From dabce971b0a08c2a85428b2db29152dce2cb4075 Mon Sep 17 00:00:00 2001 
From: Jelmer Vernooij Date: Wed, 7 Apr 2004 10:40:50 +0000 Subject: - Better names for some files - Add the build system (This used to be commit 450386e3edfc59e0ad67c12998eddfc46b381250) --- docs/Makefile.in | 50 +- docs/howto/DOMAIN_MEMBER.xml | 1105 -------------------- docs/howto/DomainMember.xml | 1105 ++++++++++++++++++++ docs/howto/GROUP-MAPPING-HOWTO.xml | 668 ------------ docs/howto/Group-Mapping.xml | 668 ++++++++++++ docs/howto/Install.xml | 379 +++++++ docs/howto/PAM-Authentication-And-Samba.xml | 939 ----------------- docs/howto/PAM.xml | 939 +++++++++++++++++ docs/howto/UNIX_INSTALL.xml | 379 ------- docs/xslt/docbook.xsl | 154 +++ docs/xslt/expand-sambadoc.xsl | 486 +++++++++ docs/xslt/extract-examples.xsl | 50 + docs/xslt/figures/caution.eps | 1 + docs/xslt/figures/important.eps | 1 + docs/xslt/figures/note.eps | 1387 ++++++++++++++++++++++++ docs/xslt/figures/tip.eps | 1503 +++++++++++++++++++++++++++ docs/xslt/figures/warning.eps | 1 + docs/xslt/generate-attributions.xsl | 81 ++ docs/xslt/html-chunk.xsl | 16 + docs/xslt/html-common.xsl | 25 + docs/xslt/html.xsl | 11 + docs/xslt/html/samba.css | 80 ++ docs/xslt/latex.xsl | 107 ++ docs/xslt/latex/sambadoc.cls | 466 +++++++++ docs/xslt/lists.mod.xsl | 29 + docs/xslt/man.xsl | 169 +++ docs/xslt/normalize-scape.mod.xsl | 395 +++++++ docs/xslt/table.mod.xsl | 743 +++++++++++++ docs/xslt/unicode.mapping.dtd | 16 + docs/xslt/unicode.mapping.xml | 72 ++ 30 files changed, 8913 insertions(+), 3112 deletions(-) delete mode 100644 docs/howto/DOMAIN_MEMBER.xml create mode 100644 docs/howto/DomainMember.xml delete mode 100644 docs/howto/GROUP-MAPPING-HOWTO.xml create mode 100644 docs/howto/Group-Mapping.xml create mode 100644 docs/howto/Install.xml delete mode 100644 docs/howto/PAM-Authentication-And-Samba.xml create mode 100644 docs/howto/PAM.xml delete mode 100644 docs/howto/UNIX_INSTALL.xml create mode 100644 docs/xslt/docbook.xsl create mode 100644 docs/xslt/expand-sambadoc.xsl create mode 100644 
docs/xslt/extract-examples.xsl create mode 100644 docs/xslt/figures/caution.eps create mode 100644 docs/xslt/figures/important.eps create mode 100644 docs/xslt/figures/note.eps create mode 100644 docs/xslt/figures/tip.eps create mode 100644 docs/xslt/figures/warning.eps create mode 100644 docs/xslt/generate-attributions.xsl create mode 100644 docs/xslt/html-chunk.xsl create mode 100644 docs/xslt/html-common.xsl create mode 100644 docs/xslt/html.xsl create mode 100644 docs/xslt/html/samba.css create mode 100644 docs/xslt/latex.xsl create mode 100644 docs/xslt/latex/sambadoc.cls create mode 100644 docs/xslt/lists.mod.xsl create mode 100644 docs/xslt/man.xsl create mode 100644 docs/xslt/normalize-scape.mod.xsl create mode 100644 docs/xslt/table.mod.xsl create mode 100644 docs/xslt/unicode.mapping.dtd create mode 100644 docs/xslt/unicode.mapping.xml (limited to 'docs') diff --git a/docs/Makefile.in b/docs/Makefile.in index 785be9a91a..7602476cb4 100644 --- a/docs/Makefile.in +++ b/docs/Makefile.in @@ -32,13 +32,14 @@ endif # Paths OUTPUTDIR = output +ARCHIVEDIR = output/archive SRCDIR = @srcdir@ MANDIR=$(OUTPUTDIR)/manpages EPSTOPDF = @EPSTOPDF@ -MANPROJDOC = manpages -PROJDOC = projdoc +MANPAGEDIR = manpages +HOWTODIR = howto MAKEINDEX = @MAKEINDEX@ -IMAGEPROJDIR = $(PROJDOC)/imagefiles +IMAGEPROJDIR = $(HOWTODIR)/imagefiles GUIDEDOC = guide EXAMPLESDIR = examples DEVDOC = devdoc 
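Review bot: `ARCHIVEDIR = output/archive` in the Paths block repeats the literal `output` instead of building on `OUTPUTDIR`, unlike `MANDIR=$(OUTPUTDIR)/manpages` two lines below it. If `OUTPUTDIR` is changed or overridden on the command line, the copies made by the `archive` target added at the end of this file will still land under `output/`. Writing it as `ARCHIVEDIR = $(OUTPUTDIR)/archive` keeps the two in step.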
@@ -47,21 +48,21 @@ PSDIR = $(OUTPUTDIR) PDFDIR = $(OUTPUTDIR) DVIDIR = $(OUTPUTDIR) TXTDIR = $(OUTPUTDIR)/textdocs -FAQPROJDOC = faq +FAQHOWTODIR = faq FAQDIR = $(OUTPUTDIR)/faq HTMLDIR=$(OUTPUTDIR)/htmldocs PLUCKERDIR=$(OUTPUTDIR)/plucker # Lists of files to process LATEX_FIGURES = xslt/figures/caution.pdf xslt/figures/important.pdf xslt/figures/note.pdf xslt/figures/tip.pdf xslt/figures/warning.pdf -MANPAGES_SOURCES = $(wildcard $(MANPROJDOC)/*.?.xml) -MANPAGES = $(patsubst $(MANPROJDOC)/%.xml,$(MANDIR)/%,$(MANPAGES_SOURCES)) $(MANDIR)/smb.conf.5 -MANPAGES_HTML = $(patsubst $(MANPROJDOC)/%.xml,$(HTMLDIR)/%.html,$(MANPAGES_SOURCES)) $(HTMLDIR)/smb.conf.5.html -MANPAGES_PLUCKER = $(patsubst $(MANPROJDOC)/%.xml,$(PLUCKERDIR)/%.pdb,$(MANPAGES_SOURCES)) $(PLUCKERDIR)/smb.conf.5.pdb - -PROJDOC_IMAGES_PNG = $(wildcard $(IMAGEPROJDIR)/*.png) -PROJDOC_IMAGES_EPS=$(patsubst %.png,%.eps,$(wildcard $(IMAGEPROJDIR)/*.png)) -PROJDOC_DEPS = $(PROJDOC)/*.xml $(PROJDOC)/attributions.xml $(MANPROJDOC)/*.xml $(SMBDOTCONFDOC)/smb.conf.5.xml $(SMBDOTCONFDOC)/parameters.all.xml $(SMBDOTCONFDOC)/parameters.global.xml $(SMBDOTCONFDOC)/parameters.service.xml +MANPAGES_SOURCES = $(wildcard $(MANPAGEDIR)/*.?.xml) +MANPAGES = $(patsubst $(MANPAGEDIR)/%.xml,$(MANDIR)/%,$(MANPAGES_SOURCES)) $(MANDIR)/smb.conf.5 +MANPAGES_HTML = $(patsubst $(MANPAGEDIR)/%.xml,$(HTMLDIR)/%.html,$(MANPAGES_SOURCES)) $(HTMLDIR)/smb.conf.5.html +MANPAGES_PLUCKER = $(patsubst $(MANPAGEDIR)/%.xml,$(PLUCKERDIR)/%.pdb,$(MANPAGES_SOURCES)) $(PLUCKERDIR)/smb.conf.5.pdb + +HOWTODIR_IMAGES_PNG = $(wildcard $(IMAGEPROJDIR)/*.png) +HOWTODIR_IMAGES_EPS=$(patsubst %.png,%.eps,$(wildcard $(IMAGEPROJDIR)/*.png)) +HOWTODIR_DEPS = $(HOWTODIR)/*.xml $(HOWTODIR)/attributions.xml $(MANPAGEDIR)/*.xml $(SMBDOTCONFDOC)/smb.conf.5.xml $(SMBDOTCONFDOC)/parameters.all.xml $(SMBDOTCONFDOC)/parameters.global.xml $(SMBDOTCONFDOC)/parameters.service.xml DEVDOC_DEPS = $(DEVDOC)/*.xml $(DEVDOC)/attributions.xml all: 
@@ -101,7 +102,7 @@ txt: $(TXTDIR) $(TXTDIR)/Samba-HOWTO-Collection.txt $(TXTDIR)/Samba-Developers-G htmlman: $(HTMLDIR) $(MANPAGES_HTML) CSS htmlfaq: $(HTMLDIR) CSS - $(XSLTPROC) --stringparam base.dir "$(FAQDIR)/" --stringparam root.filename samba-faq xslt/html-chunk.xsl $(FAQPROJDOC)/sambafaq.xml + $(XSLTPROC) --stringparam base.dir "$(FAQDIR)/" --stringparam root.filename samba-faq xslt/html-chunk.xsl $(FAQHOWTODIR)/sambafaq.xml html-single: $(HTMLDIR) CSS $(HTMLDIR)/Samba-HOWTO-Collection.html $(HTMLDIR)/Samba-Developers-Guide.html @if [ ! -d $(HTMLDIR)/images/ ]; then \ mkdir $(HTMLDIR)/images/; \ @@ -122,7 +123,7 @@ tex: Samba-HOWTO-Collection.tex Samba-Developers-Guide.tex gpl.tex plucker: html-single htmlman htmlfaq $(PLUCKERDIR) $(MANPAGES_PLUCKER) $(PLUCKERDIR)/Samba-Developers-Guide.pdb $(PLUCKERDIR)/Samba-HOWTO-Collection.pdb $(PLUCKERBUILD) -v -M2 --stayonhost --noimages --zlib-compression -H file:$(FAQDIR)/samba-faq.html -f samba-faq -p $(PLUCKERDIR) -Samba-HOWTO-Collection.xml: $(PROJDOC)/samba-doc.xml $(PROJDOC_DEPS) +Samba-HOWTO-Collection.xml: $(HOWTODIR)/index.xml $(HOWTODIR_DEPS) $(XSLTPROC) --stringparam noreference 1 --xinclude --output $@ xslt/expand-sambadoc.xsl $< Samba-Guide.xml: $(GUIDEDOC)/guide-main.xml @@ -131,7 +132,7 @@ Samba-Guide.xml: $(GUIDEDOC)/guide-main.xml Samba-Developers-Guide.xml: $(DEVDOC)/dev-doc.xml $(DEVDOC_DEPS) $(XSLTPROC) --stringparam noreference 1 --xinclude --output $@ xslt/expand-sambadoc.xsl $< -$(PROJDOC)/attributions.xml: $(PROJDOC)/samba-doc.xml +$(HOWTODIR)/attributions.xml: $(HOWTODIR)/index.xml @echo > $@ # Make sure we don't get recursive dependencies, etc! $(XSLTPROC) --output $@ xslt/generate-attributions.xsl $< 
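Review bot: The prerequisite `$(HOWTODIR)/index.xml` in the `Samba-HOWTO-Collection.xml` rule replaces `$(PROJDOC)/samba-doc.xml`, but the diffstat of this commit lists no `docs/howto/index.xml` being created or renamed. The same prerequisite appears in the `$(HOWTODIR)/attributions.xml` rule just below and in the `files:` rule in a later hunk. Unless index.xml already exists from another commit in the series, make has no rule to produce it and all three targets would stop with a "No rule to make target" error, so that is worth confirming before merging. A one-line comment above the rule, e.g. `# howto/index.xml is the top-level HOWTO source (formerly projdoc/samba-doc.xml)`, would also record the rename for later readers.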
@@ -144,11 +145,11 @@ clean: $(PDFDIR)/*.pdf $(FAQDIR)/*.html $(HTMLDIR)/*html $(HTMLDIR)/samba.css rm -f xslt/figures/*pdf rm -f $(SMBDOTCONFDOC)/parameters.*.xml $(DVIDIR)/*.dvi - rm -f samba-doc.* dev-doc.* $(PROJDOC)/changelog.xml $(PROJDOC)/attributions.xml $(DEVDOC)/attributions.xml + rm -f samba-doc.* dev-doc.* $(HOWTODIR)/changelog.xml $(HOWTODIR)/attributions.xml $(DEVDOC)/attributions.xml rm -f Samba-HOWTO-Collection.* rm -f Samba-Developers-Guide.* rm -f Samba-Guide.* - rm -f $(IMAGEPROJDIR)/*.eps $(MANPROJDOC)/smb.conf.5.xml + rm -f $(IMAGEPROJDIR)/*.eps $(MANPAGEDIR)/smb.conf.5.xml rm -f $(PLUCKERDIR)/*.pdb # Text files @@ -175,7 +176,7 @@ $(PDFDIR)/%.pdf: %.tex latexfigures gpl.tex -$(PDFLATEX) $< mv $(patsubst %.tex,%.pdf,$<) $@ -epsimages: $(PROJDOC_IMAGES_EPS) +epsimages: $(HOWTODIR_IMAGES_EPS) # DVI files $(DVIDIR)/%.dvi: %.tex epsimages gpl.tex @@ -206,7 +207,7 @@ $(PLUCKERDIR): CSS: $(HTMLDIR) xslt/html/samba.css cp xslt/html/samba.css $(HTMLDIR)/ -$(HTMLDIR)/Samba-HOWTO-Collection.html: Samba-HOWTO-Collection.xml $(PROJDOC_DEPS) $(PROJDOC_IMAGES_PNG) +$(HTMLDIR)/Samba-HOWTO-Collection.html: Samba-HOWTO-Collection.xml $(HOWTODIR_DEPS) $(HOWTODIR_IMAGES_PNG) $(XSLTPROC) --output $@ xslt/html.xsl $< $(HTMLDIR)/Samba-Developers-Guide.html: Samba-Developers-Guide.xml $(DEVDOC_DEPS) @@ -218,7 +219,7 @@ $(HTMLDIR)/%.html: %.xml $(PLUCKERDIR)/%.pdb: $(HTMLDIR)/%.html $(PLUCKERBUILD) -v -M1 --stayonhost --noimages --zlib-compression -H file:$< -f $(patsubst $(PLUCKERDIR)/%.pdb,%,$@) -p $(PLUCKERDIR) -%.xml: $(MANPROJDOC)/%.xml +%.xml: $(MANPAGEDIR)/%.xml $(XSLTPROC) --stringparam noreference 1 --output $@ xslt/expand-sambadoc.xsl $< # Manpages 
@@ -263,7 +264,7 @@ undocumented: $(SMBDOTCONFDOC)/parameters.all.xml $(EXAMPLESDIR): mkdir $(EXAMPLESDIR) -files: $(PROJDOC)/samba-doc.xml $(PROJDOC)/attributions.xml $(EXAMPLESDIR) +files: $(HOWTODIR)/index.xml $(HOWTODIR)/attributions.xml $(EXAMPLESDIR) $(XSLTPROC) xslt/extract-smbfiles.xsl $< > /dev/null samples: $(EXAMPLESDIR) Samba-HOWTO-Collection.xml @@ -275,3 +276,10 @@ guide: $(PDFDIR)/Samba-Guide.pdf %/changelog.xml: % $(wildcard %/CVS/*) $(CVS2CL) --stdout --xml $< | $(XSLTPROC) --output $@ xslt/genchangelog.xsl - + +$(ARCHIVEDIR): + mkdir $(ARCHIVEDIR) + +archive: $(ARCHIVEDIR) guide howto + cp $(PDFDIR)/Samba-HOWTO-Collection.pdf $(ARCHIVEDIR)/TOSHARG-`date +%Y%m%d`.pdf + cp $(PDFDIR)/Samba-Guide.pdf $(ARCHIVEDIR)/S3bE-`date +%Y%m%d`.pdf diff --git a/docs/howto/DOMAIN_MEMBER.xml b/docs/howto/DOMAIN_MEMBER.xml deleted file mode 100644 index 72b00663f7..0000000000 --- a/docs/howto/DOMAIN_MEMBER.xml +++ /dev/null 
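Review bot: The new `$(ARCHIVEDIR)` rule at the end of Makefile.in runs plain `mkdir $(ARCHIVEDIR)`, and `archive` lists that directory as its first prerequisite, so on a clean tree where `output/` does not exist yet the mkdir fails before `guide` and `howto` have built anything. `mkdir -p $(ARCHIVEDIR)` avoids that, and `archive: guide howto | $(ARCHIVEDIR)` would make the directory an order-only prerequisite. No `howto` rule is visible in these hunks, and this commit also introduces a `howto/` directory, so it is worth confirming that the prerequisite resolves to a rule (ideally one declared `.PHONY`) and not to that directory. The recipe also evaluates `date +%Y%m%d` once per `cp`, so the two archive names can differ if the run crosses midnight.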
@@ -1,1105 +0,0 @@ - - - - &author.jht; - &author.jeremy; - &author.jerry; - &author.tridge; - &author.jelmer; - &person.gd;LDAP updates - - -Domain Membership - - -Domain Membership is a subject of vital concern. Samba must be able to -participate as a member server in a Microsoft Domain Security context, and -Samba must be capable of providing Domain machine member trust accounts, -otherwise it would not be able to offer a viable option for many users. - - - -This chapter covers background information pertaining to Domain Membership, -the Samba configuration for it, and MS Windows client procedures for joining a -domain. Why is this necessary? Because both are areas in which there exists -within the current MS Windows networking world and particularly in the -UNIX/Linux networking and administration world, a considerable level of -misinformation, incorrect understanding and a lack of knowledge. Hopefully -this chapter will fill the voids. - - - -Features and Benefits - - -MS Windows workstations and servers that want to participate in Domain Security need to -be made Domain Members. Participating in Domain Security is often called -Single Sign On or SSO for short. This -chapter describes the process that must be followed to make a workstation -(or another server &smbmdash; be it an MS Windows NT4 / 200x -server) or a Samba server a member of an MS Windows Domain Security context. - - - -Server TypeDomain Member -Samba-3 can join an MS Windows NT4-style domain as a native member server, an -MS Windows Active Directory Domain as a native member server, or a Samba Domain -Control network. Domain Membership has many advantages: - - - - -SAM - MS Windows workstation users get the benefit of SSO. - - - - Domain user access rights and file ownership/access controls can be set - from the single Domain Security Account Manager (SAM) database - (works with Domain Member servers as well as with MS Windows workstations - that are Domain Members). 
- - - - Only MS Windows NT4/200x/XP Professional - workstations that are Domain Members can use network logon facilities. - - - - Domain Member workstations can be better controlled through the use of - Policy files (NTConfig.POL) and Desktop Profiles. - - - - Through the use of logon scripts, users can be given transparent access to network - applications that run off application servers. - - - - Network administrators gain better application and user access management - abilities because there is no need to maintain user accounts on any network - client or server, other than the central Domain database - (either NT4/Samba SAM style Domain, NT4 Domain that is backend-ed with an - LDAP directory, or via an Active Directory infrastructure). - - - - - - -MS Windows Workstation/Server Machine Trust Accounts - - -Machine Trust Accounts -A Machine Trust Account is an account that is used to authenticate a client -machine (rather than a user) to the Domain Controller server. In Windows terminology, -this is known as a Computer Account. The purpose of the machine account -is to prevent a rogue user and Domain Controller from colluding to gain access to a -domain member workstation. - - - -The password of a Machine Trust Account acts as the shared secret for -secure communication with the Domain Controller. This is a security -feature to prevent an unauthorized machine with the same NetBIOS name -from joining the domain and gaining access to domain user/group -accounts. Windows NT/200x/XP Professional clients use machine trust -accounts, but Windows 9x/Me/XP Home clients do not. Hence, a -Windows 9x/Me/XP Home client is never a true member of a Domain -because it does not possess a Machine Trust Account, and, thus, has no -shared secret with the Domain Controller. - - - -A Windows NT4 PDC stores each Machine Trust Account in the Windows Registry. -The introduction of MS Windows 2000 saw the introduction of Active Directory, -the new repository for Machine Trust Accounts. 
A Samba PDC, however, stores -each Machine Trust Account in two parts, -as follows: - - - - A Domain Security Account (stored in the - passdb backend that has been configured in the - &smb.conf; file. The precise nature of the account information that is - stored depends on the type of backend database that has been chosen. - - - - The older format of this data is the smbpasswd database - that contains the UNIX login ID, the UNIX user identifier (UID), and the - LanMan and NT encrypted passwords. There is also some other information in - this file that we do not need to concern ourselves with here. - - - - The two newer database types are called ldapsam, and - tdbsam. Both store considerably more data than the - older smbpasswd file did. The extra information - enables new user account controls to be implemented. - - - - A corresponding UNIX account, typically stored in - /etc/passwd. Work is in progress to allow a - simplified mode of operation that does not require UNIX user accounts, but - this may not be a feature of the early releases of Samba-3. - - - - - -Machine Trust Accountscreating -There are three ways to create Machine Trust Accounts: - - - - - Manual creation from the UNIX/Linux command line. Here, both the Samba and - corresponding UNIX account are created by hand. - - - - Server Manager - Using the MS Windows NT4 Server Manager, either from an NT4 Domain Member - server, or using the Nexus toolkit available from the Microsoft Web site. - This tool can be run from any MS Windows machine as long as the user is - logged on as the administrator account. - - - - On-the-fly creation. The Samba Machine Trust Account is automatically - created by Samba at the time the client is joined to the domain. - (For security, this is the recommended method.) The corresponding UNIX - account may be created automatically or manually. 
- - - - -Manual Creation of Machine Trust Accounts - - -The first step in manually creating a Machine Trust Account is to manually -create the corresponding UNIX account in /etc/passwd. -This can be done using vipw or another add user command -that is normally used to create new UNIX accounts. The following is an example for -a Linux-based Samba server: - - - -useradd -vipw - -&rootprompt;/usr/sbin/useradd -g machines -d /dev/null -c "machine nickname" \ - -s /bin/false machine_name$ - -&rootprompt;passwd -l machine_name$ - - - -In the above example above there is an existing system group machines which is used -as the primary group for all machine accounts. In the following examples the machines group has -numeric GID equal 100. - - -chpass -On *BSD systems, this can be done using the chpass utility: - - - - -&rootprompt;chpass -a \ -'machine_name$:*:101:100::0:0:Windows machine_name:/dev/null:/sbin/nologin' - - - - -The /etc/passwd entry will list the machine name -with a $ appended, will not have a password, will have a null shell and no -home directory. For example, a machine named doppy would have an -/etc/passwd entry like this: - - - -doppy$:x:505:100:machine_nickname:/dev/null:/bin/false - - - -Above, machine_nickname can be any -descriptive name for the client, i.e., BasementComputer. -machine_name absolutely must be the NetBIOS -name of the client to be joined to the domain. The $ must be -appended to the NetBIOS name of the client or Samba will not recognize -this as a Machine Trust Account. - - - -Now that the corresponding UNIX account has been created, the next step is to create -the Samba account for the client containing the well-known initial -Machine Trust Account password. This can be done using the -smbpasswd command -as shown here: - - - - -&rootprompt;smbpasswd -a -m machine_name - - - - -where machine_name is the machine's NetBIOS -name. The RID of the new machine account is generated from the UID of -the corresponding UNIX account. 
- - - -Join the client to the domain immediately - - -Manually creating a Machine Trust Account using this method is the -equivalent of creating a Machine Trust Account on a Windows NT PDC using -Server Manager -the Server Manager. From the time at which the -account is created to the time the client joins the domain and -changes the password, your domain is vulnerable to an intruder joining -your domain using a machine with the same NetBIOS name. A PDC inherently -trusts members of the domain and will serve out a large degree of user -information to such clients. You have been warned! - - - - - -Managing Domain Machine Accounts using NT4 Server Manager - - -A working add machine script script is essential -for machine trust accounts to be automatically created. This applies no matter whether -one uses automatic account creation, or if one wishes to use the NT4 Domain Server Manager. - - - -SRVTOOLS.EXE -If the machine from which you are trying to manage the domain is an -MS Windows NT4 workstation or MS Windows 200x/XP Professional, -the tool of choice is the package called SRVTOOLS.EXE. -When executed in the target directory it will unpack SrvMgr.exe -and UsrMgr.exe (both are domain management tools for MS Windows NT4 workstation). - - - -Nexus.exe -If your workstation is a Microsoft Windows 9x/Me family product - you should download the Nexus.exe package from the Microsoft web site. -When executed from the target directory this will unpack the same tools but for use on -this platform. - - - -Further information about these tools may be obtained from the following locations: - - - - - - - - - - -Launch the srvmgr.exe (Server Manager for Domains) and follow these steps: - - - -Server Manager Account Machine Account Management - - From the menu select Computer. - - - - Click Select Domain. - - - - Click the name of the domain you wish to administer in the - Select Domain panel and then click - OK. - - - - Again from the menu select Computer. 
- - - - Select Add to Domain. - - - - In the dialog box, click the radio button to - Add NT Workstation of Server, then - enter the machine name in the field provided, and click the - Add button. - - - - - - -On-the-Fly Creation of Machine Trust Accounts - - -The second (and recommended) way of creating Machine Trust Accounts is -simply to allow the Samba server to create them as needed when the client -is joined to the domain. - - -Since each Samba Machine Trust Account requires a corresponding UNIX account, a method -for automatically creating the UNIX account is usually supplied; this requires configuration of the -add machine script option in &smb.conf;. This method is not required, however, corresponding UNIX -accounts may also be created manually. - - - - -Here is an example for a Red Hat Linux system. - - - -[global] -<...remainder of parameters...> -add machine script/usr/sbin/useradd -d /dev/null -g 100 \ - -s /bin/false -M %u - - - - - - -Making an MS Windows Workstation or Server a Domain Member - - -The procedure for making an MS Windows workstation or server a member of the domain varies -with the version of Windows. - - - - Windows 200x/XP Professional Client - - - When the user elects to make the client a Domain Member, Windows 200x prompts for - an account and password that has privileges to create machine accounts in the domain. - A Samba Administrator Account (i.e., a Samba account that has root privileges on the - Samba server) must be entered here; the operation will fail if an ordinary user - account is given. - - - - For security reasons, the password for this Administrator Account should be set - to a password that is other than that used for the root user in /etc/passwd. - - - - The name of the account that is used to create Domain Member machine accounts can be - anything the network administrator may choose. 
If it is other than root - then this is easily mapped to root in the file named in the &smb.conf; parameter - username map/etc/samba/smbusers. - - - - The session key of the Samba Administrator Account acts as an encryption key for setting the password of the machine trust - account. The Machine Trust Account will be created on-the-fly, or updated if it already exists. - - - - - Windows NT4 Client - - - If the Machine Trust Account was created manually, on the - Identification Changes menu enter the domain name, but do not - check the box Create a Computer Account in the Domain. - In this case, the existing Machine Trust Account is used to join the machine - to the domain. - - - - If the Machine Trust Account is to be created on-the-fly, on the Identification Changes menu enter the domain - name and check the box Create a Computer Account in the Domain. In this case, joining - the domain proceeds as above for Windows 2000 (i.e., you must supply a Samba Administrator Account when - prompted). - - - - - Samba Client - - Joining a Samba client to a domain is documented in - Domain Member Server. - - - - - - - -Domain Member Server - - -This mode of server operation involves the Samba machine being made a member -of a domain security context. This means by definition that all user -authentication will be done from a centrally defined authentication regime. -The authentication regime may come from an NT3/4-style (old domain technology) -server, or it may be provided from an Active Directory server (ADS) running on -MS Windows 2000 or later. - - - - -Of course it should be clear that the authentication backend itself could be -from any distributed directory architecture server that is supported by Samba. -This can be LDAP (from OpenLDAP), or Sun's iPlanet, or NetWare Directory -Server, and so on. - - - - -When Samba is configured to use an LDAP, or other identity management and/or -directory service, it is Samba that continues to perform user and machine -authentication. 
It should be noted that the LDAP server does not perform -authentication handling in place of what Samba is designed to do. - - - -Please refer to Domain Control, for more information regarding -how to create a domain machine account for a Domain Member server as well as for -information on how to enable the Samba Domain Member machine to join the domain -and be fully trusted by it. - - - -Joining an NT4-type Domain with Samba-3 - -Next table lists names that have been used in the remainder of this chapter. - -Assumptions - - - - - - NetBIOS name:SERV1 - - - Windows 200x/NT domain name:&example.workgroup; - - - Domain's PDC NetBIOS name:DOMPDC - - - Domain's BDC NetBIOS names:DOMBDC1 and DOMBDC2 - - - -
- - -First, you must edit your &smb.conf; file to tell Samba it should now use domain security. - - - - Change (or add) your - security line in the [global] section -of your &smb.conf; to read: - - - - -securitydomain - - - - -Next change the workgroup line in the [global] -section to read: - - - - -workgroup&example.workgroup; - - - - -This is the name of the domain we are joining. - - - -You must also have the parameter encrypt passwords -set to yes in order for your users to authenticate to the NT PDC. -This is the default setting if this parameter is not specified. There is no need to specify this -parameter, but if it is specified in the &smb.conf; file, it must be set to Yes. - - - -Finally, add (or modify) a password server line in the [global] -section to read: - - - - -password serverDOMPDC DOMBDC1 DOMBDC2 - - - - -These are the primary and backup Domain Controllers Samba -will attempt to contact in order to authenticate users. Samba will -try to contact each of these servers in order, so you may want to -rearrange this list in order to spread out the authentication load -among Domain Controllers. - - - -Alternately, if you want smbd to automatically determine -the list of Domain Controllers to use for authentication, you may -set this line to be: - - - - -password server* - - - - -This method allows Samba to use exactly the same mechanism that NT does. The -method either uses broadcast-based name resolution, performs a WINS database -lookup in order to find a Domain Controller against which to authenticate, -or locates the Domain Controller using DNS name resolution. - - - -To join the domain, run this command: - - - - -&rootprompt;net join -S DOMPDC -UAdministrator%password - - - - -If the argument is not given, the domain name will be obtained from &smb.conf;. - - - -The machine is joining the domain DOM, and the PDC for that domain (the only machine -that has write access to the domain SAM database) is DOMPDC, therefore use the -option. 
The Administrator%password is the login name and -password for an account that has the necessary privilege to add machines to the -domain. If this is successful, you will see the message in your terminal window the -text shown below. Where the older NT4 style domain architecture is used: - -Joined domain DOM. - - - - -Where Active Directory is used: - -Joined SERV1 to realm MYREALM. - - - - -Refer to the net man page for further information. - - - -This process joins the server to the domain without having to create the machine -trust account on the PDC beforehand. - - - -This command goes through the machine account password change protocol, then writes -the new (random) machine account password for this Samba server into a file in the -same directory in which a smbpasswd file would be normally stored: - -/usr/local/samba/private/secrets.tdb -or -/etc/samba/secrets.tdb. - - - - -This file is created and owned by root and is not readable by any other user. It is -the key to the Domain-level security for your system, and should be treated as carefully -as a shadow password file. - - - -Finally, restart your Samba daemons and get ready for clients to begin using domain -security. The way you can restart your Samba daemons depends on your distribution, -but in most cases the following will suffice: - -&rootprompt;/etc/init.d/samba restart - - - -
- - -Why Is This Better Than <parameter>security = server</parameter>? - - -Currently, domain security in Samba does not free you from -having to create local UNIX users to represent the users attaching -to your server. This means that if Domain user DOM\fred - attaches to your Domain Security Samba server, there needs -to be a local UNIX user fred to represent that user in the UNIX -file system. This is similar to the older Samba security mode -securityserver, -where Samba would pass through the authentication request to a Windows -NT server in the same way as a Windows 95 or Windows 98 server would. - - - -Please refer to Winbind: Use of Domain Accounts chapter, for information on a system -to automatically assign UNIX UIDs and GIDs to Windows NT Domain users and groups. - - - -The advantage to Domain-level security is that the -authentication in Domain-level security is passed down the authenticated -RPC channel in exactly the same way that an NT server would do it. This -means Samba servers now participate in domain trust relationships in -exactly the same way NT servers do (i.e., you can add Samba servers into -a resource domain and have the authentication passed on from a resource -domain PDC to an account domain PDC). - - - -In addition, with securityserver, every Samba -daemon on a server has to keep a connection open to the -authenticating server for as long as that daemon lasts. This can drain -the connection resources on a Microsoft NT server and cause it to run -out of available connections. With securitydomain, -however, the Samba daemons connect to the PDC/BDC only for as long -as is necessary to authenticate the user and then drop the connection, -thus conserving PDC connection resources. 
- - - -And finally, acting in the same manner as an NT server -authenticating to a PDC means that as part of the authentication -reply, the Samba server gets the user identification information such -as the user SID, the list of NT groups the user belongs to, and so on. - - - - -Much of the text of this document was first published in the Web magazine -LinuxWorld as the article -Doing the NIS/NT Samba. - - - - -
- - -Samba ADS Domain Membership - - -Active Directory -ADSActive Directory -KDC -Kerberos -This is a rough guide to setting up Samba-3 with Kerberos authentication against a -Windows 200x KDC. A familiarity with Kerberos is assumed. - - - -Configure &smb.conf; - - -You must use at least the following three options in &smb.conf;: - - - -realmyour.kerberos.REALM -securityADS -The following parameter need only be specified if present. -The default setting is not present is Yes. -encrypt passwordsyes - - - -In case samba cannot correctly identify the appropriate ADS server using the realm name, use the -password server option in &smb.conf;: - -password serveryour.kerberos.server - - - - -You do not need a smbpasswd file, and older clients will be authenticated as -if securitydomain, although it will not do any harm and -allows you to have local users not in the domain. - - - - - -Configure <filename>/etc/krb5.conf</filename> - - -/etc/krb5.conf -Kerberos/etc/krb5.conf -With both MIT and Heimdal Kerberos, it is unnecessary to configure the -/etc/krb5.conf, and it may be detrimental. - - - -Microsoft Active Directory servers automatically create SRV records in the DNS zone -_kerberos.REALM.NAME for each KDC in the realm. This is part -of the installation and configuration process used to create an Active Directory Domain. - - - -MIT's, as well as Heimdal's, recent KRB5 libraries default to checking for SRV records, so they will -automatically find the KDCs. In addition, krb5.conf only allows specifying -a single KDC, even there if there may be more than one. Using the DNS lookup allows the KRB5 -libraries to use whichever KDCs are available. 
- - - -When manually configuring krb5.conf, the minimal configuration is: - - - - - -[libdefaults] - default_realm = YOUR.KERBEROS.REALM - -[realms] - YOUR.KERBEROS.REALM = { - kdc = your.kerberos.server - } - -[domain_realms] - .kerberos.server = YOUR.KERBEROS.REALM - - - -When using Heimdal versions before 0.6 use the following configuration settings: - -[libdefaults] - default_realm = YOUR.KERBEROS.REALM - default_etypes = des-cbc-crc des-cbc-md5 - default_etypes_des = des-cbc-crc des-cbc-md5 - -[realms] - YOUR.KERBEROS.REALM = { - kdc = your.kerberos.server - } - -[domain_realms] - .kerberos.server = YOUR.KERBEROS.REALM - - - - -kinit -Test your config by doing a kinit -USERNAME@REALM and -making sure that your password is accepted by the Win2000 KDC. - - - -With Heimdal versions earlier than 0.6.x you only can use newly created accounts -in ADS or accounts that have had the password changed once after migration, or -in case of Administrator after installation. At the -moment, a Windows 2003 KDC can only be used with a Heimdal releases later than 0.6 -(and no default etypes in krb5.conf). Unfortunately this whole area is still -in a state of flux. - - - -The realm must be in uppercase or you will get Cannot find KDC for -requested realm while getting initial credentials error (Kerberos -is case-sensitive!). - - - -Time between the two servers must be synchronized. You will get a -kinit(v5): Clock skew too great while getting initial credentials -if the time difference is more than five minutes. - - - -Clock skew limits are configurable in the Kerberos protocols. The default setting is -five minutes. - - - -You also must ensure that you can do a reverse DNS lookup on the IP -address of your KDC. Also, the name that this reverse lookup maps to -must either be the NetBIOS name of the KDC (i.e., the hostname with no -domain attached) or it can alternately be the NetBIOS name followed by the realm. 
- - - -The easiest way to ensure you get this right is to add a -/etc/hosts entry mapping the IP address of your KDC to -its NetBIOS name. If you do not get this correct then you will get a -local error when you try to join the realm. - - - -If all you want is Kerberos support in &smbclient; then you can skip -directly to Testing with &smbclient; now. -Create the Computer Account and -Testing Server Setup -are needed only if you want Kerberos support for &smbd; and &winbindd;. - - - - - -Create the Computer Account - - -As a user who has write permission on the Samba private directory (usually root), run: - -&rootprompt; net ads join -U Administrator%password - - - - -When making a Windows client a member of an ADS domain within a complex organization, you -may want to create the machine account within a particular organizational unit. Samba-3 permits -this to be done using the following syntax: - -&rootprompt; kinit Administrator@your.kerberos.REALM -&rootprompt; net ads join organizational_unit - - - - -For example, you may want to create the machine account in a container called Servers -under the organizational directory Computers\BusinessUnit\Department like this: - -&rootprompt; net ads join "Computers\BusinessUnit\Department\Servers" - - - - - - -Possible Errors - - - - ADS support not compiled in - Samba must be reconfigured (remove config.cache) and recompiled - (make clean all install) after the Kerberos libraries and headers files are installed. - - - net ads join prompts for user name - You need to login to the domain using kinit - USERNAME@REALM. - USERNAME must be a user who has rights to add a machine - to the domain. - - Unsupported encryption/or checksum types - - Make sure that the /etc/krb5.conf is correctly configured - for the type and version of Kerberos installed on the system. 
- - - - - - - - - -Testing Server Setup - - -If the join was successful, you will see a new computer account with the -NetBIOS name of your Samba server in Active Directory (in the Computers -folder under Users and Computers. - - - -On a Windows 2000 client, try net use * \\server\share. You should -be logged in with Kerberos without needing to know a password. If this fails then run -klist tickets. Did you get a ticket for the server? Does it have -an encryption type of DES-CBC-MD5? - - - -Samba can use both DES-CBC-MD5 encryption as well as ARCFOUR-HMAC-MD5 encoding. - - - - - -Testing with &smbclient; - - - -smbclient -On your Samba server try to login to a Win2000 server or your Samba -server using &smbclient; and Kerberos. Use &smbclient; as usual, but -specify the option to choose Kerberos authentication. - - - - - -Notes - - -You must change administrator password at least once after DC -install, to create the right encryption types. - - - -Windows 200x does not seem to create the _kerberos._udp and _ldap._tcp in -the default DNS setup. Perhaps this will be fixed later in service packs. - - - - - - -Sharing User ID Mappings between Samba Domain Members - - -Samba maps UNIX users and groups (identified by UIDs and GIDs) to Windows users and groups (identified by SIDs). -These mappings are done by the idmap subsystem of Samba. - - - -In some cases it is useful to share these mappings between Samba Domain Members, -so name->id mapping is identical on all machines. -This may be needed in particular when sharing files over both CIFS and NFS. - - -To use the LDAP ldap idmap suffix, set: - - -ldap idmap suffixou=Idmap,dc=quenya,dc=org - - -See the &smb.conf; man page entry for the ldap idmap suffix -parameter for further information. 
- - -Do not forget to specify also the ldap admin dn -and to make certain to set the LDAP administrative password into the secrets.tdb using: - -&rootprompt; smbpasswd -w ldap-admin-password - - - - - -Common Errors - - -In the process of adding/deleting/re-adding Domain Member machine accounts, there are -many traps for the unwary player and many little things that can go wrong. -It is particularly interesting how often subscribers on the Samba mailing list have concluded -after repeated failed attempts to add a machine account that it is necessary to re-install -MS Windows on the machine. In truth, it is seldom necessary to reinstall because of this type -of problem. The real solution is often quite simple and with an understanding of how MS Windows -networking functions, it is easy to overcome. - - - -Cannot Add Machine Back to Domain - - -A Windows workstation was re-installed. The original domain machine -account was deleted and added immediately. The workstation will not join the domain if I use -the same machine name. Attempts to add the machine fail with a message that the machine already -exists on the network &smbmdash; I know it does not. Why is this failing? - - - -The original name is still in the NetBIOS name cache and must expire after machine account -deletion before adding that same name as a Domain Member again. The best advice is to delete -the old account and then add the machine with a new name. - - - - - -Adding Machine to Domain Fails - - -Adding a Windows 200x or XP Professional machine to the Samba PDC Domain fails with a -message that, `The machine could not be added at this time, there is a network problem. -Please try again later.' Why? - - - -You should check that there is an add machine script in your &smb.conf; -file. If there is not, please add one that is appropriate for your OS platform. If a script -has been defined, you will need to debug its operation. 
Increase the log level -in the &smb.conf; file to level 10, then try to rejoin the domain. Check the logs to see which -operation is failing. - - - -Possible causes include: - - - - - The script does not actually exist, or could not be located in the path specified. - - - - Corrective action: Fix it. Make sure when run manually - that the script will add both the UNIX system account and the Samba SAM account. - - - - The machine could not be added to the UNIX system accounts file /etc/passwd. - - - - Corrective action: Check that the machine name is a legal UNIX - system account name. If the UNIX utility useradd is called, - then make sure that the machine name you are trying to add can be added using this - tool. Useradd on some systems will not allow any upper case characters - nor will it allow spaces in the name. - - - - -The add machine script does not create the -machine account in the Samba backend database, it is there only to create a UNIX system -account to which the Samba backend database account can be mapped. - - - - - - I Can't Join a Windows 2003 PDC - - Windows 2003 requires SMB signing. Client side SMB signing has been implemented in Samba-3.0. - Set client use spnegoyes when communicating - with a Windows 2003 server. - - - -
diff --git a/docs/howto/DomainMember.xml b/docs/howto/DomainMember.xml
new file mode 100644
index 0000000000..72b00663f7
--- /dev/null
+++ b/docs/howto/DomainMember.xml
@@ -0,0 +1,1105 @@ + + + + &author.jht; + &author.jeremy; + &author.jerry; + &author.tridge; + &author.jelmer; + &person.gd;LDAP updates + + +Domain Membership + + +Domain Membership is a subject of vital concern. Samba must be able to +participate as a member server in a Microsoft Domain Security context, and +Samba must be capable of providing Domain machine member trust accounts, +otherwise it would not be able to offer a viable option for many users. + + + +This chapter covers background information pertaining to Domain Membership, +the Samba configuration for it, and MS Windows client procedures for joining a +domain. Why is this necessary? Because both are areas in which there exists +within the current MS Windows networking world and particularly in the +UNIX/Linux networking and administration world, a considerable level of +misinformation, incorrect understanding and a lack of knowledge. Hopefully +this chapter will fill the voids. + + + +Features and Benefits + + +MS Windows workstations and servers that want to participate in Domain Security need to +be made Domain Members. Participating in Domain Security is often called +Single Sign On or SSO for short. This +chapter describes the process that must be followed to make a workstation +(or another server &smbmdash; be it an MS Windows NT4 / 200x +server) or a Samba server a member of an MS Windows Domain Security context. + + + +Server TypeDomain Member +Samba-3 can join an MS Windows NT4-style domain as a native member server, an +MS Windows Active Directory Domain as a native member server, or a Samba Domain +Control network. Domain Membership has many advantages: + + + + +SAM + MS Windows workstation users get the benefit of SSO. + + + + Domain user access rights and file ownership/access controls can be set + from the single Domain Security Account Manager (SAM) database + (works with Domain Member servers as well as with MS Windows workstations + that are Domain Members). 
+ + + + Only MS Windows NT4/200x/XP Professional + workstations that are Domain Members can use network logon facilities. + + + + Domain Member workstations can be better controlled through the use of + Policy files (NTConfig.POL) and Desktop Profiles. + + + + Through the use of logon scripts, users can be given transparent access to network + applications that run off application servers. + + + + Network administrators gain better application and user access management + abilities because there is no need to maintain user accounts on any network + client or server, other than the central Domain database + (either NT4/Samba SAM style Domain, NT4 Domain that is backend-ed with an + LDAP directory, or via an Active Directory infrastructure). + + + + + + +MS Windows Workstation/Server Machine Trust Accounts + + +Machine Trust Accounts +A Machine Trust Account is an account that is used to authenticate a client +machine (rather than a user) to the Domain Controller server. In Windows terminology, +this is known as a Computer Account. The purpose of the machine account +is to prevent a rogue user and Domain Controller from colluding to gain access to a +domain member workstation. + + + +The password of a Machine Trust Account acts as the shared secret for +secure communication with the Domain Controller. This is a security +feature to prevent an unauthorized machine with the same NetBIOS name +from joining the domain and gaining access to domain user/group +accounts. Windows NT/200x/XP Professional clients use machine trust +accounts, but Windows 9x/Me/XP Home clients do not. Hence, a +Windows 9x/Me/XP Home client is never a true member of a Domain +because it does not possess a Machine Trust Account, and, thus, has no +shared secret with the Domain Controller. + + + +A Windows NT4 PDC stores each Machine Trust Account in the Windows Registry. +The introduction of MS Windows 2000 saw the introduction of Active Directory, +the new repository for Machine Trust Accounts. 
A Samba PDC, however, stores +each Machine Trust Account in two parts, +as follows: + + + + A Domain Security Account (stored in the + passdb backend that has been configured in the + &smb.conf; file. The precise nature of the account information that is + stored depends on the type of backend database that has been chosen. + + + + The older format of this data is the smbpasswd database + that contains the UNIX login ID, the UNIX user identifier (UID), and the + LanMan and NT encrypted passwords. There is also some other information in + this file that we do not need to concern ourselves with here. + + + + The two newer database types are called ldapsam, and + tdbsam. Both store considerably more data than the + older smbpasswd file did. The extra information + enables new user account controls to be implemented. + + + + A corresponding UNIX account, typically stored in + /etc/passwd. Work is in progress to allow a + simplified mode of operation that does not require UNIX user accounts, but + this may not be a feature of the early releases of Samba-3. + + + + + +Machine Trust Accountscreating +There are three ways to create Machine Trust Accounts: + + + + + Manual creation from the UNIX/Linux command line. Here, both the Samba and + corresponding UNIX account are created by hand. + + + + Server Manager + Using the MS Windows NT4 Server Manager, either from an NT4 Domain Member + server, or using the Nexus toolkit available from the Microsoft Web site. + This tool can be run from any MS Windows machine as long as the user is + logged on as the administrator account. + + + + On-the-fly creation. The Samba Machine Trust Account is automatically + created by Samba at the time the client is joined to the domain. + (For security, this is the recommended method.) The corresponding UNIX + account may be created automatically or manually. 
+ + + + +Manual Creation of Machine Trust Accounts + + +The first step in manually creating a Machine Trust Account is to manually +create the corresponding UNIX account in /etc/passwd. +This can be done using vipw or another add user command +that is normally used to create new UNIX accounts. The following is an example for +a Linux-based Samba server: + + + +useradd +vipw + +&rootprompt;/usr/sbin/useradd -g machines -d /dev/null -c "machine nickname" \ + -s /bin/false machine_name$ + +&rootprompt;passwd -l machine_name$ + + + +In the above example above there is an existing system group machines which is used +as the primary group for all machine accounts. In the following examples the machines group has +numeric GID equal 100. + + +chpass +On *BSD systems, this can be done using the chpass utility: + + + + +&rootprompt;chpass -a \ +'machine_name$:*:101:100::0:0:Windows machine_name:/dev/null:/sbin/nologin' + + + + +The /etc/passwd entry will list the machine name +with a $ appended, will not have a password, will have a null shell and no +home directory. For example, a machine named doppy would have an +/etc/passwd entry like this: + + + +doppy$:x:505:100:machine_nickname:/dev/null:/bin/false + + + +Above, machine_nickname can be any +descriptive name for the client, i.e., BasementComputer. +machine_name absolutely must be the NetBIOS +name of the client to be joined to the domain. The $ must be +appended to the NetBIOS name of the client or Samba will not recognize +this as a Machine Trust Account. + + + +Now that the corresponding UNIX account has been created, the next step is to create +the Samba account for the client containing the well-known initial +Machine Trust Account password. This can be done using the +smbpasswd command +as shown here: + + + + +&rootprompt;smbpasswd -a -m machine_name + + + + +where machine_name is the machine's NetBIOS +name. The RID of the new machine account is generated from the UID of +the corresponding UNIX account. 
+ + + +Join the client to the domain immediately + + +Manually creating a Machine Trust Account using this method is the +equivalent of creating a Machine Trust Account on a Windows NT PDC using +Server Manager +the Server Manager. From the time at which the +account is created to the time the client joins the domain and +changes the password, your domain is vulnerable to an intruder joining +your domain using a machine with the same NetBIOS name. A PDC inherently +trusts members of the domain and will serve out a large degree of user +information to such clients. You have been warned! + + + + + +Managing Domain Machine Accounts using NT4 Server Manager + + +A working add machine script script is essential +for machine trust accounts to be automatically created. This applies no matter whether +one uses automatic account creation, or if one wishes to use the NT4 Domain Server Manager. + + + +SRVTOOLS.EXE +If the machine from which you are trying to manage the domain is an +MS Windows NT4 workstation or MS Windows 200x/XP Professional, +the tool of choice is the package called SRVTOOLS.EXE. +When executed in the target directory it will unpack SrvMgr.exe +and UsrMgr.exe (both are domain management tools for MS Windows NT4 workstation). + + + +Nexus.exe +If your workstation is a Microsoft Windows 9x/Me family product + you should download the Nexus.exe package from the Microsoft web site. +When executed from the target directory this will unpack the same tools but for use on +this platform. + + + +Further information about these tools may be obtained from the following locations: + + + + + + + + + + +Launch the srvmgr.exe (Server Manager for Domains) and follow these steps: + + + +Server Manager Account Machine Account Management + + From the menu select Computer. + + + + Click Select Domain. + + + + Click the name of the domain you wish to administer in the + Select Domain panel and then click + OK. + + + + Again from the menu select Computer. 
+ + + + Select Add to Domain. + + + + In the dialog box, click the radio button to + Add NT Workstation of Server, then + enter the machine name in the field provided, and click the + Add button. + + + + + + +On-the-Fly Creation of Machine Trust Accounts + + +The second (and recommended) way of creating Machine Trust Accounts is +simply to allow the Samba server to create them as needed when the client +is joined to the domain. + + +Since each Samba Machine Trust Account requires a corresponding UNIX account, a method +for automatically creating the UNIX account is usually supplied; this requires configuration of the +add machine script option in &smb.conf;. This method is not required, however, corresponding UNIX +accounts may also be created manually. + + + + +Here is an example for a Red Hat Linux system. + + + +[global] +<...remainder of parameters...> +add machine script/usr/sbin/useradd -d /dev/null -g 100 \ + -s /bin/false -M %u + + + + + + +Making an MS Windows Workstation or Server a Domain Member + + +The procedure for making an MS Windows workstation or server a member of the domain varies +with the version of Windows. + + + + Windows 200x/XP Professional Client + + + When the user elects to make the client a Domain Member, Windows 200x prompts for + an account and password that has privileges to create machine accounts in the domain. + A Samba Administrator Account (i.e., a Samba account that has root privileges on the + Samba server) must be entered here; the operation will fail if an ordinary user + account is given. + + + + For security reasons, the password for this Administrator Account should be set + to a password that is other than that used for the root user in /etc/passwd. + + + + The name of the account that is used to create Domain Member machine accounts can be + anything the network administrator may choose. 
If it is other than root + then this is easily mapped to root in the file named in the &smb.conf; parameter + username map/etc/samba/smbusers. + + + + The session key of the Samba Administrator Account acts as an encryption key for setting the password of the machine trust + account. The Machine Trust Account will be created on-the-fly, or updated if it already exists. + + + + + Windows NT4 Client + + + If the Machine Trust Account was created manually, on the + Identification Changes menu enter the domain name, but do not + check the box Create a Computer Account in the Domain. + In this case, the existing Machine Trust Account is used to join the machine + to the domain. + + + + If the Machine Trust Account is to be created on-the-fly, on the Identification Changes menu enter the domain + name and check the box Create a Computer Account in the Domain. In this case, joining + the domain proceeds as above for Windows 2000 (i.e., you must supply a Samba Administrator Account when + prompted). + + + + + Samba Client + + Joining a Samba client to a domain is documented in + Domain Member Server. + + + + + + + +Domain Member Server + + +This mode of server operation involves the Samba machine being made a member +of a domain security context. This means by definition that all user +authentication will be done from a centrally defined authentication regime. +The authentication regime may come from an NT3/4-style (old domain technology) +server, or it may be provided from an Active Directory server (ADS) running on +MS Windows 2000 or later. + + + + +Of course it should be clear that the authentication backend itself could be +from any distributed directory architecture server that is supported by Samba. +This can be LDAP (from OpenLDAP), or Sun's iPlanet, or NetWare Directory +Server, and so on. + + + + +When Samba is configured to use an LDAP, or other identity management and/or +directory service, it is Samba that continues to perform user and machine +authentication. 
It should be noted that the LDAP server does not perform +authentication handling in place of what Samba is designed to do. + + + +Please refer to Domain Control, for more information regarding +how to create a domain machine account for a Domain Member server as well as for +information on how to enable the Samba Domain Member machine to join the domain +and be fully trusted by it. + + + +Joining an NT4-type Domain with Samba-3 + +Next table lists names that have been used in the remainder of this chapter. + +Assumptions + + + + + + NetBIOS name:SERV1 + + + Windows 200x/NT domain name:&example.workgroup; + + + Domain's PDC NetBIOS name:DOMPDC + + + Domain's BDC NetBIOS names:DOMBDC1 and DOMBDC2 + + + +
+ + +First, you must edit your &smb.conf; file to tell Samba it should now use domain security. + + + + Change (or add) your + security line in the [global] section +of your &smb.conf; to read: + + + + +securitydomain + + + + +Next change the workgroup line in the [global] +section to read: + + + + +workgroup&example.workgroup; + + + + +This is the name of the domain we are joining. + + + +You must also have the parameter encrypt passwords +set to yes in order for your users to authenticate to the NT PDC. +This is the default setting if this parameter is not specified. There is no need to specify this +parameter, but if it is specified in the &smb.conf; file, it must be set to Yes. + + + +Finally, add (or modify) a password server line in the [global] +section to read: + + + + +password serverDOMPDC DOMBDC1 DOMBDC2 + + + + +These are the primary and backup Domain Controllers Samba +will attempt to contact in order to authenticate users. Samba will +try to contact each of these servers in order, so you may want to +rearrange this list in order to spread out the authentication load +among Domain Controllers. + + + +Alternately, if you want smbd to automatically determine +the list of Domain Controllers to use for authentication, you may +set this line to be: + + + + +password server* + + + + +This method allows Samba to use exactly the same mechanism that NT does. The +method either uses broadcast-based name resolution, performs a WINS database +lookup in order to find a Domain Controller against which to authenticate, +or locates the Domain Controller using DNS name resolution. + + + +To join the domain, run this command: + + + + +&rootprompt;net join -S DOMPDC -UAdministrator%password + + + + +If the argument is not given, the domain name will be obtained from &smb.conf;. + + + +The machine is joining the domain DOM, and the PDC for that domain (the only machine +that has write access to the domain SAM database) is DOMPDC, therefore use the +option. 
The Administrator%password is the login name and +password for an account that has the necessary privilege to add machines to the +domain. If this is successful, you will see the message in your terminal window the +text shown below. Where the older NT4 style domain architecture is used: + +Joined domain DOM. + + + + +Where Active Directory is used: + +Joined SERV1 to realm MYREALM. + + + + +Refer to the net man page for further information. + + + +This process joins the server to the domain without having to create the machine +trust account on the PDC beforehand. + + + +This command goes through the machine account password change protocol, then writes +the new (random) machine account password for this Samba server into a file in the +same directory in which a smbpasswd file would be normally stored: + +/usr/local/samba/private/secrets.tdb +or +/etc/samba/secrets.tdb. + + + + +This file is created and owned by root and is not readable by any other user. It is +the key to the Domain-level security for your system, and should be treated as carefully +as a shadow password file. + + + +Finally, restart your Samba daemons and get ready for clients to begin using domain +security. The way you can restart your Samba daemons depends on your distribution, +but in most cases the following will suffice: + +&rootprompt;/etc/init.d/samba restart + + + +
+ + +Why Is This Better Than <parameter>security = server</parameter>? + + +Currently, domain security in Samba does not free you from +having to create local UNIX users to represent the users attaching +to your server. This means that if Domain user DOM\fred + attaches to your Domain Security Samba server, there needs +to be a local UNIX user fred to represent that user in the UNIX +file system. This is similar to the older Samba security mode +securityserver, +where Samba would pass through the authentication request to a Windows +NT server in the same way as a Windows 95 or Windows 98 server would. + + + +Please refer to Winbind: Use of Domain Accounts chapter, for information on a system +to automatically assign UNIX UIDs and GIDs to Windows NT Domain users and groups. + + + +The advantage to Domain-level security is that the +authentication in Domain-level security is passed down the authenticated +RPC channel in exactly the same way that an NT server would do it. This +means Samba servers now participate in domain trust relationships in +exactly the same way NT servers do (i.e., you can add Samba servers into +a resource domain and have the authentication passed on from a resource +domain PDC to an account domain PDC). + + + +In addition, with securityserver, every Samba +daemon on a server has to keep a connection open to the +authenticating server for as long as that daemon lasts. This can drain +the connection resources on a Microsoft NT server and cause it to run +out of available connections. With securitydomain, +however, the Samba daemons connect to the PDC/BDC only for as long +as is necessary to authenticate the user and then drop the connection, +thus conserving PDC connection resources. 
+ + + +And finally, acting in the same manner as an NT server +authenticating to a PDC means that as part of the authentication +reply, the Samba server gets the user identification information such +as the user SID, the list of NT groups the user belongs to, and so on. + + + + +Much of the text of this document was first published in the Web magazine +LinuxWorld as the article +Doing the NIS/NT Samba. + + + + +
+ + +Samba ADS Domain Membership + + +Active Directory +ADSActive Directory +KDC +Kerberos +This is a rough guide to setting up Samba-3 with Kerberos authentication against a +Windows 200x KDC. A familiarity with Kerberos is assumed. + + + +Configure &smb.conf; + + +You must use at least the following three options in &smb.conf;: + + + +realmyour.kerberos.REALM +securityADS +The following parameter need only be specified if present. +The default setting is not present is Yes. +encrypt passwordsyes + + + +In case samba cannot correctly identify the appropriate ADS server using the realm name, use the +password server option in &smb.conf;: + +password serveryour.kerberos.server + + + + +You do not need a smbpasswd file, and older clients will be authenticated as +if securitydomain, although it will not do any harm and +allows you to have local users not in the domain. + + + + + +Configure <filename>/etc/krb5.conf</filename> + + +/etc/krb5.conf +Kerberos/etc/krb5.conf +With both MIT and Heimdal Kerberos, it is unnecessary to configure the +/etc/krb5.conf, and it may be detrimental. + + + +Microsoft Active Directory servers automatically create SRV records in the DNS zone +_kerberos.REALM.NAME for each KDC in the realm. This is part +of the installation and configuration process used to create an Active Directory Domain. + + + +MIT's, as well as Heimdal's, recent KRB5 libraries default to checking for SRV records, so they will +automatically find the KDCs. In addition, krb5.conf only allows specifying +a single KDC, even there if there may be more than one. Using the DNS lookup allows the KRB5 +libraries to use whichever KDCs are available. 
+ + + +When manually configuring krb5.conf, the minimal configuration is: + + + + + +[libdefaults] + default_realm = YOUR.KERBEROS.REALM + +[realms] + YOUR.KERBEROS.REALM = { + kdc = your.kerberos.server + } + +[domain_realms] + .kerberos.server = YOUR.KERBEROS.REALM + + + +When using Heimdal versions before 0.6 use the following configuration settings: + +[libdefaults] + default_realm = YOUR.KERBEROS.REALM + default_etypes = des-cbc-crc des-cbc-md5 + default_etypes_des = des-cbc-crc des-cbc-md5 + +[realms] + YOUR.KERBEROS.REALM = { + kdc = your.kerberos.server + } + +[domain_realms] + .kerberos.server = YOUR.KERBEROS.REALM + + + + +kinit +Test your config by doing a kinit +USERNAME@REALM and +making sure that your password is accepted by the Win2000 KDC. + + + +With Heimdal versions earlier than 0.6.x you only can use newly created accounts +in ADS or accounts that have had the password changed once after migration, or +in case of Administrator after installation. At the +moment, a Windows 2003 KDC can only be used with a Heimdal releases later than 0.6 +(and no default etypes in krb5.conf). Unfortunately this whole area is still +in a state of flux. + + + +The realm must be in uppercase or you will get Cannot find KDC for +requested realm while getting initial credentials error (Kerberos +is case-sensitive!). + + + +Time between the two servers must be synchronized. You will get a +kinit(v5): Clock skew too great while getting initial credentials +if the time difference is more than five minutes. + + + +Clock skew limits are configurable in the Kerberos protocols. The default setting is +five minutes. + + + +You also must ensure that you can do a reverse DNS lookup on the IP +address of your KDC. Also, the name that this reverse lookup maps to +must either be the NetBIOS name of the KDC (i.e., the hostname with no +domain attached) or it can alternately be the NetBIOS name followed by the realm. 
+ + + +The easiest way to ensure you get this right is to add a +/etc/hosts entry mapping the IP address of your KDC to +its NetBIOS name. If you do not get this correct then you will get a +local error when you try to join the realm. + + + +If all you want is Kerberos support in &smbclient; then you can skip +directly to Testing with &smbclient; now. +Create the Computer Account and +Testing Server Setup +are needed only if you want Kerberos support for &smbd; and &winbindd;. + + + + + +Create the Computer Account + + +As a user who has write permission on the Samba private directory (usually root), run: + +&rootprompt; net ads join -U Administrator%password + + + + +When making a Windows client a member of an ADS domain within a complex organization, you +may want to create the machine account within a particular organizational unit. Samba-3 permits +this to be done using the following syntax: + +&rootprompt; kinit Administrator@your.kerberos.REALM +&rootprompt; net ads join organizational_unit + + + + +For example, you may want to create the machine account in a container called Servers +under the organizational directory Computers\BusinessUnit\Department like this: + +&rootprompt; net ads join "Computers\BusinessUnit\Department\Servers" + + + + + + +Possible Errors + + + + ADS support not compiled in + Samba must be reconfigured (remove config.cache) and recompiled + (make clean all install) after the Kerberos libraries and headers files are installed. + + + net ads join prompts for user name + You need to login to the domain using kinit + USERNAME@REALM. + USERNAME must be a user who has rights to add a machine + to the domain. + + Unsupported encryption/or checksum types + + Make sure that the /etc/krb5.conf is correctly configured + for the type and version of Kerberos installed on the system. 
+ + + + + + + + + +Testing Server Setup + + +If the join was successful, you will see a new computer account with the +NetBIOS name of your Samba server in Active Directory (in the Computers +folder under Users and Computers. + + + +On a Windows 2000 client, try net use * \\server\share. You should +be logged in with Kerberos without needing to know a password. If this fails then run +klist tickets. Did you get a ticket for the server? Does it have +an encryption type of DES-CBC-MD5? + + + +Samba can use both DES-CBC-MD5 encryption as well as ARCFOUR-HMAC-MD5 encoding. + + + + + +Testing with &smbclient; + + + +smbclient +On your Samba server try to login to a Win2000 server or your Samba +server using &smbclient; and Kerberos. Use &smbclient; as usual, but +specify the option to choose Kerberos authentication. + + + + + +Notes + + +You must change administrator password at least once after DC +install, to create the right encryption types. + + + +Windows 200x does not seem to create the _kerberos._udp and _ldap._tcp in +the default DNS setup. Perhaps this will be fixed later in service packs. + + + + + + +Sharing User ID Mappings between Samba Domain Members + + +Samba maps UNIX users and groups (identified by UIDs and GIDs) to Windows users and groups (identified by SIDs). +These mappings are done by the idmap subsystem of Samba. + + + +In some cases it is useful to share these mappings between Samba Domain Members, +so name->id mapping is identical on all machines. +This may be needed in particular when sharing files over both CIFS and NFS. + + +To use the LDAP ldap idmap suffix, set: + + +ldap idmap suffixou=Idmap,dc=quenya,dc=org + + +See the &smb.conf; man page entry for the ldap idmap suffix +parameter for further information. 
+ + +Do not forget to specify also the ldap admin dn +and to make certain to set the LDAP administrative password into the secrets.tdb using: + +&rootprompt; smbpasswd -w ldap-admin-password + + + + + +Common Errors + + +In the process of adding/deleting/re-adding Domain Member machine accounts, there are +many traps for the unwary player and many little things that can go wrong. +It is particularly interesting how often subscribers on the Samba mailing list have concluded +after repeated failed attempts to add a machine account that it is necessary to re-install +MS Windows on the machine. In truth, it is seldom necessary to reinstall because of this type +of problem. The real solution is often quite simple and with an understanding of how MS Windows +networking functions, it is easy to overcome. + + + +Cannot Add Machine Back to Domain + + +A Windows workstation was re-installed. The original domain machine +account was deleted and added immediately. The workstation will not join the domain if I use +the same machine name. Attempts to add the machine fail with a message that the machine already +exists on the network &smbmdash; I know it does not. Why is this failing? + + + +The original name is still in the NetBIOS name cache and must expire after machine account +deletion before adding that same name as a Domain Member again. The best advice is to delete +the old account and then add the machine with a new name. + + + + + +Adding Machine to Domain Fails + + +Adding a Windows 200x or XP Professional machine to the Samba PDC Domain fails with a +message that, `The machine could not be added at this time, there is a network problem. +Please try again later.' Why? + + + +You should check that there is an add machine script in your &smb.conf; +file. If there is not, please add one that is appropriate for your OS platform. If a script +has been defined, you will need to debug its operation. 
Increase the log level +in the &smb.conf; file to level 10, then try to rejoin the domain. Check the logs to see which +operation is failing. + + + +Possible causes include: + + + + + The script does not actually exist, or could not be located in the path specified. + + + + Corrective action: Fix it. Make sure when run manually + that the script will add both the UNIX system account and the Samba SAM account. + + + + The machine could not be added to the UNIX system accounts file /etc/passwd. + + + + Corrective action: Check that the machine name is a legal UNIX + system account name. If the UNIX utility useradd is called, + then make sure that the machine name you are trying to add can be added using this + tool. Useradd on some systems will not allow any upper case characters + nor will it allow spaces in the name. + + + + +The add machine script does not create the +machine account in the Samba backend database, it is there only to create a UNIX system +account to which the Samba backend database account can be mapped. + + + + + + I Can't Join a Windows 2003 PDC + + Windows 2003 requires SMB signing. Client side SMB signing has been implemented in Samba-3.0. + Set client use spnegoyes when communicating + with a Windows 2003 server. + + + +
diff --git a/docs/howto/GROUP-MAPPING-HOWTO.xml b/docs/howto/GROUP-MAPPING-HOWTO.xml
deleted file mode 100644
index 41860d1757..0000000000
--- a/docs/howto/GROUP-MAPPING-HOWTO.xml
+++ /dev/null
@@ -1,668 +0,0 @@ - - - - &author.jht; - - Jean FrançoisMicouleau - - &author.jerry; - -Group Mapping &smbmdash; MS Windows and UNIX - - - -groupsmapping - Starting with Samba-3, new group mapping functionality is available to create associations - between Windows group SIDs and UNIX groups. The groupmap subcommand - included with the &net; tool can be used to manage these associations. - - - - The new facility for mapping NT Groups to UNIX system groups allows the administrator to decide - which NT Domain Groups are to be exposed to MS Windows clients. Only those NT Groups that map - to a UNIX group that has a value other than the default (-1) will be exposed - in group selection lists in tools that access domain users and groups. - - - - - domain admin group - The domain admin group parameter has been removed in Samba-3 and should no longer - be specified in &smb.conf;. In Samba-2.2.x, this parameter was used to give the listed users membership in the - Domain Admins Windows group which gave local admin rights on their workstations - (in default configurations). - - - - -Features and Benefits - - - Samba allows the administrator to create MS Windows NT4/200x group accounts and to - arbitrarily associate them with UNIX/Linux group accounts. - - - -UID -GID - Group accounts can be managed using the MS Windows NT4 or MS Windows 200x/XP Professional MMC tools. - Appropriate interface scripts should be provided in &smb.conf; if it is desired that UNIX/Linux system - accounts should be automatically created when these tools are used. In the absence of these scripts, and - so long as winbindd is running, Samba group accounts that are created using these - tools will be allocated UNIX UIDs/GIDs from the ID range specified by the - idmap uid/idmap gid - parameters in the &smb.conf; file. - - -
IDMAP: group SID to GID resolution. - - - - -
- -
IDMAP: GID resolution to matching SID. - - - - -
- - - In both cases, when winbindd is not running, only locally resolvable groups can be recognized. Please refer to - IDMAP: group SID to GID resolution and IDMAP: GID resolution to matching SID. - The net groupmap is - used to establish UNIX group to NT SID mappings as shown in IDMAP: storing group mappings. - - -
IDMAP storing group mappings. - - - - -
- - - - groupadd - groupdel - Administrators should be aware that where &smb.conf; group interface scripts make - direct calls to the UNIX/Linux system tools (the shadow utilities, groupadd, - groupdel, and groupmod), the resulting UNIX/Linux group names will be subject - to any limits imposed by these tools. If the tool does not allow upper case characters - or space characters, then the creation of an MS Windows NT4/200x style group of - Engineering Managers will attempt to create an identically named - UNIX/Linux group, an attempt that will of course fail. - - - - - - GID - SID - There are several possible work-arounds for the operating system tools limitation. One - method is to use a script that generates a name for the UNIX/Linux system group that - fits the operating system limits, and that then just passes the UNIX/Linux group ID (GID) - back to the calling Samba interface. This will provide a dynamic work-around solution. - - - - Another work-around is to manually create a UNIX/Linux group, then manually create the - MS Windows NT4/200x group on the Samba server and then use the net groupmap - tool to connect the two to each other. - - -
- - -Discussion - - - When installing MS Windows NT4/200x on a computer, the installation - program creates default users and groups, notably the Administrators group, - and gives that group privileges necessary privileges to perform essential system tasks, - such as the ability to change the date and time or to kill (or close) any process running on the - local machine. - - - - Administrator - The Administrator user is a member of the Administrators group, and thus inherits - Administrators group privileges. If a joe user is created to be a member of the - Administrators group, joe has exactly the same rights as the user, - Administrator. - - - - When an MS Windows NT4/200x/XP machine is made a Domain Member, the Domain Admins group of the - PDC is added to the local Administrators group of the workstation. Every member of the - Domain Administrators group inherits the rights of the local Administrators group when - logging on the workstation. - - - - The following steps describe how to make Samba PDC users members of the Domain Admins group? - - - - - Create a UNIX group (usually in /etc/group), let's call it domadm. - - - - Add to this group the users that must be Administrators. For example, - if you want joe, john and mary to be administrators, - your entry in /etc/group will look like this: - - - - domadm:x:502:joe,john,mary - - - - - Map this domadm group to the Domain Admins group by running the command: - - - - - &rootprompt;net groupmap add ntgroup=Domain Admins unixgroup=domadm - - - - - Domain Admins group - The quotes around Domain Admins are necessary due to the space in the group name. - Also make sure to leave no white-space surrounding the equal character (=). - - - - - Now joe, john and mary are domain administrators. - - - - groupsdomain - It is possible to map any arbitrary UNIX group to any Windows NT4/200x group as well as - making any UNIX group a Windows domain group. 
For example, if you wanted to include a - UNIX group (e.g., acct) in an ACL on a local file or printer on a Domain Member machine, - you would flag that group as a domain group by running the following on the Samba PDC: - - - - -&rootprompt;net groupmap add rid=1000 ntgroup="Accounting" unixgroup=acct - - - - - Be aware that the RID parameter is a unsigned 32-bit integer that should - normally start at 1000. However, this RID must not overlap with any RID assigned - to a user. Verification for this is done differently depending on the passdb backend - you are using. Future versions of the tools may perform the verification automatically, - but for now the burden is on you. - - - - Important Administrative Information - - - Administrative rights are necessary in two specific forms: - - - - For Samba-3 Domain Controllers and - Domain Member Servers/Clients. - To manage Domain Member Windows workstations. - - - - Administrative tasks on UNIX/Linux systems, such as adding users or groups, requires root - level privilege. The addition of a Windows client to a Samba Domain involves the addition of a user account - for the Windows client. - - - - Many UNIX administrators continue to request the Samba Team make it possible to add Windows workstations, or - to ability to add/delete or modify user accounts, without requiring root privileges. - Such a request violates every understanding of basic UNIX system security. - - - - There is no safe way to provide access on a UNIX/Linux system without providing root - level privilege. Provision of root privileges can be done wither by logging onto - the Domain as the user root, or by permitting particular users to use a UNIX account - that is a member of the UNIX group that has a GID=0 as the primary group in the /etc/passwd - database. Users of such accounts can use tools like the NT4 Domain User Manager, and the NT4 Domain Server - Manager to manage user and group accounts as well as Domain Member server and client accounts. 
This level - of privilege is also needed to manage share level ACLs. - - - - Administrative tasks on a Windows Domain Member workstation, can be done by anyone who is a member of the - Domain Admins group. This group can be mapped to any convenient UNIX group. - - - - - - Default Users, Groups and Relative Identifiers - - -Relative IdentifierRID -RID - When first installed, Microsoft Windows NT4/200x/XP are pre-configured with certain User, Group, and - Alias entities. Each has a well-known Relative Identifier (RID). These must be preserved for continued - integrity of operation. Samba must be provisioned with certain essential Domain Groups that require - the appropriate RID value. When Samba-3 is configured to use tdbsam the essential - Domain Groups are automatically created. It is the LDAP administrators' responsibility to create - (provision) the default NT Groups. - - - - Each essential Domain Group must be assigned its respective well-known RID. The default Users, Groups, - Aliases, and RIDs are shown in Well-Known User Default RIDs table. - - - - When the passdb backend uses LDAP (ldapsam) it is the - administrators' responsibility to create the essential Domain Groups, and to assign each its default RID. - - - - It is permissible to create any Domain Group that may be necessary, just make certain that the essential - Domain Groups (well known) have been created and assigned its default RID. Other groups you create may - be assigned any arbitrary RID you care to use. - - - - Be sure to map each Domain Group to a UNIX system group. That is the only way to ensure that the group - will be available for use as an NT Domain Group. 
- - - - - Well-Known User Default RIDs - - - - - - - - Well-Known Entity - RID - Type - Essential - - - - - Domain Administrator - 500 - User - No - - - Domain Guest - 501 - User - No - - - Domain KRBTGT - 502 - User - No - - - Domain Admins - 512 - Group - Yes - - - Domain Users - 513 - Group - Yes - - - Domain Guests - 514 - Group - Yes - - - Domain Computers - 515 - Group - No - - - Domain Controllers - 516 - Group - No - - - Domain Certificate Admins - 517 - Group - No - - - Domain Schema Admins - 518 - Group - No - - - Domain Enterprise Admins - 519 - Group - No - - - Domain Policy Admins - 520 - Group - No - - - Builtin Admins - 544 - Alias - No - - - Builtin users - 545 - Alias - No - - - Builtin Guests - 546 - Alias - No - - - Builtin Power Users - 547 - Alias - No - - - Builtin Account Operators - 548 - Alias - No - - - Builtin System Operators - 549 - Alias - No - - - Builtin Print Operators - 550 - Alias - No - - - Builtin Backup Operators - 551 - Alias - No - - - Builtin Replicator - 552 - Alias - No - - - Builtin RAS Servers - 553 - Alias - No - - - -
-
- -
- - - Example Configuration - - - You can list the various groups in the mapping database by executing - net groupmap list. Here is an example: - - -netgroupmap - - - -&rootprompt; net groupmap list -Domain Admins (S-1-5-21-2547222302-1596225915-2414751004-512) -> domadmin -Domain Users (S-1-5-21-2547222302-1596225915-2414751004-513) -> domuser -Domain Guests (S-1-5-21-2547222302-1596225915-2414751004-514) -> domguest - - - - - For complete details on net groupmap, refer to the net(8) man page. - - - - -
- - -Configuration Scripts - - - Everyone needs tools. Some of us like to create our own, others prefer to use canned tools - (i.e., prepared by someone else for general use). - - - - Sample &smb.conf; Add Group Script - - - A script to create complying group names for use by the Samba group interfaces - is provided in smbgrpadd.sh. - - -smbgrpadd.sh - - - smbgrpadd.sh - - -#!/bin/bash - -# Add the group using normal system groupadd tool. -groupadd smbtmpgrp00 - -thegid=`cat /etc/group | grep smbtmpgrp00 | cut -d ":" -f3` - -# Now change the name to what we want for the MS Windows networking end -cp /etc/group /etc/group.bak -cat /etc/group.bak | sed "s/smbtmpgrp00/$1/g" > /etc/group - -# Now return the GID as would normally happen. -echo $thegid -exit 0 - - - - - - The &smb.conf; entry for the above script would be something like that in the following example. - -Configuration of &smb.conf; for the add group script. -[global] -... -add group script/path_to_tool/smbgrpadd.sh "%g" -... - - - - - - - Script to Configure Group Mapping - - - In our example we have created a UNIX/Linux group called ntadmin. - Our script will create the additional groups Orks, Elves, and Gnomes. - It is a good idea to save this shell script for later re-use just in case you ever need to rebuild your mapping database. - For the sake of convenience we elect to save this script as a file called initGroups.sh. - This script is given in intGroups.sh. 
- - - -initGroups.sh - - Script to Set Group Mapping - -#!/bin/bash - -net groupmap modify ntgroup="Domain Admins" unixgroup=ntadmin -net groupmap modify ntgroup="Domain Users" unixgroup=users -net groupmap modify ntgroup="Domain Guests" unixgroup=nobody - -groupadd Orks -groupadd Elves -groupadd Gnomes - -net groupmap add ntgroup="Orks" unixgroup=Orks type=d -net groupmap add ntgroup="Elves" unixgroup=Elves type=d -net groupmap add ntgroup="Gnomes" unixgroup=Gnomes type=d - - - - - - Of course it is expected that the administrator will modify this to suit local needs. - For information regarding the use of the net groupmap tool please - refer to the man page. - - - - - - - -Common Errors - - -At this time there are many little surprises for the unwary administrator. In a real sense -it is imperative that every step of automated control scripts must be carefully tested -manually before putting them into active service. - - - - Adding Groups Fails - - - This is a common problem when the groupadd is called directly - by the Samba interface script for the add group script in - the &smb.conf; file. - - - - The most common cause of failure is an attempt to add an MS Windows group account - that has either an upper case character and/or a space character in it. - - - - There are three possible work-arounds. First, use only group names that comply - with the limitations of the UNIX/Linux groupadd system tool. - Second, it involves the use of the script mentioned earlier in this chapter, and - third is the option is to manually create a UNIX/Linux group account that can substitute - for the MS Windows group name, then use the procedure listed above to map that group - to the MS Windows group. - - - - - - Adding MS Windows Groups to MS Windows Groups Fails - - groupsnested - - - Samba-3 does not support nested groups from the MS Windows control environment. 
- - - - - - Adding <emphasis>Domain Users</emphasis> to the <emphasis>Power Users</emphasis> Group - - - What must I do to add Domain Users to the Power Users group? - - -Domain Users group - - - The Power Users group is a group that is local to each Windows 200x/XP Professional workstation. - You cannot add the Domain Users group to the Power Users group automatically, it must be done on - each workstation by logging in as the local workstation administrator and - then using the following procedure: - - - - - Click Start -> Control Panel -> Users and Passwords. - - - - Click the Advanced tab. - - - - Click the Advanced button. - - - - Click Groups. - - - - Double click Power Users. This will launch the panel to add users or groups - to the local machine Power Uses group. - - - - Click the Add button. - - - - Select the domain from which the Domain Users group is to be added. - - - - Double click the Domain Users group. - - - - Click the Ok button. If a logon box is presented during this process - please remember to enter the connect as DOMAIN\UserName. i.e., For the - domain MIDEARTH and the user root enter - MIDEARTH\root. - - - - - - -
diff --git a/docs/howto/Group-Mapping.xml b/docs/howto/Group-Mapping.xml
new file mode 100644
index 0000000000..41860d1757
--- /dev/null
+++ b/docs/howto/Group-Mapping.xml
@@ -0,0 +1,668 @@
+
+
+
+ &author.jht;
+
+ Jean FrançoisMicouleau
+
+ &author.jerry;
+
+Group Mapping &smbmdash; MS Windows and UNIX
+
+
+
+groupsmapping
+ Starting with Samba-3, new group mapping functionality is available to create associations
+ between Windows group SIDs and UNIX groups. The groupmap subcommand
+ included with the &net; tool can be used to manage these associations.
+
+
+
+ The new facility for mapping NT Groups to UNIX system groups allows the administrator to decide
+ which NT Domain Groups are to be exposed to MS Windows clients. Only those NT Groups that map
+ to a UNIX group that has a value other than the default (-1) will be exposed
+ in group selection lists in tools that access domain users and groups.
+
+
+
+
+ domain admin group
+ The domain admin group parameter has been removed in Samba-3 and should no longer
+ be specified in &smb.conf;. In Samba-2.2.x, this parameter was used to give the listed users membership in the
+ Domain Admins Windows group which gave local admin rights on their workstations
+ (in default configurations).
+
+
+
+
+Features and Benefits
+
+
+ Samba allows the administrator to create MS Windows NT4/200x group accounts and to
+ arbitrarily associate them with UNIX/Linux group accounts.
+
+
+
+UID
+GID
+ Group accounts can be managed using the MS Windows NT4 or MS Windows 200x/XP Professional MMC tools.
+ Appropriate interface scripts should be provided in &smb.conf; if it is desired that UNIX/Linux system
+ accounts should be automatically created when these tools are used. In the absence of these scripts, and
+ so long as winbindd is running, Samba group accounts that are created using these
+ tools will be allocated UNIX UIDs/GIDs from the ID range specified by the
+ idmap uid/idmap gid
+ parameters in the &smb.conf; file.
+
+
+
IDMAP: group SID to GID resolution. + + + + +
+ +
IDMAP: GID resolution to matching SID. + + + + +
+ + + In both cases, when winbindd is not running, only locally resolvable groups can be recognized. Please refer to + IDMAP: group SID to GID resolution and IDMAP: GID resolution to matching SID. + The net groupmap is + used to establish UNIX group to NT SID mappings as shown in IDMAP: storing group mappings. + + +
IDMAP storing group mappings. + + + + +
+ + + + groupadd + groupdel + Administrators should be aware that where &smb.conf; group interface scripts make + direct calls to the UNIX/Linux system tools (the shadow utilities, groupadd, + groupdel, and groupmod), the resulting UNIX/Linux group names will be subject + to any limits imposed by these tools. If the tool does not allow upper case characters + or space characters, then the creation of an MS Windows NT4/200x style group of + Engineering Managers will attempt to create an identically named + UNIX/Linux group, an attempt that will of course fail. + + + + + + GID + SID + There are several possible work-arounds for the operating system tools limitation. One + method is to use a script that generates a name for the UNIX/Linux system group that + fits the operating system limits, and that then just passes the UNIX/Linux group ID (GID) + back to the calling Samba interface. This will provide a dynamic work-around solution. + + + + Another work-around is to manually create a UNIX/Linux group, then manually create the + MS Windows NT4/200x group on the Samba server and then use the net groupmap + tool to connect the two to each other. + + +
+ + +Discussion + + + When installing MS Windows NT4/200x on a computer, the installation + program creates default users and groups, notably the Administrators group, + and gives that group privileges necessary privileges to perform essential system tasks, + such as the ability to change the date and time or to kill (or close) any process running on the + local machine. + + + + Administrator + The Administrator user is a member of the Administrators group, and thus inherits + Administrators group privileges. If a joe user is created to be a member of the + Administrators group, joe has exactly the same rights as the user, + Administrator. + + + + When an MS Windows NT4/200x/XP machine is made a Domain Member, the Domain Admins group of the + PDC is added to the local Administrators group of the workstation. Every member of the + Domain Administrators group inherits the rights of the local Administrators group when + logging on the workstation. + + + + The following steps describe how to make Samba PDC users members of the Domain Admins group? + + + + + Create a UNIX group (usually in /etc/group), let's call it domadm. + + + + Add to this group the users that must be Administrators. For example, + if you want joe, john and mary to be administrators, + your entry in /etc/group will look like this: + + + + domadm:x:502:joe,john,mary + + + + + Map this domadm group to the Domain Admins group by running the command: + + + + + &rootprompt;net groupmap add ntgroup=Domain Admins unixgroup=domadm + + + + + Domain Admins group + The quotes around Domain Admins are necessary due to the space in the group name. + Also make sure to leave no white-space surrounding the equal character (=). + + + + + Now joe, john and mary are domain administrators. + + + + groupsdomain + It is possible to map any arbitrary UNIX group to any Windows NT4/200x group as well as + making any UNIX group a Windows domain group. 
For example, if you wanted to include a + UNIX group (e.g., acct) in an ACL on a local file or printer on a Domain Member machine, + you would flag that group as a domain group by running the following on the Samba PDC: + + + + +&rootprompt;net groupmap add rid=1000 ntgroup="Accounting" unixgroup=acct + + + + + Be aware that the RID parameter is a unsigned 32-bit integer that should + normally start at 1000. However, this RID must not overlap with any RID assigned + to a user. Verification for this is done differently depending on the passdb backend + you are using. Future versions of the tools may perform the verification automatically, + but for now the burden is on you. + + + + Important Administrative Information + + + Administrative rights are necessary in two specific forms: + + + + For Samba-3 Domain Controllers and + Domain Member Servers/Clients. + To manage Domain Member Windows workstations. + + + + Administrative tasks on UNIX/Linux systems, such as adding users or groups, requires root + level privilege. The addition of a Windows client to a Samba Domain involves the addition of a user account + for the Windows client. + + + + Many UNIX administrators continue to request the Samba Team make it possible to add Windows workstations, or + to ability to add/delete or modify user accounts, without requiring root privileges. + Such a request violates every understanding of basic UNIX system security. + + + + There is no safe way to provide access on a UNIX/Linux system without providing root + level privilege. Provision of root privileges can be done wither by logging onto + the Domain as the user root, or by permitting particular users to use a UNIX account + that is a member of the UNIX group that has a GID=0 as the primary group in the /etc/passwd + database. Users of such accounts can use tools like the NT4 Domain User Manager, and the NT4 Domain Server + Manager to manage user and group accounts as well as Domain Member server and client accounts. 
This level + of privilege is also needed to manage share level ACLs. + + + + Administrative tasks on a Windows Domain Member workstation, can be done by anyone who is a member of the + Domain Admins group. This group can be mapped to any convenient UNIX group. + + + + + + Default Users, Groups and Relative Identifiers + + +Relative IdentifierRID +RID + When first installed, Microsoft Windows NT4/200x/XP are pre-configured with certain User, Group, and + Alias entities. Each has a well-known Relative Identifier (RID). These must be preserved for continued + integrity of operation. Samba must be provisioned with certain essential Domain Groups that require + the appropriate RID value. When Samba-3 is configured to use tdbsam the essential + Domain Groups are automatically created. It is the LDAP administrators' responsibility to create + (provision) the default NT Groups. + + + + Each essential Domain Group must be assigned its respective well-known RID. The default Users, Groups, + Aliases, and RIDs are shown in Well-Known User Default RIDs table. + + + + When the passdb backend uses LDAP (ldapsam) it is the + administrators' responsibility to create the essential Domain Groups, and to assign each its default RID. + + + + It is permissible to create any Domain Group that may be necessary, just make certain that the essential + Domain Groups (well known) have been created and assigned its default RID. Other groups you create may + be assigned any arbitrary RID you care to use. + + + + Be sure to map each Domain Group to a UNIX system group. That is the only way to ensure that the group + will be available for use as an NT Domain Group. 
+ + + + + Well-Known User Default RIDs + + + + + + + + Well-Known Entity + RID + Type + Essential + + + + + Domain Administrator + 500 + User + No + + + Domain Guest + 501 + User + No + + + Domain KRBTGT + 502 + User + No + + + Domain Admins + 512 + Group + Yes + + + Domain Users + 513 + Group + Yes + + + Domain Guests + 514 + Group + Yes + + + Domain Computers + 515 + Group + No + + + Domain Controllers + 516 + Group + No + + + Domain Certificate Admins + 517 + Group + No + + + Domain Schema Admins + 518 + Group + No + + + Domain Enterprise Admins + 519 + Group + No + + + Domain Policy Admins + 520 + Group + No + + + Builtin Admins + 544 + Alias + No + + + Builtin users + 545 + Alias + No + + + Builtin Guests + 546 + Alias + No + + + Builtin Power Users + 547 + Alias + No + + + Builtin Account Operators + 548 + Alias + No + + + Builtin System Operators + 549 + Alias + No + + + Builtin Print Operators + 550 + Alias + No + + + Builtin Backup Operators + 551 + Alias + No + + + Builtin Replicator + 552 + Alias + No + + + Builtin RAS Servers + 553 + Alias + No + + + +
+
+ +
+ + + Example Configuration + + + You can list the various groups in the mapping database by executing + net groupmap list. Here is an example: + + +netgroupmap + + + +&rootprompt; net groupmap list +Domain Admins (S-1-5-21-2547222302-1596225915-2414751004-512) -> domadmin +Domain Users (S-1-5-21-2547222302-1596225915-2414751004-513) -> domuser +Domain Guests (S-1-5-21-2547222302-1596225915-2414751004-514) -> domguest + + + + + For complete details on net groupmap, refer to the net(8) man page. + + + + +
+ + +Configuration Scripts + + + Everyone needs tools. Some of us like to create our own, others prefer to use canned tools + (i.e., prepared by someone else for general use). + + + + Sample &smb.conf; Add Group Script + + + A script to create complying group names for use by the Samba group interfaces + is provided in smbgrpadd.sh. + + +smbgrpadd.sh + + + smbgrpadd.sh + + +#!/bin/bash + +# Add the group using normal system groupadd tool. +groupadd smbtmpgrp00 + +thegid=`cat /etc/group | grep smbtmpgrp00 | cut -d ":" -f3` + +# Now change the name to what we want for the MS Windows networking end +cp /etc/group /etc/group.bak +cat /etc/group.bak | sed "s/smbtmpgrp00/$1/g" > /etc/group + +# Now return the GID as would normally happen. +echo $thegid +exit 0 + + + + + + The &smb.conf; entry for the above script would be something like that in the following example. + +Configuration of &smb.conf; for the add group script. +[global] +... +add group script/path_to_tool/smbgrpadd.sh "%g" +... + + + + + + + Script to Configure Group Mapping + + + In our example we have created a UNIX/Linux group called ntadmin. + Our script will create the additional groups Orks, Elves, and Gnomes. + It is a good idea to save this shell script for later re-use just in case you ever need to rebuild your mapping database. + For the sake of convenience we elect to save this script as a file called initGroups.sh. + This script is given in intGroups.sh. 
+ + + +initGroups.sh + + Script to Set Group Mapping + +#!/bin/bash + +net groupmap modify ntgroup="Domain Admins" unixgroup=ntadmin +net groupmap modify ntgroup="Domain Users" unixgroup=users +net groupmap modify ntgroup="Domain Guests" unixgroup=nobody + +groupadd Orks +groupadd Elves +groupadd Gnomes + +net groupmap add ntgroup="Orks" unixgroup=Orks type=d +net groupmap add ntgroup="Elves" unixgroup=Elves type=d +net groupmap add ntgroup="Gnomes" unixgroup=Gnomes type=d + + + + + + Of course it is expected that the administrator will modify this to suit local needs. + For information regarding the use of the net groupmap tool please + refer to the man page. + + + + + + + +Common Errors + + +At this time there are many little surprises for the unwary administrator. In a real sense +it is imperative that every step of automated control scripts must be carefully tested +manually before putting them into active service. + + + + Adding Groups Fails + + + This is a common problem when the groupadd is called directly + by the Samba interface script for the add group script in + the &smb.conf; file. + + + + The most common cause of failure is an attempt to add an MS Windows group account + that has either an upper case character and/or a space character in it. + + + + There are three possible work-arounds. First, use only group names that comply + with the limitations of the UNIX/Linux groupadd system tool. + Second, it involves the use of the script mentioned earlier in this chapter, and + third is the option is to manually create a UNIX/Linux group account that can substitute + for the MS Windows group name, then use the procedure listed above to map that group + to the MS Windows group. + + + + + + Adding MS Windows Groups to MS Windows Groups Fails + + groupsnested + + + Samba-3 does not support nested groups from the MS Windows control environment. 
+ + + + + + Adding <emphasis>Domain Users</emphasis> to the <emphasis>Power Users</emphasis> Group + + + What must I do to add Domain Users to the Power Users group? + + +Domain Users group + + + The Power Users group is a group that is local to each Windows 200x/XP Professional workstation. + You cannot add the Domain Users group to the Power Users group automatically, it must be done on + each workstation by logging in as the local workstation administrator and + then using the following procedure: + + + + + Click Start -> Control Panel -> Users and Passwords. + + + + Click the Advanced tab. + + + + Click the Advanced button. + + + + Click Groups. + + + + Double click Power Users. This will launch the panel to add users or groups + to the local machine Power Uses group. + + + + Click the Add button. + + + + Select the domain from which the Domain Users group is to be added. + + + + Double click the Domain Users group. + + + + Click the Ok button. If a logon box is presented during this process + please remember to enter the connect as DOMAIN\UserName. i.e., For the + domain MIDEARTH and the user root enter + MIDEARTH\root. + + + + + + +
diff --git a/docs/howto/Install.xml b/docs/howto/Install.xml
new file mode 100644
index 0000000000..a4ba1c0aa7
--- /dev/null
+++ b/docs/howto/Install.xml
@@ -0,0 +1,379 @@ + + + &author.tridge; + &author.jelmer; + &author.jht; + &author.kauer; + &author.danshearer; + + + + +How to Install and Test SAMBA + + + Obtaining and Installing Samba + + + Binary packages of Samba are included in almost any Linux or + UNIX distribution. There are also some packages available at + the Samba home-page. Refer to + the manual of your operating system for details on installing packages + for your specific operating system. + + + If you need to compile Samba from source, check + How to compile Samba chapter. + + + + + Configuring Samba (smb.conf) + + + Samba's configuration is stored in the &smb.conf; file, which + usually resides in /etc/samba/smb.conf + or /usr/local/samba/lib/smb.conf. You can either + edit this file yourself or do it using one of the many graphical + tools that are available, such as the Web-based interface SWAT, that + is included with Samba. + + + + Configuration file syntax + + The &smb.conf; file uses the same syntax as the various old + .ini files in Windows 3.1: Each file consists of various sections, + which are started by putting the section name between brackets ([]) + on a new line. Each contains zero or more key/value-pairs separated by an + equality sign (=). The file is just a plain-text file, so you can + open and edit it with your favorite editing tool. + + Each section in the &smb.conf; file represents a share + on the Samba server. The section global is special, since it + contains settings that apply to the whole Samba server and not + to one share in particular. + +Following example contains a very minimal &smb.conf;. + minimal configuration + + + + A minimal smb.conf + + [global] + workgroupWKG + netbios nameMYNAME + [share1] + path/tmp + + [share2] + path/my_shared_folder + commentSome random files + + + + + + Starting Samba + + + Samba essentially consists of two or three daemons. A daemon is a UNIX application that runs in the background and provides services. 
+ An example of a service is the Apache Web server for which the daemon is called httpd. In the case of Samba there + are three daemons, two of which are needed as a minimum. + + + + The Samba server is made up of the following daemons: + + + + nmbd + + smbd + starting sambasmbd + This daemon handles all name registration and resolution requests. It is the primary vehicle involved + in network browsing. It handles all UDP based protocols. The nmbd daemon should + be the first command started as part of the Samba start-up process. + + + + smbd + + nmbd + starting sambanmbd + This daemon handles all TCP/IP based connection services for file and print based operations. It also + manages local authentication. It should be started immediately following the start-up of nmbd. + + + + winbindd + + winbindd + starting sambawinbindd + This daemon should be started when Samba is a member of a Windows NT4 or ADS Domain. IT is also needed when + Samba has trust relationships with another Domain. The winbindd daemon will check the + &smb.conf; file for the presence of the idmap uid and idmap gid + parameters. If they are not found winbindd will bail-out and refuse to start. + + + + + + When Samba has been packages by an operating system vendor the start-up process is typically a custom feature of its + integration into the platform as a whole. Please refer to your operating system platform administration manuals for + specific information pertaining to correct management of Samba start-up. + + + + + + Example Configuration + + + There are sample configuration files in the examples subdirectory in the + distribution. It is suggested you read them carefully so you can see how the options + go together in practice. See the man page for all the options. + It might be worthwhile to start out with the smb.conf.default + configuration file and adapt it to your needs. It contains plenty of + comments. 
+ + + + The simplest useful configuration file would contain something like shown in + the next example. + + + + simple configuration + + Another simple smb.conf File +[global] +workgroup&example.workgroup; + +[homes] +guest okno +read onlyno + + + + + This will allow connections by anyone with an account on the server, using either + their login name or homes as the service name. + (Note: The workgroup that Samba should appear in must also be set. The default + workgroup name is WORKGROUP.) + + + + Make sure you put the &smb.conf; file in the correct place. + + + + For more information about security settings for the + [homes] share please refer to + Securing Samba chapter. + + + + Test Your Config File with <command>testparm</command> + + + It's important to validate the contents of the &smb.conf; file using the &testparm; program. + If testparm runs correctly, it will list the loaded services. If not, it will give an error message. + Make sure it runs correctly and that the services look reasonable before proceeding. Enter the command: + + + + &rootprompt; testparm /etc/samba/smb.conf + + + Testparm will parse your configuration file and report + any unknown parameters or incorrect syntax. + + + + + Always run testparm again whenever the &smb.conf; file is changed! + + + + + + + SWAT + + + swat + SWAT is a Web-based interface that can be used to facilitate the configuration of Samba. + SWAT might not be available in the Samba package that shipped with your platform, + but in a separate package. Please read the SWAT man page + on compiling, installing and configuring SWAT from source. + + + + To launch SWAT, just run your favorite Web browser and point it to + http://localhost:901/. + Replace localhost with the name of the computer on which + Samba is running if that is a different computer than your browser. 
+ + + + SWAT can be used from a browser on any IP-connected machine, but be aware that connecting from a remote + machine leaves your connection open to password sniffing as passwords will be sent over the wire in the clear. + + + More information about SWAT can be found in corresponding chapter. + + + + + + + List Shares Available on the Server + + + To list shares that are available from the configured Samba server execute the + following command: + + + +&prompt;smbclient -L yourhostname + + + You should see a list of shares available on your server. If you do not, then + something is incorrectly configured. This method can also be used to see what shares + are available on other SMB servers, such as Windows 2000. + + If you choose user-level security you may find that Samba requests a password + before it will list the shares. See the smbclient man page for details. + You can force it to list the shares without a password by adding the option + to the command line. + + + + Connect with a UNIX Client + + + Enter the following command: + +&prompt;smbclient //yourhostname/aservice + + + Typically yourhostname is the name of the host on which &smbd; + has been installed. The aservice is any service that has been defined in the &smb.conf; + file. Try your user name if you just have a [homes] section in the &smb.conf; file. + + Example: If the UNIX host is called bambi and a valid login name + is fred, you would type: + + +&prompt;smbclient //bambi/fred + + + + + Connect from a Remote SMB Client + + Now that Samba is working correctly locally, you can try to + access it from other clients. Within a few minutes, the Samba host + should be listed in the Network Neighborhood on all Windows + clients of its subnet. Try browsing the server from another client + or 'mounting' it. + + Mounting disks from a DOS, Windows or OS/2 client can be done by running a command such as: + + +&dosprompt;net use d: \\servername\service + + + Try printing, e.g. 
+ + + +&dosprompt;net use lpt1: \\servername\spoolservice + + + +&dosprompt;print filename + + + + + What If Things Don't Work? + + You might want to read The Samba Checklist. + If you are still stuck, refer to Analyzing and Solving Samba Problems chapter. + Samba has been successfully installed at thousands of sites worldwide. + It is unlikely that your particular problem is unique, so it might be + productive to perform an Internet search to see if someone else has encountered + your problem and has found a way to overcome it. + + + + +Common Errors + + +The following questions and issues are raised repeatedly on the Samba mailing list. + + + + Large Number of smbd Processes + + +Samba consists of three core programs: &nmbd;, &smbd;, and &winbindd;. &nmbd; is the name server message daemon, +&smbd; is the server message daemon, and &winbindd; is the daemon that handles communication with Domain Controllers. + + + +If Samba is not running as a WINS server, then there will be one single instance of + &nmbd; running on your system. If it is running as a WINS server then there will be +two instances &smbmdash; one to handle the WINS requests. + + + +&smbd; handles all connection requests. It spawns a new process for each client +connection made. That is why you may see so many of them, one per client connection. + + + +&winbindd; will run as one or two daemons, depending on whether or not it is being +run in split mode (in which case there will be two instances). + + + + + + Error Message: open_oplock_ipc + + An error message is observed in the log files when &smbd; is started: open_oplock_ipc: Failed to get local UDP socket + for address 100007f. Error was Cannot assign requested. + + Your loopback device isn't working correctly. Make sure it is configured correctly. The loopback + device is an internal (virtual) network device with the IP address 127.0.0.1. + Read your OS documentation for details on how to configure the loopback on your system. 
+ + + + + <quote><errorname>The network name cannot be found</errorname></quote> + + + This error can be caused by one of these mis-configurations: + + + + You specified an non-existing path + for the share in &smb.conf;. + + The user you are trying to access the share with does not + have sufficient permissions to access the path for + the share. Both read (r) and access (x) should be possible. + + The share you are trying to access does not exist. + + + + + + diff --git a/docs/howto/PAM-Authentication-And-Samba.xml b/docs/howto/PAM-Authentication-And-Samba.xml deleted file mode 100644 index 7e5911bb19..0000000000 --- a/docs/howto/PAM-Authentication-And-Samba.xml +++ /dev/null @@ -1,939 +0,0 @@ - - - &author.jht; - - StephenLangasek - -
vorlon@netexpress.net
-
-
- May 31, 2003 -
- -PAM-Based Distributed Authentication - - -This chapter should help you to deploy Winbind-based authentication on any PAM-enabled -UNIX/Linux system. Winbind can be used to enable User-Level application access authentication -from any MS Windows NT Domain, MS Windows 200x Active Directory-based -domain, or any Samba-based domain environment. It will also help you to configure PAM-based local host access -controls that are appropriate to your Samba configuration. - - - -In addition to knowing how to configure Winbind into PAM, you will learn generic PAM management -possibilities and in particular how to deploy tools like pam_smbpass.so to your advantage. - - - -The use of Winbind requires more than PAM configuration alone. -Please refer to Winbind: Use of Domain Accounts, for further information regarding Winbind. - - - -Features and Benefits - - -A number of UNIX systems (e.g., Sun Solaris), as well as the xxxxBSD family and Linux, -now utilize the Pluggable Authentication Modules (PAM) facility to provide all authentication, -authorization and resource control services. Prior to the introduction of PAM, a decision -to use an alternative to the system password database (/etc/passwd) -would require the provision of alternatives for all programs that provide security services. -Such a choice would involve provision of alternatives to programs such as: login, -passwd, chown, and so on. - - - -PAM provides a mechanism that disconnects these security programs from the underlying -authentication/authorization infrastructure. PAM is configured by making appropriate modifications to one file -/etc/pam.conf (Solaris), or by editing individual control files that are -located in /etc/pam.d. - - - -On PAM-enabled UNIX/Linux systems, it is an easy matter to configure the system to use any -authentication backend so long as the appropriate dynamically loadable library modules -are available for it. 
The backend may be local to the system, or may be centralized on a -remote server. - - - -PAM support modules are available for: - - - - /etc/passwd - - There are several PAM modules that interact with this standard UNIX user - database. The most common are called: pam_unix.so, pam_unix2.so, pam_pwdb.so - and pam_userdb.so. - - - - Kerberos - - The pam_krb5.so module allows the use of any Kerberos compliant server. - This tool is used to access MIT Kerberos, Heimdal Kerberos, and potentially - Microsoft Active Directory (if enabled). - - - - LDAP - - The pam_ldap.so module allows the use of any LDAP v2 or v3 compatible backend - server. Commonly used LDAP backend servers include: OpenLDAP v2.0 and v2.1, - Sun ONE iDentity server, Novell eDirectory server, Microsoft Active Directory. - - - - NetWare Bindery - - The pam_ncp_auth.so module allows authentication off any bindery-enabled - NetWare Core Protocol-based server. - - - - SMB Password - - This module, called pam_smbpass.so, will allow user authentication off - the passdb backend that is configured in the Samba &smb.conf; file. - - - - SMB Server - - The pam_smb_auth.so module is the original MS Windows networking authentication - tool. This module has been somewhat outdated by the Winbind module. - - - - Winbind - - The pam_winbind.so module allows Samba to obtain authentication from any - MS Windows Domain Controller. It can just as easily be used to authenticate - users for access to any PAM-enabled application. - - - - RADIUS - - There is a PAM RADIUS (Remote Access Dial-In User Service) authentication - module. In most cases, administrators will need to locate the source code - for this tool and compile and install it themselves. RADIUS protocols are - used by many routers and terminal servers. - - - - - -Of the above, Samba provides the pam_smbpasswd.so and the pam_winbind.so modules alone. 
- - - -Once configured, these permit a remarkable level of flexibility in the location and use -of distributed Samba Domain Controllers that can provide wide area network bandwidth -efficient authentication services for PAM-capable systems. In effect, this allows the -deployment of centrally managed and maintained distributed authentication from a -single-user account database. - - - - - -Technical Discussion - - -PAM is designed to provide the system administrator with a great deal of flexibility in -configuration of the privilege granting applications of their system. The local -configuration of system security controlled by PAM is contained in one of two places: -either the single system file, /etc/pam.conf, or the -/etc/pam.d/ directory. - - - -PAM Configuration Syntax - - -In this section we discuss the correct syntax of and generic options respected by entries to these files. -PAM-specific tokens in the configuration file are case insensitive. The module paths, however, are case -sensitive since they indicate a file's name and reflect the case -dependence of typical file systems. -The case-sensitivity of the arguments to any given module is defined for each module in turn. - - - -In addition to the lines described below, there are two special characters provided for the convenience -of the system administrator: comments are preceded by a # and extend to the next end-of-line; also, -module specification lines may be extended with a \ escaped newline. - - - -If the PAM authentication module (loadable link library file) is located in the -default location, then it is not necessary to specify the path. In the case of -Linux, the default location is /lib/security. 
If the module -is located outside the default, then the path must be specified as: - - - - -auth required /other_path/pam_strange_module.so - - - - -Anatomy of <filename>/etc/pam.d</filename> Entries - - -The remaining information in this subsection was taken from the documentation of the Linux-PAM -project. For more information on PAM, see -The Official Linux-PAM home page. - - - -A general configuration line of the /etc/pam.conf file has the following form: - - - - -service-name module-type control-flag module-path args - - - - -Below, we explain the meaning of each of these tokens. The second (and more recently adopted) -way of configuring Linux-PAM is via the contents of the /etc/pam.d/ directory. -Once we have explained the meaning of the above tokens, we will describe this method. - - - - service-name - - The name of the service associated with this entry. Frequently, the service name is the conventional - name of the given application. For example, ftpd, rlogind and - su, and so on. - - - - There is a special service-name reserved for defining a default authentication mechanism. It has - the name OTHER and may be specified in either lower- or upper-case characters. - Note, when there is a module specified for a named service, the OTHER - entries are ignored. - - - - - module-type - - One of (currently) four types of module. The four types are as follows: - - - - - auth: This module type provides two aspects of authenticating the user. - It establishes that the user is who he claims to be by instructing the application - to prompt the user for a password or other means of identification. Secondly, the module can - grant group membership (independently of the /etc/groups file discussed - above) or other privileges through its credential granting properties. - - - - account: This module performs non-authentication-based account management. 
- It is typically used to restrict/permit access to a service based on the time of day, currently - available system resources (maximum number of users) or perhaps the location of the applicant - user root login only on the console. - - - - session: Primarily, this module is associated with doing things that need - to be done for the user before and after they can be given service. Such things include the logging - of information concerning the opening and closing of some data exchange with a user, mounting - directories, and so on. - - - - password: This last module type is required for updating the authentication - token associated with the user. Typically, there is one module for each challenge/response - -based authentication (auth) module type. - - - - - - control-flag - - The control-flag is used to indicate how the PAM library will react to the success or failure of the - module it is associated with. Since modules can be stacked (modules of the same type execute in series, - one after another), the control-flags determine the relative importance of each module. The application - is not made aware of the individual success or failure of modules listed in the - /etc/pam.conf file. Instead, it receives a summary success or fail response from - the Linux-PAM library. The order of execution of these modules is that of the entries in the - /etc/pam.conf file; earlier entries are executed before later ones. - As of Linux-PAM v0.60, this control-flag can be defined with one of two syntaxes. - - - - The simpler (and historical) syntax for the control-flag is a single keyword defined to indicate the - severity of concern associated with the success or failure of a specific module. There are four such - keywords: required, requisite, sufficient and optional. - - - - The Linux-PAM library interprets these keywords in the following manner: - - - - - required: This indicates that the success of the module is required for the - module-type facility to succeed. 
Failure of this module will not be apparent to the user until all - of the remaining modules (of the same module-type) have been executed. - - - - requisite: Like required, however, in the case that such a module returns a - failure, control is directly returned to the application. The return value is that associated with - the first required or requisite module to fail. This flag can be used to protect against the - possibility of a user getting the opportunity to enter a password over an unsafe medium. It is - conceivable that such behavior might inform an attacker of valid accounts on a system. This - possibility should be weighed against the not insignificant concerns of exposing a sensitive - password in a hostile environment. - - - - sufficient: The success of this module is deemed sufficient to satisfy - the Linux-PAM library that this module-type has succeeded in its purpose. In the event that no - previous required module has failed, no more stacked modules of this type are invoked. - (In this case, subsequent required modules are not invoked). A failure of this module is not deemed - as fatal to satisfying the application that this module-type has succeeded. - - - - optional: As its name suggests, this control-flag marks the module as not - being critical to the success or failure of the user's application for service. In general, - Linux-PAM ignores such a module when determining if the module stack will succeed or fail. - However, in the absence of any definite successes or failures of previous or subsequent stacked - modules, this module will determine the nature of the response to the application. One example of - this latter case, is when the other modules return something like PAM_IGNORE. - - - - - The more elaborate (newer) syntax is much more specific and gives the administrator a great deal of control - over how the user is authenticated. 
This form of the control flag is delimited with square brackets and - consists of a series of value=action tokens: - - - -[value1=action1 value2=action2 ...] - - - - Here, value1 is one of the following return values: - -success; open_err; symbol_err; service_err; system_err; buf_err; -perm_denied; auth_err; cred_insufficient; authinfo_unavail; -user_unknown; maxtries; new_authtok_reqd; acct_expired; session_err; -cred_unavail; cred_expired; cred_err; no_module_data; conv_err; -authtok_err; authtok_recover_err; authtok_lock_busy; -authtok_disable_aging; try_again; ignore; abort; authtok_expired; -module_unknown; bad_item; and default. - - - - - The last of these (default) can be used to set the action for those return values that are not explicitly defined. - - - - The action1 can be a positive integer or one of the following tokens: - ignore; ok; done; bad; die; and reset. - A positive integer, J, when specified as the action, can be used to indicate that the next J modules of the - current module-type will be skipped. In this way, the administrator can develop a moderately sophisticated - stack of modules with a number of different paths of execution. Which path is taken can be determined by the - reactions of individual modules. - - - - - ignore: When used with a stack of modules, the module's return status will not - contribute to the return code the application obtains. - - - - bad: This action indicates that the return code should be thought of as indicative - of the module failing. If this module is the first in the stack to fail, its status value will be used - for that of the whole stack. - - - - die: Equivalent to bad with the side effect of terminating the module stack and - PAM immediately returning to the application. - - - - ok: This tells PAM that the administrator thinks this return code should - contribute directly to the return code of the full stack of modules. 
In other words, if the former - state of the stack would lead to a return of PAM_SUCCESS, the module's return code will override - this value. Note, if the former state of the stack holds some value that is indicative of a modules - failure, this ok value will not be used to override that value. - - - - done: Equivalent to ok with the side effect of terminating the module stack and - PAM immediately returning to the application. - - - - reset: Clears all memory of the state of the module stack and starts again with - the next stacked module. - - - - - Each of the four keywords: required; requisite; sufficient; and optional, - have an equivalent expression in terms of the [...] syntax. They are as follows: - - - - - - required is equivalent to [success=ok new_authtok_reqd=ok ignore=ignore default=bad]. - - - - requisite is equivalent to [success=ok new_authtok_reqd=ok ignore=ignore default=die]. - - - - sufficient is equivalent to [success=done new_authtok_reqd=done default=ignore]. - - - - optional is equivalent to [success=ok new_authtok_reqd=ok default=ignore]. - - - - - - Just to get a feel for the power of this new syntax, here is a taste of what you can do with it. With Linux-PAM-0.63, - the notion of client plug-in agents was introduced. This is something that makes it possible for PAM to support - machine-machine authentication using the transport protocol inherent to the client/server application. With the - [ ... value=action ... ] control syntax, it is possible for an application to be configured - to support binary prompts with compliant clients, but to gracefully fall over into an alternative authentication - mode for older, legacy applications. - - - - - module-path - - The path-name of the dynamically loadable object file; the pluggable module itself. If the first character of the - module path is /, it is assumed to be a complete path. 
If this is not the case, the given module path is appended - to the default module path: /lib/security (but see the notes above). - - - - The arguments are a list of tokens that are passed to the module when it is invoked, much like arguments to a typical - Linux shell command. Generally, valid arguments are optional and are specific to any given module. Invalid arguments - are ignored by a module, however, when encountering an invalid argument, the module is required to write an error - to syslog(3). For a list of generic options, see the next section. - - - - If you wish to include spaces in an argument, you should surround that argument with square brackets. For example: - - - -squid auth required pam_mysql.so user=passwd_query passwd=mada \ -db=eminence [query=select user_name from internet_service where \ -user_name=%u and password=PASSWORD(%p) and service=web_proxy] - - - - When using this convention, you can include [ characters inside the string, and if you wish to have a ] - character inside the string that will survive the argument parsing, you should use \[. In other words: - - - -[..[..\]..] --> ..[..].. - - - - Any line in one of the configuration files that is not formatted correctly will generally tend (erring on the - side of caution) to make the authentication process fail. A corresponding error is written to the system log files - with a call to syslog(3). - - - - - - - - - - -Example System Configurations - - -The following is an example /etc/pam.d/login configuration file. -This example had all options uncommented and is probably not usable -because it stacks many conditions before allowing successful completion -of the login process. Essentially all conditions can be disabled -by commenting them out, except the calls to pam_pwdb.so. 
- - - -PAM: Original Login Config - - - - -#%PAM-1.0 -# The PAM configuration file for the login service -# -auth required pam_securetty.so -auth required pam_nologin.so -# auth required pam_dialup.so -# auth optional pam_mail.so -auth required pam_pwdb.so shadow md5 -# account requisite pam_time.so -account required pam_pwdb.so -session required pam_pwdb.so -# session optional pam_lastlog.so -# password required pam_cracklib.so retry=3 -password required pam_pwdb.so shadow md5 - - - - - - -PAM: Login Using <filename>pam_smbpass</filename> - - -PAM allows use of replaceable modules. Those available on a sample system include: - - -$/bin/ls /lib/security - -pam_access.so pam_ftp.so pam_limits.so -pam_ncp_auth.so pam_rhosts_auth.so pam_stress.so -pam_cracklib.so pam_group.so pam_listfile.so -pam_nologin.so pam_rootok.so pam_tally.so -pam_deny.so pam_issue.so pam_mail.so -pam_permit.so pam_securetty.so pam_time.so -pam_dialup.so pam_lastlog.so pam_mkhomedir.so -pam_pwdb.so pam_shells.so pam_unix.so -pam_env.so pam_ldap.so pam_motd.so -pam_radius.so pam_smbpass.so pam_unix_acct.so -pam_wheel.so pam_unix_auth.so pam_unix_passwd.so -pam_userdb.so pam_warn.so pam_unix_session.so - - - -The following example for the login program replaces the use of -the pam_pwdb.so module that uses the system -password database (/etc/passwd, -/etc/shadow, /etc/group) with -the module pam_smbpass.so, which uses the Samba -database which contains the Microsoft MD4 encrypted password -hashes. This database is stored in either -/usr/local/samba/private/smbpasswd, -/etc/samba/smbpasswd, or in -/etc/samba.d/smbpasswd, depending on the -Samba implementation for your UNIX/Linux system. The -pam_smbpass.so module is provided by -Samba version 2.2.1 or later. It can be compiled by specifying the - options when running Samba's -configure script. For more information -on the pam_smbpass module, see the documentation -in the source/pam_smbpass directory of the Samba -source distribution. 
- - - - - -#%PAM-1.0 -# The PAM configuration file for the login service -# -auth required pam_smbpass.so nodelay -account required pam_smbpass.so nodelay -session required pam_smbpass.so nodelay -password required pam_smbpass.so nodelay - - - -The following is the PAM configuration file for a particular -Linux system. The default condition uses pam_pwdb.so. - - - - - -#%PAM-1.0 -# The PAM configuration file for the samba service -# -auth required pam_pwdb.so nullok nodelay shadow audit -account required pam_pwdb.so audit nodelay -session required pam_pwdb.so nodelay -password required pam_pwdb.so shadow md5 - - - -In the following example, the decision has been made to use the -smbpasswd database even for basic Samba authentication. Such a -decision could also be made for the passwd program and would -thus allow the smbpasswd passwords to be changed using the -passwd program: - - - - -#%PAM-1.0 -# The PAM configuration file for the samba service -# -auth required pam_smbpass.so nodelay -account required pam_pwdb.so audit nodelay -session required pam_pwdb.so nodelay -password required pam_smbpass.so nodelay smbconf=/etc/samba.d/smb.conf - - - -PAM allows stacking of authentication mechanisms. It is -also possible to pass information obtained within one PAM module through -to the next module in the PAM stack. Please refer to the documentation for -your particular system implementation for details regarding the specific -capabilities of PAM in this environment. Some Linux implementations also -provide the pam_stack.so module that allows all -authentication to be configured in a single central file. The -pam_stack.so method has some devoted followers -on the basis that it allows for easier administration. As with all issues in -life though, every decision makes trade-offs, so you may want to examine the -PAM documentation for further helpful information. - - - - - - - -&smb.conf; PAM Configuration - - - There is an option in &smb.conf; called obey pam restrictions. 
-The following is from the online help for this option in SWAT; - - - -When Samba is configured to enable PAM support (i.e., ), this parameter will -control whether or not Samba should obey PAM's account and session management directives. The default behavior -is to use PAM for clear-text authentication only and to ignore any account or session management. Samba always -ignores PAM for authentication in the case of encrypt passwordsyes. -The reason is that PAM modules cannot support the challenge/response authentication mechanism needed in the presence of SMB -password encryption. - - -Default: obey pam restrictionsno - - - - -Remote CIFS Authentication Using <filename>winbindd.so</filename> - - -All operating systems depend on the provision of users credentials acceptable to the platform. -UNIX requires the provision of a user identifier (UID) as well as a group identifier (GID). -These are both simple integer type numbers that are obtained from a password backend such -as /etc/passwd. - - - -Users and groups on a Windows NT server are assigned a relative ID (RID) which is unique for -the domain when the user or group is created. To convert the Windows NT user or group into -a UNIX user or group, a mapping between RIDs and UNIX user and group IDs is required. This -is one of the jobs that winbind performs. - - - -As Winbind users and groups are resolved from a server, user and group IDs are allocated -from a specified range. This is done on a first come, first served basis, although all -existing users and groups will be mapped as soon as a client performs a user or group -enumeration command. The allocated UNIX IDs are stored in a database file under the Samba -lock directory and will be remembered. 
-
-
-
-The astute administrator will realize from this that the combination of pam_smbpass.so,
-winbindd and a distributed passdb backend,
-such as ldap, will allow the establishment of a centrally managed, distributed user/password
-database that can also be used by all PAM-aware (e.g., Linux) programs and applications. This arrangement can have
-particularly potent advantages compared with the use of Microsoft Active Directory Service (ADS) in so far as
-the reduction of wide area network authentication traffic.
-
-
-
-The RID to UNIX ID database is the only location where the user and group mappings are
-stored by winbindd. If this file is deleted or corrupted, there is no way for winbindd
-to determine which user and group IDs correspond to Windows NT user and group RIDs.
-
-
-
-
-
-Password Synchronization Using <filename>pam_smbpass.so</filename>
-
-
-pam_smbpass is a PAM module that can be used on conforming systems to
-keep the smbpasswd (Samba password) database in sync with the UNIX
-password file. PAM (Pluggable Authentication Modules) is an API supported
-under some UNIX operating systems, such as Solaris, HPUX and Linux, that provides a
-generic interface to authentication mechanisms.
-
-
-
-This module authenticates a local smbpasswd user database. If you require
-support for authenticating against a remote SMB server, or if you are
-concerned about the presence of SUID root binaries on your system, it is
-recommended that you use pam_winbind instead.
-
-
-
-Options recognized by this module are shown in next table.
-
- Options recognized by <parameter>pam_smbpass</parameter>
-
-
-
-
- debuglog more debugging info.
- auditlike debug, but also logs unknown usernames.
- use_first_passdo not prompt the user for passwords; take them from PAM_ items instead.
- try_first_passtry to get the password from a previous PAM module fall back to prompting the user.
- use_authtok
- like try_first_pass, but *fail* if the new PAM_AUTHTOK has not been previously set (intended for stacking password modules only).
- not_set_passdo not make passwords used by this module available to other modules.
- nodelaydo not insert ~1 second delays on authentication failure.
- nulloknull passwords are allowed.
- nonullnull passwords are not allowed. Used to override the Samba configuration.
- migrateonly meaningful in an auth context; used to update smbpasswd file with a password used for successful authentication.
- smbconf=filespecify an alternate path to the &smb.conf; file.
-
-
-
-
-
-
-The following are examples of the use of pam_smbpass.so in the format of Linux
-/etc/pam.d/ files structure. Those wishing to implement this
-tool on other platforms will need to adapt this appropriately.
-
-
-
-Password Synchronization Configuration
-
-
-A sample PAM configuration that shows the use of pam_smbpass to make
-sure private/smbpasswd is kept in sync when /etc/passwd (/etc/shadow)
-is changed. Useful when an expired password might be changed by an
-application (such as ssh).
-
-
-
-
-
-#%PAM-1.0
-# password-sync
-#
-auth requisite pam_nologin.so
-auth required pam_unix.so
-account required pam_unix.so
-password requisite pam_cracklib.so retry=3
-password requisite pam_unix.so shadow md5 use_authtok try_first_pass
-password required pam_smbpass.so nullok use_authtok try_first_pass
-session required pam_unix.so
-
-
-
-
-Password Migration Configuration
-
-
-A sample PAM configuration that shows the use of pam_smbpass to migrate
-from plaintext to encrypted passwords for Samba. Unlike other methods,
-this can be used for users who have never connected to Samba shares:
-password migration takes place when users ftp in, login using ssh, pop
-their mail, and so on.
-
-
-
-
-#%PAM-1.0
-# password-migration
-#
-auth requisite pam_nologin.so
-# pam_smbpass is called IF pam_unix succeeds.
-auth requisite pam_unix.so
-auth optional pam_smbpass.so migrate
-account required pam_unix.so
-password requisite pam_cracklib.so retry=3
-password requisite pam_unix.so shadow md5 use_authtok try_first_pass
-password optional pam_smbpass.so nullok use_authtok try_first_pass
-session required pam_unix.so
-
-
-
-
-Mature Password Configuration
-
-
-A sample PAM configuration for a mature smbpasswd installation.
-private/smbpasswd is fully populated, and we consider it an error if
-the SMB password does not exist or does not match the UNIX password.
-
-
-
-
-#%PAM-1.0
-# password-mature
-#
-auth requisite pam_nologin.so
-auth required pam_unix.so
-account required pam_unix.so
-password requisite pam_cracklib.so retry=3
-password requisite pam_unix.so shadow md5 use_authtok try_first_pass
-password required pam_smbpass.so use_authtok use_first_pass
-session required pam_unix.so
-
-
-
-
-Kerberos Password Integration Configuration
-
-
-A sample PAM configuration that shows pam_smbpass used together with
-pam_krb5. This could be useful on a Samba PDC that is also a member of
-a Kerberos realm.
-
-
-
-
-#%PAM-1.0
-# kdc-pdc
-#
-auth requisite pam_nologin.so
-auth requisite pam_krb5.so
-auth optional pam_smbpass.so migrate
-account required pam_krb5.so
-password requisite pam_cracklib.so retry=3
-password optional pam_smbpass.so nullok use_authtok try_first_pass
-password required pam_krb5.so use_authtok try_first_pass
-session required pam_krb5.so
-
-
-
-
-
- -
- - -Common Errors - - -PAM can be fickle and sensitive to configuration glitches. Here we look at a few cases from -the Samba mailing list. - - - - - pam_winbind Problem - - - A user reported: I have the following PAM configuration: - - - - - -auth required /lib/security/pam_securetty.so -auth sufficient /lib/security/pam_winbind.so -auth sufficient /lib/security/pam_unix.so use_first_pass nullok -auth required /lib/security/pam_stack.so service=system-auth -auth required /lib/security/pam_nologin.so -account required /lib/security/pam_stack.so service=system-auth -account required /lib/security/pam_winbind.so -password required /lib/security/pam_stack.so service=system-auth - - - - - When I open a new console with [ctrl][alt][F1], I can't log in with my user pitie. - I have tried with user scienceu+pitie also. - - - - Answer: The problem may lie with your inclusion of pam_stack.so - service=system-auth. That file often contains a lot of stuff that may - duplicate what you are already doing. Try commenting out the pam_stack lines - for auth and account and see if things work. If they do, look at - /etc/pam.d/system-auth and copy only what you need from it into your - /etc/pam.d/login file. Alternately, if you want all services to use - Winbind, you can put the Winbind-specific stuff in /etc/pam.d/system-auth. - - - - - - Winbind Is Not Resolving Users and Groups - - - - My &smb.conf; file is correctly configured. I have specified - idmap uid12000, - and idmap gid3000-3500 - and winbind is running. When I do the following it all works fine. - - - - -&rootprompt;wbinfo -u -MIDEARTH+maryo -MIDEARTH+jackb -MIDEARTH+ameds -... -MIDEARTH+root - -&rootprompt;wbinfo -g -MIDEARTH+Domain Users -MIDEARTH+Domain Admins -MIDEARTH+Domain Guests -... -MIDEARTH+Accounts - -&rootprompt;getent passwd -root:x:0:0:root:/root:/bin/bash -bin:x:1:1:bin:/bin:/bin/bash -... 
-maryo:x:15000:15003:Mary Orville:/home/MIDEARTH/maryo:/bin/false
-
-
-
-
- But this command fails:
-
-
-&rootprompt;chown maryo a_file
-chown: 'maryo': invalid user
-
- This is driving me nuts! What can be wrong?
-
-
-
- Answer: Your system is likely running nscd, the name service
- caching daemon. Shut it down, do not restart it! You will find your problem resolved.
-
-
-
-
-
-
diff --git a/docs/howto/PAM.xml b/docs/howto/PAM.xml
new file mode 100644
index 0000000000..7e5911bb19
--- /dev/null
+++ b/docs/howto/PAM.xml
@@ -0,0 +1,939 @@
+
+
+ &author.jht;
+
+ StephenLangasek
+
+
vorlon@netexpress.net
+
+
+ May 31, 2003
+
+
+PAM-Based Distributed Authentication
+
+
+This chapter should help you to deploy Winbind-based authentication on any PAM-enabled
+UNIX/Linux system. Winbind can be used to enable User-Level application access authentication
+from any MS Windows NT Domain, MS Windows 200x Active Directory-based
+domain, or any Samba-based domain environment. It will also help you to configure PAM-based local host access
+controls that are appropriate to your Samba configuration.
+
+
+
+In addition to knowing how to configure Winbind into PAM, you will learn generic PAM management
+possibilities and in particular how to deploy tools like pam_smbpass.so to your advantage.
+
+
+
+The use of Winbind requires more than PAM configuration alone.
+Please refer to Winbind: Use of Domain Accounts, for further information regarding Winbind.
+
+
+
+Features and Benefits
+
+
+A number of UNIX systems (e.g., Sun Solaris), as well as the xxxxBSD family and Linux,
+now utilize the Pluggable Authentication Modules (PAM) facility to provide all authentication,
+authorization and resource control services. Prior to the introduction of PAM, a decision
+to use an alternative to the system password database (/etc/passwd)
+would require the provision of alternatives for all programs that provide security services.
+Such a choice would involve provision of alternatives to programs such as: login,
+passwd, chown, and so on.
+
+
+
+PAM provides a mechanism that disconnects these security programs from the underlying
+authentication/authorization infrastructure. PAM is configured by making appropriate modifications to one file
+/etc/pam.conf (Solaris), or by editing individual control files that are
+located in /etc/pam.d.
+
+
+
+On PAM-enabled UNIX/Linux systems, it is an easy matter to configure the system to use any
+authentication backend so long as the appropriate dynamically loadable library modules
+are available for it.
The backend may be local to the system, or may be centralized on a
+remote server.
+
+
+
+PAM support modules are available for:
+
+
+
+ /etc/passwd
+
+ There are several PAM modules that interact with this standard UNIX user
+ database. The most common are called: pam_unix.so, pam_unix2.so, pam_pwdb.so
+ and pam_userdb.so.
+
+
+
+ Kerberos
+
+ The pam_krb5.so module allows the use of any Kerberos compliant server.
+ This tool is used to access MIT Kerberos, Heimdal Kerberos, and potentially
+ Microsoft Active Directory (if enabled).
+
+
+
+ LDAP
+
+ The pam_ldap.so module allows the use of any LDAP v2 or v3 compatible backend
+ server. Commonly used LDAP backend servers include: OpenLDAP v2.0 and v2.1,
+ Sun ONE iDentity server, Novell eDirectory server, Microsoft Active Directory.
+
+
+
+ NetWare Bindery
+
+ The pam_ncp_auth.so module allows authentication off any bindery-enabled
+ NetWare Core Protocol-based server.
+
+
+
+ SMB Password
+
+ This module, called pam_smbpass.so, will allow user authentication off
+ the passdb backend that is configured in the Samba &smb.conf; file.
+
+
+
+ SMB Server
+
+ The pam_smb_auth.so module is the original MS Windows networking authentication
+ tool. This module has been somewhat outdated by the Winbind module.
+
+
+
+ Winbind
+
+ The pam_winbind.so module allows Samba to obtain authentication from any
+ MS Windows Domain Controller. It can just as easily be used to authenticate
+ users for access to any PAM-enabled application.
+
+
+
+ RADIUS
+
+ There is a PAM RADIUS (Remote Access Dial-In User Service) authentication
+ module. In most cases, administrators will need to locate the source code
+ for this tool and compile and install it themselves. RADIUS protocols are
+ used by many routers and terminal servers.
+
+
+
+
+
+Of the above, Samba provides the pam_smbpasswd.so and the pam_winbind.so modules alone.
+
+
+
+Once configured, these permit a remarkable level of flexibility in the location and use
+of distributed Samba Domain Controllers that can provide wide area network bandwidth
+efficient authentication services for PAM-capable systems. In effect, this allows the
+deployment of centrally managed and maintained distributed authentication from a
+single-user account database.
+
+
+
+
+
+Technical Discussion
+
+
+PAM is designed to provide the system administrator with a great deal of flexibility in
+configuration of the privilege granting applications of their system. The local
+configuration of system security controlled by PAM is contained in one of two places:
+either the single system file, /etc/pam.conf, or the
+/etc/pam.d/ directory.
+
+
+
+PAM Configuration Syntax
+
+
+In this section we discuss the correct syntax of and generic options respected by entries to these files.
+PAM-specific tokens in the configuration file are case insensitive. The module paths, however, are case
+sensitive since they indicate a file's name and reflect the case
+dependence of typical file systems.
+The case-sensitivity of the arguments to any given module is defined for each module in turn.
+
+
+
+In addition to the lines described below, there are two special characters provided for the convenience
+of the system administrator: comments are preceded by a # and extend to the next end-of-line; also,
+module specification lines may be extended with a \ escaped newline.
+
+
+
+If the PAM authentication module (loadable link library file) is located in the
+default location, then it is not necessary to specify the path. In the case of
+Linux, the default location is /lib/security.
If the module
+is located outside the default, then the path must be specified as:
+
+
+
+
+auth required /other_path/pam_strange_module.so
+
+
+
+
+Anatomy of <filename>/etc/pam.d</filename> Entries
+
+
+The remaining information in this subsection was taken from the documentation of the Linux-PAM
+project. For more information on PAM, see
+The Official Linux-PAM home page.
+
+
+
+A general configuration line of the /etc/pam.conf file has the following form:
+
+
+
+
+service-name module-type control-flag module-path args
+
+
+
+
+Below, we explain the meaning of each of these tokens. The second (and more recently adopted)
+way of configuring Linux-PAM is via the contents of the /etc/pam.d/ directory.
+Once we have explained the meaning of the above tokens, we will describe this method.
+
+
+
+ service-name
+
+ The name of the service associated with this entry. Frequently, the service name is the conventional
+ name of the given application. For example, ftpd, rlogind and
+ su, and so on.
+
+
+
+ There is a special service-name reserved for defining a default authentication mechanism. It has
+ the name OTHER and may be specified in either lower- or upper-case characters.
+ Note, when there is a module specified for a named service, the OTHER
+ entries are ignored.
+
+
+
+
+ module-type
+
+ One of (currently) four types of module. The four types are as follows:
+
+
+
+
+ auth: This module type provides two aspects of authenticating the user.
+ It establishes that the user is who he claims to be by instructing the application
+ to prompt the user for a password or other means of identification. Secondly, the module can
+ grant group membership (independently of the /etc/groups file discussed
+ above) or other privileges through its credential granting properties.
+
+
+
+ account: This module performs non-authentication-based account management.
+ It is typically used to restrict/permit access to a service based on the time of day, currently
+ available system resources (maximum number of users) or perhaps the location of the applicant
+ user root login only on the console.
+
+
+
+ session: Primarily, this module is associated with doing things that need
+ to be done for the user before and after they can be given service. Such things include the logging
+ of information concerning the opening and closing of some data exchange with a user, mounting
+ directories, and so on.
+
+
+
+ password: This last module type is required for updating the authentication
+ token associated with the user. Typically, there is one module for each challenge/response
+ -based authentication (auth) module type.
+
+
+
+
+
+ control-flag
+
+ The control-flag is used to indicate how the PAM library will react to the success or failure of the
+ module it is associated with. Since modules can be stacked (modules of the same type execute in series,
+ one after another), the control-flags determine the relative importance of each module. The application
+ is not made aware of the individual success or failure of modules listed in the
+ /etc/pam.conf file. Instead, it receives a summary success or fail response from
+ the Linux-PAM library. The order of execution of these modules is that of the entries in the
+ /etc/pam.conf file; earlier entries are executed before later ones.
+ As of Linux-PAM v0.60, this control-flag can be defined with one of two syntaxes.
+
+
+
+ The simpler (and historical) syntax for the control-flag is a single keyword defined to indicate the
+ severity of concern associated with the success or failure of a specific module. There are four such
+ keywords: required, requisite, sufficient and optional.
+
+
+
+ The Linux-PAM library interprets these keywords in the following manner:
+
+
+
+
+ required: This indicates that the success of the module is required for the
+ module-type facility to succeed.
Failure of this module will not be apparent to the user until all
+ of the remaining modules (of the same module-type) have been executed.
+
+
+
+ requisite: Like required, however, in the case that such a module returns a
+ failure, control is directly returned to the application. The return value is that associated with
+ the first required or requisite module to fail. This flag can be used to protect against the
+ possibility of a user getting the opportunity to enter a password over an unsafe medium. It is
+ conceivable that such behavior might inform an attacker of valid accounts on a system. This
+ possibility should be weighed against the not insignificant concerns of exposing a sensitive
+ password in a hostile environment.
+
+
+
+ sufficient: The success of this module is deemed sufficient to satisfy
+ the Linux-PAM library that this module-type has succeeded in its purpose. In the event that no
+ previous required module has failed, no more stacked modules of this type are invoked.
+ (In this case, subsequent required modules are not invoked). A failure of this module is not deemed
+ as fatal to satisfying the application that this module-type has succeeded.
+
+
+
+ optional: As its name suggests, this control-flag marks the module as not
+ being critical to the success or failure of the user's application for service. In general,
+ Linux-PAM ignores such a module when determining if the module stack will succeed or fail.
+ However, in the absence of any definite successes or failures of previous or subsequent stacked
+ modules, this module will determine the nature of the response to the application. One example of
+ this latter case, is when the other modules return something like PAM_IGNORE.
+
+
+
+
+ The more elaborate (newer) syntax is much more specific and gives the administrator a great deal of control
+ over how the user is authenticated.
This form of the control flag is delimited with square brackets and
+ consists of a series of value=action tokens:
+
+
+
+[value1=action1 value2=action2 ...]
+
+
+
+ Here, value1 is one of the following return values:
+
+success; open_err; symbol_err; service_err; system_err; buf_err;
+perm_denied; auth_err; cred_insufficient; authinfo_unavail;
+user_unknown; maxtries; new_authtok_reqd; acct_expired; session_err;
+cred_unavail; cred_expired; cred_err; no_module_data; conv_err;
+authtok_err; authtok_recover_err; authtok_lock_busy;
+authtok_disable_aging; try_again; ignore; abort; authtok_expired;
+module_unknown; bad_item; and default.
+
+
+
+
+ The last of these (default) can be used to set the action for those return values that are not explicitly defined.
+
+
+
+ The action1 can be a positive integer or one of the following tokens:
+ ignore; ok; done; bad; die; and reset.
+ A positive integer, J, when specified as the action, can be used to indicate that the next J modules of the
+ current module-type will be skipped. In this way, the administrator can develop a moderately sophisticated
+ stack of modules with a number of different paths of execution. Which path is taken can be determined by the
+ reactions of individual modules.
+
+
+
+
+ ignore: When used with a stack of modules, the module's return status will not
+ contribute to the return code the application obtains.
+
+
+
+ bad: This action indicates that the return code should be thought of as indicative
+ of the module failing. If this module is the first in the stack to fail, its status value will be used
+ for that of the whole stack.
+
+
+
+ die: Equivalent to bad with the side effect of terminating the module stack and
+ PAM immediately returning to the application.
+
+
+
+ ok: This tells PAM that the administrator thinks this return code should
+ contribute directly to the return code of the full stack of modules.
In other words, if the former
+ state of the stack would lead to a return of PAM_SUCCESS, the module's return code will override
+ this value. Note, if the former state of the stack holds some value that is indicative of a modules
+ failure, this ok value will not be used to override that value.
+
+
+
+ done: Equivalent to ok with the side effect of terminating the module stack and
+ PAM immediately returning to the application.
+
+
+
+ reset: Clears all memory of the state of the module stack and starts again with
+ the next stacked module.
+
+
+
+
+ Each of the four keywords: required; requisite; sufficient; and optional,
+ have an equivalent expression in terms of the [...] syntax. They are as follows:
+
+
+
+
+
+ required is equivalent to [success=ok new_authtok_reqd=ok ignore=ignore default=bad].
+
+
+
+ requisite is equivalent to [success=ok new_authtok_reqd=ok ignore=ignore default=die].
+
+
+
+ sufficient is equivalent to [success=done new_authtok_reqd=done default=ignore].
+
+
+
+ optional is equivalent to [success=ok new_authtok_reqd=ok default=ignore].
+
+
+
+
+
+ Just to get a feel for the power of this new syntax, here is a taste of what you can do with it. With Linux-PAM-0.63,
+ the notion of client plug-in agents was introduced. This is something that makes it possible for PAM to support
+ machine-machine authentication using the transport protocol inherent to the client/server application. With the
+ [ ... value=action ... ] control syntax, it is possible for an application to be configured
+ to support binary prompts with compliant clients, but to gracefully fall over into an alternative authentication
+ mode for older, legacy applications.
+
+
+
+
+ module-path
+
+ The path-name of the dynamically loadable object file; the pluggable module itself. If the first character of the
+ module path is /, it is assumed to be a complete path.
If this is not the case, the given module path is appended
+ to the default module path: /lib/security (but see the notes above).
+
+
+
+ The arguments are a list of tokens that are passed to the module when it is invoked, much like arguments to a typical
+ Linux shell command. Generally, valid arguments are optional and are specific to any given module. Invalid arguments
+ are ignored by a module, however, when encountering an invalid argument, the module is required to write an error
+ to syslog(3). For a list of generic options, see the next section.
+
+
+
+ If you wish to include spaces in an argument, you should surround that argument with square brackets. For example:
+
+
+
+squid auth required pam_mysql.so user=passwd_query passwd=mada \
+db=eminence [query=select user_name from internet_service where \
+user_name=%u and password=PASSWORD(%p) and service=web_proxy]
+
+
+
+ When using this convention, you can include [ characters inside the string, and if you wish to have a ]
+ character inside the string that will survive the argument parsing, you should use \[. In other words:
+
+
+
+[..[..\]..] --> ..[..]..
+
+
+
+ Any line in one of the configuration files that is not formatted correctly will generally tend (erring on the
+ side of caution) to make the authentication process fail. A corresponding error is written to the system log files
+ with a call to syslog(3).
+
+
+
+
+
+
+
+
+
+
+Example System Configurations
+
+
+The following is an example /etc/pam.d/login configuration file.
+This example had all options uncommented and is probably not usable
+because it stacks many conditions before allowing successful completion
+of the login process. Essentially all conditions can be disabled
+by commenting them out, except the calls to pam_pwdb.so.
+
+
+
+PAM: Original Login Config
+
+
+
+
+#%PAM-1.0
+# The PAM configuration file for the login service
+#
+auth required pam_securetty.so
+auth required pam_nologin.so
+# auth required pam_dialup.so
+# auth optional pam_mail.so
+auth required pam_pwdb.so shadow md5
+# account requisite pam_time.so
+account required pam_pwdb.so
+session required pam_pwdb.so
+# session optional pam_lastlog.so
+# password required pam_cracklib.so retry=3
+password required pam_pwdb.so shadow md5
+
+
+
+
+
+
+PAM: Login Using <filename>pam_smbpass</filename>
+
+
+PAM allows use of replaceable modules. Those available on a sample system include:
+
+
+$/bin/ls /lib/security
+
+pam_access.so pam_ftp.so pam_limits.so
+pam_ncp_auth.so pam_rhosts_auth.so pam_stress.so
+pam_cracklib.so pam_group.so pam_listfile.so
+pam_nologin.so pam_rootok.so pam_tally.so
+pam_deny.so pam_issue.so pam_mail.so
+pam_permit.so pam_securetty.so pam_time.so
+pam_dialup.so pam_lastlog.so pam_mkhomedir.so
+pam_pwdb.so pam_shells.so pam_unix.so
+pam_env.so pam_ldap.so pam_motd.so
+pam_radius.so pam_smbpass.so pam_unix_acct.so
+pam_wheel.so pam_unix_auth.so pam_unix_passwd.so
+pam_userdb.so pam_warn.so pam_unix_session.so
+
+
+
+The following example for the login program replaces the use of
+the pam_pwdb.so module that uses the system
+password database (/etc/passwd,
+/etc/shadow, /etc/group) with
+the module pam_smbpass.so, which uses the Samba
+database which contains the Microsoft MD4 encrypted password
+hashes. This database is stored in either
+/usr/local/samba/private/smbpasswd,
+/etc/samba/smbpasswd, or in
+/etc/samba.d/smbpasswd, depending on the
+Samba implementation for your UNIX/Linux system. The
+pam_smbpass.so module is provided by
+Samba version 2.2.1 or later. It can be compiled by specifying the
+ options when running Samba's
+configure script. For more information
+on the pam_smbpass module, see the documentation
+in the source/pam_smbpass directory of the Samba
+source distribution.
+
+
+
+
+
+#%PAM-1.0
+# The PAM configuration file for the login service
+#
+auth required pam_smbpass.so nodelay
+account required pam_smbpass.so nodelay
+session required pam_smbpass.so nodelay
+password required pam_smbpass.so nodelay
+
+
+
+The following is the PAM configuration file for a particular
+Linux system. The default condition uses pam_pwdb.so.
+
+
+
+
+
+#%PAM-1.0
+# The PAM configuration file for the samba service
+#
+auth required pam_pwdb.so nullok nodelay shadow audit
+account required pam_pwdb.so audit nodelay
+session required pam_pwdb.so nodelay
+password required pam_pwdb.so shadow md5
+
+
+
+In the following example, the decision has been made to use the
+smbpasswd database even for basic Samba authentication. Such a
+decision could also be made for the passwd program and would
+thus allow the smbpasswd passwords to be changed using the
+passwd program:
+
+
+
+
+#%PAM-1.0
+# The PAM configuration file for the samba service
+#
+auth required pam_smbpass.so nodelay
+account required pam_pwdb.so audit nodelay
+session required pam_pwdb.so nodelay
+password required pam_smbpass.so nodelay smbconf=/etc/samba.d/smb.conf
+
+
+
+PAM allows stacking of authentication mechanisms. It is
+also possible to pass information obtained within one PAM module through
+to the next module in the PAM stack. Please refer to the documentation for
+your particular system implementation for details regarding the specific
+capabilities of PAM in this environment. Some Linux implementations also
+provide the pam_stack.so module that allows all
+authentication to be configured in a single central file. The
+pam_stack.so method has some devoted followers
+on the basis that it allows for easier administration. As with all issues in
+life though, every decision makes trade-offs, so you may want to examine the
+PAM documentation for further helpful information.
+
+
+
+
+
+
+
+&smb.conf; PAM Configuration
+
+
+ There is an option in &smb.conf; called obey pam restrictions.
+The following is from the online help for this option in SWAT;
+
+
+
+When Samba is configured to enable PAM support (i.e., ), this parameter will
+control whether or not Samba should obey PAM's account and session management directives. The default behavior
+is to use PAM for clear-text authentication only and to ignore any account or session management. Samba always
+ignores PAM for authentication in the case of encrypt passwordsyes.
+The reason is that PAM modules cannot support the challenge/response authentication mechanism needed in the presence of SMB
+password encryption.
+
+
+Default: obey pam restrictionsno
+
+
+
+
+Remote CIFS Authentication Using <filename>winbindd.so</filename>
+
+
+All operating systems depend on the provision of users credentials acceptable to the platform.
+UNIX requires the provision of a user identifier (UID) as well as a group identifier (GID).
+These are both simple integer type numbers that are obtained from a password backend such
+as /etc/passwd.
+
+
+
+Users and groups on a Windows NT server are assigned a relative ID (RID) which is unique for
+the domain when the user or group is created. To convert the Windows NT user or group into
+a UNIX user or group, a mapping between RIDs and UNIX user and group IDs is required. This
+is one of the jobs that winbind performs.
+
+
+
+As Winbind users and groups are resolved from a server, user and group IDs are allocated
+from a specified range. This is done on a first come, first served basis, although all
+existing users and groups will be mapped as soon as a client performs a user or group
+enumeration command. The allocated UNIX IDs are stored in a database file under the Samba
+lock directory and will be remembered.
+
+
+
+The astute administrator will realize from this that the combination of pam_smbpass.so,
+winbindd and a distributed passdb backend,
+such as ldap, will allow the establishment of a centrally managed, distributed user/password
+database that can also be used by all PAM-aware (e.g., Linux) programs and applications. This arrangement can have
+particularly potent advantages compared with the use of Microsoft Active Directory Service (ADS) in so far as
+the reduction of wide area network authentication traffic.
+
+
+
+The RID to UNIX ID database is the only location where the user and group mappings are
+stored by winbindd. If this file is deleted or corrupted, there is no way for winbindd
+to determine which user and group IDs correspond to Windows NT user and group RIDs.
+
+
+
+
+
+Password Synchronization Using <filename>pam_smbpass.so</filename>
+
+
+pam_smbpass is a PAM module that can be used on conforming systems to
+keep the smbpasswd (Samba password) database in sync with the UNIX
+password file. PAM (Pluggable Authentication Modules) is an API supported
+under some UNIX operating systems, such as Solaris, HPUX and Linux, that provides a
+generic interface to authentication mechanisms.
+
+
+
+This module authenticates a local smbpasswd user database. If you require
+support for authenticating against a remote SMB server, or if you are
+concerned about the presence of SUID root binaries on your system, it is
+recommended that you use pam_winbind instead.
+
+
+
+Options recognized by this module are shown in next table.
+
+ Options recognized by <parameter>pam_smbpass</parameter>
+
+
+
+
+ debuglog more debugging info.
+ auditlike debug, but also logs unknown usernames.
+ use_first_passdo not prompt the user for passwords; take them from PAM_ items instead.
+ try_first_passtry to get the password from a previous PAM module fall back to prompting the user.
+ use_authtok + like try_first_pass, but *fail* if the new PAM_AUTHTOK has not been previously set (intended for stacking password modules only). + not_set_passdo not make passwords used by this module available to other modules. + nodelaydo not insert ~1 second delays on authentication failure. + nulloknull passwords are allowed. + nonullnull passwords are not allowed. Used to override the Samba configuration. + migrateonly meaningful in an auth context; used to update smbpasswd file with a password used for successful authentication. + smbconf=filespecify an alternate path to the &smb.conf; file. + + +
+
+ + +The following are examples of the use of pam_smbpass.so in the format of Linux +/etc/pam.d/ files structure. Those wishing to implement this +tool on other platforms will need to adapt this appropriately. + + + +Password Synchronization Configuration + + +A sample PAM configuration that shows the use of pam_smbpass to make +sure private/smbpasswd is kept in sync when /etc/passwd (/etc/shadow) +is changed. Useful when an expired password might be changed by an +application (such as ssh). + + + + + +#%PAM-1.0 +# password-sync +# +auth requisite pam_nologin.so +auth required pam_unix.so +account required pam_unix.so +password requisite pam_cracklib.so retry=3 +password requisite pam_unix.so shadow md5 use_authtok try_first_pass +password required pam_smbpass.so nullok use_authtok try_first_pass +session required pam_unix.so + + + + +Password Migration Configuration + + +A sample PAM configuration that shows the use of pam_smbpass to migrate +from plaintext to encrypted passwords for Samba. Unlike other methods, +this can be used for users who have never connected to Samba shares: +password migration takes place when users ftp in, login using ssh, pop +their mail, and so on. + + + + +#%PAM-1.0 +# password-migration +# +auth requisite pam_nologin.so +# pam_smbpass is called IF pam_unix succeeds. +auth requisite pam_unix.so +auth optional pam_smbpass.so migrate +account required pam_unix.so +password requisite pam_cracklib.so retry=3 +password requisite pam_unix.so shadow md5 use_authtok try_first_pass +password optional pam_smbpass.so nullok use_authtok try_first_pass +session required pam_unix.so + + + + +Mature Password Configuration + + +A sample PAM configuration for a mature smbpasswd installation. +private/smbpasswd is fully populated, and we consider it an error if +the SMB password does not exist or does not match the UNIX password. 
+ + + + +#%PAM-1.0 +# password-mature +# +auth requisite pam_nologin.so +auth required pam_unix.so +account required pam_unix.so +password requisite pam_cracklib.so retry=3 +password requisite pam_unix.so shadow md5 use_authtok try_first_pass +password required pam_smbpass.so use_authtok use_first_pass +session required pam_unix.so + + + + +Kerberos Password Integration Configuration + + +A sample PAM configuration that shows pam_smbpass used together with +pam_krb5. This could be useful on a Samba PDC that is also a member of +a Kerberos realm. + + + + +#%PAM-1.0 +# kdc-pdc +# +auth requisite pam_nologin.so +auth requisite pam_krb5.so +auth optional pam_smbpass.so migrate +account required pam_krb5.so +password requisite pam_cracklib.so retry=3 +password optional pam_smbpass.so nullok use_authtok try_first_pass +password required pam_krb5.so use_authtok try_first_pass +session required pam_krb5.so + + + + +
+ +
+ + +Common Errors + + +PAM can be fickle and sensitive to configuration glitches. Here we look at a few cases from +the Samba mailing list. + + + + + pam_winbind Problem + + + A user reported: I have the following PAM configuration: + + + + + +auth required /lib/security/pam_securetty.so +auth sufficient /lib/security/pam_winbind.so +auth sufficient /lib/security/pam_unix.so use_first_pass nullok +auth required /lib/security/pam_stack.so service=system-auth +auth required /lib/security/pam_nologin.so +account required /lib/security/pam_stack.so service=system-auth +account required /lib/security/pam_winbind.so +password required /lib/security/pam_stack.so service=system-auth + + + + + When I open a new console with [ctrl][alt][F1], I can't log in with my user pitie. + I have tried with user scienceu+pitie also. + + + + Answer: The problem may lie with your inclusion of pam_stack.so + service=system-auth. That file often contains a lot of stuff that may + duplicate what you are already doing. Try commenting out the pam_stack lines + for auth and account and see if things work. If they do, look at + /etc/pam.d/system-auth and copy only what you need from it into your + /etc/pam.d/login file. Alternately, if you want all services to use + Winbind, you can put the Winbind-specific stuff in /etc/pam.d/system-auth. + + + + + + Winbind Is Not Resolving Users and Groups + + + + My &smb.conf; file is correctly configured. I have specified + idmap uid12000, + and idmap gid3000-3500 + and winbind is running. When I do the following it all works fine. + + + + +&rootprompt;wbinfo -u +MIDEARTH+maryo +MIDEARTH+jackb +MIDEARTH+ameds +... +MIDEARTH+root + +&rootprompt;wbinfo -g +MIDEARTH+Domain Users +MIDEARTH+Domain Admins +MIDEARTH+Domain Guests +... +MIDEARTH+Accounts + +&rootprompt;getent passwd +root:x:0:0:root:/root:/bin/bash +bin:x:1:1:bin:/bin:/bin/bash +... 
+maryo:x:15000:15003:Mary Orville:/home/MIDEARTH/maryo:/bin/false + + + + + But this command fails: + + +&rootprompt;chown maryo a_file +chown: 'maryo': invalid user + + This is driving me nuts! What can be wrong? + + + + Answer: Your system is likely running nscd, the name service + caching daemon. Shut it down, do not restart it! You will find your problem resolved. + + + + + +
diff --git a/docs/howto/UNIX_INSTALL.xml b/docs/howto/UNIX_INSTALL.xml
deleted file mode 100644
index a4ba1c0aa7..0000000000
--- a/docs/howto/UNIX_INSTALL.xml
+++ /dev/null
@@ -1,379 +0,0 @@ - - - &author.tridge; - &author.jelmer; - &author.jht; - &author.kauer; - &author.danshearer; - - - - -How to Install and Test SAMBA - - - Obtaining and Installing Samba - - - Binary packages of Samba are included in almost any Linux or - UNIX distribution. There are also some packages available at - the Samba home-page. Refer to - the manual of your operating system for details on installing packages - for your specific operating system. - - - If you need to compile Samba from source, check - How to compile Samba chapter. - - - - - Configuring Samba (smb.conf) - - - Samba's configuration is stored in the &smb.conf; file, which - usually resides in /etc/samba/smb.conf - or /usr/local/samba/lib/smb.conf. You can either - edit this file yourself or do it using one of the many graphical - tools that are available, such as the Web-based interface SWAT, that - is included with Samba. - - - - Configuration file syntax - - The &smb.conf; file uses the same syntax as the various old - .ini files in Windows 3.1: Each file consists of various sections, - which are started by putting the section name between brackets ([]) - on a new line. Each contains zero or more key/value-pairs separated by an - equality sign (=). The file is just a plain-text file, so you can - open and edit it with your favorite editing tool. - - Each section in the &smb.conf; file represents a share - on the Samba server. The section global is special, since it - contains settings that apply to the whole Samba server and not - to one share in particular. - -Following example contains a very minimal &smb.conf;. - minimal configuration - - - - A minimal smb.conf - - [global] - workgroupWKG - netbios nameMYNAME - [share1] - path/tmp - - [share2] - path/my_shared_folder - commentSome random files - - - - - - Starting Samba - - - Samba essentially consists of two or three daemons. A daemon is a UNIX application that runs in the background and provides services. 
- An example of a service is the Apache Web server for which the daemon is called httpd. In the case of Samba there - are three daemons, two of which are needed as a minimum. - - - - The Samba server is made up of the following daemons: - - - - nmbd - - smbd - starting sambasmbd - This daemon handles all name registration and resolution requests. It is the primary vehicle involved - in network browsing. It handles all UDP based protocols. The nmbd daemon should - be the first command started as part of the Samba start-up process. - - - - smbd - - nmbd - starting sambanmbd - This daemon handles all TCP/IP based connection services for file and print based operations. It also - manages local authentication. It should be started immediately following the start-up of nmbd. - - - - winbindd - - winbindd - starting sambawinbindd - This daemon should be started when Samba is a member of a Windows NT4 or ADS Domain. IT is also needed when - Samba has trust relationships with another Domain. The winbindd daemon will check the - &smb.conf; file for the presence of the idmap uid and idmap gid - parameters. If they are not found winbindd will bail-out and refuse to start. - - - - - - When Samba has been packages by an operating system vendor the start-up process is typically a custom feature of its - integration into the platform as a whole. Please refer to your operating system platform administration manuals for - specific information pertaining to correct management of Samba start-up. - - - - - - Example Configuration - - - There are sample configuration files in the examples subdirectory in the - distribution. It is suggested you read them carefully so you can see how the options - go together in practice. See the man page for all the options. - It might be worthwhile to start out with the smb.conf.default - configuration file and adapt it to your needs. It contains plenty of - comments. 
- - - - The simplest useful configuration file would contain something like shown in - the next example. - - - - simple configuration - - Another simple smb.conf File -[global] -workgroup&example.workgroup; - -[homes] -guest okno -read onlyno - - - - - This will allow connections by anyone with an account on the server, using either - their login name or homes as the service name. - (Note: The workgroup that Samba should appear in must also be set. The default - workgroup name is WORKGROUP.) - - - - Make sure you put the &smb.conf; file in the correct place. - - - - For more information about security settings for the - [homes] share please refer to - Securing Samba chapter. - - - - Test Your Config File with <command>testparm</command> - - - It's important to validate the contents of the &smb.conf; file using the &testparm; program. - If testparm runs correctly, it will list the loaded services. If not, it will give an error message. - Make sure it runs correctly and that the services look reasonable before proceeding. Enter the command: - - - - &rootprompt; testparm /etc/samba/smb.conf - - - Testparm will parse your configuration file and report - any unknown parameters or incorrect syntax. - - - - - Always run testparm again whenever the &smb.conf; file is changed! - - - - - - - SWAT - - - swat - SWAT is a Web-based interface that can be used to facilitate the configuration of Samba. - SWAT might not be available in the Samba package that shipped with your platform, - but in a separate package. Please read the SWAT man page - on compiling, installing and configuring SWAT from source. - - - - To launch SWAT, just run your favorite Web browser and point it to - http://localhost:901/. - Replace localhost with the name of the computer on which - Samba is running if that is a different computer than your browser. 
- - - - SWAT can be used from a browser on any IP-connected machine, but be aware that connecting from a remote - machine leaves your connection open to password sniffing as passwords will be sent over the wire in the clear. - - - More information about SWAT can be found in corresponding chapter. - - - - - - - List Shares Available on the Server - - - To list shares that are available from the configured Samba server execute the - following command: - - - -&prompt;smbclient -L yourhostname - - - You should see a list of shares available on your server. If you do not, then - something is incorrectly configured. This method can also be used to see what shares - are available on other SMB servers, such as Windows 2000. - - If you choose user-level security you may find that Samba requests a password - before it will list the shares. See the smbclient man page for details. - You can force it to list the shares without a password by adding the option - to the command line. - - - - Connect with a UNIX Client - - - Enter the following command: - -&prompt;smbclient //yourhostname/aservice - - - Typically yourhostname is the name of the host on which &smbd; - has been installed. The aservice is any service that has been defined in the &smb.conf; - file. Try your user name if you just have a [homes] section in the &smb.conf; file. - - Example: If the UNIX host is called bambi and a valid login name - is fred, you would type: - - -&prompt;smbclient //bambi/fred - - - - - Connect from a Remote SMB Client - - Now that Samba is working correctly locally, you can try to - access it from other clients. Within a few minutes, the Samba host - should be listed in the Network Neighborhood on all Windows - clients of its subnet. Try browsing the server from another client - or 'mounting' it. - - Mounting disks from a DOS, Windows or OS/2 client can be done by running a command such as: - - -&dosprompt;net use d: \\servername\service - - - Try printing, e.g. 
- - - -&dosprompt;net use lpt1: \\servername\spoolservice - - - -&dosprompt;print filename - - - - - What If Things Don't Work? - - You might want to read The Samba Checklist. - If you are still stuck, refer to Analyzing and Solving Samba Problems chapter. - Samba has been successfully installed at thousands of sites worldwide. - It is unlikely that your particular problem is unique, so it might be - productive to perform an Internet search to see if someone else has encountered - your problem and has found a way to overcome it. - - - - -Common Errors - - -The following questions and issues are raised repeatedly on the Samba mailing list. - - - - Large Number of smbd Processes - - -Samba consists of three core programs: &nmbd;, &smbd;, and &winbindd;. &nmbd; is the name server message daemon, -&smbd; is the server message daemon, and &winbindd; is the daemon that handles communication with Domain Controllers. - - - -If Samba is not running as a WINS server, then there will be one single instance of - &nmbd; running on your system. If it is running as a WINS server then there will be -two instances &smbmdash; one to handle the WINS requests. - - - -&smbd; handles all connection requests. It spawns a new process for each client -connection made. That is why you may see so many of them, one per client connection. - - - -&winbindd; will run as one or two daemons, depending on whether or not it is being -run in split mode (in which case there will be two instances). - - - - - - Error Message: open_oplock_ipc - - An error message is observed in the log files when &smbd; is started: open_oplock_ipc: Failed to get local UDP socket - for address 100007f. Error was Cannot assign requested. - - Your loopback device isn't working correctly. Make sure it is configured correctly. The loopback - device is an internal (virtual) network device with the IP address 127.0.0.1. - Read your OS documentation for details on how to configure the loopback on your system. 
- - - - - <quote><errorname>The network name cannot be found</errorname></quote> - - - This error can be caused by one of these mis-configurations: - - - - You specified an non-existing path - for the share in &smb.conf;. - - The user you are trying to access the share with does not - have sufficient permissions to access the path for - the share. Both read (r) and access (x) should be possible. - - The share you are trying to access does not exist. - - - - - - diff --git a/docs/xslt/docbook.xsl b/docs/xslt/docbook.xsl new file mode 100644 index 0000000000..1044b11791 --- /dev/null +++ b/docs/xslt/docbook.xsl @@ -0,0 +1,154 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ################################################################################ + XSLT stylesheets DocBook - LaTeX 2e + Reqs: LaTeX 2e installation common packages + ################################################################################ + RELEASE : + VERSION : + TAG : + WWW : http://db2latex.sourceforge.net + SUMMARY : http://www.sourceforge.net/projects/db2latex + AUTHOR : Ramon Casellas casellas@infres.enst.fr + AUTHOR : James Devenish j-devenish@users.sf.net + USING : + ################################################################################ + + + + + + + + + + + + + SAXON 6.4.X + + + SAXON 6.2.X + + + SAXON + + + XALAN + + + XALAN + + + libxslt/xsltproc + + + XT + + + UNKNOWN + + + + + + diff --git a/docs/xslt/expand-sambadoc.xsl b/docs/xslt/expand-sambadoc.xsl new file mode 100644 index 0000000000..2c9aa0a82a --- /dev/null +++ b/docs/xslt/expand-sambadoc.xsl 
@@ -0,0 +1,486 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Translation to + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + <!DOCTYPE PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" + "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [ + + <!ENTITY % globalentities SYSTEM 'global.ent'> %globalentities; + ]> + + + + + + + + + + + + + + + + + + + + + + + + + + + <?latex \hspace{1cm} ?> + + + + + = + + + + + + + + + + <?latex \hspace{1cm} ?> + + + # + + + + + + + + + + + + + + + + + + + + + + + + + + + none + + + + + + + = + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Warning: smbconfexample does not have title! + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + # + + + + + + + + + + + + + + + + + + + + + + + + + + latex + + + projdoc/imagefiles/ + + + + + + + + 50 + + + + 1 + + + + + + projdoc/imagefiles/.png + 50 + 1 + + + + + + + + + + + + + + + + + + + + + + + + + + + + # + + + + + + + + + + + + + + + + + + + + ( + + ) + + + + + + + + + + + + + + + + + Example: + + + + + = + + + + + + + + + + + + + + Default: + + + + + = + + + + + + + + + + + + + + + No default + + + + + + + + + + + + + + + + + + + preferred + + + + + + + + + + + + + + + + + + + + This parameter is a synonym for . + + + + + + + + + preferred + + + + + + + + + + + + + + + + + + + + + + + + ( + + ) + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/docs/xslt/extract-examples.xsl b/docs/xslt/extract-examples.xsl new file mode 100644 index 0000000000..f31e13eec6 --- /dev/null +++ b/docs/xslt/extract-examples.xsl @@ -0,0 +1,50 @@ + + + + + + + + + + + + + + + + + + examples/.conf + + + Writing + + for + + + + + + + + + + diff --git a/docs/xslt/figures/caution.eps b/docs/xslt/figures/caution.eps new file mode 100644 index 0000000000..0c10b371b1 --- /dev/null +++ b/docs/xslt/figures/caution.eps 
@@ -0,0 +1 @@ +%!PS-Adobe-2.0 EPSF-1.2 %%Title: Untitled-3 %%Creator: FreeHand 9.0 %%CreationDate: 2002/12/05 8:20 PM %%BoundingBox: 0 0 29 29 %%FHPathName:Untitled:FreeHand 9:English:Untitled-3 %ALDOriginalFile:Untitled:FreeHand 9:English:Untitled-3 %ALDBoundingBox: -2 -2 29 29 %%FHPageNum:1 %%DocumentSuppliedResources: procset Altsys_header 4 0 %%ColorUsage: Color %%DocumentProcessColors: Black %%EndComments %%BeginResource: procset Altsys_header 4 0 userdict begin /AltsysDict 300 dict def end AltsysDict begin /bdf{bind def}bind def /xdf{exch def}bdf /defed{where{pop true}{false}ifelse}bdf /ndf{1 index where{pop pop pop}{dup xcheck{bind}if def}ifelse}bdf /d{setdash}bdf /h{closepath}bdf /H{}bdf /J{setlinecap}bdf /j{setlinejoin}bdf /M{setmiterlimit}bdf /n{newpath}bdf /N{newpath}bdf /q{gsave}bdf /Q{grestore}bdf /w{setlinewidth}bdf /Xic{matrix invertmatrix concat}bdf /Xq{matrix currentmatrix mark}bdf /XQ{cleartomark setmatrix}bdf /sepdef{ dup where not { AltsysSepDict } if 3 1 roll exch put }bdf /st{settransfer}bdf /colorimage defed /_rci xdf /cntr 0 def /readbinarystring{ /cntr 0 def 2 copy readstring { { dup (\034) search { length exch pop exch dup length 0 ne { dup dup 0 get 32 sub 0 exch put /cntr cntr 1 add def } { pop 1 string dup 0 6 index read pop 32 sub put }ifelse 3 copy putinterval pop 1 add 1 index length 1 sub 1 index sub dup 0 le {pop pop exit}if getinterval } { pop exit } ifelse } loop }if cntr 0 gt { pop 2 copy dup length cntr sub cntr getinterval readbinarystring } if pop exch pop } bdf /_NXLevel2 defed { _NXLevel2 not { /colorimage where { userdict eq { /_rci false def } if } if } if } if /md defed{ md type /dicttype eq { /colorimage where { md eq { /_rci false def }if }if /settransfer where { md eq { /st systemdict /settransfer get def }if }if }if }if /setstrokeadjust defed { true setstrokeadjust /C{curveto}bdf /L{lineto}bdf /m{moveto}bdf } { /dr{transform .25 sub round .25 add exch .25 sub round .25 add exch itransform}bdf /C{dr curveto}bdf /L{dr 
lineto}bdf /m{dr moveto}bdf /setstrokeadjust{pop}bdf }ifelse /privrectpath { 4 -2 roll m dtransform round exch round exch idtransform 2 copy 0 lt exch 0 lt xor {dup 0 exch rlineto exch 0 rlineto neg 0 exch rlineto} {exch dup 0 rlineto exch 0 exch rlineto neg 0 rlineto} ifelse closepath }bdf /rectclip{newpath privrectpath clip newpath}def /rectfill{gsave newpath privrectpath fill grestore}def /rectstroke{gsave newpath privrectpath stroke grestore}def /_fonthacksave false def /currentpacking defed { /_bfh {/_fonthacksave currentpacking def false setpacking} bdf /_efh {_fonthacksave setpacking} bdf } { /_bfh {} bdf /_efh {} bdf }ifelse /packedarray{array astore readonly}ndf /` { false setoverprint /-save0- save def 5 index concat pop storerect left bottom width height rectclip pop /MMdict_count countdictstack def /MMop_count count 1 sub def userdict begin /showpage {} def 0 setgray 0 setlinecap 1 setlinewidth 0 setlinejoin 10 setmiterlimit [] 0 setdash newpath } bdf /currentpacking defed{true setpacking}if /min{2 copy gt{exch}if pop}bdf /max{2 copy lt{exch}if pop}bdf /xformfont { currentfont exch makefont setfont } bdf /fhnumcolors 1 statusdict begin /processcolors defed { pop processcolors } { /deviceinfo defed { deviceinfo /Colors known { pop deviceinfo /Colors get } if } if } ifelse end def /printerRes gsave matrix defaultmatrix setmatrix 72 72 dtransform abs exch abs max grestore def /graycalcs [ {Angle Frequency} {GrayAngle GrayFrequency} {0 Width Height matrix defaultmatrix idtransform dup mul exch dup mul add sqrt 72 exch div} {0 GrayWidth GrayHeight matrix defaultmatrix idtransform dup mul exch dup mul add sqrt 72 exch div} ] def /calcgraysteps { forcemaxsteps { maxsteps } { /currenthalftone defed {currenthalftone /dicttype eq}{false}ifelse { currenthalftone begin HalftoneType 4 le {graycalcs HalftoneType 1 sub get exec} { HalftoneType 5 eq { Default begin {graycalcs HalftoneType 1 sub get exec} end } {0 60} ifelse } ifelse end } { currentscreen pop exch } 
ifelse printerRes 300 max exch div exch 2 copy sin mul round dup mul 3 1 roll cos mul round dup mul add 1 add dup maxsteps gt {pop maxsteps} if dup minsteps lt {pop minsteps} if } ifelse } bdf /nextrelease defed { /languagelevel defed not { /framebuffer defed { 0 40 string framebuffer 9 1 roll 8 {pop} repeat dup 516 eq exch 520 eq or { /fhnumcolors 3 def /currentscreen {60 0 {pop pop 1}}bdf /calcgraysteps {maxsteps} bdf }if }if }if }if fhnumcolors 1 ne { /calcgraysteps {maxsteps} bdf } if /currentpagedevice defed { currentpagedevice /PreRenderingEnhance known { currentpagedevice /PreRenderingEnhance get { /calcgraysteps { forcemaxsteps {maxsteps} {256 maxsteps min} ifelse } def } if } if } if /gradfrequency 144 def printerRes 1000 lt { /gradfrequency 72 def } if /adjnumsteps { dup dtransform abs exch abs max printerRes div gradfrequency mul round 5 max min }bdf /goodsep { spots exch get 4 get dup sepname eq exch (_vc_Registration) eq or }bdf /BeginGradation defed {/bb{BeginGradation}bdf} {/bb{}bdf} ifelse /EndGradation defed {/eb{EndGradation}bdf} {/eb{}bdf} ifelse /bottom -0 def /delta -0 def /frac -0 def /height -0 def /left -0 def /numsteps1 -0 def /radius -0 def /right -0 def /top -0 def /width -0 def /xt -0 def /yt -0 def /df currentflat def /tempstr 1 string def /clipflatness currentflat def /inverted? 
0 currenttransfer exec .5 ge def /tc1 [0 0 0 1] def /tc2 [0 0 0 1] def /storerect{/top xdf /right xdf /bottom xdf /left xdf /width right left sub def /height top bottom sub def}bdf /concatprocs{ systemdict /packedarray known {dup type /packedarraytype eq 2 index type /packedarraytype eq or}{false}ifelse { /proc2 exch cvlit def /proc1 exch cvlit def proc1 aload pop proc2 aload pop proc1 length proc2 length add packedarray cvx } { /proc2 exch cvlit def /proc1 exch cvlit def /newproc proc1 length proc2 length add array def newproc 0 proc1 putinterval newproc proc1 length proc2 putinterval newproc cvx }ifelse }bdf /i{dup 0 eq {pop df dup} {dup} ifelse /clipflatness xdf setflat }bdf version cvr 38.0 le {/setrgbcolor{ currenttransfer exec 3 1 roll currenttransfer exec 3 1 roll currenttransfer exec 3 1 roll setrgbcolor}bdf}if /vms {/vmsv save def} bdf /vmr {vmsv restore} bdf /vmrs{vmsv restore /vmsv save def}bdf /eomode{ {/filler /eofill load def /clipper /eoclip load def} {/filler /fill load def /clipper /clip load def} ifelse }bdf /normtaper{}bdf /logtaper{9 mul 1 add log}bdf /CD{ /NF exch def { exch dup /FID ne 1 index/UniqueID ne and {exch NF 3 1 roll put} {pop pop} ifelse }forall NF }bdf /MN{ 1 index length /Len exch def dup length Len add string dup Len 4 -1 roll putinterval dup 0 4 -1 roll putinterval }bdf /RC{4 -1 roll /ourvec xdf 256 string cvs(|______)anchorsearch {1 index MN cvn/NewN exch def cvn findfont dup maxlength dict CD dup/FontName NewN put dup /Encoding ourvec put NewN exch definefont pop}{pop}ifelse}bdf /RF{ dup FontDirectory exch known {pop 3 -1 roll pop} {RC} ifelse }bdf /FF{dup 256 string cvs(|______)exch MN cvn dup FontDirectory exch known {exch pop findfont 3 -1 roll pop} {pop dup findfont dup maxlength dict CD dup dup /Encoding exch /Encoding get 256 array copy 7 -1 roll {3 -1 roll dup 4 -2 roll put}forall put definefont} ifelse}bdf /RCJ{4 -1 roll /ourvec xdf 256 string cvs (|______) anchorsearch {pop cvn dup FDFJ exch 1 index eq { _bfh findfont 
_efh dup maxlength dict CD dup /FontName 3 index put dup /Encoding ourvec put 1 index exch definefont pop } {exch pop} ifelse } {pop} ifelse }bdf /RFJ{ dup FontDirectory exch known {pop 3 -1 roll pop} {RCJ} ifelse }bdf /hasfont { /resourcestatus where { pop /Font resourcestatus { pop pop true } { false } ifelse } { dup FontDirectory exch known {pop true} { 256 string cvs (fonts/) exch MN status {pop pop pop pop true} {false} ifelse } ifelse } ifelse }bdf /FDFJ { dup hasfont not { pop /Ryumin-Light-83pv-RKSJ-H hasfont { /Ryumin-Light-83pv-RKSJ-H } { /Courier } ifelse } if }bdf /FFJ{ _bfh dup 256 string cvs (|______)exch MN cvn dup FontDirectory exch known { exch pop findfont 3 -1 roll pop } { pop FDFJ dup findfont dup maxlength dict CD dup dup /Encoding exch /Encoding get 256 array copy 7 -1 roll { 3 -1 roll dup 4 -2 roll put }forall put definefont } ifelse _efh }bdf /GS { dup hasfont { findfont exch makesetfont exch pop ts } { pop pop pop ts } ifelse } bdf /RCK{4 -1 roll /ourvec xdf 256 string cvs (|______) anchorsearch {pop cvn dup FDFK exch 1 index eq { _bfh findfont _efh dup maxlength dict CD dup /FontName 3 index put dup /Encoding ourvec put 1 index exch definefont pop } {exch pop} ifelse } {pop} ifelse }bdf /RFK{ dup FontDirectory exch known {pop 3 -1 roll pop} {RCK} ifelse }bdf /hasfont { /resourcestatus where { pop /Font resourcestatus { pop pop true } { false } ifelse } { dup FontDirectory exch known {pop true} { 256 string cvs (fonts/) exch MN status {pop pop pop pop true} {false} ifelse } ifelse } ifelse }bdf /FDFK { dup hasfont not { pop /JCsm hasfont { /JCsm } { /Courier } ifelse } if }bdf /FFK{ _bfh dup 256 string cvs (|______)exch MN cvn dup FontDirectory exch known { exch pop findfont 3 -1 roll pop } { pop FDFK dup findfont dup maxlength dict CD dup dup /Encoding exch /Encoding get 256 array copy 7 -1 roll { 3 -1 roll dup 4 -2 roll put }forall put definefont } ifelse _efh }bdf /RCTC{4 -1 roll /ourvec xdf 256 string cvs (|______) anchorsearch {pop cvn 
dup FDFTC exch 1 index eq { _bfh findfont _efh dup maxlength dict CD dup /FontName 3 index put dup /Encoding ourvec put 1 index exch definefont pop } {exch pop} ifelse } {pop} ifelse }bdf /RFTC{ dup FontDirectory exch known {pop 3 -1 roll pop} {RCTC} ifelse }bdf /FDFTC { dup hasfont not { pop /DFMing-Lt-HK-BF hasfont { /DFMing-Lt-HK-BF } { /Courier } ifelse } if }bdf /FFTC{ _bfh dup 256 string cvs (|______)exch MN cvn dup FontDirectory exch known { exch pop findfont 3 -1 roll pop } { pop FDFTC dup findfont dup maxlength dict CD dup dup /Encoding exch /Encoding get 256 array copy 7 -1 roll { 3 -1 roll dup 4 -2 roll put }forall put definefont } ifelse _efh }bdf /fps{ currentflat exch dup 0 le{pop 1}if { dup setflat 3 index stopped {1.3 mul dup 3 index gt{pop setflat pop pop stop}if} {exit} ifelse }loop pop setflat pop pop }bdf /fp{100 currentflat fps}bdf /clipper{clip}bdf /W{/clipper load 100 clipflatness dup setflat fps}bdf userdict begin /BDFontDict 29 dict def end BDFontDict begin /bu{}def /bn{}def /setTxMode{av 70 ge{pop}if pop}def /gm{m}def /show{pop}def /gr{pop}def /fnt{pop pop pop}def /fs{pop}def /fz{pop}def /lin{pop pop}def /:M {pop pop} def /sf {pop} def /S {pop} def /@b {pop pop pop pop pop pop pop pop} def /_bdsave /save load def /_bdrestore /restore load def /save { dup /fontsave eq {null} {_bdsave} ifelse } def /restore { dup null eq { pop } { _bdrestore } ifelse } def /fontsave null def end /MacVec 256 array def MacVec 0 /Helvetica findfont /Encoding get 0 128 getinterval putinterval MacVec 127 /DEL put MacVec 16#27 /quotesingle put MacVec 16#60 /grave put /NUL/SOH/STX/ETX/EOT/ENQ/ACK/BEL/BS/HT/LF/VT/FF/CR/SO/SI /DLE/DC1/DC2/DC3/DC4/NAK/SYN/ETB/CAN/EM/SUB/ESC/FS/GS/RS/US MacVec 0 32 getinterval astore pop /Adieresis/Aring/Ccedilla/Eacute/Ntilde/Odieresis/Udieresis/aacute /agrave/acircumflex/adieresis/atilde/aring/ccedilla/eacute/egrave /ecircumflex/edieresis/iacute/igrave/icircumflex/idieresis/ntilde/oacute 
/ograve/ocircumflex/odieresis/otilde/uacute/ugrave/ucircumflex/udieresis /dagger/degree/cent/sterling/section/bullet/paragraph/germandbls /registered/copyright/trademark/acute/dieresis/notequal/AE/Oslash /infinity/plusminus/lessequal/greaterequal/yen/mu/partialdiff/summation /product/pi/integral/ordfeminine/ordmasculine/Omega/ae/oslash /questiondown/exclamdown/logicalnot/radical/florin/approxequal/Delta/guillemotleft /guillemotright/ellipsis/nbspace/Agrave/Atilde/Otilde/OE/oe /endash/emdash/quotedblleft/quotedblright/quoteleft/quoteright/divide/lozenge /ydieresis/Ydieresis/fraction/currency/guilsinglleft/guilsinglright/fi/fl /daggerdbl/periodcentered/quotesinglbase/quotedblbase /perthousand/Acircumflex/Ecircumflex/Aacute /Edieresis/Egrave/Iacute/Icircumflex/Idieresis/Igrave/Oacute/Ocircumflex /apple/Ograve/Uacute/Ucircumflex/Ugrave/dotlessi/circumflex/tilde /macron/breve/dotaccent/ring/cedilla/hungarumlaut/ogonek/caron MacVec 128 128 getinterval astore pop /findheaderfont { /Helvetica findfont } def end %. AltsysDict %%EndResource %%EndProlog %%BeginSetup AltsysDict begin _bfh _efh end %. 
AltsysDict %%EndSetup AltsysDict begin /onlyk4{false}ndf /ccmyk{dup 5 -1 roll sub 0 max exch}ndf /cmyk2gray{ 4 -1 roll 0.3 mul 4 -1 roll 0.59 mul 4 -1 roll 0.11 mul add add add 1 min neg 1 add }bdf /setcmykcolor{1 exch sub ccmyk ccmyk ccmyk pop setrgbcolor}ndf /maxcolor { max max max } ndf /maxspot { pop } ndf /setcmykcoloroverprint{4{dup -1 eq{pop 0}if 4 1 roll}repeat setcmykcolor}ndf /findcmykcustomcolor{5 packedarray}ndf /setcustomcolor{exch aload pop pop 4{4 index mul 4 1 roll}repeat setcmykcolor pop}ndf /setseparationgray{setgray}ndf /setoverprint{pop}ndf /currentoverprint false ndf /cmykbufs2gray{ 0 1 2 index length 1 sub { 4 index 1 index get 0.3 mul 4 index 2 index get 0.59 mul 4 index 3 index get 0.11 mul 4 index 4 index get add add add cvi 255 min 255 exch sub 2 index 3 1 roll put }for 4 1 roll pop pop pop }bdf /colorimage{ pop pop [ 5 -1 roll/exec cvx 6 -1 roll/exec cvx 7 -1 roll/exec cvx 8 -1 roll/exec cvx /cmykbufs2gray cvx ]cvx image } %. version 47.1 on Linotronic of Postscript defines colorimage incorrectly (rgb model only) version cvr 47.1 le statusdict /product get (Lino) anchorsearch{pop pop true}{pop false}ifelse and{userdict begin bdf end}{ndf}ifelse fhnumcolors 1 ne {/yt save def} if /customcolorimage{ aload pop (_vc_Registration) eq { pop pop pop pop separationimage } { /ik xdf /iy xdf /im xdf /ic xdf ic im iy ik cmyk2gray /xt xdf currenttransfer {dup 1.0 exch sub xt mul add}concatprocs st image } ifelse }ndf fhnumcolors 1 ne {yt restore} if fhnumcolors 3 ne {/yt save def} if /customcolorimage{ aload pop (_vc_Registration) eq { pop pop pop pop separationimage } { /ik xdf /iy xdf /im xdf /ic xdf 1.0 dup ic ik add min sub 1.0 dup im ik add min sub 1.0 dup iy ik add min sub /ic xdf /iy xdf /im xdf currentcolortransfer 4 1 roll {dup 1.0 exch sub ic mul add}concatprocs 4 1 roll {dup 1.0 exch sub iy mul add}concatprocs 4 1 roll {dup 1.0 exch sub im mul add}concatprocs 4 1 roll setcolortransfer {/dummy xdf dummy}concatprocs{dummy}{dummy}true 3 
colorimage } ifelse }ndf fhnumcolors 3 ne {yt restore} if fhnumcolors 4 ne {/yt save def} if /customcolorimage{ aload pop (_vc_Registration) eq { pop pop pop pop separationimage } { /ik xdf /iy xdf /im xdf /ic xdf currentcolortransfer {1.0 exch sub ik mul ik sub 1 add}concatprocs 4 1 roll {1.0 exch sub iy mul iy sub 1 add}concatprocs 4 1 roll {1.0 exch sub im mul im sub 1 add}concatprocs 4 1 roll {1.0 exch sub ic mul ic sub 1 add}concatprocs 4 1 roll setcolortransfer {/dummy xdf dummy}concatprocs{dummy}{dummy}{dummy} true 4 colorimage } ifelse }ndf fhnumcolors 4 ne {yt restore} if /separationimage{image}ndf /spotascmyk false ndf /newcmykcustomcolor{6 packedarray}ndf /inkoverprint false ndf /setinkoverprint{pop}ndf /setspotcolor { spots exch get dup 4 get (_vc_Registration) eq {pop 1 exch sub setseparationgray} {0 5 getinterval exch setcustomcolor} ifelse }ndf /currentcolortransfer{currenttransfer dup dup dup}ndf /setcolortransfer{st pop pop pop}ndf /fas{}ndf /sas{}ndf /fhsetspreadsize{pop}ndf /filler{fill}bdf /F{gsave {filler}fp grestore}bdf /f{closepath F}bdf /S{gsave {stroke}fp grestore}bdf /s{closepath S}bdf userdict /islevel2 systemdict /languagelevel known dup { pop systemdict /languagelevel get 2 ge } if put islevel2 not { /currentcmykcolor { 0 0 0 1 currentgray sub } ndf } if /tc { gsave setcmykcolor currentcmykcolor grestore } bind def /testCMYKColorThrough { tc add add add 0 ne } bind def /fhiscomposite where not { userdict /fhiscomposite islevel2 { gsave 1 1 1 1 setcmykcolor currentcmykcolor grestore add add add 4 eq } { 1 0 0 0 testCMYKColorThrough 0 1 0 0 testCMYKColorThrough 0 0 1 0 testCMYKColorThrough 0 0 0 1 testCMYKColorThrough and and and } ifelse put } { pop } ifelse /bc4 [0 0 0 0] def /_lfp4 { 1 pop /yt xdf /xt xdf /ang xdf storerect /taperfcn xdf /k2 xdf /y2 xdf /m2 xdf /c2 xdf /k1 xdf /y1 xdf /m1 xdf /c1 xdf c1 c2 sub abs m1 m2 sub abs y1 y2 sub abs k1 k2 sub abs maxcolor calcgraysteps mul abs round height abs adjnumsteps dup 1 lt {pop 1} if 1 
sub /numsteps1 xdf currentflat mark currentflat clipflatness /delta top bottom sub numsteps1 1 add div def /right right left sub def /botsv top delta sub def { { W xt yt translate ang rotate xt neg yt neg translate dup setflat /bottom botsv def 0 1 numsteps1 { numsteps1 dup 0 eq {pop pop 0.5} {div} ifelse taperfcn /frac xdf bc4 0 c2 c1 sub frac mul c1 add put bc4 1 m2 m1 sub frac mul m1 add put bc4 2 y2 y1 sub frac mul y1 add put bc4 3 k2 k1 sub frac mul k1 add put bc4 vc 1 index setflat { mark {newpath left bottom right delta rectfill}stopped {cleartomark exch 1.3 mul dup setflat exch 2 copy gt{stop}if} {cleartomark exit}ifelse }loop /bottom bottom delta sub def }for } gsave stopped grestore {exch pop 2 index exch 1.3 mul dup 100 gt{cleartomark setflat stop}if} {exit}ifelse }loop cleartomark setflat }bdf /bcs [0 0] def /_lfs4 { /yt xdf /xt xdf /ang xdf storerect /taperfcn xdf /tint2 xdf /tint1 xdf bcs exch 1 exch put tint1 tint2 sub abs bcs 1 get maxspot calcgraysteps mul abs round height abs adjnumsteps dup 2 lt {pop 2} if 1 sub /numsteps1 xdf currentflat mark currentflat clipflatness /delta top bottom sub numsteps1 1 add div def /right right left sub def /botsv top delta sub def { { W xt yt translate ang rotate xt neg yt neg translate dup setflat /bottom botsv def 0 1 numsteps1 { numsteps1 div taperfcn /frac xdf bcs 0 1.0 tint2 tint1 sub frac mul tint1 add sub put bcs vc 1 index setflat { mark {newpath left bottom right delta rectfill}stopped {cleartomark exch 1.3 mul dup setflat exch 2 copy gt{stop}if} {cleartomark exit}ifelse }loop /bottom bottom delta sub def }for } gsave stopped grestore {exch pop 2 index exch 1.3 mul dup 100 gt{cleartomark setflat stop}if} {exit}ifelse }loop cleartomark setflat }bdf /_rfs6 { /tint2 xdf /tint1 xdf bcs exch 1 exch put /inrad xdf /radius xdf /yt xdf /xt xdf tint1 tint2 sub abs bcs 1 get maxspot calcgraysteps mul abs round radius inrad sub abs adjnumsteps dup 1 lt {pop 1} if 1 sub /numsteps1 xdf radius inrad sub numsteps1 dup 0 
eq {pop} {div} ifelse 2 div /halfstep xdf currentflat mark currentflat clipflatness { { dup setflat W 0 1 numsteps1 { dup /radindex xdf numsteps1 dup 0 eq {pop pop 0.5} {div} ifelse /frac xdf bcs 0 tint2 tint1 sub frac mul tint1 add put bcs vc 1 index setflat { newpath mark xt yt radius inrad sub 1 frac sub mul halfstep add inrad add 0 360 { arc radindex numsteps1 ne inrad 0 gt or { xt yt numsteps1 0 eq { inrad } { radindex 1 add numsteps1 div 1 exch sub radius inrad sub mul halfstep add inrad add }ifelse dup xt add yt moveto 360 0 arcn } if fill }stopped {cleartomark exch 1.3 mul dup setflat exch 2 copy gt{stop}if} {cleartomark exit}ifelse }loop }for } gsave stopped grestore {exch pop 2 index exch 1.3 mul dup 100 gt{cleartomark setflat stop}if} {exit}ifelse }loop cleartomark setflat }bdf /_rfp6 { 1 pop /k2 xdf /y2 xdf /m2 xdf /c2 xdf /k1 xdf /y1 xdf /m1 xdf /c1 xdf /inrad xdf /radius xdf /yt xdf /xt xdf c1 c2 sub abs m1 m2 sub abs y1 y2 sub abs k1 k2 sub abs maxcolor calcgraysteps mul abs round radius inrad sub abs adjnumsteps dup 1 lt {pop 1} if 1 sub /numsteps1 xdf radius inrad sub numsteps1 dup 0 eq {pop} {div} ifelse 2 div /halfstep xdf currentflat mark currentflat clipflatness { { dup setflat W 0 1 numsteps1 { dup /radindex xdf numsteps1 dup 0 eq {pop pop 0.5} {div} ifelse /frac xdf bc4 0 c2 c1 sub frac mul c1 add put bc4 1 m2 m1 sub frac mul m1 add put bc4 2 y2 y1 sub frac mul y1 add put bc4 3 k2 k1 sub frac mul k1 add put bc4 vc 1 index setflat { newpath mark xt yt radius inrad sub 1 frac sub mul halfstep add inrad add 0 360 { arc radindex numsteps1 ne inrad 0 gt or { xt yt numsteps1 0 eq { inrad } { radindex 1 add numsteps1 div 1 exch sub radius inrad sub mul halfstep add inrad add }ifelse dup xt add yt moveto 360 0 arcn } if fill }stopped {cleartomark exch 1.3 mul dup setflat exch 2 copy gt{stop}if} {cleartomark exit}ifelse }loop }for } gsave stopped grestore {exch pop 2 index exch 1.3 mul dup 100 gt{cleartomark setflat stop}if} {exit}ifelse }loop 
cleartomark setflat }bdf /lfp4{_lfp4}ndf /lfs4{_lfs4}ndf /rfs6{_rfs6}ndf /rfp6{_rfp6}ndf /cvc [0 0 0 1] def /vc{ AltsysDict /cvc 2 index put aload length dup 4 eq {pop dup -1 eq{pop setrgbcolor}{setcmykcolor}ifelse} {6 eq {sethexcolor} {setspotcolor} ifelse } ifelse }bdf 0 setseparationgray /imgr {1692.47 1570.59 1723.65 1601.77 } def /bleed 0 def /clpr {1692.47 1570.59 1723.65 1601.77 } def /xs 1 def /ys 1 def /botx 0 def /overlap 0 def /wdist 18 def 0 2 mul fhsetspreadsize 0 0 ne {/df 0 def /clipflatness 0 def} if /maxsteps 256 def /forcemaxsteps false def /minsteps 0 def userdict begin /AGDOrigMtx matrix currentmatrix def end vms -1694 -1572 translate /currentpacking defed{false setpacking}if /spots[ 1 0 0 0 (Process Cyan) false newcmykcustomcolor 0 1 0 0 (Process Magenta) false newcmykcustomcolor 0 0 1 0 (Process Yellow) false newcmykcustomcolor 0 0 0 1 (Process Black) false newcmykcustomcolor ]def n [] 0 d 3.863708 M 1 w 0 j 0 J false setoverprint 0 i false eomode [0 0 0 1]vc vms q [1 0 0 1 -249.981674 -586.867554] concat vms 1946.9506 2177.5114 m 1954.4907 2185.0516 L 1956.7047 2187.2656 1960.2943 2187.2656 1962.5083 2185.0516 C 1970.0485 2177.5114 L 1972.2625 2175.2974 1972.2625 2171.7078 1970.0485 2169.4938 C 1962.5083 2161.9537 L 1960.2943 2159.7396 1956.7047 2159.7396 1954.4907 2161.9537 C 1946.9506 2169.4938 L 1944.7365 2171.7078 1944.7365 2175.2974 1946.9506 2177.5114 C s n true eomode 1958.5469 2181.0039 m 1959.2148 2181.0039 1959.7012 2180.9296 1960.0059 2180.7813 C 1960.3142 2180.6326 1960.4684 2180.363 1960.4688 2179.9727 C 1960.4688 2179.7383 1960.3398 2178.8026 1960.082 2177.166 C 1959.0742 2170.4219 L 1958.9373 2170.3241 1958.7615 2170.2754 1958.5469 2170.2754 C 1958.3319 2170.2754 1958.1561 2170.3241 1958.0195 2170.4219 C 1957.0117 2177.166 L 1956.7539 2178.8026 1956.625 2179.7379 1956.625 2179.9727 C 1956.625 2180.363 1956.7792 2180.6326 1957.0879 2180.7813 C 1957.4003 2180.9296 1957.8866 2181.0035 1958.5469 2181.0039 C h 1958.5469 2165.166 m 
1958.0389 2165.166 1957.5878 2165.3499 1957.1934 2165.7168 C 1956.7986 2166.0837 1956.6016 2166.5485 1956.6016 2167.1113 C 1956.6016 2167.6698 1956.7891 2168.1404 1957.1641 2168.5234 C 1957.5427 2168.9102 1958.0038 2169.1035 1958.5469 2169.1035 C 1959.1094 2169.1035 1959.5741 2168.9043 1959.9414 2168.5059 C 1960.3083 2168.1074 1960.4918 2167.6423 1960.4922 2167.1113 C 1960.4922 2166.748 1960.4102 2166.4177 1960.2461 2166.1211 C 1960.082 2165.8241 1959.8513 2165.5916 1959.5547 2165.4238 C 1959.2577 2165.2521 1958.9219 2165.1664 1958.5469 2165.166 C true setoverprint f false setoverprint n vmr Q false eomode vmr vmr end %%Trailer \ No newline at end of file diff --git a/docs/xslt/figures/important.eps b/docs/xslt/figures/important.eps new file mode 100644 index 0000000000..0c10b371b1 --- /dev/null +++ b/docs/xslt/figures/important.eps 
@@ -0,0 +1 @@ +%!PS-Adobe-2.0 EPSF-1.2 %%Title: Untitled-3 %%Creator: FreeHand 9.0 %%CreationDate: 2002/12/05 8:20 PM %%BoundingBox: 0 0 29 29 %%FHPathName:Untitled:FreeHand 9:English:Untitled-3 %ALDOriginalFile:Untitled:FreeHand 9:English:Untitled-3 %ALDBoundingBox: -2 -2 29 29 %%FHPageNum:1 %%DocumentSuppliedResources: procset Altsys_header 4 0 %%ColorUsage: Color %%DocumentProcessColors: Black %%EndComments %%BeginResource: procset Altsys_header 4 0 userdict begin /AltsysDict 300 dict def end AltsysDict begin /bdf{bind def}bind def /xdf{exch def}bdf /defed{where{pop true}{false}ifelse}bdf /ndf{1 index where{pop pop pop}{dup xcheck{bind}if def}ifelse}bdf /d{setdash}bdf /h{closepath}bdf /H{}bdf /J{setlinecap}bdf /j{setlinejoin}bdf /M{setmiterlimit}bdf /n{newpath}bdf /N{newpath}bdf /q{gsave}bdf /Q{grestore}bdf /w{setlinewidth}bdf /Xic{matrix invertmatrix concat}bdf /Xq{matrix currentmatrix mark}bdf /XQ{cleartomark setmatrix}bdf /sepdef{ dup where not { AltsysSepDict } if 3 1 roll exch put }bdf /st{settransfer}bdf /colorimage defed /_rci xdf /cntr 0 def /readbinarystring{ /cntr 0 def 2 copy readstring { { dup (\034) search { length exch pop exch dup length 0 ne { dup dup 0 get 32 sub 0 exch put /cntr cntr 1 add def } { pop 1 string dup 0 6 index read pop 32 sub put }ifelse 3 copy putinterval pop 1 add 1 index length 1 sub 1 index sub dup 0 le {pop pop exit}if getinterval } { pop exit } ifelse } loop }if cntr 0 gt { pop 2 copy dup length cntr sub cntr getinterval readbinarystring } if pop exch pop } bdf /_NXLevel2 defed { _NXLevel2 not { /colorimage where { userdict eq { /_rci false def } if } if } if } if /md defed{ md type /dicttype eq { /colorimage where { md eq { /_rci false def }if }if /settransfer where { md eq { /st systemdict /settransfer get def }if }if }if }if /setstrokeadjust defed { true setstrokeadjust /C{curveto}bdf /L{lineto}bdf /m{moveto}bdf } { /dr{transform .25 sub round .25 add exch .25 sub round .25 add exch itransform}bdf /C{dr curveto}bdf /L{dr 
lineto}bdf /m{dr moveto}bdf /setstrokeadjust{pop}bdf }ifelse /privrectpath { 4 -2 roll m dtransform round exch round exch idtransform 2 copy 0 lt exch 0 lt xor {dup 0 exch rlineto exch 0 rlineto neg 0 exch rlineto} {exch dup 0 rlineto exch 0 exch rlineto neg 0 rlineto} ifelse closepath }bdf /rectclip{newpath privrectpath clip newpath}def /rectfill{gsave newpath privrectpath fill grestore}def /rectstroke{gsave newpath privrectpath stroke grestore}def /_fonthacksave false def /currentpacking defed { /_bfh {/_fonthacksave currentpacking def false setpacking} bdf /_efh {_fonthacksave setpacking} bdf } { /_bfh {} bdf /_efh {} bdf }ifelse /packedarray{array astore readonly}ndf /` { false setoverprint /-save0- save def 5 index concat pop storerect left bottom width height rectclip pop /MMdict_count countdictstack def /MMop_count count 1 sub def userdict begin /showpage {} def 0 setgray 0 setlinecap 1 setlinewidth 0 setlinejoin 10 setmiterlimit [] 0 setdash newpath } bdf /currentpacking defed{true setpacking}if /min{2 copy gt{exch}if pop}bdf /max{2 copy lt{exch}if pop}bdf /xformfont { currentfont exch makefont setfont } bdf /fhnumcolors 1 statusdict begin /processcolors defed { pop processcolors } { /deviceinfo defed { deviceinfo /Colors known { pop deviceinfo /Colors get } if } if } ifelse end def /printerRes gsave matrix defaultmatrix setmatrix 72 72 dtransform abs exch abs max grestore def /graycalcs [ {Angle Frequency} {GrayAngle GrayFrequency} {0 Width Height matrix defaultmatrix idtransform dup mul exch dup mul add sqrt 72 exch div} {0 GrayWidth GrayHeight matrix defaultmatrix idtransform dup mul exch dup mul add sqrt 72 exch div} ] def /calcgraysteps { forcemaxsteps { maxsteps } { /currenthalftone defed {currenthalftone /dicttype eq}{false}ifelse { currenthalftone begin HalftoneType 4 le {graycalcs HalftoneType 1 sub get exec} { HalftoneType 5 eq { Default begin {graycalcs HalftoneType 1 sub get exec} end } {0 60} ifelse } ifelse end } { currentscreen pop exch } 
ifelse printerRes 300 max exch div exch 2 copy sin mul round dup mul 3 1 roll cos mul round dup mul add 1 add dup maxsteps gt {pop maxsteps} if dup minsteps lt {pop minsteps} if } ifelse } bdf /nextrelease defed { /languagelevel defed not { /framebuffer defed { 0 40 string framebuffer 9 1 roll 8 {pop} repeat dup 516 eq exch 520 eq or { /fhnumcolors 3 def /currentscreen {60 0 {pop pop 1}}bdf /calcgraysteps {maxsteps} bdf }if }if }if }if fhnumcolors 1 ne { /calcgraysteps {maxsteps} bdf } if /currentpagedevice defed { currentpagedevice /PreRenderingEnhance known { currentpagedevice /PreRenderingEnhance get { /calcgraysteps { forcemaxsteps {maxsteps} {256 maxsteps min} ifelse } def } if } if } if /gradfrequency 144 def printerRes 1000 lt { /gradfrequency 72 def } if /adjnumsteps { dup dtransform abs exch abs max printerRes div gradfrequency mul round 5 max min }bdf /goodsep { spots exch get 4 get dup sepname eq exch (_vc_Registration) eq or }bdf /BeginGradation defed {/bb{BeginGradation}bdf} {/bb{}bdf} ifelse /EndGradation defed {/eb{EndGradation}bdf} {/eb{}bdf} ifelse /bottom -0 def /delta -0 def /frac -0 def /height -0 def /left -0 def /numsteps1 -0 def /radius -0 def /right -0 def /top -0 def /width -0 def /xt -0 def /yt -0 def /df currentflat def /tempstr 1 string def /clipflatness currentflat def /inverted? 
0 currenttransfer exec .5 ge def /tc1 [0 0 0 1] def /tc2 [0 0 0 1] def /storerect{/top xdf /right xdf /bottom xdf /left xdf /width right left sub def /height top bottom sub def}bdf /concatprocs{ systemdict /packedarray known {dup type /packedarraytype eq 2 index type /packedarraytype eq or}{false}ifelse { /proc2 exch cvlit def /proc1 exch cvlit def proc1 aload pop proc2 aload pop proc1 length proc2 length add packedarray cvx } { /proc2 exch cvlit def /proc1 exch cvlit def /newproc proc1 length proc2 length add array def newproc 0 proc1 putinterval newproc proc1 length proc2 putinterval newproc cvx }ifelse }bdf /i{dup 0 eq {pop df dup} {dup} ifelse /clipflatness xdf setflat }bdf version cvr 38.0 le {/setrgbcolor{ currenttransfer exec 3 1 roll currenttransfer exec 3 1 roll currenttransfer exec 3 1 roll setrgbcolor}bdf}if /vms {/vmsv save def} bdf /vmr {vmsv restore} bdf /vmrs{vmsv restore /vmsv save def}bdf /eomode{ {/filler /eofill load def /clipper /eoclip load def} {/filler /fill load def /clipper /clip load def} ifelse }bdf /normtaper{}bdf /logtaper{9 mul 1 add log}bdf /CD{ /NF exch def { exch dup /FID ne 1 index/UniqueID ne and {exch NF 3 1 roll put} {pop pop} ifelse }forall NF }bdf /MN{ 1 index length /Len exch def dup length Len add string dup Len 4 -1 roll putinterval dup 0 4 -1 roll putinterval }bdf /RC{4 -1 roll /ourvec xdf 256 string cvs(|______)anchorsearch {1 index MN cvn/NewN exch def cvn findfont dup maxlength dict CD dup/FontName NewN put dup /Encoding ourvec put NewN exch definefont pop}{pop}ifelse}bdf /RF{ dup FontDirectory exch known {pop 3 -1 roll pop} {RC} ifelse }bdf /FF{dup 256 string cvs(|______)exch MN cvn dup FontDirectory exch known {exch pop findfont 3 -1 roll pop} {pop dup findfont dup maxlength dict CD dup dup /Encoding exch /Encoding get 256 array copy 7 -1 roll {3 -1 roll dup 4 -2 roll put}forall put definefont} ifelse}bdf /RCJ{4 -1 roll /ourvec xdf 256 string cvs (|______) anchorsearch {pop cvn dup FDFJ exch 1 index eq { _bfh findfont 
_efh dup maxlength dict CD dup /FontName 3 index put dup /Encoding ourvec put 1 index exch definefont pop } {exch pop} ifelse } {pop} ifelse }bdf /RFJ{ dup FontDirectory exch known {pop 3 -1 roll pop} {RCJ} ifelse }bdf /hasfont { /resourcestatus where { pop /Font resourcestatus { pop pop true } { false } ifelse } { dup FontDirectory exch known {pop true} { 256 string cvs (fonts/) exch MN status {pop pop pop pop true} {false} ifelse } ifelse } ifelse }bdf /FDFJ { dup hasfont not { pop /Ryumin-Light-83pv-RKSJ-H hasfont { /Ryumin-Light-83pv-RKSJ-H } { /Courier } ifelse } if }bdf /FFJ{ _bfh dup 256 string cvs (|______)exch MN cvn dup FontDirectory exch known { exch pop findfont 3 -1 roll pop } { pop FDFJ dup findfont dup maxlength dict CD dup dup /Encoding exch /Encoding get 256 array copy 7 -1 roll { 3 -1 roll dup 4 -2 roll put }forall put definefont } ifelse _efh }bdf /GS { dup hasfont { findfont exch makesetfont exch pop ts } { pop pop pop ts } ifelse } bdf /RCK{4 -1 roll /ourvec xdf 256 string cvs (|______) anchorsearch {pop cvn dup FDFK exch 1 index eq { _bfh findfont _efh dup maxlength dict CD dup /FontName 3 index put dup /Encoding ourvec put 1 index exch definefont pop } {exch pop} ifelse } {pop} ifelse }bdf /RFK{ dup FontDirectory exch known {pop 3 -1 roll pop} {RCK} ifelse }bdf /hasfont { /resourcestatus where { pop /Font resourcestatus { pop pop true } { false } ifelse } { dup FontDirectory exch known {pop true} { 256 string cvs (fonts/) exch MN status {pop pop pop pop true} {false} ifelse } ifelse } ifelse }bdf /FDFK { dup hasfont not { pop /JCsm hasfont { /JCsm } { /Courier } ifelse } if }bdf /FFK{ _bfh dup 256 string cvs (|______)exch MN cvn dup FontDirectory exch known { exch pop findfont 3 -1 roll pop } { pop FDFK dup findfont dup maxlength dict CD dup dup /Encoding exch /Encoding get 256 array copy 7 -1 roll { 3 -1 roll dup 4 -2 roll put }forall put definefont } ifelse _efh }bdf /RCTC{4 -1 roll /ourvec xdf 256 string cvs (|______) anchorsearch {pop cvn 
dup FDFTC exch 1 index eq { _bfh findfont _efh dup maxlength dict CD dup /FontName 3 index put dup /Encoding ourvec put 1 index exch definefont pop } {exch pop} ifelse } {pop} ifelse }bdf /RFTC{ dup FontDirectory exch known {pop 3 -1 roll pop} {RCTC} ifelse }bdf /FDFTC { dup hasfont not { pop /DFMing-Lt-HK-BF hasfont { /DFMing-Lt-HK-BF } { /Courier } ifelse } if }bdf /FFTC{ _bfh dup 256 string cvs (|______)exch MN cvn dup FontDirectory exch known { exch pop findfont 3 -1 roll pop } { pop FDFTC dup findfont dup maxlength dict CD dup dup /Encoding exch /Encoding get 256 array copy 7 -1 roll { 3 -1 roll dup 4 -2 roll put }forall put definefont } ifelse _efh }bdf /fps{ currentflat exch dup 0 le{pop 1}if { dup setflat 3 index stopped {1.3 mul dup 3 index gt{pop setflat pop pop stop}if} {exit} ifelse }loop pop setflat pop pop }bdf /fp{100 currentflat fps}bdf /clipper{clip}bdf /W{/clipper load 100 clipflatness dup setflat fps}bdf userdict begin /BDFontDict 29 dict def end BDFontDict begin /bu{}def /bn{}def /setTxMode{av 70 ge{pop}if pop}def /gm{m}def /show{pop}def /gr{pop}def /fnt{pop pop pop}def /fs{pop}def /fz{pop}def /lin{pop pop}def /:M {pop pop} def /sf {pop} def /S {pop} def /@b {pop pop pop pop pop pop pop pop} def /_bdsave /save load def /_bdrestore /restore load def /save { dup /fontsave eq {null} {_bdsave} ifelse } def /restore { dup null eq { pop } { _bdrestore } ifelse } def /fontsave null def end /MacVec 256 array def MacVec 0 /Helvetica findfont /Encoding get 0 128 getinterval putinterval MacVec 127 /DEL put MacVec 16#27 /quotesingle put MacVec 16#60 /grave put /NUL/SOH/STX/ETX/EOT/ENQ/ACK/BEL/BS/HT/LF/VT/FF/CR/SO/SI /DLE/DC1/DC2/DC3/DC4/NAK/SYN/ETB/CAN/EM/SUB/ESC/FS/GS/RS/US MacVec 0 32 getinterval astore pop /Adieresis/Aring/Ccedilla/Eacute/Ntilde/Odieresis/Udieresis/aacute /agrave/acircumflex/adieresis/atilde/aring/ccedilla/eacute/egrave /ecircumflex/edieresis/iacute/igrave/icircumflex/idieresis/ntilde/oacute 
/ograve/ocircumflex/odieresis/otilde/uacute/ugrave/ucircumflex/udieresis /dagger/degree/cent/sterling/section/bullet/paragraph/germandbls /registered/copyright/trademark/acute/dieresis/notequal/AE/Oslash /infinity/plusminus/lessequal/greaterequal/yen/mu/partialdiff/summation /product/pi/integral/ordfeminine/ordmasculine/Omega/ae/oslash /questiondown/exclamdown/logicalnot/radical/florin/approxequal/Delta/guillemotleft /guillemotright/ellipsis/nbspace/Agrave/Atilde/Otilde/OE/oe /endash/emdash/quotedblleft/quotedblright/quoteleft/quoteright/divide/lozenge /ydieresis/Ydieresis/fraction/currency/guilsinglleft/guilsinglright/fi/fl /daggerdbl/periodcentered/quotesinglbase/quotedblbase /perthousand/Acircumflex/Ecircumflex/Aacute /Edieresis/Egrave/Iacute/Icircumflex/Idieresis/Igrave/Oacute/Ocircumflex /apple/Ograve/Uacute/Ucircumflex/Ugrave/dotlessi/circumflex/tilde /macron/breve/dotaccent/ring/cedilla/hungarumlaut/ogonek/caron MacVec 128 128 getinterval astore pop /findheaderfont { /Helvetica findfont } def end %. AltsysDict %%EndResource %%EndProlog %%BeginSetup AltsysDict begin _bfh _efh end %. 
AltsysDict %%EndSetup AltsysDict begin /onlyk4{false}ndf /ccmyk{dup 5 -1 roll sub 0 max exch}ndf /cmyk2gray{ 4 -1 roll 0.3 mul 4 -1 roll 0.59 mul 4 -1 roll 0.11 mul add add add 1 min neg 1 add }bdf /setcmykcolor{1 exch sub ccmyk ccmyk ccmyk pop setrgbcolor}ndf /maxcolor { max max max } ndf /maxspot { pop } ndf /setcmykcoloroverprint{4{dup -1 eq{pop 0}if 4 1 roll}repeat setcmykcolor}ndf /findcmykcustomcolor{5 packedarray}ndf /setcustomcolor{exch aload pop pop 4{4 index mul 4 1 roll}repeat setcmykcolor pop}ndf /setseparationgray{setgray}ndf /setoverprint{pop}ndf /currentoverprint false ndf /cmykbufs2gray{ 0 1 2 index length 1 sub { 4 index 1 index get 0.3 mul 4 index 2 index get 0.59 mul 4 index 3 index get 0.11 mul 4 index 4 index get add add add cvi 255 min 255 exch sub 2 index 3 1 roll put }for 4 1 roll pop pop pop }bdf /colorimage{ pop pop [ 5 -1 roll/exec cvx 6 -1 roll/exec cvx 7 -1 roll/exec cvx 8 -1 roll/exec cvx /cmykbufs2gray cvx ]cvx image } %. version 47.1 on Linotronic of Postscript defines colorimage incorrectly (rgb model only) version cvr 47.1 le statusdict /product get (Lino) anchorsearch{pop pop true}{pop false}ifelse and{userdict begin bdf end}{ndf}ifelse fhnumcolors 1 ne {/yt save def} if /customcolorimage{ aload pop (_vc_Registration) eq { pop pop pop pop separationimage } { /ik xdf /iy xdf /im xdf /ic xdf ic im iy ik cmyk2gray /xt xdf currenttransfer {dup 1.0 exch sub xt mul add}concatprocs st image } ifelse }ndf fhnumcolors 1 ne {yt restore} if fhnumcolors 3 ne {/yt save def} if /customcolorimage{ aload pop (_vc_Registration) eq { pop pop pop pop separationimage } { /ik xdf /iy xdf /im xdf /ic xdf 1.0 dup ic ik add min sub 1.0 dup im ik add min sub 1.0 dup iy ik add min sub /ic xdf /iy xdf /im xdf currentcolortransfer 4 1 roll {dup 1.0 exch sub ic mul add}concatprocs 4 1 roll {dup 1.0 exch sub iy mul add}concatprocs 4 1 roll {dup 1.0 exch sub im mul add}concatprocs 4 1 roll setcolortransfer {/dummy xdf dummy}concatprocs{dummy}{dummy}true 3 
colorimage } ifelse }ndf fhnumcolors 3 ne {yt restore} if fhnumcolors 4 ne {/yt save def} if /customcolorimage{ aload pop (_vc_Registration) eq { pop pop pop pop separationimage } { /ik xdf /iy xdf /im xdf /ic xdf currentcolortransfer {1.0 exch sub ik mul ik sub 1 add}concatprocs 4 1 roll {1.0 exch sub iy mul iy sub 1 add}concatprocs 4 1 roll {1.0 exch sub im mul im sub 1 add}concatprocs 4 1 roll {1.0 exch sub ic mul ic sub 1 add}concatprocs 4 1 roll setcolortransfer {/dummy xdf dummy}concatprocs{dummy}{dummy}{dummy} true 4 colorimage } ifelse }ndf fhnumcolors 4 ne {yt restore} if /separationimage{image}ndf /spotascmyk false ndf /newcmykcustomcolor{6 packedarray}ndf /inkoverprint false ndf /setinkoverprint{pop}ndf /setspotcolor { spots exch get dup 4 get (_vc_Registration) eq {pop 1 exch sub setseparationgray} {0 5 getinterval exch setcustomcolor} ifelse }ndf /currentcolortransfer{currenttransfer dup dup dup}ndf /setcolortransfer{st pop pop pop}ndf /fas{}ndf /sas{}ndf /fhsetspreadsize{pop}ndf /filler{fill}bdf /F{gsave {filler}fp grestore}bdf /f{closepath F}bdf /S{gsave {stroke}fp grestore}bdf /s{closepath S}bdf userdict /islevel2 systemdict /languagelevel known dup { pop systemdict /languagelevel get 2 ge } if put islevel2 not { /currentcmykcolor { 0 0 0 1 currentgray sub } ndf } if /tc { gsave setcmykcolor currentcmykcolor grestore } bind def /testCMYKColorThrough { tc add add add 0 ne } bind def /fhiscomposite where not { userdict /fhiscomposite islevel2 { gsave 1 1 1 1 setcmykcolor currentcmykcolor grestore add add add 4 eq } { 1 0 0 0 testCMYKColorThrough 0 1 0 0 testCMYKColorThrough 0 0 1 0 testCMYKColorThrough 0 0 0 1 testCMYKColorThrough and and and } ifelse put } { pop } ifelse /bc4 [0 0 0 0] def /_lfp4 { 1 pop /yt xdf /xt xdf /ang xdf storerect /taperfcn xdf /k2 xdf /y2 xdf /m2 xdf /c2 xdf /k1 xdf /y1 xdf /m1 xdf /c1 xdf c1 c2 sub abs m1 m2 sub abs y1 y2 sub abs k1 k2 sub abs maxcolor calcgraysteps mul abs round height abs adjnumsteps dup 1 lt {pop 1} if 1 
sub /numsteps1 xdf currentflat mark currentflat clipflatness /delta top bottom sub numsteps1 1 add div def /right right left sub def /botsv top delta sub def { { W xt yt translate ang rotate xt neg yt neg translate dup setflat /bottom botsv def 0 1 numsteps1 { numsteps1 dup 0 eq {pop pop 0.5} {div} ifelse taperfcn /frac xdf bc4 0 c2 c1 sub frac mul c1 add put bc4 1 m2 m1 sub frac mul m1 add put bc4 2 y2 y1 sub frac mul y1 add put bc4 3 k2 k1 sub frac mul k1 add put bc4 vc 1 index setflat { mark {newpath left bottom right delta rectfill}stopped {cleartomark exch 1.3 mul dup setflat exch 2 copy gt{stop}if} {cleartomark exit}ifelse }loop /bottom bottom delta sub def }for } gsave stopped grestore {exch pop 2 index exch 1.3 mul dup 100 gt{cleartomark setflat stop}if} {exit}ifelse }loop cleartomark setflat }bdf /bcs [0 0] def /_lfs4 { /yt xdf /xt xdf /ang xdf storerect /taperfcn xdf /tint2 xdf /tint1 xdf bcs exch 1 exch put tint1 tint2 sub abs bcs 1 get maxspot calcgraysteps mul abs round height abs adjnumsteps dup 2 lt {pop 2} if 1 sub /numsteps1 xdf currentflat mark currentflat clipflatness /delta top bottom sub numsteps1 1 add div def /right right left sub def /botsv top delta sub def { { W xt yt translate ang rotate xt neg yt neg translate dup setflat /bottom botsv def 0 1 numsteps1 { numsteps1 div taperfcn /frac xdf bcs 0 1.0 tint2 tint1 sub frac mul tint1 add sub put bcs vc 1 index setflat { mark {newpath left bottom right delta rectfill}stopped {cleartomark exch 1.3 mul dup setflat exch 2 copy gt{stop}if} {cleartomark exit}ifelse }loop /bottom bottom delta sub def }for } gsave stopped grestore {exch pop 2 index exch 1.3 mul dup 100 gt{cleartomark setflat stop}if} {exit}ifelse }loop cleartomark setflat }bdf /_rfs6 { /tint2 xdf /tint1 xdf bcs exch 1 exch put /inrad xdf /radius xdf /yt xdf /xt xdf tint1 tint2 sub abs bcs 1 get maxspot calcgraysteps mul abs round radius inrad sub abs adjnumsteps dup 1 lt {pop 1} if 1 sub /numsteps1 xdf radius inrad sub numsteps1 dup 0 
eq {pop} {div} ifelse 2 div /halfstep xdf currentflat mark currentflat clipflatness { { dup setflat W 0 1 numsteps1 { dup /radindex xdf numsteps1 dup 0 eq {pop pop 0.5} {div} ifelse /frac xdf bcs 0 tint2 tint1 sub frac mul tint1 add put bcs vc 1 index setflat { newpath mark xt yt radius inrad sub 1 frac sub mul halfstep add inrad add 0 360 { arc radindex numsteps1 ne inrad 0 gt or { xt yt numsteps1 0 eq { inrad } { radindex 1 add numsteps1 div 1 exch sub radius inrad sub mul halfstep add inrad add }ifelse dup xt add yt moveto 360 0 arcn } if fill }stopped {cleartomark exch 1.3 mul dup setflat exch 2 copy gt{stop}if} {cleartomark exit}ifelse }loop }for } gsave stopped grestore {exch pop 2 index exch 1.3 mul dup 100 gt{cleartomark setflat stop}if} {exit}ifelse }loop cleartomark setflat }bdf /_rfp6 { 1 pop /k2 xdf /y2 xdf /m2 xdf /c2 xdf /k1 xdf /y1 xdf /m1 xdf /c1 xdf /inrad xdf /radius xdf /yt xdf /xt xdf c1 c2 sub abs m1 m2 sub abs y1 y2 sub abs k1 k2 sub abs maxcolor calcgraysteps mul abs round radius inrad sub abs adjnumsteps dup 1 lt {pop 1} if 1 sub /numsteps1 xdf radius inrad sub numsteps1 dup 0 eq {pop} {div} ifelse 2 div /halfstep xdf currentflat mark currentflat clipflatness { { dup setflat W 0 1 numsteps1 { dup /radindex xdf numsteps1 dup 0 eq {pop pop 0.5} {div} ifelse /frac xdf bc4 0 c2 c1 sub frac mul c1 add put bc4 1 m2 m1 sub frac mul m1 add put bc4 2 y2 y1 sub frac mul y1 add put bc4 3 k2 k1 sub frac mul k1 add put bc4 vc 1 index setflat { newpath mark xt yt radius inrad sub 1 frac sub mul halfstep add inrad add 0 360 { arc radindex numsteps1 ne inrad 0 gt or { xt yt numsteps1 0 eq { inrad } { radindex 1 add numsteps1 div 1 exch sub radius inrad sub mul halfstep add inrad add }ifelse dup xt add yt moveto 360 0 arcn } if fill }stopped {cleartomark exch 1.3 mul dup setflat exch 2 copy gt{stop}if} {cleartomark exit}ifelse }loop }for } gsave stopped grestore {exch pop 2 index exch 1.3 mul dup 100 gt{cleartomark setflat stop}if} {exit}ifelse }loop 
cleartomark setflat }bdf /lfp4{_lfp4}ndf /lfs4{_lfs4}ndf /rfs6{_rfs6}ndf /rfp6{_rfp6}ndf /cvc [0 0 0 1] def /vc{ AltsysDict /cvc 2 index put aload length dup 4 eq {pop dup -1 eq{pop setrgbcolor}{setcmykcolor}ifelse} {6 eq {sethexcolor} {setspotcolor} ifelse } ifelse }bdf 0 setseparationgray /imgr {1692.47 1570.59 1723.65 1601.77 } def /bleed 0 def /clpr {1692.47 1570.59 1723.65 1601.77 } def /xs 1 def /ys 1 def /botx 0 def /overlap 0 def /wdist 18 def 0 2 mul fhsetspreadsize 0 0 ne {/df 0 def /clipflatness 0 def} if /maxsteps 256 def /forcemaxsteps false def /minsteps 0 def userdict begin /AGDOrigMtx matrix currentmatrix def end vms -1694 -1572 translate /currentpacking defed{false setpacking}if /spots[ 1 0 0 0 (Process Cyan) false newcmykcustomcolor 0 1 0 0 (Process Magenta) false newcmykcustomcolor 0 0 1 0 (Process Yellow) false newcmykcustomcolor 0 0 0 1 (Process Black) false newcmykcustomcolor ]def n [] 0 d 3.863708 M 1 w 0 j 0 J false setoverprint 0 i false eomode [0 0 0 1]vc vms q [1 0 0 1 -249.981674 -586.867554] concat vms 1946.9506 2177.5114 m 1954.4907 2185.0516 L 1956.7047 2187.2656 1960.2943 2187.2656 1962.5083 2185.0516 C 1970.0485 2177.5114 L 1972.2625 2175.2974 1972.2625 2171.7078 1970.0485 2169.4938 C 1962.5083 2161.9537 L 1960.2943 2159.7396 1956.7047 2159.7396 1954.4907 2161.9537 C 1946.9506 2169.4938 L 1944.7365 2171.7078 1944.7365 2175.2974 1946.9506 2177.5114 C s n true eomode 1958.5469 2181.0039 m 1959.2148 2181.0039 1959.7012 2180.9296 1960.0059 2180.7813 C 1960.3142 2180.6326 1960.4684 2180.363 1960.4688 2179.9727 C 1960.4688 2179.7383 1960.3398 2178.8026 1960.082 2177.166 C 1959.0742 2170.4219 L 1958.9373 2170.3241 1958.7615 2170.2754 1958.5469 2170.2754 C 1958.3319 2170.2754 1958.1561 2170.3241 1958.0195 2170.4219 C 1957.0117 2177.166 L 1956.7539 2178.8026 1956.625 2179.7379 1956.625 2179.9727 C 1956.625 2180.363 1956.7792 2180.6326 1957.0879 2180.7813 C 1957.4003 2180.9296 1957.8866 2181.0035 1958.5469 2181.0039 C h 1958.5469 2165.166 m 
1958.0389 2165.166 1957.5878 2165.3499 1957.1934 2165.7168 C 1956.7986 2166.0837 1956.6016 2166.5485 1956.6016 2167.1113 C 1956.6016 2167.6698 1956.7891 2168.1404 1957.1641 2168.5234 C 1957.5427 2168.9102 1958.0038 2169.1035 1958.5469 2169.1035 C 1959.1094 2169.1035 1959.5741 2168.9043 1959.9414 2168.5059 C 1960.3083 2168.1074 1960.4918 2167.6423 1960.4922 2167.1113 C 1960.4922 2166.748 1960.4102 2166.4177 1960.2461 2166.1211 C 1960.082 2165.8241 1959.8513 2165.5916 1959.5547 2165.4238 C 1959.2577 2165.2521 1958.9219 2165.1664 1958.5469 2165.166 C true setoverprint f false setoverprint n vmr Q false eomode vmr vmr end %%Trailer \ No newline at end of file diff --git a/docs/xslt/figures/note.eps b/docs/xslt/figures/note.eps new file mode 100644 index 0000000000..39be23fa77 --- /dev/null +++ b/docs/xslt/figures/note.eps 
@@ -0,0 +1,1387 @@ +%!PS-Adobe-2.0 EPSF-1.2 +%%Title: Untitled-1 +%%Creator: FreeHand 9.0 +%%CreationDate: 2002/07/16 10:41 PM +%%BoundingBox: 0 0 27 27 +%%FHPathName:Untitled:FreeHand 9:English:Untitled-1 +%ALDOriginalFile:Untitled:FreeHand 9:English:Untitled-1 +%ALDBoundingBox: -153 -436 442 406 +%%FHPageNum:1 +%%DocumentSuppliedResources: procset Altsys_header 4 0 +%%ColorUsage: Color +%%DocumentProcessColors: Black +%%EndComments +%%BeginResource: procset Altsys_header 4 0 +userdict begin /AltsysDict 300 dict def end +AltsysDict begin +/bdf{bind def}bind def +/xdf{exch def}bdf +/defed{where{pop true}{false}ifelse}bdf +/ndf{1 index where{pop pop pop}{dup xcheck{bind}if def}ifelse}bdf +/d{setdash}bdf +/h{closepath}bdf +/H{}bdf +/J{setlinecap}bdf +/j{setlinejoin}bdf +/M{setmiterlimit}bdf +/n{newpath}bdf +/N{newpath}bdf +/q{gsave}bdf +/Q{grestore}bdf +/w{setlinewidth}bdf +/Xic{matrix invertmatrix concat}bdf +/Xq{matrix currentmatrix mark}bdf +/XQ{cleartomark setmatrix}bdf +/sepdef{ +dup where not +{ +AltsysSepDict +} +if +3 1 roll exch put +}bdf +/st{settransfer}bdf +/colorimage defed /_rci xdf +/cntr 0 def +/readbinarystring{ +/cntr 0 def +2 copy readstring +{ +{ +dup +(\034) search +{ +length exch pop exch +dup length 0 ne +{ +dup dup 0 get 32 sub 0 exch put +/cntr cntr 1 add def +} +{ +pop 1 string dup +0 6 index read pop 32 sub put +}ifelse +3 copy +putinterval pop +1 add +1 index length 1 sub +1 index sub +dup 0 le {pop pop exit}if +getinterval +} +{ +pop exit +} ifelse +} loop +}if +cntr 0 gt +{ +pop 2 copy +dup length cntr sub cntr getinterval +readbinarystring +} if +pop exch pop +} bdf +/_NXLevel2 defed { +_NXLevel2 not { +/colorimage where { +userdict eq { +/_rci false def +} if +} if +} if +} if +/md defed{ +md type /dicttype eq { +/colorimage where { +md eq { +/_rci false def +}if +}if +/settransfer where { +md eq { +/st systemdict /settransfer get def +}if +}if +}if +}if +/setstrokeadjust defed +{ +true setstrokeadjust +/C{curveto}bdf +/L{lineto}bdf 
+/m{moveto}bdf +} +{ +/dr{transform .25 sub round .25 add +exch .25 sub round .25 add exch itransform}bdf +/C{dr curveto}bdf +/L{dr lineto}bdf +/m{dr moveto}bdf +/setstrokeadjust{pop}bdf +}ifelse +/privrectpath { +4 -2 roll m +dtransform round exch round exch idtransform +2 copy 0 lt exch 0 lt xor +{dup 0 exch rlineto exch 0 rlineto neg 0 exch rlineto} +{exch dup 0 rlineto exch 0 exch rlineto neg 0 rlineto} +ifelse +closepath +}bdf +/rectclip{newpath privrectpath clip newpath}def +/rectfill{gsave newpath privrectpath fill grestore}def +/rectstroke{gsave newpath privrectpath stroke grestore}def +/_fonthacksave false def +/currentpacking defed +{ +/_bfh {/_fonthacksave currentpacking def false setpacking} bdf +/_efh {_fonthacksave setpacking} bdf +} +{ +/_bfh {} bdf +/_efh {} bdf +}ifelse +/packedarray{array astore readonly}ndf +/` +{ +false setoverprint +/-save0- save def +5 index concat +pop +storerect left bottom width height rectclip +pop +/MMdict_count countdictstack def +/MMop_count count 1 sub def +userdict begin +/showpage {} def +0 setgray 0 setlinecap 1 setlinewidth +0 setlinejoin 10 setmiterlimit [] 0 setdash newpath +} bdf +/currentpacking defed{true setpacking}if +/min{2 copy gt{exch}if pop}bdf +/max{2 copy lt{exch}if pop}bdf +/xformfont { currentfont exch makefont setfont } bdf +/fhnumcolors 1 +statusdict begin +/processcolors defed +{ +pop processcolors +} +{ +/deviceinfo defed { +deviceinfo /Colors known { +pop deviceinfo /Colors get +} if +} if +} ifelse +end +def +/printerRes +gsave +matrix defaultmatrix setmatrix +72 72 dtransform +abs exch abs +max +grestore +def +/graycalcs +[ +{Angle Frequency} +{GrayAngle GrayFrequency} +{0 Width Height matrix defaultmatrix idtransform +dup mul exch dup mul add sqrt 72 exch div} +{0 GrayWidth GrayHeight matrix defaultmatrix idtransform +dup mul exch dup mul add sqrt 72 exch div} +] def +/calcgraysteps { +forcemaxsteps +{ +maxsteps +} +{ +/currenthalftone defed +{currenthalftone /dicttype eq}{false}ifelse +{ 
+currenthalftone begin +HalftoneType 4 le +{graycalcs HalftoneType 1 sub get exec} +{ +HalftoneType 5 eq +{ +Default begin +{graycalcs HalftoneType 1 sub get exec} +end +} +{0 60} +ifelse +} +ifelse +end +} +{ +currentscreen pop exch +} +ifelse +printerRes 300 max exch div exch +2 copy +sin mul round dup mul +3 1 roll +cos mul round dup mul +add 1 add +dup maxsteps gt {pop maxsteps} if +dup minsteps lt {pop minsteps} if +} +ifelse +} bdf +/nextrelease defed { +/languagelevel defed not { +/framebuffer defed { +0 40 string framebuffer 9 1 roll 8 {pop} repeat +dup 516 eq exch 520 eq or +{ +/fhnumcolors 3 def +/currentscreen {60 0 {pop pop 1}}bdf +/calcgraysteps {maxsteps} bdf +}if +}if +}if +}if +fhnumcolors 1 ne { +/calcgraysteps {maxsteps} bdf +} if +/currentpagedevice defed { +currentpagedevice /PreRenderingEnhance known +{ +currentpagedevice /PreRenderingEnhance get +{ +/calcgraysteps +{ +forcemaxsteps +{maxsteps} +{256 maxsteps min} +ifelse +} def +} if +} if +} if +/gradfrequency 144 def +printerRes 1000 lt { +/gradfrequency 72 def +} if +/adjnumsteps { +dup dtransform abs exch abs max +printerRes div +gradfrequency mul +round +5 max +min +}bdf +/goodsep { +spots exch get 4 get dup sepname eq exch (_vc_Registration) eq or +}bdf +/BeginGradation defed +{/bb{BeginGradation}bdf} +{/bb{}bdf} +ifelse +/EndGradation defed +{/eb{EndGradation}bdf} +{/eb{}bdf} +ifelse +/bottom -0 def +/delta -0 def +/frac -0 def +/height -0 def +/left -0 def +/numsteps1 -0 def +/radius -0 def +/right -0 def +/top -0 def +/width -0 def +/xt -0 def +/yt -0 def +/df currentflat def +/tempstr 1 string def +/clipflatness currentflat def +/inverted? 
+0 currenttransfer exec .5 ge def +/tc1 [0 0 0 1] def +/tc2 [0 0 0 1] def +/storerect{/top xdf /right xdf /bottom xdf /left xdf +/width right left sub def /height top bottom sub def}bdf +/concatprocs{ +systemdict /packedarray known +{dup type /packedarraytype eq 2 index type /packedarraytype eq or}{false}ifelse +{ +/proc2 exch cvlit def /proc1 exch cvlit def +proc1 aload pop proc2 aload pop +proc1 length proc2 length add packedarray cvx +} +{ +/proc2 exch cvlit def /proc1 exch cvlit def +/newproc proc1 length proc2 length add array def +newproc 0 proc1 putinterval newproc proc1 length proc2 putinterval +newproc cvx +}ifelse +}bdf +/i{dup 0 eq +{pop df dup} +{dup} ifelse +/clipflatness xdf setflat +}bdf +version cvr 38.0 le +{/setrgbcolor{ +currenttransfer exec 3 1 roll +currenttransfer exec 3 1 roll +currenttransfer exec 3 1 roll +setrgbcolor}bdf}if +/vms {/vmsv save def} bdf +/vmr {vmsv restore} bdf +/vmrs{vmsv restore /vmsv save def}bdf +/eomode{ +{/filler /eofill load def /clipper /eoclip load def} +{/filler /fill load def /clipper /clip load def} +ifelse +}bdf +/normtaper{}bdf +/logtaper{9 mul 1 add log}bdf +/CD{ +/NF exch def +{ +exch dup +/FID ne 1 index/UniqueID ne and +{exch NF 3 1 roll put} +{pop pop} +ifelse +}forall +NF +}bdf +/MN{ +1 index length +/Len exch def +dup length Len add +string dup +Len +4 -1 roll +putinterval +dup +0 +4 -1 roll +putinterval +}bdf +/RC{4 -1 roll /ourvec xdf 256 string cvs(|______)anchorsearch +{1 index MN cvn/NewN exch def cvn +findfont dup maxlength dict CD dup/FontName NewN put dup +/Encoding ourvec put NewN exch definefont pop}{pop}ifelse}bdf +/RF{ +dup +FontDirectory exch +known +{pop 3 -1 roll pop} +{RC} +ifelse +}bdf +/FF{dup 256 string cvs(|______)exch MN cvn dup FontDirectory exch known +{exch pop findfont 3 -1 roll pop} +{pop dup findfont dup maxlength dict CD dup dup +/Encoding exch /Encoding get 256 array copy 7 -1 roll +{3 -1 roll dup 4 -2 roll put}forall put definefont} +ifelse}bdf +/RCJ{4 -1 roll +/ourvec xdf 
+256 string cvs +(|______) anchorsearch +{pop +cvn +dup FDFJ +exch +1 index +eq +{ +_bfh findfont _efh +dup +maxlength dict +CD +dup +/FontName +3 index +put +dup +/Encoding ourvec put +1 index +exch +definefont +pop +} +{exch pop} +ifelse +} +{pop} +ifelse +}bdf +/RFJ{ +dup +FontDirectory exch +known +{pop 3 -1 roll pop} +{RCJ} +ifelse +}bdf +/hasfont +{ +/resourcestatus where +{ +pop +/Font resourcestatus +{ +pop pop true +} +{ +false +} +ifelse +} +{ +dup FontDirectory exch known +{pop true} +{ +256 string +cvs +(fonts/) exch MN +status +{pop pop pop pop true} +{false} +ifelse +} +ifelse +} +ifelse +}bdf +/FDFJ +{ +dup +hasfont +not +{ +pop +/Ryumin-Light-83pv-RKSJ-H +hasfont +{ +/Ryumin-Light-83pv-RKSJ-H +} +{ +/Courier +} +ifelse +} +if +}bdf +/FFJ{ +_bfh +dup +256 string cvs +(|______)exch MN +cvn +dup +FontDirectory +exch known +{ +exch +pop +findfont +3 -1 roll +pop +} +{ +pop +FDFJ +dup findfont +dup maxlength dict +CD +dup dup +/Encoding exch +/Encoding get +256 array copy +7 -1 roll +{ +3 -1 roll +dup +4 -2 roll +put +}forall +put +definefont +} +ifelse +_efh +}bdf +/GS { +dup +hasfont +{ +findfont +exch makesetfont +exch +pop +ts +} +{ +pop pop pop +ts +} ifelse +} bdf +/RCK{4 -1 roll +/ourvec xdf +256 string cvs +(|______) anchorsearch +{pop +cvn +dup FDFK +exch +1 index +eq +{ +_bfh findfont _efh +dup +maxlength dict +CD +dup +/FontName +3 index +put +dup +/Encoding ourvec put +1 index +exch +definefont +pop +} +{exch pop} +ifelse +} +{pop} +ifelse +}bdf +/RFK{ +dup +FontDirectory exch +known +{pop 3 -1 roll pop} +{RCK} +ifelse +}bdf +/hasfont +{ +/resourcestatus where +{ +pop +/Font resourcestatus +{ +pop pop true +} +{ +false +} +ifelse +} +{ +dup FontDirectory exch known +{pop true} +{ +256 string +cvs +(fonts/) exch MN +status +{pop pop pop pop true} +{false} +ifelse +} +ifelse +} +ifelse +}bdf +/FDFK +{ +dup +hasfont +not +{ +pop +/JCsm +hasfont +{ +/JCsm +} +{ +/Courier +} +ifelse +} +if +}bdf +/FFK{ +_bfh +dup +256 string cvs +(|______)exch MN 
+cvn +dup +FontDirectory +exch known +{ +exch +pop +findfont +3 -1 roll +pop +} +{ +pop +FDFK +dup findfont +dup maxlength dict +CD +dup dup +/Encoding exch +/Encoding get +256 array copy +7 -1 roll +{ +3 -1 roll +dup +4 -2 roll +put +}forall +put +definefont +} +ifelse +_efh +}bdf +/RCTC{4 -1 roll +/ourvec xdf +256 string cvs +(|______) anchorsearch +{pop +cvn +dup FDFTC +exch +1 index +eq +{ +_bfh findfont _efh +dup +maxlength dict +CD +dup +/FontName +3 index +put +dup +/Encoding ourvec put +1 index +exch +definefont +pop +} +{exch pop} +ifelse +} +{pop} +ifelse +}bdf +/RFTC{ +dup +FontDirectory exch +known +{pop 3 -1 roll pop} +{RCTC} +ifelse +}bdf +/FDFTC +{ +dup +hasfont +not +{ +pop +/DFMing-Lt-HK-BF +hasfont +{ +/DFMing-Lt-HK-BF +} +{ +/Courier +} +ifelse +} +if +}bdf +/FFTC{ +_bfh +dup +256 string cvs +(|______)exch MN +cvn +dup +FontDirectory +exch known +{ +exch +pop +findfont +3 -1 roll +pop +} +{ +pop +FDFTC +dup findfont +dup maxlength dict +CD +dup dup +/Encoding exch +/Encoding get +256 array copy +7 -1 roll +{ +3 -1 roll +dup +4 -2 roll +put +}forall +put +definefont +} +ifelse +_efh +}bdf +/fps{ +currentflat +exch +dup 0 le{pop 1}if +{ +dup setflat 3 index stopped +{1.3 mul dup 3 index gt{pop setflat pop pop stop}if} +{exit} +ifelse +}loop +pop setflat pop pop +}bdf +/fp{100 currentflat fps}bdf +/clipper{clip}bdf +/W{/clipper load 100 clipflatness dup setflat fps}bdf + +userdict begin /BDFontDict 29 dict def end +BDFontDict begin +/bu{}def +/bn{}def +/setTxMode{av 70 ge{pop}if pop}def +/gm{m}def +/show{pop}def +/gr{pop}def +/fnt{pop pop pop}def +/fs{pop}def +/fz{pop}def +/lin{pop pop}def +/:M {pop pop} def +/sf {pop} def +/S {pop} def +/@b {pop pop pop pop pop pop pop pop} def +/_bdsave /save load def +/_bdrestore /restore load def +/save { dup /fontsave eq {null} {_bdsave} ifelse } def +/restore { dup null eq { pop } { _bdrestore } ifelse } def +/fontsave null def +end +/MacVec 256 array def +MacVec 0 /Helvetica findfont +/Encoding get 0 128 
getinterval putinterval +MacVec 127 /DEL put MacVec 16#27 /quotesingle put MacVec 16#60 /grave put +/NUL/SOH/STX/ETX/EOT/ENQ/ACK/BEL/BS/HT/LF/VT/FF/CR/SO/SI +/DLE/DC1/DC2/DC3/DC4/NAK/SYN/ETB/CAN/EM/SUB/ESC/FS/GS/RS/US +MacVec 0 32 getinterval astore pop +/Adieresis/Aring/Ccedilla/Eacute/Ntilde/Odieresis/Udieresis/aacute +/agrave/acircumflex/adieresis/atilde/aring/ccedilla/eacute/egrave +/ecircumflex/edieresis/iacute/igrave/icircumflex/idieresis/ntilde/oacute +/ograve/ocircumflex/odieresis/otilde/uacute/ugrave/ucircumflex/udieresis +/dagger/degree/cent/sterling/section/bullet/paragraph/germandbls +/registered/copyright/trademark/acute/dieresis/notequal/AE/Oslash +/infinity/plusminus/lessequal/greaterequal/yen/mu/partialdiff/summation +/product/pi/integral/ordfeminine/ordmasculine/Omega/ae/oslash +/questiondown/exclamdown/logicalnot/radical/florin/approxequal/Delta/guillemotleft +/guillemotright/ellipsis/nbspace/Agrave/Atilde/Otilde/OE/oe +/endash/emdash/quotedblleft/quotedblright/quoteleft/quoteright/divide/lozenge +/ydieresis/Ydieresis/fraction/currency/guilsinglleft/guilsinglright/fi/fl +/daggerdbl/periodcentered/quotesinglbase/quotedblbase +/perthousand/Acircumflex/Ecircumflex/Aacute +/Edieresis/Egrave/Iacute/Icircumflex/Idieresis/Igrave/Oacute/Ocircumflex +/apple/Ograve/Uacute/Ucircumflex/Ugrave/dotlessi/circumflex/tilde +/macron/breve/dotaccent/ring/cedilla/hungarumlaut/ogonek/caron +MacVec 128 128 getinterval astore pop +/findheaderfont { +/Helvetica findfont +} def +end %. AltsysDict +%%EndResource +%%EndProlog + +%%BeginSetup + +AltsysDict begin +_bfh + +_efh +end %. 
AltsysDict + +%%EndSetup +AltsysDict begin + +/onlyk4{false}ndf +/ccmyk{dup 5 -1 roll sub 0 max exch}ndf +/cmyk2gray{ +4 -1 roll 0.3 mul 4 -1 roll 0.59 mul 4 -1 roll 0.11 mul +add add add 1 min neg 1 add +}bdf +/setcmykcolor{1 exch sub ccmyk ccmyk ccmyk pop setrgbcolor}ndf +/maxcolor { +max max max +} ndf +/maxspot { +pop +} ndf +/setcmykcoloroverprint{4{dup -1 eq{pop 0}if 4 1 roll}repeat setcmykcolor}ndf +/findcmykcustomcolor{5 packedarray}ndf +/setcustomcolor{exch aload pop pop 4{4 index mul 4 1 roll}repeat setcmykcolor pop}ndf +/setseparationgray{setgray}ndf +/setoverprint{pop}ndf +/currentoverprint false ndf +/cmykbufs2gray{ +0 1 2 index length 1 sub +{ +4 index 1 index get 0.3 mul +4 index 2 index get 0.59 mul +4 index 3 index get 0.11 mul +4 index 4 index get +add add add cvi 255 min +255 exch sub +2 index 3 1 roll put +}for +4 1 roll pop pop pop +}bdf +/colorimage{ +pop pop +[ +5 -1 roll/exec cvx +6 -1 roll/exec cvx +7 -1 roll/exec cvx +8 -1 roll/exec cvx +/cmykbufs2gray cvx +]cvx +image +} +%. 
version 47.1 on Linotronic of Postscript defines colorimage incorrectly (rgb model only) +version cvr 47.1 le +statusdict /product get (Lino) anchorsearch{pop pop true}{pop false}ifelse +and{userdict begin bdf end}{ndf}ifelse +fhnumcolors 1 ne {/yt save def} if +/customcolorimage{ +aload pop +(_vc_Registration) eq +{ +pop pop pop pop separationimage +} +{ +/ik xdf /iy xdf /im xdf /ic xdf +ic im iy ik cmyk2gray /xt xdf +currenttransfer +{dup 1.0 exch sub xt mul add}concatprocs +st +image +} +ifelse +}ndf +fhnumcolors 1 ne {yt restore} if +fhnumcolors 3 ne {/yt save def} if +/customcolorimage{ +aload pop +(_vc_Registration) eq +{ +pop pop pop pop separationimage +} +{ +/ik xdf /iy xdf /im xdf /ic xdf +1.0 dup ic ik add min sub +1.0 dup im ik add min sub +1.0 dup iy ik add min sub +/ic xdf /iy xdf /im xdf +currentcolortransfer +4 1 roll +{dup 1.0 exch sub ic mul add}concatprocs 4 1 roll +{dup 1.0 exch sub iy mul add}concatprocs 4 1 roll +{dup 1.0 exch sub im mul add}concatprocs 4 1 roll +setcolortransfer +{/dummy xdf dummy}concatprocs{dummy}{dummy}true 3 colorimage +} +ifelse +}ndf +fhnumcolors 3 ne {yt restore} if +fhnumcolors 4 ne {/yt save def} if +/customcolorimage{ +aload pop +(_vc_Registration) eq +{ +pop pop pop pop separationimage +} +{ +/ik xdf /iy xdf /im xdf /ic xdf +currentcolortransfer +{1.0 exch sub ik mul ik sub 1 add}concatprocs 4 1 roll +{1.0 exch sub iy mul iy sub 1 add}concatprocs 4 1 roll +{1.0 exch sub im mul im sub 1 add}concatprocs 4 1 roll +{1.0 exch sub ic mul ic sub 1 add}concatprocs 4 1 roll +setcolortransfer +{/dummy xdf dummy}concatprocs{dummy}{dummy}{dummy} +true 4 colorimage +} +ifelse +}ndf +fhnumcolors 4 ne {yt restore} if +/separationimage{image}ndf +/spotascmyk false ndf +/newcmykcustomcolor{6 packedarray}ndf +/inkoverprint false ndf +/setinkoverprint{pop}ndf +/setspotcolor { +spots exch get +dup 4 get (_vc_Registration) eq +{pop 1 exch sub setseparationgray} +{0 5 getinterval exch setcustomcolor} +ifelse +}ndf 
+/currentcolortransfer{currenttransfer dup dup dup}ndf +/setcolortransfer{st pop pop pop}ndf +/fas{}ndf +/sas{}ndf +/fhsetspreadsize{pop}ndf +/filler{fill}bdf +/F{gsave {filler}fp grestore}bdf +/f{closepath F}bdf +/S{gsave {stroke}fp grestore}bdf +/s{closepath S}bdf +userdict /islevel2 +systemdict /languagelevel known dup +{ +pop systemdict /languagelevel get 2 ge +} if +put +islevel2 not +{ +/currentcmykcolor +{ +0 0 0 1 currentgray sub +} ndf +} if +/tc +{ +gsave +setcmykcolor currentcmykcolor +grestore +} bind def +/testCMYKColorThrough +{ +tc add add add 0 ne +} bind def +/fhiscomposite where not { +userdict /fhiscomposite +islevel2 +{ +gsave 1 1 1 1 setcmykcolor currentcmykcolor grestore +add add add 4 eq +} +{ +1 0 0 0 testCMYKColorThrough +0 1 0 0 testCMYKColorThrough +0 0 1 0 testCMYKColorThrough +0 0 0 1 testCMYKColorThrough +and and and +} ifelse +put +} +{ pop } +ifelse +/bc4 [0 0 0 0] def +/_lfp4 { +1 pop +/yt xdf +/xt xdf +/ang xdf +storerect +/taperfcn xdf +/k2 xdf /y2 xdf /m2 xdf /c2 xdf +/k1 xdf /y1 xdf /m1 xdf /c1 xdf +c1 c2 sub abs +m1 m2 sub abs +y1 y2 sub abs +k1 k2 sub abs +maxcolor +calcgraysteps mul abs round +height abs adjnumsteps +dup 1 lt {pop 1} if +1 sub /numsteps1 xdf +currentflat mark +currentflat clipflatness +/delta top bottom sub numsteps1 1 add div def +/right right left sub def +/botsv top delta sub def +{ +{ +W +xt yt translate +ang rotate +xt neg yt neg translate +dup setflat +/bottom botsv def +0 1 numsteps1 +{ +numsteps1 dup 0 eq {pop pop 0.5} {div} ifelse +taperfcn /frac xdf +bc4 0 c2 c1 sub frac mul c1 add put +bc4 1 m2 m1 sub frac mul m1 add put +bc4 2 y2 y1 sub frac mul y1 add put +bc4 3 k2 k1 sub frac mul k1 add put +bc4 vc +1 index setflat +{ +mark {newpath left bottom right delta rectfill}stopped +{cleartomark exch 1.3 mul dup setflat exch 2 copy gt{stop}if} +{cleartomark exit}ifelse +}loop +/bottom bottom delta sub def +}for +} +gsave stopped grestore +{exch pop 2 index exch 1.3 mul dup 100 gt{cleartomark setflat 
stop}if} +{exit}ifelse +}loop +cleartomark setflat +}bdf +/bcs [0 0] def +/_lfs4 { +/yt xdf +/xt xdf +/ang xdf +storerect +/taperfcn xdf +/tint2 xdf +/tint1 xdf +bcs exch 1 exch put +tint1 tint2 sub abs +bcs 1 get maxspot +calcgraysteps mul abs round +height abs adjnumsteps +dup 2 lt {pop 2} if +1 sub /numsteps1 xdf +currentflat mark +currentflat clipflatness +/delta top bottom sub numsteps1 1 add div def +/right right left sub def +/botsv top delta sub def +{ +{ +W +xt yt translate +ang rotate +xt neg yt neg translate +dup setflat +/bottom botsv def +0 1 numsteps1 +{ +numsteps1 div taperfcn /frac xdf +bcs 0 +1.0 tint2 tint1 sub frac mul tint1 add sub +put bcs vc +1 index setflat +{ +mark {newpath left bottom right delta rectfill}stopped +{cleartomark exch 1.3 mul dup setflat exch 2 copy gt{stop}if} +{cleartomark exit}ifelse +}loop +/bottom bottom delta sub def +}for +} +gsave stopped grestore +{exch pop 2 index exch 1.3 mul dup 100 gt{cleartomark setflat stop}if} +{exit}ifelse +}loop +cleartomark setflat +}bdf +/_rfs6 { +/tint2 xdf +/tint1 xdf +bcs exch 1 exch put +/inrad xdf +/radius xdf +/yt xdf +/xt xdf +tint1 tint2 sub abs +bcs 1 get maxspot +calcgraysteps mul abs round +radius inrad sub abs +adjnumsteps +dup 1 lt {pop 1} if +1 sub /numsteps1 xdf +radius inrad sub numsteps1 dup 0 eq {pop} {div} ifelse +2 div /halfstep xdf +currentflat mark +currentflat clipflatness +{ +{ +dup setflat +W +0 1 numsteps1 +{ +dup /radindex xdf +numsteps1 dup 0 eq {pop pop 0.5} {div} ifelse +/frac xdf +bcs 0 +tint2 tint1 sub frac mul tint1 add +put bcs vc +1 index setflat +{ +newpath mark +xt yt radius inrad sub 1 frac sub mul halfstep add inrad add 0 360 +{ arc +radindex numsteps1 ne +inrad 0 gt or +{ +xt yt +numsteps1 0 eq +{ inrad } +{ +radindex 1 add numsteps1 div 1 exch sub +radius inrad sub mul halfstep add inrad add +}ifelse +dup xt add yt moveto +360 0 arcn +} if +fill +}stopped +{cleartomark exch 1.3 mul dup setflat exch 2 copy gt{stop}if} +{cleartomark exit}ifelse +}loop 
+}for +} +gsave stopped grestore +{exch pop 2 index exch 1.3 mul dup 100 gt{cleartomark setflat stop}if} +{exit}ifelse +}loop +cleartomark setflat +}bdf +/_rfp6 { +1 pop +/k2 xdf /y2 xdf /m2 xdf /c2 xdf +/k1 xdf /y1 xdf /m1 xdf /c1 xdf +/inrad xdf +/radius xdf +/yt xdf +/xt xdf +c1 c2 sub abs +m1 m2 sub abs +y1 y2 sub abs +k1 k2 sub abs +maxcolor +calcgraysteps mul abs round +radius inrad sub abs +adjnumsteps +dup 1 lt {pop 1} if +1 sub /numsteps1 xdf +radius inrad sub numsteps1 dup 0 eq {pop} {div} ifelse +2 div /halfstep xdf +currentflat mark +currentflat clipflatness +{ +{ +dup setflat +W +0 1 numsteps1 +{ +dup /radindex xdf +numsteps1 dup 0 eq {pop pop 0.5} {div} ifelse +/frac xdf +bc4 0 c2 c1 sub frac mul c1 add put +bc4 1 m2 m1 sub frac mul m1 add put +bc4 2 y2 y1 sub frac mul y1 add put +bc4 3 k2 k1 sub frac mul k1 add put +bc4 vc +1 index setflat +{ +newpath mark +xt yt radius inrad sub 1 frac sub mul halfstep add inrad add 0 360 +{ arc +radindex numsteps1 ne +inrad 0 gt or +{ +xt yt +numsteps1 0 eq +{ inrad } +{ +radindex 1 add numsteps1 div 1 exch sub +radius inrad sub mul halfstep add inrad add +}ifelse +dup xt add yt moveto +360 0 arcn +} if +fill +}stopped +{cleartomark exch 1.3 mul dup setflat exch 2 copy gt{stop}if} +{cleartomark exit}ifelse +}loop +}for +} +gsave stopped grestore +{exch pop 2 index exch 1.3 mul dup 100 gt{cleartomark setflat stop}if} +{exit}ifelse +}loop +cleartomark setflat +}bdf +/lfp4{_lfp4}ndf +/lfs4{_lfs4}ndf +/rfs6{_rfs6}ndf +/rfp6{_rfp6}ndf +/cvc [0 0 0 1] def +/vc{ +AltsysDict /cvc 2 index put +aload length dup 4 eq +{pop dup -1 eq{pop setrgbcolor}{setcmykcolor}ifelse} +{6 eq {sethexcolor} {setspotcolor} ifelse } +ifelse +}bdf +0 setseparationgray +/imgr {1692.47 1570.59 2287.75 2412.48 } def +/bleed 0 def +/clpr {1692.47 1570.59 2287.75 2412.48 } def +/xs 1 def +/ys 1 def +/botx 0 def +/overlap 0 def +/wdist 18 def +0 2 mul fhsetspreadsize +0 0 ne {/df 0 def /clipflatness 0 def} if +/maxsteps 256 def +/forcemaxsteps false 
def +/minsteps 0 def + +userdict begin /AGDOrigMtx matrix currentmatrix def end +vms +0.15 0.15 scale %JND +-1845 -2006 translate + +/currentpacking defed{false setpacking}if +/spots[ + +1 0 0 0 (Process Cyan) false newcmykcustomcolor + +0 1 0 0 (Process Magenta) false newcmykcustomcolor + +0 0 1 0 (Process Yellow) false newcmykcustomcolor + +0 0 0 1 (Process Black) false newcmykcustomcolor +]def +n +[] 0 d +3.863708 M +1 w +0 j +0 J +false setoverprint +0 i +false eomode +[0 0 0 1]vc +vms +1848.4365 2094.0422 m +1848.4365 2140.987 1886.4917 2179.0422 1933.4365 2179.0422 C +1980.3813 2179.0422 2018.4365 2140.987 2018.4365 2094.0422 C +2018.4365 2047.0974 1980.3813 2009.0422 1933.4365 2009.0422 C +1886.4917 2009.0422 1848.4365 2047.0974 1848.4365 2094.0422 C +5.3858 w +3.863693 M +s +n +true eomode +1880.5612 2118.7403 m +1880.5612 2121.7396 1881.6862 2124.8795 1883.9362 2128.1622 C +1886.1862 2131.4889 1888.4581 2133.1522 1890.7565 2133.1544 C +1892.2089 2133.1544 1893.4042 2132.5677 1894.3424 2131.3966 C +1895.3268 2130.2233 1895.819 2128.7467 1895.819 2126.9669 C +1895.819 2124.0599 1894.6237 2121.0826 1892.233 2118.0372 C +1889.8885 2114.9896 1887.6144 2113.4669 1885.4127 2113.4669 C +1884.0526 2113.4669 1882.9034 2113.9591 1881.9674 2114.9435 C +1881.0292 2115.974 1880.5612 2117.2396 1880.5612 2118.7403 C +h +1948.2018 2061.1544 m +1978.4362 2061.0138 L +1980.451 2062.6068 1981.9034 2064.3163 1982.7955 2066.1466 C +1983.7316 2068.0209 1984.1996 2070.2005 1984.2018 2072.6857 C +1984.2018 2073.2482 L +1969.2252 2099.6153 L +1969.2252 2099.3341 1969.2472 2098.8639 1969.2955 2098.2091 C +1969.3417 2097.5983 1969.3636 2097.1544 1969.3658 2096.8732 C +1969.3658 2089.888 1967.5597 2083.3732 1963.9518 2077.3263 C +1960.3878 2071.2794 1955.1385 2065.8873 1948.2018 2061.1544 C +h +1905.8737 2139.4825 m +1910.0924 2124.2247 L +1964.233 2092.5841 L +1964.6066 2094.3177 1964.8636 2095.724 1965.0065 2096.8028 C +1965.1471 2097.9278 1965.2174 2098.9122 1965.2174 2099.756 C 
+1965.2174 2100.4108 1965.1691 2101.5599 1965.0768 2103.2013 C +1964.9823 2103.5748 1964.9362 2103.8561 1964.9362 2104.045 C +1905.8737 2139.4825 L +h +1908.4752 2120.3575 m +1898.983 2105.5216 L +1954.3893 2072.8263 L +1956.4987 2074.7005 1958.2565 2076.8561 1959.6627 2079.295 C +1961.1151 2081.7779 1962.2863 2084.6608 1963.1783 2087.9435 C +1908.4752 2120.3575 L +h +1896.2408 2102.3575 m +1880.5612 2099.0528 L +1942.9283 2062.631 L +1944.5675 2063.5209 1946.0682 2064.5272 1947.4283 2065.6544 C +1948.7863 2066.7794 1950.0057 2068.0209 1951.0846 2069.381 C +1896.2408 2102.3575 L +h +1871.2096 2120.7794 m +1876.3424 2102.3575 L +1894.2018 2105.9435 L +1906.1549 2125.2794 L +1900.8815 2142.506 L +1882.7408 2139.2013 L +1871.2096 2120.7794 L +h +1866.7096 2121.4825 m +1880.1393 2142.3653 L +1901.3033 2146.5841 L +1963.6705 2109.3888 L +1968.0299 2106.8092 1971.005 2103.9747 1972.6002 2100.881 C +1972.8815 2100.2701 1973.1144 2099.8021 1973.3033 2099.4747 C +1991.444 2068.256 L +1991.6769 2067.8341 1992.0043 2067.2474 1992.4283 2066.4982 C +1994.0675 2064.013 1994.8871 2062.0904 1994.8893 2060.7325 C +1994.8893 2059.4186 1994.3971 2058.4825 1993.4127 2057.92 C +1992.4745 2057.4037 1990.6705 2057.1466 1987.9987 2057.1466 C +1948.0612 2057.1466 L +1946.4198 2057.1466 1944.7784 2057.4037 1943.1393 2057.92 C +1941.4979 2058.4825 1939.4127 2059.513 1936.8815 2061.0138 C +1873.6705 2098.631 L +1866.7096 2121.4825 L +true setoverprint +f +false setoverprint +n +vmr +vmr +end +%%Trailer diff --git a/docs/xslt/figures/tip.eps b/docs/xslt/figures/tip.eps new file mode 100644 index 0000000000..a28ad883eb --- /dev/null +++ b/docs/xslt/figures/tip.eps 
@@ -0,0 +1,1503 @@ +%!PS-Adobe-2.0 EPSF-1.2 +%%Title: Untitled-1 +%%Creator: FreeHand 9.0 +%%CreationDate: 2002/07/16 10:41 PM +%%BoundingBox: 0 0 27 27 +%%FHPathName:Untitled:FreeHand 9:English:Untitled-1 +%ALDOriginalFile:Untitled:FreeHand 9:English:Untitled-1 +%ALDBoundingBox: -153 -436 442 406 +%%FHPageNum:1 +%%DocumentSuppliedResources: procset Altsys_header 4 0 +%%ColorUsage: Color +%%DocumentProcessColors: Black +%%EndComments +%%BeginResource: procset Altsys_header 4 0 +userdict begin /AltsysDict 300 dict def end +AltsysDict begin +/bdf{bind def}bind def +/xdf{exch def}bdf +/defed{where{pop true}{false}ifelse}bdf +/ndf{1 index where{pop pop pop}{dup xcheck{bind}if def}ifelse}bdf +/d{setdash}bdf +/h{closepath}bdf +/H{}bdf +/J{setlinecap}bdf +/j{setlinejoin}bdf +/M{setmiterlimit}bdf +/n{newpath}bdf +/N{newpath}bdf +/q{gsave}bdf +/Q{grestore}bdf +/w{setlinewidth}bdf +/Xic{matrix invertmatrix concat}bdf +/Xq{matrix currentmatrix mark}bdf +/XQ{cleartomark setmatrix}bdf +/sepdef{ +dup where not +{ +AltsysSepDict +} +if +3 1 roll exch put +}bdf +/st{settransfer}bdf +/colorimage defed /_rci xdf +/cntr 0 def +/readbinarystring{ +/cntr 0 def +2 copy readstring +{ +{ +dup +(\034) search +{ +length exch pop exch +dup length 0 ne +{ +dup dup 0 get 32 sub 0 exch put +/cntr cntr 1 add def +} +{ +pop 1 string dup +0 6 index read pop 32 sub put +}ifelse +3 copy +putinterval pop +1 add +1 index length 1 sub +1 index sub +dup 0 le {pop pop exit}if +getinterval +} +{ +pop exit +} ifelse +} loop +}if +cntr 0 gt +{ +pop 2 copy +dup length cntr sub cntr getinterval +readbinarystring +} if +pop exch pop +} bdf +/_NXLevel2 defed { +_NXLevel2 not { +/colorimage where { +userdict eq { +/_rci false def +} if +} if +} if +} if +/md defed{ +md type /dicttype eq { +/colorimage where { +md eq { +/_rci false def +}if +}if +/settransfer where { +md eq { +/st systemdict /settransfer get def +}if +}if +}if +}if +/setstrokeadjust defed +{ +true setstrokeadjust +/C{curveto}bdf +/L{lineto}bdf 
+/m{moveto}bdf +} +{ +/dr{transform .25 sub round .25 add +exch .25 sub round .25 add exch itransform}bdf +/C{dr curveto}bdf +/L{dr lineto}bdf +/m{dr moveto}bdf +/setstrokeadjust{pop}bdf +}ifelse +/privrectpath { +4 -2 roll m +dtransform round exch round exch idtransform +2 copy 0 lt exch 0 lt xor +{dup 0 exch rlineto exch 0 rlineto neg 0 exch rlineto} +{exch dup 0 rlineto exch 0 exch rlineto neg 0 rlineto} +ifelse +closepath +}bdf +/rectclip{newpath privrectpath clip newpath}def +/rectfill{gsave newpath privrectpath fill grestore}def +/rectstroke{gsave newpath privrectpath stroke grestore}def +/_fonthacksave false def +/currentpacking defed +{ +/_bfh {/_fonthacksave currentpacking def false setpacking} bdf +/_efh {_fonthacksave setpacking} bdf +} +{ +/_bfh {} bdf +/_efh {} bdf +}ifelse +/packedarray{array astore readonly}ndf +/` +{ +false setoverprint +/-save0- save def +5 index concat +pop +storerect left bottom width height rectclip +pop +/MMdict_count countdictstack def +/MMop_count count 1 sub def +userdict begin +/showpage {} def +0 setgray 0 setlinecap 1 setlinewidth +0 setlinejoin 10 setmiterlimit [] 0 setdash newpath +} bdf +/currentpacking defed{true setpacking}if +/min{2 copy gt{exch}if pop}bdf +/max{2 copy lt{exch}if pop}bdf +/xformfont { currentfont exch makefont setfont } bdf +/fhnumcolors 1 +statusdict begin +/processcolors defed +{ +pop processcolors +} +{ +/deviceinfo defed { +deviceinfo /Colors known { +pop deviceinfo /Colors get +} if +} if +} ifelse +end +def +/printerRes +gsave +matrix defaultmatrix setmatrix +72 72 dtransform +abs exch abs +max +grestore +def +/graycalcs +[ +{Angle Frequency} +{GrayAngle GrayFrequency} +{0 Width Height matrix defaultmatrix idtransform +dup mul exch dup mul add sqrt 72 exch div} +{0 GrayWidth GrayHeight matrix defaultmatrix idtransform +dup mul exch dup mul add sqrt 72 exch div} +] def +/calcgraysteps { +forcemaxsteps +{ +maxsteps +} +{ +/currenthalftone defed +{currenthalftone /dicttype eq}{false}ifelse +{ 
+currenthalftone begin +HalftoneType 4 le +{graycalcs HalftoneType 1 sub get exec} +{ +HalftoneType 5 eq +{ +Default begin +{graycalcs HalftoneType 1 sub get exec} +end +} +{0 60} +ifelse +} +ifelse +end +} +{ +currentscreen pop exch +} +ifelse +printerRes 300 max exch div exch +2 copy +sin mul round dup mul +3 1 roll +cos mul round dup mul +add 1 add +dup maxsteps gt {pop maxsteps} if +dup minsteps lt {pop minsteps} if +} +ifelse +} bdf +/nextrelease defed { +/languagelevel defed not { +/framebuffer defed { +0 40 string framebuffer 9 1 roll 8 {pop} repeat +dup 516 eq exch 520 eq or +{ +/fhnumcolors 3 def +/currentscreen {60 0 {pop pop 1}}bdf +/calcgraysteps {maxsteps} bdf +}if +}if +}if +}if +fhnumcolors 1 ne { +/calcgraysteps {maxsteps} bdf +} if +/currentpagedevice defed { +currentpagedevice /PreRenderingEnhance known +{ +currentpagedevice /PreRenderingEnhance get +{ +/calcgraysteps +{ +forcemaxsteps +{maxsteps} +{256 maxsteps min} +ifelse +} def +} if +} if +} if +/gradfrequency 144 def +printerRes 1000 lt { +/gradfrequency 72 def +} if +/adjnumsteps { +dup dtransform abs exch abs max +printerRes div +gradfrequency mul +round +5 max +min +}bdf +/goodsep { +spots exch get 4 get dup sepname eq exch (_vc_Registration) eq or +}bdf +/BeginGradation defed +{/bb{BeginGradation}bdf} +{/bb{}bdf} +ifelse +/EndGradation defed +{/eb{EndGradation}bdf} +{/eb{}bdf} +ifelse +/bottom -0 def +/delta -0 def +/frac -0 def +/height -0 def +/left -0 def +/numsteps1 -0 def +/radius -0 def +/right -0 def +/top -0 def +/width -0 def +/xt -0 def +/yt -0 def +/df currentflat def +/tempstr 1 string def +/clipflatness currentflat def +/inverted? 
+0 currenttransfer exec .5 ge def +/tc1 [0 0 0 1] def +/tc2 [0 0 0 1] def +/storerect{/top xdf /right xdf /bottom xdf /left xdf +/width right left sub def /height top bottom sub def}bdf +/concatprocs{ +systemdict /packedarray known +{dup type /packedarraytype eq 2 index type /packedarraytype eq or}{false}ifelse +{ +/proc2 exch cvlit def /proc1 exch cvlit def +proc1 aload pop proc2 aload pop +proc1 length proc2 length add packedarray cvx +} +{ +/proc2 exch cvlit def /proc1 exch cvlit def +/newproc proc1 length proc2 length add array def +newproc 0 proc1 putinterval newproc proc1 length proc2 putinterval +newproc cvx +}ifelse +}bdf +/i{dup 0 eq +{pop df dup} +{dup} ifelse +/clipflatness xdf setflat +}bdf +version cvr 38.0 le +{/setrgbcolor{ +currenttransfer exec 3 1 roll +currenttransfer exec 3 1 roll +currenttransfer exec 3 1 roll +setrgbcolor}bdf}if +/vms {/vmsv save def} bdf +/vmr {vmsv restore} bdf +/vmrs{vmsv restore /vmsv save def}bdf +/eomode{ +{/filler /eofill load def /clipper /eoclip load def} +{/filler /fill load def /clipper /clip load def} +ifelse +}bdf +/normtaper{}bdf +/logtaper{9 mul 1 add log}bdf +/CD{ +/NF exch def +{ +exch dup +/FID ne 1 index/UniqueID ne and +{exch NF 3 1 roll put} +{pop pop} +ifelse +}forall +NF +}bdf +/MN{ +1 index length +/Len exch def +dup length Len add +string dup +Len +4 -1 roll +putinterval +dup +0 +4 -1 roll +putinterval +}bdf +/RC{4 -1 roll /ourvec xdf 256 string cvs(|______)anchorsearch +{1 index MN cvn/NewN exch def cvn +findfont dup maxlength dict CD dup/FontName NewN put dup +/Encoding ourvec put NewN exch definefont pop}{pop}ifelse}bdf +/RF{ +dup +FontDirectory exch +known +{pop 3 -1 roll pop} +{RC} +ifelse +}bdf +/FF{dup 256 string cvs(|______)exch MN cvn dup FontDirectory exch known +{exch pop findfont 3 -1 roll pop} +{pop dup findfont dup maxlength dict CD dup dup +/Encoding exch /Encoding get 256 array copy 7 -1 roll +{3 -1 roll dup 4 -2 roll put}forall put definefont} +ifelse}bdf +/RCJ{4 -1 roll +/ourvec xdf 
+256 string cvs +(|______) anchorsearch +{pop +cvn +dup FDFJ +exch +1 index +eq +{ +_bfh findfont _efh +dup +maxlength dict +CD +dup +/FontName +3 index +put +dup +/Encoding ourvec put +1 index +exch +definefont +pop +} +{exch pop} +ifelse +} +{pop} +ifelse +}bdf +/RFJ{ +dup +FontDirectory exch +known +{pop 3 -1 roll pop} +{RCJ} +ifelse +}bdf +/hasfont +{ +/resourcestatus where +{ +pop +/Font resourcestatus +{ +pop pop true +} +{ +false +} +ifelse +} +{ +dup FontDirectory exch known +{pop true} +{ +256 string +cvs +(fonts/) exch MN +status +{pop pop pop pop true} +{false} +ifelse +} +ifelse +} +ifelse +}bdf +/FDFJ +{ +dup +hasfont +not +{ +pop +/Ryumin-Light-83pv-RKSJ-H +hasfont +{ +/Ryumin-Light-83pv-RKSJ-H +} +{ +/Courier +} +ifelse +} +if +}bdf +/FFJ{ +_bfh +dup +256 string cvs +(|______)exch MN +cvn +dup +FontDirectory +exch known +{ +exch +pop +findfont +3 -1 roll +pop +} +{ +pop +FDFJ +dup findfont +dup maxlength dict +CD +dup dup +/Encoding exch +/Encoding get +256 array copy +7 -1 roll +{ +3 -1 roll +dup +4 -2 roll +put +}forall +put +definefont +} +ifelse +_efh +}bdf +/GS { +dup +hasfont +{ +findfont +exch makesetfont +exch +pop +ts +} +{ +pop pop pop +ts +} ifelse +} bdf +/RCK{4 -1 roll +/ourvec xdf +256 string cvs +(|______) anchorsearch +{pop +cvn +dup FDFK +exch +1 index +eq +{ +_bfh findfont _efh +dup +maxlength dict +CD +dup +/FontName +3 index +put +dup +/Encoding ourvec put +1 index +exch +definefont +pop +} +{exch pop} +ifelse +} +{pop} +ifelse +}bdf +/RFK{ +dup +FontDirectory exch +known +{pop 3 -1 roll pop} +{RCK} +ifelse +}bdf +/hasfont +{ +/resourcestatus where +{ +pop +/Font resourcestatus +{ +pop pop true +} +{ +false +} +ifelse +} +{ +dup FontDirectory exch known +{pop true} +{ +256 string +cvs +(fonts/) exch MN +status +{pop pop pop pop true} +{false} +ifelse +} +ifelse +} +ifelse +}bdf +/FDFK +{ +dup +hasfont +not +{ +pop +/JCsm +hasfont +{ +/JCsm +} +{ +/Courier +} +ifelse +} +if +}bdf +/FFK{ +_bfh +dup +256 string cvs +(|______)exch MN 
+cvn +dup +FontDirectory +exch known +{ +exch +pop +findfont +3 -1 roll +pop +} +{ +pop +FDFK +dup findfont +dup maxlength dict +CD +dup dup +/Encoding exch +/Encoding get +256 array copy +7 -1 roll +{ +3 -1 roll +dup +4 -2 roll +put +}forall +put +definefont +} +ifelse +_efh +}bdf +/RCTC{4 -1 roll +/ourvec xdf +256 string cvs +(|______) anchorsearch +{pop +cvn +dup FDFTC +exch +1 index +eq +{ +_bfh findfont _efh +dup +maxlength dict +CD +dup +/FontName +3 index +put +dup +/Encoding ourvec put +1 index +exch +definefont +pop +} +{exch pop} +ifelse +} +{pop} +ifelse +}bdf +/RFTC{ +dup +FontDirectory exch +known +{pop 3 -1 roll pop} +{RCTC} +ifelse +}bdf +/FDFTC +{ +dup +hasfont +not +{ +pop +/DFMing-Lt-HK-BF +hasfont +{ +/DFMing-Lt-HK-BF +} +{ +/Courier +} +ifelse +} +if +}bdf +/FFTC{ +_bfh +dup +256 string cvs +(|______)exch MN +cvn +dup +FontDirectory +exch known +{ +exch +pop +findfont +3 -1 roll +pop +} +{ +pop +FDFTC +dup findfont +dup maxlength dict +CD +dup dup +/Encoding exch +/Encoding get +256 array copy +7 -1 roll +{ +3 -1 roll +dup +4 -2 roll +put +}forall +put +definefont +} +ifelse +_efh +}bdf +/fps{ +currentflat +exch +dup 0 le{pop 1}if +{ +dup setflat 3 index stopped +{1.3 mul dup 3 index gt{pop setflat pop pop stop}if} +{exit} +ifelse +}loop +pop setflat pop pop +}bdf +/fp{100 currentflat fps}bdf +/clipper{clip}bdf +/W{/clipper load 100 clipflatness dup setflat fps}bdf + +userdict begin /BDFontDict 29 dict def end +BDFontDict begin +/bu{}def +/bn{}def +/setTxMode{av 70 ge{pop}if pop}def +/gm{m}def +/show{pop}def +/gr{pop}def +/fnt{pop pop pop}def +/fs{pop}def +/fz{pop}def +/lin{pop pop}def +/:M {pop pop} def +/sf {pop} def +/S {pop} def +/@b {pop pop pop pop pop pop pop pop} def +/_bdsave /save load def +/_bdrestore /restore load def +/save { dup /fontsave eq {null} {_bdsave} ifelse } def +/restore { dup null eq { pop } { _bdrestore } ifelse } def +/fontsave null def +end +/MacVec 256 array def +MacVec 0 /Helvetica findfont +/Encoding get 0 128 
getinterval putinterval +MacVec 127 /DEL put MacVec 16#27 /quotesingle put MacVec 16#60 /grave put +/NUL/SOH/STX/ETX/EOT/ENQ/ACK/BEL/BS/HT/LF/VT/FF/CR/SO/SI +/DLE/DC1/DC2/DC3/DC4/NAK/SYN/ETB/CAN/EM/SUB/ESC/FS/GS/RS/US +MacVec 0 32 getinterval astore pop +/Adieresis/Aring/Ccedilla/Eacute/Ntilde/Odieresis/Udieresis/aacute +/agrave/acircumflex/adieresis/atilde/aring/ccedilla/eacute/egrave +/ecircumflex/edieresis/iacute/igrave/icircumflex/idieresis/ntilde/oacute +/ograve/ocircumflex/odieresis/otilde/uacute/ugrave/ucircumflex/udieresis +/dagger/degree/cent/sterling/section/bullet/paragraph/germandbls +/registered/copyright/trademark/acute/dieresis/notequal/AE/Oslash +/infinity/plusminus/lessequal/greaterequal/yen/mu/partialdiff/summation +/product/pi/integral/ordfeminine/ordmasculine/Omega/ae/oslash +/questiondown/exclamdown/logicalnot/radical/florin/approxequal/Delta/guillemotleft +/guillemotright/ellipsis/nbspace/Agrave/Atilde/Otilde/OE/oe +/endash/emdash/quotedblleft/quotedblright/quoteleft/quoteright/divide/lozenge +/ydieresis/Ydieresis/fraction/currency/guilsinglleft/guilsinglright/fi/fl +/daggerdbl/periodcentered/quotesinglbase/quotedblbase +/perthousand/Acircumflex/Ecircumflex/Aacute +/Edieresis/Egrave/Iacute/Icircumflex/Idieresis/Igrave/Oacute/Ocircumflex +/apple/Ograve/Uacute/Ucircumflex/Ugrave/dotlessi/circumflex/tilde +/macron/breve/dotaccent/ring/cedilla/hungarumlaut/ogonek/caron +MacVec 128 128 getinterval astore pop +/findheaderfont { +/Helvetica findfont +} def +end %. AltsysDict +%%EndResource +%%EndProlog + +%%BeginSetup + +AltsysDict begin +_bfh + +_efh +end %. 
AltsysDict + +%%EndSetup +AltsysDict begin + +/onlyk4{false}ndf +/ccmyk{dup 5 -1 roll sub 0 max exch}ndf +/cmyk2gray{ +4 -1 roll 0.3 mul 4 -1 roll 0.59 mul 4 -1 roll 0.11 mul +add add add 1 min neg 1 add +}bdf +/setcmykcolor{1 exch sub ccmyk ccmyk ccmyk pop setrgbcolor}ndf +/maxcolor { +max max max +} ndf +/maxspot { +pop +} ndf +/setcmykcoloroverprint{4{dup -1 eq{pop 0}if 4 1 roll}repeat setcmykcolor}ndf +/findcmykcustomcolor{5 packedarray}ndf +/setcustomcolor{exch aload pop pop 4{4 index mul 4 1 roll}repeat setcmykcolor pop}ndf +/setseparationgray{setgray}ndf +/setoverprint{pop}ndf +/currentoverprint false ndf +/cmykbufs2gray{ +0 1 2 index length 1 sub +{ +4 index 1 index get 0.3 mul +4 index 2 index get 0.59 mul +4 index 3 index get 0.11 mul +4 index 4 index get +add add add cvi 255 min +255 exch sub +2 index 3 1 roll put +}for +4 1 roll pop pop pop +}bdf +/colorimage{ +pop pop +[ +5 -1 roll/exec cvx +6 -1 roll/exec cvx +7 -1 roll/exec cvx +8 -1 roll/exec cvx +/cmykbufs2gray cvx +]cvx +image +} +%. 
version 47.1 on Linotronic of Postscript defines colorimage incorrectly (rgb model only) +version cvr 47.1 le +statusdict /product get (Lino) anchorsearch{pop pop true}{pop false}ifelse +and{userdict begin bdf end}{ndf}ifelse +fhnumcolors 1 ne {/yt save def} if +/customcolorimage{ +aload pop +(_vc_Registration) eq +{ +pop pop pop pop separationimage +} +{ +/ik xdf /iy xdf /im xdf /ic xdf +ic im iy ik cmyk2gray /xt xdf +currenttransfer +{dup 1.0 exch sub xt mul add}concatprocs +st +image +} +ifelse +}ndf +fhnumcolors 1 ne {yt restore} if +fhnumcolors 3 ne {/yt save def} if +/customcolorimage{ +aload pop +(_vc_Registration) eq +{ +pop pop pop pop separationimage +} +{ +/ik xdf /iy xdf /im xdf /ic xdf +1.0 dup ic ik add min sub +1.0 dup im ik add min sub +1.0 dup iy ik add min sub +/ic xdf /iy xdf /im xdf +currentcolortransfer +4 1 roll +{dup 1.0 exch sub ic mul add}concatprocs 4 1 roll +{dup 1.0 exch sub iy mul add}concatprocs 4 1 roll +{dup 1.0 exch sub im mul add}concatprocs 4 1 roll +setcolortransfer +{/dummy xdf dummy}concatprocs{dummy}{dummy}true 3 colorimage +} +ifelse +}ndf +fhnumcolors 3 ne {yt restore} if +fhnumcolors 4 ne {/yt save def} if +/customcolorimage{ +aload pop +(_vc_Registration) eq +{ +pop pop pop pop separationimage +} +{ +/ik xdf /iy xdf /im xdf /ic xdf +currentcolortransfer +{1.0 exch sub ik mul ik sub 1 add}concatprocs 4 1 roll +{1.0 exch sub iy mul iy sub 1 add}concatprocs 4 1 roll +{1.0 exch sub im mul im sub 1 add}concatprocs 4 1 roll +{1.0 exch sub ic mul ic sub 1 add}concatprocs 4 1 roll +setcolortransfer +{/dummy xdf dummy}concatprocs{dummy}{dummy}{dummy} +true 4 colorimage +} +ifelse +}ndf +fhnumcolors 4 ne {yt restore} if +/separationimage{image}ndf +/spotascmyk false ndf +/newcmykcustomcolor{6 packedarray}ndf +/inkoverprint false ndf +/setinkoverprint{pop}ndf +/setspotcolor { +spots exch get +dup 4 get (_vc_Registration) eq +{pop 1 exch sub setseparationgray} +{0 5 getinterval exch setcustomcolor} +ifelse +}ndf 
+/currentcolortransfer{currenttransfer dup dup dup}ndf +/setcolortransfer{st pop pop pop}ndf +/fas{}ndf +/sas{}ndf +/fhsetspreadsize{pop}ndf +/filler{fill}bdf +/F{gsave {filler}fp grestore}bdf +/f{closepath F}bdf +/S{gsave {stroke}fp grestore}bdf +/s{closepath S}bdf +userdict /islevel2 +systemdict /languagelevel known dup +{ +pop systemdict /languagelevel get 2 ge +} if +put +islevel2 not +{ +/currentcmykcolor +{ +0 0 0 1 currentgray sub +} ndf +} if +/tc +{ +gsave +setcmykcolor currentcmykcolor +grestore +} bind def +/testCMYKColorThrough +{ +tc add add add 0 ne +} bind def +/fhiscomposite where not { +userdict /fhiscomposite +islevel2 +{ +gsave 1 1 1 1 setcmykcolor currentcmykcolor grestore +add add add 4 eq +} +{ +1 0 0 0 testCMYKColorThrough +0 1 0 0 testCMYKColorThrough +0 0 1 0 testCMYKColorThrough +0 0 0 1 testCMYKColorThrough +and and and +} ifelse +put +} +{ pop } +ifelse +/bc4 [0 0 0 0] def +/_lfp4 { +1 pop +/yt xdf +/xt xdf +/ang xdf +storerect +/taperfcn xdf +/k2 xdf /y2 xdf /m2 xdf /c2 xdf +/k1 xdf /y1 xdf /m1 xdf /c1 xdf +c1 c2 sub abs +m1 m2 sub abs +y1 y2 sub abs +k1 k2 sub abs +maxcolor +calcgraysteps mul abs round +height abs adjnumsteps +dup 1 lt {pop 1} if +1 sub /numsteps1 xdf +currentflat mark +currentflat clipflatness +/delta top bottom sub numsteps1 1 add div def +/right right left sub def +/botsv top delta sub def +{ +{ +W +xt yt translate +ang rotate +xt neg yt neg translate +dup setflat +/bottom botsv def +0 1 numsteps1 +{ +numsteps1 dup 0 eq {pop pop 0.5} {div} ifelse +taperfcn /frac xdf +bc4 0 c2 c1 sub frac mul c1 add put +bc4 1 m2 m1 sub frac mul m1 add put +bc4 2 y2 y1 sub frac mul y1 add put +bc4 3 k2 k1 sub frac mul k1 add put +bc4 vc +1 index setflat +{ +mark {newpath left bottom right delta rectfill}stopped +{cleartomark exch 1.3 mul dup setflat exch 2 copy gt{stop}if} +{cleartomark exit}ifelse +}loop +/bottom bottom delta sub def +}for +} +gsave stopped grestore +{exch pop 2 index exch 1.3 mul dup 100 gt{cleartomark setflat 
stop}if} +{exit}ifelse +}loop +cleartomark setflat +}bdf +/bcs [0 0] def +/_lfs4 { +/yt xdf +/xt xdf +/ang xdf +storerect +/taperfcn xdf +/tint2 xdf +/tint1 xdf +bcs exch 1 exch put +tint1 tint2 sub abs +bcs 1 get maxspot +calcgraysteps mul abs round +height abs adjnumsteps +dup 2 lt {pop 2} if +1 sub /numsteps1 xdf +currentflat mark +currentflat clipflatness +/delta top bottom sub numsteps1 1 add div def +/right right left sub def +/botsv top delta sub def +{ +{ +W +xt yt translate +ang rotate +xt neg yt neg translate +dup setflat +/bottom botsv def +0 1 numsteps1 +{ +numsteps1 div taperfcn /frac xdf +bcs 0 +1.0 tint2 tint1 sub frac mul tint1 add sub +put bcs vc +1 index setflat +{ +mark {newpath left bottom right delta rectfill}stopped +{cleartomark exch 1.3 mul dup setflat exch 2 copy gt{stop}if} +{cleartomark exit}ifelse +}loop +/bottom bottom delta sub def +}for +} +gsave stopped grestore +{exch pop 2 index exch 1.3 mul dup 100 gt{cleartomark setflat stop}if} +{exit}ifelse +}loop +cleartomark setflat +}bdf +/_rfs6 { +/tint2 xdf +/tint1 xdf +bcs exch 1 exch put +/inrad xdf +/radius xdf +/yt xdf +/xt xdf +tint1 tint2 sub abs +bcs 1 get maxspot +calcgraysteps mul abs round +radius inrad sub abs +adjnumsteps +dup 1 lt {pop 1} if +1 sub /numsteps1 xdf +radius inrad sub numsteps1 dup 0 eq {pop} {div} ifelse +2 div /halfstep xdf +currentflat mark +currentflat clipflatness +{ +{ +dup setflat +W +0 1 numsteps1 +{ +dup /radindex xdf +numsteps1 dup 0 eq {pop pop 0.5} {div} ifelse +/frac xdf +bcs 0 +tint2 tint1 sub frac mul tint1 add +put bcs vc +1 index setflat +{ +newpath mark +xt yt radius inrad sub 1 frac sub mul halfstep add inrad add 0 360 +{ arc +radindex numsteps1 ne +inrad 0 gt or +{ +xt yt +numsteps1 0 eq +{ inrad } +{ +radindex 1 add numsteps1 div 1 exch sub +radius inrad sub mul halfstep add inrad add +}ifelse +dup xt add yt moveto +360 0 arcn +} if +fill +}stopped +{cleartomark exch 1.3 mul dup setflat exch 2 copy gt{stop}if} +{cleartomark exit}ifelse +}loop 
+}for +} +gsave stopped grestore +{exch pop 2 index exch 1.3 mul dup 100 gt{cleartomark setflat stop}if} +{exit}ifelse +}loop +cleartomark setflat +}bdf +/_rfp6 { +1 pop +/k2 xdf /y2 xdf /m2 xdf /c2 xdf +/k1 xdf /y1 xdf /m1 xdf /c1 xdf +/inrad xdf +/radius xdf +/yt xdf +/xt xdf +c1 c2 sub abs +m1 m2 sub abs +y1 y2 sub abs +k1 k2 sub abs +maxcolor +calcgraysteps mul abs round +radius inrad sub abs +adjnumsteps +dup 1 lt {pop 1} if +1 sub /numsteps1 xdf +radius inrad sub numsteps1 dup 0 eq {pop} {div} ifelse +2 div /halfstep xdf +currentflat mark +currentflat clipflatness +{ +{ +dup setflat +W +0 1 numsteps1 +{ +dup /radindex xdf +numsteps1 dup 0 eq {pop pop 0.5} {div} ifelse +/frac xdf +bc4 0 c2 c1 sub frac mul c1 add put +bc4 1 m2 m1 sub frac mul m1 add put +bc4 2 y2 y1 sub frac mul y1 add put +bc4 3 k2 k1 sub frac mul k1 add put +bc4 vc +1 index setflat +{ +newpath mark +xt yt radius inrad sub 1 frac sub mul halfstep add inrad add 0 360 +{ arc +radindex numsteps1 ne +inrad 0 gt or +{ +xt yt +numsteps1 0 eq +{ inrad } +{ +radindex 1 add numsteps1 div 1 exch sub +radius inrad sub mul halfstep add inrad add +}ifelse +dup xt add yt moveto +360 0 arcn +} if +fill +}stopped +{cleartomark exch 1.3 mul dup setflat exch 2 copy gt{stop}if} +{cleartomark exit}ifelse +}loop +}for +} +gsave stopped grestore +{exch pop 2 index exch 1.3 mul dup 100 gt{cleartomark setflat stop}if} +{exit}ifelse +}loop +cleartomark setflat +}bdf +/lfp4{_lfp4}ndf +/lfs4{_lfs4}ndf +/rfs6{_rfs6}ndf +/rfp6{_rfp6}ndf +/cvc [0 0 0 1] def +/vc{ +AltsysDict /cvc 2 index put +aload length dup 4 eq +{pop dup -1 eq{pop setrgbcolor}{setcmykcolor}ifelse} +{6 eq {sethexcolor} {setspotcolor} ifelse } +ifelse +}bdf +0 setseparationgray +/imgr {1692.47 1570.59 2287.75 2412.48 } def +/bleed 0 def +/clpr {1692.47 1570.59 2287.75 2412.48 } def +/xs 1 def +/ys 1 def +/botx 0 def +/overlap 0 def +/wdist 18 def +0 2 mul fhsetspreadsize +0 0 ne {/df 0 def /clipflatness 0 def} if +/maxsteps 256 def +/forcemaxsteps false 
def +/minsteps 0 def + +userdict begin /AGDOrigMtx matrix currentmatrix def end +vms +0.15 0.15 scale %JND +-1845 -2006 translate + +/currentpacking defed{false setpacking}if +/spots[ + +1 0 0 0 (Process Cyan) false newcmykcustomcolor + +0 1 0 0 (Process Magenta) false newcmykcustomcolor + +0 0 1 0 (Process Yellow) false newcmykcustomcolor + +0 0 0 1 (Process Black) false newcmykcustomcolor +]def +n +[] 0 d +3.863708 M +1 w +0 j +0 J +false setoverprint +0 i +false eomode +[0 0 0 1]vc +vms +1848.4365 2094.0422 m +1848.4365 2140.987 1886.4917 2179.0422 1933.4365 2179.0422 C +1980.3813 2179.0422 2018.4365 2140.987 2018.4365 2094.0422 C +2018.4365 2047.0974 1980.3813 2009.0422 1933.4365 2009.0422 C +1886.4917 2009.0422 1848.4365 2047.0974 1848.4365 2094.0422 C +5.3858 w +3.863693 M +s +n +true eomode +1897.6516 2067.1709 m +1897.6087 2066.5538 L +1885.3743 2066.1319 L +1883.1946 2062.4053 L +1869.9055 2063.9522 L +1869.9055 2067.1712 L +1897.6516 2067.1709 L +h +1944.0852 2067.1709 m +1944.0852 2067.0077 1944.0852 2066.8741 1944.0852 2066.7647 C +1944.1314 2066.5757 1944.1775 2066.4131 1944.2258 2066.2725 C +1945.0213 2065.0992 1946.0056 2064.2554 1947.179 2063.7413 C +1948.3963 2063.2249 1950.0134 2062.9678 1952.0305 2062.9678 C +1956.0142 2062.9678 1959.7627 2063.9522 1963.2805 2065.9209 C +1964.0204 2066.3353 1964.6824 2066.7527 1965.2665 2067.1732 C +1971.313 2067.1709 L +1970.2122 2065.693 1968.5893 2064.3153 1966.4446 2063.0381 C +1962.0369 2060.4585 1956.8821 2059.1709 1950.9758 2059.1709 C +1948.6775 2059.1709 1946.7791 2059.5445 1945.2805 2060.2959 C +1943.7798 2061.0914 1942.5142 2062.357 1941.4837 2064.0928 C +1941.2486 2064.0928 1940.8728 2064.0928 1940.3587 2064.0928 C +1937.5462 2063.9039 1935.4829 2063.8116 1934.1712 2063.8116 C +1929.2954 2063.8116 1925.1228 2064.2796 1921.6555 2065.2178 C +1919.9787 2065.6936 1918.2362 2066.3443 1916.4282 2067.1704 C +1944.0852 2067.1709 L +true setoverprint +f +false setoverprint +n +1884.4125 2075.1709 m +1884.4602 
2073.585 L +1893.1087 2073.0225 L +1893.1087 2075.1712 L +1910.8456 2075.1709 L +1910.98 2075.0913 1911.1146 2075.0069 1911.2493 2074.9209 C +1911.9986 2074.3584 1912.583 2073.9585 1913.0071 2073.7256 C +1916.804 2071.4756 1920.2954 2069.9288 1923.4837 2069.085 C +1926.718 2068.2413 1931.0071 2067.8194 1936.3508 2067.8194 C +1940.3587 2067.8194 L +1940.7805 2070.7022 L +1938.9524 2070.8428 1937.522 2071.4053 1936.4915 2072.3897 C +1935.7726 2073.1422 1935.3163 2074.0693 1935.1223 2075.1726 C +1940.1696 2075.1709 L +1940.3293 2074.9768 1940.5095 2074.8018 1940.7102 2074.6397 C +1941.7407 2073.8421 1943.147 2073.4444 1944.929 2073.4444 C +1948.4128 2073.4444 1951.8259 2074.0193 1955.1674 2075.169 C +1963.5704 2075.1709 L +1962.8877 2074.843 1962.0411 2074.4337 1961.0305 2073.9366 C +1958.1697 2072.5303 1955.2166 2071.4976 1952.1712 2070.8428 C +1951.3274 2070.7022 1950.2244 2070.5132 1948.8665 2070.2803 C +1945.6782 2069.7178 1944.0852 2068.8038 1944.0852 2067.5381 C +1944.0852 2067.4017 1944.0852 2067.2776 1944.0852 2067.1658 C +1916.4282 2067.1709 L +1914.4953 2068.0535 1912.4877 2069.1369 1910.4055 2070.4209 C +1910.0759 2070.6539 1909.6321 2070.9593 1909.0696 2071.335 C +1905.9275 2073.5367 1902.9041 2074.6375 1899.9993 2074.6397 C +1899.9509 2074.6397 1899.6939 2074.6155 1899.2258 2074.5694 C +1898.7556 2074.521 1898.4041 2074.5452 1898.1712 2074.6397 C +1897.6516 2067.1709 L +1869.9055 2067.1709 L +1869.9055 2075.1714 L +1884.4125 2075.1709 L +h +1972.5022 2075.1709 m +1972.8687 2074.2606 1973.0523 2073.2652 1973.054 2072.1788 C +1973.054 2070.3983 1972.4736 2068.7289 1971.313 2067.1709 C +1965.2666 2067.1709 L +1967.4581 2068.751 1968.554 2070.3727 1968.554 2072.0381 C +1968.554 2073.0686 1968.2486 2073.9827 1967.6399 2074.7803 C +1967.5373 2074.922 1967.4334 2075.0518 1967.3283 2075.1698 C +1972.5022 2075.1709 L +true setoverprint +f +false setoverprint +n +1869.9055 2075.1709 m +1869.9055 2119.0772 L +1897.1868 2119.8506 L +1897.8899 2114.2256 L +1899.2962 
2114.2256 L +1901.0759 2114.2256 1902.7876 2114.5069 1904.429 2115.0694 C +1906.1165 2115.678 1908.2478 2116.825 1910.8274 2118.5147 C +1911.9524 2119.2178 L +1919.5923 2124.1397 1925.4041 2126.6006 1929.3899 2126.6006 C +1930.8423 2126.6006 1932.3408 2126.3655 1933.8899 2125.8975 C +1935.4368 2125.4756 1937.1463 2124.7945 1939.0227 2123.8584 C +1940.1939 2123.9046 1941.8814 2123.9507 1944.0852 2123.9991 C +1950.0376 2124.0914 1954.0674 2124.1375 1956.179 2124.1397 C +1972.7244 2124.1397 1984.583 2123.1311 1991.7571 2121.1163 C +1998.9751 2119.1475 2002.583 2115.9351 2002.5852 2111.4834 C +2002.5852 2107.8272 2000.2869 2105.2959 1995.6946 2103.8897 C +1991.1463 2102.5296 1981.865 2101.8506 1967.8508 2101.8506 C +1963.5618 2101.8506 L +1964.6384 2100.8179 1965.4361 2099.8116 1965.9524 2098.8272 C +1966.4666 2097.8428 1966.7236 2096.8343 1966.7258 2095.8038 C +1966.7258 2095.3335 1966.6314 2094.7952 1966.4446 2094.1866 C +1966.2556 2093.6241 1965.9041 2092.8506 1965.3899 2091.8663 C +1967.1697 2091.1631 1968.5056 2090.1788 1969.3977 2088.9131 C +1970.2876 2087.6936 1970.7315 2086.1929 1970.7337 2084.4131 C +1970.7337 2083.521 1970.615 2082.6311 1970.3821 2081.7413 C +1970.147 2080.8492 1969.7954 2079.9593 1969.3274 2079.0694 C +1970.5447 2078.2256 1971.4588 2077.2171 1972.0696 2076.0459 C +1972.2346 2075.7625 1972.3788 2075.4685 1972.5022 2075.1642 C +1967.3284 2075.1709 L +1966.8077 2075.7539 1966.2562 2076.0459 1965.6712 2076.0459 C +1965.5191 2076.0459 1964.8189 2075.7521 1963.5704 2075.1643 C +1955.1674 2075.1709 L +1956.5004 2075.6277 1957.8219 2076.1778 1959.1321 2076.8194 C +1963.7727 2079.1155 1966.093 2081.5523 1966.093 2084.1319 C +1966.093 2085.303 1965.7173 2086.2632 1964.968 2087.0147 C +1964.2649 2087.764 1963.3508 2088.1375 1962.2258 2088.1397 C +1961.7556 2088.1397 1959.0838 2086.9905 1954.2102 2084.6944 C +1949.3806 2082.396 1944.4368 2080.6624 1939.3743 2079.4913 C +1939.2798 2079.3023 1939.2337 2079.0914 1939.2337 2078.8584 C +1939.2337 2078.6695 
1939.2337 2078.3663 1939.2337 2077.9444 C +1939.2337 2076.8248 1939.5456 2075.8974 1940.1695 2075.1644 C +1935.1224 2075.1709 L +1935.0507 2075.5803 1935.0149 2076.012 1935.0149 2076.4678 C +1935.0149 2076.8414 1935.0369 2077.2391 1935.0852 2077.6631 C +1935.1775 2078.085 1935.294 2078.5992 1935.4368 2079.21 C +1934.7337 2079.21 L +1931.9673 2079.21 1929.7876 2080.0296 1928.1946 2081.6709 C +1926.5994 2083.3101 1925.804 2085.514 1925.804 2088.2803 C +1925.804 2088.9834 L +1924.3032 2088.6077 1922.9673 2088.3265 1921.7962 2088.1397 C +1920.6712 2087.9507 1919.6626 2087.8584 1918.7727 2087.8584 C +1916.8501 2087.8584 1914.9517 2088.232 1913.0774 2088.9834 C +1911.2493 2089.7789 1909.2102 2091.0906 1906.9602 2092.9209 C +1906.8196 2094.6084 L +1909.1619 2093.7647 1911.2713 2093.1077 1913.1477 2092.6397 C +1915.022 2092.2178 1916.7556 2092.0069 1918.3508 2092.0069 C +1920.6931 2092.0069 1922.9431 2092.521 1925.1008 2093.5538 C +1927.3025 2094.5843 1929.5986 2096.2476 1931.9915 2098.5459 C +1925.804 2107.7569 L +1927.0696 2109.4444 L +1928.4275 2108.3655 1930.2556 2106.7945 1932.554 2104.7334 C +1938.2251 2099.6226 1942.9361 2097.0694 1946.6868 2097.0694 C +1948.5149 2097.0694 1950.1782 2097.5132 1951.679 2098.4053 C +1953.2258 2099.2952 1953.9993 2100.1851 1953.9993 2101.0772 C +1953.9993 2101.6397 1952.9446 2103.1866 1950.8352 2105.7178 C +1948.772 2108.2491 1946.1946 2111.0374 1943.1008 2114.085 C +1939.4446 2117.6006 1936.7244 2119.8023 1934.9446 2120.6944 C +1933.2088 2121.6304 1931.3103 2122.0984 1929.2493 2122.1006 C +1925.3579 2122.1006 1920.3657 2120.0374 1914.2727 2115.9131 C +1913.5696 2115.4913 1913.0532 2115.1617 1912.7258 2114.9288 C +1909.6321 2112.8194 1907.1228 2111.4131 1905.2024 2110.71 C +1903.2798 2110.053 1901.2166 2109.7256 1899.0149 2109.7256 C +1898.0305 2109.7256 L +1898.0305 2078.6475 L +1899.8587 2078.6475 L +1903.4329 2078.6475 1907.0952 2077.4884 1910.8456 2075.1742 C +1893.1087 2075.1709 L +1893.1087 2115.7725 L +1883.1946 2115.6319 L 
+1884.4125 2075.171 L +1869.9055 2075.1709 L +h +1957.9368 2101.0772 m +1957.3259 2098.5459 1956.0603 2096.6695 1954.1399 2095.4522 C +1952.2634 2094.2327 1949.6399 2093.6241 1946.2649 2093.6241 C +1945.1861 2093.6241 1943.615 2093.9273 1941.554 2094.5381 C +1939.5369 2095.1929 1938.0383 2095.5203 1937.054 2095.5225 C +1935.3665 2095.5225 1933.679 2094.8194 1931.9915 2093.4131 C +1930.3501 2092.0069 1929.5305 2090.5765 1929.5305 2089.1241 C +1929.5305 2087.107 1930.0447 2085.5601 1931.0774 2084.4834 C +1932.1079 2083.4507 1933.6065 2082.9366 1935.5774 2082.9366 C +1937.5462 2082.9366 1940.1477 2083.4046 1943.3821 2084.3428 C +1946.6626 2085.3272 1949.9673 2086.5928 1953.2962 2088.1397 C +1956.3416 2089.5459 1958.5674 2090.8819 1959.9758 2092.1475 C +1961.3821 2093.4131 1962.0852 2094.6788 1962.0852 2095.9444 C +1962.0852 2096.8343 1961.7556 2097.678 1961.1008 2098.4756 C +1960.4439 2099.3194 1959.3892 2100.1851 1957.9368 2101.0772 C +h +1943.3821 2119.71 m +1946.054 2117.1788 1948.3501 2114.8584 1950.2727 2112.7491 C +1952.2415 2110.6397 1954.0213 2108.5303 1955.6165 2106.4209 C +1958.5696 2106.1397 1961.2876 2105.9288 1963.7727 2105.7881 C +1966.304 2105.6475 1968.6243 2105.5772 1970.7337 2105.5772 C +1980.7642 2105.5772 1987.7471 2106.021 1991.6868 2106.9131 C +1995.6704 2107.803 1997.6611 2109.3719 1997.6633 2111.6241 C +1997.6633 2114.4366 1994.2883 2116.5459 1987.5383 2117.9522 C +1980.8345 2119.4046 1970.8259 2120.1297 1957.5149 2120.1319 C +1955.4055 2120.1319 1953.1555 2120.0835 1950.7649 2119.9913 C +1948.4204 2119.9429 1945.9595 2119.8506 1943.3821 2119.71 C +true setoverprint +f +false setoverprint +n +vmr +vmr +end +%%Trailer diff --git a/docs/xslt/figures/warning.eps b/docs/xslt/figures/warning.eps new file mode 100644 index 0000000000..0c10b371b1 --- /dev/null +++ b/docs/xslt/figures/warning.eps 
@@ -0,0 +1 @@ +%!PS-Adobe-2.0 EPSF-1.2 %%Title: Untitled-3 %%Creator: FreeHand 9.0 %%CreationDate: 2002/12/05 8:20 PM %%BoundingBox: 0 0 29 29 %%FHPathName:Untitled:FreeHand 9:English:Untitled-3 %ALDOriginalFile:Untitled:FreeHand 9:English:Untitled-3 %ALDBoundingBox: -2 -2 29 29 %%FHPageNum:1 %%DocumentSuppliedResources: procset Altsys_header 4 0 %%ColorUsage: Color %%DocumentProcessColors: Black %%EndComments %%BeginResource: procset Altsys_header 4 0 userdict begin /AltsysDict 300 dict def end AltsysDict begin /bdf{bind def}bind def /xdf{exch def}bdf /defed{where{pop true}{false}ifelse}bdf /ndf{1 index where{pop pop pop}{dup xcheck{bind}if def}ifelse}bdf /d{setdash}bdf /h{closepath}bdf /H{}bdf /J{setlinecap}bdf /j{setlinejoin}bdf /M{setmiterlimit}bdf /n{newpath}bdf /N{newpath}bdf /q{gsave}bdf /Q{grestore}bdf /w{setlinewidth}bdf /Xic{matrix invertmatrix concat}bdf /Xq{matrix currentmatrix mark}bdf /XQ{cleartomark setmatrix}bdf /sepdef{ dup where not { AltsysSepDict } if 3 1 roll exch put }bdf /st{settransfer}bdf /colorimage defed /_rci xdf /cntr 0 def /readbinarystring{ /cntr 0 def 2 copy readstring { { dup (\034) search { length exch pop exch dup length 0 ne { dup dup 0 get 32 sub 0 exch put /cntr cntr 1 add def } { pop 1 string dup 0 6 index read pop 32 sub put }ifelse 3 copy putinterval pop 1 add 1 index length 1 sub 1 index sub dup 0 le {pop pop exit}if getinterval } { pop exit } ifelse } loop }if cntr 0 gt { pop 2 copy dup length cntr sub cntr getinterval readbinarystring } if pop exch pop } bdf /_NXLevel2 defed { _NXLevel2 not { /colorimage where { userdict eq { /_rci false def } if } if } if } if /md defed{ md type /dicttype eq { /colorimage where { md eq { /_rci false def }if }if /settransfer where { md eq { /st systemdict /settransfer get def }if }if }if }if /setstrokeadjust defed { true setstrokeadjust /C{curveto}bdf /L{lineto}bdf /m{moveto}bdf } { /dr{transform .25 sub round .25 add exch .25 sub round .25 add exch itransform}bdf /C{dr curveto}bdf /L{dr 
lineto}bdf /m{dr moveto}bdf /setstrokeadjust{pop}bdf }ifelse /privrectpath { 4 -2 roll m dtransform round exch round exch idtransform 2 copy 0 lt exch 0 lt xor {dup 0 exch rlineto exch 0 rlineto neg 0 exch rlineto} {exch dup 0 rlineto exch 0 exch rlineto neg 0 rlineto} ifelse closepath }bdf /rectclip{newpath privrectpath clip newpath}def /rectfill{gsave newpath privrectpath fill grestore}def /rectstroke{gsave newpath privrectpath stroke grestore}def /_fonthacksave false def /currentpacking defed { /_bfh {/_fonthacksave currentpacking def false setpacking} bdf /_efh {_fonthacksave setpacking} bdf } { /_bfh {} bdf /_efh {} bdf }ifelse /packedarray{array astore readonly}ndf /` { false setoverprint /-save0- save def 5 index concat pop storerect left bottom width height rectclip pop /MMdict_count countdictstack def /MMop_count count 1 sub def userdict begin /showpage {} def 0 setgray 0 setlinecap 1 setlinewidth 0 setlinejoin 10 setmiterlimit [] 0 setdash newpath } bdf /currentpacking defed{true setpacking}if /min{2 copy gt{exch}if pop}bdf /max{2 copy lt{exch}if pop}bdf /xformfont { currentfont exch makefont setfont } bdf /fhnumcolors 1 statusdict begin /processcolors defed { pop processcolors } { /deviceinfo defed { deviceinfo /Colors known { pop deviceinfo /Colors get } if } if } ifelse end def /printerRes gsave matrix defaultmatrix setmatrix 72 72 dtransform abs exch abs max grestore def /graycalcs [ {Angle Frequency} {GrayAngle GrayFrequency} {0 Width Height matrix defaultmatrix idtransform dup mul exch dup mul add sqrt 72 exch div} {0 GrayWidth GrayHeight matrix defaultmatrix idtransform dup mul exch dup mul add sqrt 72 exch div} ] def /calcgraysteps { forcemaxsteps { maxsteps } { /currenthalftone defed {currenthalftone /dicttype eq}{false}ifelse { currenthalftone begin HalftoneType 4 le {graycalcs HalftoneType 1 sub get exec} { HalftoneType 5 eq { Default begin {graycalcs HalftoneType 1 sub get exec} end } {0 60} ifelse } ifelse end } { currentscreen pop exch } 
ifelse printerRes 300 max exch div exch 2 copy sin mul round dup mul 3 1 roll cos mul round dup mul add 1 add dup maxsteps gt {pop maxsteps} if dup minsteps lt {pop minsteps} if } ifelse } bdf /nextrelease defed { /languagelevel defed not { /framebuffer defed { 0 40 string framebuffer 9 1 roll 8 {pop} repeat dup 516 eq exch 520 eq or { /fhnumcolors 3 def /currentscreen {60 0 {pop pop 1}}bdf /calcgraysteps {maxsteps} bdf }if }if }if }if fhnumcolors 1 ne { /calcgraysteps {maxsteps} bdf } if /currentpagedevice defed { currentpagedevice /PreRenderingEnhance known { currentpagedevice /PreRenderingEnhance get { /calcgraysteps { forcemaxsteps {maxsteps} {256 maxsteps min} ifelse } def } if } if } if /gradfrequency 144 def printerRes 1000 lt { /gradfrequency 72 def } if /adjnumsteps { dup dtransform abs exch abs max printerRes div gradfrequency mul round 5 max min }bdf /goodsep { spots exch get 4 get dup sepname eq exch (_vc_Registration) eq or }bdf /BeginGradation defed {/bb{BeginGradation}bdf} {/bb{}bdf} ifelse /EndGradation defed {/eb{EndGradation}bdf} {/eb{}bdf} ifelse /bottom -0 def /delta -0 def /frac -0 def /height -0 def /left -0 def /numsteps1 -0 def /radius -0 def /right -0 def /top -0 def /width -0 def /xt -0 def /yt -0 def /df currentflat def /tempstr 1 string def /clipflatness currentflat def /inverted? 
0 currenttransfer exec .5 ge def /tc1 [0 0 0 1] def /tc2 [0 0 0 1] def /storerect{/top xdf /right xdf /bottom xdf /left xdf /width right left sub def /height top bottom sub def}bdf /concatprocs{ systemdict /packedarray known {dup type /packedarraytype eq 2 index type /packedarraytype eq or}{false}ifelse { /proc2 exch cvlit def /proc1 exch cvlit def proc1 aload pop proc2 aload pop proc1 length proc2 length add packedarray cvx } { /proc2 exch cvlit def /proc1 exch cvlit def /newproc proc1 length proc2 length add array def newproc 0 proc1 putinterval newproc proc1 length proc2 putinterval newproc cvx }ifelse }bdf /i{dup 0 eq {pop df dup} {dup} ifelse /clipflatness xdf setflat }bdf version cvr 38.0 le {/setrgbcolor{ currenttransfer exec 3 1 roll currenttransfer exec 3 1 roll currenttransfer exec 3 1 roll setrgbcolor}bdf}if /vms {/vmsv save def} bdf /vmr {vmsv restore} bdf /vmrs{vmsv restore /vmsv save def}bdf /eomode{ {/filler /eofill load def /clipper /eoclip load def} {/filler /fill load def /clipper /clip load def} ifelse }bdf /normtaper{}bdf /logtaper{9 mul 1 add log}bdf /CD{ /NF exch def { exch dup /FID ne 1 index/UniqueID ne and {exch NF 3 1 roll put} {pop pop} ifelse }forall NF }bdf /MN{ 1 index length /Len exch def dup length Len add string dup Len 4 -1 roll putinterval dup 0 4 -1 roll putinterval }bdf /RC{4 -1 roll /ourvec xdf 256 string cvs(|______)anchorsearch {1 index MN cvn/NewN exch def cvn findfont dup maxlength dict CD dup/FontName NewN put dup /Encoding ourvec put NewN exch definefont pop}{pop}ifelse}bdf /RF{ dup FontDirectory exch known {pop 3 -1 roll pop} {RC} ifelse }bdf /FF{dup 256 string cvs(|______)exch MN cvn dup FontDirectory exch known {exch pop findfont 3 -1 roll pop} {pop dup findfont dup maxlength dict CD dup dup /Encoding exch /Encoding get 256 array copy 7 -1 roll {3 -1 roll dup 4 -2 roll put}forall put definefont} ifelse}bdf /RCJ{4 -1 roll /ourvec xdf 256 string cvs (|______) anchorsearch {pop cvn dup FDFJ exch 1 index eq { _bfh findfont 
_efh dup maxlength dict CD dup /FontName 3 index put dup /Encoding ourvec put 1 index exch definefont pop } {exch pop} ifelse } {pop} ifelse }bdf /RFJ{ dup FontDirectory exch known {pop 3 -1 roll pop} {RCJ} ifelse }bdf /hasfont { /resourcestatus where { pop /Font resourcestatus { pop pop true } { false } ifelse } { dup FontDirectory exch known {pop true} { 256 string cvs (fonts/) exch MN status {pop pop pop pop true} {false} ifelse } ifelse } ifelse }bdf /FDFJ { dup hasfont not { pop /Ryumin-Light-83pv-RKSJ-H hasfont { /Ryumin-Light-83pv-RKSJ-H } { /Courier } ifelse } if }bdf /FFJ{ _bfh dup 256 string cvs (|______)exch MN cvn dup FontDirectory exch known { exch pop findfont 3 -1 roll pop } { pop FDFJ dup findfont dup maxlength dict CD dup dup /Encoding exch /Encoding get 256 array copy 7 -1 roll { 3 -1 roll dup 4 -2 roll put }forall put definefont } ifelse _efh }bdf /GS { dup hasfont { findfont exch makesetfont exch pop ts } { pop pop pop ts } ifelse } bdf /RCK{4 -1 roll /ourvec xdf 256 string cvs (|______) anchorsearch {pop cvn dup FDFK exch 1 index eq { _bfh findfont _efh dup maxlength dict CD dup /FontName 3 index put dup /Encoding ourvec put 1 index exch definefont pop } {exch pop} ifelse } {pop} ifelse }bdf /RFK{ dup FontDirectory exch known {pop 3 -1 roll pop} {RCK} ifelse }bdf /hasfont { /resourcestatus where { pop /Font resourcestatus { pop pop true } { false } ifelse } { dup FontDirectory exch known {pop true} { 256 string cvs (fonts/) exch MN status {pop pop pop pop true} {false} ifelse } ifelse } ifelse }bdf /FDFK { dup hasfont not { pop /JCsm hasfont { /JCsm } { /Courier } ifelse } if }bdf /FFK{ _bfh dup 256 string cvs (|______)exch MN cvn dup FontDirectory exch known { exch pop findfont 3 -1 roll pop } { pop FDFK dup findfont dup maxlength dict CD dup dup /Encoding exch /Encoding get 256 array copy 7 -1 roll { 3 -1 roll dup 4 -2 roll put }forall put definefont } ifelse _efh }bdf /RCTC{4 -1 roll /ourvec xdf 256 string cvs (|______) anchorsearch {pop cvn 
dup FDFTC exch 1 index eq { _bfh findfont _efh dup maxlength dict CD dup /FontName 3 index put dup /Encoding ourvec put 1 index exch definefont pop } {exch pop} ifelse } {pop} ifelse }bdf /RFTC{ dup FontDirectory exch known {pop 3 -1 roll pop} {RCTC} ifelse }bdf /FDFTC { dup hasfont not { pop /DFMing-Lt-HK-BF hasfont { /DFMing-Lt-HK-BF } { /Courier } ifelse } if }bdf /FFTC{ _bfh dup 256 string cvs (|______)exch MN cvn dup FontDirectory exch known { exch pop findfont 3 -1 roll pop } { pop FDFTC dup findfont dup maxlength dict CD dup dup /Encoding exch /Encoding get 256 array copy 7 -1 roll { 3 -1 roll dup 4 -2 roll put }forall put definefont } ifelse _efh }bdf /fps{ currentflat exch dup 0 le{pop 1}if { dup setflat 3 index stopped {1.3 mul dup 3 index gt{pop setflat pop pop stop}if} {exit} ifelse }loop pop setflat pop pop }bdf /fp{100 currentflat fps}bdf /clipper{clip}bdf /W{/clipper load 100 clipflatness dup setflat fps}bdf userdict begin /BDFontDict 29 dict def end BDFontDict begin /bu{}def /bn{}def /setTxMode{av 70 ge{pop}if pop}def /gm{m}def /show{pop}def /gr{pop}def /fnt{pop pop pop}def /fs{pop}def /fz{pop}def /lin{pop pop}def /:M {pop pop} def /sf {pop} def /S {pop} def /@b {pop pop pop pop pop pop pop pop} def /_bdsave /save load def /_bdrestore /restore load def /save { dup /fontsave eq {null} {_bdsave} ifelse } def /restore { dup null eq { pop } { _bdrestore } ifelse } def /fontsave null def end /MacVec 256 array def MacVec 0 /Helvetica findfont /Encoding get 0 128 getinterval putinterval MacVec 127 /DEL put MacVec 16#27 /quotesingle put MacVec 16#60 /grave put /NUL/SOH/STX/ETX/EOT/ENQ/ACK/BEL/BS/HT/LF/VT/FF/CR/SO/SI /DLE/DC1/DC2/DC3/DC4/NAK/SYN/ETB/CAN/EM/SUB/ESC/FS/GS/RS/US MacVec 0 32 getinterval astore pop /Adieresis/Aring/Ccedilla/Eacute/Ntilde/Odieresis/Udieresis/aacute /agrave/acircumflex/adieresis/atilde/aring/ccedilla/eacute/egrave /ecircumflex/edieresis/iacute/igrave/icircumflex/idieresis/ntilde/oacute 
/ograve/ocircumflex/odieresis/otilde/uacute/ugrave/ucircumflex/udieresis /dagger/degree/cent/sterling/section/bullet/paragraph/germandbls /registered/copyright/trademark/acute/dieresis/notequal/AE/Oslash /infinity/plusminus/lessequal/greaterequal/yen/mu/partialdiff/summation /product/pi/integral/ordfeminine/ordmasculine/Omega/ae/oslash /questiondown/exclamdown/logicalnot/radical/florin/approxequal/Delta/guillemotleft /guillemotright/ellipsis/nbspace/Agrave/Atilde/Otilde/OE/oe /endash/emdash/quotedblleft/quotedblright/quoteleft/quoteright/divide/lozenge /ydieresis/Ydieresis/fraction/currency/guilsinglleft/guilsinglright/fi/fl /daggerdbl/periodcentered/quotesinglbase/quotedblbase /perthousand/Acircumflex/Ecircumflex/Aacute /Edieresis/Egrave/Iacute/Icircumflex/Idieresis/Igrave/Oacute/Ocircumflex /apple/Ograve/Uacute/Ucircumflex/Ugrave/dotlessi/circumflex/tilde /macron/breve/dotaccent/ring/cedilla/hungarumlaut/ogonek/caron MacVec 128 128 getinterval astore pop /findheaderfont { /Helvetica findfont } def end %. AltsysDict %%EndResource %%EndProlog %%BeginSetup AltsysDict begin _bfh _efh end %. 
AltsysDict %%EndSetup AltsysDict begin /onlyk4{false}ndf /ccmyk{dup 5 -1 roll sub 0 max exch}ndf /cmyk2gray{ 4 -1 roll 0.3 mul 4 -1 roll 0.59 mul 4 -1 roll 0.11 mul add add add 1 min neg 1 add }bdf /setcmykcolor{1 exch sub ccmyk ccmyk ccmyk pop setrgbcolor}ndf /maxcolor { max max max } ndf /maxspot { pop } ndf /setcmykcoloroverprint{4{dup -1 eq{pop 0}if 4 1 roll}repeat setcmykcolor}ndf /findcmykcustomcolor{5 packedarray}ndf /setcustomcolor{exch aload pop pop 4{4 index mul 4 1 roll}repeat setcmykcolor pop}ndf /setseparationgray{setgray}ndf /setoverprint{pop}ndf /currentoverprint false ndf /cmykbufs2gray{ 0 1 2 index length 1 sub { 4 index 1 index get 0.3 mul 4 index 2 index get 0.59 mul 4 index 3 index get 0.11 mul 4 index 4 index get add add add cvi 255 min 255 exch sub 2 index 3 1 roll put }for 4 1 roll pop pop pop }bdf /colorimage{ pop pop [ 5 -1 roll/exec cvx 6 -1 roll/exec cvx 7 -1 roll/exec cvx 8 -1 roll/exec cvx /cmykbufs2gray cvx ]cvx image } %. version 47.1 on Linotronic of Postscript defines colorimage incorrectly (rgb model only) version cvr 47.1 le statusdict /product get (Lino) anchorsearch{pop pop true}{pop false}ifelse and{userdict begin bdf end}{ndf}ifelse fhnumcolors 1 ne {/yt save def} if /customcolorimage{ aload pop (_vc_Registration) eq { pop pop pop pop separationimage } { /ik xdf /iy xdf /im xdf /ic xdf ic im iy ik cmyk2gray /xt xdf currenttransfer {dup 1.0 exch sub xt mul add}concatprocs st image } ifelse }ndf fhnumcolors 1 ne {yt restore} if fhnumcolors 3 ne {/yt save def} if /customcolorimage{ aload pop (_vc_Registration) eq { pop pop pop pop separationimage } { /ik xdf /iy xdf /im xdf /ic xdf 1.0 dup ic ik add min sub 1.0 dup im ik add min sub 1.0 dup iy ik add min sub /ic xdf /iy xdf /im xdf currentcolortransfer 4 1 roll {dup 1.0 exch sub ic mul add}concatprocs 4 1 roll {dup 1.0 exch sub iy mul add}concatprocs 4 1 roll {dup 1.0 exch sub im mul add}concatprocs 4 1 roll setcolortransfer {/dummy xdf dummy}concatprocs{dummy}{dummy}true 3 
colorimage } ifelse }ndf fhnumcolors 3 ne {yt restore} if fhnumcolors 4 ne {/yt save def} if /customcolorimage{ aload pop (_vc_Registration) eq { pop pop pop pop separationimage } { /ik xdf /iy xdf /im xdf /ic xdf currentcolortransfer {1.0 exch sub ik mul ik sub 1 add}concatprocs 4 1 roll {1.0 exch sub iy mul iy sub 1 add}concatprocs 4 1 roll {1.0 exch sub im mul im sub 1 add}concatprocs 4 1 roll {1.0 exch sub ic mul ic sub 1 add}concatprocs 4 1 roll setcolortransfer {/dummy xdf dummy}concatprocs{dummy}{dummy}{dummy} true 4 colorimage } ifelse }ndf fhnumcolors 4 ne {yt restore} if /separationimage{image}ndf /spotascmyk false ndf /newcmykcustomcolor{6 packedarray}ndf /inkoverprint false ndf /setinkoverprint{pop}ndf /setspotcolor { spots exch get dup 4 get (_vc_Registration) eq {pop 1 exch sub setseparationgray} {0 5 getinterval exch setcustomcolor} ifelse }ndf /currentcolortransfer{currenttransfer dup dup dup}ndf /setcolortransfer{st pop pop pop}ndf /fas{}ndf /sas{}ndf /fhsetspreadsize{pop}ndf /filler{fill}bdf /F{gsave {filler}fp grestore}bdf /f{closepath F}bdf /S{gsave {stroke}fp grestore}bdf /s{closepath S}bdf userdict /islevel2 systemdict /languagelevel known dup { pop systemdict /languagelevel get 2 ge } if put islevel2 not { /currentcmykcolor { 0 0 0 1 currentgray sub } ndf } if /tc { gsave setcmykcolor currentcmykcolor grestore } bind def /testCMYKColorThrough { tc add add add 0 ne } bind def /fhiscomposite where not { userdict /fhiscomposite islevel2 { gsave 1 1 1 1 setcmykcolor currentcmykcolor grestore add add add 4 eq } { 1 0 0 0 testCMYKColorThrough 0 1 0 0 testCMYKColorThrough 0 0 1 0 testCMYKColorThrough 0 0 0 1 testCMYKColorThrough and and and } ifelse put } { pop } ifelse /bc4 [0 0 0 0] def /_lfp4 { 1 pop /yt xdf /xt xdf /ang xdf storerect /taperfcn xdf /k2 xdf /y2 xdf /m2 xdf /c2 xdf /k1 xdf /y1 xdf /m1 xdf /c1 xdf c1 c2 sub abs m1 m2 sub abs y1 y2 sub abs k1 k2 sub abs maxcolor calcgraysteps mul abs round height abs adjnumsteps dup 1 lt {pop 1} if 1 
sub /numsteps1 xdf currentflat mark currentflat clipflatness /delta top bottom sub numsteps1 1 add div def /right right left sub def /botsv top delta sub def { { W xt yt translate ang rotate xt neg yt neg translate dup setflat /bottom botsv def 0 1 numsteps1 { numsteps1 dup 0 eq {pop pop 0.5} {div} ifelse taperfcn /frac xdf bc4 0 c2 c1 sub frac mul c1 add put bc4 1 m2 m1 sub frac mul m1 add put bc4 2 y2 y1 sub frac mul y1 add put bc4 3 k2 k1 sub frac mul k1 add put bc4 vc 1 index setflat { mark {newpath left bottom right delta rectfill}stopped {cleartomark exch 1.3 mul dup setflat exch 2 copy gt{stop}if} {cleartomark exit}ifelse }loop /bottom bottom delta sub def }for } gsave stopped grestore {exch pop 2 index exch 1.3 mul dup 100 gt{cleartomark setflat stop}if} {exit}ifelse }loop cleartomark setflat }bdf /bcs [0 0] def /_lfs4 { /yt xdf /xt xdf /ang xdf storerect /taperfcn xdf /tint2 xdf /tint1 xdf bcs exch 1 exch put tint1 tint2 sub abs bcs 1 get maxspot calcgraysteps mul abs round height abs adjnumsteps dup 2 lt {pop 2} if 1 sub /numsteps1 xdf currentflat mark currentflat clipflatness /delta top bottom sub numsteps1 1 add div def /right right left sub def /botsv top delta sub def { { W xt yt translate ang rotate xt neg yt neg translate dup setflat /bottom botsv def 0 1 numsteps1 { numsteps1 div taperfcn /frac xdf bcs 0 1.0 tint2 tint1 sub frac mul tint1 add sub put bcs vc 1 index setflat { mark {newpath left bottom right delta rectfill}stopped {cleartomark exch 1.3 mul dup setflat exch 2 copy gt{stop}if} {cleartomark exit}ifelse }loop /bottom bottom delta sub def }for } gsave stopped grestore {exch pop 2 index exch 1.3 mul dup 100 gt{cleartomark setflat stop}if} {exit}ifelse }loop cleartomark setflat }bdf /_rfs6 { /tint2 xdf /tint1 xdf bcs exch 1 exch put /inrad xdf /radius xdf /yt xdf /xt xdf tint1 tint2 sub abs bcs 1 get maxspot calcgraysteps mul abs round radius inrad sub abs adjnumsteps dup 1 lt {pop 1} if 1 sub /numsteps1 xdf radius inrad sub numsteps1 dup 0 
eq {pop} {div} ifelse 2 div /halfstep xdf currentflat mark currentflat clipflatness { { dup setflat W 0 1 numsteps1 { dup /radindex xdf numsteps1 dup 0 eq {pop pop 0.5} {div} ifelse /frac xdf bcs 0 tint2 tint1 sub frac mul tint1 add put bcs vc 1 index setflat { newpath mark xt yt radius inrad sub 1 frac sub mul halfstep add inrad add 0 360 { arc radindex numsteps1 ne inrad 0 gt or { xt yt numsteps1 0 eq { inrad } { radindex 1 add numsteps1 div 1 exch sub radius inrad sub mul halfstep add inrad add }ifelse dup xt add yt moveto 360 0 arcn } if fill }stopped {cleartomark exch 1.3 mul dup setflat exch 2 copy gt{stop}if} {cleartomark exit}ifelse }loop }for } gsave stopped grestore {exch pop 2 index exch 1.3 mul dup 100 gt{cleartomark setflat stop}if} {exit}ifelse }loop cleartomark setflat }bdf /_rfp6 { 1 pop /k2 xdf /y2 xdf /m2 xdf /c2 xdf /k1 xdf /y1 xdf /m1 xdf /c1 xdf /inrad xdf /radius xdf /yt xdf /xt xdf c1 c2 sub abs m1 m2 sub abs y1 y2 sub abs k1 k2 sub abs maxcolor calcgraysteps mul abs round radius inrad sub abs adjnumsteps dup 1 lt {pop 1} if 1 sub /numsteps1 xdf radius inrad sub numsteps1 dup 0 eq {pop} {div} ifelse 2 div /halfstep xdf currentflat mark currentflat clipflatness { { dup setflat W 0 1 numsteps1 { dup /radindex xdf numsteps1 dup 0 eq {pop pop 0.5} {div} ifelse /frac xdf bc4 0 c2 c1 sub frac mul c1 add put bc4 1 m2 m1 sub frac mul m1 add put bc4 2 y2 y1 sub frac mul y1 add put bc4 3 k2 k1 sub frac mul k1 add put bc4 vc 1 index setflat { newpath mark xt yt radius inrad sub 1 frac sub mul halfstep add inrad add 0 360 { arc radindex numsteps1 ne inrad 0 gt or { xt yt numsteps1 0 eq { inrad } { radindex 1 add numsteps1 div 1 exch sub radius inrad sub mul halfstep add inrad add }ifelse dup xt add yt moveto 360 0 arcn } if fill }stopped {cleartomark exch 1.3 mul dup setflat exch 2 copy gt{stop}if} {cleartomark exit}ifelse }loop }for } gsave stopped grestore {exch pop 2 index exch 1.3 mul dup 100 gt{cleartomark setflat stop}if} {exit}ifelse }loop 
cleartomark setflat }bdf /lfp4{_lfp4}ndf /lfs4{_lfs4}ndf /rfs6{_rfs6}ndf /rfp6{_rfp6}ndf /cvc [0 0 0 1] def /vc{ AltsysDict /cvc 2 index put aload length dup 4 eq {pop dup -1 eq{pop setrgbcolor}{setcmykcolor}ifelse} {6 eq {sethexcolor} {setspotcolor} ifelse } ifelse }bdf 0 setseparationgray /imgr {1692.47 1570.59 1723.65 1601.77 } def /bleed 0 def /clpr {1692.47 1570.59 1723.65 1601.77 } def /xs 1 def /ys 1 def /botx 0 def /overlap 0 def /wdist 18 def 0 2 mul fhsetspreadsize 0 0 ne {/df 0 def /clipflatness 0 def} if /maxsteps 256 def /forcemaxsteps false def /minsteps 0 def userdict begin /AGDOrigMtx matrix currentmatrix def end vms -1694 -1572 translate /currentpacking defed{false setpacking}if /spots[ 1 0 0 0 (Process Cyan) false newcmykcustomcolor 0 1 0 0 (Process Magenta) false newcmykcustomcolor 0 0 1 0 (Process Yellow) false newcmykcustomcolor 0 0 0 1 (Process Black) false newcmykcustomcolor ]def n [] 0 d 3.863708 M 1 w 0 j 0 J false setoverprint 0 i false eomode [0 0 0 1]vc vms q [1 0 0 1 -249.981674 -586.867554] concat vms 1946.9506 2177.5114 m 1954.4907 2185.0516 L 1956.7047 2187.2656 1960.2943 2187.2656 1962.5083 2185.0516 C 1970.0485 2177.5114 L 1972.2625 2175.2974 1972.2625 2171.7078 1970.0485 2169.4938 C 1962.5083 2161.9537 L 1960.2943 2159.7396 1956.7047 2159.7396 1954.4907 2161.9537 C 1946.9506 2169.4938 L 1944.7365 2171.7078 1944.7365 2175.2974 1946.9506 2177.5114 C s n true eomode 1958.5469 2181.0039 m 1959.2148 2181.0039 1959.7012 2180.9296 1960.0059 2180.7813 C 1960.3142 2180.6326 1960.4684 2180.363 1960.4688 2179.9727 C 1960.4688 2179.7383 1960.3398 2178.8026 1960.082 2177.166 C 1959.0742 2170.4219 L 1958.9373 2170.3241 1958.7615 2170.2754 1958.5469 2170.2754 C 1958.3319 2170.2754 1958.1561 2170.3241 1958.0195 2170.4219 C 1957.0117 2177.166 L 1956.7539 2178.8026 1956.625 2179.7379 1956.625 2179.9727 C 1956.625 2180.363 1956.7792 2180.6326 1957.0879 2180.7813 C 1957.4003 2180.9296 1957.8866 2181.0035 1958.5469 2181.0039 C h 1958.5469 2165.166 m 
1958.0389 2165.166 1957.5878 2165.3499 1957.1934 2165.7168 C 1956.7986 2166.0837 1956.6016 2166.5485 1956.6016 2167.1113 C 1956.6016 2167.6698 1956.7891 2168.1404 1957.1641 2168.5234 C 1957.5427 2168.9102 1958.0038 2169.1035 1958.5469 2169.1035 C 1959.1094 2169.1035 1959.5741 2168.9043 1959.9414 2168.5059 C 1960.3083 2168.1074 1960.4918 2167.6423 1960.4922 2167.1113 C 1960.4922 2166.748 1960.4102 2166.4177 1960.2461 2166.1211 C 1960.082 2165.8241 1959.8513 2165.5916 1959.5547 2165.4238 C 1959.2577 2165.2521 1958.9219 2165.1664 1958.5469 2165.166 C true setoverprint f false setoverprint n vmr Q false eomode vmr vmr end %%Trailer \ No newline at end of file diff --git a/docs/xslt/generate-attributions.xsl b/docs/xslt/generate-attributions.xsl new file mode 100644 index 0000000000..79bf942504 --- /dev/null +++ b/docs/xslt/generate-attributions.xsl @@ -0,0 +1,81 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + < + + + 1 + + + mailto: + + + + + > + + + + + ( + + ) + + + + + + + + + + diff --git a/docs/xslt/html-chunk.xsl b/docs/xslt/html-chunk.xsl new file mode 100644 index 0000000000..e98a3df8dc --- /dev/null +++ b/docs/xslt/html-chunk.xsl @@ -0,0 +1,16 @@ + + + + + + + + + + + + + + + + diff --git a/docs/xslt/html-common.xsl b/docs/xslt/html-common.xsl new file mode 100644 index 0000000000..dce900ef67 --- /dev/null +++ b/docs/xslt/html-common.xsl @@ -0,0 +1,25 @@ + + + + + + + + + + +text/css + + + + + + + + ..html + + + + + + diff --git a/docs/xslt/html.xsl b/docs/xslt/html.xsl new file mode 100644 index 0000000000..bb07516ad2 --- /dev/null +++ b/docs/xslt/html.xsl @@ -0,0 +1,11 @@ + + + + + + + + + + + diff --git a/docs/xslt/html/samba.css b/docs/xslt/html/samba.css new file mode 100644 index 0000000000..3d926e8e74 --- /dev/null +++ b/docs/xslt/html/samba.css 
@@ -0,0 +1,80 @@
+BODY {
+ font-family: helvetica, arial, lucida sans, sans-serif;
+ background-color: white;
+}
+
+H1, H2, H3 {
+ color: blue;
+ font-size: 120%;
+ padding: 2px;
+ margin-top: 0px;
+}
+
+H1 {
+ background-color: #EEEEFF;
+ color: blue;
+}
+
+H2 {
+ background-color: #DDDDFF;
+ color: blue;
+}
+
+H3 {
+ background-color: #CCCCFF;
+ color: blue;
+}
+
+H4 {
+ color: blue;
+}
+
+TR.qandadiv TD {
+ padding-top: 1em;
+}
+
+DIV.navhead {
+ font-size: 80%;
+}
+
+A:link {
+ color: #36F;
+}
+
+A:visited {
+ color: #96C;
+}
+
+A:active {
+ color: #F63;
+}
+
+TR.question {
+ color: #33C;
+ font-weight: bold;
+}
+
+TR.question TD {
+ padding-top: 1em;
+}
+
+DIV.variablelist {
+ padding-left: 2em;
+ color: #33C;
+}
+
+P {
+ color: black;
+}
+
+DIV.note, DIV.warning, DIV.caution, DIV.tip, DIV.important {
+ border: dashed 1px;
+ background-color: #EEEEFF;
+ width: 40em;
+}
+
+PRE.programlisting, PRE.screen {
+ border: #630 1px dashed;
+ color: #630;
+}
+
diff --git a/docs/xslt/latex.xsl b/docs/xslt/latex.xsl
new file mode 100644
index 0000000000..8cc6b0d546
--- /dev/null
+++ b/docs/xslt/latex.xsl
@@ -0,0 +1,107 @@ + + + + + + + + + +sambadoc +twoside,11pt,letterpaper + +hyperfigures,hyperindex,citecolor=black,urlcolor=black,filecolor=black,linkcolor=black,menucolor=red,pagecolor=black +default +xslt/figures +1 + + +1 + +1 + + + + + +{\bfseries } + + +\documentclass[twoside,openright,pt]{xslt/latex/sambadoc} + +\usepackage[twoside,dvips]{geometry} + +%\usepackage[section]{placeins} + +\geometry{% +paperwidth=7in, +paperheight=9.25in, +lmargin=.75in, +rmargin=.75in, +bmargin=.625in, +tmargin=.625in, +width=5.5in, +height=7.525in, %7.3 +marginparwidth=0.35in, +headheight=0.2in, +headsep=.25in, +footskip=.025in} + +\setlength{\headwidth}{\textwidth} + + +\usepackage[letter,center,dvips]{crop} + +\usepackage{amsmath}% +\usepackage{amsfonts}% +\usepackage{amssymb} + + +\special{papersize=11in,8.5in} + +%\crop[frame] +\crop + + +\makeindex + +%% Preamble: + +% New commands and/or command redefinitions +% +% Added for the samba book +%----------------------- paragraph ---------------------------------- +\cleardoublepage +\pagenumbering{roman} + +\setcounter{page}{2} +\setcounter{totalnumber}{8} +\setcounter{bottomnumber}{3} +\setcounter{topnumber}{3} +\renewcommand{\textfraction}{0.1} +\renewcommand{\topfraction}{1.0} +\renewcommand{\bottomfraction}{1.0} + +%% Document Parts + +english +1 + + + + + + + + + + + + + diff --git a/docs/xslt/latex/sambadoc.cls b/docs/xslt/latex/sambadoc.cls new file mode 100644 index 0000000000..c55bc970a5 --- /dev/null +++ b/docs/xslt/latex/sambadoc.cls 
@@ -0,0 +1,466 @@ +% +% $Id: sambadoc.cls,v 1.4 2003/12/11 19:30:50 jelmer Exp $ +% + +% phstyle.cls -- Macros for formatting Prentice-Hall Books +% -- Compiled by J.K. Shultis, Dec. 1993 +% -- Modified and enhanced for LaTeX2e mdh/rlm 1997/02 +% -- Style Modifications Lori Hughes June 2002 + +\NeedsTeXFormat{LaTeX2e}% +\ProvidesClass{sambadoc}[1997/02/20 Prentice Hall Book Class, February 1997] + +\DeclareOption*{\PassOptionsToClass{\CurrentOption}{report}} + +\ProcessOptions% + +% Base everything on the default class 'article'. +\LoadClass{report}% + + +%================================================================================ +% 1. Page layout dimensions +% 3. Define new fonts for headings +% 4. Define LaTeX logos (usually ot needed) +% 5. Redefines the way "figure" amd "table" are formated in a \caption +% 6. Defines a \capt macro which defines (1) \captwidth, (2) \captsize +% and \beforetableskip. +% 7. New Environemnts: Eqnarray, reflist, exerlist +% 8. Defines and modifies FANCYHDS.STY for headers and foots +% 9. Change sectioning headings to bold sans serif fonts +%10. 
Turn off leader dots in Table of Contents +%====================================================================== + +%====================== Page Layout +% \oddsidemargin 0.750in \evensidemargin 0.750in \textwidth 5.00in +% \topmargin 0.625in \headheight 0.3in \headsep 0.2in +% \textheight 7.3in %\footheight .2in +% \footskip 0.3in +% \parskip 0ex \marginparwidth 1.00in \marginparsep 0.5in +%\setlength\arraycolsep{1pt} + +\textwidth 5.00in + +%====================== Define special fonts +\newfont{\BIG}{cminch} %--- One-inch font +\newfont{\sfbHuge}{cmssbx10 scaled\magstep5} %-- 25pt sans serif bold +\newfont{\sfblarge}{cmssbx10 scaled\magstep1} %-- 12pt sans serif bold +\newfont{\sfbeleven}{cmssbx10 scaled\magstephalf} %-- 11pt sans serif bold +\newfont{\sfb}{cmssbx10} %-- 10pt sans serif bold +\newfont{\sfeight}{cmss8} %-- 8pt sans serif +\newfont{\sfnine}{cmss8 at 9pt} %-- 9pt sans serif + +\newfont{\defnem}{cmbxti10} %-- 10pt sans serif bold +\def\spacingset#1{\def\baselinestretch{#1}\small\normalsize} + +%-----------Change section heading font sizes here---- +\newfont{\sfbsection}{cmssbx10 at 13pt} +\newfont{\sfbsubsec}{cmssbx10 at 12pt} +\newfont{\sfbsubsub}{cmssbx10 at 11pt} +\newfont{\sfbpara}{cmssbx10} +%--------------------------------------------------- + + +%===================== LaTeX and TeX type logos +\newcount\TestCount +\def\La{\TestCount=\the\fam \leavevmode L\raise.42ex + \hbox{$\fam\TestCount\scriptstyle\kern-.3em A$}} +\def\LaTeX{\La\kern-.15em\TeX} +\def\AllTeX{{(\La)\TeX}} + +% +% Theorem hack +% + +\def\@begintheorem#1#2{\trivlist + \item[\hskip \labelsep{\bfseries #1\ #2:}]\itshape} + +%===================== Redefine the \@makecaption command + \long\def\@makecaption#1#2{\vskip 10\p@ +%% \setbox\@tempboxa\hbox{#1: #2}% %% original label definition + \setbox\@tempboxa\hbox{\textbf{ \small #1.} \small #2}% %% bold and . 
instead of : + \ifdim \wd\@tempboxa >\hsize +%% #1: #2\par %% original definition + \textbf{ \small #1.} \small #2\par %% bold and . instead of : + \else + \hbox to\hsize{\hfil\box\@tempboxa\hfil}% %% original +%% \hbox to\hsize{\box\@tempboxa\hfil}% %% no centering + \fi} + +%===================== New caption macro +\newlength{\captsize} \let\captsize=\footnotesize +\newlength{\captwidth} \setlength{\captwidth}{\textwidth} +\newlength{\beforetableskip} \setlength{\beforetableskip}{.5\baselineskip} +\newcommand{\capt}[1]{\begin{minipage}{\captwidth} + \let\normalsize=\captsize + \caption[#1]{#1} + \end{minipage}\\ \vspace{\beforetableskip}} + + +%---------- Change Figure Label +\newcommand{\thefigurename}{Figure} %-- set default: Figure +\def\fnum@figure{\thefigurename\ \thefigure} + +% This is to get the equation numbers in the form (section.equation), +% and to have the equation counter reset every time the section +% counter is incremented. + +\def\theequation{\thechapter.\arabic{equation}} +\@addtoreset{equation}{chapter} + + +%===================== New Environments + +%------ Reference List Macro +\newenvironment{reflist}{\begin{list}{}{\leftmargin 1em \labelwidth 0in +\labelsep 0in \itemsep 0ex \rightmargin 0in}}{\end{list}} +\newcommand{\refitem}{\item \hspace*{-1em}} %--- item for ref list +\newcommand{\SC}{\scriptsize} %--- small capitals for reference lists + + +%------ New environment for better spacing in Eqnarray +\def\eqnarray{% + \stepcounter{equation}% + \def\@currentlabel{\p@equation\theequation}% + \global\@eqnswtrue + \m@th + \global\@eqcnt\z@ + \tabskip\@centering + \let\\\@eqncr + $$\everycr{}\halign to\displaywidth\bgroup + \hskip\@centering$\displaystyle\tabskip\z@skip{##}$\@eqnsel + &\global\@eqcnt\@ne\hskip \arraycolsep \hfil${##}$\hfil + &\global\@eqcnt\tw@ \hskip \arraycolsep + $\displaystyle{##}$\hfil\tabskip\@centering + &\global\@eqcnt\thr@@ \hb@xt@\z@\bgroup\hss##\egroup + \tabskip\z@skip + \cr +} + + + + + 
+%\newenvironment{Eqnarray}{\arraycolsep 0.14em\begin{eqnarray}}{\end{eqnarray}} + +% The hangitem environment -- like description, but text lines up with +% the item descriptor. You give an additional argument containing text +% of the width that you want indentations. +% +\def\hangitem#1{\list{}{\settowidth\labelwidth{#1} + \leftmargin\labelwidth\advance\leftmargin\labelsep }} +\let\endhangitem\endlist + +%------ Problem List Macro +\newcounter{probnum} +\newenvironment{exerlist}% + {\begin{list}{\bf \theprobnum.}% + {\usecounter{probnum} \itemsep 1ex \leftmargin 2.0em \labelsep 0.5em + \rightmargin 0in}}{\end{list}} + + + + +%===================== Define FANCYHDS.STY +% fancyheadings.sty version 1.1 +% Fancy headers and footers. +% Piet van Oostrum, Dept of Computer Science, University of Utrecht +% Padualaan 14, P.O. Box 80.089, 3508 TB Utrecht, The Netherlands +% Telephone: +31-30-531806. piet@cs.ruu.nl (mcvax!hp4nl!ruuinf!piet) +% Sep 23, 1992. + +\def\lhead{\@ifnextchar[{\@xlhead}{\@ylhead}} +\def\@xlhead[#1]#2{\gdef\@elhead{#1}\gdef\@olhead{#2}} +\def\@ylhead#1{\gdef\@elhead{#1}\gdef\@olhead{#1}} + +\def\chead{\@ifnextchar[{\@xchead}{\@ychead}} +\def\@xchead[#1]#2{\gdef\@echead{#1}\gdef\@ochead{#2}} +\def\@ychead#1{\gdef\@echead{#1}\gdef\@ochead{#1}} + +\def\rhead{\@ifnextchar[{\@xrhead}{\@yrhead}} +\def\@xrhead[#1]#2{\gdef\@erhead{#1}\gdef\@orhead{#2}} +\def\@yrhead#1{\gdef\@erhead{#1}\gdef\@orhead{#1}} + +\def\lfoot{\@ifnextchar[{\@xlfoot}{\@ylfoot}} +\def\@xlfoot[#1]#2{\gdef\@elfoot{#1}\gdef\@olfoot{#2}} +\def\@ylfoot#1{\gdef\@elfoot{#1}\gdef\@olfoot{#1}} + +\def\cfoot{\@ifnextchar[{\@xcfoot}{\@ycfoot}} +\def\@xcfoot[#1]#2{\gdef\@ecfoot{#1}\gdef\@ocfoot{#2}} +\def\@ycfoot#1{\gdef\@ecfoot{#1}\gdef\@ocfoot{#1}} + +\def\rfoot{\@ifnextchar[{\@xrfoot}{\@yrfoot}} +\def\@xrfoot[#1]#2{\gdef\@erfoot{#1}\gdef\@orfoot{#2}} +\def\@yrfoot#1{\gdef\@erfoot{#1}\gdef\@orfoot{#1}} + +\newdimen\headrulewidth +\newdimen\footrulewidth +\newdimen\plainheadrulewidth 
+\newdimen\plainfootrulewidth +\newdimen\headwidth +\newif\if@fancyplain \@fancyplainfalse +\def\fancyplain#1#2{\if@fancyplain#1\else#2\fi} + +% Initialization of the head and foot text. + +\headrulewidth 0.4pt +\footrulewidth\z@ +\plainheadrulewidth\z@ +\plainfootrulewidth\z@ + +\lhead[\fancyplain{}{\sl\rightmark}]{\fancyplain{}{\sl\leftmark}} +% i.e. empty on ``plain'' pages \rightmark on even, \leftmark on odd pages +\chead{} +\rhead[\fancyplain{}{\sl\leftmark}]{\fancyplain{}{\sl\rightmark}} +% i.e. empty on ``plain'' pages \leftmark on even, \rightmark on odd pages +\lfoot{} +\cfoot{\rm\thepage} % page number +\rfoot{} + +% Put together a header or footer given the left, center and +% right text, fillers at left and right and a rule. +% The \lap commands put the text into an hbox of zero size, +% so overlapping text does not generate an errormessage. + +\def\@fancyhead#1#2#3#4#5{#1\hbox to\headwidth{\vbox{\hbox +{\rlap{\parbox[b]{\headwidth}{\raggedright#2\strut}}\hfill +\parbox[b]{\headwidth}{\centering#3\strut}\hfill +\llap{\parbox[b]{\headwidth}{\raggedleft#4\strut}}}\headrule}}#5} + + +\def\@fancyfoot#1#2#3#4#5{#1\hbox to\headwidth{\vbox{\footrule +\hbox{\rlap{\parbox[t]{\headwidth}{\raggedright#2\strut}}\hfill +\parbox[t]{\headwidth}{\centering#3\strut}\hfill +\llap{\parbox[t]{\headwidth}{\raggedleft#4\strut}}}}}#5} + +\def\headrule{{\if@fancyplain\headrulewidth\plainheadrulewidth\fi +\hrule\@height\headrulewidth\@width\headwidth \vskip-\headrulewidth}} + +\def\footrule{{\if@fancyplain\footrulewidth\plainfootrulewidth\fi +\vskip-0.3\normalbaselineskip\vskip-\footrulewidth +\hrule\@width\headwidth\@height\footrulewidth\vskip-0.3\normalbaselineskip}} + +\def\ps@fancy{ +\let\@mkboth\markboth +\@ifundefined{chapter}{\def\sectionmark##1{\markboth +{{\ifnum \c@secnumdepth>\z@ %MEUH + \thesection\hskip 1em\relax \fi ##1}}{}} +\def\subsectionmark##1{\markright {\ifnum \c@secnumdepth >\@ne + \thesubsection\hskip 1em\relax \fi ##1}}} +% 
+{\def\chaptermark##1{\markboth {{\ifnum \c@secnumdepth>\m@ne %MEUH + \@chapapp\ \thechapter. \ \fi ##1}}{}} +\def\sectionmark##1{\markright{{\ifnum \c@secnumdepth >\z@ %MEUH + \thesection. \ \fi ##1}}}} +\ps@@fancy +\headwidth\textwidth} +\def\ps@fancyplain{\ps@fancy \let\ps@plain\ps@plain@fancy} +\def\ps@plain@fancy{\@fancyplaintrue\ps@@fancy} +\def\ps@@fancy{ +\def\@oddhead{\@fancyhead\relax\@olhead\@ochead\@orhead\hss} +\def\@oddfoot{\@fancyfoot\relax\@olfoot\@ocfoot\@orfoot\hss} +\def\@evenhead{\@fancyhead\hss\@elhead\@echead\@erhead\relax} +\def\@evenfoot{\@fancyfoot\hss\@elfoot\@ecfoot\@erfoot\relax} +} +%------------------- Modify Headers for Prentice-Hall Book Style +%---------- Setup headers and footers +\pagestyle{fancyplain} +\plainfootrulewidth 0pt %---- no foot rule for chapter page +\footrulewidth 0pt %---- no rule for foot + +%--- Redefine Headers +\renewcommand{\sectionmark}[1]{\markright{\thesection\ #1}} +% +\lhead[\fancyplain{}{\bf\thepage}]{\fancyplain{}{\sfnine\rightmark}} +% +%\rhead[\fancyplain{}{\footnotesize\sf\CHHEAD}]{\fancyplain{}{\bf\thepage}} + \rhead[\fancyplain{}{\sfnine \leftmark}]{\fancyplain{}{\bf\thepage}} +%--- Empty footers on every page (except initial chapter page which has +%--- page number) and optionally a small date stamp +\cfoot[\fancyplain{}{}]{\fancyplain{}{}} +\rfoot[\fancyplain{}{}]{\fancyplain{\hspace{\fill}\\ \bf\thepage}{}} +\lfoot[\fancyplain{\hspace{\fill}\\ \bf\thepage}{}]{\fancyplain{}{}} +%-- replace the two lines above with the two below for a date stamp footer +%\rfoot[\fancyplain{\scriptsize \today}{\scriptsize \today}]{\fancyplain{\bf\thepage}{}} +%\lfoot[\fancyplain{\bf\thepage}{}]{\fancyplain{\scriptsize \today}{\scriptsize \today}} +%--- Change format of section header +% +% rlm added chaptermark 10/11/96 +\def\sectionmark#1{\markright{\ifnum \c@secnumdepth >\z@ + {\sfeight Section}~\thesection.\quad \fi #1}} +\def\sectionsmark#1{\markright{#1}{#1}} +% +\def\chaptermark#1{\markboth{#1 \quad 
\@chapapp{}~\thechapter}{}} +\def\chaptersmark#1{\markboth{#1}{#1}} + + + + +%===================== Change Section Heads to Bold Sans Serif +% Create bolds sans serif sectioning headings. Also the headings have +% been reduced in size with less space before and after the heading. +% Modified from macros given in BK10.STY +% +%----------------------------- part --------------------------------- +\def\@part[#1]#2{% + \thispagestyle{empty} + \ifodd\c@page\hbox{}\else\clearpage\fi + \addtocounter{page}{-2} + \thispagestyle{empty} + \ifnum \c@secnumdepth >-2\relax + \refstepcounter{part}% + \addcontentsline{toc}{part}{Part \thepart\hspace{1em}#1}% + \else + \addcontentsline{toc}{part}{Part #1}% + \fi + {\centering + \interlinepenalty \@M + \normalfont + \ifnum \c@secnumdepth >-2\relax + \huge\bfseries \partname\nobreakspace\thepart + \par + \vskip 20\p@ + \fi + \Huge \bfseries #2\par}% + \@endpart} + +%------------------------- appendix ----------------------------------- + +\let\oldappendix\appendix +\def\appendix{\oldappendix\def\addchaptertoloe{}} + +%------------------------- chapter ----------------------------------- +\def\addchaptertoloe{% + \addtocontents{loe}{\protect\addvspace{14pt}}% + \addtocontents{loe}{\noindent {\bfseries Chapter~\thechapter}\protect\par}% + \addtocontents{loe}{\protect\addvspace{10pt}}% +} + +\def\chapter{\clearpage \thispagestyle{plain} \global\@topnum\z@ +\@afterindentfalse \secdef\@chapter\@schapter} +\def\@chapter[#1]#2{\ifnum \c@secnumdepth >\m@ne + \refstepcounter{chapter} + \typeout{\@chapapp\space\thechapter.} + \addcontentsline{toc}{chapter}{Chapter~\protect + \numberline{\thechapter}\uppercase{#1}}\else + \addcontentsline{toc}{chapter}{Chapter~\uppercase{#1}}\fi + \chaptermark{#1} + \addchaptertoloe + \addtocontents{lof}{\protect\addvspace{10pt}} +\addtocontents{lot}{\protect\addvspace{10pt}} \if@twocolumn +\@topnewpage[\@makechapterhead{#2}] + \else \@makechapterhead{#2} + \@afterheading \fi} +% +\def\@schapter#1{\if@twocolumn 
\@topnewpage[\@makeschapterhead{#1}] + \else \@makeschapterhead{#1}\chaptersmark{#1} + \@afterheading\fi\addcontentsline{toc}{chapter}{\uppercase{#1}}} + + + +\def\@makechapterhead#1{\vspace*{-20pt}{\parindent0pt\raggedright +\ifnum\c@secnumdepth>\m@ne\LARGE\sf\@chapapp{}~\thechapter\par +\vskip3pt\hrule\vskip3pt\hrule +\vskip30pt\fi\raggedright\Huge\sfbHuge\uppercase{#1}\par +\nobreak\vskip70pt}}%\chaptermark{#1}} + +\def\@makeschapterhead#1{\vspace*{4pt}{\parindent0pt +\vskip3pt\hrule\vskip3pt\hrule +\vskip36pt\raggedright\Huge\sfbHuge\uppercase{#1}\par +\nobreak\vskip70pt}}%\chaptersmark{#1}} + +%------------------------ section ----------------------------------- +\def\section{\@startsection{section}{1}{\z@}{-3.5ex plus-1ex + minus -.2ex}{1.8ex}{\sfbsection}} + +%--------------------- subsection ----------------------------------- +\def\subsection{\@startsection{subsection}{2}{\z@}{-2.75ex plus -1ex + minus -.2ex}{1.2ex}{\sfbsubsec}} + +%-------------------- subsubsection -------------------------------- +\def\subsubsection{\@startsection{subsubsection}{3}{\z@}{-2.75ex + plus -1ex minus -.2ex}{1.2ex}{\sfbsubsub}} + +%----------------------- paragraph ---------------------------------- +\def\paragraph{\@startsection{paragraph}{4}{\z@}{1.25ex plus + 1ex minus .2ex}{-1em}{\sfbpara}} + +%---------------------- subparagraph -------------------------------- +\def\subparagraph{\@startsection{subparagraph}{4}{\parindent}{1.25ex + plus 1ex minus .2ex}{-1em}{\normalsize\sfb}} + + + +%====================== Turn off leader dots in Table of Contents +\renewcommand{\@dotsep}{500} + +\def\tableofcontents{\markboth{}{}\@restonecolfalse\if@twocolumn\@restonecoltrue\onecolumn + \fi\thispagestyle{plain} \@makeschapterhead{Contents} + \@afterheading + \chaptersmark{Contents} + \sectionsmark{Contents} + \@starttoc{toc}\if@restonecol\twocolumn\fi} + + +\def\thebibliography#1{\chapter*{Bibliography}\list +% \addcontentsline{toc}{chapter}{Bibliography} + 
{[\arabic{enumi}]}{\settowidth\labelwidth{2em}\leftmargin\labelwidth +% \advance\leftmargin\labelsep + \usecounter{enumi}} + \def\newblock{\hskip .11em plus .33em minus .07em} + \sloppy\clubpenalty4000\widowpenalty4000 + \sfcode`\.=1000\relax} +\let\endthebibliography=\endlist + + +%% BIBLIOGRAPHY +% +%% separate citations with "], [" +\def\@citex[#1]#2{\if@filesw\immediate\write\@auxout{\string\citation{#2}}\fi +\def\@citea{}\@cite{\@for\@citeb:=#2\do {\@citea\def\@citea{], +[}\@ifundefined {b@\@citeb}{{\bf ?}\@warning {Citation `\@citeb' on +page \thepage \space undefined}}% +{\csname b@\@citeb\endcsname}}}{#1}} + +\def\@cite#1#2{[{#1\if@tempswa, #2\fi}]} + + +%% index + +%\def\theindex{\@restonecoltrue\if@twocolumn\@restonecolfalse\fi +%\columnseprule \z@ +%\columnsep 35pt\twocolumn[\@makeschapterhead{Subject Index}] +% \addcontentsline{toc}{chapter}{SUBJECT INDEX} +% \thispagestyle{plain}\parindent\z@ +% \parskip\z@ plus .3pt\relax\let\item\@idxitem} + +\def\theindex{\cleardoublepage\@restonecoltrue\if@twocolumn\@restonecolfalse\fi +\columnseprule \z@ +\columnsep 35pt\twocolumn[\@makeschapterhead{Subject Index}] + \chaptersmark{Subject Index}% + \addcontentsline{toc}{chapter}{SUBJECT INDEX} + \thispagestyle{plain}\parindent\z@ + \parskip\z@ plus .3pt\relax\let\item\@idxitem} + + +\renewcommand{\cleardoublepage}{\clearpage\if@twoside \ifodd\c@page\else +\hbox{}\thispagestyle{empty}\newpage\if@twocolumn\hbox{}\newpage\fi\fi\fi} + +\renewcommand{\numberline}[1]{\sbox\@tempboxa{#1\hspace{2pt}}% + \ifdim\wd\@tempboxa>\@tempdima \else \wd\@tempboxa\@tempdima\fi + \box\@tempboxa} + +\def\listofexamples{\@restonecolfalse\if@twocolumn\@restonecoltrue\onecolumn + \fi\chapter*{List of Examples} + \renewcommand\@pnumwidth{0em} + \@starttoc{loe}\if@restonecol + \twocolumn\fi} + +\def\l@example{\noindent\@dottedtocline{1}{0em}{3.5em}} + +\parskip 1.5ex +\parindent 0pt + +\renewcommand\listfigurename{\uppercase{List Of Figures}} +\renewcommand\listtablename{\uppercase{List Of 
Tables}} + diff --git a/docs/xslt/lists.mod.xsl b/docs/xslt/lists.mod.xsl new file mode 100644 index 0000000000..49e39d5e7f --- /dev/null +++ b/docs/xslt/lists.mod.xsl @@ -0,0 +1,29 @@ + + + + + + + + + \begin{itemize} + + \end{itemize} + + + + + %--- Item + \item[] + + + + + diff --git a/docs/xslt/man.xsl b/docs/xslt/man.xsl new file mode 100644 index 0000000000..2a27bc4c04 --- /dev/null +++ b/docs/xslt/man.xsl @@ -0,0 +1,169 @@ + + + + + + + + + + + + + + + + + + + + : + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + .\"Generated by db2man.xsl. Don't modify this, modify the source. +.de Sh \" Subsection +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Ip \" List item +.br +.ie \\n(.$>=3 .ne \\$3 +.el .ne 3 +.IP "\\$1" \\$2 +.. +.TH " + + " + + " + + " " + + " " + + " + + + + + + + + + + + + + + + + .nf + + .fi + + + + \fB + + \fR + + + + + + + + + + + + + + + + + + + + + + + + + + .SS " + + " + + + + + diff --git a/docs/xslt/normalize-scape.mod.xsl b/docs/xslt/normalize-scape.mod.xsl new file mode 100644 index 0000000000..1ea5cbe8de --- /dev/null +++ b/docs/xslt/normalize-scape.mod.xsl @@ -0,0 +1,395 @@ + + + + + + + + + + + + $Id: normalize-scape.mod.xsl,v 1.1 2003/12/05 06:53:48 ab Exp $ + + + Ramon Casellas + James Devenish + + 2000200120022003 + Ramon Casellas + + + Normalize and Scape strings. + +
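Review bot: In the sectioning block of the sambadoc.cls hunk, `\subparagraph` is defined with section level 4, the same level `\paragraph` uses just above it, so `secnumdepth` and `tocdepth` cannot tell the two apart. The standard classes use level 5 here, i.e. `\def\subparagraph{\@startsection{subparagraph}{5}{\parindent}{1.25ex`. Separately, the comment near the top of the class says it is based on 'article' while the line after it is `\LoadClass{report}`; the comment should read `% Base everything on the standard class 'report'.`.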
Introduction + +
+
+
+ + + + + + + + + + Error: this style requires support for extension 'exsl:node-set()' + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + { + + {\caption{ + + + + + + + } + }} + + + + \captionswapskip{} + + \captionswapskip{} + + + + + + + + + + + + + Abstract XSL template. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + /\dbz{} + / + + + .\dbz{} + . + + + + + + + + + + + + + + /\dbz{} + / + + + .\dbz{} + . + + + + + + + + + + + + + + + + + + + + + + + Escape the ] character in LaTeX optional arguments (experimental) + + + + + + + {\rbrack} + ] + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
diff --git a/docs/xslt/table.mod.xsl b/docs/xslt/table.mod.xsl new file mode 100644 index 0000000000..b20752d91d --- /dev/null +++ b/docs/xslt/table.mod.xsl @@ -0,0 +1,743 @@ + + + + + + + + + + + + + + Ramon Casellas + James Devenish + + + 2000 2001 2002 2003 + Ramon Casellas + + + + Tables <filename>table.mod.xsl</filename> + +
Introduction + +
+
+
+ + + + + + + + XSL template for docbook tables. + + + Remarks and Bugs + + + + Default Behaviour + + + + + + + + + + + + + + \caption{ + + } + + + + \captionswapskip{} + + \captionswapskip{} + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + >{ + + + \hsize= + + \hsize + + + \RaggedRight + \RaggedLeft + \Centering + Table column char alignment is not supported. + + } + + + X + + + p{} + + + + | + + + + + l + r + c + X + cTable column char alignment is not supported. + X + + + | + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + >{\RaggedRight} + >{\RaggedLeft} + >{\Centering} + Table column char alignment is not supported. + + p{} + + | + + + + + l + r + c + l + cTable column char alignment is not supported. + c + + + | + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + all + + + + + + + + + + + 1 + + + + 1 + + + + 1 + + + 1 + + + + + + 1 + + + + \begin{tabularx}{\linewidth}{ + + + \begin{minipage}{\linewidth} + \begin{tabular}{ + + + + | + + + + + + + + + + + + + + + + + + + + | + + } + + \hline + + + + + + \hline + + + + \end{tabularx} + + + \end{tabular} + \end{minipage} + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \tabularnewline + + + + + + + + + + + + + + + + + + + \hline + + + + + + + + + + \tabularnewline + + + + + + + + + + + + + + + + + + -1 + + + + \multicolumn{ + + |}{ + + l + r + c + cTable entry char alignment is not supported. + c + + + } + + + + + \docbooktolatexalignll + \docbooktolatexalignrl + \docbooktolatexaligncl + Table entry char alignment is not supported. + + + { + + \rotatebox{90} + entry[@rotate='1' and @align!=''] probably doesn't work. + + { + + The morerows attribute is not supported. 
+ + + + }} + + + + \docbooktolatexalignlr + \docbooktolatexalignrr + \docbooktolatexaligncr + + + + + + + + + + + + + + + + + + td + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +   + + + + + + + + + + + + + + + + + + + + + + + + + + + 1 + + 1 + 1 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 1 + 1 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 1 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
diff --git a/docs/xslt/unicode.mapping.dtd b/docs/xslt/unicode.mapping.dtd new file mode 100644 index 0000000000..d2b6b3db3a --- /dev/null +++ b/docs/xslt/unicode.mapping.dtd @@ -0,0 +1,16 @@ + + + + + + + + + + + + + + + + diff --git a/docs/xslt/unicode.mapping.xml b/docs/xslt/unicode.mapping.xml new file mode 100644 index 0000000000..06866efd53 --- /dev/null +++ b/docs/xslt/unicode.mapping.xml @@ -0,0 +1,72 @@ + + + + + + < + \guilsinglleft{} + \guilsinglleft{} + + + > + \guilsinglright{} + \guilsinglright{} + + + # + \# + \# + + + $ + \textdollar{} + \$ + \textdollar{} + + + % + \% + \% + + + & + \& + \& + + + ~ + \textasciitilde{} + \textasciitilde{} + + + _ + \_ + \_ + + + ^ + \^{} + \^{} + + + \ + \textbackslash{} + \backslash + \textbackslash{} + + + { + \{ + \{ + + + } + \} + \} + + + | + $\vert$ + $\vert$ + + -- cgit