Diffstat (limited to 'docs/htmldocs/ads.html')
-rw-r--r-- | docs/htmldocs/ads.html | 187 |
1 files changed, 141 insertions, 46 deletions
diff --git a/docs/htmldocs/ads.html b/docs/htmldocs/ads.html index f37bbf0abc..26ec1d04a7 100644 --- a/docs/htmldocs/ads.html +++ b/docs/htmldocs/ads.html @@ -5,7 +5,8 @@ >Samba as a ADS domain member</TITLE ><META NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK +CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+ +"><LINK REL="HOME" TITLE="SAMBA Project Documentation" HREF="samba-howto-collection.html"><LINK @@ -13,10 +14,10 @@ REL="UP" TITLE="Type of installation" HREF="type.html"><LINK REL="PREVIOUS" -TITLE="Samba Backup Domain Controller to Samba Domain Control" +TITLE="How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain" HREF="samba-bdc.html"><LINK REL="NEXT" -TITLE="Samba as a NT4 or Win2k domain member" +TITLE="Samba as a NT4 domain member" HREF="domain-security.html"></HEAD ><BODY CLASS="CHAPTER" 
@@ -72,25 +73,126 @@ WIDTH="100%"></DIV CLASS="CHAPTER" ><H1 ><A -NAME="ADS" -></A ->Chapter 8. Samba as a ADS domain member</H1 +NAME="ADS">Chapter 8. Samba as a ADS domain member</H1 ><P >This is a rough guide to setting up Samba 3.0 with kerberos authentication against a Windows2000 KDC. </P +><P +>Pieces you need before you begin: +<P +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>a Windows 2000 server.</TD +></TR +><TR +><TD +>samba 3.0 or higher.</TD +></TR +><TR +><TD +>the MIT kerberos development libraries (either install from the above sources or use a package). The heimdal libraries will not work.</TD +></TR +><TR +><TD +>the OpenLDAP development libraries.</TD +></TR +></TBODY +></TABLE +><P +></P +></P ><DIV CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN1251" ->8.1. Setup your <TT -CLASS="FILENAME" ->smb.conf</TT -></A -></H1 +NAME="AEN1187">8.1. Installing the required packages for Debian</H1 ><P ->You must use at least the following 3 options in smb.conf:</P +>On Debian you need to install the following packages: +<P +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>libkrb5-dev</TD +></TR +><TR +><TD +>krb5-user</TD +></TR +></TBODY +></TABLE +><P +></P +></P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN1193">8.2. Installing the required packages for RedHat</H1 +><P +>On RedHat this means you should have at least: +<P +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>krb5-workstation (for kinit)</TD +></TR +><TR +><TD +>krb5-libs (for linking with)</TD +></TR +><TR +><TD +>krb5-devel (because you are compiling from source)</TD +></TR +></TBODY +></TABLE +><P +></P +></P +><P +>in addition to the standard development environment.</P +><P +>Note that these are not standard on a RedHat install, and you may need +to get them off CD2.</P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN1202">8.3. 
Compile Samba</H1 +><P +>If your kerberos libraries are in a non-standard location then + remember to add the configure option --with-krb5=DIR.</P +><P +>After you run configure make sure that include/config.h contains + lines like this:</P +><P +><PRE +CLASS="PROGRAMLISTING" +>#define HAVE_KRB5 1 +#define HAVE_LDAP 1</PRE +></P +><P +>If it doesn't then configure did not find your krb5 libraries or + your ldap libraries. Look in config.log to figure out why and fix + it.</P +><P +>Then compile and install Samba as usual. You must use at least the + following 3 options in smb.conf:</P ><P ><PRE CLASS="PROGRAMLISTING" @@ -112,29 +214,24 @@ CLASS="PROGRAMLISTING" > ads server = your.kerberos.server</PRE ></P ><P ->You do *not* need a smbpasswd file, and older clients will - be authenticated as if "security = domain", although it won't do any harm - and allows you to have local users not in the domain. - I expect that the above required options will change soon when we get better - active directory integration.</P +>You do *not* need a smbpasswd file, although it won't do any harm + and if you have one then Samba will be able to fall back to normal + password security for older clients. I expect that the above + required options will change soon when we get better active + directory integration.</P ></DIV ><DIV CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN1262" ->8.2. Setup your <TT -CLASS="FILENAME" ->/etc/krb5.conf</TT -></A -></H1 +NAME="AEN1217">8.4. Setup your /etc/krb5.conf</H1 ><P >The minimal configuration for krb5.conf is:</P ><P ><PRE CLASS="PROGRAMLISTING" ->[realms] +> [realms] YOUR.KERBEROS.REALM = { kdc = your.kerberos.server }</PRE 
@@ -158,18 +255,18 @@ to join the realm.</P ><P >If all you want is kerberos support in smbclient then you can skip straight to step 5 now. Step 3 is only needed if you want kerberos -support for smbd and winbindd.</P +support in smbd.</P ></DIV ><DIV CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN1273" ->8.3. Create the computer account</A -></H1 +NAME="AEN1227">8.5. Create the computer account</H1 ><P ->As a user that has write permission on the Samba private directory +>Do a "kinit" as a user that has authority to change arbitrary +passwords on the KDC ("Administrator" is a good choice). Then as a +user that has write permission on the Samba private directory (usually root) run: <B CLASS="COMMAND" @@ -180,9 +277,7 @@ CLASS="SECT2" ><H2 CLASS="SECT2" ><A -NAME="AEN1277" ->8.3.1. Possible errors</A -></H2 +NAME="AEN1231">8.5.1. Possible errors</H2 ><P ><P ></P @@ -190,6 +285,12 @@ NAME="AEN1277" CLASS="VARIABLELIST" ><DL ><DT +>"bash: kinit: command not found"</DT +><DD +><P +>kinit is in the krb5-workstation RPM on RedHat systems, and is in /usr/kerberos/bin, so it won't be in the path until you log in again (or open a new terminal)</P +></DD +><DT >"ADS support not compiled in"</DT ><DD ><P @@ -205,9 +306,7 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN1285" ->8.4. Test your server setup</A -></H1 +NAME="AEN1243">8.6. Test your server setup</H1 ><P >On a Windows 2000 client try <B CLASS="COMMAND" @@ -225,9 +324,7 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN1290" ->8.5. Testing with smbclient</A -></H1 +NAME="AEN1248">8.7. Testing with smbclient</H1 ><P >On your Samba server try to login to a Win2000 server or your Samba server using smbclient and kerberos. Use smbclient as usual, but 
@@ -238,12 +335,10 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN1293" ->8.6. Notes</A -></H1 +NAME="AEN1251">8.8. Notes</H1 ><P ->You must change administrator password at least once after DC -install, to create the right encoding types</P +>You must change administrator password at least once after DC install, + to create the right encoding types</P ><P >w2k doesn't seem to create the _kerberos._udp and _ldap._tcp in their defaults DNS setup. Maybe fixed in service packs?</P @@ -293,7 +388,7 @@ ACCESSKEY="N" WIDTH="33%" ALIGN="left" VALIGN="top" ->Samba Backup Domain Controller to Samba Domain Control</TD +>How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain</TD ><TD WIDTH="34%" ALIGN="center" @@ -307,7 +402,7 @@ ACCESSKEY="U" WIDTH="33%" ALIGN="right" VALIGN="top" ->Samba as a NT4 or Win2k domain member</TD +>Samba as a NT4 domain member</TD ></TR ></TABLE ></DIV |
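Review bot: in the first hunk (@@ -5,7 +5,8) the GENERATOR meta value now carries a line break inside the attribute (`CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+` followed by `">`), which looks like the newer stylesheet emitting a trailing newline; browsers tolerate it, but since this file is generated output the fix belongs in the stylesheet or build step rather than in a hand edit of the HTML, otherwise it will come back on the next regeneration.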
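Review bot: the Debian and RedHat package lists added in the hunk @@ -72,25 +73,126 omit the OpenLDAP development libraries that the "Pieces you need before you begin" list in the same hunk declares mandatory, so a reader who follows only the per-distribution section will fail the include/config.h check for HAVE_LDAP in the following section; add the LDAP development package to both lists. Two smaller points in the same hunk: the heading text "Samba as a ADS domain member" should read "an ADS", and the `<P>` wrapping each `<TABLE>` (a block element inside a paragraph) is invalid HTML, which points at the list markup used in the DocBook source rather than at this file.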
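Review bot: the rewritten smbpasswd paragraph in the hunk @@ -112,29 +214,24 should spell out what "fall back to normal password security for older clients" means for the administrator: an smbpasswd file becomes a second, independently managed credential store that older clients can authenticate against, so its entries need to be kept in step with (or deliberately restricted relative to) the domain accounts, and the permissions on the private directory matter as much as before. In the same hunk the krb5.conf listing now begins with `> [realms]`, a leading space the previous version did not have; drop it so readers who copy the listing get the section header at column 0 regardless of how the profile parser treats leading blanks.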
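Review bot: the "skip straight to step 5" and "Step 3 is only needed" references kept in the hunk @@ -158,18 +255,18 no longer match the renumbered sections; with the new numbering, creating the computer account is 8.5 and testing with smbclient is 8.7, so either update the step numbers or rewrite the sentence in terms of section titles. In the same hunk, the new instruction to "kinit" as "Administrator" should also tell the reader to run kdestroy once the join command has succeeded, because the ticket cache for that highly privileged principal otherwise stays on the Samba host after the step it was obtained for is finished.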
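Review bot: the new "bash: kinit: command not found" entry in the hunk @@ -190,6 +285,12 tells the reader where the binary lives (/usr/kerberos/bin) but only suggests logging in again; it would be more useful to say to add /usr/kerberos/bin to PATH or invoke kinit by its full path, since whether a fresh login picks the directory up depends on the login scripts the RPM installs.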