More doco updates, in particular the fact that you must configure the smb.conf

*before* you join, otherwise we don't have all the info that 'net join' needs.

Also move from smbpasswd -j to 'net join' in the examples.

Andrew Bartlett
(This used to be commit 9494c1e153)

docs/docbook/manpages/winbindd.8.sgml

@@ -271,13 +271,11 @@ auth       required     /lib/security/pam_pwdb.so use_first_pass shadow nullok
   	<para>The next step is to join the domain. To do that use the 
 	<command>smbpasswd</command> program like this:  </para>
  
-	<para><command>smbpasswd -j DOMAIN -r PDC -U
-	Administrator</command></para>
+	<para><command>net join -S PDC -U Administrator</command></para>
  
 	<para>The username after the <parameter>-U</parameter> can be any
 	Domain user that has administrator privileges on the machine.
-	Substitute your domain name for "DOMAIN" and the name of your PDC
-	for "PDC".</para>
+	Substitute the name or IP of your PDC for "PDC".</para>
 
 	<para>Next copy <filename>libnss_winbind.so</filename> to 
 	<filename>/lib</filename> and <filename>pam_winbind.so

docs/docbook/projdoc/DOMAIN_MEMBER.sgml

@@ -25,79 +25,29 @@
 </chapterinfo>
 
 
-<title>Samba as a NT4 domain member</title>
+<title>Samba as a NT4 or Win2k domain member</title>
 
 <sect1>
 
-	<title>Joining an NT Domain with Samba 2.2</title>
+	<title>Joining an NT Domain with Samba 3.0</title>
 
-	<para>Assume you have a Samba 2.x server with a NetBIOS name of 
-	<constant>SERV1</constant> and are joining an NT domain called
+	<para>Assume you have a Samba 3.0 server with a NetBIOS name of 
+	<constant>SERV1</constant> and are joining an or Win2k NT domain called
 	<constant>DOM</constant>, which has a PDC with a NetBIOS name
 	of <constant>DOMPDC</constant> and two backup domain controllers 
 	with NetBIOS names <constant>DOMBDC1</constant> and <constant>DOMBDC2
 	</constant>.</para>
 
-	<para>In order to join the domain, first stop all Samba daemons 
-	and run the command:</para>
-
-	<para><prompt>root# </prompt><userinput>smbpasswd -j DOM -r DOMPDC
-	-U<replaceable>Administrator%password</replaceable></userinput></para>
-
-	<para>as we are joining the domain DOM and the PDC for that domain 
-	(the only machine that has write access to the domain SAM database) 
-	is DOMPDC. The <replaceable>Administrator%password</replaceable> is 
-	the login name and password for an account which has the necessary 
-	privilege to add machines to the domain.  If this is successful 
-	you will see the message:</para>
-
-	<para><computeroutput>smbpasswd: Joined domain DOM.</computeroutput>
-	</para>
-
-	<para>in your terminal window. See the <ulink url="smbpasswd.8.html">
-	smbpasswd(8)</ulink> man page for more details.</para>
-	
-	<para>There is existing development code to join a domain
-	without having to create the machine trust account on the PDC
-	beforehand.  This code will hopefully be available soon
-	in release branches as well.</para>
-
-	<para>This command goes through the machine account password 
-	change protocol, then writes the new (random) machine account 
-	password for this Samba server into a file in the same directory 
-	in which an smbpasswd file would be stored - normally :</para>
-
-	<para><filename>/usr/local/samba/private</filename></para>
-
-	<para>In Samba 2.0.x, the filename looks like this:</para>
-
-	<para><filename><replaceable>&lt;NT DOMAIN NAME&gt;</replaceable>.<replaceable>&lt;Samba 
-	Server Name&gt;</replaceable>.mac</filename></para>
-	
-	<para>The <filename>.mac</filename> suffix stands for machine account 
-	password file. So in our example above, the file would be called:</para>
-
-	<para><filename>DOM.SERV1.mac</filename></para>
-
-	<para>In Samba 2.2, this file has been replaced with a TDB 
-	(Trivial Database) file named <filename>secrets.tdb</filename>.
-	</para>
-
-
-	<para>This file is created and owned by root and is not 
-	readable by any other user. It is the key to the domain-level 
-	security for your system, and should be treated as carefully 
-	as a shadow password file.</para>
-
-	<para>Now, before restarting the Samba daemons you must 
-	edit your <ulink url="smb.conf.5.html"><filename>smb.conf(5)</filename>
+	<para>Firstly, you must edit your <ulink url="smb.conf.5.html"><filename>smb.conf(5)</filename>
 	</ulink> file to tell Samba it should now use domain security.</para>
 	
 	<para>Change (or add) your <ulink url="smb.conf.5.html#SECURITY">
 	<parameter>security =</parameter></ulink> line in the [global] section 
 	of your smb.conf to read:</para>
 
-	<para><command>security = domain</command></para>
+	<para><command>security = domain</command> or
+	<command>security = ads</command> depending on if the PDC is
+	NT4 or running Active Directory respectivly.</para>
 
 	<para>Next change the <ulink url="smb.conf.5.html#WORKGROUP"><parameter>
 	workgroup =</parameter></ulink> line in the [global] section to read: </para>
@@ -128,11 +78,47 @@
 
 	<para><command>password server = *</command></para>
 
-	<para>This method, which was introduced in Samba 2.0.6, 
-	allows Samba to use exactly the same mechanism that NT does. This 
+	<para>This method, allows Samba to use exactly the same
+        mechanism that NT does. This 
 	method either broadcasts or uses a WINS database in order to
 	find domain controllers to authenticate against.</para>
 
+	<para>In order to actually join the domain, you must run this
+        command:</para>
+
+	<para><prompt>root# </prompt><userinput>net join -S DOMPDC
+	-U<replaceable>Administrator%password</replaceable></userinput></para>
+
+	<para>as we are joining the domain DOM and the PDC for that domain 
+	(the only machine that has write access to the domain SAM database) 
+	is DOMPDC. The <replaceable>Administrator%password</replaceable> is 
+	the login name and password for an account which has the necessary 
+	privilege to add machines to the domain.  If this is successful 
+	you will see the message:</para>
+
+	<para><computeroutput>Joined domain DOM.</computeroutput>
+	or <computeroutput>Joined 'SERV1' to realm 'MYREALM'</computeroutput>
+	</para>
+
+	<para>in your terminal window. See the <ulink url="net.8.html">
+	net(8)</ulink> man page for more details.</para>
+	
+	<para>This process joins the server to thedomain
+	without having to create the machine trust account on the PDC
+	beforehand.</para>
+
+	<para>This command goes through the machine account password 
+	change protocol, then writes the new (random) machine account 
+	password for this Samba server into a file in the same directory 
+	in which an smbpasswd file would be stored - normally :</para>
+
+	<para><filename>/usr/local/samba/private/secrets.tdb</filename></para>
+
+	<para>This file is created and owned by root and is not 
+	readable by any other user. It is the key to the domain-level 
+	security for your system, and should be treated as carefully 
+	as a shadow password file.</para>
+
 	<para>Finally, restart your Samba daemons and get ready for 
 	clients to begin using domain security!</para>
 </sect1>
@@ -144,23 +130,8 @@
 <para>
 Many people have asked regarding the state of Samba's ability to participate in
 a Windows 2000 Domain.  Samba 3.0 is able to act as a member server of a Windows
-2000 domain operating in mixed or native mode.
-</para>
-
-<para>
-There is much confusion between the circumstances that require a "mixed" mode
-Win2k DC and a when this host can be switched to "native" mode.  A "mixed" mode
-Win2k domain controller is only needed if Windows NT BDCs must exist in the same
-domain.  By default, a Win2k DC in "native" mode will still support
-NetBIOS and NTLMv1 for authentication of legacy clients such as Windows 9x and 
-NT 4.0.  Samba has the same requirements as a Windows NT 4.0 member server.
-</para>
-
-<para>
-The steps for adding a Samba 2.2 host to a Win2k domain are the same as those
-for adding a Samba server to a Windows NT 4.0 domain. The only exception is that 
-the "Server Manager" from NT 4 has been replaced by the "Active Directory Users and 
-Computers" MMC (Microsoft Management Console) plugin.
+2000 domain operating in mixed or native mode.  The steps above apply
+to both NT4 and Windows 2000.
 </para>
 
 </sect1>
@@ -205,13 +176,7 @@ Computers" MMC (Microsoft Management Console) plugin.
 	<para>And finally, acting in the same manner as an NT server 
 	authenticating to a PDC means that as part of the authentication 
 	reply, the Samba server gets the user identification information such 
-	as the user SID, the list of NT groups the user belongs to, etc. All 
-	this information will allow Samba to be extended in the future into 
-	a mode the developers currently call appliance mode. In this mode, 
-	no local Unix users will be necessary, and Samba will generate Unix 
-	uids and gids from the information passed back from the PDC when a 
-	user is authenticated, making a Samba server truly plug and play 
-	in an NT domain environment. Watch for this code soon.</para>
+	as the user SID, the list of NT groups the user belongs to, etc. </para>
 
 	<para><emphasis>NOTE:</emphasis> Much of the text of this document 
 	was first published in the Web magazine <ulink url="http://www.linuxworld.com">