From fe667b2b9a8ac3233e1f3cc41810aa68c3c3c554 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Mon, 21 Apr 2003 22:25:50 +0000 Subject: Fix typo. (This used to be commit 931ef8777eb86b5cd0ce7550484b2416ed6ae991) --- docs/docbook/projdoc/SWAT.sgml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'docs') diff --git a/docs/docbook/projdoc/SWAT.sgml b/docs/docbook/projdoc/SWAT.sgml index ad43fd7b8a..359264d26c 100644 --- a/docs/docbook/projdoc/SWAT.sgml +++ b/docs/docbook/projdoc/SWAT.sgml @@ -29,11 +29,11 @@ will be lost from the smb.conf file. Additionally, the parameters will be writte internal ordering. - + So before using SWAT please be warned - SWAT will completely replace your smb.conf with a fully optimised file that has been stripped of all comments you might have placed there and only non-default settings will be written to the file. - + SWAT should be installed to run via the network super daemon. Depending on which system -- cgit From f99d40198b77259b3f71d81ab91a7034c8473238 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 21 Apr 2003 22:39:00 +0000 Subject: Add note from "Roylance, Stephen D." about Solaris9 and winbind (This used to be commit a9e978ba42fa7193dc45f1a4ed97f03637be3147) --- docs/docbook/projdoc/Portability.sgml | 13 +++++++++++++ docs/docbook/projdoc/winbind.sgml | 2 ++ 2 files changed, 15 insertions(+) (limited to 'docs') diff --git a/docs/docbook/projdoc/Portability.sgml b/docs/docbook/projdoc/Portability.sgml index 39ed37585f..cc21ecf255 100644 --- a/docs/docbook/projdoc/Portability.sgml +++ b/docs/docbook/projdoc/Portability.sgml @@ -189,6 +189,9 @@ samba performance significally. Solaris + +Locking improvements + Some people have been experiencing problems with F_SETLKW64/fcntl when running samba on solaris. The built in file locking mechanism was not scalable. Performance would degrade to the point where processes would 
@@ -216,6 +219,16 @@ and rebuild samba. Thanks to Joe Meslovich for reporting + + + + +Winbind on Solaris 9 + +Nsswitch on Solaris 9 refuses to use the winbind nss module. This behavior +is fixed by Sun in patch 113476-05 which as of March 2003 is not in any +roll-up packages. + diff --git a/docs/docbook/projdoc/winbind.sgml b/docs/docbook/projdoc/winbind.sgml index 460038aea9..1f65e7a8b7 100644 --- a/docs/docbook/projdoc/winbind.sgml +++ b/docs/docbook/projdoc/winbind.sgml @@ -786,6 +786,8 @@ stop() { Solaris +Winbind doesn't work on solaris 9, see the Portability chapter for details. + On solaris, you need to modify the /etc/init.d/samba.server startup script. It usually only starts smbd and nmbd but should now start winbindd too. If you -- cgit From f1019b512d1be6aac0837ba6558e91fda676b9d3 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Mon, 21 Apr 2003 22:40:57 +0000 Subject: I hate typos! (This used to be commit 585907f3245cf53813888b4b3d121c40ffb9edff) --- docs/docbook/projdoc/samba-doc.sgml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'docs') diff --git a/docs/docbook/projdoc/samba-doc.sgml b/docs/docbook/projdoc/samba-doc.sgml index 6048d60e5f..3b5d054cad 100644 --- a/docs/docbook/projdoc/samba-doc.sgml +++ b/docs/docbook/projdoc/samba-doc.sgml @@ -31,7 +31,7 @@ on the "Documentation" page. Please send updates to The Samba-Team would like to express sincere thanks to the many people who have with -or without their knwoledge contributed to this update. The size and scope of this +or without their knowledge contributed to this update. The size and scope of this project would not have been possible without significant community contribution. A not insignificant number of ideas for inclusion (if not content itself) has been obtained from a number of Unofficial HOWTOs - to each such author a big "Thank-you" is also offered. -- cgit From 8d5d0947260e260433f97dad71f640b04a3187b0 Mon Sep 17 00:00:00 2001 
From: John Terpstra Date: Mon, 21 Apr 2003 23:05:06 +0000 Subject: Adding more updates - maybe last one for today. (This used to be commit 042427c1f81b53403d9a97c5d4306051ed13d5bf) --- docs/docbook/projdoc/SWAT.sgml | 61 ++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 59 insertions(+), 2 deletions(-) (limited to 'docs') diff --git a/docs/docbook/projdoc/SWAT.sgml b/docs/docbook/projdoc/SWAT.sgml index 359264d26c..763872d567 100644 --- a/docs/docbook/projdoc/SWAT.sgml +++ b/docs/docbook/projdoc/SWAT.sgml 
@@ -42,14 +42,71 @@ your Unix/Linux system has you will have either an inetd or -The nature and location of the network super +The nature and location of the network super-daemon varies with the operating system +implementation. The control file (or files) can be located in the file +/etc/inetd.conf or in the directory /etc/[x]inet.d +or similar. + + + +The control entry for the older style file might be: + + + + # swat is the Samba Web Administration Tool + swat stream tcp nowait.400 root /usr/sbin/swat swat + + + +A control file for the newer style xinetd could be: + + + + + # default: off + # description: SWAT is the Samba Web Admin Tool. Use swat \ + # to configure your Samba server. To use SWAT, \ + # connect to port 901 with your favorite web browser. + service swat + { + port = 901 + socket_type = stream + wait = no + only_from = localhost + user = root + server = /usr/sbin/swat + log_on_failure += USERID + disable = yes + } + + + + +Both the above examples assume that the swat binary has been +located in the /usr/sbin directory. In addition to the above +SWAT will use a directory access point from which it will load all it's help files, +as well as other control information. The default location for this on most Linux +systems is in the directory /usr/share/samba/swat. + + + +Access to SWAT will prompt for a logon. If you log onto SWAT as any non-root user +the only permission allowed is to view certain aspects of configuration as well as +access to the password change facility. + + + +So long as you log onto SWAT as the user root you should obtain +full change and commit ability. The SWAT Home Page -Blah blah here. +The SWAT title page provides access to the latest Samba documentation. The manual page for +each samba component is accessible from this page as are the Samba-HOWTO-Collection (this +document) as well as the O'Reilly book "Using Samba". -- cgit From de690f13362f909c151f4b7e92d7a61f576b3685 Mon Sep 17 00:00:00 2001 
From: John Terpstra Date: Tue, 22 Apr 2003 14:57:20 +0000 Subject: Update. (This used to be commit 0f8f94b6adc477a8e7ccae7444e2b7f4670ef071) --- docs/docbook/global.ent | 1 + 1 file changed, 1 insertion(+) (limited to 'docs') diff --git a/docs/docbook/global.ent b/docs/docbook/global.ent index dcef1084d6..2c7f55aa3a 100644 --- a/docs/docbook/global.ent +++ b/docs/docbook/global.ent @@ -7,6 +7,7 @@ + -- cgit From 0ecfcd3319909a61806cb6e37f7dedca6743ce38 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Tue, 22 Apr 2003 20:27:56 +0000 Subject: Added jCIFS to projects. (This used to be commit ef0f6b8957f3d8b46fdffa8c655c1906c9698254) --- docs/docbook/projdoc/IntroSMB.sgml | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'docs') diff --git a/docs/docbook/projdoc/IntroSMB.sgml b/docs/docbook/projdoc/IntroSMB.sgml index c1c0ae3293..4fd96ee87e 100644 --- a/docs/docbook/projdoc/IntroSMB.sgml +++ b/docs/docbook/projdoc/IntroSMB.sgml @@ -163,6 +163,10 @@ client file systems for Linux, both available in the Linux kernel itself. Winbind (nsswitch) integration. + + jCIFS (Java implementation of CIFS) is an active project headed by Chris Hertel. + + -- cgit From c91cb3098ed9fd365fc9f551fc6099fb97d88852 Mon Sep 17 00:00:00 2001 From: "Christopher R. Hertel" Date: Tue, 22 Apr 2003 21:09:29 +0000 Subject: Merged the changes I made in the 3.0 doc tree (wrong place) and fiddled the entry for jCIFS (thanks, John!). (This used to be commit 43c1ba0ab2aa538d0defad4cdec385561d3563df) --- docs/docbook/projdoc/IntroSMB.sgml | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) (limited to 'docs') diff --git a/docs/docbook/projdoc/IntroSMB.sgml b/docs/docbook/projdoc/IntroSMB.sgml index 4fd96ee87e..32b18cc8fc 100644 --- a/docs/docbook/projdoc/IntroSMB.sgml +++ b/docs/docbook/projdoc/IntroSMB.sgml 
@@ -141,8 +141,8 @@ http://www.samba.org). Optionally, you could just search mailing.unix.samba at Related Projects -Currently, there are two projects that are directly related to Samba: SMBFS and CIFS network -client file systems for Linux, both available in the Linux kernel itself. +There are currently two network filesystem client projects for Linux that are directly +related to Samba: SMBFS and CIFS VFS. These are both available in the Linux kernel itself. @@ -155,18 +155,14 @@ client file systems for Linux, both available in the Linux kernel itself. - CIFS (Common Internet File System) is the successor to SMB, and is actively being worked - on in the upcoming version of the Linux kernel. The intent of this module is to - provide advanced network file system functionality including support for dfs (heirarchical + CIFS VFS (Common Internet File System Virtual File System) is the successor to SMBFS, and + is being actively developed for the upcoming version of the Linux kernel. The intent of this module + is to provide advanced network file system functionality including support for dfs (heirarchical name space), secure per-user session establishment, safe distributed caching (oplock), optional packet signing, Unicode and other internationalization improvements, and optional Winbind (nsswitch) integration. - - - - jCIFS (Java implementation of CIFS) is an active project headed by Chris Hertel. - - + + @@ -174,6 +170,12 @@ Again, it's important to note that these are implementations for client filesyst nothing to do with acting as a file and print server for SMB/CIFS clients. + +There are other Open Source CIFS client implementations, such as the jCIFS project +(jcifs.samba.org) which provides an SMB client toolkit written in Java. + + + -- cgit From d315de898bedcaf64e6a27ffb8ab29223a123f10 Mon Sep 17 00:00:00 2001 
From: John Terpstra Date: Wed, 23 Apr 2003 04:39:34 +0000 Subject: Update - closed off for now (This used to be commit 8511042ff6f664eb2f5cc80a59859fb004f5be13) --- docs/docbook/projdoc/SWAT.sgml | 212 ++++++++++++++++++++++++++++++++++++++--- 1 file changed, 199 insertions(+), 13 deletions(-) (limited to 'docs') diff --git a/docs/docbook/projdoc/SWAT.sgml b/docs/docbook/projdoc/SWAT.sgml index 763872d567..751138f138 100644 --- a/docs/docbook/projdoc/SWAT.sgml +++ b/docs/docbook/projdoc/SWAT.sgml @@ -35,6 +35,9 @@ a fully optimised file that has been stripped of all comments you might have pla and only non-default settings will be written to the file. + +Enabling SWAT for use + SWAT should be installed to run via the network super daemon. Depending on which system your Unix/Linux system has you will have either an inetd or 
@@ -79,27 +82,80 @@ A control file for the newer style xinetd could be: disable = yes } + Both the above examples assume that the swat binary has been located in the /usr/sbin directory. In addition to the above -SWAT will use a directory access point from which it will load all it's help files, +SWAT will use a directory access point from which it will load it's help files as well as other control information. The default location for this on most Linux -systems is in the directory /usr/share/samba/swat. +systems is in the directory /usr/share/samba/swat. The default +location using samba defaults will be /usr/local/samba/swat. Access to SWAT will prompt for a logon. If you log onto SWAT as any non-root user the only permission allowed is to view certain aspects of configuration as well as -access to the password change facility. +access to the password change facility. The buttons that will be exposed to the non-root +user are: HOME, STATUS, VIEW, PASSWORD. The only page that allows +change capability in this case is PASSWORD. So long as you log onto SWAT as the user root you should obtain -full change and commit ability. +full change and commit ability. The buttons that will be exposed includes: +HOME, GLOBALS, SHARES, PRINTERS, WIZARD, STATUS, VIEW, PASSWORD. + + + + + +Securing SWAT through SSL + + +Lots of people have asked about how to setup SWAT with SSL to allow for secure remote +administration of Samba. 
Here is a method that works, courtesy of Markus Krieger + + + +Modifications to the swat setup are as following: + + + + + install OpenSSL + + + + generate certificate and private key + + + root# /usr/bin/openssl req -new -x509 -days 365 -nodes -config \ + /usr/share/doc/packages/stunnel/stunnel.cnf \ + -out /etc/stunnel/stunnel.pem -keyout /etc/stunnel/stunnel.pem + + + + remove swat-entry from [x]inetd + + + + start stunnel + + + root# stunnel -p /etc/stunnel/stunnel.pem -d 901 \ + -l /usr/local/samba/bin/swat swat + + + + +afterwards simply contact to swat by using the URL "https://myhost:901", accept the certificate +and the SSL connection is up. + + The SWAT Home Page 
@@ -109,46 +165,163 @@ each samba component is accessible from this page as are the Samba-HOWTO-Collect document) as well as the O'Reilly book "Using Samba". + +Administrators who wish to validate their samba configuration may obtain useful information +from the man pages for the diganostic utilities. These are available from the SWAT home page +also. One diagnostic tool that is NOT mentioned on this page, but that is particularly +useful is ethereal, available from +http://www.ethereal.com. + + + +SWAT can be configured to run in demo mode. This is NOT recommended +as it runs SWAT without authentication and with full administrative ability. ie: Allows +changes to smb.conf as well as general operation with root privilidges. The option that +creates this ability is the -a flag to swat. DO NOT USE THIS IN ANY +PRODUCTION ENVIRONMENT - you have been warned! + + + Global Settings -Document steps right here! +The Globals button will expose a page that allows configuration of the global parameters +in smb.conf. There are three levels of exposure of the parameters: + + + Basic - exposes common configuration options. + + + + Advanced - exposes configuration options needed in more + complex environments. + + + + Developer - exposes configuration options that only the brave + will want to tamper with. + + + + +To switch to other than Basic editing ability click on either the +Advanced or the Developer dial, then click the +Commit Changes button. + + + +After making any changes to configuration parameters make sure that you click on the +Commit Changes button before moving to another area otherwise +your changes will be immediately lost. + + + +SWAT has context sensitive help. To find out what each parameter is for simply click the +Help link to the left of the configurartion parameter. + + + -The SWAT Wizard +Share Settings -Lots of blah blah here. 
+To affect a currenly configured share, simple click on the pull down button between the +Choose Share and the Delete Share buttons, +select the share you wish to operation on, then to edit the settings click on the +Choose Share button, to delete the share simply press the +Delete Share button. + + + +To create a new share, next to the button labelled Create Share enter +into the text field the name of the share to be created, then click on the +Create Share button. -Share Settings +Printers Settings + + +To affect a currenly configured printer, simple click on the pull down button between the +Choose Printer and the Delete Printer buttons, +select the printer you wish to operation on, then to edit the settings click on the +Choose Printer button, to delete the share simply press the +Delete Printer button. + -Document steps right here! +To create a new printer, next to the button labelled Create Printer enter +into the text field the name of the share to be created, then click on the +Create Printer button. -Printing Settings +The SWAT Wizard + + +The purpose if the SWAT Wizard is to help the Microsoft knowledgable network administrator +to configure Samba with a minimum of effort. + + + +The Wizard page provides a tool for rewiting the smb.conf file in fully optimised format. +This will also happen if you press the commit button. The two differ in the the rewrite button +ignores any changes that may have been made, while the Commit button causes all changes to be +affected. + + + +The Edit button permits the editing (setting) of the minimal set of +options that may be necessary to create a working samba server. + -Document steps right here! +Finally, there are a limited set of options that will determine what type of server samba +will be configured for, whether it will be a WINS server, participate as a WINS client, or +operate with no WINS support. By clicking on one button you can elect to epose (or not) user +home directories. 
+ The Status Page -Document steps right here! +The status page serves a limited purpose. Firstly, it allows control of the samba daemons. +The key daemons that create the samba server environment are: smbd, nmbd, winbindd. + + + +The daemons may be controlled individually or as a total group. Additionally, you may set +an automatic screen refresh timing. As MS Windows clients interact with Samba new smbd processes +will be continually spawned. The auto-refresh facility will allow you to track the changing +conditions with minimal effort. + + + +Lastly, the Status page may be used to terminate specific smbd client connections in order to +free files that may be locked. + + + + + +The View Page + + +This page allows the administrator to view the optimised smb.conf file and if you are +particularly massochistic will permit you also to see all possible global configuration +parameters and their settings. @@ -157,7 +330,20 @@ Document steps right here! The Password Change Page -Document steps right here! +The Password Change page is a popular tool. This tool allows to creation, deletion, deactivation +and reactivation of MS Windows networking users on the local machine. Alternatively, you can use +this tool to change a local password for a user account. + + + +When logged in as a non-root account the user will have to provide the old password as well as +the new password (twice). When logged in as root only the new password is +required. + + + +One popular use for this tool is to change user passwords across a range of remote MS Windows +servers. -- cgit From 203795681cfef4a19887be2b79a28c5031c0ce7d Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Wed, 23 Apr 2003 23:22:16 +0000 Subject: More updates. (This used to be commit 6678c325d77f18fb4b63a0cd436b6024f83366f3) --- docs/docbook/projdoc/VFS.sgml | 25 ++- docs/docbook/projdoc/locking.sgml | 440 +++++++++++++++++++++++++++++++++----- 2 files changed, 409 insertions(+), 56 deletions(-) (limited to 'docs') 
diff --git a/docs/docbook/projdoc/VFS.sgml b/docs/docbook/projdoc/VFS.sgml index 0a88543c6e..666eb4f62f 100644 --- a/docs/docbook/projdoc/VFS.sgml +++ b/docs/docbook/projdoc/VFS.sgml @@ -72,11 +72,28 @@ facility. The following operations are logged: This module is identical with the audit module above except that it sends audit logs to both syslog as well as the smbd log file/s. The -loglevel for this module is set in the smb.conf file. At loglevel = 0, only file -and directory deletions and directory and file creations are logged. At loglevel = 1 -file opens are renames and permission changes are logged , while at loglevel = 2 file -open and close calls are logged also. +loglevel for this module is set in the smb.conf file. + + +The logging information that will be written to the smbd log file is controlled by +the log level parameter in smb.conf. The +following information will be recorded: + + +Extended Auditing Log Information + + Log LevelLog Details - File and Directory Operations + + + 0Creation / Deletion + 1Create / Delete / Rename / Permission Changes + 2Create / Delete / Rename / Perm Change / Open / Close + + +
+ diff --git a/docs/docbook/projdoc/locking.sgml b/docs/docbook/projdoc/locking.sgml index ef65c16e2c..facaef551f 100644 --- a/docs/docbook/projdoc/locking.sgml +++ b/docs/docbook/projdoc/locking.sgml 
@@ -2,59 +2,395 @@ &author.jeremy; &author.jelmer; + &author.jht; +File and Record Locking -Locking - -One area which sometimes causes trouble is locking. - -There are two types of locking which need to be -performed by a SMB server. The first is "record locking" -which allows a client to lock a range of bytes in a open file. -The second is the "deny modes" that are specified when a file -is open. - -Record locking semantics under Unix is very -different from record locking under Windows. Versions -of Samba before 2.2 have tried to use the native -fcntl() unix system call to implement proper record -locking between different Samba clients. This can not -be fully correct due to several reasons. The simplest -is the fact that a Windows client is allowed to lock a -byte range up to 2^32 or 2^64, depending on the client -OS. The unix locking only supports byte ranges up to -2^31. So it is not possible to correctly satisfy a -lock request above 2^31. There are many more -differences, too many to be listed here. - -Samba 2.2 and above implements record locking -completely independent of the underlying unix -system. If a byte range lock that the client requests -happens to fall into the range 0-2^31, Samba hands -this request down to the Unix system. All other locks -can not be seen by unix anyway. - -Strictly a SMB server should check for locks before -every read and write call on a file. Unfortunately with the -way fcntl() works this can be slow and may overstress the -rpc.lockd. It is also almost always unnecessary as clients -are supposed to independently make locking calls before reads -and writes anyway if locking is important to them. By default -Samba only makes locking calls when explicitly asked -to by a client, but if you set "strict locking = yes" then it will -make lock checking calls on every read and write. - -You can also disable by range locking completely -using "locking = no". 
This is useful for those shares that -don't support locking or don't need it (such as cdroms). In -this case Samba fakes the return codes of locking calls to -tell clients that everything is OK. - -The second class of locking is the "deny modes". These -are set by an application when it opens a file to determine -what types of access should be allowed simultaneously with -its open. A client may ask for DENY_NONE, DENY_READ, DENY_WRITE -or DENY_ALL. There are also special compatibility modes called -DENY_FCB and DENY_DOS. + +Discussion + +One area which sometimes causes trouble is locking. + + + +There are two types of locking which need to be performed by a SMB server. +The first is record locking which allows a client to lock +a range of bytes in a open file. The second is the deny modes +that are specified when a file is open. + + + +Record locking semantics under Unix is very different from record locking under +Windows. Versions of Samba before 2.2 have tried to use the native fcntl() unix +system call to implement proper record locking between different Samba clients. +This can not be fully correct due to several reasons. The simplest is the fact +that a Windows client is allowed to lock a byte range up to 2^32 or 2^64, +depending on the client OS. The unix locking only supports byte ranges up to 2^31. +So it is not possible to correctly satisfy a lock request above 2^31. There are +many more differences, too many to be listed here. + + + +Samba 2.2 and above implements record locking completely independent of the +underlying unix system. If a byte range lock that the client requests happens +to fall into the range 0-2^31, Samba hands this request down to the Unix system. +All other locks can not be seen by unix anyway. + + + +Strictly a SMB server should check for locks before every read and write call on +a file. Unfortunately with the way fcntl() works this can be slow and may overstress +the rpc.lockd. 
It is also almost always unnecessary as clients are supposed to +independently make locking calls before reads and writes anyway if locking is +important to them. By default Samba only makes locking calls when explicitly asked +to by a client, but if you set strict locking = yes then it +will make lock checking calls on every read and write. + + + +You can also disable by range locking completely using locking = no. +This is useful for those shares that don't support locking or don't need it +(such as cdroms). In this case Samba fakes the return codes of locking calls to +tell clients that everything is OK. + + + +The second class of locking is the deny modes. These +are set by an application when it opens a file to determine what types of +access should be allowed simultaneously with its open. A client may ask for +DENY_NONE, DENY_READ, DENY_WRITE or DENY_ALL. There are also special compatibility +modes called DENY_FCB and DENY_DOS. + + + + +Samba Opportunistic Locking Control + + +Opportunistic locking essentially means that the client is allowed to download and cache +a file on their hard drive while making changes; if a second client wants to access the +file, the first client receives a break and must synchronise the file back to the server. +This can give significant performance gains in some cases; some programs insist on +synchronising the contents of the entire file back to the server for a single change. + + + +Level1 Oplocks (aka just plain "oplocks") is another term for opportunistic locking. + + + +Level2 Oplocks provids opportunistic locking for a file that will be treated as +read only. Typically this is used on files that are read-only or +on files that the client has no initial intention to write to at time of opening the file. 
+ + + +Kernel Oplocks are essentially a method that allows the Linux kernel to co-exist with +Samba's oplocked files, although this has provided better integration of MS Windows network +file locking with the under lying OS, SGI IRIX and Linux are the only two OS's that are +oplock aware at this time. + + + +Unless your system supports kernel oplocks, you should disable oplocks if you are +accessing the same files from both Unix/Linux and SMB clients. Regardless, oplocks should +always be disabled if you are sharing a database file (e.g., Microsoft Access) between +multiple clients, as any break the first client receives will affect synchronisation of +the entire file (not just the single record), which will result in a noticable performance +impairment and, more likely, problems accessing the database in the first place. Notably, +Microsoft Outlook's personal folders (*.pst) react very badly to oplocks. If in doubt, +disable oplocks and tune your system from that point. + + + +If client-side caching is desirable and reliable on your network, you will benefit from +turning on oplocks. If your network is slow and/or unreliable, or you are sharing your +files among other file sharing mechanisms (e.g., NFS) or across a WAN, or multiple people +will be accessing the same files frequently, you probably will not benefit from the overhead +of your client sending oplock breaks and will instead want to disable oplocks for the share. + + + +Another factor to consider is the perceived performance of file access. If oplocks provide no +measurable speed benefit on your network, it might not be worth the hassle of dealing with them. 
+ + + +You can disable oplocks on a per-share basis with the following: + + + oplocks = False + level2 oplocks = False + + +Alternately, you could disable oplocks on a per-file basis within the share: + + + veto oplock files = /*.mdb/*.MDB/*.dbf/*.DBF/ + + + + +If you are experiencing problems with oplocks as apparent from Samba's log entries, +you may want to play it safe and disable oplocks and level2 oplocks. + + + + + +MS Windows Opportunistic Locking and Caching Controls + + +There is a known issue when running applications (like Norton Anti-Virus) on a Windows 2000/ XP +workstation computer that can affect any application attempting to access shared database files +across a network. This is a result of a default setting configured in the Windows 2000/XP +operating system known as Opportunistic Locking. When a workstation +attempts to access shared data files located on another Windows 2000/XP computer, +the Windows 2000/XP operating system will attempt to increase performance by locking the +files and caching information locally. When this occurs, the application is unable to +properly function, which results in an Access Denied + error message being displayed during network operations. + + + +All Windows operating systems in the NT family that act as database servers for data files +(meaning that data files are stored there and accessed by other Windows PCs) may need to +have opportunistic locking disabled in order to minimize the risk of data file corruption. +This includes Windows 9x/Me, Windows NT, Windows 200x and Windows XP. + + + +If you are using a Windows NT family workstation in place of a server, you must also +disable opportunistic locking (oplocks) on that workstation. For example, if you use a +PC with the Windows NT Workstation operating system instead of Windows NT Server, and you +have data files located on it that are accessed from other Windows PCs, you may need to +disable oplocks on that system. 
+ + + +The major difference is the location in the Windows registry where the values for disabling +oplocks are entered. Instead of the LanManServer location, the LanManWorkstation location +may be used. + + + +You can verify (or change or add, if necessary) this Registry value using the Windows +Registry Editor. When you change this registry value, you will have to reboot the PC +to ensure that the new setting goes into effect. + + + +The location of the client registry entry for opportunistic locking has changed in +Windows 2000 from the earlier location in Microsoft Windows NT. + + + +Windows 2000 will still respect the EnableOplocks registry value used to disable oplocks +in earlier versions of Windows. + + + +You can also deny the granting of opportunistic locks by changing the following registry entries: + + + + + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MRXSmb\Parameters\ + + OplocksDisabled REG_DWORD 0 or 1 + Default: 0 (not disabled) + + + + +The OplocksDisabled registry value configures Windows clients to either request or not +request opportunistic locks on a remote file. To disable oplocks, the value of + OplocksDisabled must be set to 1. + + + + + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters + + EnableOplocks REG_DWORD 0 or 1 + Default: 1 (Enabled by Default) + + EnableOpLockForceClose REG_DWORD 0 or 1 + Default: 0 (Disabled by Default) + + + + +The EnableOplocks value configures Windows-based servers (including Workstations sharing +files) to allow or deny opportunistic locks on local files. + + + +To force closure of open oplocks on close or program exit EnableOpLockForceClose must be set to 1. + + + +An illustration of how level II oplocks work: + + + + + Station 1 opens the file, requesting oplock. + + + Since no other station has the file open, the server grants station 1 exclusive oplock. + + + Station 2 opens the file, requesting oplock. 
+ + + Since station 1 has not yet written to the file, the server asks station 1 to Break + to Level II Oplock. + + + Station 1 complies by flushing locally buffered lock information to the server. + + + Station 1 informs the server that it has Broken to Level II Oplock (alternatively, + station 1 could have closed the file). + + + The server responds to station 2's open request, granting it level II oplock. + Other stations can likewise open the file and obtain level II oplock. + + + Station 2 (or any station that has the file open) sends a write request SMB. + The server returns the write response. + + + The server asks all stations that have the file open to Break to None, meaning no + station holds any oplock on the file. Because the workstations can have no cached + writes or locks at this point, they need not respond to the break-to-none advisory; + all they need do is invalidate locally cashed read-ahead data. + + + + +Workstation Service Entries + + + \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters + + UseOpportunisticLocking REG_DWORD 0 or 1 + Default: 1 (true) + + + +Indicates whether the redirector should use opportunistic-locking (oplock) performance +enhancement. This parameter should be disabled only to isolate problems. + + + + +Server Service Entries + + + \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters + + EnableOplocks REG_DWORD 0 or 1 + Default: 1 (true) + + + +Specifies whether the server allows clients to use oplocks on files. Oplocks are a +significant performance enhancement, but have the potential to cause lost cached +data on some networks, particularly wide-area networks. + + + + MinLinkThroughput REG_DWORD 0 to infinite bytes per second + Default: 0 + + + +Specifies the minimum link throughput allowed by the server before it disables +raw and opportunistic locks for this connection. 
+ + + + MaxLinkDelay REG_DWORD 0 to 100,000 seconds + Default: 60 + + + +Specifies the maximum time allowed for a link delay. If delays exceed this number, +the server disables raw I/O and opportunistic locking for this connection. + + + + OplockBreakWait REG_DWORD 10 to 180 seconds + Default: 35 + + + +Specifies the time that the server waits for a client to respond to an oplock break +request. Smaller values can allow detection of crashed clients more quickly but can +potentially cause loss of cached data. + + + + + + +Persistent Data Corruption + + +If you have applied all of the settings discussed in this paper but data corruption problems +and other symptoms persist, here are some additional things to check out: + + + +We have credible reports from developers that faulty network hardware, such as a single +faulty network card, can cause symptoms similar to read caching and data corruption. +If you see persistent data corruption even after repeated reindexing, you may have to +rebuild the data files in question. This involves creating a new data file with the +same definition as the file to be rebuilt and transferring the data from the old file +to the new one. There are several known methods for doing this that can be found in +our Knowledge Base. + + + + + +Additional Reading + + +You may want to check for an updated version of this white paper on our Web site from +time to time. Many of our white papers are updated as information changes. For those papers, +the Last Edited date is always at the top of the paper. + + + +Section of the Microsoft MSDN Library on opportunistic locking: + + + +Opportunistic Locks, Microsoft Developer Network (MSDN), Windows Development > +Windows Base Services > Files and I/O > SDK Documentation > File Storage > File Systems +> About File Systems > Opportunistic Locks, Microsoft Corporation. 
+http://msdn.microsoft.com/library/en-us/fileio/storage_5yk3.asp + + + +Microsoft Knowledge Base Article Q224992 "Maintaining Transactional Integrity with OPLOCKS", +Microsoft Corporation, April 1999, http://support.microsoft.com/default.aspx?scid=kb;en-us;Q224992. + + + +Microsoft Knowledge Base Article Q296264 "Configuring Opportunistic Locking in Windows 2000", +Microsoft Corporation, April 2001, http://support.microsoft.com/default.aspx?scid=kb;en-us;Q296264. + + + +Microsoft Knowledge Base Article Q129202 "PC Ext: Explanation of Opportunistic Locking on Windows NT", + Microsoft Corporation, April 1995, http://support.microsoft.com/default.aspx?scid=kb;en-us;Q129202. + + + -- cgit From 665198ea2ffea3550b6c2fd53a0dfab3dcf05e71 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Thu, 24 Apr 2003 00:46:28 +0000 Subject: More updates: Fix typo in VFS docs, added docs on pam_smbpass.so to PAM. (This used to be commit a1d6d56ba0af75282fb0d90db84ae8bbfa1836e0) --- .../projdoc/PAM-Authentication-And-Samba.sgml | 223 +++++++++++++++++++-- docs/docbook/projdoc/VFS.sgml | 2 +- 2 files changed, 203 insertions(+), 22 deletions(-) (limited to 'docs') diff --git a/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml b/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml index ac9385f3de..a95baf0281 100644 --- a/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml +++ b/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml 
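Review bot: In the opportunistic-locking text added by the patch that ends just before the 665198ea commit header, the "Persistent Data Corruption" and "Additional Reading" paragraphs refer to "this paper", "our Knowledge Base" and "our Web site", none of which has a referent in the Samba documentation; name the source these paragraphs come from or reword them so the reader knows where to look. In the level II oplock walkthrough, "locally cashed read-ahead data" should read "cached". The registry paths are written both with and without a leading backslash (HKEY_LOCAL_MACHINE\... and \HKEY_LOCAL_MACHINE\...), and EnableOplocks under LanmanServer\Parameters is documented twice with the default given once as "1 (Enabled by Default)" and once as "1 (true)"; one spelling and one entry would do.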
@@ -165,27 +165,7 @@ life though, every decision makes trade-offs, so you may want examine the PAM documentation for further helpful information. - - - -Distributed Authentication - - -The astute administrator will realize from this that the -combination of pam_smbpass.so, -winbindd, and a distributed -passdb backend, such as ldap, will allow the establishment of a -centrally managed, distributed -user/password database that can also be used by all -PAM (eg: Linux) aware programs and applications. This arrangement -can have particularly potent advantages compared with the -use of Microsoft Active Directory Service (ADS) in so far as -reduction of wide area network authentication traffic. - - - - - + PAM Configuration in smb.conf 
@@ -210,5 +190,206 @@ password encryption. Default: obey pam restrictions = no + + + +Password Synchronisation using pam_smbpass.so + + +pam_smbpass is a PAM module which can be used on conforming systems to +keep the smbpasswd (Samba password) database in sync with the unix +password file. PAM (Pluggable Authentication Modules) is an API supported +under some Unices, such as Solaris, HPUX and Linux, that provides a +generic interface to authentication mechanisms. + + + +For more information on PAM, see http://ftp.kernel.org/pub/linux/libs/pam/ + + + +This module authenticates a local smbpasswd user database. If you require +support for authenticating against a remote SMB server, or if you're +concerned about the presence of suid root binaries on your system, it is +recommended that you use one of the other two following modules + + + + pam_smb - http://www.csn.ul.ie/~airlied/pam_smb/ + authenticates against any remote SMB server + + pam_ntdom - ftp://ftp.samba.org/pub/samba/pam_ntdom/ + authenticates against an NT or Samba domain controller + +Options recognized by this module are as follows: + + debug - log more debugging info + audit - like debug, but also logs unknown usernames + use_first_pass - don't prompt the user for passwords; + take them from PAM_ items instead + try_first_pass - try to get the password from a previous + PAM module, fall back to prompting the user + use_authtok - like try_first_pass, but *fail* if the new + PAM_AUTHTOK has not been previously set. + (intended for stacking password modules only) + not_set_pass - don't make passwords used by this module + available to other modules. + nodelay - don't insert ~1 second delays on authentication + failure. + nullok - null passwords are allowed. + nonull - null passwords are not allowed. Used to + override the Samba configuration. + migrate - only meaningful in an "auth" context; + used to update smbpasswd file with a + password used for successful authentication. 
+ smbconf=< file > - specify an alternate path to the smb.conf + file. + + + +Thanks go to the following people: + + * Andrew Morgan < morgan@transmeta.com >, for providing the Linux-PAM + framework, without which none of this would have happened + + * Christian Gafton < gafton@redhat.com > and Andrew Morgan again, for the + pam_pwdb module upon which pam_smbpass was originally based + + * Luke Leighton < lkcl@switchboard.net > for being receptive to the idea, + and for the occasional good-natured complaint about the project's status + that keep me working on it :) + + * and of course, all the other members of the Samba team + < http://www.samba.org/samba/team.html >, for creating a great product + and for giving this project a purpose + + --------------------- + Stephen Langasek < vorlon@netexpress.net > + + + +The following are examples of the use of pam_smbpass.so in the format of Linux +/etc/pam.d/ files structure. Those wishing to implement this +tool on other platforms will need to adapt this appropriately. + + + +Password Synchonisation Configuration + + +A sample PAM configuration that shows the use of pam_smbpass to make +sure private/smbpasswd is kept in sync when /etc/passwd (/etc/shadow) +is changed. Useful when an expired password might be changed by an +application (such as ssh). + + + + #%PAM-1.0 + # password-sync + # + auth requisite pam_nologin.so + auth required pam_unix.so + account required pam_unix.so + password requisite pam_cracklib.so retry=3 + password requisite pam_unix.so shadow md5 use_authtok try_first_pass + password required pam_smbpass.so nullok use_authtok try_first_pass + session required pam_unix.so + + + + +Password Migration Configuration + + +A sample PAM configuration that shows the use of pam_smbpass to migrate +from plaintext to encrypted passwords for Samba. 
Unlike other methods, +this can be used for users who have never connected to Samba shares: +password migration takes place when users ftp in, login using ssh, pop +their mail, etc. + + + + #%PAM-1.0 + # password-migration + # + auth requisite pam_nologin.so + # pam_smbpass is called IFF pam_unix succeeds. + auth requisite pam_unix.so + auth optional pam_smbpass.so migrate + account required pam_unix.so + password requisite pam_cracklib.so retry=3 + password requisite pam_unix.so shadow md5 use_authtok try_first_pass + password optional pam_smbpass.so nullok use_authtok try_first_pass + session required pam_unix.so + + + + +Mature Password Configuration + + +A sample PAM configuration for a 'mature' smbpasswd installation. +private/smbpasswd is fully populated, and we consider it an error if +the smbpasswd doesn't exist or doesn't match the Unix password. + + + + #%PAM-1.0 + # password-mature + # + auth requisite pam_nologin.so + auth required pam_unix.so + account required pam_unix.so + password requisite pam_cracklib.so retry=3 + password requisite pam_unix.so shadow md5 use_authtok try_first_pass + password required pam_smbpass.so use_authtok use_first_pass + session required pam_unix.so + + + + +Kerberos Password Integration Configuration + + +A sample PAM configuration that shows pam_smbpass used together with +pam_krb5. This could be useful on a Samba PDC that is also a member of +a Kerberos realm. 
+ + + + #%PAM-1.0 + # kdc-pdc + # + auth requisite pam_nologin.so + auth requisite pam_krb5.so + auth optional pam_smbpass.so migrate + account required pam_krb5.so + password requisite pam_cracklib.so retry=3 + password optional pam_smbpass.so nullok use_authtok try_first_pass + password required pam_krb5.so use_authtok try_first_pass + session required pam_krb5.so + + + + + + +Distributed Authentication + + +The astute administrator will realize from this that the +combination of pam_smbpass.so, +winbindd, and a distributed +passdb backend, such as ldap, will allow the establishment of a +centrally managed, distributed +user/password database that can also be used by all +PAM (eg: Linux) aware programs and applications. This arrangement +can have particularly potent advantages compared with the +use of Microsoft Active Directory Service (ADS) in so far as +reduction of wide area network authentication traffic. + + + + diff --git a/docs/docbook/projdoc/VFS.sgml b/docs/docbook/projdoc/VFS.sgml index 666eb4f62f..1f29a754b0 100644 --- a/docs/docbook/projdoc/VFS.sgml +++ b/docs/docbook/projdoc/VFS.sgml @@ -82,7 +82,7 @@ following information will be recorded: Extended Auditing Log Information - Log LevelLog Details - File and Directory Operations -- cgit From c073a6ed3f62c9c2784a5e67c67a3750aad5d147 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 24 Apr 2003 01:07:44 +0000 Subject: fix SGML syntax errors (This used to be commit 43e169ce23a037b1df152b6e3fe6cfe55192b3d3) --- docs/docbook/projdoc/NT4Migration.sgml | 18 ++++++++++-------- docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml | 2 +- docs/docbook/projdoc/PolicyMgmt.sgml | 2 +- docs/docbook/projdoc/Portability.sgml | 1 + docs/docbook/projdoc/SWAT.sgml | 2 +- 5 files changed, 14 insertions(+), 11 deletions(-) (limited to 'docs') diff --git a/docs/docbook/projdoc/NT4Migration.sgml b/docs/docbook/projdoc/NT4Migration.sgml index 60d9f121f4..469215e32e 100644 --- a/docs/docbook/projdoc/NT4Migration.sgml 
+++ b/docs/docbook/projdoc/NT4Migration.sgml @@ -79,19 +79,19 @@ What are the features that Samba-3 can NOT provide? - Active Directory Server + Active Directory Server - Group Policy Objects (in Active Direcrtory) + Group Policy Objects (in Active Direcrtory) - Machine Policy objects + Machine Policy objects - Logon Scripts in Active Directorty + Logon Scripts in Active Directorty - Software Application and Access Controls in Active Directory + Software Application and Access Controls in Active Directory @@ -309,7 +309,7 @@ Samba-3 set up as a DC with netlogon share, profile share, etc. initGrps.sh DOMNAME - smbgroupedit -v + net groupmap list Now check that all groups are recognised @@ -469,7 +469,7 @@ Logon Scripts (Know how they work) User and Group mapping to Unix/Linux username map facility may be needed - Use smbgroupedit to connect NT4 groups to Unix groups + Use 'net groupmap' to connect NT4 groups to Unix groups Use pdbedit to set/change user configuration NOTE: If migrating to LDAP back end it may be easier to dump initial LDAP database to LDIF, then edit, then reload into LDAP @@ -489,7 +489,7 @@ Migration Tools Profiles, Policies, Access Controls, Security Migration Tools - Samba: net, rpcclient, smbpasswd, pdbedit, smbgroupedit, profiles + Samba: net, rpcclient, smbpasswd, pdbedit, profiles Windows: NT4 Domain User Manager, Server Manager (NEXUS) Authentication @@ -497,6 +497,8 @@ Authentication + + diff --git a/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml b/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml index a95baf0281..395bd71a27 100644 --- a/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml +++ b/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml @@ -244,7 +244,7 @@ Options recognized by this module are as follows: password used for successful authentication. smbconf=< file > - specify an alternate path to the smb.conf file. - + Thanks go to the following people: 
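Review bot: In the pam_smbpass.so section added to PAM-Authentication-And-Samba.sgml (hunk @@ -210,5 +190,206 @@ of commit 665198ea), the password-sync, password-migration and kdc-pdc samples pass nullok to pam_smbpass.so, which the option list in the same section defines as "null passwords are allowed"; the text never says why, and the "mature" sample drops it. Either explain when nullok is required or remove it from the samples so that it is not copied into a production stack unexamined. The samples also give use_authtok together with try_first_pass, although the option list describes use_authtok as "like try_first_pass, but *fail* if the new PAM_AUTHTOK has not been previously set"; keep one of the two. Minor: "Password Synchonisation Configuration" is misspelled, and "recommended that you use one of the other two following modules" needs rewording and a colon before the list.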
diff --git a/docs/docbook/projdoc/PolicyMgmt.sgml b/docs/docbook/projdoc/PolicyMgmt.sgml index 7557d496a4..9ec9d452a7 100644 --- a/docs/docbook/projdoc/PolicyMgmt.sgml +++ b/docs/docbook/projdoc/PolicyMgmt.sgml @@ -310,7 +310,7 @@ Under MS Windows 200x/XP this is done using the Microsoft Managment Console (MMC With a Samba Domain Controller, the new tools for managing of user account and policy information includes: -smbpasswd, pdbedit, smbgroupedit, net, rpcclient.. The administrator should read the +smbpasswd, pdbedit, net, rpcclient.. The administrator should read the man pages for these tools and become familiar with their use. diff --git a/docs/docbook/projdoc/Portability.sgml b/docs/docbook/projdoc/Portability.sgml index cc21ecf255..72c3d20547 100644 --- a/docs/docbook/projdoc/Portability.sgml +++ b/docs/docbook/projdoc/Portability.sgml @@ -229,6 +229,7 @@ Nsswitch on Solaris 9 refuses to use the winbind nss module. This behavior is fixed by Sun in patch 113476-05 which as of March 2003 is not in any roll-up packages. + diff --git a/docs/docbook/projdoc/SWAT.sgml b/docs/docbook/projdoc/SWAT.sgml index 751138f138..0aea999b53 100644 --- a/docs/docbook/projdoc/SWAT.sgml +++ b/docs/docbook/projdoc/SWAT.sgml @@ -134,7 +134,7 @@ Modifications to the swat setup are as following: root# /usr/bin/openssl req -new -x509 -days 365 -nodes -config \ /usr/share/doc/packages/stunnel/stunnel.cnf \ -out /etc/stunnel/stunnel.pem -keyout /etc/stunnel/stunnel.pem - + remove swat-entry from [x]inetd -- cgit From 6d385b59a0e0a600a973b05b00d52a1fc17f0bf4 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Thu, 24 Apr 2003 01:24:24 +0000 Subject: Tidy up only. (This used to be commit b87ebad1ae15bf59466da3ca7c39a31c4631031b) --- docs/docbook/projdoc/winbind.sgml | 301 +++++++++++++++++++------------------- 1 file changed, 153 insertions(+), 148 deletions(-) (limited to 'docs') 
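Review bot: "Active Direcrtory" and "Active Directorty" survive on the + side of the NT4Migration.sgml hunk at @@ -79,19 +79,19 @@ (commit c073a6ed); since those list items are being rewritten anyway, correct both to "Active Directory". The commit message says only "fix SGML syntax errors", but the same patch replaces smbgroupedit with net groupmap in NT4Migration.sgml and drops smbgroupedit from the tool list in PolicyMgmt.sgml, which is a content change; mention it in the message or move it to the group mapping commit.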
diff --git a/docs/docbook/projdoc/winbind.sgml b/docs/docbook/projdoc/winbind.sgml index 1f65e7a8b7..05460e1a61 100644 --- a/docs/docbook/projdoc/winbind.sgml +++ b/docs/docbook/projdoc/winbind.sgml @@ -18,6 +18,7 @@ &author.jelmer; + &author.jht; 27 June 2002 @@ -643,12 +644,12 @@ your PDC. For example, I get the following response: -CEO+Administrator -CEO+burdell -CEO+Guest -CEO+jt-ad -CEO+krbtgt -CEO+TsInternetUser + CEO+Administrator + CEO+burdell + CEO+Guest + CEO+jt-ad + CEO+krbtgt + CEO+TsInternetUser @@ -663,15 +664,15 @@ the PDC: root# /usr/local/samba/bin/wbinfo -g -CEO+Domain Admins -CEO+Domain Users -CEO+Domain Guests -CEO+Domain Computers -CEO+Domain Controllers -CEO+Cert Publishers -CEO+Schema Admins -CEO+Enterprise Admins -CEO+Group Policy Creator Owners + CEO+Domain Admins + CEO+Domain Users + CEO+Domain Guests + CEO+Domain Computers + CEO+Domain Controllers + CEO+Cert Publishers + CEO+Schema Admins + CEO+Enterprise Admins + CEO+Group Policy Creator Owners @@ -710,7 +711,8 @@ The same thing can be done for groups with the command The winbindd daemon needs to start up after the smbd and nmbd daemons are running. -To accomplish this task, you need to modify the startup scripts of your system. They are located at /etc/init.d/smb in RedHat and +To accomplish this task, you need to modify the startup scripts of your system. +They are located at /etc/init.d/smb in RedHat and /etc/init.d/samba in Debian. script to add commands to invoke this daemon in the proper sequence. My startup script starts up smbd, @@ -736,8 +738,8 @@ start() { daemon /usr/local/samba/bin/winbindd RETVAL3=$? echo - [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && touch /var/lock/subsys/smb || \ - RETVAL=1 + [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && \ + touch /var/lock/subsys/smb || RETVAL=1 return $RETVAL } 
@@ -776,7 +778,8 @@ stop() { echo -n $"Shutting down $KIND services: " killproc winbindd RETVAL3=$? - [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && rm -f /var/lock/subsys/smb + [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && \ + rm -f /var/lock/subsys/smb echo "" return $RETVAL } 
@@ -796,63 +799,64 @@ the file could contains something like this: -## -## samba.server -## - -if [ ! -d /usr/bin ] -then # /usr not mounted - exit -fi - -killproc() { # kill the named process(es) - pid=`/usr/bin/ps -e | - /usr/bin/grep -w $1 | - /usr/bin/sed -e 's/^ *//' -e 's/ .*//'` - [ "$pid" != "" ] && kill $pid -} - -# Start/stop processes required for samba server - -case "$1" in - -'start') -# -# Edit these lines to suit your installation (paths, workgroup, host) -# -echo Starting SMBD - /usr/local/samba/bin/smbd -D -s \ - /usr/local/samba/smb.conf - -echo Starting NMBD - /usr/local/samba/bin/nmbd -D -l \ - /usr/local/samba/var/log -s /usr/local/samba/smb.conf - -echo Starting Winbind Daemon - /usr/local/samba/bin/winbindd - ;; - -'stop') - killproc nmbd - killproc smbd - killproc winbindd - ;; - -*) - echo "Usage: /etc/init.d/samba.server { start | stop }" - ;; -esac + ## + ## samba.server + ## + + if [ ! -d /usr/bin ] + then # /usr not mounted + exit + fi + + killproc() { # kill the named process(es) + pid=`/usr/bin/ps -e | + /usr/bin/grep -w $1 | + /usr/bin/sed -e 's/^ *//' -e 's/ .*//'` + [ "$pid" != "" ] && kill $pid + } + + # Start/stop processes required for samba server + + case "$1" in + + 'start') + # + # Edit these lines to suit your installation (paths, workgroup, host) + # + echo Starting SMBD + /usr/local/samba/bin/smbd -D -s \ + /usr/local/samba/smb.conf + + echo Starting NMBD + /usr/local/samba/bin/nmbd -D -l \ + /usr/local/samba/var/log -s /usr/local/samba/smb.conf + + echo Starting Winbind Daemon + /usr/local/samba/bin/winbindd + ;; + + 'stop') + killproc nmbd + killproc smbd + killproc winbindd + ;; + + *) + echo "Usage: /etc/init.d/samba.server { start | stop }" + ;; + esac -Again, if you would like to run samba in dual daemon mode, replace + +Again, if you would like to run samba in dual daemon mode, replace - /usr/local/samba/bin/winbindd + /usr/local/samba/bin/winbindd in the script above with: - /usr/local/samba/bin/winbindd -B + 
/usr/local/samba/bin/winbindd -B @@ -912,8 +916,8 @@ just left this fileas it was: -auth required /lib/security/pam_stack.so service=system-auth -account required /lib/security/pam_stack.so service=system-auth + auth required /lib/security/pam_stack.so service=system-auth + account required /lib/security/pam_stack.so service=system-auth @@ -928,7 +932,7 @@ and /etc/xinetd.d/wu-ftp from -enable = no + enable = no @@ -936,7 +940,7 @@ to -enable = yes + enable = yes @@ -956,13 +960,14 @@ changed to look like this: -auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed -auth sufficient /lib/security/pam_winbind.so -auth required /lib/security/pam_stack.so service=system-auth -auth required /lib/security/pam_shells.so -account sufficient /lib/security/pam_winbind.so -account required /lib/security/pam_stack.so service=system-auth -session required /lib/security/pam_stack.so service=system-auth + auth required /lib/security/pam_listfile.so item=user sense=deny \ + file=/etc/ftpusers onerr=succeed + auth sufficient /lib/security/pam_winbind.so + auth required /lib/security/pam_stack.so service=system-auth + auth required /lib/security/pam_shells.so + account sufficient /lib/security/pam_winbind.so + account required /lib/security/pam_stack.so service=system-auth + session required /lib/security/pam_stack.so service=system-auth 
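Review bot: In the re-wrapped stack that starts with pam_listfile.so (file=/etc/ftpusers), pam_shells.so sits below "auth sufficient /lib/security/pam_winbind.so", so it is never evaluated for a user that winbind authenticates: a sufficient success ends the auth stack as long as no earlier required module has failed. If the /etc/shells restriction is meant to cover domain users too, move the pam_shells.so line above pam_winbind.so, next to pam_listfile.so, and say in the text that the order matters.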
@@ -971,16 +976,16 @@ same way. It now looks like this: -auth required /lib/security/pam_securetty.so -auth sufficient /lib/security/pam_winbind.so -auth sufficient /lib/security/pam_unix.so use_first_pass -auth required /lib/security/pam_stack.so service=system-auth -auth required /lib/security/pam_nologin.so -account sufficient /lib/security/pam_winbind.so -account required /lib/security/pam_stack.so service=system-auth -password required /lib/security/pam_stack.so service=system-auth -session required /lib/security/pam_stack.so service=system-auth -session optional /lib/security/pam_console.so + auth required /lib/security/pam_securetty.so + auth sufficient /lib/security/pam_winbind.so + auth sufficient /lib/security/pam_unix.so use_first_pass + auth required /lib/security/pam_stack.so service=system-auth + auth required /lib/security/pam_nologin.so + account sufficient /lib/security/pam_winbind.so + account required /lib/security/pam_stack.so service=system-auth + password required /lib/security/pam_stack.so service=system-auth + session required /lib/security/pam_stack.so service=system-auth + session optional /lib/security/pam_console.so 
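Review bot: pam_nologin.so is the last auth line of this stack, below "auth sufficient pam_winbind.so" and "auth sufficient pam_unix.so use_first_pass", so any login that either of those accepts returns before pam_nologin.so runs and /etc/nologin is not honoured for it. Move "auth required /lib/security/pam_nologin.so" up beside pam_securetty.so so that it applies to every account, domain or local.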
@@ -1006,65 +1011,65 @@ nearly impossible to boot. -# -#ident "@(#)pam.conf 1.14 99/09/16 SMI" -# -# Copyright (c) 1996-1999, Sun Microsystems, Inc. -# All Rights Reserved. -# -# PAM configuration -# -# Authentication management -# -login auth required /usr/lib/security/pam_winbind.so -login auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass -login auth required /usr/lib/security/$ISA/pam_dial_auth.so.1 try_first_pass -# -rlogin auth sufficient /usr/lib/security/pam_winbind.so -rlogin auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1 -rlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass -# -dtlogin auth sufficient /usr/lib/security/pam_winbind.so -dtlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass -# -rsh auth required /usr/lib/security/$ISA/pam_rhosts_auth.so.1 -other auth sufficient /usr/lib/security/pam_winbind.so -other auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass -# -# Account management -# -login account sufficient /usr/lib/security/pam_winbind.so -login account requisite /usr/lib/security/$ISA/pam_roles.so.1 -login account required /usr/lib/security/$ISA/pam_unix.so.1 -# -dtlogin account sufficient /usr/lib/security/pam_winbind.so -dtlogin account requisite /usr/lib/security/$ISA/pam_roles.so.1 -dtlogin account required /usr/lib/security/$ISA/pam_unix.so.1 -# -other account sufficient /usr/lib/security/pam_winbind.so -other account requisite /usr/lib/security/$ISA/pam_roles.so.1 -other account required /usr/lib/security/$ISA/pam_unix.so.1 -# -# Session management -# -other session required /usr/lib/security/$ISA/pam_unix.so.1 -# -# Password management -# -#other password sufficient /usr/lib/security/pam_winbind.so -other password required /usr/lib/security/$ISA/pam_unix.so.1 -dtsession auth required /usr/lib/security/$ISA/pam_unix.so.1 -# -# Support for Kerberos V5 authentication (uncomment to use Kerberos) -# -#rlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 
try_first_pass -#login auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass -#dtlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass -#other auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass -#dtlogin account optional /usr/lib/security/$ISA/pam_krb5.so.1 -#other account optional /usr/lib/security/$ISA/pam_krb5.so.1 -#other session optional /usr/lib/security/$ISA/pam_krb5.so.1 -#other password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass + # + #ident "@(#)pam.conf 1.14 99/09/16 SMI" + # + # Copyright (c) 1996-1999, Sun Microsystems, Inc. + # All Rights Reserved. + # + # PAM configuration + # + # Authentication management + # + login auth required /usr/lib/security/pam_winbind.so + login auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass + login auth required /usr/lib/security/$ISA/pam_dial_auth.so.1 try_first_pass + # + rlogin auth sufficient /usr/lib/security/pam_winbind.so + rlogin auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1 + rlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass + # + dtlogin auth sufficient /usr/lib/security/pam_winbind.so + dtlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass + # + rsh auth required /usr/lib/security/$ISA/pam_rhosts_auth.so.1 + other auth sufficient /usr/lib/security/pam_winbind.so + other auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass + # + # Account management + # + login account sufficient /usr/lib/security/pam_winbind.so + login account requisite /usr/lib/security/$ISA/pam_roles.so.1 + login account required /usr/lib/security/$ISA/pam_unix.so.1 + # + dtlogin account sufficient /usr/lib/security/pam_winbind.so + dtlogin account requisite /usr/lib/security/$ISA/pam_roles.so.1 + dtlogin account required /usr/lib/security/$ISA/pam_unix.so.1 + # + other account sufficient /usr/lib/security/pam_winbind.so + other account requisite /usr/lib/security/$ISA/pam_roles.so.1 + other 
account required /usr/lib/security/$ISA/pam_unix.so.1 + # + # Session management + # + other session required /usr/lib/security/$ISA/pam_unix.so.1 + # + # Password management + # + #other password sufficient /usr/lib/security/pam_winbind.so + other password required /usr/lib/security/$ISA/pam_unix.so.1 + dtsession auth required /usr/lib/security/$ISA/pam_unix.so.1 + # + # Support for Kerberos V5 authentication (uncomment to use Kerberos) + # + #rlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass + #login auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass + #dtlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass + #other auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass + #dtlogin account optional /usr/lib/security/$ISA/pam_krb5.so.1 + #other account optional /usr/lib/security/$ISA/pam_krb5.so.1 + #other session optional /usr/lib/security/$ISA/pam_krb5.so.1 + #other password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass -- cgit From 8bc3f10c1af0dd3f624c9e68ed299b57d03bd3a3 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 24 Apr 2003 01:59:53 +0000 Subject: updating group mapping HOWTO. (This used to be commit 4244e21971a21b8c8c80753e962eb2420fb1a1de) --- docs/docbook/global.ent | 1 + docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml | 93 +++++++++++++++++---------- 2 files changed, 60 insertions(+), 34 deletions(-) (limited to 'docs') diff --git a/docs/docbook/global.ent b/docs/docbook/global.ent index 2c7f55aa3a..d7c41ccbc6 100644 --- a/docs/docbook/global.ent +++ b/docs/docbook/global.ent @@ -385,6 +385,7 @@ an Active Directory environment. smbclient'> winbindd'> smbgroupedit'> +net'> diff --git a/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml b/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml index e037da4aeb..0d72487f54 100644 --- a/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml +++ b/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml 
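Review bot: In the Solaris pam.conf sample of winbind.sgml (hunk @@ -1006,65 +1011,65 @@), "login auth" marks pam_winbind.so as required while rlogin, dtlogin and other mark it sufficient. With required on both pam_winbind.so and pam_unix.so.1, a console login succeeds only for an account that both modules accept, which shuts out local-only accounts such as root and sits badly with the "nearly impossible to boot" warning just above the sample. Unless that is intended, change the login line to sufficient to match the other services while the block is being re-indented.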
@@ -3,27 +3,28 @@ Jean FrançoisMicouleau + &person.jerry; Configuring Group Mapping - -Starting with Samba 3.0 alpha 2, a new group mapping function is available. The -current method (likely to change) to manage the groups is a new command called -&smbgroupedit;. + +Starting with Samba 3.0 alpha 2, new group mapping functionality +is available to create associations between Windows SIDs and UNIX +groups. The groupmap subcommand included with +the &net; tool can be used to manage these associations. -The first immediate reason to use the group mapping on a PDC, is that -the domain admin group of &smb.conf; is -now gone. This parameter was used to give the listed users local admin rights -on their workstations. It was some magic stuff that simply worked but didn't -scale very well for complex setups. +The first immediate reason to use the group mapping on a Samba PDC, is that +the domain admin group &smb.conf; has been removed. +This parameter was used to give the listed users membership in the "Domain Admins" +Windows group which gave local admin rights on their workstations (in +default configurations). -Let me explain how it works on NT/W2K, to have this magic fade away. When installing NT/W2K on a computer, the installer program creates some users and groups. Notably the 'Administrators' group, and gives to that group some privileges like the ability to change the date and time or to kill any process 
@@ -34,46 +35,70 @@ group privileges. If a 'joe' user is created and become a member of the -When a NT/W2K machine is joined to a domain, during that phase, the "Domain -Administrators' group of the PDC is added to the 'Administrators' group of the -workstation. Every members of the 'Domain Administrators' group 'inherit' the -rights of the 'Administrators' group when logging on the workstation. +When a NT/W2K machine is joined to a domain, the "Domain Adminis" group of the +PDC is added to the local 'Administrators' group of the workstation. Every +member of the 'Domain Administrators' group 'inherit' the +rights of the local 'Administrators' group when logging on the workstation. -You are now wondering how to make some of your samba PDC users members of the -'Domain Administrators' ? That's really easy. +The following steps describe how to make samba PDC users members of the +'Domain Admins' group? - -create a unix group (usually in /etc/group), let's call it domadm -add to this group the users that must be Administrators. For example if you want joe,john and mary, your entry in /etc/group will look like: + +create a unix group (usually in /etc/group), + let's call it domadm +add to this group the users that must be Administrators. For example + if you want joe,john and mary, your entry in /etc/group will + look like: - -domadm:x:502:joe,john,mary - + + domadm:x:502:joe,john,mary + - + -Map this domadm group to the domain admins group by running the command: +Map this domadm group to the "Domain Admins" group + by running the command: -smbgroupedit -c "Domain Admins" -u domadm + root# net groupmap add ntgroup="Domain Admins" unixgroup=domadm + + The quotes around "Domain Admins" are necessary due to the space in the group name. Also make + sure to leave no whitespace surrounding the equal character (=). + -You're set, joe, john and mary are domain administrators ! +Now joe, john and mary are domain administrators! 
-Like the Domain Admins group, you can map any arbitrary Unix group to any NT -group. You can also make any Unix group a domain group. For example, on a domain -member machine (an NT/W2K or a samba server running winbind), you would like to -give access to a certain directory to some users who are member of a group on -your samba PDC. Flag that group as a domain group by running: +It is possible to map any arbitrary UNIX group to any Windows NT +group as well as making any UNIX group a Windows domain group. +For example, if you wanted to include a UNIX group (e.g. acct) in a ACL on a +local file or printer on a domain member machine, you would flag +that group as a domain group by running the following on the Samba PDC: -smbgroupedit -a unixgroup -td +root# net groupmap add rid=1000 ntgroup="Accounting" unixgroup=acct + +Be aware that the rid parmeter is a unsigned 32 bit integer that should +normally start at 1000. However, this rid must not overlap with any RID assigned +to a user. Verifying this is done differently depending on on the passdb backend +you are using. Future versions of the tools may perform the verification automatically, +but for now the burden in on you. + +You can list the various groups in the mapping database by executing +net groupmap list. Here is an example: + +root# net groupmap list +System Administrators (S-1-5-21-2547222302-1596225915-2414751004-1002) -> sysadmin +Domain Admins (S-1-5-21-2547222302-1596225915-2414751004-512) -> domadmin +Domain Users (S-1-5-21-2547222302-1596225915-2414751004-513) -> domuser +Domain Guests (S-1-5-21-2547222302-1596225915-2414751004-514) -> domguest + -You can list the various groups in the mapping database like this -smbgroupedit -v +For complete details on net groupmap, refer to the +net(8) man page. -- cgit From c0960be217bbf1107843b510bb0829e9c6593e85 Mon Sep 17 00:00:00 2001 
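Review bot: The RID paragraph in the GROUP-MAPPING-HOWTO.sgml hunk at @@ -34,46 +35,70 @@ tells the reader that rid must not overlap with a RID assigned to a user but gives no way to check; the net man page already documents MAXRID ("Prints out the highest RID currently in use on the local server"), so point to it here. The worked example maps "Domain Admins" to unixgroup=domadm, yet the sample net groupmap list output shows Domain Admins mapped to domadmin, and the text alternates between 'Domain Admins' and 'Domain Administrators'. Typos on the + side: "Domain Adminis", "parmeter", "depending on on", "the burden in on you", and the question mark that ends "The following steps describe how to make samba PDC users members of the 'Domain Admins' group?".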
From: Gerald Carter Date: Thu, 24 Apr 2003 03:01:56 +0000 Subject: update net man page for groupmap options (This used to be commit 465510e39f3366a2477ffb6e7fb121ed6c88d04a) --- docs/docbook/manpages/net.8.sgml | 61 ++++++++++++++++++++++++++++++++++++++-- 1 file changed, 58 insertions(+), 3 deletions(-) (limited to 'docs') diff --git a/docs/docbook/manpages/net.8.sgml b/docs/docbook/manpages/net.8.sgml index 8ee965e3ed..6b6ebd1f09 100644 --- a/docs/docbook/manpages/net.8.sgml +++ b/docs/docbook/manpages/net.8.sgml @@ -600,7 +600,7 @@ List all current items in the cache. GETLOCALSID [DOMAIN] -Print the SID of the specified domain, or if the parameter is +Print the SID of the specified domain, or if the parameter is omitted, the SID of the domain the local server is in. 
@@ -612,10 +612,65 @@ omitted, the SID of the domain the local server is in. + +GROUPMAP + +Manage the mappings between Windows group SIDs and UNIX groups. +Parameters take the for "parameter=value". Common options include: + + +unixgroup - Name of the UNIX group +ntgroup - Name of the Windows NT group (must be + resolvable to a SID +rid - Unsigned 32-bit integer +sid - Full SID in the form of "S-1-..." +type - Type of the group; either 'domain', 'local', + or 'builtin' +comment - Freeform text description of the group + + + +GROUPMAP ADD + +Add a new group mapping entry + +net groupmap add {rid=int|sid=string} unixgroup=string [type={domain|local|builtin}] [ntgroup=string] [comment=string] + + + + +GROUPMAP DELETE + +Delete a group mapping entry + +net groupmap delete {ntgroup=string|sid=SID} + + + + +GROUPMAP MODIFY + +Update en existing group entry + +net groupmap modify {ntgroup=string|sid=SID} [unixgroup=string] [comment=string] [type={domain|local} + + + +GROUPMAP LIST + +List existing group mapping entries + +net groupmap list [verbose] [ntgroup=string] [sid=SID] + + + + + + MAXRID -Prints out the highest RID currently in use on the local +Prints out the highest RID currently in use on the local server (by the active 'passdb backend'). @@ -624,7 +679,7 @@ server (by the active 'passdb backend'). RPC INFO -Print information about the domain of the remote server, +Print information about the domain of the remote server, such as domain name, domain sid and number of users and groups. -- cgit From ffb628e9c71cf55601d098a3dfbe22fbfa3d0746 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Thu, 24 Apr 2003 05:20:34 +0000 Subject: Fix for bad macro error. (This used to be commit 076882b91c3b08d4438499b185b8e8bc0f4ba716) --- docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'docs') 
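Review bot: In the net.8.sgml GROUPMAP hunk (@@ -612,10 +612,65 @@), the GROUPMAP ADD synopsis makes {rid=int|sid=string} mandatory and ntgroup optional, but the HOWTO text added in the preceding commit documents net groupmap add ntgroup="Domain Admins" unixgroup=domadm with neither rid nor sid. One of the two needs correcting, and the man page should say what RID is assigned when only ntgroup is given. The GROUPMAP MODIFY synopsis has an unclosed bracket at [type={domain|local} and omits builtin, which the option list allows for type. Smaller fixes in the same hunk: "Parameters take the for", the unclosed parenthesis in "(must be resolvable to a SID", and "Update en existing group entry".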
diff --git a/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml b/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml index 0d72487f54..841d24b78d 100644 --- a/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml +++ b/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml @@ -13,7 +13,7 @@ Starting with Samba 3.0 alpha 2, new group mapping functionality is available to create associations between Windows SIDs and UNIX groups. The groupmap subcommand included with -the &net; tool can be used to manage these associations. +the net tool can be used to manage these associations. -- cgit From b7ff7b37fbf8bd47c4a4b1e224891899822bdf92 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 24 Apr 2003 05:35:22 +0000 Subject: remove smbgroupedit entity (This used to be commit 5de29a84b3039cd951367ac78879ec8bfd4a08d1) --- docs/docbook/global.ent | 1 - 1 file changed, 1 deletion(-) (limited to 'docs') diff --git a/docs/docbook/global.ent b/docs/docbook/global.ent index d7c41ccbc6..2933602e60 100644 --- a/docs/docbook/global.ent +++ b/docs/docbook/global.ent @@ -384,7 +384,6 @@ an Active Directory environment. smb.conf'> smbclient'> winbindd'> -smbgroupedit'> net'> -- cgit From bca6ff183c9431dc52c122e97c6060dae82e1464 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Thu, 24 Apr 2003 19:59:27 +0000 Subject: Update from LanDude (This used to be commit d8f8794d10c4add9b7b850341b98c29c67028c4a) --- docs/docbook/projdoc/ADS-HOWTO.sgml | 32 ++++++++++++++++++++++++++++---- 1 file changed, 28 insertions(+), 4 deletions(-) (limited to 'docs') diff --git a/docs/docbook/projdoc/ADS-HOWTO.sgml b/docs/docbook/projdoc/ADS-HOWTO.sgml index d08833b7fd..c7def652fc 100644 --- a/docs/docbook/projdoc/ADS-HOWTO.sgml +++ b/docs/docbook/projdoc/ADS-HOWTO.sgml @@ -11,7 +11,7 @@ This is a rough guide to setting up Samba 3.0 with kerberos authentication against a Windows2000 KDC. - + Setup your <filename>smb.conf</filename> 
@@ -44,6 +44,8 @@ In case samba can't figure out your ads server using your realm name, use the Setup your <filename>/etc/krb5.conf</filename> +Note: you will need the krb5 workstation, devel, and libs installed + The minimal configuration for krb5.conf is: @@ -53,10 +55,16 @@ In case samba can't figure out your ads server using your realm name, use the } -Test your config by doing a kinit USERNAME@REALM and making sure that +Test your config by doing a kinit +USERNAME@REALM and making sure that your password is accepted by the Win2000 KDC. -The realm must be uppercase. +The realm must be uppercase or you will get "Cannot find KDC for requested +realm while getting initial credentials" error + +Time between the two servers must be synchronized. You will get a +"kinit(v5): Clock skew too great while getting initial credentials" if the time +difference is more than five minutes. You also must ensure that you can do a reverse DNS lookup on the IP @@ -99,7 +107,15 @@ As a user that has write permission on the Samba private directory "ADS support not compiled in" -Samba must be reconfigured (remove config.cache) and recompiled (make clean all install) after the kerberos libs and headers are installed. +Samba must be reconfigured (remove config.cache) and recompiled +(make clean all install) after the kerberos libs and headers are installed. + + +net ads join prompts for user name +You need to login to the domain using kinit +USERNAME@REALM. +USERNAME must be a user who has rights to add a machine +to the domain. @@ -110,6 +126,12 @@ As a user that has write permission on the Samba private directory Test your server setup + +If the join was successful, you will see a new computer account with the +NetBIOS name of your Samba server in Active Directory (in the "Computers" +folder under Users and Computers. + + On a Windows 2000 client try net use * \\server\share. You should be logged in with kerberos without needing to know a password. If 
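Review bot: The paragraph added under "Test your server setup" opens a parenthesis at (in the "Computers" folder under Users and Computers. and never closes it. Close it before the full stop, and name the tool in full if "Users and Computers" refers to a specific management console.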
@@ -136,6 +158,8 @@ specify the -k option to choose kerberos authentication. You must change administrator password at least once after DC install, to create the right encoding types + + w2k doesn't seem to create the _kerberos._udp and _ldap._tcp in their defaults DNS setup. Maybe fixed in service packs? -- cgit From f0917e0bfd2eebfc9826e6924c231fab99059186 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Thu, 24 Apr 2003 22:00:45 +0000 Subject: Updates: ADS typo fix, ProfileMgmt: Additional docs on how to disable roaming profiles. (This used to be commit efd8872989b13bd8daa814b6b91cab1fd30ff170) --- docs/docbook/projdoc/ADS-HOWTO.sgml | 10 +++--- docs/docbook/projdoc/ProfileMgmt.sgml | 59 ++++++++++++++++++++++++++++++++++- 2 files changed, 63 insertions(+), 6 deletions(-) (limited to 'docs') diff --git a/docs/docbook/projdoc/ADS-HOWTO.sgml b/docs/docbook/projdoc/ADS-HOWTO.sgml index c7def652fc..c36f150112 100644 --- a/docs/docbook/projdoc/ADS-HOWTO.sgml +++ b/docs/docbook/projdoc/ADS-HOWTO.sgml @@ -56,15 +56,16 @@ In case samba can't figure out your ads server using your realm name, use the Test your config by doing a kinit -USERNAME@REALM and making sure that - your password is accepted by the Win2000 KDC. +USERNAME@REALM and +making sure that your password is accepted by the Win2000 KDC. + The realm must be uppercase or you will get "Cannot find KDC for requested realm while getting initial credentials" error Time between the two servers must be synchronized. You will get a "kinit(v5): Clock skew too great while getting initial credentials" if the time -difference is more than five minutes. +difference is more than five minutes. You also must ensure that you can do a reverse DNS lookup on the IP 
@@ -86,8 +87,7 @@ If all you want is kerberos support in &smbclient; then you can skip straight to Test with &smbclient; now. Creating a computer account and testing your servers -is only needed if you want kerberos -support for &smbd; and &winbindd;. +is only needed if you want kerberos support for &smbd; and &winbindd;. diff --git a/docs/docbook/projdoc/ProfileMgmt.sgml b/docs/docbook/projdoc/ProfileMgmt.sgml index bc0113baeb..ac61391306 100644 --- a/docs/docbook/projdoc/ProfileMgmt.sgml +++ b/docs/docbook/projdoc/ProfileMgmt.sgml 
@@ -122,6 +122,63 @@ You can support profiles for both Win9X and WinNT clients by setting both the logon path = \\%L\profiles\%u + + +Disabling Roaming Profile Support + + +A question often asked is "How may I enforce use of local profiles?" or +"How do I disable Roaming Profiles?" + + + +There are three ways of doing this: + + + + + In smb.conf: affect the following settings and ALL clients + will be forced to use a local profile: + + logon home = + logon path = + + + + MS Windows Registry: by using the Microsoft Management Console + gpedit.msc to instruct your MS Windows XP machine to use only a local profile. This + of course modifies registry settings. The full path to the option is: + + Local Computer Policy\ + Computer Configuration\ + Administrative Templates\ + System\ + User Profiles\ + + Disable: Only Allow Local User Profiles + Disable: Prevent Roaming Profile Change from Propogating to the Server + + + + + Change of Profile Type: From the start menu right click on the + MY Computer icon, select Properties, click on the "User Profiles + tab, select the profile you wish to change from Roaming type to Local, click Change Type. + + + + +Consult the MS Windows registry guide for your particular MS Windows version for more +information about which registry keys to change to enforce use of only local user +profiles. + + + +The specifics of how to convert a local profile to a roaming profile, or a roaming profile +to a local one vary according to the version of MS Windows you are running. Consult the +Microsoft MS Windows Resource Kit for your version of Windows for specific information. + + 
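Review bot: The two policy entries in the gpedit.msc item are written as "Disable: Only Allow Local User Profiles" and "Disable: Prevent Roaming Profile Change from Propogating to the Server", which reads as an instruction to set both policies to Disabled. If the intent is that these are the policies used to disable roaming profiles, state the value each one must be set to, because an administrator following the text literally may end up with the opposite result. In the same hunk, "Propogating" should be "Propagating", the quote opened at "User Profiles tab is never closed, and "affect the following settings" would be clearer as "set the following".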
@@ -885,7 +942,7 @@ The default entries are: Common Desktop %SystemRoot%\Profiles\All Users\Desktop Common Programs %SystemRoot%\Profiles\All Users\Programs Common Start Menu %SystemRoot%\Profiles\All Users\Start Menu - Common Startu p %SystemRoot%\Profiles\All Users\Start Menu\Progams\Startup + Common Startup %SystemRoot%\Profiles\All Users\Start Menu\Progams\Startup -- cgit From 07511789c0469829babaefbd1ad1742b1ab799da Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Thu, 24 Apr 2003 23:26:32 +0000 Subject: Corrections and edits from Jesse Jacobs (This used to be commit 2b28e69ddfb017290674298b7497ce780d189976) --- docs/docbook/projdoc/DOMAIN_MEMBER.sgml | 2 +- docs/docbook/projdoc/NetworkBrowsing.sgml | 4 ++-- docs/docbook/projdoc/PolicyMgmt.sgml | 4 ++-- docs/docbook/projdoc/Samba-PDC-HOWTO.sgml | 12 ++++++------ docs/docbook/projdoc/passdb.sgml | 16 ++++++++-------- docs/docbook/projdoc/security_level.sgml | 14 +++++++------- 6 files changed, 26 insertions(+), 26 deletions(-) (limited to 'docs') diff --git a/docs/docbook/projdoc/DOMAIN_MEMBER.sgml b/docs/docbook/projdoc/DOMAIN_MEMBER.sgml index 6f995af286..9470688089 100644 --- a/docs/docbook/projdoc/DOMAIN_MEMBER.sgml +++ b/docs/docbook/projdoc/DOMAIN_MEMBER.sgml @@ -14,7 +14,7 @@ Joining an NT Domain with Samba 3.0 Assume you have a Samba 3.0 server with a NetBIOS name of - SERV1 and are joining an or Win2k NT domain called + SERV1 and are joining a Win2k or NT domain called DOM, which has a PDC with a NetBIOS name of DOMPDC and two backup domain controllers with NetBIOS names DOMBDC1 and DOMBDC2 diff --git a/docs/docbook/projdoc/NetworkBrowsing.sgml b/docs/docbook/projdoc/NetworkBrowsing.sgml index 7743cb9c75..e8d1b40710 100644 --- a/docs/docbook/projdoc/NetworkBrowsing.sgml +++ b/docs/docbook/projdoc/NetworkBrowsing.sgml 
@@ -883,7 +883,7 @@ name resolve order = wins lmhosts (eliminates bcast and host) The default is: name resolve order = host lmhost wins bcast -. + where "host" refers the the native methods used by the Unix system to implement the gethostbyname() function call. This is normally controlled by /etc/host.conf, /etc/nsswitch.conf and /etc/resolv.conf. @@ -927,7 +927,7 @@ that can NOT be provided by any other means of name resolution. Samba facilitates browsing. The browsing is supported by &nmbd; and is also controlled by options in the &smb.conf; file. Samba can act as a local browse master for a workgroup and the ability -for samba to support domain logons and scripts is now available. +to support domain logons and scripts is now available. diff --git a/docs/docbook/projdoc/PolicyMgmt.sgml b/docs/docbook/projdoc/PolicyMgmt.sgml index 9ec9d452a7..333fe6ad0b 100644 --- a/docs/docbook/projdoc/PolicyMgmt.sgml +++ b/docs/docbook/projdoc/PolicyMgmt.sgml @@ -183,7 +183,7 @@ known as the group policy template (GPT). -With NT4 clients the policy file is read and executed upon only aas each user log onto the network. +With NT4 clients the policy file is read and executed upon only as each user logs onto the network. MS Windows 200x policies are much more complex - GPOs are processed and applied at client machine startup (machine specific part) and when the user logs onto the network the user specific part is applied. In MS Windows 200x style policy management each machine and/or user may be subject 
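Review bot: The corrected line in the PolicyMgmt.sgml hunk still reads "read and executed upon only as each user logs onto the network", so the sentence remains garbled after the fix. Something like "read and executed only as each user logs on to the network" would complete the correction.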
@@ -278,7 +278,7 @@ This has considerable advanage compared with the use of NTConfig.POL (NT4) style -Inaddition to user access controls that may be imposed or applied via system and/or group policies +In addition to user access controls that may be imposed or applied via system and/or group policies in a manner that works in conjunction with user profiles, the user management environment under MS Windows NT4/200x/XP allows per domain as well as per user account restrictions to be applied. Common restrictions that are frequently used includes: diff --git a/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml index 2e5f436769..7295a15875 100644 --- a/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml +++ b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml @@ -109,7 +109,7 @@ The following functionalities are NOT provided by Samba 3.0: Please note that Windows 9x / Me / XP Home clients are not true members of a domain for reasons outlined in this article. Therefore the protocol for -support Windows 9x-style domain logons is completely different +support of Windows 9x-style domain logons is completely different from NT4 / Win2k type domain logons and has been officially supported for some time. @@ -263,7 +263,7 @@ shared secret with the domain controller. A Windows PDC stores each machine trust account in the Windows -Registry. A Samba-3 PDC also has to stoe machine trust account information +Registry. A Samba-3 PDC also has to store machine trust account information in a suitable back-end data store. With Samba-3 there can be multiple back-ends for this including: @@ -665,7 +665,7 @@ the network and download their preferences, desktop and start menu. Before launching into the configuration instructions, it is -worthwhile lookingat how a Windows 9x/ME client performs a logon: +worthwhile to look at how a Windows 9x/ME client performs a logon: 
@@ -705,7 +705,7 @@ worthwhile lookingat how a Windows 9x/ME client performs a logon: The client then sends a NetUserGetInfo request to the server, to retrieve the user's home share, which is used to search for profiles. Since the - response to the NetUserGetInfo request does not contain much more + response to the NetUserGetInfo request does not contain much more then the user's home share, profiles for Win9X clients MUST reside in the user home directory. @@ -774,7 +774,7 @@ Actually, this issue is also closely tied to the debate on whether or not Samba must be the domain master browser for its workgroup when operating as a DC. While it may technically be possible to configure a server as such (after all, browsing and domain logons -are two distinctly different functions), it is not a good idea to +are two distinctly different functions), it is not a good idea to do so. You should remember that the DC must register the DOMAIN#1b NetBIOS name. This is the name used by Windows clients to locate the DC. Windows clients do not distinguish between the DC and the DMB. @@ -786,7 +786,7 @@ Now back to the issue of configuring a Samba DC to use a mode other than "security = user". If a Samba host is configured to use another SMB server or DC in order to validate user connection requests, then it is a fact that some other machine on the network -(the "password server") knows more about user than the Samba host. +(the "password server") knows more about the user than the Samba host. 99% of the time, this other host is a domain controller. Now in order to operate in domain mode security, the "workgroup" parameter must be set to the name of the Windows NT domain (which already diff --git a/docs/docbook/projdoc/passdb.sgml b/docs/docbook/projdoc/passdb.sgml index 776c79f095..6f256daddd 100644 --- a/docs/docbook/projdoc/passdb.sgml +++ b/docs/docbook/projdoc/passdb.sgml 
@@ -140,7 +140,7 @@ record passwords going to the SMB server. WinNT doesn't like talking to a server - that SM not support encrypted passwords. It will refuse + that does not support encrypted passwords. It will refuse to browse the server if the server is also in user level security mode. It will insist on prompting the user for the password on each connection, which is very annoying. The @@ -300,7 +300,7 @@ in the thousands). The first is that all lookups must be performed sequentially. Given that there are approximately two lookups per domain logon (one for a normal session connection such as when mapping a network drive or printer), this -is a performance bottleneck for lareg sites. What is needed is an indexed approach +is a performance bottleneck for large sites. What is needed is an indexed approach such as is used in databases. @@ -394,7 +394,7 @@ url="mailto:jerry@samba.org">jerry@samba.org -Just as the smbpasswd file is mean to store information which supplements a +Just as the smbpasswd file is meant to store information which supplements a user's /etc/passwd entry, so is the sambaAccount object meant to supplement the UNIX user account information. A sambaAccount is a STRUCTURAL objectclass so it can be stored individually @@ -528,7 +528,7 @@ use with an LDAP directory could appear as # The password for this DN is not stored in smb.conf. Rather it # must be set by using 'smbpasswd -w secretpw' to store the # passphrase in the secrets.tdb file. If the "ldap admin dn" values - # changes, this password will need to be reset. + # change, this password will need to be reset. ldap admin dn = "cn=Samba Manager,ou=people,dc=samba,dc=org" # Define the SSL option when connecting to the directory 
@@ -566,12 +566,12 @@ use with an LDAP directory could appear as As users accounts are managed thru the sambaAccount objectclass, you should -modify you existing administration tools to deal with sambaAccount attributes. +modify your existing administration tools to deal with sambaAccount attributes. Machines accounts are managed with the sambaAccount objectclass, just -like users accounts. However, it's up to you to stored thoses accounts +like users accounts. However, it's up to you to store thoses accounts in a different tree of you LDAP namespace: you should use "ou=Groups,dc=plainjoe,dc=org" to store groups and "ou=People,dc=plainjoe,dc=org" to store users. Just configure your @@ -581,7 +581,7 @@ file). In Samba release 3.0, the group management system is based on posix -groups. This means that Samba make usage of the posixGroup objectclass. +groups. This means that Samba makes usage of the posixGroup objectclass. For now, there is no NT-like group system management (global and local groups). @@ -733,7 +733,7 @@ the logon home string is expanded to \\TASHTEGO\becky. If the smbHome attribute exists in the entry "uid=becky,ou=people,dc=samba,dc=org", this value is used. However, if this attribute does not exist, then the value of the logon home parameter is used in its place. Samba -will only write the attribute value to the directory entry is the value is +will only write the attribute value to the directory entry if the value is something other than the default (e.g. \\MOBY\becky). diff --git a/docs/docbook/projdoc/security_level.sgml b/docs/docbook/projdoc/security_level.sgml index 4ce5955e35..e840ff6c17 100644 --- a/docs/docbook/projdoc/security_level.sgml +++ b/docs/docbook/projdoc/security_level.sgml 
@@ -136,7 +136,7 @@ MS Windows clients may use encrypted passwords as part of a challenege/response authentication model (a.k.a. NTLMv1) or alone, or clear text strings for simple password based authentication. It should be realized that with the SMB protocol the password is passed over the network either in plain text or encrypted, but -not both in the same authentication requests. +not both in the same authentication request. @@ -203,10 +203,10 @@ However, passwords on UNIX systems often make use of mixed case characters. This means that in order for a user on a Windows 9x client to connect to a Samba server using clear text authentication, the password level must be set to the maximum number of upper case letter which could -appear is a password. Note that is the server OS uses the traditional DES version -of crypt(), then a password level of 8 will result in case +appear is a password. Note that the server OS uses the traditional DES version +of crypt(), a password level of 8 will result in case insensitive passwords as seen from Windows users. This will also result in longer -login times as Samba hash to compute the permutations of the password string and +login times as Samba has to compute the permutations of the password string and try them one by one until a match is located (or all combinations fail). @@ -235,7 +235,7 @@ This method involves the additions of the following parameters in the &smb.conf; There are two ways of identifying whether or not a username and password pair was valid or not. One uses the reply information provided as part of the authentication messaging process, the other uses -just and error code. +just an error code. 
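Review bot: In the password level hunk (@@ -203,10 +203,10 @@), the rewrite of "Note that is the server OS uses the traditional DES version of crypt(), then a password level of 8 ..." drops the conditional instead of restoring it. The new text, "Note that the server OS uses the traditional DES version of crypt(), a password level of 8 will result in ...", is ungrammatical and now asserts that every server uses DES crypt(). The original "is" was a typo for "if"; suggest "Note that if the server OS uses the traditional DES version of crypt(), a password level of 8 will result in ...". The added line "appear is a password" also still needs "in" for "is".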
@@ -304,8 +304,8 @@ MS Windows NT security domain. This is done as follows: Use of this mode of authentication does require there to be a standard Unix account for the user in order to assign a uid once the account has been authenticated by -the remote Windows DC. This account can be blocked to prevent logons by other than -MS Windows clients by things such as setting an invalid shell in the +the remote Windows DC. This account can be blocked to prevent logons by clients other than +MS Windows through things such as setting an invalid shell in the /etc/passwd entry. -- cgit From 7aa3d6c2ad2ce7ba5dd76ccd03fdf90da672ed93 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Fri, 25 Apr 2003 04:36:08 +0000 Subject: Fixing typos. (This used to be commit fe13a878d50f325482c6d626ed5dd6e399e4b853) --- docs/docbook/projdoc/Samba-BDC-HOWTO.sgml | 12 ++++---- docs/docbook/projdoc/ServerType.sgml | 2 +- docs/docbook/projdoc/UNIX_INSTALL.sgml | 4 +-- docs/docbook/projdoc/passdb.sgml | 8 ++--- docs/docbook/projdoc/samba-doc.sgml | 6 ++-- docs/docbook/projdoc/securing-samba.sgml | 49 ++++++++++++++++++++++++------- 6 files changed, 54 insertions(+), 27 deletions(-) (limited to 'docs') diff --git a/docs/docbook/projdoc/Samba-BDC-HOWTO.sgml b/docs/docbook/projdoc/Samba-BDC-HOWTO.sgml index 8dbc007e4f..2f3b568471 100644 --- a/docs/docbook/projdoc/Samba-BDC-HOWTO.sgml +++ b/docs/docbook/projdoc/Samba-BDC-HOWTO.sgml @@ -57,9 +57,9 @@ parameters in the [global]-section of the smb.conf have to be set: -workgroup = SAMBA -domain master = yes -domain logons = yes + workgroup = SAMBA + domain master = yes + domain logons = yes @@ -201,9 +201,9 @@ by setting -workgroup = samba -domain master = no -domain logons = yes + workgroup = samba + domain master = no + domain logons = yes diff --git a/docs/docbook/projdoc/ServerType.sgml b/docs/docbook/projdoc/ServerType.sgml index b38a9c097d..7229a50201 100644 --- a/docs/docbook/projdoc/ServerType.sgml +++ b/docs/docbook/projdoc/ServerType.sgml 
@@ -85,7 +85,7 @@ LDAP (from OpenLDAP), or Sun's iPlanet, of NetWare Directory Server, etc. Please refer to the section on Howto configure Samba as a Primary Domain Controller and for more information regarding how to create a domain machine account for a -domain member server as well as for information regading how to enable the samba +domain member server as well as for information regarding how to enable the samba domain member machine to join the domain and to be fully trusted by it. diff --git a/docs/docbook/projdoc/UNIX_INSTALL.sgml b/docs/docbook/projdoc/UNIX_INSTALL.sgml index 1019e524f7..3ad83c1f9d 100644 --- a/docs/docbook/projdoc/UNIX_INSTALL.sgml +++ b/docs/docbook/projdoc/UNIX_INSTALL.sgml @@ -88,13 +88,13 @@ SWAT is a web-based interface that helps you configure samba. SWAT might not be available in the samba package on your platform, - but in a seperate package. Please read the swat manpage + but in a separate package. Please read the swat manpage on compiling, installing and configuring swat from source. To launch SWAT just run your favorite web browser and point it at "http://localhost:901/". Replace localhost with the name of the computer you are running samba on if you - are running samba on a different computer then your browser. + are running samba on a different computer than your browser. Note that you can attach to SWAT from any IP connected machine but connecting from a remote machine leaves your diff --git a/docs/docbook/projdoc/passdb.sgml b/docs/docbook/projdoc/passdb.sgml index 6f256daddd..523a34603d 100644 --- a/docs/docbook/projdoc/passdb.sgml +++ b/docs/docbook/projdoc/passdb.sgml 
@@ -238,8 +238,8 @@ data is stored at all. TDB Samba can also store the user data in a "TDB" (Trivial Database). Using this backend -doesn't require any additional configuration. This backend is recommended for new installations who -don't require LDAP. +doesn't require any additional configuration. This backend is recommended for new installations that +don not require LDAP. @@ -284,7 +284,7 @@ Two additional Samba resources which may prove to be helpful are -Introduction +Encrypted Password Database Traditionally, when configuring "encrypt @@ -327,7 +327,7 @@ API, and is still so named in the CVS trees). -There are a few points to stress about what the ldapsam +There are a few points to stress about that the ldapsam does not provide. The LDAP support referred to in the this documentation does not include: diff --git a/docs/docbook/projdoc/samba-doc.sgml b/docs/docbook/projdoc/samba-doc.sgml index 3b5d054cad..a729caf99f 100644 --- a/docs/docbook/projdoc/samba-doc.sgml +++ b/docs/docbook/projdoc/samba-doc.sgml @@ -19,7 +19,7 @@ This book is a collection of HOWTOs added to Samba documentation over the years. -Samba is always under development, and so is it's documentation. This release of the +Samba is always under development, and so is its' documentation. This release of the documentation represents a major revision or layout as well as contents. The most recent version of this document can be found at http://www.samba.org/ 
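Review bot: The replacement "and so is its' documentation" in the samba-doc.sgml hunk is still wrong; the possessive is "its" with no apostrophe. The passdb.sgml hunks of this same commit also trade one error for another: "new installations that don not require LDAP" and "There are a few points to stress about that the ldapsam does not provide" are both introduced by the fix, where "do not" and the original "what" were needed.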
@@ -35,8 +35,8 @@ or without their knowledge contributed to this update. The size and scope of thi project would not have been possible without significant community contribution. A not insignificant number of ideas for inclusion (if not content itself) has been obtained from a number of Unofficial HOWTOs - to each such author a big "Thank-you" is also offered. -Please keep publishing you Unofficial HOWTO's - they are a source of inspiration and -application knowledge that is most to be desired by may Samba users and administrators. +Please keep publishing your Unofficial HOWTO's - they are a source of inspiration and +application knowledge that is most to be desired by many Samba users and administrators. diff --git a/docs/docbook/projdoc/securing-samba.sgml b/docs/docbook/projdoc/securing-samba.sgml index e9e8c4f9f8..eedc7ba725 100644 --- a/docs/docbook/projdoc/securing-samba.sgml +++ b/docs/docbook/projdoc/securing-samba.sgml @@ -2,6 +2,7 @@ &author.tridge; + &author.jht; 17 March 2003 @@ -36,8 +37,8 @@ might be: - hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24 - hosts deny = 0.0.0.0/0 + hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24 + hosts deny = 0.0.0.0/0 @@ -66,8 +67,8 @@ You can change this behaviour using options like the following: - interfaces = eth* lo - bind interfaces only = yes + interfaces = eth* lo + bind interfaces only = yes @@ -105,10 +106,10 @@ UDP ports to allow and block. Samba uses the following: -UDP/137 - used by nmbd -UDP/138 - used by nmbd -TCP/139 - used by smbd -TCP/445 - used by smbd + UDP/137 - used by nmbd + UDP/138 - used by nmbd + TCP/139 - used by smbd + TCP/445 - used by smbd @@ -135,9 +136,9 @@ To do that you could use: - [ipc$] - hosts allow = 192.168.115.0/24 127.0.0.1 - hosts deny = 0.0.0.0/0 + [ipc$] + hosts allow = 192.168.115.0/24 127.0.0.1 + hosts deny = 0.0.0.0/0 
@@ -163,6 +164,32 @@ methods listed above for some reason. + +NTLMv2 Security + + +To configure NTLMv2 authentication the following registry keys are worth knowing about: + + + + + [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] + "lmcompatibilitylevel"=dword:00000003 + + 0x3 - Send NTLMv2 response only. Clients will use NTLMv2 authentication, + use NTLMv2 session security if the server supports it. Domain + controllers accept LM, NTLM and NTLMv2 authentication. + + [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0] + "NtlmMinClientSec"=dword:00080000 + + 0x80000 - NTLMv2 session security. If either NtlmMinClientSec or + NtlmMinServerSec is set to 0x80000, the connection will fail if NTLMv2 + session security is not negotiated. + + + + Upgrading Samba -- cgit From 26724fa2b08bc3aab43cd357df38c2a04363ef98 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Fri, 25 Apr 2003 14:26:08 +0000 Subject: Update from Rick Segeberg (This used to be commit af4fa1aea6bc69d56da88c83968561f0fac1f3a4) --- docs/docbook/projdoc/DOMAIN_MEMBER.sgml | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) (limited to 'docs') diff --git a/docs/docbook/projdoc/DOMAIN_MEMBER.sgml b/docs/docbook/projdoc/DOMAIN_MEMBER.sgml index 9470688089..335e5cc7db 100644 --- a/docs/docbook/projdoc/DOMAIN_MEMBER.sgml +++ b/docs/docbook/projdoc/DOMAIN_MEMBER.sgml 
@@ -12,15 +12,18 @@ Joining an NT Domain with Samba 3.0 + + + + "Assumptions:" + NetBIOS name: SERV1 + Win2K/NT domain name: DOM + Domain's PDC NetBIOS name: DOMPDC + Domain's BDC NetBIOS names: DOMBDC1 and DOMBDC2 + + - Assume you have a Samba 3.0 server with a NetBIOS name of - SERV1 and are joining a Win2k or NT domain called - DOM, which has a PDC with a NetBIOS name - of DOMPDC and two backup domain controllers - with NetBIOS names DOMBDC1 and DOMBDC2 - . - - Firstly, you must edit your &smb.conf; file to tell Samba it should + First, you must edit your &smb.conf; file to tell Samba it should now use domain security. Change (or add) your @@ -83,7 +86,7 @@ in your terminal window. See the net(8) man page for more details. - This process joins the server to thedomain + This process joins the server to the domain without having to create the machine trust account on the PDC beforehand. @@ -129,7 +132,7 @@ means Samba servers now participate in domain trust relationships in exactly the same way NT servers do (i.e., you can add Samba servers into a resource domain and have the authentication passed on from a resource - domain PDC to an account domain PDC. + domain PDC to an account domain PDC). In addition, with security = server every Samba daemon on a server has to keep a connection open to the -- cgit From dfdc9b19f8d0ad5cde6657db6b76b628f5cb9ce2 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Fri, 25 Apr 2003 15:49:02 +0000 Subject: Adding edits from Vance Lankhaar. (This used to be commit a7788bc3b9ae4aec48bf94ed446e6bc0668863bf) --- docs/docbook/projdoc/ADS-HOWTO.sgml | 40 ++++++++------- docs/docbook/projdoc/DOMAIN_MEMBER.sgml | 10 ++-- docs/docbook/projdoc/NetworkBrowsing.sgml | 2 +- docs/docbook/projdoc/Samba-PDC-HOWTO.sgml | 82 ++++++++++++++++++++++--------- docs/docbook/projdoc/security_level.sgml | 13 ++++- 5 files changed, 99 insertions(+), 48 deletions(-) (limited to 'docs') 
diff --git a/docs/docbook/projdoc/ADS-HOWTO.sgml b/docs/docbook/projdoc/ADS-HOWTO.sgml index c36f150112..1ee0ab1962 100644 --- a/docs/docbook/projdoc/ADS-HOWTO.sgml +++ b/docs/docbook/projdoc/ADS-HOWTO.sgml @@ -19,16 +19,16 @@ Windows2000 KDC. You must use at least the following 3 options in smb.conf: - realm = YOUR.KERBEROS.REALM - security = ADS - encrypt passwords = yes + realm = YOUR.KERBEROS.REALM + security = ADS + encrypt passwords = yes In case samba can't figure out your ads server using your realm name, use the ads server option in smb.conf: - ads server = your.kerberos.server + ads server = your.kerberos.server @@ -49,10 +49,10 @@ In case samba can't figure out your ads server using your realm name, use the The minimal configuration for krb5.conf is: -[realms] - YOUR.KERBEROS.REALM = { - kdc = your.kerberos.server - } + [realms] + YOUR.KERBEROS.REALM = { + kdc = your.kerberos.server + } Test your config by doing a kinit @@ -98,7 +98,9 @@ is only needed if you want kerberos support for &smbd; and &winbindd;. As a user that has write permission on the Samba private directory (usually root) run: -net ads join + + net join -U Administrator%password + @@ -106,16 +108,16 @@ As a user that has write permission on the Samba private directory -"ADS support not compiled in" -Samba must be reconfigured (remove config.cache) and recompiled -(make clean all install) after the kerberos libs and headers are installed. - - -net ads join prompts for user name -You need to login to the domain using kinit -USERNAME@REALM. -USERNAME must be a user who has rights to add a machine -to the domain. + "ADS support not compiled in" + Samba must be reconfigured (remove config.cache) and recompiled + (make clean all install) after the kerberos libs and headers are installed. + + + net join prompts for user name + You need to login to the domain using kinit + USERNAME@REALM. + USERNAME must be a user who has rights to add a machine + to the domain. 
diff --git a/docs/docbook/projdoc/DOMAIN_MEMBER.sgml b/docs/docbook/projdoc/DOMAIN_MEMBER.sgml index 335e5cc7db..cd4168e446 100644 --- a/docs/docbook/projdoc/DOMAIN_MEMBER.sgml +++ b/docs/docbook/projdoc/DOMAIN_MEMBER.sgml @@ -69,9 +69,14 @@ In order to actually join the domain, you must run this command: - root# net rpc join -S DOMPDC + root# net join -S DOMPDC -UAdministrator%password + + If the -S DOMPDC argument is not given then + the domain name will be obtained from smb.conf. + + as we are joining the domain DOM and the PDC for that domain (the only machine that has write access to the domain SAM database) is DOMPDC. The Administrator%password is @@ -123,8 +128,7 @@ Please refer to the Winbind paper for information on a system to automatically assign UNIX uids and gids to Windows NT Domain users and groups. - This code is available in development branches only at the moment, - but will be moved to release branches soon. + The advantage to domain-level security is that the authentication in domain-level security is passed down the authenticated diff --git a/docs/docbook/projdoc/NetworkBrowsing.sgml b/docs/docbook/projdoc/NetworkBrowsing.sgml index e8d1b40710..29768ea42a 100644 --- a/docs/docbook/projdoc/NetworkBrowsing.sgml +++ b/docs/docbook/projdoc/NetworkBrowsing.sgml @@ -8,7 +8,7 @@ Samba / MS Windows Network Browsing Guide -This document contains detailed informataion as well as a fast track guide to +This document contains detailed information as well as a fast track guide to implementing browsing across subnets and / or across workgroups (or domains). WINS is the best tool for resolution of NetBIOS names to IP addesses. WINS is NOT involved in browse list handling except by way of name to address resolution. diff --git a/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml index 7295a15875..be7a6d5201 100644 --- a/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml +++ b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml 
@@ -169,6 +169,11 @@ Here is an example &smb.conf; for acting as a PDC: netbios name = POGO workgroup = NARNIA + ; User and Machine Account Backends + ; Choices are: tdbsam, tdbsam_nua, smbpasswd, smbpasswd_nua, ldapsam, ldapsam_nua, ... + ; mysqlsam, xmlsam, guest + passdb backend = ldapsam, guest + ; we should act as the domain and local master browser os level = 64 preferred master = yes @@ -209,6 +214,20 @@ Here is an example &smb.conf; for acting as a PDC: directory mask = 0700 + +The above parameters make for a full set of parameters that may define the server's mode +of operation. The following parameters are the essentials alone: + + + workgroup = NARNIA + domain logons = Yes + security = User + + +The additional parameters shown in the longer listing above just makes for a +more complete environment. + + There are a couple of points to emphasize in the above configuration. @@ -264,13 +283,13 @@ shared secret with the domain controller. A Windows PDC stores each machine trust account in the Windows Registry. A Samba-3 PDC also has to store machine trust account information -in a suitable back-end data store. With Samba-3 there can be multiple back-ends +in a suitable backend data store. With Samba-3 there can be multiple back-ends for this including: - smbpaswd - the plain ascii file stored used by + smbpasswd - the plain ascii file stored used by earlier versions of Samba. This file configuration option requires a Unix/Linux system account for EVERY entry (ie: both for user and for machine accounts). This file will be located in the private 
@@ -311,9 +330,16 @@ for this including: -Read the chapter about the User Database +Read the chapter about the User Database for details. + +The new tdbsam and ldapsam account backends store vastly more information than +smbpasswd is capable of. The new backend database includes capacity to specify +per user settings for many parameters, over-riding global settings given in the +smb.conf file. eg: logon drive, logon home, logon path, etc. + + A Samba PDC, however, stores each machine trust account in two parts, as follows: @@ -420,7 +446,7 @@ the corresponding Unix account. equivalent of creating a machine trust account on a Windows NT PDC using the "Server Manager". From the time at which the account is created to the time which the client joins the domain and changes the password, - your domain is vulnerable to an intruder joining your domain using a + your domain is vulnerable to an intruder joining your domain using a machine with the same NetBIOS name. A PDC inherently trusts members of the domain and will serve out a large degree of user information to such clients. You have been warned! 
@@ -469,20 +495,22 @@ version of Windows. Windows 2000 - When the user elects to join the client to a domain, Windows prompts for - an account and password that is privileged to join the domain. A - Samba administrative account (i.e., a Samba account that has root - privileges on the Samba server) must be entered here; the - operation will fail if an ordinary user account is given. - The password for this account should be - set to a different password than the associated - /etc/passwd entry, for security - reasons. - - The session key of the Samba administrative account acts as an + + When the user elects to join the client to a domain, Windows prompts for + an account and password that is privileged to join the domain. A Samba administrative + account (i.e., a Samba account that has root privileges on the Samba server) must be + entered here; the operation will fail if an ordinary user account is given. + The password for this account should be set to a different password than the associated + /etc/passwd entry, for security reasons. + + + + The session key of the Samba administrative account acts as an encryption key for setting the password of the machine trust account. The machine trust account will be created on-the-fly, or - updated if it already exists. + updated if it already exists. + + Windows NT @@ -522,11 +550,9 @@ systems?) won't create a user with a '$' in their name. -The problem is only in the program used to make the entry, once -made, it works perfectly. So create a user without the '$' and -use vipw to edit the entry, adding the '$'. Or create -the whole entry with vipw if you like, make sure you use a -unique User ID ! +The problem is only in the program used to make the entry. Once made, it works perfectly. +Create a user without the '$' using vipw to edit the entry, adding +the '$'. Or create the whole entry with vipw if you like, make sure you use a unique User ID! 
@@ -547,7 +573,7 @@ will remove all network drive connections: -Further, if the machine is a already a 'member of a workgroup' that +Further, if the machine is already a 'member of a workgroup' that is the same name as the domain you are joining (bad idea) you will get this message. Change the workgroup name to something else, it does not matter what, reboot, and try again. @@ -569,8 +595,18 @@ is changed. The most common cause of a change in domain SID is when the domain name and/or the server name (netbios name) is changed. The only way to correct the problem is to restore the original domain SID or remove the domain client from the domain and rejoin. The domain -SID may be reset using either the smbpasswd or rpcclient utilities. +SID may be reset using either the net or rpcclient utilities. + + + +The reset or change the domain SID you can use the net command as follows: + + + net getlocalsid 'OLDNAME' + net setlocalsid 'SID' + + diff --git a/docs/docbook/projdoc/security_level.sgml b/docs/docbook/projdoc/security_level.sgml index e840ff6c17..a59392bbac 100644 --- a/docs/docbook/projdoc/security_level.sgml +++ b/docs/docbook/projdoc/security_level.sgml @@ -128,6 +128,13 @@ That real authentication server can be another Samba server or can be a Windows NT server, the later natively capable of encrypted password support. + +Server level security is incompatible with what is known +as schannel or "sign and seal" protocols. This means that +if you want to use server level security you must disable +the use of "sign and seal" on all machines on your network. + + Configuring Samba for Seemless Windows Network Integration @@ -270,7 +277,7 @@ all authentication requests to be passed through to the domain controllers. Samba as a member of an MS Windows NT security domain -This method involves additon of the following paramters in the &smb.conf; file: +This method involves addition of the following parameters in the &smb.conf; file: 
@@ -297,7 +304,9 @@ MS Windows NT security domain. This is done as follows: Next, on the Linux system execute: - smbpasswd -r PDC_NAME -j DOMAIN_NAME + smbpasswd -r PDC_NAME -j DOMAIN_NAME (samba 2.x) + + net join -U administrator%password (samba-3) -- cgit From 0f5feb2105f2d3ffd0d7f1f74ec24257358b2e2c Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Fri, 25 Apr 2003 15:59:42 +0000 Subject: Update from Rick Segeberg (This used to be commit 2310cee6abf66bf52b2c90fed4c7db7412153e10) --- docs/docbook/projdoc/Diagnosis.sgml | 46 ++++++++++++++++++++++++++++++------- 1 file changed, 38 insertions(+), 8 deletions(-) (limited to 'docs') diff --git a/docs/docbook/projdoc/Diagnosis.sgml b/docs/docbook/projdoc/Diagnosis.sgml index 9ab95dad86..1ca15d189a 100644 --- a/docs/docbook/projdoc/Diagnosis.sgml +++ b/docs/docbook/projdoc/Diagnosis.sgml @@ -20,13 +20,15 @@ then it is probably working fine. You should do ALL the tests, in the order shown. We have tried to carefully choose them so later tests only use capabilities verified in -the earlier tests. +the earlier tests. However, do not stop at the first error as there +have been some instances when continuing with the tests has helped +to solve a problem. If you send one of the samba mailing lists an email saying "it doesn't work" and you have not followed this test procedure then you should not be surprised -your email is ignored. +if your email is ignored. @@ -46,7 +48,7 @@ The procedure is similar for other types of clients. It is also assumed you know the name of an available share in your &smb.conf;. I will assume this share is called tmp. -You can add a tmp share like by adding the +You can add a tmp share like this by adding the following to &smb.conf;: 
@@ -61,12 +63,13 @@ following to &smb.conf;: -These tests assume version 3.0 or later of the samba suite. Some commands shown did not exist in earlier versions. +These tests assume version 3.0 or later of the samba suite. +Some commands shown did not exist in earlier versions. Please pay attention to the error messages you receive. If any error message -reports that your server is being unfriendly you should first check that you +reports that your server is being unfriendly you should first check that your IP name resolution is correctly set up. eg: Make sure your /etc/resolv.conf file points to name servers that really do exist. @@ -77,6 +80,21 @@ that the settings for your &smb.conf; file results in dns proxy = notestparm smb.conf. + +It is helpful to monitor the log files during testing by using the +tail -F log_file_name in a separate +terminal console (use ctrl-alt-F1 through F6 or multiple terminals in X). +Relevant log files can be found (for default installations) in +/usr/local/samba/var. Also, connection logs from +machines can be found here or possibly in /var/log/samba +depending on how or if you specified logging in your &smb.conf; file. + + + +If you make changes to your &smb.conf; file while going through these test, +don't forget to restart &smbd; and &nmbd;. + + @@ -124,6 +142,11 @@ software. You will need to relax the rules to let in the workstation in question, perhaps by allowing access from another subnet (on Linux this is done via the ipfwadm program.) + + +Note: Modern Linux distributions install ipchains/iptables by default. +This is a common problem that is often overlooked. + 
@@ -149,6 +172,13 @@ it is running, and check that the netbios-ssn port is in a LISTEN state using netstat -a. + +Some Unix / Linux systems use xinetd in place of +inetd. Check your system documentation for the location +of the control file/s for your particular system implementation of +this network super daemon. + + If you get a "session request failed" then the server refused the connection. If it says "Your server software is being unfriendly" then @@ -265,7 +295,7 @@ hosts. If this doesn't give a similar result to the previous test then nmblookup isn't correctly getting your broadcast address through its -automatic mechanism. In this case you should experiment use the +automatic mechanism. In this case you should experiment with the interfaces option in &smb.conf; to manually configure your IP address, broadcast and netmask. @@ -358,7 +388,7 @@ when you type dir. -On the PC type the command net view \\BIGSERVER. You will +On the PC, type the command net view \\BIGSERVER. You will need to do this from within a "dos prompt" window. You should get back a list of available shares on the server. @@ -463,7 +493,7 @@ an election is held at startup. -From file manager try to browse the server. Your samba server should +>From file manager try to browse the server. Your samba server should appear in the browse list of your local workgroup (or the one you specified in smb.conf). You should be able to double click on the name of the server and get a list of shares. If you get a "invalid -- cgit From 6c9b614c5becb84359d8547cc5bb76d0523bea4e Mon Sep 17 00:00:00 2001 
From: John Terpstra Date: Fri, 25 Apr 2003 18:05:59 +0000 Subject: Fixes for syntax errors. (This used to be commit 837141f45ef0a007a4cf46690c9eb0d838a25b2f) --- docs/docbook/projdoc/ADS-HOWTO.sgml | 2 -- docs/docbook/projdoc/DOMAIN_MEMBER.sgml | 16 +++++++--------- docs/docbook/projdoc/Diagnosis.sgml | 2 +- docs/docbook/projdoc/Samba-PDC-HOWTO.sgml | 2 +- docs/docbook/projdoc/security_level.sgml | 4 ++-- 5 files changed, 11 insertions(+), 15 deletions(-) (limited to 'docs') diff --git a/docs/docbook/projdoc/ADS-HOWTO.sgml b/docs/docbook/projdoc/ADS-HOWTO.sgml index 1ee0ab1962..c89a0e4f87 100644 --- a/docs/docbook/projdoc/ADS-HOWTO.sgml +++ b/docs/docbook/projdoc/ADS-HOWTO.sgml @@ -160,8 +160,6 @@ specify the -k option to choose kerberos authentication. You must change administrator password at least once after DC install, to create the right encoding types - - w2k doesn't seem to create the _kerberos._udp and _ldap._tcp in their defaults DNS setup. Maybe fixed in service packs? diff --git a/docs/docbook/projdoc/DOMAIN_MEMBER.sgml b/docs/docbook/projdoc/DOMAIN_MEMBER.sgml index cd4168e446..a5921e8ce3 100644 --- a/docs/docbook/projdoc/DOMAIN_MEMBER.sgml +++ b/docs/docbook/projdoc/DOMAIN_MEMBER.sgml @@ -12,15 +12,13 @@ Joining an NT Domain with Samba 3.0 - - - - "Assumptions:" - NetBIOS name: SERV1 - Win2K/NT domain name: DOM - Domain's PDC NetBIOS name: DOMPDC - Domain's BDC NetBIOS names: DOMBDC1 and DOMBDC2 - + Assumptions: + + NetBIOS name: SERV1 + Win2K/NT domain name: DOM + Domain's PDC NetBIOS name: DOMPDC + Domain's BDC NetBIOS names: DOMBDC1 and DOMBDC2 + First, you must edit your &smb.conf; file to tell Samba it should diff --git a/docs/docbook/projdoc/Diagnosis.sgml b/docs/docbook/projdoc/Diagnosis.sgml index 1ca15d189a..6c7ac68ba4 100644 --- a/docs/docbook/projdoc/Diagnosis.sgml +++ b/docs/docbook/projdoc/Diagnosis.sgml 
@@ -82,7 +82,7 @@ best way to check this is with testparm smb.conf. It is helpful to monitor the log files during testing by using the -tail -F log_file_name in a separate +tail -F log_file_name in a separate terminal console (use ctrl-alt-F1 through F6 or multiple terminals in X). Relevant log files can be found (for default installations) in /usr/local/samba/var. Also, connection logs from diff --git a/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml index be7a6d5201..6a3bcacf17 100644 --- a/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml +++ b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml @@ -330,7 +330,7 @@ for this including: -Read the chapter about the User Database +Read the chapter about the User Database for details. diff --git a/docs/docbook/projdoc/security_level.sgml b/docs/docbook/projdoc/security_level.sgml index a59392bbac..f19ec4a1e8 100644 --- a/docs/docbook/projdoc/security_level.sgml +++ b/docs/docbook/projdoc/security_level.sgml @@ -130,8 +130,8 @@ Windows NT server, the later natively capable of encrypted password support. Server level security is incompatible with what is known -as schannel or "sign and seal" protocols. This means that -if you want to use server level security you must disable +as schannel or "sign and seal" protocols. This means that +if you want to use server level security you must disable the use of "sign and seal" on all machines on your network. -- cgit From d820b547bd5c555c566bb49cefb7004597cfe114 Mon Sep 17 00:00:00 2001 
From: John Terpstra Date: Sat, 26 Apr 2003 01:38:46 +0000 Subject: Many typos, syntax fixes, more. Multiple sources including mega patch from - Jesse Jacobs (This used to be commit 5da18339e19bf2bcc23a19339c8a6a3052246d44) --- docs/docbook/projdoc/Bugs.sgml | 4 +- docs/docbook/projdoc/CUPS-printing.sgml | 83 ++++++++++++---------- docs/docbook/projdoc/Compiling.sgml | 4 +- docs/docbook/projdoc/Diagnosis.sgml | 4 +- docs/docbook/projdoc/Integrating-with-Windows.sgml | 8 +-- docs/docbook/projdoc/InterdomainTrusts.sgml | 12 ++-- docs/docbook/projdoc/NT4Migration.sgml | 13 ++-- docs/docbook/projdoc/Other-Clients.sgml | 2 +- .../projdoc/PAM-Authentication-And-Samba.sgml | 2 +- docs/docbook/projdoc/Problems.sgml | 4 +- docs/docbook/projdoc/ProfileMgmt.sgml | 13 ++-- docs/docbook/projdoc/SWAT.sgml | 10 +-- docs/docbook/projdoc/Speed.sgml | 2 +- docs/docbook/projdoc/VFS.sgml | 10 +-- docs/docbook/projdoc/passdb.sgml | 27 ++++--- docs/docbook/projdoc/securing-samba.sgml | 4 +- docs/docbook/projdoc/unicode.sgml | 4 +- 17 files changed, 116 insertions(+), 90 deletions(-) (limited to 'docs') diff --git a/docs/docbook/projdoc/Bugs.sgml b/docs/docbook/projdoc/Bugs.sgml index 155ab353f4..e7ebde788b 100644 --- a/docs/docbook/projdoc/Bugs.sgml +++ b/docs/docbook/projdoc/Bugs.sgml @@ -164,7 +164,7 @@ occurred. Include this in your mail. -If you known any assembly language then do a disass of the routine +If you know any assembly language then do a disass of the routine where the problem occurred (if its in a library routine then disassemble the routine that called it) and try to work out exactly where the problem is by looking at the surrounding code. Even if you 
@@ -195,7 +195,7 @@ where it occurred. The best sort of bug report is one that includes a fix! If you send us patches please use diff -u format if your version of diff supports it, otherwise use diff -c4. Make sure -your do the diff against a clean version of the source and let me know +you do the diff against a clean version of the source and let me know exactly what version you used. diff --git a/docs/docbook/projdoc/CUPS-printing.sgml b/docs/docbook/projdoc/CUPS-printing.sgml index ea10ba0e75..57faebdcd6 100644 --- a/docs/docbook/projdoc/CUPS-printing.sgml +++ b/docs/docbook/projdoc/CUPS-printing.sgml @@ -294,9 +294,12 @@ for the mailing, etc.). -CUPS as a network PostScript RIP -- CUPS drivers working on server, Adobe -PostScript driver with CUPS-PPDs downloaded to clients +CUPS as a network PostScript RIP + +This is the configuration where CUPS drivers are working on server, and where the +Adobe PostScript driver with CUPS-PPDs is downloaded to clients. + CUPS is perfectly able to use PPD files (PostScript @@ -543,7 +546,8 @@ associated with this printer is copied from /etc/cups/ppd/ root# cupsaddsmb -U root infotec_IS2027 -Password for root required to access localhost via SAMBA: [type in password 'secret'] +Password for root required to access localhost via +SAMBA: [type in password 'secret'] 
@@ -568,7 +572,8 @@ Note: The following line shave been wrapped so that information is not lost. root# cupsaddsmb -v -U root infotec_IS2027 Password for root required to access localhost via SAMBA: Running command: smbclient //localhost/print\$ -N -U'root%secret' -c 'mkdir W32X86;put - /var/spool/cups/tmp/3cd1cc66376c0 W32X86/infotec_IS2027.PPD;put /usr/share/cups/drivers/ + /var/spool/cups/tmp/3cd1cc66376c0 W32X86/infotec_IS2027.PPD;put + /usr/share/cups/drivers/ ADOBEPS5.DLL W32X86/ADOBEPS5.DLL;put /usr/share/cups/drivers/ADOBEPSU.DLLr W32X86/ADOBEPSU.DLL;put /usr/share/cups/drivers/ADOBEPSU.HLP W32X86/ADOBEPSU.HLP' added interface ip=10.160.16.45 bcast=10.160.31.255 nmask=255.255.240.0 
@@ -576,14 +581,14 @@ Note: The following line shave been wrapped so that information is not lost. added interface ip=172.16.200.1 bcast=172.16.200.255 nmask=255.255.255.0 Domain=[TUX-NET] OS=[Unix] Server=[Samba 2.2.3a.200204262025cvs] NT_STATUS_OBJECT_NAME_COLLISION making remote directory \W32X86 - putting file /var/spool/cups/tmp/3cd1cc66376c0 as \W32X86/infotec_IS2027.PPD (17394.6 kb/s) - (average 17395.2 kb/s) - putting file /usr/share/cups/drivers/ADOBEPS5.DLL as \W32X86/ADOBEPS5.DLL (10877.4 kb/s) - (average 11343.0 kb/s) - putting file /usr/share/cups/drivers/ADOBEPSU.DLL as \W32X86/ADOBEPSU.DLL (5095.2 kb/s) - (average 9260.4 kb/s) - putting file /usr/share/cups/drivers/ADOBEPSU.HLP as \W32X86/ADOBEPSU.HLP (8828.7 kb/s) - (average 9247.1 kb/s) + putting file /var/spool/cups/tmp/3cd1cc66376c0 as + \W32X86/infotec_IS2027.PPD (17394.6 kb/s) (average 17395.2 kb/s) + putting file /usr/share/cups/drivers/ADOBEPS5.DLL as + \W32X86/ADOBEPS5.DLL (10877.4 kb/s) (average 11343.0 kb/s) + putting file /usr/share/cups/drivers/ADOBEPSU.DLL as + \W32X86/ADOBEPSU.DLL (5095.2 kb/s) (average 9260.4 kb/s) + putting file /usr/share/cups/drivers/ADOBEPSU.HLP as + \W32X86/ADOBEPSU.HLP (8828.7 kb/s) (average 9247.1 kb/s) Running command: smbclient //localhost/print\$ -N -U'root%secret' -c 'mkdir WIN40;put /var/spool/cups/tmp/3cd1cc66376c0 WIN40/infotec_IS2027.PPD;put 
@@ -598,32 +603,37 @@ Note: The following line shave been wrapped so that information is not lost. added interface ip=172.16.200.1 bcast=172.16.200.255 nmask=255.255.255.0 Domain=[TUX-NET] OS=[Unix] Server=[Samba 2.2.3a.200204262025cvs] NT_STATUS_OBJECT_NAME_COLLISION making remote directory \WIN40 - putting file /var/spool/cups/tmp/3cd1cc66376c0 as \WIN40/infotec_IS2027.PPD (26091.5 kb/s) - (average 26092.8 kb/s) - putting file /usr/share/cups/drivers/ADFONTS.MFM as \WIN40/ADFONTS.MFM (11241.6 kb/s) - (average 11812.9 kb/s) - putting file /usr/share/cups/drivers/ADOBEPS4.DRV as \WIN40/ADOBEPS4.DRV (16640.6 kb/s) - (average 14679.3 kb/s) - putting file /usr/share/cups/drivers/ADOBEPS4.HLP as \WIN40/ADOBEPS4.HLP (11285.6 kb/s) - (average 14281.5 kb/s) - putting file /usr/share/cups/drivers/DEFPRTR2.PPD as \WIN40/DEFPRTR2.PPD (823.5 kb/s) - (average 12944.0 kb/s) - putting file /usr/share/cups/drivers/ICONLIB.DLL as \WIN40/ICONLIB.DLL (19226.2 kb/s) - (average 13169.7 kb/s) - putting file /usr/share/cups/drivers/PSMON.DLL as \WIN40/PSMON.DLL (18666.1 kb/s) - (average 13266.7 kb/s) - - Running command: rpcclient localhost -N -U'root%secret' -c 'adddriver "Windows NT x86" - "infotec_IS2027:ADOBEPS5.DLL:infotec_IS2027.PPD:ADOBEPSU.DLL:ADOBEPSU.HLP:NULL:RAW:NULL"' - cmd = adddriver "Windows NT x86" "infotec_IS2027:ADOBEPS5.DLL:infotec_IS2027.PPD:ADOBEPSU.DLL: + putting file /var/spool/cups/tmp/3cd1cc66376c0 as + \WIN40/infotec_IS2027.PPD (26091.5 kb/s) (average 26092.8 kb/s) + putting file /usr/share/cups/drivers/ADFONTS.MFM as + \WIN40/ADFONTS.MFM (11241.6 kb/s) (average 11812.9 kb/s) + putting file /usr/share/cups/drivers/ADOBEPS4.DRV as + \WIN40/ADOBEPS4.DRV (16640.6 kb/s) (average 14679.3 kb/s) + putting file /usr/share/cups/drivers/ADOBEPS4.HLP as + \WIN40/ADOBEPS4.HLP (11285.6 kb/s) (average 14281.5 kb/s) + putting file /usr/share/cups/drivers/DEFPRTR2.PPD as + \WIN40/DEFPRTR2.PPD (823.5 kb/s) (average 12944.0 kb/s) + putting file 
/usr/share/cups/drivers/ICONLIB.DLL as + \WIN40/ICONLIB.DLL (19226.2 kb/s) (average 13169.7 kb/s) + putting file /usr/share/cups/drivers/PSMON.DLL as + \WIN40/PSMON.DLL (18666.1 kb/s) (average 13266.7 kb/s) + + Running command: rpcclient localhost -N -U'root%secret' + -c 'adddriver "Windows NT x86" + "infotec_IS2027:ADOBEPS5.DLL:infotec_IS2027.PPD:ADOBEPSU.DLL: + ADOBEPSU.HLP:NULL:RAW:NULL"' + cmd = adddriver "Windows NT x86" + "infotec_IS2027:ADOBEPS5.DLL:infotec_IS2027.PPD:ADOBEPSU.DLL: ADOBEPSU.HLP:NULL:RAW:NULL" Printer Driver infotec_IS2027 successfully installed. - Running command: rpcclient localhost -N -U'root%secret' -c 'adddriver "Windows 4.0" - "infotec_IS2027:ADOBEPS4.DRV:infotec_IS2027.PPD:NULL:ADOBEPS4.HLP:PSMON.DLL:RAW: - ADFONTS.MFM,DEFPRTR2.PPD,ICONLIB.DLL"' - cmd = adddriver "Windows 4.0" "infotec_IS2027:ADOBEPS4.DRV:infotec_IS2027.PPD:NULL: - ADOBEPS4.HLP:PSMON.DLL:RAW:ADFONTS.MFM,DEFPRTR2.PPD,ICONLIB.DLL" + Running command: rpcclient localhost -N -U'root%secret' + -c 'adddriver "Windows 4.0" + "infotec_IS2027:ADOBEPS4.DRV:infotec_IS2027.PPD:NULL: + ADOBEPS4.HLP:PSMON.DLL:RAW: ADFONTS.MFM,DEFPRTR2.PPD,ICONLIB.DLL"' + cmd = adddriver "Windows 4.0" "infotec_IS2027:ADOBEPS4.DRV: + infotec_IS2027.PPD:NULL:ADOBEPS4.HLP:PSMON.DLL:RAW: + ADFONTS.MFM,DEFPRTR2.PPD,ICONLIB.DLL" Printer Driver infotec_IS2027 successfully installed. Running command: rpcclient localhost -N -U'root%secret' @@ -1537,7 +1547,8 @@ as compared to the Adobe drivers? the Adobe drivers (depending on the printer PPD associated with them) often put a PJL header in front of the core PostScript part of the print - file (thus the file starts with "1B%-12345X" or "escape%-12345X" + file (thus the file starts with "1B%-12345X" + or "escape%-12345X" instead of "%!PS"). This leads to the CUPS daemon autotyping the arriving file as a print-ready file, not requiring a pass thru the "pstops" filter (to speak more technical, it is not regarded as the 
diff --git a/docs/docbook/projdoc/Compiling.sgml b/docs/docbook/projdoc/Compiling.sgml index 15b5acc594..664975779c 100644 --- a/docs/docbook/projdoc/Compiling.sgml +++ b/docs/docbook/projdoc/Compiling.sgml @@ -71,7 +71,7 @@ url="http://samba.org/cgi-bin/cvsweb">http://samba.org/cgi-bin/cvsweb You can also access the source code via a -normal cvs client. This gives you much more control over you can +normal cvs client. This gives you much more control over what you can do with the repository and allows you to checkout whole source trees and keep them up to date via normal cvs commands. This is the preferred method of access if you are a developer and not @@ -134,7 +134,7 @@ on this system just substitute the correct package name - CVS branches other HEAD can be obtained by using the -r + CVS branches other then HEAD can be obtained by using the -r and defining a tag name. A list of branch tag names can be found on the "Development" page of the samba web site. A common request is to obtain the latest 2.2 release code. This could be done by using the following userinput. diff --git a/docs/docbook/projdoc/Diagnosis.sgml b/docs/docbook/projdoc/Diagnosis.sgml index 6c7ac68ba4..150f071b78 100644 --- a/docs/docbook/projdoc/Diagnosis.sgml +++ b/docs/docbook/projdoc/Diagnosis.sgml @@ -216,7 +216,7 @@ To solve this problem change these lines to: Do NOT use the bind interfaces only parameter where you may wish to use the samba password change facility, or where &smbclient; may need to -access local service for name resolution or for local resource +access a local service for name resolution or for local resource connections. (Note: the bind interfaces only parameter deficiency where it will not allow connections to the loopback address will be fixed soon). 
@@ -302,7 +302,7 @@ address, broadcast and netmask. If your PC and server aren't on the same subnet then you will need to -use the -B option to set the broadcast address to the that of the PCs +use the -B option to set the broadcast address to that of the PCs subnet. diff --git a/docs/docbook/projdoc/Integrating-with-Windows.sgml b/docs/docbook/projdoc/Integrating-with-Windows.sgml index f6ac0be5a4..9f0de0a56a 100644 --- a/docs/docbook/projdoc/Integrating-with-Windows.sgml +++ b/docs/docbook/projdoc/Integrating-with-Windows.sgml @@ -8,7 +8,7 @@ Integrating MS Windows networks with Samba -This section deals with NetBIOS over TCP/IP name to IP address resolution. If you +This section deals with NetBIOS over TCP/IP name to IP address resolution. If your MS Windows clients are NOT configured to use NetBIOS over TCP/IP then this section does not apply to your installation. If your installation involves use of NetBIOS over TCP/IP then this section may help you to resolve networking problems. @@ -307,7 +307,7 @@ One further point of clarification should be noted, the /etc/hostsC:\WINNT\SYSTEM32\DRIVERS\ETC and contains the IP Address and the machine name in matched pairs. The LMHOSTS file performs NetBIOS name -to IP address mapping oriented. +to IP address mapping. @@ -493,7 +493,7 @@ every way the equivalent of the Unix/Linux /etc/hosts file. This capability is configured in the TCP/IP setup area in the network configuration facility. If enabled an elaborate name resolution sequence -is followed the precise nature of which isdependant on what the NetBIOS +is followed the precise nature of which is dependant on what the NetBIOS Node Type parameter is configured to. A Node Type of 0 means use NetBIOS broadcast (over UDP broadcast) is first used if the name that is the subject of a name lookup is not found in the NetBIOS name diff --git a/docs/docbook/projdoc/InterdomainTrusts.sgml b/docs/docbook/projdoc/InterdomainTrusts.sgml index dc34e7eca7..2c492d4ac0 100644 
--- a/docs/docbook/projdoc/InterdomainTrusts.sgml +++ b/docs/docbook/projdoc/InterdomainTrusts.sgml @@ -123,7 +123,7 @@ between domains in purely Samba environment. Samba-3 as the Trusting Domain -In order to set Samba PDC to be trusted party of the relationship first you need +In order to set the Samba PDC to be the trusted party of the relationship first you need to create special account for the domain that will be the trusting party. To do that, you can use the 'smbpasswd' utility. Creating the trusted domain account is very similiar to creating a trusted machine account. Suppose, your domain is @@ -152,8 +152,8 @@ The account name will be 'rumba$' (the name of the remote domain) After issuing this command you'll be asked to enter the password for the account. You can use any password you want, but be aware that Windows NT will not change this password until 7 days following account creation. -After the command returns successfully, you can look at the entry for new account -(in the way depending on your configuration) and see that account's name is +After the command returns successfully, you can look at the entry for the new account +(in the stardard way depending on your configuration) and see that account's name is really RUMBA$ and it has 'I' flag in the flags field. Now you're ready to confirm the trust by establishing it from Windows NT Server. @@ -187,8 +187,8 @@ domain (SAMBA) and password securing the relationship. -The password can be arbitrarily chosen. It is easy to change it the password -from Samba server whenever you want. After confirming the password your account is +The password can be arbitrarily chosen. It is easy to change the password +from the Samba server whenever you want. After confirming the password your account is ready for use. Now it's Samba's turn. 
@@ -202,7 +202,7 @@ Using your favourite shell while being logged in as root, issue this command: You will be prompted for the password you just typed on your Windows NT4 Server box. -Don not worry if you see an error message that mentions a returned code of +Do not worry if you see an error message that mentions a returned code of NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT. It means the password you gave is correct and the NT4 Server says the account is ready for interdomain connection and not for ordinary diff --git a/docs/docbook/projdoc/NT4Migration.sgml b/docs/docbook/projdoc/NT4Migration.sgml index 469215e32e..733d1f75ae 100644 --- a/docs/docbook/projdoc/NT4Migration.sgml +++ b/docs/docbook/projdoc/NT4Migration.sgml @@ -129,7 +129,7 @@ includes: Ability to implement a full single-signon architecture - Ability to distribute authentication systems for absolute minimum wide are network bandwidth demand + Ability to distribute authentication systems for absolute minimum wide area network bandwidth demand @@ -462,8 +462,9 @@ Policies (migrate or create new ones) Watch out for Tattoo effect User and Group Profiles - Platform specific so use platform tool to change from a Local to a Roaming profile - Can use new profiles tool to change SIDs (NTUser.DAT) + Platform specific so use platform tool to change from a Local + to a Roaming profile Can use new profiles tool to change SIDs + (NTUser.DAT) Logon Scripts (Know how they work) @@ -472,7 +473,8 @@ User and Group mapping to Unix/Linux Use 'net groupmap' to connect NT4 groups to Unix groups Use pdbedit to set/change user configuration NOTE: -If migrating to LDAP back end it may be easier to dump initial LDAP database to LDIF, then edit, then reload into LDAP +If migrating to LDAP back end it may be easier to dump initial LDAP database +to LDIF, then edit, then reload into LDAP OS specific scripts / programs may be needed Add / delete Users 
@@ -482,7 +484,8 @@ If migrating to LDAP back end it may be easier to dump initial LDAP database to Applied only to domain members (note up to 16 chars) Add / delete Groups Note OS limits on size and nature - Linux limit is 16 char, no spaces and no upper case chars (groupadd) + Linux limit is 16 char, + no spaces and no upper case chars (groupadd) Migration Tools Domain Control (NT4 Style) diff --git a/docs/docbook/projdoc/Other-Clients.sgml b/docs/docbook/projdoc/Other-Clients.sgml index 73316927e0..068b9c0b32 100644 --- a/docs/docbook/projdoc/Other-Clients.sgml +++ b/docs/docbook/projdoc/Other-Clients.sgml @@ -14,7 +14,7 @@ Macintosh clients? -Yes. Thursby now have a CIFS Client / Server called DAVE - see +Yes. Thursby now have a CIFS Client / Server called DAVE diff --git a/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml b/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml index 395bd71a27..9f03f98b5f 100644 --- a/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml +++ b/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml @@ -34,7 +34,7 @@ or by editing individual files that are located in /etc/pam.d/lib/security. If the module - is located other than default then the path may be specified as: + is located outside the default then the path must be specified as: auth required /other_path/pam_strange_module.so diff --git a/docs/docbook/projdoc/Problems.sgml b/docs/docbook/projdoc/Problems.sgml index 1f880a78cd..eb43b63b63 100644 --- a/docs/docbook/projdoc/Problems.sgml +++ b/docs/docbook/projdoc/Problems.sgml @@ -44,7 +44,7 @@ generate a 'LsaEnumTrustedDomains'. Thereafter, the workstation maintains an open connection, and therefore there will be an smbd process running (assuming that you haven't set a really short smbd idle timeout) So, in between pressing ctrl alt delete, and actually -typing in your password, you can gdb attach and continue. +typing in your password, you can attach gdb and continue. 
@@ -85,7 +85,7 @@ formatted files. Installing netmon on an NT workstation requires a couple of steps. The following are for installing Netmon V4.00.349, which comes with Microsoft Windows NT Server 4.0, on Microsoft Windows NT -Workstation 4.0. The process should be similar for other version of +Workstation 4.0. The process should be similar for other versions of Windows NT / Netmon. You will need both the Microsoft Windows NT Server 4.0 Install CD and the Workstation 4.0 Install CD. diff --git a/docs/docbook/projdoc/ProfileMgmt.sgml b/docs/docbook/projdoc/ProfileMgmt.sgml index ac61391306..82897808b2 100644 --- a/docs/docbook/projdoc/ProfileMgmt.sgml +++ b/docs/docbook/projdoc/ProfileMgmt.sgml @@ -102,7 +102,7 @@ of your home directory called .profiles (thus making them h -Not only that, but net use/home will also work, because of a feature in +Not only that, but net use /home will also work, because of a feature in Windows 9x / Me. It removes any directory stuff off the end of the home directory area and only uses the server and share portion. That is, it looks like you specified \\%L\%U for logon home. @@ -157,7 +157,8 @@ There are three ways of doing this: Disable: Only Allow Local User Profiles Disable: Prevent Roaming Profile Change from Propogating to the Server - + + @@ -964,7 +965,7 @@ The default entries are: When a new user first logs onto MS Windows 200x/XP machine the default profile is obtained from C:\Documents and Settings\Default User. The administrator can modify (or change -the contents of this location and MS Windows 200x/XP will gladly user it. This is far from the optimum +the contents of this location and MS Windows 200x/XP will gladly use it. This is far from the optimum arrangement since it will involve copying a new default profile to every MS Windows 200x/XP client workstation. 
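Review bot: In ProfileMgmt.sgml @@ -964,7, the parenthesis opened at "The administrator can modify (or change" is never closed, and the hunk edits the very next line without fixing it. Suggest "can modify (or change) the contents of this location", or drop the parenthesis altogether. The @@ -157,7 hunk above likewise leaves "Propogating" in its context line.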
@@ -981,7 +982,7 @@ login name of the user. This path translates, in Samba parlance, to the smb.conf [NETLOGON] share. The directory - should be created at the root of this share and msut be called Default Profile. + should be created at the root of this share and must be called Default Profile. @@ -998,7 +999,7 @@ the local machine only under the path C:\Documents and Settings\%USERN -Those wishing to modify the default behaviour can do so through up to three methods: +Those wishing to modify the default behaviour can do so through three methods: @@ -1078,7 +1079,7 @@ the others are of type REG_EXPAND_SZ. It makes a huge difference to the speed of handling roaming user profiles if all the folders are stored on a dedicated location on a network server. This means that it will NOT be necessary to -write Outlook PST file over the network for every login and logout. +write the Outlook PST file over the network for every login and logout. diff --git a/docs/docbook/projdoc/SWAT.sgml b/docs/docbook/projdoc/SWAT.sgml index 0aea999b53..f238e8e1b0 100644 --- a/docs/docbook/projdoc/SWAT.sgml +++ b/docs/docbook/projdoc/SWAT.sgml @@ -230,9 +230,9 @@ SWAT has context sensitive help. To find out what each parameter is for simply c Share Settings -To affect a currenly configured share, simple click on the pull down button between the +To affect a currenly configured share, simply click on the pull down button between the Choose Share and the Delete Share buttons, -select the share you wish to operation on, then to edit the settings click on the +select the share you wish to operate on, then to edit the settings click on the Choose Share button, to delete the share simply press the Delete Share button. 
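Review bot: In SWAT.sgml @@ -230,9, the added line "+To affect a currenly configured share, simply click" corrects "simple" but still carries "currenly"; it should be "currently". The Printers Settings hunk that follows (@@ -249,9) repeats the same word in its added line, and its context line "to delete the share simply press the Delete Printer button" says share where printer is meant.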
@@ -249,9 +249,9 @@ into the text field the name of the share to be created, then click on the Printers Settings -To affect a currenly configured printer, simple click on the pull down button between the +To affect a currenly configured printer, simply click on the pull down button between the Choose Printer and the Delete Printer buttons, -select the printer you wish to operation on, then to edit the settings click on the +select the printer you wish to operate on, then to edit the settings click on the Choose Printer button, to delete the share simply press the Delete Printer button. @@ -330,7 +330,7 @@ parameters and their settings. The Password Change Page -The Password Change page is a popular tool. This tool allows to creation, deletion, deactivation +The Password Change page is a popular tool. This tool allows the creation, deletion, deactivation and reactivation of MS Windows networking users on the local machine. Alternatively, you can use this tool to change a local password for a user account. diff --git a/docs/docbook/projdoc/Speed.sgml b/docs/docbook/projdoc/Speed.sgml index 753810c1d8..2509883916 100644 --- a/docs/docbook/projdoc/Speed.sgml +++ b/docs/docbook/projdoc/Speed.sgml @@ -117,7 +117,7 @@ pointless and will cause you to allocate memory unnecessarily. At startup the client and server negotiate a maximum transmit size, which limits the size of nearly all SMB commands. You can set the maximum size that Samba will negotiate using the max xmit = option -in &smb.conf;. Note that this is the maximum size of SMB request that +in &smb.conf;. Note that this is the maximum size of SMB requests that Samba will accept, but not the maximum size that the *client* will accept. The client maximum receive size is sent to Samba by the client and Samba honours this limit. diff --git a/docs/docbook/projdoc/VFS.sgml b/docs/docbook/projdoc/VFS.sgml index 1f29a754b0..225411b427 100644 --- a/docs/docbook/projdoc/VFS.sgml +++ b/docs/docbook/projdoc/VFS.sgml 
@@ -99,9 +99,9 @@ following information will be recorded: recycle -A recycle-bin like modules. When used any unlink call +A recycle-bin like module. When used any unlink call will be intercepted and files moved to the recycle -directory instead of beeing deleted. +directory instead of being deleted. Supported options: @@ -159,7 +159,7 @@ netatalk file sharing services. Advantages compared to the old netatalk module: -it doesn't care about creating of .AppleDouble forks, just keeps ones in sync +it doesn't care about creating of .AppleDouble forks, just keeps them in sync if share in smb.conf doesn't contain .AppleDouble item in hide or veto list, it will be added automatically @@ -174,12 +174,12 @@ netatalk file sharing services. This section contains a listing of various other VFS modules that have been posted but don't currently reside in the Samba CVS -tree for one reason ot another (e.g. it is easy for the maintainer +tree for one reason or another (e.g. it is easy for the maintainer to have his or her own CVS tree). -No statemets about the stability or functionality any module +No statemets about the stability or functionality of any module should be implied due to its presence here. diff --git a/docs/docbook/projdoc/passdb.sgml b/docs/docbook/projdoc/passdb.sgml index 523a34603d..422cf7b7e7 100644 --- a/docs/docbook/projdoc/passdb.sgml +++ b/docs/docbook/projdoc/passdb.sgml 
@@ -867,13 +867,15 @@ identifier:pass must change time column - int(9) identifier:username column - varchar(255) - unix username identifier:domain column - varchar(255) - NT domain user is part of identifier:nt username column - varchar(255) - NT username -identifier:fullname column - varchar(255) - Full name of user +identifier:fullname column - varchar(255) - Full name of user identifier:home dir column - varchar(255) - Unix homedir path -identifier:dir drive column - varchar(2) - Directory drive path (eg: 'H:') -identifier:logon script column - varchar(255) - Batch file to run on client side when logging on +identifier:dir drive column - varchar(2) - Directory drive path (eg: 'H:') +identifier:logon script column - varchar(255) + - Batch file to run on client side when logging on identifier:profile path column - varchar(255) - Path of profile identifier:acct desc column - varchar(255) - Some ASCII NT user data -identifier:workstations column - varchar(255) - Workstations user can logon to (or NULL for all) +identifier:workstations column - varchar(255) + - Workstations user can logon to (or NULL for all) identifier:unknown string column - varchar(255) - unknown string identifier:munged dial column - varchar(255) - ? identifier:uid column - int(9) - Unix user ID (uid) 
@@ -908,11 +910,15 @@ I strongly discourage the use of plaintext passwords, however, you can use them: -If you would like to use plaintext passwords, set 'identifier:lanman pass column' and 'identifier:nt pass column' to 'NULL' (without the quotes) and 'identifier:plain pass column' to the name of the column containing the plaintext passwords. +If you would like to use plaintext passwords, set +'identifier:lanman pass column' and 'identifier:nt pass column' to +'NULL' (without the quotes) and 'identifier:plain pass column' to the +name of the column containing the plaintext passwords. -If you use encrypted passwords, set the 'identifier:plain pass column' to 'NULL' (without the quotes). This is the default. +If you use encrypted passwords, set the 'identifier:plain pass +column' to 'NULL' (without the quotes). This is the default. @@ -944,16 +950,21 @@ Or, set 'identifier:workstations column' to : This module requires libxml2 to be installed. The usage of pdb_xml is pretty straightforward. To export data, use: + -pdbedit -e xml:filename + + pdbedit -e xml:filename + + (where filename is the name of the file to put the data in) To import data, use: pdbedit -i xml:filename -e current-pdb - + + Where filename is the name to read the data from and current-pdb to put it in. diff --git a/docs/docbook/projdoc/securing-samba.sgml b/docs/docbook/projdoc/securing-samba.sgml index eedc7ba725..d320767a77 100644 --- a/docs/docbook/projdoc/securing-samba.sgml +++ b/docs/docbook/projdoc/securing-samba.sgml @@ -44,7 +44,7 @@ might be: The above will only allow SMB connections from 'localhost' (your own computer) and from the two private networks 192.168.2 and -192.168.3. All other connections will be refused connections as soon +192.168.3. All other connections will be refused as soon as the client sends its first packet. The refusal will be marked as a 'not listening on called name' error. 
@@ -84,7 +84,7 @@ If you use the above and someone tries to make a SMB connection to your host over a PPP interface called 'ppp0' then they will get a TCP connection refused reply. In that case no Samba code is run at all as the operating system has been told not to pass connections from that -interface to any process. +interface to any samba process. diff --git a/docs/docbook/projdoc/unicode.sgml b/docs/docbook/projdoc/unicode.sgml index 42d2e1d50f..eaf9990dcb 100644 --- a/docs/docbook/projdoc/unicode.sgml +++ b/docs/docbook/projdoc/unicode.sgml @@ -36,9 +36,9 @@ store one character). -A standardised multibyte charset is unicode, info available at +A standardised multibyte charset is unicode, info is available at www.unicode.org. -Big advantage of using a multibyte charset is that you only need one; no +A big advantage of using a multibyte charset is that you only need one; no need to make sure two computers use the same charset when they are communicating. -- cgit From 629f9d7c95e189981b9890f88775577984e107a7 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sat, 26 Apr 2003 02:28:01 +0000 Subject: Use &author.jerry;, not &person.jerry; (This used to be commit 0833677ee51c95d27b146b40b2e5f681a7f02fcc) --- docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'docs') diff --git a/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml b/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml index 841d24b78d..7250bca824 100644 --- a/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml +++ b/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml @@ -3,7 +3,7 @@ Jean FrançoisMicouleau - &person.jerry; + &author.jerry; -- cgit From 74b9fdc1ccd6c061038d86f7713cb33a89e2261c Mon Sep 17 00:00:00 2001 
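Review bot: In VFS.sgml @@ -174,12, the added line "+No statemets about the stability or functionality of any module" inserts the missing "of" but keeps "statemets"; change it to "statements". In @@ -159,7 of the same file, "it doesn't care about creating of .AppleDouble forks" still reads badly after the edit; "about the creation of" would fix it.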
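Review bot: In securing-samba.sgml @@ -84,7, the added "+interface to any samba process" spells the product name in lower case while the same paragraph has "no Samba code is run at all"; use "Samba" here too.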
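Review bot: In GROUP-MAPPING-HOWTO.sgml @@ -3,7, the swap from &person.jerry; to &author.jerry; touches only this one file, so nothing in the patch shows that &author.jerry; is declared. Confirm the entity exists in the shared entity file before merging, since an undeclared entity stops the DocBook build, and say in the commit message why the author form is the right one in this position.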
From: Jelmer Vernooij Date: Sat, 26 Apr 2003 02:29:33 +0000 Subject: --with-tdbsam is gone (This used to be commit 8f63f7142c6bf1e89b5cc3c0d02cbe480bc247b4) --- docs/docbook/manpages/smb.conf.5.sgml | 2 -- 1 file changed, 2 deletions(-) (limited to 'docs') diff --git a/docs/docbook/manpages/smb.conf.5.sgml b/docs/docbook/manpages/smb.conf.5.sgml index 9486eb87ea..fa61121f4b 100644 --- a/docs/docbook/manpages/smb.conf.5.sgml +++ b/docs/docbook/manpages/smb.conf.5.sgml @@ -5423,8 +5423,6 @@ df $1 | tail -1 | awk '{print $2" "$4}' This option allows the administrator to chose which backends to retrieve and store passwords with. This allows (for example) both smbpasswd and tdbsam to be used without a recompile. Multiple backends can be specified, separated by spaces. The backends will be searched in the order they are specified. New users are always added to the first backend specified. - Experimental backends must still be selected - (eg --with-tdbsam) at configure time. This parameter is in two parts, the backend's name, and a 'location' -- cgit From 54c285888509dcd4520f2608d618012f5877d073 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sat, 26 Apr 2003 02:30:53 +0000 Subject: The net manpage is complete, say so in the VERSION section (This used to be commit ff76db525180f0fc192a9c0cfb56781dbfb418ee) --- docs/docbook/manpages/net.8.sgml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'docs') diff --git a/docs/docbook/manpages/net.8.sgml b/docs/docbook/manpages/net.8.sgml index 6b6ebd1f09..ca52ce8ffc 100644 --- a/docs/docbook/manpages/net.8.sgml +++ b/docs/docbook/manpages/net.8.sgml @@ -883,7 +883,7 @@ to show in the result. VERSION - This man page is incomplete for version 3.0 of the Samba + This man page is complete for version 3.0 of the Samba suite. -- cgit From 013fa338a27eda32dac92882e4fcd39218d8285e Mon Sep 17 00:00:00 2001 
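Review bot: In smb.conf.5.sgml @@ -5423,8, the removed sentence made a general statement about experimental backends, with --with-tdbsam only as its example, so deleting it whole also drops the configure-time requirement for any other backend. If only the tdbsam flag is gone, reword the sentence rather than removing it. Either way, the context line "allows the administrator to chose which backends" needs "choose".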
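Review bot: In net.8.sgml @@ -883,7, "This man page is complete for version 3.0" departs from the wording the other pages in this series use in their VERSION section, "This man page is correct for version 3.0 of the Samba suite." Use "correct" here as well so the sections read the same.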
From: Gerald Carter Date: Sat, 26 Apr 2003 17:22:13 +0000 Subject: removing smbgroupedit manpage (This used to be commit 4a0c02d133af6ea6f1009b81067974d6ad4fb404) --- docs/docbook/Makefile.in | 2 +- docs/docbook/manpages/smbgroupedit.8.sgml | 229 --------------------- docs/htmldocs/smbgroupedit.8.html | 331 ------------------------------ docs/manpages/manpage.links | 0 docs/manpages/manpage.refs | 39 ---- docs/manpages/smbgroupedit.8 | 148 ------------- 6 files changed, 1 insertion(+), 748 deletions(-) delete mode 100644 docs/docbook/manpages/smbgroupedit.8.sgml delete mode 100644 docs/htmldocs/smbgroupedit.8.html delete mode 100644 docs/manpages/manpage.links delete mode 100644 docs/manpages/manpage.refs delete mode 100644 docs/manpages/smbgroupedit.8 (limited to 'docs') diff --git a/docs/docbook/Makefile.in b/docs/docbook/Makefile.in index 0739f43f84..ce3d009f6c 100644 --- a/docs/docbook/Makefile.in +++ b/docs/docbook/Makefile.in @@ -21,7 +21,7 @@ MANPAGES_NAMES=findsmb.1 smbclient.1 \ smbpasswd.8 testprns.1 \ smb.conf.5 wbinfo.1 pdbedit.8 \ smbcacls.1 smbsh.1 winbindd.8 \ - smbgroupedit.8 vfstest.1 \ + vfstest.1 \ profiles.1 smbtree.1 ntlm_auth.1 \ editreg.1 smbcquotas.1 diff --git a/docs/docbook/manpages/smbgroupedit.8.sgml b/docs/docbook/manpages/smbgroupedit.8.sgml deleted file mode 100644 index 6c489bb785..0000000000 --- a/docs/docbook/manpages/smbgroupedit.8.sgml +++ /dev/null 
@@ -1,229 +0,0 @@ - - - - - smbgroupedit - 8 - - - - smbgroupedit - Query/set/change UNIX - Windows NT group mapping - - - - - smbroupedit - -v [l|s] - -a UNIX-groupname [-d NT-groupname|-p privilege|] - - - - - - - -DESCRIPTION - - -This program is part of the Samba -7 suite. - - -The smbgroupedit command allows for mapping unix groups -to NT Builtin, Domain, or Local groups. Also -allows setting privileges for that group, such as saAddUser, -etc. - - - - - - OPTIONS - - - - -v[l|s] - This option will list all groups available - in the Windows NT domain in which samba is operating. - - - - - -l - give a long listing, of the format: - - -"NT Group Name" - SID : - Unix group : - Group type : - Comment : - Privilege : - - -For example: - -Users - SID : S-1-5-32-545 - Unix group: -1 - Group type: Local group - Comment : - Privilege : No privilege - - - - - - - -s - display a short listing of the format: - - -NTGroupName(SID) -> UnixGroupName - - -For example: - -Users (S-1-5-32-545) -> -1 - - - - - - - - - - - - - - - -FILES - - - - - - - - - -EXIT STATUS - - -smbgroupedit returns a status of 0 if the -operation completed successfully, and a value of 1 in the event -of a failure. - - - - - - - - - - -EXAMPLES - - - -To make a subset of your samba PDC users members of -the 'Domain Admins' Global group: - - - - - create a unix group (usually in - /etc/group), let's call it domadm. - - - add to this group the users that you want to be - domain administrators. 
For example if you want joe, john and mary, - your entry in /etc/group will look like: - - - domadm:x:502:joe,john,mary - - - map this domadm group to the 'domain admins' group: - - Get the SID for the Windows NT "Domain Admins" group: - -root# smbgroupedit -vs | grep "Domain Admins" -Domain Admins (S-1-5-21-1108995562-3116817432-1375597819-512) -> -1 - - - map the unix domadm group to the Windows NT - "Domain Admins" group, by running the command: - -root# smbgroupedit \ --c S-1-5-21-1108995562-3116817432-1375597819-512 \ --u domadm -td - - - warning: don't copy and paste this sample, the - Domain Admins SID (the S-1-5-21-...-512) is different for every PDC. - - - - - - -To verify that your mapping has taken effect: - -root# smbgroupedit -vs|grep "Domain Admins" -Domain Admins (S-1-5-21-1108995562-3116817432-1375597819-512) -> domadm - - -To give access to a certain directory on a domain member machine (an -NT/W2K or a samba server running winbind) to some users who are member -of a group on your samba PDC, flag that group as a domain group: - -root# smbgroupedit -a unixgroup -td - - - - - - -VERSION - - -This man page is correct for the 3.0alpha releases of -the Samba suite. - - - - -SEE ALSO - - -smb.conf -5 - - - - - -AUTHOR - - -The original Samba software and related utilities -were created by Andrew Tridgell. Samba is now developed -by the Samba Team as an Open Source project similar -to the way the Linux kernel is developed. - - - -smbgroupedit was written by Jean Francois Micouleau. -The current set of manpages and documentation is maintained -by the Samba Team in the same fashion as the Samba source code. The conversion -to DocBook XML 4.2 for Samba 3.0 was done by Alexander Bokovoy. - - - diff --git a/docs/htmldocs/smbgroupedit.8.html b/docs/htmldocs/smbgroupedit.8.html deleted file mode 100644 index 32e00315b4..0000000000 --- a/docs/htmldocs/smbgroupedit.8.html +++ /dev/null @@ -1,331 +0,0 @@ - -smbgroupedit

smbgroupedit

Name

smbgroupedit -- Query/set/change UNIX - Windows NT group mapping

Synopsis

smbroupedit [-v [l|s]] [-a UNIX-groupname [-d NT-groupname|-p privilege|]]

DESCRIPTION

This program is part of the Samba(7) suite.

The smbgroupedit command allows for mapping unix groups -to NT Builtin, Domain, or Local groups. Also -allows setting privileges for that group, such as saAddUser, -etc.

OPTIONS

-v[l|s]

This option will list all groups available - in the Windows NT domain in which samba is operating. -

-l

give a long listing, of the format:

"NT Group Name"
-    SID            :
-    Unix group     :
-    Group type     :
-    Comment        :
-    Privilege      :

For example: -

Users
-    SID       : S-1-5-32-545
-    Unix group: -1
-    Group type: Local group
-    Comment   :
-    Privilege : No privilege

-s

display a short listing of the format:

NTGroupName(SID) -> UnixGroupName

For example: -

Users (S-1-5-32-545) -> -1

FILES

EXIT STATUS

smbgroupedit returns a status of 0 if the -operation completed successfully, and a value of 1 in the event -of a failure.

EXAMPLES

To make a subset of your samba PDC users members of -the 'Domain Admins' Global group:

  1. create a unix group (usually in - /etc/group), let's call it domadm. -

  2. add to this group the users that you want to be - domain administrators. For example if you want joe, john and mary, - your entry in /etc/group will look like: -

    domadm:x:502:joe,john,mary

  3. map this domadm group to the 'domain admins' group:

    1. Get the SID for the Windows NT "Domain Admins" group:

      root# smbgroupedit -vs | grep "Domain Admins"
      -Domain Admins (S-1-5-21-1108995562-3116817432-1375597819-512) -> -1

    2. map the unix domadm group to the Windows NT - "Domain Admins" group, by running the command: -

      root# smbgroupedit \
      --c S-1-5-21-1108995562-3116817432-1375597819-512 \
      --u domadm -td

      warning: don't copy and paste this sample, the - Domain Admins SID (the S-1-5-21-...-512) is different for every PDC. -

To verify that your mapping has taken effect: -

root# smbgroupedit -vs|grep "Domain Admins"
-Domain Admins (S-1-5-21-1108995562-3116817432-1375597819-512) -> domadm

To give access to a certain directory on a domain member machine (an -NT/W2K or a samba server running winbind) to some users who are member -of a group on your samba PDC, flag that group as a domain group: -

root# smbgroupedit -a unixgroup -td

VERSION

This man page is correct for the 3.0alpha releases of -the Samba suite.

SEE ALSO

smb.conf(5)

AUTHOR

The original Samba software and related utilities -were created by Andrew Tridgell. Samba is now developed -by the Samba Team as an Open Source project similar -to the way the Linux kernel is developed.

smbgroupedit was written by Jean Francois Micouleau. -The current set of manpages and documentation is maintained -by the Samba Team in the same fashion as the Samba source code. The conversion -to DocBook XML 4.2 for Samba 3.0 was done by Alexander Bokovoy.

\ No newline at end of file diff --git a/docs/manpages/manpage.links b/docs/manpages/manpage.links deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/docs/manpages/manpage.refs b/docs/manpages/manpage.refs deleted file mode 100644 index 81323bebe1..0000000000 --- a/docs/manpages/manpage.refs +++ /dev/null @@ -1,39 +0,0 @@ -{ - '' => '', - 'refentry:SMBGROUPEDIT.8' => 'smbgroupedit(8)', - 'refentry:NET.8' => 'net(8)', - 'refentry:SAMBA.7' => 'samba(7)', - 'refentry:SMBSTATUS.1' => 'smbstatus(1)', - 'refentry:SMBCACLS.1' => 'smbcacls(1)', - 'refentry:WBINFO.1' => 'wbinfo(1)', - 'refentry:NTLM-AUTH.1' => 'ntlm_auth(1)', - 'refentry:SMBPASSWD.8' => 'smbpasswd(8)', - 'refentry:SMB.CONF.5' => 'smb.conf(5)', - 'refentry:FINDSMB.1' => 'findsmb(1)', - 'refentry:SMBCONTROL.1' => 'smbcontrol(1)', - 'refentry:TESTPRNS.1' => 'testprns(1)', - 'refentry:SMBPASSWD.5' => 'smbpasswd(5)', - 'refentry:SMBD.8' => 'smbd(8)', - 'refentry:SMBTREE.1' => 'smbtree(1)', - 'refentry:EDITREG.1' => 'editreg(1)', - 'refentry:SMBCLIENT.1' => 'smbclient(1)', - 'refentry:WINBINDD.8' => 'winbindd(8)', - 'refentry:NMBLOOKUP' => 'nmblookup(1)', - 'refentry:SMBMOUNT.8' => 'smbmount(8)', - 'refentry:SMBCQUOTAS.1' => 'smbcquotas(1)', - 'refentry:PDBEDIT.8' => 'pdbedit(8)', - 'refentry:NTLM_AUTH.1' => 'ntlm_auth(1)', - 'refentry:SWAT.8' => 'swat(8)', - 'refentry:PROFILES.1' => 'profiles(1)', - 'refentry:LMHOSTS.5' => 'lmhosts(5)', - 'refentry:SMBMNT.8' => 'smbmnt(8)', - 'refentry:SMBSH.1' => 'smbsh(1)', - 'refentry:SMBSPOOL.8' => 'smbspool(8)', - 'refentry:RPCCLIENT.1' => 'rpcclient(1)', - 'refentry:VFSTEST.1' => 'vfstest(1)', - 'refentry:NMBD.8' => 'nmbd(8)', - 'refentry:TESTPARM.1' => 'testparm(1)', - 'refentry:SMBUMOUNT.8' => 'smbumount(8)', - 'refentry:SMBTAR.1' => 'smbtar(1)', - '' => '' -} diff --git a/docs/manpages/smbgroupedit.8 b/docs/manpages/smbgroupedit.8 deleted file mode 100644 index cd6a79acb1..0000000000 --- a/docs/manpages/smbgroupedit.8 +++ /dev/null 
@@ -1,148 +0,0 @@ -.\" This manpage has been automatically generated by docbook2man -.\" from a DocBook document. This tool can be found at: -.\" -.\" Please send any bug reports, improvements, comments, patches, -.\" etc. to Steve Cheng . -.TH "SMBGROUPEDIT" "8" "19 april 2003" "" "" - -.SH NAME -smbgroupedit \- Query/set/change UNIX - Windows NT group mapping -.SH SYNOPSIS - -\fBsmbroupedit\fR [ \fB-v [l|s]\fR ] [ \fB-a UNIX-groupname [-d NT-groupname|-p privilege|]\fR ] - -.SH "DESCRIPTION" -.PP -This program is part of the \fBSamba\fR(7) suite. -.PP -The smbgroupedit command allows for mapping unix groups -to NT Builtin, Domain, or Local groups. Also -allows setting privileges for that group, such as saAddUser, -etc. -.SH "OPTIONS" -.TP -\fB-v[l|s]\fR -This option will list all groups available -in the Windows NT domain in which samba is operating. -.RS -.TP -\fB-l\fR -give a long listing, of the format: - - -.nf -"NT Group Name" - SID : - Unix group : - Group type : - Comment : - Privilege : -.fi - -For example: - -.nf -Users - SID : S-1-5-32-545 - Unix group: -1 - Group type: Local group - Comment : - Privilege : No privilege -.fi -.TP -\fB-s\fR -display a short listing of the format: - - -.nf -NTGroupName(SID) -> UnixGroupName -.fi - -For example: - -.nf -Users (S-1-5-32-545) -> -1 -.fi -.RE -.SH "FILES" -.PP -.SH "EXIT STATUS" -.PP -\fBsmbgroupedit\fR returns a status of 0 if the -operation completed successfully, and a value of 1 in the event -of a failure. -.SH "EXAMPLES" -.PP -To make a subset of your samba PDC users members of -the 'Domain Admins' Global group: -.TP 3 -1. -create a unix group (usually in -\fI/etc/group\fR), let's call it domadm. -.TP 3 -2. -add to this group the users that you want to be -domain administrators. For example if you want joe, john and mary, -your entry in \fI/etc/group\fR will look like: - -domadm:x:502:joe,john,mary -.TP 3 -3. -map this domadm group to the 'domain admins' group: -.RS -.TP 3 -1. 
-Get the SID for the Windows NT "Domain Admins" group: - - -.nf -root# \fBsmbgroupedit -vs | grep "Domain Admins"\fR -Domain Admins (S-1-5-21-1108995562-3116817432-1375597819-512) -> -1 -.fi -.TP 3 -2. -map the unix domadm group to the Windows NT -"Domain Admins" group, by running the command: - -.nf -root# \fBsmbgroupedit \\ --c S-1-5-21-1108995562-3116817432-1375597819-512 \\ --u domadm -td\fR -.fi - -\fBwarning:\fR don't copy and paste this sample, the -Domain Admins SID (the S-1-5-21-...-512) is different for every PDC. -.RE -.PP -To verify that your mapping has taken effect: - -.nf -root# \fBsmbgroupedit -vs|grep "Domain Admins"\fR -Domain Admins (S-1-5-21-1108995562-3116817432-1375597819-512) -> domadm -.fi -.PP -To give access to a certain directory on a domain member machine (an -NT/W2K or a samba server running winbind) to some users who are member -of a group on your samba PDC, flag that group as a domain group: - -.nf -root# \fBsmbgroupedit -a unixgroup -td\fR -.fi -.SH "VERSION" -.PP -This man page is correct for the 3.0alpha releases of -the Samba suite. -.SH "SEE ALSO" -.PP -\fBsmb.conf\fR(5) -.SH "AUTHOR" -.PP -The original Samba software and related utilities -were created by Andrew Tridgell. Samba is now developed -by the Samba Team as an Open Source project similar -to the way the Linux kernel is developed. -.PP -\fBsmbgroupedit\fR was written by Jean Francois Micouleau. -The current set of manpages and documentation is maintained -by the Samba Team in the same fashion as the Samba source code. The conversion -to DocBook XML 4.2 for Samba 3.0 was done by Alexander Bokovoy. -- cgit From ca42a64f9b2bca475cc77c8fd08d54c397c311eb Mon Sep 17 00:00:00 2001 
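Review bot: The diffstat and the manpage.refs hunk (@@ -1,39 +0,0) show docs/manpages/manpage.refs and docs/manpages/manpage.links being deleted outright, yet the subject only mentions the smbgroupedit manpage. manpage.refs held the cross-reference entries for every page ('refentry:NET.8', 'refentry:SMBD.8' and so on), not just 'refentry:SMBGROUPEDIT.8'. If both files are generated output that should not be tracked, say so in the commit message; otherwise remove only the smbgroupedit entry.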
From: John Terpstra Date: Sat, 26 Apr 2003 18:42:17 +0000 Subject: Added tdbbackup man page. (This used to be commit b217373ba8fc167efc8e68b6db1a9e51e670b12a) --- docs/docbook/global.ent | 1 + docs/docbook/manpages/tdbbackup.8.sgml | 130 +++++++++++++++++++++++++++++++++ 2 files changed, 131 insertions(+) create mode 100644 docs/docbook/manpages/tdbbackup.8.sgml (limited to 'docs') diff --git a/docs/docbook/global.ent b/docs/docbook/global.ent index 2933602e60..efe33c4ff9 100644 --- a/docs/docbook/global.ent +++ b/docs/docbook/global.ent @@ -442,6 +442,7 @@ an Active Directory environment. + diff --git a/docs/docbook/manpages/tdbbackup.8.sgml b/docs/docbook/manpages/tdbbackup.8.sgml new file mode 100644 index 0000000000..25b2c27aef --- /dev/null +++ b/docs/docbook/manpages/tdbbackup.8.sgml 
@@ -0,0 +1,130 @@ + %globalentities; +]> + + + + tdbbackup + 1 + + + + + tdbbackup + tool for backing up and for validating the integrity of samba .tdb files + + + + + tdbbackup + -s suffix + -v + -h + + + + + DESCRIPTION + + This tool is part of the Samba + 1 suite. + + tdbbackup is a tool that may be used to backup samba .tdb + files. This tool may also be used to verify the integrity of the .tdb files prior + to samba startup, in which case, if it find file damage and it finds a prior backup + it will restore the backup file. + + + + + + OPTIONS + + + + + -s suffix + + The -s option allows the adminisistrator to specify a file + backup extension. This way it is possible to keep a history of tdb backup + files by using a new suffix for each backup. + + + + &stdarg.help; + + + -v + + The -v will check the database for damages (currupt data) + which if detected causes the backup to be restored. + + + + &popt.common.samba; + + + + + + + COMMANDS + + GENERAL INFORMATION + + + The tdbbackup utility should be run as soon as samba has shut down. + Do NOT run this command on a live database. Typical usage for the command will be: + + + tdbbackup [-s suffix] *.tdb + + + Before restarting samba the following command may be run to validate .tdb files: + + + tdbbackup -v [-s suffix] *.tdb + + + Samba .tdb files are stored in various locations, be sure to run backup all + .tdb file on the system. Imporatant files includes: + + + + secrets.tdb - usual location is in the /usr/local/samba/private + directory, or on some systems in /etc/samba. + + + + passdb.tdb - usual location is in the /usr/local/samba/private + directory, or on some systems in /etc/samba. + + + + *.tdb located in the /usr/local/samba/var directory or on some + systems in the /var/cache or /var/lib/samba directories. + + + + + + + + VERSION + + This man page is correct for version 3.0 of the Samba suite. + + + + AUTHOR + + + The original Samba software and related utilities were created by Andrew Tridgell. 
+ Samba is now developed by the Samba Team as an Open Source project similar to the way + the Linux kernel is developed. + + + The tdbbackup man page was written by John H Terpstra. + + + -- cgit
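Review bot: The header of the new tdbbackup.8.sgml gives the manual section as 1 ("tdbbackup + 1"), while the file is added as tdbbackup.8.sgml; the two should agree, and the file name suggests section 8 is the intended one. In OPTIONS, the -v text says detected damage "causes the backup to be restored", while the -s text encourages keeping a history under several suffixes, so the page should state which backup file -v restores from and make clear that -v can overwrite a .tdb rather than only report on it. The list of important files names secrets.tdb and passdb.tdb in the private directory; a sentence saying that their backup copies need the same restrictive permissions as the originals would be worth adding there. Spelling and grammar to fix in the same pass: "adminisistrator", "currupt", "Imporatant files includes", "if it find file damage", and "be sure to run backup all .tdb file".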