Merge from HEAD.

docs/docbook/projdoc/ADS-HOWTO.sgml

@@ -19,16 +19,16 @@ Windows2000 KDC.
 <para>You must use at least the following 3 options in smb.conf:</para>
 
 <para><programlisting>
-  realm = YOUR.KERBEROS.REALM
-  security = ADS
-  encrypt passwords = yes
+	realm = YOUR.KERBEROS.REALM
+	security = ADS
+	encrypt passwords = yes
 </programlisting></para>
 
 <para>
 In case samba can't figure out your ads server using your realm name, use the 
 <command>ads server</command> option in <filename>smb.conf</filename>:
 <programlisting>
-  ads server = your.kerberos.server
+	ads server = your.kerberos.server
 </programlisting>
 </para>
 
@@ -49,10 +49,10 @@ In case samba can't figure out your ads server using your realm name, use the
 <para>The minimal configuration for <filename>krb5.conf</filename> is:</para>
 
 <para><programlisting>
-[realms]
-    YOUR.KERBEROS.REALM = {
-	kdc = your.kerberos.server
-    }
+	[realms]
+	    YOUR.KERBEROS.REALM = {
+		kdc = your.kerberos.server
+	    }
 </programlisting></para>
 
 <para>Test your config by doing a <userinput>kinit
@@ -98,7 +98,9 @@ is only needed if you want kerberos support for &smbd; and &winbindd;.
 <para>
 As a user that has write permission on the Samba private directory
 (usually root) run:
-<userinput>net ads join</userinput>
+<programlisting>
+	<userinput>net join -U Administrator%password</userinput>
+</programlisting>
 </para>
 
 <sect2>
@@ -106,16 +108,16 @@ As a user that has write permission on the Samba private directory
 
 <para>
 <variablelist>
-<varlistentry><term>"ADS support not compiled in"</term>
-<listitem><para>Samba must be reconfigured (remove config.cache) and recompiled
-(make clean all install) after the kerberos libs and headers are installed.
-</para></listitem></varlistentry>
+	<varlistentry><term>"ADS support not compiled in"</term>
+	<listitem><para>Samba must be reconfigured (remove config.cache) and recompiled
+	(make clean all install) after the kerberos libs and headers are installed.
+	</para></listitem></varlistentry>
 
-<varlistentry><term>net ads join prompts for user name</term>
-<listitem><para>You need to login to the domain using <userinput>kinit
-<replaceable>USERNAME</replaceable>@<replaceable>REALM</replaceable></userinput>.
-<replaceable>USERNAME</replaceable> must be a user who has rights to add a machine
-to the domain.  </para></listitem></varlistentry>
+	<varlistentry><term>net join prompts for user name</term>
+	<listitem><para>You need to login to the domain using <userinput>kinit
+	<replaceable>USERNAME</replaceable>@<replaceable>REALM</replaceable></userinput>.
+	<replaceable>USERNAME</replaceable> must be a user who has rights to add a machine
+	to the domain.  </para></listitem></varlistentry>
 </variablelist>
 </para>
 

docs/docbook/projdoc/DOMAIN_MEMBER.sgml

@@ -12,15 +12,18 @@
 <sect1>
 
 	<title>Joining an NT Domain with Samba 3.0</title>
+<!--changed by RS: IMHO, this would read better and be easier to reference as a listrather than written out in paragraph form-->
+	<para>
+	<variablelist>
+	<varlistentry><term>"Assumptions:"</term>
+	<listitem>NetBIOS name: <constant>SERV1</constant></listitem>
+	<listitem>Win2K/NT domain name: <constant>DOM</constant></listitem>
+	<listitem>Domain's PDC NetBIOS name: <constant>DOMPDC</constant></listitem>
+	<listitem>Domain's BDC NetBIOS names: <constant>DOMBDC1</constant> and <constant>DOMBDC2</constant></listitem>
+	</variablelist>
+	</para>
 
-	<para>Assume you have a Samba 3.0 server with a NetBIOS name of 
-	<constant>SERV1</constant> and are joining a Win2k or NT domain called
-	<constant>DOM</constant>, which has a PDC with a NetBIOS name
-	of <constant>DOMPDC</constant> and two backup domain controllers 
-	with NetBIOS names <constant>DOMBDC1</constant> and <constant>DOMBDC2
-	</constant>.</para>
-
-	<para>Firstly, you must edit your &smb.conf; file to tell Samba it should
+	<para>First, you must edit your &smb.conf; file to tell Samba it should
 	now use domain security.</para>
 	
 	<para>Change (or add) your <ulink url="smb.conf.5.html#SECURITY">
@@ -66,9 +69,14 @@
 	<para>In order to actually join the domain, you must run this
         command:</para>
 
-	<para><prompt>root# </prompt><userinput>net rpc join -S DOMPDC
+	<para><prompt>root# </prompt><userinput>net join -S DOMPDC
 	-U<replaceable>Administrator%password</replaceable></userinput></para>
 
+	<para>
+	If the <userinput>-S DOMPDC</userinput> argument is not given then
+	the domain name will be obtained from smb.conf.
+	</para>
+
 	<para>as we are joining the domain DOM and the PDC for that domain 
 	(the only machine that has write access to the domain SAM database) 
 	is DOMPDC. The <replaceable>Administrator%password</replaceable> is 
@@ -83,7 +91,7 @@
 	<para>in your terminal window. See the <ulink url="net.8.html">
 	net(8)</ulink> man page for more details.</para>
 	
-	<para>This process joins the server to thedomain
+	<para>This process joins the server to the domain
 	without having to create the machine trust account on the PDC
 	beforehand.</para>
 
@@ -120,8 +128,7 @@
 	<para>Please refer to the <ulink url="winbind.html">Winbind 
 	paper</ulink> for information on a system to automatically
 	assign UNIX uids and gids to Windows NT Domain users and groups.
-	This code is available in development branches only at the moment,
-	but will be moved to release branches soon.</para>
+	</para>
 
 	<para>The advantage to domain-level security is that the 
 	authentication in domain-level security is passed down the authenticated 
@@ -129,7 +136,7 @@
 	means Samba servers now participate in domain trust relationships in 
 	exactly the same way NT servers do (i.e., you can add Samba servers into 
 	a resource domain and have the authentication passed on from a resource
-	domain PDC to an account domain PDC.</para>
+	domain PDC to an account domain PDC).</para>
 
 	<para>In addition, with <command>security = server</command> every Samba 
 	daemon on a server has to keep a connection open to the 

docs/docbook/projdoc/Diagnosis.sgml

@@ -20,13 +20,15 @@ then it is probably working fine.
 <para>
 You should do ALL the tests, in the order shown. We have tried to
 carefully choose them so later tests only use capabilities verified in
-the earlier tests.
+the earlier tests.  However, do not stop at the first error as there
+have been some instances when continuing with the tests has helped
+to solve a problem.
 </para>
 
 <para>
 If you send one of the samba mailing lists  an email saying "it doesn't work"
 and you have not followed this test procedure then you should not be surprised
-your email is ignored.
+if your email is ignored.
 </para>
 
 </sect1>
@@ -46,7 +48,7 @@ The procedure is similar for other types of clients.
 <para>
 It is also assumed you know the name of an available share in your
 &smb.conf;. I will assume this share is called <replaceable>tmp</replaceable>.
-You can add a <replaceable>tmp</replaceable> share like by adding the
+You can add a <replaceable>tmp</replaceable> share like this by adding the
 following to &smb.conf;:
 </para>
 
@@ -61,12 +63,13 @@ following to &smb.conf;:
 </para>
 
 <note><para>
-These tests assume version 3.0 or later of the samba suite. Some commands shown did not exist in earlier versions. 
+These tests assume version 3.0 or later of the samba suite.
+Some commands shown did not exist in earlier versions. 
 </para></note>
 
 <para>
 Please pay attention to the error messages you receive. If any error message
-reports that your server is being unfriendly you should first check that you
+reports that your server is being unfriendly you should first check that your
 IP name resolution is correctly set up. eg: Make sure your <filename>/etc/resolv.conf</filename>
 file points to name servers that really do exist.
 </para>
@@ -77,6 +80,21 @@ that the settings for your &smb.conf; file results in <command>dns proxy = no</c
 best way to check this is with <userinput>testparm smb.conf</userinput>.
 </para>
 
+<para>
+It is helpful to monitor the log files during testing by using the
+<command>tail -F <replaceable>log_file_name</replaceable> in a separate
+terminal console (use ctrl-alt-F1 through F6 or multiple terminals in X). 
+Relevant log files can be found (for default installations) in
+<filename>/usr/local/samba/var</filename>.  Also, connection logs from
+machines can be found here or possibly in <filename>/var/log/samba</filename>
+depending on how or if you specified logging in your &smb.conf; file.
+</para>
+
+<para>
+If you make changes to your &smb.conf; file while going through these test,
+don't forget to restart &smbd; and &nmbd;.
+</para>
+
 </sect1>
 
 <sect1>
@@ -124,6 +142,11 @@ software. You will need to relax the rules to let in the workstation
 in question, perhaps by allowing access from another subnet (on Linux
 this is done via the <application>ipfwadm</application> program.)
 </para>
+
+<para>
+Note: Modern Linux distributions install ipchains/iptables by default. 
+This is a common problem that is often overlooked.
+</para>
 </step>
 
 <step performance="required">
@@ -149,6 +172,13 @@ it is running, and check that the netbios-ssn port is in a LISTEN
 state using <userinput>netstat -a</userinput>.
 </para>
 
+<note><para>
+Some Unix / Linux systems use <command>xinetd</command> in place of
+<command>inetd</command>. Check your system documentation for the location
+of the control file/s for your particular system implementation of
+this network super daemon.
+</para></note>
+
 <para>
 If you get a "session request failed" then the server refused the
 connection. If it says "Your server software is being unfriendly" then
@@ -265,7 +295,7 @@ hosts.
 <para>
 If this doesn't give a similar result to the previous test then
 nmblookup isn't correctly getting your broadcast address through its
-automatic mechanism. In this case you should experiment use the
+automatic mechanism. In this case you should experiment with the
 <command>interfaces</command> option in &smb.conf; to manually configure your IP
 address, broadcast and netmask. 
 </para>
@@ -358,7 +388,7 @@ when you type <command>dir</command>.
 <step performance="required">
 
 <para>
-On the PC type the command <userinput>net view \\BIGSERVER</userinput>. You will 
+On the PC, type the command <userinput>net view \\BIGSERVER</userinput>. You will 
 need to do this from within a "dos prompt" window. You should get back a 
 list of available shares on the server.
 </para>
@@ -463,7 +493,7 @@ an election is held at startup.
 <step performance="required">
 
 <para>
-From file manager try to browse the server. Your samba server should
+>From file manager try to browse the server. Your samba server should
 appear in the browse list of your local workgroup (or the one you
 specified in smb.conf). You should be able to double click on the name
 of the server and get a list of shares. If you get a "invalid

docs/docbook/projdoc/NetworkBrowsing.sgml

@@ -8,7 +8,7 @@
 <title>Samba / MS Windows Network Browsing Guide</title>
 
 <para>
-This document contains detailed informataion as well as a fast track guide to
+This document contains detailed information as well as a fast track guide to
 implementing browsing across subnets and / or across workgroups (or domains).
 WINS is the best tool for resolution of NetBIOS names to IP addesses. WINS is
 NOT involved in browse list handling except by way of name to address resolution.

docs/docbook/projdoc/Samba-PDC-HOWTO.sgml

@@ -169,6 +169,11 @@ Here is an example &smb.conf; for acting as a PDC:
     <ulink url="smb.conf.5.html#NETBIOSNAME">netbios name</ulink> = <replaceable>POGO</replaceable>
     <ulink url="smb.conf.5.html#WORKGROUP">workgroup</ulink> = <replaceable>NARNIA</replaceable>
 
+    ; User and Machine Account Backends
+    ; Choices are: tdbsam, tdbsam_nua, smbpasswd, smbpasswd_nua, ldapsam, ldapsam_nua, ...
+    ;              mysqlsam, xmlsam, guest
+    <ulink url="smb.conf.5.html#PASSDBBACKEND">passdb backend</ulink> = ldapsam, guest
+
     ; we should act as the domain and local master browser
     <ulink url="smb.conf.5.html#OSLEVEL">os level</ulink> = 64
     <ulink url="smb.conf.5.html#PERFERREDMASTER">preferred master</ulink> = yes
@@ -209,6 +214,20 @@ Here is an example &smb.conf; for acting as a PDC:
     <ulink url="smb.conf.5.html#DIRECTORYMASK">directory mask</ulink> = 0700
 </programlisting></para>
 
+<note><para>
+The above parameters make for a full set of parameters that may define the server's mode
+of operation. The following parameters are the essentials alone:
+
+<programlisting>
+	workgroup = NARNIA
+	domain logons = Yes
+	security = User
+</programlisting>
+
+The additional parameters shown in the longer listing above just makes for a
+more complete environment.
+</para></note>
+
 <para>
 There are a couple of points to emphasize in the above configuration.
 </para>
@@ -264,13 +283,13 @@ shared secret with the domain controller.
 
 <para>A Windows PDC stores each machine trust account in the Windows
 Registry. A Samba-3 PDC also has to store machine trust account information
-in a suitable back-end data store. With Samba-3 there can be multiple back-ends
+in a suitable backend data store. With Samba-3 there can be multiple back-ends
 for this including:
 </para>
 
 <itemizedlist>
 	<listitem><para>
-	<emphasis>smbpaswd</emphasis> - the plain ascii file stored used by
+	<emphasis>smbpasswd</emphasis> - the plain ascii file stored used by
 	earlier versions of Samba. This file configuration option requires
 	a Unix/Linux system account for EVERY entry (ie: both for user and for
 	machine accounts). This file will be located in the <emphasis>private</emphasis>
@@ -311,9 +330,16 @@ for this including:
 	</para></listitem>
 </itemizedlist>
 
-<para>Read the chapter about the <link linkend="passdb">User Database</link> 
+<para>Read the chapter about the <link linkend="passdb backend">User Database</link> 
 for details.</para>
 
+<note><para>
+The new tdbsam and ldapsam account backends store vastly more information than
+smbpasswd is capable of. The new backend database includes capacity to specify
+per user settings for many parameters, over-riding global settings given in the
+<filename>smb.conf</filename> file. eg: logon drive, logon home, logon path, etc.
+</para></note>
+
 <para>
 A Samba PDC, however, stores each machine trust account in two parts,
 as follows:
@@ -420,7 +446,7 @@ the corresponding Unix account.
 	equivalent of creating a machine trust account on a Windows NT PDC using 
 	the "Server Manager".  From the time at which the account is created
 	to the time which the client joins the domain and changes the password,
-	your domain is vulnerable to an intruder joining your domain using a
+	your domain is vulnerable to an intruder joining your domain using
 	a machine with the same NetBIOS name.  A PDC inherently trusts
 	members of the domain and will serve out a large degree of user 
 	information to such clients.  You have been warned!
@@ -469,20 +495,22 @@ version of Windows.
 <itemizedlist>
 <listitem><para><emphasis>Windows 2000</emphasis></para>
 
-	<para> When the user elects to join the client to a domain, Windows prompts for
-	an account and password that is privileged to join the domain.  A
-	Samba administrative account (i.e., a Samba account that has root
-	privileges on the Samba server) must be entered here; the
-	operation will fail if an ordinary user account is given. 
-	The password for this account should be
-	set to a different password than the associated
-	<filename>/etc/passwd</filename> entry, for security
-	reasons. </para>
+	<para>
+	When the user elects to join the client to a domain, Windows prompts for
+	an account and password that is privileged to join the domain. A Samba administrative
+	account (i.e., a Samba account that has root privileges on the Samba server) must be
+	entered here; the operation will fail if an ordinary user account is given. 
+	The password for this account should be set to a different password than the associated
+	<filename>/etc/passwd</filename> entry, for security reasons.
+	</para>
 
-	<para>The session key of the Samba administrative account acts as an
+	<para>
+	The session key of the Samba administrative account acts as an
 	encryption key for setting the password of the machine trust
 	account. The machine trust account will be created on-the-fly, or
-	updated if it already exists.</para>
+	updated if it already exists.
+	</para>
+
 </listitem>
 
 <listitem><para><emphasis>Windows NT</emphasis></para>
@@ -522,11 +550,9 @@ systems?) won't create a user with a '$' in their name.
 </para>
 
 <para>
-The problem is only in the program used to make the entry, once 
-made, it works perfectly. So create a user without the '$' and 
-use <command>vipw</command> to edit the entry, adding the '$'. Or create 
-the whole entry with vipw if you like, make sure you use a 
-unique User ID !
+The problem is only in the program used to make the entry. Once made, it works perfectly.
+Create a user without the '$' using <command>vipw</command> to edit the entry, adding
+the '$'. Or create the whole entry with vipw if you like, make sure you use a unique User ID!
 </para>
 </sect2>
 
@@ -547,7 +573,7 @@ will remove all network drive connections:
 </para>
 
 <para>
-Further, if the machine is a already a 'member of a workgroup' that 
+Further, if the machine is already a 'member of a workgroup' that 
 is the same name as the domain you are joining (bad idea) you will 
 get this message.  Change the workgroup name to something else, it 
 does not matter what, reboot, and try again.
@@ -569,8 +595,18 @@ is changed. The most common cause of a change in domain SID is when
 the domain name and/or the server name (netbios name) is changed.
 The only way to correct the problem is to restore the original domain 
 SID or remove the domain client from the domain and rejoin. The domain
-SID may be reset using either the smbpasswd or rpcclient utilities.
+SID may be reset using either the net or rpcclient utilities.
 </para>
+
+<para>
+The reset or change the domain SID you can use the net command as follows:
+
+<programlisting>
+	net getlocalsid 'OLDNAME'
+	net setlocalsid 'SID'
+</programlisting>
+</para>
+
 </sect2>
 
 <sect2>

docs/docbook/projdoc/security_level.sgml

@@ -128,6 +128,13 @@ That real authentication server can be another Samba server or can be a
 Windows NT server, the later natively capable of encrypted password support.
 </para>
 
+<note><para>
+<emphasis>Server</emphasis> level security is incompatible with what is known 
+as </empahsis>schannel</emphasis> or "sign and seal" protocols. This means that
+if you want to use <empahsis>server</emphasis> level security you must disable
+the use of "sign and seal" on all machines on your network.
+</para></note>
+
 <sect3>
 <title>Configuring Samba for Seemless Windows Network Integration</title>
 
@@ -270,7 +277,7 @@ all authentication requests to be passed through to the domain controllers.
 <title>Samba as a member of an MS Windows NT security domain</title>
 
 <para>
-This method involves additon of the following paramters in the &smb.conf; file:
+This method involves addition of the following parameters in the &smb.conf; file:
 </para>
 
 <para><programlisting>
@@ -297,7 +304,9 @@ MS Windows NT security domain. This is done as follows:
 	</para></listitem>
 	
 	<listitem><para>Next, on the Linux system execute: 
-	<command>smbpasswd -r PDC_NAME -j DOMAIN_NAME</command>
+	<command>smbpasswd -r PDC_NAME -j DOMAIN_NAME</command> (samba 2.x)
+
+	<command>net join -U administrator%password</command>   (samba-3)
 	</para></listitem>
 </itemizedlist>