7 files changed, 414 insertions, 378 deletions
diff --git a/docs/textdocs/BROWSING.txt b/docs/textdocs/BROWSING.txt
index 2ca41e5624..ad12d4c722 100644
--- a/docs/textdocs/BROWSING.txt
+++ b/docs/textdocs/BROWSING.txt
@@ -7,14 +7,10 @@ Summary: This describes how to configure Samba for improved browsing.
 
 OVERVIEW:
 =========
-
 SMB networking provides a mechanism by which clients can access a list
-of machines in a network, a so-called "browse list".  This list
-contains machines that are ready to offer file and/or print services
-to other machines within the network. Thus it does not include
-machines which aren't currently able to do server tasks.  The browse
-list is heavily used by all SMB clients.  Configuration of SMB
-browsing has been problematic for some Samba users, hence this
+of machines that are available within the network.  This list is called
+the browse list and is heavily used by all SMB clients.  Configuration
+of SMB browsing has been problematic for some Samba users, hence this
 document.
 
 Browsing will NOT work if name resolution from NetBIOS names to IP
@@ -63,10 +59,9 @@ browsing on another subnet.  It is recommended that this option is only
 used for 'unusual' purposes: announcements over the internet, for
 example.  See "remote announce" in the smb.conf man page.  
 
-If something doesn't work then hopefully the log.nmb file will help
-you track down the problem.  Try a debug level of 2 or 3 for finding
-problems. Also note that the current browse list usually gets stored
-in text form in a file called browse.dat.
+If something doesn't work then hopefully the log.nmb file will
+help you track down the problem.  Try a debug level of 2 or 3 for
+finding problems.
 
 Note that if it doesn't work for you, then you should still be able to
 type the server name as \\SERVER in filemanager then hit enter and
diff --git a/docs/textdocs/HINTS.txt b/docs/textdocs/HINTS.txt
index 877640108c..75114557fe 100644
--- a/docs/textdocs/HINTS.txt
+++ b/docs/textdocs/HINTS.txt
@@ -49,9 +49,6 @@ windows. Just drag your file onto the icon and it converts the file.
 Get it from
 ftp://samba.org/pub/samba/contributed/fixcrlf.zip
 
-The utilities unix2dos and dos2unix(in the mtools package) should do 
-the job under unix.
-
 ---------------------- 
 HINT: Use the "username map" option
 
diff --git a/docs/textdocs/Printing.txt b/docs/textdocs/Printing.txt
index 2c50e5f4fe..b47120eaba 100644
--- a/docs/textdocs/Printing.txt
+++ b/docs/textdocs/Printing.txt
@@ -3,7 +3,7 @@ Revised by:	Patrick Powell <papowell@lprng.org>
 Date:		August 11, 2000
 Status:		Current
 
-Subject:	Debugging Printing Problems
+Subject:	Dubugging Printing Problems
 =============================================================================
 
 This is a short description of how to debug printing problems with
diff --git a/docs/textdocs/Samba-OpenSSL.txt b/docs/textdocs/Samba-OpenSSL.txt
new file mode 100644
index 0000000000..e1b54b1a03
--- /dev/null
+++ b/docs/textdocs/Samba-OpenSSL.txt
@@ -0,0 +1,405 @@
+Contributor: Christian Starkjohann <cs@obdev.at>
+Date:        May 29, 1998
+Status:      
+
+Comment: Updated by Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>
+Date:	 July 16, 2001
+
+Subject:     Compiling and using samba with SSL support
+============================================================================
+
+What is SSL and SSLeay/OpenSSL?
+===============================
+SSL (Secure Socket Layer) is a protocol for encrypted and authenticated data
+transport. It is used by secure web servers for shopping malls, telebanking
+and things like that.
+
+SSLeay is a free implementation of the SSL protocol. The successor of it is
+OpenSSL, available from
+
+    http://www.openssl.org/
+
+The current version while these lines are written is 0.9.6b. In some countries
+encryption is plagued by legal problems, even though things have relaxed a
+lot in the last years.
+
+To compile samba with SSL support, you must first compile and install OpenSSL.
+At least version 0.9.5 of OpenSSL is required. Version 0.9.6b is the latest
+version and is strongly recommended.
+OpenSSL consists of a library (which can be linked to other applications like
+samba) and several utility programs needed for key generation, certification
+etc. OpenSSL installs to /usr/local/ssl/ by default.
+
+
+Compiling samba with OpenSSL
+============================
+1. Get and install OpenSSL. The rest of this documentation assumes that you
+   have installed it at the default location, which is /usr/local/ssl/.
+2. Call "configure" with the "--with-ssl" flag. If OpenSSL is not installed in
+   the default directory, you can use the "--with-sslinc" and "--with-ssllib"
+   flags to specify the location.
+3. Compile and install as usual.
+
+
+Configuring SSL in samba
+========================
+Before you configure SSL, you should know the basics of cryptography and how
+SSL relates to all of this. A basic introduction can be found further down in
+this document. The following variables in the "[global]" section of the
+configuration file are used to configure SSL:
+
+ssl                     = yes
+   This variable enables or disables the entire SSL mode. If it is set to
+   "no", the SSL enabled samba behaves exactly like the non-SSL samba. If set
+   to "yes", it depends on the variables "ssl hosts" and "ssl hosts resign"
+   whether an SSL connection will be required.
+ssl hosts               = 
+ssl hosts resign        = 192.168.
+   These two variables define whether samba will go into SSL mode or not. If
+   none of them is defined, samba will allow only SSL connections. If the
+   "ssl hosts" variable lists hosts (by IP-address, IP-address range, net
+   group or name), only these hosts will be forced into SSL mode. If the
+   "ssl hosts resign" variable lists hosts, only these hosts will NOT be
+   forced into SSL mode. The syntax for these two variables is the same as
+   for the "hosts allow" and "hosts deny" pair of variables, only that the
+   subject of the decision is different: It's not the access right but
+   whether SSL is used or not. See the man page of smb.conf (section about
+   "allow hosts") for details. The above example requires SSL connections
+   from all hosts outside the local net (which is 192.168.*.*).
+ssl CA certDir          = /usr/local/ssl/certs
+   This variable defines where to look up the Certification Autorities. The
+   given directory should contain one file for each CA that samba will trust.
+   The file name must be the hash value over the "Distinguished Name" of the
+   CA. How this directory is set up is explained later in this document. All
+   files within the directory that don't fit into this naming scheme are
+   ignored. You don't need this variable if you don't verify client
+   certificates.
+ssl CA certFile         = /usr/local/ssl/certs/trustedCAs.pem
+   This variable is a second way to define the trusted CAs. The certificates
+   of the trusted CAs are collected in one big file and this variable points
+   to the file. You will probably only use one of the two ways to define your
+   CAs. The first choice is preferable if you have many CAs or want to be
+   flexible, the second is perferable if you only have one CA and want to
+   keep things simple (you won't need to create the hashed file names). You
+   don't need this variable if you don't verify client certificates.
+ssl server cert         = /usr/local/ssl/certs/samba.pem
+   This is the file containing the server's certificate. The server _must_
+   have a certificate. The file may also contain the server's private key.
+   See later for how certificates and private keys are created.
+ssl server key          = /usr/local/ssl/private/samba.pem
+   This file contains the private key of the server. If this variable is not
+   defined, the key is looked up in the certificate file (it may be appended
+   to the certificate). The server _must_ have a private key and the
+   certificate _must_ match this private key.
+ssl client cert         = /usr/local/ssl/certs/smbclient.pem
+   The certificate in this file is used by smbclient if it exists. It's needed
+   if the server requires a client certificate.
+ssl client key          = /usr/local/ssl/private/smbclient.pem
+   This is the private key for smbclient. It's only needed if the client
+   should have a certificate.
+ssl require clientcert  = yes
+   If this variable is set to "yes", the server will not tolerate connections
+   from clients that don't have a valid certificate. The directory/file
+   given in "ssl CA certDir" and "ssl CA certFile" will be used to look up
+   the CAs that issued the client's certificate. If the certificate can't be
+   verified positively, the connection will be terminated.
+   If this variable is set to "no", clients don't need certificates. Contrary
+   to web applications you really _should_ require client certificates. In
+   the web environment the client's data is sensitive (credit card numbers)
+   and the server must prove to be trustworthy. In a file server environment
+   the server's data will be sensitive and the clients must prove to be
+   trustworthy.
+ssl require servercert  = yes
+   If this variable is set to "yes", the smbclient will request a certificate
+   from the server. Same as "ssl require clientcert" for the server.
+ssl ciphers             = ???
+   This variable defines the ciphers that should be offered during SSL
+   negotiation. You should not set this variable unless you know what you do.
+ssl version             = ssl2or3
+   This enumeration variable defines the versions of the SSL protocol that
+   will be used. "ssl2or3" allows dynamic negotiation of SSL v2 or v3, "ssl2"
+   results SSL v2, "ssl3" results in SSL v3 and "tls1" results in TLS v1. TLS
+   (Transport Layer Security) is the (proposed?) new standard for SSL. The
+   default value is "ssl2or3".
+ssl compatibility       = no
+   This variable defines whether SSLeay should be configured for bug
+   compatibility with other SSL implementations. This is probably not
+   desirable because currently no clients with SSL implementations other than
+   SSLeay exist.
+ssl entropy file        =
+   Specifies a file from which processes will read "random bytes" on startup.
+   In order to seed the internal pseudo random number generator, entropy
+   must be provided. On system with a /dev/urandom device file, the processes
+   will retrieve its entropy from the kernel. On systems without kernel
+   entropy support, a file can be supplied that will be read on startup
+   and that will be used to seed the PRNG.
+ssl entropy bytes	= 256
+   Number of bytes that will be read from entropy file. If -1 is given, the
+   complete file will be read.
+ssl egd socket		=
+   Location of the communiation socket of an EGD or PRNGD daemon, from which
+   entropy can be retrieved. This option can be used instead of or together
+   with the "ssl entropy file" directive. 255bytes of entropy will be
+   retrieved from the daemon.
+
+
+Running samba with OpenSSL
+==========================
+Samba is started as usual. The daemon will ask for the private key's pass
+phrase before it goes to background if the private key has been encrypted.
+If you start smbd from inetd, this won't work. Therefore you must not encrypt
+your private key if you run smbd from inetd.
+
+Windows clients will try to connect to the SSL enabled samba daemon and they
+will fail. This can fill your log with failed SSL negotiation messages. To
+avoid this, you can either not run nmbd (if all clients use DNS to look up
+the server), which will leave the Windows machine unaware of the server, or
+list all (local) Windows machines in the "ssl hosts resign" variable.
+
+
+About certificates
+==================
+Secure samba servers will not be set up for public use as it is the case with
+secure web servers. Most installations will probably use it for distributed
+offices that use parts of the internet for their intranet, for access to a
+web server that's physically hosted by the provider or simply for teleworking.
+All these applications work with a known group of users that can easily agree
+on a certification authority. The CA can be operated by the company and the
+policy for issuing certificates can be determined by the company. If samba is
+configured to verify client certificates, it (currently) only verifies
+whether a valid certificate exists. It does not verify any of the data within
+the certificate (although it prints some of the data to the log file).
+
+
+Which clients are available that support SSL?
+=============================================
+Currently there are only smbclient which is part of the samba package and
+Sharity. Shariy versions newer than 0.14 in the beta branch and 1.01 in the
+main branch can be compiled with SSLeay. Sharity is a CIFS/SMB client
+implementation for Unix. It is a commercial product, but it is available in
+source code and the demo-mode allows access to the first three layers of the
+mounted directory hierarchy. Licenses for universities and students are free.
+Sharity is available at
+
+    http://www.obdev.at/Products/Sharity.html
+
+
+
+###########################################################################
+Basics about Cryptography and SSL(eay)
+###########################################################################
+
+There are many good introductions to cryptography. I assume that the reader
+is familiar with the words "encryption", "digital signature" and RSA. If you
+don't know these terms, please read the cryptography FAQ part 6 and 7, which
+is posted to the usenet newsgroup sci.crypt. It is also available from
+
+    ftp://rtfm.mit.edu/pub/usenet/news.answers/cryptography-faq
+and
+    http://www.cis.ohio-state.edu/hypertext/faq/usenet/cryptography-faq
+
+I'll concentrate on the questions specific to SSL and samba here.
+
+
+What is a certificate?
+======================
+A certificate is issued by an issuer, usually a "Certification Authority"
+(CA), who confirms something by issuing the certificate. The subject of this
+confirmation depends on the CA's policy. CAs for secure web servers (used for
+shopping malls etc.) usually only attest that the given public key belongs the
+the given domain name. Company-wide CAs might attest that you are an employee
+of the company, that you have permissions to use a server or whatever.
+
+
+What is an X.509 certificate technically?
+=========================================
+Technically, the certificate is a block of data signed by the certificate
+issuer (the CA). The relevant fields are:
+   - unique identifier (name) of the certificate issuer
+   - time range during that the certificate is valid
+   - unique identifier (name) of the certified subject
+   - public key of the certified subject
+   - the issuer's signature over all of the above
+If this certificate should be verified, the verifier must have a table of the
+names and public keys of trusted CAs. For simplicity, these tables are lists
+of certificates issued by the respective CAs for themselves (self-signed
+certificates).
+
+
+What are the implications of this certificate structure?
+========================================================
+  - Because the certificate contains the subject's public key, the
+    certificate and the private key together are all that's needed to encrypt
+    and decrypt.
+  - To verify certificates, you need the certificates of all CAs you trust.
+  - The simplest form of a dummy-certificate is one that's signed by the
+    subject itself.
+  - A CA is needed. The client can't simply issue local certificates for
+    servers it trusts because the server determines which certificate it
+    presents.
+
+
+
+###########################################################################
+Setting up files and directories for OpenSSL
+###########################################################################
+
+The first thing you should do is to change your PATH environment variable to
+include the bin directory of OpenSSL. E.g.:
+
+    PATH=$PATH:/usr/local/ssl/bin   
+
+If your system's kernel supports a /dev/urandom device, all OpenSSL operations
+will automatically retrieve its entropy from it. If your system does not
+support /dev/urandom, you may install an EGD/PRNGD daemon for entropy
+supply or can generate seed from reading files (that should contain information
+unpredictable/unknown to attackers). Use the "-rand" option to the openssl
+commands to specify the entropy source (if /dev/urandom is not available).
+
+OpenSSL additionally keeps random seed in the $HOME/.rnd file. You can
+initialize this file using:
+    
+    openssl rand -rand /tmp/rfile.txt > $HOME/.rnd
+    rm -f /tmp/rfile.txt	# nobody must know!!
+
+or
+
+    openssl rand -rand /path/to/egd-socket > $HOME/.rnd
+
+How to create a keypair
+=======================
+This is done with 'genrsa' for RSA keys and 'gendsa' for DSA keys. For an RSA
+key with 1024 bits which is written to the file "key.pem" type:
+
+    openssl genrsa -des3 -rand /path/to/source 1024 > key.pem
+
+You will be asked for a pass phrase to protect this key. If you don't want to
+protect your private key with a pass phrase, just omit the parameter "-des3".
+If you want a different key size, replace the parameter "1024". You really
+should use a pass phrase.
+
+If you want to remove the pass phrase from a key use:
+
+    openssl rsa -in key.pem -out newkey.pem
+
+And to add or change a pass phrase:
+
+    openssl rsa -des3 -in key.pem -out newkey.pem
+
+
+How to create a dummy certificate
+=================================
+If you still have your keypair in the file "key.pem", the command
+
+    openssl req -new -x509 -key key.pem -out cert.pem
+
+will write a self-signed dummy certificate to the file "cert.pem". This can
+be used for testing or if only encryption and no certification is needed.
+Please bear in mind that encryption without authentication (certification)
+can never be secure. It's open to (at least) "man-in-the-middle" attacks.
+
+
+How to create a certificate signing request
+===========================================
+You must not simply send your keypair to the CA for signing because it
+contains the private key which _must_ be kept secret. A signing request
+consists of your public key and some additional information you want to have
+bound to that key by the certificate. If you operate a secure web server,
+this additional information will (among other things) contain the URL of
+your server in the field "Common Name". The certificate signing request is
+created from the keypair with the following command (assuming that the key
+pair is still in "key.pem"):
+
+    openssl req -new -key key.pem -out csr.pem
+
+This command will ask you for the information which must be included in the
+certificate and will write the signing request to the file "csr.pem". This
+signing request is all the CA needs for signing, at least technically. Most
+CAs will demand bureaucratic material and money, too.
+
+
+How to set up a Certification Authority (CA)
+============================================
+Being a certification authority requires a database that holds the CA's
+keypair, the CA's certificate, a list of all signed certificates and other
+information. This database is kept in a directory hierarchy below a
+configurable starting point. The starting point must be configured in the
+ssleay.conf file. This file is at /usr/local/ssl/lib/ssleay.conf if you have
+not changed the default installation path.
+
+The first thing you should do is to edit this file according to your needs.
+Let's  assume that you want to hold the CA's database at the directory
+"/usr/local/ssl/CA". Change the variable "dir" in section "CA_default" to
+this path. You may also want to edit the default settings for some variables,
+but the values given should be OK. This path is also contained in the shell
+script CA.sh, which should be at "/usr/local/ssl/bin/CA.sh". Change the path
+in the shell script:
+
+    CATOP=/usr/local/ssl/CA
+    CAKEY=./cakey.pem           # relative to $CATOP/
+    CACERT=./cacert.pem         # relative to $CATOP/private/
+
+Then create the directory "/usr/local/ssl/CA" and make it writable for the
+user that operates the CA. You should also initialize SSLeay as CA user (set
+up the random number generator). Now you should call the shell script CA.sh
+to set up the initial database:
+
+    CA.sh -newca
+
+This command will ask you whether you want to use an existing certificate or
+create one. Just press enter to create a new key pair and certificate. You
+will be asked the usual questions for certificates: the country, state, city,
+"Common Name", etc. Enter the appropriate values for the CA. When CA.sh
+finishes, it has set up a bunch of directories and files. A CA must publish
+it's certificate, which is in the file "/usr/local/ssl/CA/cacert.pem".
+
+
+How to sign a certificate request
+=================================
+After setting up the CA stuff, you can start signing certificate requests.
+Make sure that the SSLeay utilities know where the configuration file is.
+The default is compiled in, if you don't use the default location, add the
+parameter "-config <cfg-file>". Make also sure that the configuration file
+contains the correct path to the CA database. If all this is set up properly,
+you can sign the request in the file "csr.pem" with the command:
+
+    openssl ca -policy policy_anything -days 365 -infiles csr.pem >cert.pem
+
+The resulting certificate (and additional information) will be in "cert.pem".
+If you want the certificate to be valid for a period different from 365 days,
+simply change the "-days" parameter.
+
+
+How to install a new CA certificate
+===================================
+Whereever a certificate must be checked, the CA's certificate must be
+available. Let's take the common case where the client verifies the server's
+certificate. The case where the server verfies the client's certificate works
+the same way. The client receives the server's certificate, which contains
+the "Distinguished Name" of the CA. To verify whether the signature in this
+certificate is OK, it must look up the public key of that CA. Therefore each
+client must hold a database of CAs, indexed by CA name. This database is best
+kept in a directory where each file contains the certificate of one CA and is
+named after the hashvalue (checksum) of the CA's name. This section describes
+how such a database is managed technically. Whether or not to install (and
+thereby trust) a CA is a totally different matter.
+
+The client must know the directory of the CA database. This can be configured.
+There may also be a configuration option to set up a CA database file which
+contains all CA certs in one file. Let's assume that the CA database is kept
+in the directory "/usr/local/ssl/certs". The following example assumes that
+the CA's certificate is in the file "cacert.pem" and the CA is known as
+"myCA". To install the certificate, do the following:
+
+    cp cacert.pem /usr/local/ssl/cers/myCA.pem
+    cd /usr/local/ssl/certs
+    ln -s myCA.pem `openssl x509 -noout -hash < myCA.pem`.0
+
+The last command creates a link from the hashed name to the real file.
+
+From now on all certificates signed by the myCA authority will be accepted by
+clients that use the directory "/usr/local/ssl/certs/" as their CA certificate
+database.
+
+
+
diff --git a/docs/textdocs/Solaris-Winbind-HOWTO.txt b/docs/textdocs/Solaris-Winbind-HOWTO.txt
deleted file mode 100644
index a81bacf486..0000000000
--- a/docs/textdocs/Solaris-Winbind-HOWTO.txt
+++ /dev/null
@@ -1,361 +0,0 @@
-!==
-!== Solaris-Winbind-HOWTO.txt
-!==
-Contributors:   Naag Mummaneni <getnag@rediffmail.com>
-Updated:        May 2, 2002
-Status:         Current
-
-Subject:        Installing and Configuring Winbind on Solaris
-=============================================================================
-
-Installation and Configuration of Winbind on Solaris.
------------------------------------------------------
-
-This HOWTO describes how to get winbind services up and running to control
-access and authenticate users on your Solaris box using the winbind services
-which come with SAMBA 2.2.x latest CVS Checkout.Make sure you are using the
-latest Samba 2.2.x cvs checkout as other versions come with a lots of bugs
-regarding winbind .And even the Latest Samba Stable Release is also not an
-exception to this.
-
-Introduction
-------------
-
-This HOWTO describes the procedures used to get winbind up and running on a
-Solaris system. Winbind is capable of providing access and authentication
-control for Windows Domain users through an NT or Win2K PDC for 'regular'
-services, such as telnet and ftp, as well for SAMBA services.
-
-Why should I to this? 
-
-This allows the SAMBA administrator to rely on the authentication mechanisms
-on the NT/Win2K PDC for the authentication of domain members. NT/Win2K users
-no longer need to have separate accounts on the SAMBA server.
-
-Who should be reading this document? 
-
-This HOWTO is designed for system administrators. If you are implementing
-SAMBA on a file server and wish to (fairly easily) integrate existing
-NT/Win2K users from your PDC onto the SAMBA server, this HOWTO is for you.
-
-Requirements
-------------
-
-If you have a samba configuration file that you are currently using... BACK
-IT UP! If your system already uses PAM, back up the /etc/pam.conf file ! If
-you haven't already made a boot disk, MAKEONE NOW! Messing with the pam
-configuration file can make it nearly impossible to log in to yourmachine.
-That's why you want to be able to boot back into your machine in single user
-mode and restore your /etc/pam.conf back to the original state they were in
-if you get frustrated with the way things are going. ;-) Please refer to the
-main SAMBA web page or, better yet, your closest SAMBA mirror site for
-instructions on downloading the source code of Samba 2.2.x from the SAMBA
-CVS repository. To allow Domain users the ability to access SAMBA shares and
-files, as well as potentially other services provided by your SAMBA machine,
-PAM (pluggable authentication modules) must be setup properly on your
-machine. In order to compile the winbind modules, you should have at least
-the pam libraries resident on your system. Solaris 7/8 has its pam modules
-coming with the distribution itself.
-
-Testing Things Out
-------------------
-
-Before starting, it is probably best to kill off all the SAMBA related
-daemons running on your server. Kill off all smbd, nmbd, and winbindd
-processes that may be running.
-
-
-Configure and compile SAMBA
----------------------------
-
-The configuration and compilation of SAMBA is pretty straightforward. The
-first three steps may not be necessary depending upon whether or not you
-have previously built the Samba binaries.
-
-root# autoconf
-root# make clean
-root# rm config.cache
-root# ./configure --with-winbind --with-pam
-root# make
-root# make install
-
-This will, by default, install SAMBA in /usr/local/samba. See the main SAMBA
-documentation if you want to install SAMBA somewhere else. It will also
-build the winbindd executable and libraries.
-
-Configure nsswitch.conf and the winbind libraries
--------------------------------------------------
-
-The libraries needed to run the winbindd daemon through nsswitch need to be
-copied to their proper locations, so
-
-root# cp ../samba/source/nsswitch/libnss_winbind.so /usr/lib
-
-I also found it necessary to make the following symbolic links:
-
-root# ln -s /usr/lib/libnss_winbind.so /usr/lib/libnss_winbind.so.1
-root# ln -s /usr/lib/libnss_winbind.so /usr/lib/libnss_winbind.so.2
-root# ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.1
-root# ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.2
-
-Now, as root you need to edit /etc/nsswitch.conf to allow user and group
-entries to be visible from the winbindd daemon. My /etc/nsswitch.conf file
-look like this after editing:
-
-  passwd: files winbind
-  group: files winbind
-
-
-Configure smb.conf
-------------------
-
-Several parameters are needed in the smb.conf file to control the behavior
-of winbindd. Configure smb.conf These are described in more detail in the
-winbindd(8) man page. My smb.conf file was modified to include the following
-entries in the [global] section:
-
-[global]
-	<...>
-	# The previous documentation says to 
-	# as the "winbind seperator " directive also but 
-	# it is no longer supported.
-
-	# use uids from 10000 to 20000 for domain users
-	winbind uid = 10000-20000
-
-	# use gids from 10000 to 20000 for domain groups
-	winbind gid = 10000-20000
-
-	# allow enumeration of winbind users and groups
-	winbind enum users = yes
-	winbind enum groups = yes
-
-	# give winbind users a real shell (only needed if 
-	# they have telnet access)
-	template homedir = /home/winnt/%D/%U
-	template shell = /bin/bash
-
-
-Join the SAMBA server to the PDC domain
----------------------------------------
-
-Enter the following command to make the SAMBA server join the PDC domain,
-where DOMAIN is the name of your Windows domain and Administrator is a
-domain user who has administrative privileges in the domain.
-
-root# /usr/local/samba/bin/smbpasswd -j DOMAIN -r PDC -U Administrator
-
-The proper response to the command should be: "Joined the domain DOMAIN"
-where DOMAIN is your DOMAIN name.
-
-Start up the winbindd daemon and test it!
-
-Eventually, you will want to modify your smb startup script to automatically
-invoke the winbindd daemon when the other parts of SAMBA start, but it is
-possible to test out just the winbind portion first. To start up winbind
-services, enter the following command as root:
-
-root# /usr/local/samba/bin/winbindd
-
-I'm always paranoid and like to make sure the daemon is really running...
-
-root# ps -ae | grep winbindd
-
-This command should produce output like this, if the daemon is running
-
-  3025 ? 00:00:00 winbindd
-
-Now... for the real test, try to get some information about the users on
-your PDC
-
-root# /usr/local/samba/bin/wbinfo -u
-
-This should echo back a list of users on your Windows users on your PDC. For
-example, I get the following response:
-
-CEO\Administrator
-CEO\burdell
-CEO\Guest
-CEO\jt-ad
-CEO\krbtgt
-CEO\TsInternetUser
-
-root# /usr/local/samba/bin/wbinfo -g
-
-CEO\Domain Admins
-CEO\Domain Users
-CEO\Domain Guests
-CEO\Domain Computers
-CEO\Domain Controllers
-CEO\Cert Publishers
-CEO\Schema Admins
-CEO\Enterprise Admins
-CEO\Group Policy Creator Owners
-
-The function 'getent' can now be used to get unified lists of both local and
-PDC users and groups. Try the following command:
-
-root# getent passwd
-
-You should get a list that looks like your /etc/passwd list followed by the domain users with their new
-uids, gids, home directories and default shells.
-
-The same thing can be done for groups with the command
-
-root# getent group
-
-Fix the /etc/rc.d/init.d/samba.server startup files The winbindd daemon
-needs to start up after the smbd and nmbd daemons are running. To accomplish
-this task, you need to modify the /etc/init.d/samba.server script to add
-commands to invoke this daemon in the proper sequence. My
-/etc/init.d/samba.server file starts up smbd, nmbd, and winbindd from the
-/usr/local/samba/bin directory directly.
-
-##
-## samba.server
-##
-
-if [ ! -d /usr/bin ]
-then                    # /usr not mounted
-        exit
-fi
-
-killproc() {            # kill the named process(es)
-        pid=`/usr/bin/ps -e |
-             /usr/bin/grep -w $1 |
-             /usr/bin/sed -e 's/^  *//' -e 's/ .*//'`
-        [ "$pid" != "" ] && kill $pid
-}
- 
-# Start/stop processes required for samba server
-
-case "$1" in
-
-'start')
-#
-# Edit these lines to suit your installation (paths, workgroup, host)
-#
-echo Starting SMBD
-   /usr/local/samba/bin/smbd -D -s \
-	/usr/local/samba/smb.conf
-
-echo Starting NMBD
-   /usr/local/samba/bin/nmbd -D -l \
-	/usr/local/samba/var/log -s /usr/local/samba/smb.conf
-
-echo Starting Winbind Daemon
-   /usr/local/samba/bin/winbindd
-   ;;
-
-'stop')
-   killproc nmbd
-   killproc smbd
-   killproc winbindd
-   ;;
-
-*)
-   echo "Usage: /etc/init.d/samba.server { start | stop }"
-   ;;
-esac
-
-If you restart the smbd, nmbd, and winbindd daemons at this point, you
-should be able to connect to the samba server as a domain member just as if
-you were a local user.
-
-
-Configure Winbind and PAM
--------------------------
-
-If you have made it this far, you know that winbindd and samba are working
-together. If you want to use winbind to provide authentication for other
-services, keep reading. The pam configuration file need to be altered in
-this step. (Did you remember to make backups of your original /etc/pam.conf
-file? If not, do it now.) You will need a pam module to use winbindd with
-these other services. This module will be compiled in the ../source/nsswitch
-directory by default when we used ./configure --with-pam option.
-
-root# make nsswitch/pam_winbind.so
-
-from the ../source directory. The pam_winbind.so file should be copied to
-the location of your other pam security modules. On my Solaris 8, this was
-the /usr/lib/security directory.
-
-root# cp ../samba/source/nsswitch/pam_winbind.so /usr/lib/security
-
-The /etc/pam.conf need to be changed. I changed this file so that my Domain
-users can logon both locally as well as telnet.The following are the changes
-that I made.You can customize the pam.conf file as per your requirements,but
-be sure of those changes because in the worst case it will leave your system
-nearly impossible to boot.
-
-#
-#ident	"@(#)pam.conf	1.14	99/09/16 SMI"
-#
-# Copyright (c) 1996-1999, Sun Microsystems, Inc.
-# All Rights Reserved.
-#
-# PAM configuration
-#
-# Authentication management
-#
-login   auth required   /usr/lib/security/pam_winbind.so
-login	auth required 	/usr/lib/security/$ISA/pam_unix.so.1 try_first_pass 
-login	auth required 	/usr/lib/security/$ISA/pam_dial_auth.so.1 try_first_pass 
-#
-rlogin  auth sufficient /usr/lib/security/pam_winbind.so
-rlogin  auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1
-rlogin	auth required 	/usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
-#
-dtlogin auth sufficient /usr/lib/security/pam_winbind.so
-dtlogin	auth required 	/usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
-#
-rsh	auth required	/usr/lib/security/$ISA/pam_rhosts_auth.so.1
-other   auth sufficient /usr/lib/security/pam_winbind.so
-other	auth required	/usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
-#
-# Account management
-#
-login   account sufficient      /usr/lib/security/pam_winbind.so
-login	account requisite	/usr/lib/security/$ISA/pam_roles.so.1 
-login	account required	/usr/lib/security/$ISA/pam_unix.so.1 
-#
-dtlogin account sufficient      /usr/lib/security/pam_winbind.so
-dtlogin	account requisite	/usr/lib/security/$ISA/pam_roles.so.1 
-dtlogin	account required	/usr/lib/security/$ISA/pam_unix.so.1 
-#
-other   account sufficient      /usr/lib/security/pam_winbind.so
-other	account requisite	/usr/lib/security/$ISA/pam_roles.so.1 
-other	account required	/usr/lib/security/$ISA/pam_unix.so.1 
-#
-# Session management
-#
-other	session required	/usr/lib/security/$ISA/pam_unix.so.1 
-#
-# Password management
-#
-#other   password sufficient     /usr/lib/security/pam_winbind.so
-other	password required	/usr/lib/security/$ISA/pam_unix.so.1 
-dtsession auth required	/usr/lib/security/$ISA/pam_unix.so.1
-#
-# Support for Kerberos V5 authentication (uncomment to use Kerberos)
-#
-#rlogin	auth optional	/usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
-#login	auth optional	/usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
-#dtlogin	auth optional	/usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
-#other	auth optional	/usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
-#dtlogin	account optional /usr/lib/security/$ISA/pam_krb5.so.1
-#other	account optional /usr/lib/security/$ISA/pam_krb5.so.1
-#other	session optional /usr/lib/security/$ISA/pam_krb5.so.1
-#other	password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
-
-I also added a try_first_pass line after the winbind.so line to get rid of
-annoying double prompts for passwords.
-
-Now restart your Samba & try connecting through your application that you
-configured in the pam.conf.
-
-
-
-!==
-!== end of Solaris-Winbind-HOWTO.txt
-!==
diff --git a/docs/textdocs/Tracing.txt b/docs/textdocs/Tracing.txt
index 6cc1d69258..fd65045abd 100644
--- a/docs/textdocs/Tracing.txt
+++ b/docs/textdocs/Tracing.txt
@@ -70,7 +70,7 @@ Once you are attached you then can do whatever it is on the client
 that is causing problems and you will capture all the system calls
 that smbd makes. 
 
-So how do you interpret the results? Generally I search through the
+So how do you interpret the results? Generally I search thorugh the
 output for strings that I know will appear when the problem
 happens. For example, if I am having touble with permissions on a file
 I would search for that files name in the strace output and look at
diff --git a/docs/textdocs/UNIX_SECURITY.txt b/docs/textdocs/UNIX_SECURITY.txt
index 38705f018a..d6a0a01acc 100644
--- a/docs/textdocs/UNIX_SECURITY.txt
+++ b/docs/textdocs/UNIX_SECURITY.txt
@@ -32,7 +32,7 @@ directory and do an ls, the UNIX security solution is to
 change the UNIX file permissions on the users home directories
 such that the cd and ls would be denied.
 
-Samba tries very hard not to second guess the UNIX administrators
+Samba tries very had not to second guess the UNIX administrators
 security policies, and trusts the UNIX admin to set
 the policies and permissions he or she desires.