of winbind. This setup is a little more complex than a normal Samba 
+	build as winbind needs a small amount of functionality from a 
+	development code branch called SAMBA_TNG.</para>
+	
+	<para>Once you have installed the packages you should read 
+	the <command>winbindd(8)</command> man page which will provide you 
+	with conguration information and give you sample conguration files. 
+	You may also wish to update the main Samba daemons smbd and nmbd) 
+	with a more recent development release, such as the recently
+	announced Samba 2.2 alpha release.</para>
+</sect1>
+
+<sect1>
+	<title>Limitations</title>
+	
+	<para>Winbind has a number of limitations in its current 
+	released version which we hope to overcome in future 
+	releases:</para>
+
+	<itemizedlist>
+		<listitem><para>Winbind is currently only available for 
+		the Linux operating system, although ports to other operating 
+		systems are certainly possible. For such ports to be feasible, 
+		we require the C library of the target operating system to 
+		support the Name Service Switch and Pluggable Authentication
+		Modules systems. This is becoming more common as NSS and 
+		PAM gain	support among UNIX vendors.</para></listitem>
+		
+		<listitem><para>The mappings of Windows NT RIDs to UNIX ids 
+		is not made algorithmically and depends on the order in which 
+		unmapped users or groups are seen by winbind. It may be difficult 
+		to recover the mappings of rid to UNIX id mapping if the file 
+		containing this information is corrupted or destroyed.</para>
+		</listitem>
+		
+		<listitem><para>Currently the winbind PAM module does not take 
+		into account possible workstation and logon time restrictions 
+		that may be been set for Windows NT users.</para></listitem>
+		
+		<listitem><para>Building winbind from source is currently 
+		quite tedious as it requires combining source code from two Samba 
+		branches. Work is underway to solve this by providing all 
+		the necessary functionality in the main Samba code branch.</para>
+		</listitem>
+	</itemizedlist>
+</sect1>
+
+
+<sect1>
+	<title>Conclusion</title>
+
+	<para>The winbind system, through the use of the Name Service 
+	Switch, Pluggable Authentication Modules, and appropriate 
+	Microsoft RPC calls have allowed us to provide seamless 
+	integration of Microsoft Windows NT domain users on a
+	UNIX system. The result is a great reduction in the administrative 
+	cost of running a mixed UNIX and NT network.</para>
+	
+</sect1>
+
+</chapter>
+