From 4a090ba06a54f5da179ac02bb307cc03d08831bf Mon Sep 17 00:00:00 2001
From: Gerald Carter <jerry@samba.org>
Date: Wed, 16 Jul 2003 05:34:56 +0000
Subject: trying to get HEAD building again.  If you want the code prior to
 this merge, checkout HEAD_PRE_3_0_0_BETA_3_MERGE (This used to be commit
 adb98e7b7cd0f025b52c570e4034eebf4047b1ad)

---
 docs/docbook/smbdotconf/filename/mangledstack.xml  |  2 +-
 docs/docbook/smbdotconf/filename/mangleprefix.xml  |  2 +-
 docs/docbook/smbdotconf/generate-context.xsl       |  8 +---
 docs/docbook/smbdotconf/generate-file-list.sh      |  8 ++--
 docs/docbook/smbdotconf/logging/debuglevel.xml     |  2 +-
 docs/docbook/smbdotconf/printing/printcommand.xml  |  2 +-
 .../smbdotconf/protocol/nameresolveorder.xml       | 24 +++++++---
 docs/docbook/smbdotconf/protocol/usespnego.xml     |  2 +-
 docs/docbook/smbdotconf/security/authmethods.xml   | 14 +++++-
 docs/docbook/smbdotconf/security/lanmanauth.xml    | 16 +++++++
 docs/docbook/smbdotconf/security/ntlmauth.xml      | 12 +++--
 docs/docbook/smbdotconf/security/passdbbackend.xml | 51 ++++++++--------------
 .../docbook/smbdotconf/security/passwordserver.xml | 32 ++++++++------
 .../smbdotconf/security/restrictanonymous.xml      | 15 +++++--
 docs/docbook/smbdotconf/security/security.xml      | 28 +++++++++---
 docs/docbook/smbdotconf/vfs/vfsobject.xml          | 12 ++---
 docs/docbook/smbdotconf/winbind/winbindgid.xml     |  2 +
 docs/docbook/smbdotconf/winbind/winbinduid.xml     | 11 ++---
 .../smbdotconf/winbind/winbindusedefaultdomain.xml |  2 +-
 docs/docbook/smbdotconf/wins/winspartners.xml      |  2 +-
 20 files changed, 150 insertions(+), 97 deletions(-)

(limited to 'docs/docbook/smbdotconf')

diff --git a/docs/docbook/smbdotconf/filename/mangledstack.xml b/docs/docbook/smbdotconf/filename/mangledstack.xml
index 42083d13a2..5f28e76dd9 100644
--- a/docs/docbook/smbdotconf/filename/mangledstack.xml
+++ b/docs/docbook/smbdotconf/filename/mangledstack.xml
@@ -1,4 +1,4 @@
-<samba:parameter name="mangling stack"
+<samba:parameter name="mangled stack"
                  context="G"
                  advanced="1" developer="1"
                  xmlns:samba="http://samba.org/common">
diff --git a/docs/docbook/smbdotconf/filename/mangleprefix.xml b/docs/docbook/smbdotconf/filename/mangleprefix.xml
index 5476ed1f08..cbd41f973d 100644
--- a/docs/docbook/smbdotconf/filename/mangleprefix.xml
+++ b/docs/docbook/smbdotconf/filename/mangleprefix.xml
@@ -1,4 +1,4 @@
-<samba:parameter name="mangling prefix"
+<samba:parameter name="mangle prefix"
                  context="G"
                  advanced="1" developer="1"
                  xmlns:samba="http://samba.org/common">
diff --git a/docs/docbook/smbdotconf/generate-context.xsl b/docs/docbook/smbdotconf/generate-context.xsl
index 13fb216700..4afba52a86 100644
--- a/docs/docbook/smbdotconf/generate-context.xsl
+++ b/docs/docbook/smbdotconf/generate-context.xsl
@@ -24,17 +24,11 @@
 </xsl:template>
 
 <xsl:template match="//samba:parameter">
-      <xsl:message>
-        <xsl:text>Processing samba:parameter (</xsl:text>
-        <xsl:value-of select="@name"/>
-        <xsl:text>)</xsl:text>
-      </xsl:message>
-
   <xsl:variable name="name"><xsl:value-of select="translate(translate(string(@name),' ',''),
                   'abcdefghijklmnopqrstuvwxyz','ABCDEFGHIJKLMNOPQRSTUVWXYZ')"/>
   </xsl:variable>
   
-  <xsl:if test="contains(@context,$smb.context)">
+  <xsl:if test="contains(@context,$smb.context) or $smb.context='ALL'">
      <xsl:element name="listitem">
         <xsl:element name="para">
            <xsl:element name="link">
diff --git a/docs/docbook/smbdotconf/generate-file-list.sh b/docs/docbook/smbdotconf/generate-file-list.sh
index 3495f50c43..84c3d5d2fc 100755
--- a/docs/docbook/smbdotconf/generate-file-list.sh
+++ b/docs/docbook/smbdotconf/generate-file-list.sh
@@ -1,8 +1,8 @@
 #!/bin/sh
 echo "<variablelist>"
-find . -type f -name '*.xml' -mindepth 2 | sort -t/ -k3 |
-        while read ; do  
-                echo "<xi:include href='$REPLY' parse='xml' xmlns:xi='http://www.w3.org/2001/XInclude'/>"
-        done
+for I in `find . -type f -name '*.xml' -mindepth 2 | sort -t/ -k3 | xargs`
+do 
+	echo "<xi:include href='$I' parse='xml' xmlns:xi='http://www.w3.org/2001/XInclude'/>"
+done
                 
 echo "</variablelist>"
diff --git a/docs/docbook/smbdotconf/logging/debuglevel.xml b/docs/docbook/smbdotconf/logging/debuglevel.xml
index 8bd4b4e0b5..622fbf21a2 100644
--- a/docs/docbook/smbdotconf/logging/debuglevel.xml
+++ b/docs/docbook/smbdotconf/logging/debuglevel.xml
@@ -1,4 +1,4 @@
-<samba:parameter name="debug level"
+<samba:parameter name="debuglevel"
                  context="G"
 		 hide="1"
                  xmlns:samba="http://samba.org/common">
diff --git a/docs/docbook/smbdotconf/printing/printcommand.xml b/docs/docbook/smbdotconf/printing/printcommand.xml
index 5444309053..4b9904f6a8 100644
--- a/docs/docbook/smbdotconf/printing/printcommand.xml
+++ b/docs/docbook/smbdotconf/printing/printcommand.xml
@@ -15,7 +15,7 @@
     <para>The print command is simply a text string. It will be used 
     verbatim after macro substitutions have been made:</para>
 
-    <para>%s, %p - the path to the spool
+	<para>%s, %f - the path to the spool
     file name</para>
 
     <para>%p - the appropriate printer 
diff --git a/docs/docbook/smbdotconf/protocol/nameresolveorder.xml b/docs/docbook/smbdotconf/protocol/nameresolveorder.xml
index 897d04ad1c..4e88495489 100644
--- a/docs/docbook/smbdotconf/protocol/nameresolveorder.xml
+++ b/docs/docbook/smbdotconf/protocol/nameresolveorder.xml
@@ -5,7 +5,8 @@
 <listitem>
     <para>This option is used by the programs in the Samba 
     suite to determine what naming services to use and in what order 
-    to resolve host names to IP addresses. The option takes a space 
+    to resolve host names to IP addresses. Its main purpose to is to
+    control how netbios name resolution is performed.  The option takes a space 
     separated string of name resolution options.</para>
 
     <para>The options are: &quot;lmhosts&quot;, &quot;host&quot;,
@@ -16,7 +17,8 @@
 	<listitem>
 	    <para><constant>lmhosts</constant> : Lookup an IP 
 	    address in the Samba lmhosts file. If the line in lmhosts has 
-	    no name type attached to the NetBIOS name (see the <ulink url="lmhosts.5.html">lmhosts(5)</ulink> for details) then
+	    no name type attached to the NetBIOS name (see the <ulink 
+            url="lmhosts.5.html">lmhosts(5)</ulink> for details) then
 	    any name type matches for lookup.</para>
 	</listitem>
 
@@ -26,9 +28,10 @@
 	    </filename>, NIS, or DNS lookups. This method of name resolution 
 	    is operating system depended for instance on IRIX or Solaris this 
 	    may be controlled by the <filename moreinfo="none">/etc/nsswitch.conf</filename> 
-	    file.  Note that this method is only used if the NetBIOS name 
-	    type being queried is the 0x20 (server) name type, otherwise 
-	    it is ignored.</para>
+	    file.  Note that this method is used only if the NetBIOS name 
+	    type being queried is the 0x20 (server) name type or 0x1c (domain controllers). 
+            The latter case is only useful for active directory domains and results in a DNS
+            query for the SRV RR entry matching _ldap._tcp.domain.</para>
 	</listitem>
 
 	<listitem>
@@ -50,9 +53,18 @@
     <para>Default: <command moreinfo="none">name resolve order = lmhosts host wins bcast</command></para>
 
     <para>Example: <command moreinfo="none">name resolve order = lmhosts bcast host</command></para>
-
+    
     <para>This will cause the local lmhosts file to be examined 
     first, followed by a broadcast attempt, followed by a normal 
     system hostname lookup.</para>
+
+    <para>When Samba is functioning in ADS security mode (<command moreinfo="none">security = ads</command>)
+    it is advised to use following settings for <parameter moreinfo="none">name resolve order</parameter>:</para>
+
+    <para><command moreinfo="none">name resolve order = wins bcast</command></para>
+
+    <para>DC lookups will still be done via DNS, but fallbacks to netbios names will
+		not inundate your DNS servers with needless querys for DOMAIN&lt;0x1c&gt; lookups.</para>
+    
 </listitem>
 </samba:parameter>
diff --git a/docs/docbook/smbdotconf/protocol/usespnego.xml b/docs/docbook/smbdotconf/protocol/usespnego.xml
index 88c9f1df7a..7dddbd3f74 100644
--- a/docs/docbook/smbdotconf/protocol/usespnego.xml
+++ b/docs/docbook/smbdotconf/protocol/usespnego.xml
@@ -5,7 +5,7 @@
 <listitem>
     <para> This variable controls controls whether samba will try 
     to use Simple and Protected NEGOciation (as specified by rfc2478) with 
-    WindowsXP and Windows2000sp2 clients to agree upon an authentication mechanism. 
+    WindowsXP and Windows2000 clients to agree upon an authentication mechanism. 
     Unless further issues are discovered with our SPNEGO
     implementation, there is no reason this should ever be
     disabled.</para>
diff --git a/docs/docbook/smbdotconf/security/authmethods.xml b/docs/docbook/smbdotconf/security/authmethods.xml
index 0b7965d55b..7c0f5a71e1 100644
--- a/docs/docbook/smbdotconf/security/authmethods.xml
+++ b/docs/docbook/smbdotconf/security/authmethods.xml
@@ -6,14 +6,24 @@
     <para>This option allows the administrator to chose what
     authentication methods <command moreinfo="none">smbd</command> will use when authenticating
     a user.  This option defaults to sensible values based on <link linkend="SECURITY">
-    <parameter moreinfo="none">security</parameter></link>.</para>
+    <parameter moreinfo="none">security</parameter></link>.  This should be considered
+    a developer option and used only in rare circumstances.  In the majority (if not all)
+    of production servers, the default setting should be adequate.</para>
 
     <para>Each entry in the list attempts to authenticate the user in turn, until
     the user authenticates.  In practice only one method will ever actually 
     be able to complete the authentication.
     </para>
 
+    <para>Possible options include <constant>guest</constant> (anonymous access), 
+    <constant>sam</constant> (lookups in local list of accounts based on netbios 
+    name or domain name), <constant>winbind</constant> (relay authentication requests
+    for remote users through winbindd), <constant>ntdomain</constant> (pre-winbindd 
+    method of authentication for remote domain users; deprecated in favour of winbind method), 
+    <constant>trustdomain</constant> (authenticate trusted users by contacting the 
+    remote DC directly from smbd; deprecated in favour of winbind method).</para>
+
     <para>Default: <command moreinfo="none">auth methods = &lt;empty string&gt;</command></para>
-    <para>Example: <command moreinfo="none">auth methods = guest sam ntdomain</command></para>
+    <para>Example: <command moreinfo="none">auth methods = guest sam winbind</command></para>
 </listitem>
 </samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/lanmanauth.xml b/docs/docbook/smbdotconf/security/lanmanauth.xml
index e293242472..0a8fdd3ef3 100644
--- a/docs/docbook/smbdotconf/security/lanmanauth.xml
+++ b/docs/docbook/smbdotconf/security/lanmanauth.xml
@@ -8,7 +8,23 @@
     using the LANMAN password hash. If disabled, only clients which support NT 
     password hashes (e.g. Windows NT/2000 clients, smbclient, etc... but not 
     Windows 95/98 or the MS DOS network client) will be able to connect to the Samba host.</para>
+
+    <para>The LANMAN encrypted response is easily broken, due to it's
+    case-insensitive nature, and the choice of algorithm.  Servers
+    without Windows 95/98 or MS DOS clients are advised to disable
+    this option.  </para>
 		
+    <para>Unlike the <command moreinfo="none">encypt
+    passwords</command> option, this parameter cannot alter client
+    behaviour, and the LANMAN response will still be sent over the
+    network.  See the <command moreinfo="none">client lanman
+    auth</command> to disable this for Samba's clients (such as smbclient)</para>
+
+    <para>If this option, and <command moreinfo="none">ntlm
+    auth</command> are both disabled, then only NTLMv2 logins will be
+    permited.  Not all clients support NTLMv2, and most will require
+    special configuration to us it.</para>
+
     <para>Default : <command moreinfo="none">lanman auth = yes</command></para>
 </listitem>
 </samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/ntlmauth.xml b/docs/docbook/smbdotconf/security/ntlmauth.xml
index b0b3179ab7..96092152c9 100644
--- a/docs/docbook/smbdotconf/security/ntlmauth.xml
+++ b/docs/docbook/smbdotconf/security/ntlmauth.xml
@@ -4,11 +4,15 @@
                  xmlns:samba="http://samba.org/common">
 <listitem>
     <para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle>
-    <manvolnum>8</manvolnum></citerefentry> will attempt to authenticate users using the NTLM password hash.
-    If disabled, only the lanman password hashes will be used.</para>
+    <manvolnum>8</manvolnum></citerefentry> will attempt to
+    authenticate users using the NTLM encrypted password response.
+    If disabled, either the lanman password hash or an NTLMv2 response
+    will need to be sent by the client.</para>
 
-    <para>Please note that at least this option or <command moreinfo="none">lanman auth</command> should 
-    be enabled in order to be able to log in.</para>
+    <para>If this option, and <command moreinfo="none">lanman
+    auth</command> are both disabled, then only NTLMv2 logins will be
+    permited.  Not all clients support NTLMv2, and most will require
+    special configuration to us it.</para>
 		
     <para>Default : <command moreinfo="none">ntlm auth = yes</command></para>
 </listitem>
diff --git a/docs/docbook/smbdotconf/security/passdbbackend.xml b/docs/docbook/smbdotconf/security/passdbbackend.xml
index d755cfc313..1a3a83946a 100644
--- a/docs/docbook/smbdotconf/security/passdbbackend.xml
+++ b/docs/docbook/smbdotconf/security/passdbbackend.xml
@@ -23,15 +23,6 @@
 		</para>
 	    </listitem>
 			
-	    <listitem>
-		<para><command moreinfo="none">smbpasswd_nua</command> - The smbpasswd
-                backend, but with support for 'not unix accounts'.  
-                Takes a path to the smbpasswd file as an optional argument.</para>
-		
-                <para>See also <link linkend="NONUNIXACCOUNTRANGE">
-                <parameter moreinfo="none">non unix account range</parameter></link></para>
-	    </listitem>
-
 	    <listitem>
 		<para><command moreinfo="none">tdbsam</command> - The TDB based password storage
                 backend.  Takes a path to the TDB as an optional argument (defaults to passdb.tdb 
@@ -39,33 +30,11 @@
                 <parameter moreinfo="none">private dir</parameter></link> directory.</para>
 	    </listitem>
 			
-	    <listitem>
-		<para><command moreinfo="none">tdbsam_nua</command> - The TDB based password storage
-                backend, with non unix account support.  Takes a path to the TDB as an optional argument (defaults to passdb.tdb 
-                in the <link linkend="PRIVATEDIR">
-                <parameter moreinfo="none">private dir</parameter></link> directory.</para>
-		
-                <para>See also <link linkend="NONUNIXACCOUNTRANGE">
-                <parameter moreinfo="none">non unix account range</parameter></link></para>
-	    </listitem>
-			
 	    <listitem>
 		<para><command moreinfo="none">ldapsam</command> - The LDAP based passdb 
                 backend.  Takes an LDAP URL as an optional argument (defaults to 
                 <command moreinfo="none">ldap://localhost</command>)</para>
-	    </listitem>
 			
-	    <listitem>
-		<para><command moreinfo="none">ldapsam_nua</command> - The LDAP based passdb 
-                backend, with non unix account support.  Takes an LDAP URL as an optional argument (defaults to 
-                <command moreinfo="none">ldap://localhost</command>)</para>
-
-		<para>Note:  In this module, any account without a matching POSIX account is regarded
-                as 'non unix'.  </para>
-
-		<para>See also <link linkend="NONUNIXACCOUNTRANGE">
-		<parameter moreinfo="none">non unix account range</parameter></link></para>
-	                
 		<para>LDAP connections should be secured where possible.  This may be done using either
                 Start-TLS (see <link linkend="LDAPSSL"><parameter moreinfo="none">ldap ssl</parameter></link>) or by
                 specifying <parameter moreinfo="none">ldaps://</parameter> in
@@ -79,15 +48,29 @@
 		</para>
 	    </listitem>
 
+		<listitem>
+		<para><command moreinfo="none">mysql</command> - 
+		The MySQL based passdb backend. Takes an identifier as 
+		argument. Read the Samba HOWTO Collection for configuration
+		details.
+		</para></listitem>
+
+		<listitem>
+		<para><command moreinfo="none">guest</command> - 
+		Very simple backend that only provides one user: the guest user.
+		Only maps the NT guest user to the <parameter>guest account</parameter>.
+		Required in pretty much all situations.
+		</para></listitem>
+
 	</itemizedlist>
     </para>
 
-    <para>Default: <command moreinfo="none">passdb backend = smbpasswd unixsam</command></para>
+    <para>Default: <command moreinfo="none">passdb backend = smbpasswd</command></para>
 
     <para>Example: <command moreinfo="none">passdb backend = tdbsam:/etc/samba/private/passdb.tdb smbpasswd:/etc/samba/smbpasswd guest</command></para>
 
-	<para>Example: <command moreinfo="none">passdb backend = ldapsam_nua:ldaps://ldap.example.com guest</command></para>
+	<para>Example: <command moreinfo="none">passdb backend = ldapsam:ldaps://ldap.example.com guest</command></para>
 
-    <para>Example: <command moreinfo="none">passdb backend = mysql:my_plugin_args tdbsam:/etc/samba/private/passdb.tdb</command></para>
+    <para>Example: <command moreinfo="none">passdb backend = mysql:my_plugin_args tdbsam:/etc/samba/private/passdb.tdb guest</command></para>
 </listitem>
 </samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/passwordserver.xml b/docs/docbook/smbdotconf/security/passwordserver.xml
index e40ff32b75..f854027041 100644
--- a/docs/docbook/smbdotconf/security/passwordserver.xml
+++ b/docs/docbook/smbdotconf/security/passwordserver.xml
@@ -3,18 +3,22 @@
                  advanced="1" wizard="1" developer="1"
 		 xmlns:samba="http://samba.org/common">
 <listitem>
-    <para>By specifying the name of another SMB server (such 
-    as a WinNT box) with this option, and using <command moreinfo="none">security = domain
-    </command> or <command moreinfo="none">security = server</command> you can get Samba 
-    to do all its username/password validation via a remote server.</para>
+    <para>By specifying the name of another SMB server 
+    or Active Directory domain controller with this option, 
+    and using <command moreinfo="none">security = [ads|domain|server]</command> 
+    it is possible to get Samba to 
+    to do all its username/password validation using a specific remote server.</para>
 
-    <para>This option sets the name of the password server to use. 
-    It must be a NetBIOS name, so if the machine's NetBIOS name is 
-    different from its Internet name then you may have to add its NetBIOS 
-    name to the lmhosts  file which is stored in the same directory 
-    as the <filename moreinfo="none">smb.conf</filename> file.</para>
+    <para>This option sets the name or IP address of the password server to use. 
+    New syntax has been added to support defining the port to use when connecting 
+    to the server the case of an ADS realm.  To define a port other than the
+    default LDAP port of 389, add the port number using a colon after the 
+    name or IP address (e.g. 192.168.1.100:389).  If you do not specify a port,
+    Samba will use the standard LDAP port of tcp/389.  Note that port numbers
+    have no effect on password servers for Windows NT 4.0 domains or netbios 
+    connections.</para>
 
-    <para>The name of the password server is looked up using the 
+    <para>If parameter is a name, it is looked up using the 
     parameter <link linkend="NAMERESOLVEORDER"><parameter moreinfo="none">name 
     resolve order</parameter></link> and so may resolved
     by any method and order described in that parameter.</para>
@@ -38,14 +42,14 @@
     trust your clients, and you had better restrict them with hosts allow!</para>
 
     <para>If the <parameter moreinfo="none">security</parameter> parameter is set to
-    <constant>domain</constant>, then the list of machines in this 
+    <constant>domain</constant> or <constant>ads</constant>, then the list of machines in this 
     option must be a list of Primary or Backup Domain controllers for the
     Domain or the character '*', as the Samba server is effectively
     in that domain, and will use cryptographically authenticated RPC calls
     to authenticate the user logging on. The advantage of using <command moreinfo="none">
     security = domain</command> is that if you list several hosts in the 
     <parameter moreinfo="none">password server</parameter> option then <command moreinfo="none">smbd
-    </command> will try each in turn till it finds one that responds. This 
+    </command> will try each in turn till it finds one that responds.  This
     is useful in case your primary server goes down.</para>
 
     <para>If the <parameter moreinfo="none">password server</parameter> option is set 
@@ -55,7 +59,7 @@
     and then contacting each server returned in the list of IP 
     addresses from the name resolution source. </para>
 
-    <para>If the list of servers contains both names and the '*'
+    <para>If the list of servers contains both names/IP's and the '*'
     character, the list is treated as a list of preferred 
     domain controllers, but an auto lookup of all remaining DC's
     will be added to the list as well.  Samba will not attempt to optimize 
@@ -93,6 +97,8 @@
     
     <para>Example: <command moreinfo="none">password server = NT-PDC, NT-BDC1, NT-BDC2, *</command></para>
     
+    <para>Example: <command moreinfo="none">password server = windc.mydomain.com:389 192.168.1.101 *</command></para>
+
     <para>Example: <command moreinfo="none">password server = *</command></para>
 </listitem>
 </samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/restrictanonymous.xml b/docs/docbook/smbdotconf/security/restrictanonymous.xml
index 803bc06b2b..25d2ba0df6 100644
--- a/docs/docbook/smbdotconf/security/restrictanonymous.xml
+++ b/docs/docbook/smbdotconf/security/restrictanonymous.xml
@@ -14,12 +14,21 @@
     Windows 2000/XP and Samba, no anonymous connections are allowed at
     all.  This can break third party and Microsoft
     applications which expect to be allowed to perform
-    operations anonymously.
+	operations anonymously.</para>
 
+	<para>
     The security advantage of using restrict anonymous = 1 is dubious,
     as user and group list information can be obtained using other
-    means.
-    </para>
+	means.
+	</para>
+
+	<note>
+	<para>
+    The security advantage of using restrict anonymous = 2 is removed
+    by setting <link linkend="GUESTOK"><parameter moreinfo="none">guest
+	ok</parameter> = yes</link> on any share.
+	</para>
+	</note>
 
     <para>Default: <command moreinfo="none">restrict anonymous = 0</command></para>
 </listitem>
diff --git a/docs/docbook/smbdotconf/security/security.xml b/docs/docbook/smbdotconf/security/security.xml
index 68c5f2cdd2..030abc1de1 100644
--- a/docs/docbook/smbdotconf/security/security.xml
+++ b/docs/docbook/smbdotconf/security/security.xml
@@ -212,10 +212,9 @@
     does not support them.  However note that if encrypted passwords have been 
     negotiated then Samba cannot revert back to checking the UNIX password file, 
     it must have a valid <filename moreinfo="none">smbpasswd</filename> file to check 
-    users against. See the documentation file in the <filename moreinfo="none">docs/</filename> directory 
-    <filename moreinfo="none">ENCRYPTION.txt</filename> for details on how to set this up.</para>
+	users against. See the chapter about the User Database in the Samba HOWTO Collection for details on how to set this up.</para>
 
-    <para><emphasis>Note</emphasis> this mode of operation has
+	<note><para>This mode of operation has
     significant pitfalls, due to the fact that is activly initiates a
     man-in-the-middle attack on the remote SMB server.  In particular,
     this mode of operation can cause significant resource consuption on
@@ -223,13 +222,13 @@
     of the user's session.  Furthermore, if this connection is lost,
     there is no way to reestablish it, and futher authenticaions to the
     Samba server may fail.  (From a single client, till it disconnects).
-    </para>
+	</para></note>
 
-    <para><emphasis>Note</emphasis> that from the client's point of 
+	<note><para>From the client's point of 
     view <command moreinfo="none">security = server</command> is the
     same as <command moreinfo="none">security = user</command>.  It
     only affects how the server deals  with the authentication, it does
-    not in any way affect what the  client sees.</para>
+	not in any way affect what the  client sees.</para></note>
 
     <para><emphasis>Note</emphasis> that the name of the resource being 
     requested is <emphasis>not</emphasis> sent to the server until after 
@@ -246,6 +245,23 @@
     <para>See also the <link linkend="PASSWORDSERVER"><parameter moreinfo="none">password 
     server</parameter></link> parameter and the <link linkend="ENCRYPTPASSWORDS">
     <parameter moreinfo="none">encrypted passwords</parameter></link> parameter.</para>
+
+	<para><anchor id="SECURITYEQUALSADS"/><emphasis>SECURITY = ADS</emphasis></para>
+	
+	<para>In this mode, Samba will act as a domain member in an ADS realm. To operate 
+		in this mode, the machine running Samba will need to have Kerberos installed 
+		and configured and Samba will need to be joined to the ADS realm using the 
+		net utility. </para>
+	
+	<para>Note that this mode does NOT make Samba operate as a Active Directory Domain 
+		Controller. </para>
+	
+	<para>Read the chapter about Domain Membership in the HOWTO for details.</para>
+
+	<para>See also the <link linkend="ADSSERVER"><parameter moreinfo="none">ads server
+	</parameter></link> parameter, the <link linkend="REALM"><parameter moreinfo="none">realm
+	</parameter></link> paramter and the <link linkend="ENCRYPTPASSWORDS">
+    <parameter moreinfo="none">encrypted passwords</parameter></link> parameter.</para>
 		
     <para>Default: <command moreinfo="none">security = USER</command></para>
     <para>Example: <command moreinfo="none">security = DOMAIN</command></para>
diff --git a/docs/docbook/smbdotconf/vfs/vfsobject.xml b/docs/docbook/smbdotconf/vfs/vfsobject.xml
index c68e8d0135..1a45e36c40 100644
--- a/docs/docbook/smbdotconf/vfs/vfsobject.xml
+++ b/docs/docbook/smbdotconf/vfs/vfsobject.xml
@@ -1,12 +1,12 @@
 <samba:parameter name="vfs object"
                  context="S"
+		 hide="1"
                  xmlns:samba="http://samba.org/common">
 <listitem>
-	<para>This parameter specifies a shared object files that 
-	are used for Samba VFS I/O operations.  By default, normal 
-	disk I/O operations are used but these can be overloaded 
-	with one or more VFS objects. </para>
-		
-	<para>Default: <emphasis>no value</emphasis></para>
+	<para>Synonym for
+	<link linkend="VFSOBJECTS">
+	<parameter moreinfo="none">vfs objects</parameter>
+	</link>.
+	</para>	
 </listitem>
 </samba:parameter>
diff --git a/docs/docbook/smbdotconf/winbind/winbindgid.xml b/docs/docbook/smbdotconf/winbind/winbindgid.xml
index a8414e9e8c..e00e576389 100644
--- a/docs/docbook/smbdotconf/winbind/winbindgid.xml
+++ b/docs/docbook/smbdotconf/winbind/winbindgid.xml
@@ -3,6 +3,8 @@
                  advanced="1" developer="1" hide="1"
                  xmlns:samba="http://samba.org/common">
 <listitem>
+	<para>This parameter is now an alias for <command moreinfo="none">idmap gid</command></para>
+
 	<para>The winbind gid parameter specifies the range of group 
 	ids that are allocated by the <citerefentry><refentrytitle>winbindd</refentrytitle>
 	<manvolnum>8</manvolnum></citerefentry> daemon.  This range of group ids should have no 
diff --git a/docs/docbook/smbdotconf/winbind/winbinduid.xml b/docs/docbook/smbdotconf/winbind/winbinduid.xml
index 6fee40fcb8..0f61bac13c 100644
--- a/docs/docbook/smbdotconf/winbind/winbinduid.xml
+++ b/docs/docbook/smbdotconf/winbind/winbinduid.xml
@@ -3,11 +3,12 @@
                  advanced="1" developer="1" hide="1"
                  xmlns:samba="http://samba.org/common">
 <listitem>
-	<para>The winbind gid parameter specifies the range of group 
-	ids that are allocated by the <citerefentry><refentrytitle>winbindd</refentrytitle>
-	<manvolnum>8</manvolnum></citerefentry> daemon.  This range of ids should have no 
-	existing local or NIS users within it as strange conflicts can 
-	occur otherwise.</para>
+	<para>This parameter is now an alias for <command moreinfo="none">idmap uid</command></para>
+
+	<para>The winbind gid parameter specifies the range of user ids that are allocated by the
+	<citerefentry><refentrytitle>winbindd</refentrytitle> <manvolnum>8</manvolnum></citerefentry>
+	daemon.  This range of ids should have no existing local or NIS users within it as strange
+	conflicts can occur otherwise.</para>
 
 	<para>Default: <command moreinfo="none">winbind uid = &lt;empty string&gt;</command></para>
 		
diff --git a/docs/docbook/smbdotconf/winbind/winbindusedefaultdomain.xml b/docs/docbook/smbdotconf/winbind/winbindusedefaultdomain.xml
index 5c31a7f9b0..8112331f5e 100644
--- a/docs/docbook/smbdotconf/winbind/winbindusedefaultdomain.xml
+++ b/docs/docbook/smbdotconf/winbind/winbindusedefaultdomain.xml
@@ -1,4 +1,4 @@
-<samba:parameter name="winbind used default domain"
+<samba:parameter name="winbind use default domain"
                  context="G"
                  advanced="1" developer="1"
                  xmlns:samba="http://samba.org/common">
diff --git a/docs/docbook/smbdotconf/wins/winspartners.xml b/docs/docbook/smbdotconf/wins/winspartners.xml
index 9ec277ed2d..13e252b2c0 100644
--- a/docs/docbook/smbdotconf/wins/winspartners.xml
+++ b/docs/docbook/smbdotconf/wins/winspartners.xml
@@ -1,4 +1,4 @@
-<samba:parameter name="wins partner"
+<samba:parameter name="wins partners"
                  context="G"
                  advanced="1" wizard="1" developer="1"
                  xmlns:samba="http://samba.org/common">
-- 
cgit