From 61b015fdeb4228bbcdf0fb65c0c93e67f5b80d4c Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 11 Oct 2001 20:00:58 +0000 Subject: More docs sync. Jeremy. --- docs/htmldocs/Integrating-with-Windows.html | 4 +- docs/htmldocs/Samba-HOWTO-Collection.html | 1673 ++++++++++++++++++++------- docs/htmldocs/Samba-PDC-HOWTO.html | 60 +- docs/htmldocs/UNIX_INSTALL.html | 33 +- docs/htmldocs/nmbd.8.html | 32 +- docs/htmldocs/printer_driver2.html | 2 +- docs/htmldocs/smb.conf.5.html | 1433 +++++++++++++++++------ docs/htmldocs/smbclient.1.html | 23 +- docs/htmldocs/smbcontrol.1.html | 14 +- docs/htmldocs/smbd.8.html | 17 +- docs/htmldocs/smbmnt.8.html | 16 +- docs/htmldocs/smbmount.8.html | 54 +- docs/htmldocs/smbpasswd.8.html | 2 +- docs/htmldocs/wbinfo.1.html | 7 +- docs/htmldocs/winbind.html | 758 +++++++++++- docs/htmldocs/winbindd.8.html | 79 +- docs/manpages/nmbd.8 | 17 +- docs/manpages/smb.conf.5 | 590 +++++++--- docs/manpages/smbclient.1 | 7 +- docs/manpages/smbcontrol.1 | 7 +- docs/manpages/smbd.8 | 10 +- docs/manpages/smbmnt.8 | 14 +- docs/manpages/smbmount.8 | 43 +- docs/manpages/smbpasswd.8 | 4 +- docs/manpages/smbumount.8 | 2 +- docs/manpages/wbinfo.1 | 9 +- docs/manpages/winbindd.8 | 33 +- 27 files changed, 3707 insertions(+), 1236 deletions(-) (limited to 'docs') diff --git a/docs/htmldocs/Integrating-with-Windows.html b/docs/htmldocs/Integrating-with-Windows.html index fbfad867bab..7c5fe316272 100644 --- a/docs/htmldocs/Integrating-with-Windows.html +++ b/docs/htmldocs/Integrating-with-Windows.html @@ -1001,7 +1001,7 @@ the procedure for creating an account.

	# useradd -s /bin/bash -d /home/"userid" -m
+>	# useradd -s /bin/bash -d /home/"userid" -m "userid"
 	# passwd "userid"
 	  Enter Password: <pw>
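Review bot: the missing login name was the real defect on the `useradd` line and the added `"userid"` fixes it, but nothing in the hunk says that the quoted `"userid"` is a placeholder; a reader who copies the line verbatim creates an account literally named `userid` with a home of `/home/userid`. Suggest either stating that `userid` is to be replaced or rendering it like the `<pw>` placeholder on the `Enter Password:` line.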
 	  
@@ -1023,7 +1023,7 @@ controller.  Refer to the Samba-PDC-HOWTO for more details.

	# useradd -a /bin/false -d /dev/null "machine_name"\$
+>	# useradd -s /bin/false -d /dev/null "machine_name"\$
 	# passwd -l "machine_name"\$
 	# smbpasswd -a -m "machine_name"
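Review bot: `-a` is not a `useradd` option, so the old command failed outright; `-s /bin/false` is the intended shell and the right fix. The rest of the recipe is sound from a hardening standpoint: no login shell, `/dev/null` as home, `passwd -l` to lock the UNIX password, and `smbpasswd -a -m` for the machine account. One sentence in the text would help: the `\$` in the `useradd` and `passwd` lines is escaped only so the shell does not expand it, while the `smbpasswd -a -m "machine_name"` line omits it, which is consistent with `-m` appending the trailing `$` itself.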



Abstract

Last Update : Tue Jul 31 15:58:03 CDT 2001

This book is a collection of HOWTOs added to Samba documentation over the years. I try to ensure that all are current, but sometimes the is a larger job than one person can maintain. The most recent version of this document @@ -69,27 +73,27 @@ HREF="#INSTALL" >

1.1. Step 0: Read the man pages
1.2. Step 1: Building the Binaries
1.3. Step 2: The all important step
1.4. Step 3: Create the smb configuration file.
1.5. Step 4: Test your config file with
1.6. Step 5: Starting the smbd and nmbd
1.6.1. Step 5a: Starting from inetd.conf
1.6.2. Step 5b. Alternative: starting it as a daemon
1.7. Step 6: Try listing the shares available on your server
1.8. Step 7: Try connecting with the unix client
1.9. Step 8: Try connecting from a DOS, WfWg, Win9x, WinNT, Win2k, OS/2, etc... client
1.10. What If Things Don't Work?
1.10.1. Diagnosing Problems
1.10.2. Scope IDs
1.10.3. Choosing the Protocol Level
1.10.4. Printing from UNIX to a Client PC
1.10.5. Locking
1.10.6. Mapping Usernames
1.10.7. Other Character Sets
2.1. Agenda
2.2. Name Resolution in a pure Unix/Linux world
2.2.1. /etc/hosts
2.2.2. /etc/resolv.conf
2.2.3. /etc/host.conf
2.2.4. /etc/nsswitch.conf
2.3. Name resolution as used within MS Windows networking
2.3.1. The NetBIOS Name Cache
2.3.2. The LMHOSTS file
2.3.3. HOSTS file
2.3.4. DNS Lookup
2.3.5. WINS Lookup
2.4. How browsing functions and how to deploy stable and dependable browsing using Samba
2.5. MS Windows security options and how to configure Samba for seemless integration
2.5.1. Use MS Windows NT as an authentication server
2.5.2. Make Samba a member of an MS Windows NT security domain
2.5.3. Configure Samba as an authentication server
2.5.3.1. Users
2.5.3.2. MS Windows NT Machine Accounts
2.6. Conclusions
3.1. Samba and PAM
3.2. Distributed Authentication
3.3. PAM Configuration in smb.conf
4.1. Instructions
4.1.1. Notes
5.1. Viewing and changing UNIX permissions using the NT security dialogs
5.2. How to view file security on a Samba share
5.3. Viewing file ownership
5.4. Viewing file or directory permissions
5.4.1. File Permissions
5.4.2. Directory Permissions
5.5. Modifying file or directory permissions
5.6. Interaction with the standard Samba create mask parameters
5.7. Interaction with the standard Samba file attribute mapping
6.1. Introduction
6.2. Configuration
6.2.1. Creating [print$]
6.2.2. Setting Drivers for Existing Printers
6.2.3. Support a large number of printers
6.2.4. Adding New Printers via the Windows NT APW
6.2.5. Samba and Printer Ports
6.3. The Imprints Toolset
6.3.1. What is Imprints?
6.3.2. Creating Printer Driver Packages
6.3.3. The Imprints server
6.3.4. The Installation Client
6.4.
7.1. Joining an NT Domain with Samba 2.2
7.2. Samba and Windows 2000 Domains
7.3. Why is this better than security = server?
8.1. Prerequisite Reading
8.2. Background
8.3. Configuring the Samba Domain Controller
8.4. Creating Machine Trust Accounts and Joining Clients to the Domain
8.4.1. Manually creating machine trust accounts
8.4.2. Creating machine trust accounts "on the fly"
8.5. Common Problems and Errors
8.6. System Policies and Profiles
8.7. What other help can I get ?
8.8. Domain Control for Windows 9x/ME
8.8.1. Configuration Instructions: Network Logons
8.8.2. Configuration Instructions: Setting up Roaming User Profiles
8.8.2.1. Windows NT Configuration
8.8.2.2. Windows 9X Configuration
8.8.2.3. Win9X and WinNT Configuration
8.8.2.4. Windows 9X Profile Setup
8.8.2.5. Windows NT Workstation 4.0
8.8.2.6. Windows NT Server
8.8.2.7. Sharing Profiles between W95 and NT Workstation 4.0
8.9. DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba
9.1. Abstract
9.2. Introduction
9.3. What Winbind Provides
9.3.1. Target Uses
9.4. How Winbind Works
9.4.1. Microsoft Remote Procedure Calls
9.4.2. Name Service Switch
9.4.3. Pluggable Authentication Modules
9.4.4. User and Group ID Allocation
9.4.5. Result Caching
9.5. Installation and Configuration
9.5.1. Introduction
9.5.2. Requirements
9.5.3. Testing Things Out
9.5.3.1. Configure and compile SAMBA
9.5.3.2. Configure nsswitch.conf and the winbind libraries
9.5.3.3. Configure smb.conf
9.5.3.4. Join the SAMBA server to the PDC domain
9.5.3.5. Start up the winbindd daemon and test it!
9.5.3.6. Fix the /etc/rc.d/init.d/smb startup files
9.5.3.7. Configure Winbind and PAM
9.6. Limitations
9.7. Conclusion
10.1. FAQs
10.1.1. How can I configure OS/2 Warp Connect or OS/2 Warp 4 as a client for Samba?
10.1.2. How can I configure OS/2 Warp 3 (not Connect), OS/2 1.2, 1.3 or 2.x for Samba?
10.1.3. Are there any other issues when OS/2 (any version) is used as a client?
10.1.4. How do I get printer driver download working for OS/2 clients?
11.1. Introduction
11.2. CVS Access to samba.org
11.2.1. Access via CVSweb
11.2.2. Access via cvs
Index

1.1. Step 0: Read the man pages


1.2. Step 1: Building the Binaries


1.3. Step 2: The all important step


1.4. Step 3: Create the smb configuration file.


1.5. Step 4: Test your config file with

1.6. Step 5: Starting the smbd and nmbd


1.6.1. Step 5a: Starting from inetd.conf


1.6.2. Step 5b. Alternative: starting it as a daemon


1.7. Step 6: Try listing the shares available on your server


1.8. Step 7: Try connecting with the unix client


1.9. Step 8: Try connecting from a DOS, WfWg, Win9x, WinNT, Win2k, OS/2, etc... client


1.10. What If Things Don't Work?


1.10.1. Diagnosing Problems


1.10.2. Scope IDs


1.10.3. Choosing the Protocol Level


1.10.4. Printing from UNIX to a Client PC


1.10.5. Locking

Samba supports "record locking" using the fcntl() unix system - call. This is often implemented using rpc calls to a rpc.lockd process - running on the system that owns the filesystem. Unfortunately many - rpc.lockd implementations are very buggy, particularly when made to - talk to versions from other vendors. It is not uncommon for the - rpc.lockd to crash.

There is also a problem translating the 32 bit lock - requests generated by PC clients to 31 bit requests supported - by most unixes. Unfortunately many PC applications (typically - OLE2 applications) use byte ranges with the top bit set - as semaphore sets. Samba attempts translation to support - these types of applications, and the translation has proved - to be quite successful.

Record locking semantics under Unix is very + different from record locking under Windows. Versions + of Samba before 2.2 have tried to use the native + fcntl() unix system call to implement proper record + locking between different Samba clients. This can not + be fully correct due to several reasons. The simplest + is the fact that a Windows client is allowed to lock a + byte range up to 2^32 or 2^64, depending on the client + OS. The unix locking only supports byte ranges up to + 2^31. So it is not possible to correctly satisfy a + lock request above 2^31. There are many more + differences, too many to be listed here.

Samba 2.2 and above implements record locking + completely independent of the underlying unix + system. If a byte range lock that the client requests + happens to fall into the range 0-2^31, Samba hands + this request down to the Unix system. All other locks + can not be seen by unix anyway.

Strictly a SMB server should check for locks before every read and write call on a file. Unfortunately with the @@ -1617,7 +1684,7 @@ CLASS="SECT2" >
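Review bot: the added paragraph should say what happens to a lock outside 0-2^31 rather than leaving it at "can not be seen by unix anyway": since Samba 2.2 now keeps its record locking independent of the UNIX system, such a lock lives only in Samba's own state, so a local UNIX process using fcntl() on the same file will not see it and the two sides can conflict. Making that explicit tells administrators that mixing local and SMB access to the same files still needs care even though Samba no longer depends on rpc.lockd for correctness between SMB clients. Also "can not" → "cannot" in both added paragraphs.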


1.10.6. Mapping Usernames


1.10.7. Other Character Sets

2.1. Agenda


2.2. Name Resolution in a pure Unix/Linux world


2.2.1. /etc/hosts

2.2.2. /etc/resolv.conf

2.2.3. /etc/host.conf

2.2.4. /etc/nsswitch.conf

2.3. Name resolution as used within MS Windows networking


2.3.1. The NetBIOS Name Cache


2.3.2. The LMHOSTS file


2.3.3. HOSTS file


2.3.4. DNS Lookup


2.3.5. WINS Lookup


2.4. How browsing functions and how to deploy stable and dependable browsing using Samba


2.5. MS Windows security options and how to configure Samba for seemless integration


2.5.1. Use MS Windows NT as an authentication server


2.5.2. Make Samba a member of an MS Windows NT security domain


2.5.3. Configure Samba as an authentication server


2.5.3.1. Users

	# useradd -s /bin/bash -d /home/"userid" -m
+>	# useradd -s /bin/bash -d /home/"userid" -m "userid"
 	# passwd "userid"
 	  Enter Password: <pw>
 	  
@@ -2747,7 +2814,7 @@ CLASS="SECT3"
 >

2.5.3.2. MS Windows NT Machine Accounts

	# useradd -a /bin/false -d /dev/null "machine_name"\$
+>	# useradd -s /bin/false -d /dev/null "machine_name"\$
 	# passwd -l "machine_name"\$
 	# smbpasswd -a -m "machine_name"
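Review bot: the duplicated recipe is the maintenance hazard here: the same `-a` and missing-username errors had to be corrected both in Integrating-with-Windows.html and in this copy in Samba-HOWTO-Collection.html, and the two copies could drift apart again. Consider keeping the account-creation steps in one document and cross-referencing them from the other.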

2.6. Conclusions

3.1. Samba and PAM


3.2. Distributed Authentication


3.3. PAM Configuration in smb.conf

4.1. Instructions


4.1.1. Notes

5.1. Viewing and changing UNIX permissions using the NT security dialogs


5.2. How to view file security on a Samba share


5.3. Viewing file ownership


5.4. Viewing file or directory permissions


5.4.1. File Permissions


5.4.2. Directory Permissions


5.5. Modifying file or directory permissions


5.6. Interaction with the standard Samba create mask parameters


5.7. Interaction with the standard Samba file attribute mapping

6.1. Introduction


6.2. Configuration


6.2.1. Creating [print$]

is used to allow administrative level user accounts to have write access in order to update files on the share. See the smb.conf(5) man page


6.2.2. Setting Drivers for Existing Printers


6.2.3. Support a large number of printers


6.2.4. Adding New Printers via the Windows NT APW


6.2.5. Samba and Printer Ports


6.3. The Imprints Toolset


6.3.1. What is Imprints?


6.3.2. Creating Printer Driver Packages


6.3.3. The Imprints server


6.3.4. The Installation Client


6.4.

Given that printer driver management has changed (we hope improved) in 2.2 over prior releases, migration from an existing setup to 2.2 can -follow several paths.

Windows clients have a tendency to remember things for quite a while. -For example, if a Windows NT client has attached to a Samba 2.0 server, -it will remember the server as a LanMan printer server. Upgrading -the Samba host to 2.2 makes support for MSRPC printing possible, but -the NT client will still remember the previous setting.

  • In order to give an NT client printing "amnesia" (only necessary if you -want to use the newer MSRPC printing functionality in Samba), delete -the registry keys associated with the print server contained in -[HKLM\SYSTEM\CurrentControlSet\Control\Print]. The -spooler service on the client should be stopped prior to doing this:

    If you do not desire the new Windows NT + print driver support, nothing needs to be done. + All existing parameters work the same.

  • C:\WINNT\ > net stop spooler

    If you want to take advantage of NT printer + driver support but do not want to migrate the + 9x drivers to the new setup, the leave the existing + printers.def file. When smbd attempts + to locate a + 9x driver for the printer in the TDB and fails it + will drop down to using the printers.def (and all + associated parameters). The make_printerdef + tool will also remain for backwards compatibility but will + be removed in the next major release.

  • All the normal disclaimers about editing the registry go -here. Be careful, and know what you are doing.

    If you install a Windows 9x driver for a printer + on your Samba host (in the printing TDB), this information will + take precedence and the three old printing parameters + will be ignored (including print driver location).

  • The spooler service should be restarted after you have finished -removing the appropriate registry entries by replacing the -If you want to migrate an existing printers.def + file into the new setup, the current only solution is to use the Windows + NT APW to install the NT drivers and the 9x drivers. This can be scripted + using stop command above with smbclient and start.

    Windows 9x clients will continue to use LanMan printing calls -with a 2.2 Samba server so there is no need to perform any of these -modifications on non-NT clients.

    rpcclient. See the + Imprints installation client at http://imprints.sourceforge.net/ + for an example. +

The following smb.conf parameters are considered to be depreciated and will -be removed soon. Do not use them in new installations

The following smb.conf parameters are considered to +be deprecated and will be removed soon. Do not use them in new +installations

    Here are the possible scenarios for supporting migration:

    • If you do not desire the new Windows NT - print driver support, nothing needs to be done. - All existing parameters work the same.

    • If you want to take advantage of NT printer - driver support but do not want to migrate the - 9x drivers to the new setup, the leave the existing - printers.def file. When smbd attempts to locate a - 9x driver for the printer in the TDB and fails it - will drop down to using the printers.def (and all - associated parameters). The make_printerdef - tool will also remain for backwards compatibility but will - be moved to the "this tool is the old way of doing it" - pile.

    • If you install a Windows 9x driver for a printer - on your Samba host (in the printing TDB), this information will - take precedence and the three old printing parameters - will be ignored (including print driver location).

    • If you want to migrate an existing printers.def - file into the new setup, the current only solution is to use the Windows - NT APW to install the NT drivers and the 9x drivers. This can be scripted - using smbclient and rpcclient. See the - Imprints installation client at http://imprints.sourceforge.net/ - for an example. -

    The have been two new parameters add in Samba 2.2.2 to for +better support of Samba 2.0.x backwards capability (disable +spoolss) and for using local printers drivers on Windows +NT/2000 clients (use client driver). Both of +these options are described in the smb.coinf(5) man page and are +disabled by default.
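Review bot: several typos in the added text: `smb.coinf(5)` → `smb.conf(5)`; "The have been two new parameters add in Samba 2.2.2 to for better support" → "There have been two new parameters added in Samba 2.2.2 for better support"; "backwards capability" → "backwards compatibility"; and "the leave the existing printers.def file" → "then leave the existing printers.def file" (that one is carried over from the removed list). On the registry step, stopping the spooler before deleting keys under [HKLM\SYSTEM\CurrentControlSet\Control\Print] is right, but tell the reader to export the key first so the change can be reverted; that is the concrete form of "know what you are doing".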

    7.1. Joining an NT Domain with Samba 2.2


    7.2. Samba and Windows 2000 Domains


    7.3. Why is this better than security = server?

    8.1. Prerequisite Reading


    8.2. Background


    8.3. Configuring the Samba Domain Controller

    As Samba 2.2 does not offer a complete implementation of group mapping between Windows NT groups and UNIX groups (this is really quite complicated to explain in a short space), you should refer to the domain -admin users and domain admin group smb.conf parameters for information of creating a Domain Admins +> smb.conf parameter for information of creating "Domain Admins" style accounts.
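Review bot: "for information of creating" → "for information on creating" in the added line. Since the two old parameters `domain admin users` and `domain admin group` are being replaced by a single reference, double-check that the parameter name rendered in the replacement matches the one documented in smb.conf.5 in this same commit.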


    8.4. Creating Machine Trust Accounts and Joining Clients to the Domain


    8.4.1. Manually creating machine trust accounts

    /usr/sbin/useradd -g 100 -d /dev/null -c machine_nickname"machine +nickname" -s /bin/false machine_name -m -s /bin/false $

    root# passwd -l machine_name
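Review bot: the `useradd` line for the machine trust account still shows `-m` alongside `-d /dev/null`; `-m` asks useradd to create the home directory, which makes no sense for `/dev/null`, so drop `-m` from the new line. The lock step reads `passwd -l machine_name` while the account created above is `machine_name$`; make sure the rendered page locks the `$`-suffixed account, otherwise the command locks a different (possibly nonexistent) user and the trust account is left in whatever password state useradd gave it.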


    8.4.2. Creating machine trust accounts "on the fly"

    . The password SHOULD be set to s different password that the +> be set to a different password that the associated /etc/passwd
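Review bot: the fix from "s different" to "a different" is right, but the sentence still reads "a different password that the associated /etc/passwd"; it should be "than the associated /etc/passwd entry", and a clause saying why the two must differ would make the SHOULD easier to follow.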


    8.5. Common Problems and Errors


    8.6. System Policies and Profiles


    8.7. What other help can I get ?


    8.8. Domain Control for Windows 9x/ME


    8.8.1. Configuration Instructions: Network Logons


    8.8.2. Configuration Instructions: Setting up Roaming User Profiles


    8.8.2.1. Windows NT Configuration


    8.8.2.2. Windows 9X Configuration


    8.8.2.3. Win9X and WinNT Configuration


    8.8.2.4. Windows 9X Profile Setup


    8.8.2.5. Windows NT Workstation 4.0


    8.8.2.6. Windows NT Server


    8.8.2.7. Sharing Profiles between W95 and NT Workstation 4.0


    8.9. DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba

    9.1. Abstract

    Integration of UNIX and Microsoft Windows NT through a unified logon has been considered a "holy grail" in heterogeneous - computing environments for a long time. We present winbind - , a component of the Samba suite of programs as a - solution to the unified logon problem. Winbind uses a UNIX implementation + computing environments for a long time. We present + winbind, a component of the Samba suite + of programs as a solution to the unified logon problem. Winbind + uses a UNIX implementation of Microsoft RPC calls, Pluggable Authentication Modules, and the Name Service Switch to allow Windows NT domain users to appear and operate as UNIX users on a UNIX machine. This paper describes the winbind @@ -7834,7 +7887,7 @@ CLASS="SECT1" >


    9.2. Introduction


    9.3. What Winbind Provides

    The end result is that whenever any program on the UNIX machine asks the operating system to lookup a user or group name, the query will be resolved by asking the - NT domain controller for the specied domain to do the lookup. + NT domain controller for the specified domain to do the lookup. Because Winbind hooks into the operating system at a low level (via the NSS name resolution modules in the C library) this redirection to the NT domain controller is completely @@ -7919,18 +7972,18 @@ NAME="AEN1664" that redirection to a domain controller is wanted for a particular lookup and which trusted domain is being referenced.

    Additionally, Winbind provides a authentication service +>Additionally, Winbind provides an authentication service that hooks into the Pluggable Authentication Modules (PAM) system to provide authentication via a NT domain to any PAM enabled applications. This capability solves the problem of synchronizing - passwords between systems as all passwords are stored in a single + passwords between systems since all passwords are stored in a single location (on the domain controller).


    9.3.1. Target Uses

    Another interesting way in which we expect Winbind to be used is as a central part of UNIX based appliances. Appliances @@ -7954,7 +8007,7 @@ CLASS="SECT1" >


    9.4. How Winbind Works


    9.4.1. Microsoft Remote Procedure Calls


    9.4.2. Name Service Switch

    The NSS application programming interface allows winbind @@ -8024,11 +8077,12 @@ NAME="AEN1684" a NT domain plus any trusted domain as though they were local users and groups.

    The primary control le for NSS is The primary control file for NSS is + /etc/nsswitch.conf - . When a UNIX application makes a request to do a lookup +>/etc/nsswitch.conf. + When a UNIX application makes a request to do a lookup the C library looks in /etc/nsswitch.conf


    9.4.3. Pluggable Authentication Modules

    PAM is configured by providing control files in the directory @@ -8118,7 +8172,7 @@ CLASS="FILENAME" is copied to /lib/security/ and the pam +> and the PAM control files for relevant services are updated to allow authentication via winbind. See the PAM documentation for more details.


    9.4.4. User and Group ID Allocation

    When a user or group is created under Windows NT is it allocated a numerical relative identifier (RID). This is - slightly different to UNIX which has a range of numbers which are + slightly different to UNIX which has a range of numbers that are used to identify users, and the same range in which to identify groups. It is winbind's job to convert RIDs to UNIX id numbers and vice versa. When winbind is configured it is given part of the UNIX @@ -8146,7 +8200,7 @@ NAME="AEN1708" to UNIX user ids and group ids.

    The results of this mapping are stored persistently in - a ID mapping database held in a tdb database). This ensures that + an ID mapping database held in a tdb database). This ensures that RIDs are mapped to UNIX IDs in a consistent way.
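Review bot: two leftover errors sit in the context lines of this paragraph and are worth fixing while it is being touched: "When a user or group is created under Windows NT is it allocated" → "it is allocated", and "an ID mapping database held in a tdb database)" has an unmatched closing parenthesis. The "which" → "that" and "a" → "an" corrections themselves are fine.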


    9.4.5. Result Caching


    9.5. Installation and Configuration

    The easiest way to install winbind is by using the packages - provided in the pub/samba/appliance/ - directory on your nearest - Samba mirror. These packages provide snapshots of the Samba source - code and binaries already setup to provide the full functionality - of winbind. This setup is a little more complex than a normal Samba - build as winbind needs a small amount of functionality from a - development code branch called SAMBA_TNG.

    Once you have installed the packages you should read - the winbindd(8) man page which will provide you - with configuration information and give you sample configuration files. - You may also wish to update the main Samba daemons smbd and nmbd) - with a more recent development release, such as the recently - announced Samba 2.2 alpha release.

    Many thanks to John Trostel jtrostel@snapserver.com +for providing the HOWTO for this section.

    This HOWTO describes how to get winbind services up and running +to control access and authenticate users on your Linux box using +the winbind services which come with SAMBA 2.2.2.



    9.6. Limitations

    9.5.1. Introduction

    Winbind has a number of limitations in its current - released version which we hope to overcome in future - releases:

    This HOWTO describes the procedures used to get winbind up and +running on my RedHat 7.1 system. Winbind is capable of providing access +and authentication control for Windows Domain users through an NT +or Win2K PDC for 'regular' services, such as telnet a nd ftp, as +well for SAMBA services.

    This HOWTO has been written from a 'RedHat-centric' perspective, so if +you are using another distribution, you may have to modify the instructions +somewhat to fit the way your distribution works.

    • Winbind is currently only available for - the Linux operating system, although ports to other operating - systems are certainly possible. For such ports to be feasible, - we require the C library of the target operating system to - support the Name Service Switch and Pluggable Authentication - Modules systems. This is becoming more common as NSS and - PAM gain support among UNIX vendors.

    • Why should I to this? +

      The mappings of Windows NT RIDs to UNIX ids - is not made algorithmically and depends on the order in which - unmapped users or groups are seen by winbind. It may be difficult - to recover the mappings of rid to UNIX id mapping if the file - containing this information is corrupted or destroyed.

      This allows the SAMBA administrator to rely on the + authentication mechanisms on the NT/Win2K PDC for the authentication + of domain members. NT/Win2K users no longer need to have separate + accounts on the SAMBA server. +

    • Currently the winbind PAM module does not take - into account possible workstation and logon time restrictions - that may be been set for Windows NT users.

      Who should be reading this document? +

      This HOWTO is designed for system administrators. If you are + implementing SAMBA on a file server and wish to (fairly easily) + integrate existing NT/Win2K users from your PDC onto the + SAMBA server, this HOWTO is for you. That said, I am no NT or PAM + expert, so you may find a better or easier way to accomplish + these tasks. +


    9.5.2. Requirements

    If you have a samba configuration file that you are currently +using... BACK IT UP! If your system already uses PAM, BACK UP +THE /etc/pam.d directory contents! If you +haven't already made a boot disk, MAKE ON NOW!

    Messing with the pam configuration files can make it nearly impossible +to log in to yourmachine. That's why you want to be able to boot back +into your machine in single user mode and restore your +/etc/pam.d back to the original state they were in if +you get frustrated with the way things are going. ;-)

    Building winbind from source is currently - quite tedious as it requires combining source code from two Samba - branches. Work is underway to solve this by providing all - the necessary functionality in the main Samba code branch.

    The newest version of SAMBA (version 2.2.2), available from +cvs.samba.org, now include a functioning winbindd daemon. Please refer +to the main SAMBA web page or, better yet, your closest SAMBA mirror +site for instructions on downloading the source code.

    To allow Domain users the ability to access SAMBA shares and +files, as well as potentially other services provided by your +SAMBA machine, PAM (pluggable authentication modules) must +be setup properly on your machine. In order to compile the +winbind modules, you should have at least the pam libraries resident +on your system. For recent RedHat systems (7.1, for instance), that +means 'pam-0.74-22'. For best results, it is helpful to also +install the development packages in 'pam-devel-0.74-22'.
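Review bot: the removed Limitations bullets carry two caveats the new HOWTO does not restate: the RID-to-UNIX-id mapping is not algorithmic and depends on the order in which winbind first sees users and groups (so the persistent tdb described in the ID allocation section must be backed up, or mappings are lost if it is corrupted), and the winbind PAM module does not honour workstation or logon-time restrictions set for NT users. Unless both are resolved in 2.2.2, keep them; the second in particular changes what an administrator can expect from domain-side account controls. Typos in the added text: "Why should I to this?" → "do this", "telnet a nd ftp" → "telnet and ftp", "MAKE ON NOW" → "MAKE ONE NOW", "yourmachine" → "your machine", "now include a functioning winbindd daemon" → "now includes", "must be setup properly" → "must be set up properly".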


    9.5.3. Testing Things Out

    Before starting, it is probably best to kill off all the SAMBA +related daemons running on your server. Kill off all smbd, +nmbd, and winbindd processes that may +be running. To use PAM, you will want to make sure that you have the +standard PAM package (for RedHat) which supplies the /etc/pam.d +directory structure, including the pam modules are used by pam-aware +services, several pam libraries, and the /usr/doc +and /usr/man entries for pam. Winbind built better +in SAMBA if the pam-devel package was also installed. This package includes +the header files needed to compile pam-aware applications. For instance, my RedHat +system has both 'pam-0.74-22' and 'pam-devel-0.74-22' RPMs installed.


    9.5.3.1. Configure and compile SAMBA

    The configuration and compilation of SAMBA is pretty straightforward. +The first three steps maynot be necessary depending upon +whether or not you have previously built the Samba binaries.

    root#  autoconf
    +root#  make clean
    +root#  rm config.cache
    +root#  ./configure --with-winbind
    +root#  make
    +root#  make install

    This will, by default, install SAMBA in /usr/local/samba. See the +main SAMBA documentation if you want to install SAMBA somewhere else. +It will also build the winbindd executable and libraries.


    9.5.3.2. Configure nsswitch.conf and the winbind libraries

    The libraries needed to run the winbind daemon through nsswitch +need to be copied to their proper locations, so

    root# cp ../samba/source/nsswitch/libnss_winbind.so /lib

    I also found it necessary to make the following symbolic link:

    root# ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2

    Now, as root you need to edit /etc/nsswitch.conf to +allow user and group entries to be visible from the winbindd +daemon, as well as from your /etc/hosts files and NIS servers. My +/etc/nsswitch.conf file look like this after editing:

    	passwd:     files winbind
    +	shadow:     files winbind
    +	group:      files winbind

    +The libraries needed by the winbind daemon will be automatically +entered into the ldconfig cache the next time your system reboots, but it +is faster (and you don't need to reboot) if you do it manually:

    root# /sbin/ldconfig -v | grep winbind

    This makes libnss_winbind available to winbindd +and echos back a check to you.
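Review bot: does libnss_winbind serve the shadow map? The added `/etc/nsswitch.conf` lists `shadow: files winbind`, but the text only talks about user and group entries; if winbind answers passwd and group only, the `shadow:` line should stay `files`. Also "My /etc/nsswitch.conf file look like this" → "looks", and "echos back" → "echoes back". The `ldconfig -v | grep winbind` check is a good one; it confirms the `.so.2` symlink was picked up.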


    9.5.3.3. Configure smb.conf

    Several parameters are needed in the smb.conf file to control +the behavior of winbindd. Configure +smb.conf These are described in more detail in +the winbindd(8) man page. My +smb.conf file was modified to +include the following entries in the [global] section:

    [global]
    +     <...>
    +     # separate domain and username with '+', like DOMAIN+username
    +     winbind separator = +
    +     # use uids from 10000 to 20000 for domain users
    +     winbind uid = 10000-20000
    +     # use gids from 10000 to 20000 for domain groups
    +     winbind gid = 10000-20000
    +     # allow enumeration of winbind users and groups
    +     winbind enum users = yes
    +     winbind enum groups = yes
    +     # give winbind users a real shell (only needed if they have telnet access)
    +     template shell = /bin/bash
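Review bot: stray fragment in the added prose: "Configure smb.conf These are described" should read "These are described". On the configuration itself, `winbind enum users = yes` and `winbind enum groups = yes` let any local process list the whole domain's users and groups via `getent` (as the later test steps show); that is what the HOWTO needs for testing, but a sentence saying enumeration can be switched off again on production file servers would be worth adding. Also state next to the 10000-20000 example that the `winbind uid` and `winbind gid` ranges must not overlap ids already used in /etc/passwd and /etc/group.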


    9.5.3.4. Join the SAMBA server to the PDC domain

    Enter the following command to make the SAMBA server join the +PDC domain, where DOMAIN is the name of +your Windows domain and Administrator is +a domain user who has administrative privileges in the domain.

    root# /usr/local/samba/bin/smbpasswd -j DOMAIN -r PDC -U Administrator

    The proper response to the command should be: "Joined the domain +DOMAIN" where DOMAIN +is your DOMAIN name.
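Review bot: `PDC` in `smbpasswd -j DOMAIN -r PDC -U Administrator` is a third placeholder that the lead-in never defines; it explains DOMAIN and Administrator only. Add that PDC is the name of the domain controller passed to `-r`, otherwise readers will type the literal word.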


    9.5.3.5. Start up the winbindd daemon and test it!

    Eventually, you will want to modify your smb startup script to +automatically invoke the winbindd daemon when the other parts of +SAMBA start, but it is possible to test out just the winbind +portion first. To start up winbind services, enter the following +command as root:

    root# /usr/local/samba/bin/winbindd

    I'm always paranoid and like to make sure the daemon +is really running...

    root# ps -ae | grep winbindd +3025 ? 00:00:00 winbindd

    Now... for the real test, try to get some information about the +users on your PDC

    root# # /usr/local/samba/bin/wbinfo -u

    +This should echo back a list of users on your Windows users on +your PDC. For example, I get the following response:

    CEO+Administrator
    +CEO+burdell
    +CEO+Guest
    +CEO+jt-ad
    +CEO+krbtgt
    +CEO+TsInternetUser

    Obviously, I have named my domain 'CEO' and my winbindd separator is '+'.

    You can do the same sort of thing to get group information from +the PDC:

    root# /usr/local/samba/bin/wbinfo -g
    +CEO+Domain Admins
    +CEO+Domain Users
    +CEO+Domain Guests
    +CEO+Domain Computers
    +CEO+Domain Controllers
    +CEO+Cert Publishers
    +CEO+Schema Admins
    +CEO+Enterprise Admins
    +CEO+Group Policy Creator Owners

    The function 'getent' can now be used to get unified +lists of both local and PDC users and groups. +Try the following command:

    root# getent passwd

    You should get a list that looks like your /etc/passwd +list followed by the domain users with their new uids, gids, home +directories and default shells.

    The same thing can be done for groups with the command

    root# getent group
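Review bot: `root# # /usr/local/samba/bin/wbinfo -u` has a doubled `#`; drop one. "This should echo back a list of users on your Windows users on your PDC" → "a list of the Windows users on your PDC". The sample output includes built-in accounts (Administrator, Guest, krbtgt) and privileged groups (Domain Admins, Enterprise Admins, Schema Admins); the text might say that seeing these in `getent passwd` and `getent group` is expected, and that what then matters is which shares and services those mapped ids are granted access to.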


    9.5.3.6. Fix the /etc/rc.d/init.d/smb startup files

    The winbindd daemon needs to start up after the +smbd and nmbd daemons are running. +To accomplish this task, you need to modify the /etc/init.d/smb +script to add commands to invoke this daemon in the proper sequence. My +/etc/init.d/smb file starts up smbd, +nmbd, and winbindd from the +/usr/local/samba/bin directory directly. The 'start' +function in the script looks like this:

    start() {
    +        KIND="SMB"
    +        echo -n $"Starting $KIND services: "
    +        daemon /usr/local/samba/bin/smbd $SMBDOPTIONS
    +        RETVAL=$?
    +        echo
    +        KIND="NMB"
    +        echo -n $"Starting $KIND services: "
    +        daemon /usr/local/samba/bin/nmbd $NMBDOPTIONS
    +        RETVAL2=$?
    +        echo
    +        KIND="Winbind"
    +        echo -n $"Starting $KIND services: "
    +        daemon /usr/local/samba/bin/winbindd
    +        RETVAL3=$?
    +        echo
    +        [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && touch /var/lock/subsys/smb || \
    +           RETVAL=1
    +        return $RETVAL
    +}

    The 'stop' function has a corresponding entry to shut down the +services and look s like this:

    stop() {
    +        KIND="SMB"
    +        echo -n $"Shutting down $KIND services: "
    +        killproc smbd
    +        RETVAL=$?
    +        echo
    +        KIND="NMB"
    +        echo -n $"Shutting down $KIND services: "
    +        killproc nmbd
    +        RETVAL2=$?
    +        echo
    +        KIND="Winbind"
    +        echo -n $"Shutting down $KIND services: "
    +        killproc winbindd
    +        RETVAL3=$?
    +        [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && rm -f /var/lock/subsys/smb
    +        echo ""
    +        return $RETVAL
    +}
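Review bot: the stop() function's `return $RETVAL` only reports the result of `killproc smbd`; RETVAL2 and RETVAL3 decide whether the lock file is removed but never reach the return value, so a failure to stop nmbd or winbindd still returns success, unlike start(), which sets `RETVAL=1` when any of the three daemons fails. Mirror the start() logic, e.g. `[ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && rm -f /var/lock/subsys/smb || RETVAL=1`. Also, the wbinfo example in 9.5.3.5 reads `root# # /usr/local/samba/bin/wbinfo -u`; the doubled prompt character should be `root# /usr/local/samba/bin/wbinfo -u`.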


    9.5.3.7. Configure Winbind and PAM

    If you have made it this far, you know that winbindd is working. +Now it is time to integrate it into the operation of samba and other +services. The pam configuration files need to be altered in +this step. (Did you remember to make backups of your original +/etc/pam.d files? If not, do it now.)

    To get samba to allow domain users and groups, I modified the +/etc/pam.d/samba file from

    auth    required        /lib/security/pam_stack.so service=system-auth
    +account required        /lib/security/pam_stack.so service=system-auth

    to

    auth    required        /lib/security/pam_winbind.so
    +auth    required        /lib/security/pam_stack.so service=system-auth
    +account required        /lib/security/pam_winbind.so
    +account required        /lib/security/pam_stack.so service=system-auth

    The other services that I modified to allow the use of winbind +as an authentication service were the normal login on the console (or a terminal +session), telnet logins, and ftp service. In order to enable these +services, you may first need to change the entries in +/etc/xinetd.d (or /etc/inetd.conf). +RedHat 7.1 uses the new xinetd.d structure, in this case you need +to change the lines in /etc/xinetd.d/telnet +and /etc/xinetd.d/wu-ftp from

    enable = no

    to

    enable = yes

    +For ftp services to work properly, you will also need to either +have individual directories for the domain users already present on +the server, or change the home directory template to a general +directory for all domain users. These can be easily set using +the smb.conf global entry +template homedir.

    The /etc/pam.d/ftp file can be changed +to allow winbind ftp access in a manner similar to the +samba file. My /etc/pam.d/ftp file was +changed to look like this:

    auth       sufficient   /lib/security/pam_winbind.so
    +auth       required     /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
    +auth       required     /lib/security/pam_stack.so service=system-auth
    +auth       required     /lib/security/pam_shells.so
    +account    required     /lib/security/pam_stack.so service=system-auth
    +session    required     /lib/security/pam_stack.so service=system-auth

    The /etc/pam.d/login file can be changed nearly the +same way. It now looks like this:

    auth       required     /lib/security/pam_securetty.so
    +auth       sufficient   /lib/security/pam_winbind.so
    +auth       sufficient   /lib/security/pam_unix.so use_first_pass
    +auth       required     /lib/security/pam_stack.so service=system-auth
    +auth       required     /lib/security/pam_nologin.so
    +account    sufficient   /lib/security/pam_winbind.so
    +account    required     /lib/security/pam_stack.so service=system-auth
    +password   required     /lib/security/pam_stack.so service=system-auth
    +session    required     /lib/security/pam_stack.so service=system-auth
    +session    optional     /lib/security/pam_console.so

    In this case, I added the auth sufficient /lib/security/pam_winbind.so +lines as before, but also added the required pam_securetty.so +above it, to disallow root logins over the network. I also added a +sufficient /lib/security/pam_unix.so use_first_pass +line after the winbind.so line to get rid of annoying +double prompts for passwords.

    Finally, don't forget to copy the winbind pam modules from +the source directory in which you originally compiled the new +SAMBA up to the /lib/security directory so that pam can use it:

    root# cp ../samba/source/nsswitch/pam_winbind.so /lib/security
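Review bot: module ordering in the /etc/pam.d/ftp and /etc/pam.d/login examples lets winbind-authenticated users skip checks that come later in the stack. In the ftp stack `auth sufficient /lib/security/pam_winbind.so` precedes the `pam_listfile.so item=user sense=deny file=/etc/ftpusers` and `pam_shells.so` lines; a successful sufficient module ends the auth stack, so neither the /etc/ftpusers deny list nor the shell check is applied to domain users. The same holds for `pam_nologin.so`, which sits below the sufficient pam_winbind line in the login stack (pam_securetty is correctly placed above it). Either move those required lines above the sufficient pam_winbind entry or state plainly that these restrictions do not apply to domain accounts. Separately, the /etc/pam.d/samba example marks both pam_winbind and `pam_stack.so service=system-auth` as `required`, which means both must succeed, while the ftp and login examples use `sufficient` for pam_winbind; the text should explain why the samba stack differs.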


    9.6. Limitations

    Winbind has a number of limitations in its current + released version that we hope to overcome in future + releases:

    • Winbind is currently only available for + the Linux operating system, although ports to other operating + systems are certainly possible. For such ports to be feasible, + we require the C library of the target operating system to + support the Name Service Switch and Pluggable Authentication + Modules systems. This is becoming more common as NSS and + PAM gain support among UNIX vendors.

    • The mappings of Windows NT RIDs to UNIX ids + is not made algorithmically and depends on the order in which + unmapped users or groups are seen by winbind. It may be difficult + to recover the mappings of rid to UNIX id mapping if the file + containing this information is corrupted or destroyed.

    • Currently the winbind PAM module does not take + into account possible workstation and logon time restrictions + that may be been set for Windows NT users.


    9.7. Conclusion

    10.1. FAQs


    Index

    Primary Domain Controller, Background
    As Samba 2.2 does not offer a complete implementation of group mapping between Windows NT groups and UNIX groups (this is really quite complicated to explain in a short space), you should refer to the domain -admin users and domain admin group smb.conf parameters for information of creating a Domain Admins +> smb.conf parameter for information of creating "Domain Admins" style accounts.


    Creating Machine Trust Accounts and Joining Clients to the Domain


    Manually creating machine trust accounts

    /usr/sbin/useradd -g 100 -d /dev/null -c machine_nickname"machine +nickname" -m -s /bin/false -s /bin/false machine_name$

    root# passwd -l machine_name
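Review bot: the `passwd -l machine_name` line locks an account name without the trailing `$`, but the useradd line above creates `machine_name$`; as written the lock is applied to a different account (or fails on a nonexistent one) and the trust account's Unix password is left unlocked. Use `passwd -l machine_name$`, quoted or escaped as the shell requires, to match the account that was created. The useradd line also shows `-s /bin/false` twice; check whether that duplication is intended.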


    Creating machine trust accounts "on the fly"

    SHOULD be set to s different password that the +> be set to a different password that the associated /etc/passwd


    Common Problems and Errors


    System Policies and Profiles


    What other help can I get ?


    Domain Control for Windows 9x/ME


    Configuration Instructions: Network Logons


    Configuration Instructions: Setting up Roaming User Profiles


    Windows NT Configuration


    Windows 9X Configuration


    Win9X and WinNT Configuration


    Windows 9X Profile Setup


    Windows NT Workstation 4.0


    Windows NT Server


    Sharing Profiles between W95 and NT Workstation 4.0


    DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba

    Samba supports "record locking" using the fcntl() unix system - call. This is often implemented using rpc calls to a rpc.lockd process - running on the system that owns the filesystem. Unfortunately many - rpc.lockd implementations are very buggy, particularly when made to - talk to versions from other vendors. It is not uncommon for the - rpc.lockd to crash.

    There is also a problem translating the 32 bit lock - requests generated by PC clients to 31 bit requests supported - by most unixes. Unfortunately many PC applications (typically - OLE2 applications) use byte ranges with the top bit set - as semaphore sets. Samba attempts translation to support - these types of applications, and the translation has proved - to be quite successful.

    Record locking semantics under Unix is very + different from record locking under Windows. Versions + of Samba before 2.2 have tried to use the native + fcntl() unix system call to implement proper record + locking between different Samba clients. This can not + be fully correct due to several reasons. The simplest + is the fact that a Windows client is allowed to lock a + byte range up to 2^32 or 2^64, depending on the client + OS. The unix locking only supports byte ranges up to + 2^31. So it is not possible to correctly satisfy a + lock request above 2^31. There are many more + differences, too many to be listed here.

    Samba 2.2 and above implements record locking + completely independent of the underlying unix + system. If a byte range lock that the client requests + happens to fall into the range 0-2^31, Samba hands + this request down to the Unix system. All other locks + can not be seen by unix anyway.

    Strictly a SMB server should check for locks before every read and write call on a file. Unfortunately with the diff --git a/docs/htmldocs/nmbd.8.html b/docs/htmldocs/nmbd.8.html index 29bd8180407..31afa11cf89 100644 --- a/docs/htmldocs/nmbd.8.html +++ b/docs/htmldocs/nmbd.8.html @@ -36,7 +36,7 @@ NAME="AEN8" >

    smbdnmbd [-D] [-a] [-o] [-P] [-h] [-V] [-d <debug level>] [-H <lmhosts file>] [-l <log file>] [-n <primary netbios name>] [-p <port number>] [-s <configuration file>]

    log.nmb file. In addition, the debug log level - of nmbd may be raised by sending it a SIGUSR1 (kill -USR1 - <nmbd-pid>) and lowered by sending it a - SIGUSR2 ( file.

    The debug log level of nmbd may be raised or lowered using + kill -USR2 <nmbd-pid>). This is to - allow transient problems to be diagnosed, whilst still running at a - normally low log level.

    smbcontrol(1)
    + (SIGUSR[1|2] signals are no longer used in Samba 2.2). This is + to allow transient problems to be diagnosed, whilst still running + at a normally low log level.

    VERSION

    SEE ALSO

    AUTHOR

    is used to allow administrative level user accounts to have write access in order to update files on the share. See the smb.conf(5) man pageSections other than guest services will require a password to access them. The client provides the username. As older clients only provide passwords and not usernames, you may specify a list - of usernames to check against the password using the "user=" + of usernames to check against the password using the "user =" option in the share definition. For modern clients such as Windows 95/98/ME/NT/2000, this should not be necessary.

    If you decide to use a path=path = line in your [homes] section then you may find it useful to use the %S macro. For example :

    path=/data/pchome/%Spath = /data/pchome/%S

    flag for auto home directories will be inherited from the global browseable flag, not the [homes] browseable flag. This is useful as - it means setting browseable=no in the [homes] section - will hide the [homes] share but make any auto home - directories visible.

    browseable = no in + the [homes] section will hide the [homes] share but make + any auto home directories visible.

    The [printers] section

    PARAMETERS

    VARIABLE SUBSTITUTIONS

    --with-automount - option then this value will be the same as %.

    %p

    NAME MANGLING

    mangle case= yes/no
    mangle case = yes/no

    controls if names that have characters that @@ -769,7 +771,7 @@ CLASS="VARIABLELIST" >

    NOTE ABOUT USERNAME/PASSWORD VALIDATION

    file for the service and the client has supplied a password, and that password matches (according to the UNIX system's password checking) with one of the usernames - from the "user=" field then the connection is made as - the username in the "user=" line. If one - of the username in the "user=" list begins with a + from the "user =" field then the connection is made as + the username in the "user =" line. If one + of the username in the "user =" list begins with a '@' then that name expands to a list of names in the group of the same name.

    COMPLETE LIST OF GLOBAL PARAMETERS

  • abort shutdown script

  • add machine script

  • disable spoolss

  • ldap admin dn

  • ldap filter

  • ldap port

  • ldap server

  • ldap ssl

  • ldap suffix

  • shutdown script

  • ssl egd socket

  • ssl entropy bytes

  • ssl entropy file

  • utmp

  • winbind enum users

  • winbind enum groups

  • COMPLETE LIST OF SERVICE PARAMETERS

  • share modes

  • useruse client driver

  • usernameuser

  • usersusername

  • utmpusers

    EXPLANATION OF EACH PARAMETER

    abort shutdown script (G)

    This parameter only exists in the HEAD cvs branch + This a full path name to a script called by + smbd(8) that + should stop a shutdown procedure issued by the shutdown script.

    This command will be run as user.

    Default: None.

    Example: abort shutdown script = /sbin/shutdown -c

    add printer command (G)
  • add machine script (G)

    This is the full pathname to a script that will + be run by smbd(8) when a machine is added + to it's domain using the administrator username and password method.

    This option is only required when using sam back-ends tied to the + Unix uid method of RID calculation such as smbpasswd. This option is only + available in Samba 3.0.

    Default: add machine script = <empty string> +

    Example: add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u +
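Review bot: the abort shutdown script entry leaves out information a reader needs: "This a full path name" should read "This is a full path name", and "This command will be run as user." does not say which user. The shutdown script entry later in this patch states "the user connected to the server"; this entry should be equally explicit, because whether an ordinary connected user can trigger the configured script is what determines its exposure. In the add machine script entry, "it's domain" should be "its domain".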

    add user script (G)
    security=serversecurity = server or security=domain security = domain and

    Default: announce version = 4.2announce version = 4.5

    Example:

    See the discussion in the section NAME MANGLING.

    codingsystem (G)coding system (G)

    This parameter is used to determine how incoming @@ -6043,7 +6296,7 @@ HREF="#DIRECTORYMODE" > directory mode"directory mode parameter for masking @@ -6286,14 +6539,14 @@ NAME="DEFAULTCASE" >

    See the section on NAME MANGLING. Also note the short preserve case"short preserve case parameter.

    delete share +>add share commandchange - share
    . @@ -6646,7 +6899,7 @@ CLASS="COMMAND" set to security=domainsecurity = domain and security=serversecurity = server option as well as security=domainsecurity = domain. The reason for this is only when Samba is a domain member does it get the information @@ -6690,7 +6943,7 @@ CLASS="PARAMETER" security=serversecurity = server mode a missing user is treated the same as an invalid password logon attempt. Deleting @@ -6745,7 +6998,7 @@ CLASS="PARAMETER" >

    See also security=domainsecurity = domain,

    dns proxy (G)
    disable spoolss (G)

    Specifies that nmbd(8) - when acting as a WINS server and finding that a NetBIOS name has not - been registered, should treat the NetBIOS name word-for-word as a DNS - name and do a lookup with the DNS server for that name on behalf of - the name-querying client.

    Enabling this parameter will disables Samba's support + for the SPOOLSS set of MS-RPC's and will yield identical behavior + as Samba 2.0.x. Windows NT/2000 clients will downgrade to using + Lanman style printing commands. Windows 9x/ME will be uneffected by + the parameter. However, this will also disable the ability to upload + printer drivers to a Samba server via the Windows NT Add Printer + Wizard or by using the NT printer properties dialog window. It will + also disable the capability of Windows NT/2000 clients to download + print drivers from the Samba host upon demand. + Be very careful about enabling this parameter. +

    Note that the maximum length for a NetBIOS name is 15 - characters, so the DNS name (or DNS alias) can likewise only be +>See also use client driver +

    Default : disable spoolss = no
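Review bot: two typos in the disable spoolss description: "will disables Samba's support" should be "will disable Samba's support", and "Windows 9x/ME will be uneffected" should be "unaffected".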

    dns proxy (G)

    Specifies that nmbd(8) + when acting as a WINS server and finding that a NetBIOS name has not + been registered, should treat the NetBIOS name word-for-word as a DNS + name and do a lookup with the DNS server for that name on behalf of + the name-querying client.

    Note that the maximum length for a NetBIOS name is 15 + characters, so the DNS name (or DNS alias) can likewise only be 15 characters, maximum.

    program for information on how to set up and maintain this file), or set the security=[server|domain]security = [server|domain] parameter which causes This option enables a couple of enhancements to cross-subnet browse propagation that have been added in Samba but which are not standard in Microsoft implementations. - These enhancements are currently only available in - the HEAD Samba CVS tree (not Samba 2.2.x).

    The first enhancement to browse propagation consists of a regular wildcard query to a Samba WINS server for all Domain Master Browsers, @@ -8579,7 +8861,7 @@ CLASS="COMMAND" >hide unreadable(G)hide unreadable (S)

    This parameter prevents clients from seeing the @@ -9199,7 +9481,7 @@ CLASS="PARAMETER" the value &+group"&+group means check the NIS netgroup database, followed by the UNIX group database (the @@ -9317,12 +9599,9 @@ CLASS="COMMAND" >This parameter defaults to on on systems - that have the support, and off on systems that - don't. You should never need to touch this parameter.

    , but is translated + to a no-op on systems that no not have the necessary kernel support. + You should never need to touch this parameter.
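Review bot: "systems that no not have the necessary kernel support" should read "systems that do not have the necessary kernel support".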

    See also the large readwrite(G)large readwrite (G)

    This parameter determines whether or not

    ldap admin dn (G)

    This parameter is only available if Samba has been + configure to include the --with-ldapsam option + at compile time. This option should be considered experimental and + under active development. +

    The ldap admin dn defines the Distinguished + Name (DN) name used by Samba to contact the ldap + server when retreiving user account information. The ldap + admin dn is used in conjunction with the admin dn password + stored in the private/secrets.tdb file. See the + smbpasswd(8) man + page for more information on how to accmplish this. +

    Default : none

    ldap filter (G)

    This parameter is only available if Samba has been + configure to include the --with-ldapsam option + at compile time. This option should be considered experimental and + under active development. +

    This parameter specifies the RFC 2254 compliant LDAP search filter. + The default is to match the login name with the uid + attribute for all entries matching the sambaAccount + objectclass. Note that this filter should only return one entry. +

    Default : ldap filter = (&(uid=%u)(objectclass=sambaAccount))

    ldap port (G)

    This parameter is only available if Samba has been + configure to include the --with-ldapsam option + at compile time. This option should be considered experimental and + under active development. +

    This option is used to control the tcp port number used to contact + the ldap server. + The default is to use the stand LDAP port 389. +

    Default : ldap port = 389

    ldap server (G)

    This parameter is only available if Samba has been + configure to include the --with-ldapsam option + at compile time. This option should be considered experimental and + under active development. +

    This parameter should contains the FQDN of the ldap directory + server which should be queried to locate user account information. +

    Default : ldap server = localhost

    ldap ssl (G)

    This parameter is only available if Samba has been + configure to include the --with-ldapsam option + at compile time. This option should be considered experimental and + under active development. +

    This option is used to define whether or not Samba should + use SSL when connecting to the ldap + server. This is NOT related to + Samba SSL support which is enabled by specifying the + --with-ssl option to the configure + script (see ssl). +

    The ldap ssl can be set to one of three values: + (a) on - Always use SSL when contacting the + ldap server, (b) off - + Never use SSL when querying the directory, or (c) start + tls - Use the LDAPv3 StartTLS extended operation + (RFC2830) for communicating with the directory server. +

    Default : ldap ssl = off

    ldap suffix (G)

    This parameter is only available if Samba has been + configure to include the --with-ldapsam option + at compile time. This option should be considered experimental and + under active development. +

    Default : none
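Review bot: the ldap suffix entry has no description: between the --with-ldapsam boilerplate and "Default : none" nothing says what the parameter holds or whether it must be set; add that. Spelling across the ldap block: "configure to include" should be "configured to include" (repeated in every entry), "retreiving" should be "retrieving", "accmplish" should be "accomplish", "stand LDAP port" should be "standard LDAP port", and "should contains the FQDN" should be "should contain the FQDN". For ldap ssl, since the ldap admin dn entry says Samba binds to the directory with the admin dn password kept in private/secrets.tdb, the entry should spell out what the default `off` means for that bind (no transport protection for the credential) and point administrators to `on` or `start tls` where the directory supports them.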

    level2 oplocks (S)
    A boolean variable that controls whether all printers in the printcap will be loaded for browsing by default. See the printers section for more details.

    net use /home"
    net use /home
    but use the whole string when dealing with profiles.

    If a Samba server is a member of a Windows NT Domain (see the security=domainsecurity = domain) parameter) then periodically a running , and the security=domain security = domain) parameter.

    Default:

    See the section on NAME MANGLING

    See the section on NAME MANGLING for details on how to control the mangling process.

    magic character in name mangling. The default is a '~' but this may interfere with some software. Use this option to set @@ -10955,7 +11478,7 @@ HREF="#SECURITY" > modes other than security=sharesecurity = share - i.e. wins support=yeswins support = yes) what the maximum @@ -11441,7 +11964,7 @@ HREF="#MINWINSTTL" CLASS="PARAMETER" >min - wins ttl" parameter.

    With the addition of better PAM support in Samba 2.2, this parameter, it is possible to use PAM's password change control flag for Samba. If enabled, then PAM will be used for password - changes when requested by an SMB client insted of the program listed in + changes when requested by an SMB client instead of the program listed in - paramater for most setups. + parameter for most setups.

    Default:

    The string can contain the macros Note that this parameter only is only used if the %ounix + password sync - and parameter is set to yes. This + sequence is then called AS ROOT when the SMB password + in the smbpasswd file is being changed, without access to the old + password cleartext. This means that root must be able to reset the user's password + without knowing the text of the previous password. In the presence of NIS/YP, + this means that the passwd program must be + executed on the NIS master. +

    The string can contain the macro %n which are substituted for the old - and new passwords respectively. It can also contain the standard +> which is substituted + for the new password. The chat sequence can also contain the standard macros \n \t and %s\s to give line-feed, - carriage-return, tab and space.

    The string can also contain a '*' which matches - any sequence of characters.

    Double quotes can be used to collect strings with spaces + carriage-return, tab and space. The chat sequence string can also contain + a '*' which matches any sequence of characters. + Double quotes can be used to collect strings with spaces in them into a single string.

    If the send string in any part of the chat sequence is a full stop ".", then no string is sent. Similarly, if the expect string is a full stop then no string is expected.

    Note that if the unix - password sync parameter is set to true, then this - sequence is called AS ROOT when the SMB password - in the smbpasswd file is being changed, without access to the old - password cleartext. In this case the old password cleartext is set - to "" (the empty string).

    Also, if the If the . This is a restriction of the SMB/CIFS protocol when in security=server +>security = server mode and cannot be fixed in Samba.

    security=server security = server
    mode the network logon will appear to - come from there rather than from the user's workstation.

    See the section on NAME MANGLING for a fuller discussion.

    Default: For printing= BSD, AIX, QNX, LPRNG +>printing = BSD, AIX, QNX, LPRNG or PLP :

    For printing= SYS or HPUX :printing = SYS or HPUX :

    For printing=SOFTQ :printing = SOFTQ :

    /etc/printcap). See the discussion of the [printers] section above for reasons why you might want to do this.

    This option can be set on a per printer basis

    See also the discussion in the [printers] section.

    security = server or security=domain +>security = domain .

    See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.

    This is the default security setting in Samba 2.2. - With user-level security a client must first "log=on" with a + With user-level security a client must first "log-on" with a valid username and password (which can be mapped using the parameter for details on doing this.

    See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.

    parameter for details on doing this.

    See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.

    See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.

    share modes (S)

    This enables or disables the honoring of - the share modes during a file open. These - modes are used by clients to gain exclusive read or write access - to a file.

    These open modes are not directly supported by UNIX, so - they are simulated using shared memory, or lock files if your - UNIX doesn't support shared memory (almost all do).

    The share modes that are enabled by this option are - DENY_DOS, DENY_ALL, - DENY_READ, DENY_WRITE, - DENY_NONE and DENY_FCB. -

    This option gives full share compatibility and enabled - by default.

    You should NEVER turn this parameter - off as many Windows applications will break if you do so.

    Default: share modes = yes

    short preserve case (S)

    See the section on NAME MANGLING.

    smb passwd file (G)
    shutdown script (G)

    This option sets the path to the encrypted - smbpasswd file. By default the path to the smbpasswd file - is compiled into Samba.

    Default: This parameter only exists in the HEAD cvs branch + This a full path name to a script called by + smb passwd file = ${prefix}/private/smbpasswd -

    smbd(8) that + should start a shutdown procedure.

    This command will be run as the user connected to the + server.

    %m %t %r %f parameters are expanded

    %m will be substituted with the + shutdown message sent to the server.

    %t will be substituted with the + number of seconds to wait before effectively starting the + shutdown procedure.

    %r will be substituted with the + switch -r. It means reboot after shutdown + for NT. +

    %f will be substituted with the + switch -f. It means force the shutdown + even if applications do not respond for NT.

    Default: None.

    Example: abort shutdown script = /usr/local/samba/sbin/shutdown %m %t %r %f

    Shutdown script example: +
    		#!/bin/bash
    +		
    +		$time=0
    +		let "time/60"
    +		let "time++"
    +
    +		/sbin/shutdown $3 $4 +$time $1 &
    +		
    + Shutdown does not return so we need to launch it in background. +

    See also abort shutdown script.
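Review bot: the script under "Shutdown script example" does not work as written: `$time=0` expands to the command `=0` rather than assigning (it should be `time=0`), `let "time/60"` evaluates an expression but assigns nothing, and the `%t` seconds passed as `$2` are never read, so `+$time` is always `+1`; something like `let "time=$2/60"` followed by `let "time++"` is what the text describes. The script also passes `$1`, the `%m` shutdown message that the entry says comes from the client, unquoted on the `/sbin/shutdown` command line while running as the connected user; quote it as `"$1"` and say that the message is untrusted input. The Example line for this entry reads `abort shutdown script = /usr/local/samba/sbin/shutdown %m %t %r %f` but belongs to `shutdown script`, and "This a full path name" should be "This is a full path name" here as well.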

    smb passwd file (G)

    This option sets the path to the encrypted + smbpasswd file. By default the path to the smbpasswd file + is compiled into Samba.

    Default: smb passwd file = ${prefix}/private/smbpasswd +

    Example:

    To specify an argument use the syntax SOME_OPTION=VALUE +>To specify an argument use the syntax SOME_OPTION = VALUE for example SO_SNDBUF=8192SO_SNDBUF = 8192. Note that you must not have any spaces before or after the = sign.
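Review bot: this change rewrites the examples as `SOME_OPTION = VALUE` and `SO_SNDBUF = 8192`, but the next sentence still says "you must not have any spaces before or after the = sign", so the text now contradicts itself. Either restore the spaceless form for these two examples or drop the sentence, whichever matches how socket options are actually parsed; the `=` spacing normalization applied elsewhere in this patch is for smb.conf parameter names, and it is not clear it was meant to reach these values.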

    SAMBA_NETBIOS_NAME=myhostnameSAMBA_NETBIOS_NAME = myhostname

    Default: was given at configure time.

    Note that for export control reasons - this code is NOT enabled by default in any - current binary version of Samba.

    This variable enables or disables the entire SSL mode. If it is set to

    Default: ssl=nossl = no

    was given at configure time.

    Note that for export control reasons - this code is NOT enabled by default in any - current binary version of Samba.

    This variable defines where to look up the Certification Authorities. The given directory should contain one file for each CA that Samba will trust. The file name must be the hash @@ -16164,14 +16719,6 @@ CLASS="COMMAND" > was given at configure time.

    Note that for export control reasons - this code is NOT enabled by default in any - current binary version of Samba.

    This variable is a second way to define the trusted CAs. The certificates of the trusted CAs are collected in one big file and this variable points to the file. You will probably @@ -16202,14 +16749,6 @@ CLASS="COMMAND" > was given at configure time.

    Note that for export control reasons - this code is NOT enabled by default in any - current binary version of Samba.

    This variable defines the ciphers that should be offered during SSL negotiation. You should not set this variable unless you know what you are doing.

    was given at configure time.

    Note that for export control reasons - this code is NOT enabled by default in any - current binary version of Samba.

    The certificate in this file is used by was given at configure time.

    Note that for export control reasons - this code is NOT enabled by default in any - current binary version of Samba.

    This is the private key for was given at configure time.

    Note that for export control reasons - this code is NOT enabled by default in any - current binary version of Samba.

    This variable defines whether SSLeay should be configured +>This variable defines whether OpenSSL should be configured for bug compatibility with other SSL implementations. This is probably not desirable because currently no clients with SSL - implementations other than SSLeay exist.

    Default:

    ssl egd socket (G)

    This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option --with-ssl was + given at configure time.

    This option is used to define the location of the communiation socket of + an EGD or PRNGD daemon, from which entropy can be retrieved. This option + can be used instead of or together with the ssl entropy file + directive. 255 bytes of entropy will be retrieved from the daemon. +

    Default: none

    ssl entropy bytes (G)

    This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option --with-ssl was + given at configure time.

    This parameter is used to define the number of bytes which should + be read from the ssl entropy + file If a -1 is specified, the entire file will + be read. +

    Default: ssl entropy bytes = 255

    ssl entropy file (G)

    This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option --with-ssl was + given at configure time.

    This parameter is used to specify a file from which processes will + read "random bytes" on startup. In order to seed the internal pseudo + random number generator, entropy must be provided. On system with a + /dev/urandom device file, the processes + will retrieve its entropy from the kernel. On systems without kernel + entropy support, a file can be supplied that will be read on startup + and that will be used to seed the PRNG. +

    Default: none
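Review bot: the "ssl compatibility" entry ends with a bare "Default:" and no value, so the reader cannot tell whether bug-compatibility mode is on or off out of the box; fill in the default, as the other entries in this hunk do (e.g. "ssl entropy bytes = 255"). In the "ssl entropy file" paragraph, state the precedence between the file and /dev/urandom, and add the caveat a deployer needs: a seed file that is read unchanged on every startup feeds the PRNG the same bytes each time, so it should be regenerated and kept unreadable to other users, since anyone who can read it knows the seed input. Also "communiation socket" in the "ssl egd socket" text and "On system with" / "the processes will retrieve its entropy" are typos.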

    ssl hosts (G)
    was given at configure time.

    Note that for export control reasons - this code is NOT enabled by default in any - current binary version of Samba.

    These two variables define whether Samba will go into SSL mode or not. If none of them is defined, Samba will allow only SSL connections. If the was given at configure time.

    Note that for export control reasons - this code is NOT enabled by default in any - current binary version of Samba.

    If this variable is set to yes was given at configure time.

    Note that for export control reasons - this code is NOT enabled by default in any - current binary version of Samba.

    If this variable is set to yes was given at configure time.

    Note that for export control reasons - this code is NOT enabled by default in any - current binary version of Samba.

    This is the file containing the server's certificate. The server must was given at configure time.

    Note that for export control reasons - this code is NOT enabled by default in any - current binary version of Samba.

    This file contains the private key of the server. If this variable is not defined, the key is looked up in the certificate file (it may be appended to the certificate). @@ -16634,14 +17207,6 @@ CLASS="COMMAND" > was given at configure time.

    Note that for export control reasons - this code is NOT enabled by default in any - current binary version of Samba.

    This enumeration variable defines the versions of the SSL protocol that will be used. template homedir (G)

    NOTE: this parameter is - only available in Samba 3.0.

    When filling out the user information for a Windows NT user, the template shell (G)

    NOTE: this parameter is - only available in Samba 3.0.

    When filling out the user information for a Windows NT user, the

    use client driver (S)

    This parameter applies only to Windows NT/2000 + clients. It has no affect on Windows 95/98/ME clients. When + serving a printer to Windows NT/2000 clients without first installing + a valid printer driver on the Samba host, the client will be required + to install a local printer driver. From this point on, the client + will treat the print as a local printer and not a network printer + connection. This is much the same behavior that will occur + when disable spoolss = yes.

    The differentiating + factor is that under normal circumstances, the NT/2000 client will + attempt to open the network printer using MS-RPC. The problem is that + because the client considers the printer to be local, it will attempt + to issue the OpenPrinterEx() call requesting access rights associated + with the logged on user. If the user possesses local administator rights + but not root privilegde on the Samba host (often the case), the OpenPrinterEx() + call will fail. The result is that the client will now display an "Access + Denied; Unable to connect" message in the printer queue window (even though + jobs may successfully be printed).

    If this parameter is enabled for a printer, then any attempt + to open the printer with the PRINTER_ACCESS_ADMINISTER right is mapped + to PRINTER_ACCESS_USE instead. Thus allowing the OpenPrinterEx() + call to succeed. This parameter MUST not be able enabled + on a print share which has valid print driver installed on the Samba + server.

    See also disable spoolss +

    Default: use client driver = no
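Review bot: the last paragraph says the parameter "MUST not be able enabled on a print share which has valid print driver installed" but never says what goes wrong if it is; since the option silently maps every PRINTER_ACCESS_ADMINISTER open to PRINTER_ACCESS_USE, state the consequence for driver management on such a share so the warning is actionable. Minor: "no affect" should be "no effect", "administator" and "privilegde" are misspelled, and "MUST not be able enabled" should read "MUST NOT be enabled".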

    use rhosts (G)

    See the section NOTE ABOUT USERNAME/PASSWORD VALIDATION for more information on how @@ -17562,7 +18167,7 @@ CLASS="COMMAND" >utmp (S)utmp (G)

    This boolean parameter is only available if @@ -17837,14 +18442,25 @@ CLASS="PARAMETER" > option is applicable in vetoing files.

    One feature of the veto files parameter that it is important - to be aware of, is that if a directory contains nothing but files - that match the veto files parameter (which means that Windows/DOS - clients cannot ever see them) is deleted, the veto files within - that directory are automatically deleted along - with it, if the user has UNIX permissions to do so.

    One feature of the veto files parameter that it + is important to be aware of is Samba's behaviour when + trying to delete a directory. If a directory that is + to be deleted contains nothing but veto files this + deletion will fail unless you also set + the delete veto files parameter to + yes.
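Review bot: the rewritten veto files paragraph drops the condition the old text carried, "if the user has UNIX permissions to do so"; with "delete veto files = yes" the reader now has no statement that the vetoed files are still subject to UNIX permission checks when the directory is removed. Keep that clause in the new wording, since it is the only place the permission boundary of delete veto files is described.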

    Setting this parameter will affect the performance of Samba, as it will be forced to check all files and directories @@ -17944,7 +18560,7 @@ CLASS="FILENAME" >

    Example: veto oplock files = /*;.SEM/ +>veto oplock files = /*.SEM/

    winbind cache time

    NOTE: this parameter is only - available in Samba 3.0.

    This parameter specifies the number of seconds the

    winbind gid
    winbind enum + users

    On large installations using + winbindd(8) it may be + necessary to suppress the enumeration of users through the + setpwent(), + getpwent() and + endpwent() group of system calls. If + the winbind enum users parameter is + false, calls to the getpwent system call + will not return any data.

    NOTE: this parameter is only - available in Samba 3.0.

    Warning:
    Turning off user + enumeration may cause some programs to behave oddly. For + example, the finger program relies on having access to the + full user list when searching for matching + usernames.

    Default: winbind enum users = yes

    winbind enum + groups

    On large installations using + winbindd(8) it may be + necessary to suppress the enumeration of groups through the + setgrent(), + getgrent() and + endgrent() group of system calls. If + the winbind enum groups parameter is + false, calls to the getgrent() system + call will not return any data.

    Warning: Turning off group + enumeration may cause some programs to behave oddly. +

    Default: winbind enum groups = yes +
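Review bot: both entries describe the effect on the setpwent()/getpwent()/endpwent() and setgrent()/getgrent()/endgrent() families only; say explicitly whether single-entry lookups (getpwnam(), getpwuid(), getgrnam(), getgrgid()) still resolve domain users and groups when enumeration is off, because that is what an administrator turning this off on a large installation needs to know before changing it. Style: in the "winbind enum users" entry the "Warning:" label is split from its sentence, whereas "winbind enum groups" keeps them together.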

    winbind gid

    The winbind gid parameter specifies the range of group ids that are allocated by the winbind separator

    NOTE: this parameter is only - available in Samba 3.0.

    This parameter allows an admin to define the character used when listing a username of the form of winbind uid

    NOTE: this parameter is only - available in Samba 3.0.

    The winbind gid parameter specifies the range of group ids that are allocated by the security=domainsecurity = domain setting.
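Review bot: the "winbind uid" entry repeats the text of "winbind gid" ("The winbind gid parameter specifies the range of group ids"); it should describe the range of user ids allocated to domain users, which is what the HOWTO's "winbind uid = 10000-20000" example elsewhere in this patch relies on.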

    WARNINGS

    VERSION

    SEE ALSO

    AUTHOR

    smbclient {servicename} [password] [-b <buffer size>] [-d debuglevel] [-D Directory] [-S server] [-U username] [-W workgroup] [-M <netbios name>] [-m maxprotocol] [-A authfile] [-N] [-l logfile] [-L <netbios name>] [-I destinationIP] [-E <terminal code>] [-c <command string>] [-i scope] [-O <socket options>] [-p port] [-R <name resolve order>] [-s <smb config file>] [-T<c|x>IXFqgbNan]

    {servicename} [password] [-b <buffer size>] [-d debuglevel] [-D Directory] [-U username] [-W workgroup] [-M <netbios name>] [-m maxprotocol] [-A authfile] [-N] [-l logfile] [-L <netbios name>] [-I destinationIP] [-E <terminal code>] [-c <command string>] [-i scope] [-O <socket options>] [-p port] [-R <name resolve order>] [-s <smb config file>] [-T<c|x>IXFqgbNan]
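Review bot: the synopsis drops "[-S server]", so the OPTIONS section must lose its -S entry as well, otherwise the man page documents an option it no longer advertises; the hunk does not show that change.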

    DESCRIPTION

    OPTIONS

    rfc1001.txt
    and + and rfc1002.txt. @@ -975,7 +976,7 @@ CLASS="COMMAND" >

    OPERATIONS

    NOTES

    ENVIRONMENT VARIABLES

    INSTALLATION

    DIAGNOSTICS

    VERSION

    AUTHOR

    smbd
    .

    The close-share message-type sends a + message to smbd which forces smbd to close the share that was + specified as an argument. This may be useful if you made changes + to the access controls on the share.
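Review bot: the close-share description says the message is "useful if you made changes to the access controls on the share" but not what happens to clients that currently have the share open (are they disconnected, and does a reconnect go through the new access controls?); that is the behaviour an administrator relying on it for access-control changes needs stated.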

    parameters

    VERSION

    SEE ALSO

    AUTHOR

    The debug log level of smbd may be raised by sending - it a SIGUSR1 (kill -USR1 <smbd-pid>) - and lowered by sending it a SIGUSR2 ( may be raised + or lowered using kill -USR2 <smbd-pid> +>smbcontrol(1) ). This is to allow transient problems to be diagnosed, +> program (SIGUSR[1|2] signals are no longer used in + Samba 2.2). This is to allow transient problems to be diagnosed, whilst still running at a normally low log level.
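Review bot: the new paragraph says SIGUSR1/SIGUSR2 are no longer used in Samba 2.2 and points at smbcontrol(1), but the context line that follows still begins "Note that as the signal handlers send a debug write", which now describes a mechanism the page says is gone; rewrite or drop that note. Also name the smbcontrol message type that changes the log level so the reader is not sent to another man page for it.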

    Note that as the signal handlers send a debug write, diff --git a/docs/htmldocs/smbmnt.8.html b/docs/htmldocs/smbmnt.8.html index 6546b7c7070..a7d10b6e191 100644 --- a/docs/htmldocs/smbmnt.8.html +++ b/docs/htmldocs/smbmnt.8.html @@ -54,10 +54,11 @@ CLASS="COMMAND" smbmnt is meant to be installed setuid root - so that normal users can mount their SMB shares. It checks - whether the user has write permissions on the mount point and - then mounts the directory.

    can be installed setuid root if you want + normal users to be able to mount their SMB shares.

    A setuid smbmnt will only allow mounts on directories owned + by the user, and that the user has write permission on.

    The . It should not be invoked directly by users.

    smbmount searches the normal PATH for smbmnt. You must ensure + that the smbmnt version in your path matches the smbmount used.
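Review bot: "only allow mounts on directories owned by the user, and that the user has write permission on" should say that both conditions are checked, since the previous wording required only write permission and the ownership check is the security-relevant addition. Also reconcile "should not be invoked directly by users" with the opening sentence about users mounting their shares by saying smbmnt is reached through smbmount, which is why the version-match warning at the end matters for a setuid-root helper.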

    OPTIONS

    AUTHOR

    smbmount mounts a SMB filesystem. It +> mounts a Linux SMB filesystem. It is usually invoked as mount.smb from +>mount.smbfs
    by the mount(8) command when using the - "-t smb" option. The kernel must support the smbfs filesystem.

    Options to

    sets the debug level. This is useful for - tracking down SMB connection problems.

    ip=<arg>
    The variable PASSWD_FILE may contain the pathname of - a file to read the password from. A single line of input is +> may contain the pathname + of a file to read the password from. A single line of input is read and used as the password.

    BUGS

    Not many known smbmount bugs. But one smbfs bug is - important enough to mention here anyway:

    Passwords and other options containing , can not be handled. + For passwords an alternative way of passing them is in a credentials + file or in the PASSWD environment.

    The credentials file does not handle usernames or passwords with + leading space.

    One smbfs bug is important enough to mention here, even if it + is a bit misplaced:

      Mounts sometimes stop working. This is usually caused by smbmount terminating. Since smbfs needs smbmount to - reconnect when the server disconnects, the mount will go - dead. A re-mount normally fixes this. At least 2 ways to + reconnect when the server disconnects, the mount will eventually go + dead. An umount/mount normally fixes this. At least 2 ways to trigger this bug are known.
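Review bot: the BUGS text steers users to "a credentials file or in the PASSWD environment" for passwords containing a comma, but neither here nor in the PASSWD_FILE paragraph is the reader told that the credentials file must not be readable by other users and that a password on the command line is visible in the process list; add that caveat next to the workaround. The "leading space" limitation of the credentials file is also stated without saying whether such a value is truncated or rejected.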

    SEE ALSO

    Documentation/filesystems/smbfs.txt in the kernel source tree - may contain additional options and information.

    Documentation/filesystems/smbfs.txt in the linux kernel + source tree may contain additional options and information.

    FreeBSD also has a smbfs, but it is not related to smbmount

    For Solaris, HP-UX and others you may want to look at + smbsh(1) or at other + solutions, such as sharity or perhaps replacing the SMB server with + a NFS server.

    AUTHOR

    smbpasswd [-a] [-x] [-d] [-e] [-D debuglevel] [-n] [-r <remote machine>] [-R <name resolve order>] [-m] [-j DOMAIN] [-U username] [-h] [-s] [username]

    [-a] [-x] [-d] [-e] [-D debuglevel] [-n] [-r <remote machine>] [-R <name resolve order>] [-m] [-j DOMAIN] [-U username[%password]] [-h] [-s] [username]
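Review bot: the synopsis now shows "-U username[%password]"; since a password given this way appears in the process list for every local user while smbpasswd runs, the option description should say so and recommend the interactive prompt, which the rest of this patch uses ("smbpasswd -j DOMAIN -r PDC -U Administrator").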

    nmblookupwbinfo [-u] [-g] [-n name] [-s sid] [-U uid] [-G gid] [-S sid] [-Y sid] [-t] [-m]

    VERSION

    This man page is correct for version 2.2 of - the Samba suite. winbindd is however not available in - stable release of Samba as of yet.

    winbindd - were written by TIm Potter.

    The conversion to DocBook for Samba 2.2 was done by Gerald Carter

    Integration of UNIX and Microsoft Windows NT through a unified logon has been considered a "holy grail" in heterogeneous - computing environments for a long time. We present winbind - , a component of the Samba suite of programs as a - solution to the unified logon problem. Winbind uses a UNIX implementation +>winbind, a component of the Samba suite + of programs as a solution to the unified logon problem. Winbind + uses a UNIX implementation of Microsoft RPC calls, Pluggable Authentication Modules, and the Name Service Switch to allow Windows NT domain users to appear and operate as UNIX users on a UNIX machine. This paper describes the winbind @@ -66,7 +67,7 @@ NAME="AEN7" and use the Samba suite of programs to provide file and print services between the two. This solution is far from perfect however, as adding and deleting users on both sets of machines becomes a chore - and two sets of passwords are required both of which which + and two sets of passwords are required both of which can lead to synchronization problems between the UNIX and Windows systems and confusion for users.

    The end result is that whenever any program on the UNIX machine asks the operating system to lookup a user or group name, the query will be resolved by asking the - NT domain controller for the specied domain to do the lookup. + NT domain controller for the specified domain to do the lookup. Because Winbind hooks into the operating system at a low level (via the NSS name resolution modules in the C library) this redirection to the NT domain controller is completely @@ -136,11 +137,11 @@ NAME="AEN20" that redirection to a domain controller is wanted for a particular lookup and which trusted domain is being referenced.

    Additionally, Winbind provides a authentication service +>Additionally, Winbind provides an authentication service that hooks into the Pluggable Authentication Modules (PAM) system to provide authentication via a NT domain to any PAM enabled applications. This capability solves the problem of synchronizing - passwords between systems as all passwords are stored in a single + passwords between systems since all passwords are stored in a single location (on the domain controller).

    Another interesting way in which we expect Winbind to be used is as a central part of UNIX based appliances. Appliances @@ -226,9 +227,9 @@ NAME="AEN40" information such as hostnames, mail aliases and user information to be resolved from different sources. For example, a standalone UNIX workstation may resolve system information from a series of - flat files stored on the local lesystem. A networked workstation + flat files stored on the local filesystem. A networked workstation may first attempt to resolve system information from local files, - then consult a NIS database for user information or a DNS server + and then consult a NIS database for user information or a DNS server for hostname information.

    The NSS application programming interface allows winbind @@ -241,11 +242,12 @@ NAME="AEN40" a NT domain plus any trusted domain as though they were local users and groups.

    The primary control le for NSS is The primary control file for NSS is + /etc/nsswitch.conf - . When a UNIX application makes a request to do a lookup +>/etc/nsswitch.conf. + When a UNIX application makes a request to do a lookup the C library looks in /etc/nsswitch.conf

    PAM is configured by providing control files in the directory @@ -335,7 +337,7 @@ CLASS="FILENAME" is copied to /lib/security/ and the pam +> and the PAM control files for relevant services are updated to allow authentication via winbind. See the PAM documentation for more details.

    When a user or group is created under Windows NT is it allocated a numerical relative identifier (RID). This is - slightly different to UNIX which has a range of numbers which are + slightly different to UNIX which has a range of numbers that are used to identify users, and the same range in which to identify groups. It is winbind's job to convert RIDs to UNIX id numbers and vice versa. When winbind is configured it is given part of the UNIX @@ -363,7 +365,7 @@ NAME="AEN64" to UNIX user ids and group ids.

    The results of this mapping are stored persistently in - a ID mapping database held in a tdb database). This ensures that + an ID mapping database held in a tdb database). This ensures that RIDs are mapped to UNIX IDs in a consistent way.

    Installation and Configuration

    The easiest way to install winbind is by using the packages - provided in the Many thanks to John Trostel jtrostel@snapserver.com +for providing the HOWTO for this section.

    This HOWTO describes how to get winbind services up and running +to control access and authenticate users on your Linux box using +the winbind services which come with SAMBA 2.2.2.


    Introduction

    This HOWTO describes the procedures used to get winbind up and +running on my RedHat 7.1 system. Winbind is capable of providing access +and authentication control for Windows Domain users through an NT +or Win2K PDC for 'regular' services, such as telnet a nd ftp, as +well for SAMBA services.

    This HOWTO has been written from a 'RedHat-centric' perspective, so if +you are using another distribution, you may have to modify the instructions +somewhat to fit the way your distribution works.

    • Why should I to this? +

      This allows the SAMBA administrator to rely on the + authentication mechanisms on the NT/Win2K PDC for the authentication + of domain members. NT/Win2K users no longer need to have separate + accounts on the SAMBA server. +

    • Who should be reading this document? +

      This HOWTO is designed for system administrators. If you are + implementing SAMBA on a file server and wish to (fairly easily) + integrate existing NT/Win2K users from your PDC onto the + SAMBA server, this HOWTO is for you. That said, I am no NT or PAM + expert, so you may find a better or easier way to accomplish + these tasks. +


    Requirements

    If you have a samba configuration file that you are currently +using... BACK IT UP! If your system already uses PAM, BACK UP +THE /etc/pam.d directory contents! If you +haven't already made a boot disk, MAKE ON NOW!

    Messing with the pam configuration files can make it nearly impossible +to log in to yourmachine. That's why you want to be able to boot back +into your machine in single user mode and restore your +/etc/pam.d back to the original state they were in if +you get frustrated with the way things are going. ;-)

    The newest version of SAMBA (version 2.2.2), available from +cvs.samba.org, now include a functioning winbindd daemon. Please refer +to the main SAMBA web page or, better yet, your closest SAMBA mirror +site for instructions on downloading the source code.

    To allow Domain users the ability to access SAMBA shares and +files, as well as potentially other services provided by your +SAMBA machine, PAM (pluggable authentication modules) must +be setup properly on your machine. In order to compile the +winbind modules, you should have at least the pam libraries resident +on your system. For recent RedHat systems (7.1, for instance), that +means 'pam-0.74-22'. For best results, it is helpful to also +install the development packages in 'pam-devel-0.74-22'.
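Review bot: typos in the new HOWTO text: "Why should I to this?" (do this), "telnet a nd ftp", "MAKE ON NOW!" (make one now), "yourmachine", and "restore your /etc/pam.d back to the original state they were in" after a singular "/etc/pam.d". The requirements paragraph also says "version 2.2.2, available from cvs.samba.org" while the man pages in this patch say "correct for version 2.2"; use one version string.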


    Testing Things Out

    Before starting, it is probably best to kill off all the SAMBA +related daemons running on your server. Kill off all smbd, +nmbd, and winbindd processes that may +be running. To use PAM, you will want to make sure that you have the +standard PAM package (for RedHat) which supplies the /etc/pam.d +directory structure, including the pam modules are used by pam-aware +services, several pam libraries, and the /usr/doc +and /usr/man entries for pam. Winbind built better +in SAMBA if the pam-devel package was also installed. This package includes +the header files needed to compile pam-aware applications. For instance, my RedHat +system has both 'pam-0.74-22' and 'pam-devel-0.74-22' RPMs installed.


    Configure and compile SAMBA

    The configuration and compilation of SAMBA is pretty straightforward. +The first three steps maynot be necessary depending upon +whether or not you have previously built the Samba binaries.

    root#  autoconf
    +root#  make clean
    +root#  rm config.cache
    +root#  ./configure --with-winbind
    +root#  make
    +root#  make install

    This will, by default, install SAMBA in /usr/local/samba. See the +main SAMBA documentation if you want to install SAMBA somewhere else. +It will also build the winbindd executable and libraries.
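Review bot: every step from "autoconf" to "make" is shown at a "root#" prompt, but only "make install" needs root. Show the configure and build steps as an unprivileged user, since the HOWTO is aimed at administrators copying the sequence verbatim onto a machine that is about to hold domain credentials. Also "maynot" should be "may not".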


    Configure nsswitch.conf and the winbind libraries

    The libraries needed to run the winbind daemon through nsswitch +need to be copied to their proper locations, so

    root# cp ../samba/source/nsswitch/libnss_winbind.so /lib

    I also found it necessary to make the following symbolic link:

    root# ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2

    Now, as root you need to edit pub/samba/appliance//etc/nsswitch.conf to +allow user and group entries to be visible from the winbindd - directory on your nearest - Samba mirror. These packages provide snapshots of the Samba source - code and binaries already setup to provide the full functionality - of winbind. This setup is a little more complex than a normal Samba - build as winbind needs a small amount of functionality from a - development code branch called SAMBA_TNG.

    Once you have installed the packages you should read - the /etc/nsswitch.conf file look like this after editing:

    	passwd:     files winbind
    +	shadow:     files winbind
    +	group:      files winbind

    +The libraries needed by the winbind daemon will be automatically +entered into the ldconfig cache the next time your system reboots, but it +is faster (and you don't need to reboot) if you do it manually:

    root# /sbin/ldconfig -v | grep winbind

    This makes libnss_winbind available to winbindd +and echos back a check to you.
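Review bot: "cp ../samba/source/nsswitch/libnss_winbind.so /lib" depends on a working directory the HOWTO never states; give the path relative to the source tree used in the build step above. The nsswitch.conf example also adds "shadow: files winbind", yet nothing later in the HOWTO uses or checks shadow lookups (only "getent passwd" and "getent group" are tested), so either justify that line or drop it. Finally, the closing sentence says ldconfig "makes libnss_winbind available to winbindd"; as the NSS section of this page explains, it is the C library that loads the module when consulting nsswitch.conf, not winbindd.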


    Configure smb.conf

    Several parameters are needed in the smb.conf file to control +the behavior of winbindd(8) man page which will provide you - with configuration information and give you sample configuration files. - You may also wish to update the main Samba daemons smbd and nmbd) - with a more recent development release, such as the recently - announced Samba 2.2 alpha release.

    winbindd. Configure +smb.conf These are described in more detail in +the winbindd(8) man page. My +smb.conf file was modified to +include the following entries in the [global] section:

    [global]
    +     <...>
    +     # separate domain and username with '+', like DOMAIN+username
    +     winbind separator = +
    +     # use uids from 10000 to 20000 for domain users
    +     winbind uid = 10000-20000
    +     # use gids from 10000 to 20000 for domain groups
    +     winbind gid = 10000-20000
    +     # allow enumeration of winbind users and groups
    +     winbind enum users = yes
    +     winbind enum groups = yes
    +     # give winbind users a real shell (only needed if they have telnet access)
    +     template shell = /bin/bash
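Review bot: the comment on "template shell = /bin/bash" says "only needed if they have telnet access"; make that a recommendation rather than an aside, i.e. leave a non-login template shell unless domain users really need interactive logins, because the same template is handed to every enumerated domain account, not just the ones that will log in.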


    Join the SAMBA server to the PDC domain

    Enter the following command to make the SAMBA server join the +PDC domain, where DOMAIN is the name of +your Windows domain and Administrator is +a domain user who has administrative privileges in the domain.

    root# /usr/local/samba/bin/smbpasswd -j DOMAIN -r PDC -U Administrator

    The proper response to the command should be: "Joined the domain +DOMAIN" where DOMAIN +is your DOMAIN name.


    Start up the winbindd daemon and test it!

    Eventually, you will want to modify your smb startup script to +automatically invoke the winbindd daemon when the other parts of +SAMBA start, but it is possible to test out just the winbind +portion first. To start up winbind services, enter the following +command as root:

    root# /usr/local/samba/bin/winbindd

    I'm always paranoid and like to make sure the daemon +is really running...

    root# ps -ae | grep winbindd +3025 ? 00:00:00 winbindd

    Now... for the real test, try to get some information about the +users on your PDC

    root# # /usr/local/samba/bin/wbinfo -u

    +This should echo back a list of users on your Windows users on +your PDC. For example, I get the following response:

    CEO+Administrator
    +CEO+burdell
    +CEO+Guest
    +CEO+jt-ad
    +CEO+krbtgt
    +CEO+TsInternetUser

    Obviously, I have named my domain 'CEO' and my winbindd separator is '+'.

    You can do the same sort of thing to get group information from +the PDC:

    root# /usr/local/samba/bin/wbinfo -g
    +CEO+Domain Admins
    +CEO+Domain Users
    +CEO+Domain Guests
    +CEO+Domain Computers
    +CEO+Domain Controllers
    +CEO+Cert Publishers
    +CEO+Schema Admins
    +CEO+Enterprise Admins
    +CEO+Group Policy Creator Owners

    The function 'getent' can now be used to get unified +lists of both local and PDC users and groups. +Try the following command:

    root# getent passwd

    You should get a list that looks like your /etc/passwd +list followed by the domain users with their new uids, gids, home +directories and default shells.

    The same thing can be done for groups with the command

    root# getent group
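Review bot: "root# # /usr/local/samba/bin/wbinfo -u" has a doubled prompt, and "a list of users on your Windows users on your PDC" should read "a list of the Windows users on your PDC". The "ps -ae | grep winbindd" sample has its output run onto the command line; separate them so a reader knows which part to type.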


    Fix the /etc/rc.d/init.d/smb startup files

    The winbindd daemon needs to start up after the +smbd and nmbd daemons are running. +To accomplish this task, you need to modify the /etc/init.d/smb +script to add commands to invoke this daemon in the proper sequence. My +/etc/init.d/smb file starts up smbd, +nmbd, and winbindd from the +/usr/local/samba/bin directory directly. The 'start' +function in the script looks like this:

    start() {
    +        KIND="SMB"
    +        echo -n $"Starting $KIND services: "
    +        daemon /usr/local/samba/bin/smbd $SMBDOPTIONS
    +        RETVAL=$?
    +        echo
    +        KIND="NMB"
    +        echo -n $"Starting $KIND services: "
    +        daemon /usr/local/samba/bin/nmbd $NMBDOPTIONS
    +        RETVAL2=$?
    +        echo
    +        KIND="Winbind"
    +        echo -n $"Starting $KIND services: "
    +        daemon /usr/local/samba/bin/winbindd
    +        RETVAL3=$?
    +        echo
    +        [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && touch /var/lock/subsys/smb || \
    +           RETVAL=1
    +        return $RETVAL
    +}

    The 'stop' function has a corresponding entry to shut down the +services and look s like this:

    stop() {
    +        KIND="SMB"
    +        echo -n $"Shutting down $KIND services: "
    +        killproc smbd
    +        RETVAL=$?
    +        echo
    +        KIND="NMB"
    +        echo -n $"Shutting down $KIND services: "
    +        killproc nmbd
    +        RETVAL2=$?
    +        echo
    +        KIND="Winbind"
    +        echo -n $"Shutting down $KIND services: "
    +        killproc winbindd
    +        RETVAL3=$?
    +        [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && rm -f /var/lock/subsys/smb
    +        echo ""
    +        return $RETVAL
    +}
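Review bot: in stop() the line "[ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && rm -f /var/lock/subsys/smb" has no "|| RETVAL=1" fallback, unlike start(), so a failed "killproc nmbd" or "killproc winbindd" is not reflected in the script's exit status and the lock file is left behind silently; add the same fallback as start(). The prose above also says winbindd "needs to start up after the smbd and nmbd daemons" but gives no reason; if this is an ordering requirement rather than a preference, say why.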


    Configure Winbind and PAM

    If you have made it this far, you know that winbindd is working. +Now it is time to integrate it into the operation of samba and other +services. The pam configuration files need to be altered in +this step. (Did you remember to make backups of your original +/etc/pam.d files? If not, do it now.)

    To get samba to allow domain users and groups, I modified the +/etc/pam.d/samba file from

    auth    required        /lib/security/pam_stack.so service=system-auth
    +account required        /lib/security/pam_stack.so service=system-auth

    to

    auth    required        /lib/security/pam_winbind.so
    +auth    required        /lib/security/pam_stack.so service=system-auth
    +account required        /lib/security/pam_winbind.so
    +account required        /lib/security/pam_stack.so service=system-auth
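Review bot: the /etc/pam.d/samba stanza marks pam_winbind.so and the pam_stack.so system-auth entry both "required" for auth and account, so a user must pass both the domain controller and the local system-auth stack; a domain user without a local account fails, which contradicts the stated goal that "NT/Win2K users no longer need to have separate accounts on the SAMBA server". Use "sufficient" for pam_winbind.so, as the ftp and login examples further down do.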

    The other services that I modified to allow the use of winbind +as an authentication service were the normal login on the console (or a terminal +session), telnet logins, and ftp service. In order to enable these +services, you may first need to change the entries in +/etc/xinetd.d (or /etc/inetd.conf). +RedHat 7.1 uses the new xinetd.d structure, in this case you need +to change the lines in /etc/xinetd.d/telnet +and /etc/xinetd.d/wu-ftp from

    enable = no

    to

    enable = yes
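Review bot: this step turns on telnet and wu-ftp in xinetd with "enable = yes"; both carry the domain password in cleartext over the network, so the HOWTO should say these are test-only services and that domain credentials should not be exposed this way on a production network.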

    +For ftp services to work properly, you will also need to either +have individual directories for the domain users already present on +the server, or change the home directory template to a general +directory for all domain users. These can be easily set using +the smb.conf global entry +template homedir.

    The /etc/pam.d/ftp file can be changed +to allow winbind ftp access in a manner similar to the +samba file. My /etc/pam.d/ftp file was +changed to look like this:

    auth       sufficient   /lib/security/pam_winbind.so
    +auth       required     /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
    +auth       required     /lib/security/pam_stack.so service=system-auth
    +auth       required     /lib/security/pam_shells.so
    +account    required     /lib/security/pam_stack.so service=system-auth
    +session    required     /lib/security/pam_stack.so service=system-auth

    The /etc/pam.d/login file can be changed nearly the +same way. It now looks like this:

    auth       required     /lib/security/pam_securetty.so
    +auth       sufficient   /lib/security/pam_winbind.so
    +auth       sufficient   /lib/security/pam_unix.so use_first_pass
    +auth       required     /lib/security/pam_stack.so service=system-auth
    +auth       required     /lib/security/pam_nologin.so
    +account    sufficient   /lib/security/pam_winbind.so
    +account    required     /lib/security/pam_stack.so service=system-auth
    +password   required     /lib/security/pam_stack.so service=system-auth
    +session    required     /lib/security/pam_stack.so service=system-auth
    +session    optional     /lib/security/pam_console.so

    In this case, I added the auth sufficient /lib/security/pam_winbind.so +lines as before, but also added the required pam_securetty.so +above it, to disallow root logins over the network. I also added a +sufficient /lib/security/pam_unix.so use_first_pass +line after the winbind.so line to get rid of annoying +double prompts for passwords.

    Finally, don't forget to copy the winbind pam modules from +the source directory in which you originally compiled the new +SAMBA up to the /lib/security directory so that pam can use it:

    root# cp ../samba/source/nsswitch/pam_winbind.so /lib/security
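Review bot: in /etc/pam.d/ftp the "auth sufficient /lib/security/pam_winbind.so" line sits above "pam_listfile.so item=user sense=deny file=/etc/ftpusers" and "pam_shells.so", so a user that winbind authenticates satisfies the auth stack immediately and the /etc/ftpusers deny list and the shell check are never consulted for domain users; move the winbind line below the listfile and shells entries. The same pattern in /etc/pam.d/login places "auth sufficient pam_winbind.so" above "pam_nologin.so", so /etc/nologin does not block domain users; pam_securetty.so coming first is right for the reason the text gives, since a prior required failure prevents the sufficient module from short-circuiting. Also "the winbind.so line" should read "the pam_winbind.so line".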


    Limitations

    Winbind has a number of limitations in its current - released version which we hope to overcome in future + released version that we hope to overcome in future releases:

  • Building winbind from source is currently - quite tedious as it requires combining source code from two Samba - branches. Work is underway to solve this by providing all - the necessary functionality in the main Samba code branch.


  • Conclusion

    nmblookup [-d debuglevel] [-i] [-S] [-r] [-A] [-h] [-B <broadcast address>] [-U <unicast address>] [-d <debug level>] [-s <smb config file>] [-i <NetBIOS scope>] [-T] {name}

    winbindd [-i] [-d <debug level>] [-s <smb config file>]

    DESCRIPTION

    This tool is part of the This program is part of the Samba suite version 3.0 and describes functionality not - yet implemented in the main version of Samba.

    suite.

    OPTIONS

    NAME AND ID RESOLUTION

    CONFIGURATION

    EXAMPLE SETUP

    The next step is to join the domain. To do that use the sameditsmbpasswd
    program like this:

    samedit -S '*' -W DOMAIN -UAdministratorsmbpasswd -j DOMAIN -r PDC -U + Administrator

    The username after the -U can be any Domain - user that has administrator privileges on the machine. Next from - within samedit, run the command:

    createuser MACHINE$ -j DOMAIN -L

    This assumes your domain is called "DOMAIN" and your Samba - workstation is called "MACHINE".

    can be any + Domain user that has administrator privileges on the machine. + Substitute your domain name for "DOMAIN" and the name of your PDC + for "PDC".
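Review bot: the replacement text still says the account after -U "can be any Domain user that has administrator privileges on the machine", wording carried over from the samedit-based procedure; with "smbpasswd -j DOMAIN -r PDC -U Administrator" the privilege that matters is in the domain, which is how the HOWTO in this same patch phrases it ("administrative privileges in the domain"), and the two pages should agree.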

    Next copy

    Notes

    NOTES

    The following notes are useful when configuring and running winbindd nsswitch module read an environment variable named $WINBINDD_DOMAIN $WINBINDD_DOMAIN. If this variable contains a comma separated list of Windows NT domain names, then winbindd will only resolve users and groups within those Windows NT domains.

    Signals

    SIGNALS

    The following signals can be used to manipulate the

    Files

    FILES

    Storage for the Windows NT rid to UNIX user/group id mapping. The lock directory is specified when Samba is initially compiled using the --with-lockdir option. +CLASS="PARAMETER" +>--with-lockdir option. This directory is by default /usr/local/samba/var/locks @@ -857,19 +847,18 @@ CLASS="FILENAME" >

    VERSION

    This man page is correct for version 2.2 of - the Samba suite. winbindd is however not available in - the stable release of Samba as of yet.

    This man page is correct for version 2.2 of + the Samba suite.

    SEE ALSO

    AUTHOR

    .\" Please send any bug reports, improvements, comments, patches, .\" etc. to Steve Cheng . -.TH "NMBD" "8" "09 July 2001" "" "" +.TH "NMBD" "8" "26 September 2001" "" "" .SH NAME nmbd \- NetBIOS name server to provide NetBIOS over IP naming services to clients .SH SYNOPSIS .sp -\fBsmbd\fR [ \fB-D\fR ] [ \fB-a\fR ] [ \fB-o\fR ] [ \fB-P\fR ] [ \fB-h\fR ] [ \fB-V\fR ] [ \fB-d \fR ] [ \fB-H \fR ] [ \fB-l \fR ] [ \fB-n \fR ] [ \fB-p \fR ] [ \fB-s \fR ] +\fBnmbd\fR [ \fB-D\fR ] [ \fB-a\fR ] [ \fB-o\fR ] [ \fB-P\fR ] [ \fB-h\fR ] [ \fB-V\fR ] [ \fB-d \fR ] [ \fB-H \fR ] [ \fB-l \fR ] [ \fB-n \fR ] [ \fB-p \fR ] [ \fB-s \fR ] .SH "DESCRIPTION" .PP This program is part of the Samba suite. @@ -208,12 +208,13 @@ it to dump out its namelists into the file \fInamelist.debug directory (or the \fIvar/locks\fR directory configured under wherever Samba was configured to install itself). This will also cause \fBnmbd\fR to dump out its server database in -the \fIlog.nmb\fR file. In addition, the debug log level -of nmbd may be raised by sending it a SIGUSR1 (\fBkill -USR1 -\fR) and lowered by sending it a -SIGUSR2 (\fBkill -USR2 \fR). This is to -allow transient problems to be diagnosed, whilst still running at a -normally low log level. +the \fIlog.nmb\fR file. +.PP +The debug log level of nmbd may be raised or lowered using +\fBsmbcontrol(1)\fR +(SIGUSR[1|2] signals are no longer used in Samba 2.2). This is +to allow transient problems to be diagnosed, whilst still running +at a normally low log level. .SH "VERSION" .PP This man page is correct for version 2.2 of diff --git a/docs/manpages/smb.conf.5 b/docs/manpages/smb.conf.5 index 98f614c5667..885307f9ab6 100644 --- a/docs/manpages/smb.conf.5 +++ b/docs/manpages/smb.conf.5 
@@ -3,7 +3,7 @@ .\" .\" Please send any bug reports, improvements, comments, patches, .\" etc. to Steve Cheng . -.TH "SMB.CONF" "5" "09 July 2001" "" "" +.TH "SMB.CONF" "5" "11 October 2001" "" "" .SH NAME smb.conf \- The configuration file for the Samba suite .SH "SYNOPSIS" @@ -78,7 +78,7 @@ privileges in this case. Sections other than guest services will require a password to access them. The client provides the username. As older clients only provide passwords and not usernames, you may specify a list -of usernames to check against the password using the "user=" +of usernames to check against the password using the "user =" option in the share definition. For modern clients such as Windows 95/98/ME/NT/2000, this should not be necessary. .PP @@ -148,12 +148,12 @@ the located username. If no path was given, the path is set to the user's home directory. .PP -If you decide to use a \fBpath=\fR line +If you decide to use a \fBpath =\fR line in your [homes] section then you may find it useful to use the %S macro. For example : .PP .PP -\fBpath=/data/pchome/%S\fR +\fBpath = /data/pchome/%S\fR .PP .PP would be useful if you have different home directories @@ -197,9 +197,9 @@ access\fR. Note that the \fBbrowseable\fR flag for auto home directories will be inherited from the global browseable flag, not the [homes] browseable flag. This is useful as -it means setting browseable=no in the [homes] section -will hide the [homes] share but make any auto home -directories visible. +it means setting \fBbrowseable = no\fR in +the [homes] section will hide the [homes] share but make +any auto home directories visible. .PP .SS "THE PRINTERS SECTION" .PP 
@@ -368,7 +368,7 @@ the Internet name of the client machine. the name of your NIS home directory server. This is obtained from your NIS auto.map entry. If you have not compiled Samba with the \fB--with-automount\fR -option then this value will be the same as %. +option then this value will be the same as %L. .TP \fB%p\fR the path of the service's home directory, @@ -421,7 +421,7 @@ All of these options can be set separately for each service .PP The options are: .TP -\fBmangle case= yes/no\fR +\fBmangle case = yes/no\fR controls if names that have characters that aren't of the "default" case are mangled. For example, if this is yes then a name like "Mail" would be mangled. @@ -487,9 +487,9 @@ If a "user = " field is given in the \fIsmb.conf\fR file for the service and the client has supplied a password, and that password matches (according to the UNIX system's password checking) with one of the usernames -from the "user=" field then the connection is made as -the username in the "user=" line. If one -of the username in the "user=" list begins with a +from the "user =" field then the connection is made as +the username in the "user =" line. If one +of the username in the "user =" list begins with a \&'@' then that name expands to a list of names in the group of the same name. .IP 6. @@ -503,6 +503,9 @@ Here is a list of all global parameters. See the section of each parameter for details. Note that some are synonyms. .TP 0.2i \(bu +\fIabort shutdown script\fR +.TP 0.2i +\(bu \fIadd printer command\fR .TP 0.2i \(bu @@ -512,6 +515,9 @@ each parameter for details. Note that some are synonyms. \fIadd user script\fR .TP 0.2i \(bu +\fIadd machine script\fR +.TP 0.2i +\(bu \fIallow trusted domains\fR .TP 0.2i \(bu @@ -587,6 +593,9 @@ each parameter for details. Note that some are synonyms. \fIdfree command\fR .TP 0.2i \(bu +\fIdisable spoolss\fR +.TP 0.2i +\(bu \fIdns proxy\fR .TP 0.2i \(bu 
@@ -644,6 +653,24 @@ each parameter for details. Note that some are synonyms. \fIlarge readwrite\fR .TP 0.2i \(bu +\fIldap admin dn\fR +.TP 0.2i +\(bu +\fIldap filter\fR +.TP 0.2i +\(bu +\fIldap port\fR +.TP 0.2i +\(bu +\fIldap server\fR +.TP 0.2i +\(bu +\fIldap ssl\fR +.TP 0.2i +\(bu +\fIldap suffix\fR +.TP 0.2i +\(bu \fIlm announce\fR .TP 0.2i \(bu @@ -851,6 +878,9 @@ each parameter for details. Note that some are synonyms. \fIshow add printer wizard\fR .TP 0.2i \(bu +\fIshutdown script\fR +.TP 0.2i +\(bu \fIsmb passwd file\fR .TP 0.2i \(bu @@ -884,6 +914,15 @@ each parameter for details. Note that some are synonyms. \fIssl compatibility\fR .TP 0.2i \(bu +\fIssl egd socket\fR +.TP 0.2i +\(bu +\fIssl entropy bytes\fR +.TP 0.2i +\(bu +\fIssl entropy file\fR +.TP 0.2i +\(bu \fIssl hosts\fR .TP 0.2i \(bu @@ -953,6 +992,9 @@ each parameter for details. Note that some are synonyms. \fIusername map\fR .TP 0.2i \(bu +\fIutmp\fR +.TP 0.2i +\(bu \fIutmp directory\fR .TP 0.2i \(bu @@ -962,6 +1004,12 @@ each parameter for details. Note that some are synonyms. \fIwinbind cache time\fR .TP 0.2i \(bu +\fIwinbind enum users\fR +.TP 0.2i +\(bu +\fIwinbind enum groups\fR +.TP 0.2i +\(bu \fIwinbind gid\fR .TP 0.2i \(bu @@ -1278,9 +1326,6 @@ each parameter for details. Note that some are synonyms. \fIset directory\fR .TP 0.2i \(bu -\fIshare modes\fR -.TP 0.2i -\(bu \fIshort preserve case\fR .TP 0.2i \(bu @@ -1296,6 +1341,9 @@ each parameter for details. Note that some are synonyms. \fIsync always\fR .TP 0.2i \(bu +\fIuse client driver\fR +.TP 0.2i +\(bu \fIuser\fR .TP 0.2i \(bu @@ -1305,9 +1353,6 @@ each parameter for details. Note that some are synonyms. \fIusers\fR .TP 0.2i \(bu -\fIutmp\fR -.TP 0.2i -\(bu \fIvalid users\fR .TP 0.2i \(bu 
@@ -1344,6 +1389,18 @@ each parameter for details. Note that some are synonyms. \fIwriteable\fR .SH "EXPLANATION OF EACH PARAMETER" .TP +\fBabort shutdown script (G)\fR +\fBThis parameter only exists in the HEAD cvs branch\fR +This a full path name to a script called by +\fBsmbd(8)\fRthat +should stop a shutdown procedure issued by the \fIshutdown script\fR. + +This command will be run as user. + +Default: \fBNone\fR. + +Example: \fBabort shutdown script = /sbin/shutdown -c\fR +.TP \fBadd printer command (G)\fR With the introduction of MS-RPC based printing support for Windows NT/2000 clients in Samba 2.2, The MS Add @@ -1456,6 +1513,19 @@ Default: \fBnone\fR Example: \fBadd share command = /usr/local/bin/addshare\fR .PP .TP +\fBadd machine script (G)\fR +This is the full pathname to a script that will +be run by smbd(8)when a machine is added +to it's domain using the administrator username and password method. + +This option is only required when using sam back-ends tied to the +Unix uid method of RID calculation such as smbpasswd. This option is only +available in Samba 3.0. + +Default: \fBadd machine script = +\fR +Example: \fBadd machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u +\fR.TP \fBadd user script (G)\fR This is the full pathname to a script that will be run \fBAS ROOT\fR by smbd(8) @@ -1469,7 +1539,7 @@ Windows NT PDC is an onerous task. This option allows smbdto create the required \fBON DEMAND\fR when a user accesses the Samba server. In order to use this option, smbd -must be set to \fIsecurity=server\fR or \fI security=domain\fR and \fIadd user script\fR +must be set to \fIsecurity = server\fR or \fI security = domain\fR and \fIadd user script\fR must be set to a full pathname for a script that will create a UNIX user given one argument of \fI%u\fR, which expands into the UNIX user name to create. 
@@ -1556,7 +1626,7 @@ that nmbd will use when announcing itself as a server. The default is 4.2. Do not change this parameter unless you have a specific need to set a Samba server to be a downlevel server. -Default: \fBannounce version = 4.2\fR +Default: \fBannounce version = 4.5\fR Example: \fBannounce version = 2.0\fR .TP @@ -1887,7 +1957,7 @@ Default: \fBcode page directory = ${prefix}/lib/codepages \fR Example: \fBcode page directory = /usr/share/samba/codepages \fR.TP -\fBcodingsystem (G)\fR +\fBcoding system (G)\fR This parameter is used to determine how incoming Shift-JIS Japanese characters are mapped from the incoming \fIclient code page\fR used by the client, into file names in the UNIX filesystem. @@ -2006,7 +2076,7 @@ parameter \fIdirectory mode See also the \fIforce create mode\fR parameter for forcing particular mode -bits to be set on created files. See also the \fIdirectory mode"\fR parameter for masking +bits to be set on created files. See also the \fIdirectory mode\fR parameter for masking mode bits on created directories. See also the \fIinherit permissions\fR parameter. Note that this parameter does not apply to permissions @@ -2091,7 +2161,7 @@ Synonym for \fI log level\fR. A synonym for \fI default service\fR. .TP \fBdefault case (S)\fR -See the section on NAME MANGLING. Also note the \fIshort preserve case"\fR parameter. +See the section on NAME MANGLING. Also note the \fIshort preserve case\fR parameter. Default: \fBdefault case = lower\fR .TP @@ -2194,9 +2264,9 @@ see the \fIdelete printer command\fR. .PP .PP -See also \fIdelete share +See also \fIadd share command\fR, \fIchange -share\fR. +share command\fR. .PP .PP Default: \fBnone\fR 
@@ -2219,16 +2289,16 @@ DEMAND\fR when a user accesses the Samba server and the Windows NT user no longer exists. In order to use this option, \fBsmbd\fR must be -set to \fIsecurity=domain\fR and \fIdelete +set to \fIsecurity = domain\fR and \fIdelete user script\fR must be set to a full pathname for a script that will delete a UNIX user given one argument of \fI%u \fR, which expands into the UNIX user name to delete. \fBNOTE\fR that this is different to the \fIadd user script\fR -which will work with the \fIsecurity=server\fR option -as well as \fIsecurity=domain\fR. The reason for this +which will work with the \fIsecurity = server\fR option +as well as \fIsecurity = domain\fR. The reason for this is only when Samba is a domain member does it get the information on an attempted user logon that a user no longer exists. In the -\fIsecurity=server\fR mode a missing user +\fIsecurity = server\fR mode a missing user is treated the same as an invalid password logon attempt. Deleting the user in this circumstance would not be a good idea. @@ -2248,7 +2318,7 @@ This script should delete the given UNIX username. In this way, UNIX users are dynamically deleted to match existing Windows NT accounts. -See also security=domain, +See also security = domain, \fIpassword server\fR , \fIadd user script\fR \&. 
@@ -2418,6 +2488,22 @@ Default: \fBdirectory security mask = 0777\fR Example: \fBdirectory security mask = 0700\fR .TP +\fBdisable spoolss (G)\fR +Enabling this parameter will disables Samba's support +for the SPOOLSS set of MS-RPC's and will yield identical behavior +as Samba 2.0.x. Windows NT/2000 clients will downgrade to using +Lanman style printing commands. Windows 9x/ME will be uneffected by +the parameter. However, this will also disable the ability to upload +printer drivers to a Samba server via the Windows NT Add Printer +Wizard or by using the NT printer properties dialog window. It will +also disable the capability of Windows NT/2000 clients to download +print drivers from the Samba host upon demand. +\fBBe very careful about enabling this parameter.\fR + +See also use client driver + +Default : \fBdisable spoolss = no\fR +.TP \fBdns proxy (G)\fR Specifies that nmbd(8) when acting as a WINS server and finding that a NetBIOS name has not @@ -2586,7 +2672,7 @@ In order for encrypted passwords to work correctly \fBsmbd(8)\fRmust either have access to a local \fIsmbpasswd(5) \fRprogram for information on how to set up -and maintain this file), or set the security=[server|domain] parameter which +and maintain this file), or set the security = [server|domain] parameter which causes \fBsmbd\fR to authenticate against another server. @@ -2596,8 +2682,6 @@ Default: \fBencrypt passwords = no\fR This option enables a couple of enhancements to cross-subnet browse propagation that have been added in Samba but which are not standard in Microsoft implementations. -\fBThese enhancements are currently only available in -the HEAD Samba CVS tree (not Samba 2.2.x).\fR The first enhancement to browse propagation consists of a regular wildcard query to a Samba WINS server for all Domain Master Browsers, 
@@ -2765,7 +2849,7 @@ would force all created directories to have read and execute permissions set for 'group' and 'other' as well as the read/write/execute bits set for the 'user'. .TP -\fBforce directory\fR +\fBforce directory security mode (S)\fR This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the UNIX permission on a directory using the native NT security dialog box. @@ -2991,7 +3075,7 @@ users (root, wheel, floppy, etc) from remote clients. Default: \fBhide local users = no\fR .TP -\fBhide unreadable(G)\fR +\fBhide unreadable (S)\fR This parameter prevents clients from seeing the existance of files that cannot be read. Defaults to off. @@ -3240,7 +3324,7 @@ by looking in the UNIX group database. A name starting with \&'+' and '&' may be used at the start of the name in either order so the value \fI+&group\fR means check the UNIX group database, followed by the NIS netgroup database, and -the value \fI&+group"\fR means check the NIS +the value \fI&+group\fR means check the NIS netgroup database, followed by the UNIX group database (the same as the '@' prefix). @@ -3281,9 +3365,9 @@ has oplocked. This allows complete data consistency between SMB/CIFS, NFS and local file access (and is a \fBvery\fR cool feature :-). -This parameter defaults to on on systems -that have the support, and off on systems that -don't. You should never need to touch this parameter. +This parameter defaults to on, but is translated +to a no-op on systems that no not have the necessary kernel support. +You should never need to touch this parameter. See also the \fIoplocks\fR and \fIlevel2 oplocks 
@@ -3300,7 +3384,7 @@ network client) will be able to connect to the Samba host. Default : \fBlanman auth = yes\fR .TP -\fBlarge readwrite(G)\fR +\fBlarge readwrite (G)\fR This parameter determines whether or not smbd supports the new 64k streaming read and write varient SMB requests introduced with Windows 2000. Note that due to Windows 2000 client redirector bugs 
@@ -3311,6 +3395,88 @@ code paths. Default : \fBlarge readwrite = no\fR .TP +\fBldap admin dn (G)\fR +This parameter is only available if Samba has been +configure to include the \fB--with-ldapsam\fR option +at compile time. This option should be considered experimental and +under active development. + +The \fIldap admin dn\fR defines the Distinguished +Name (DN) name used by Samba to contact the ldap +server when retreiving user account information. The \fIldap +admin dn\fR is used in conjunction with the admin dn password +stored in the \fIprivate/secrets.tdb\fR file. See the +\fBsmbpasswd(8)\fRman +page for more information on how to accmplish this. + +Default : \fBnone\fR +.TP +\fBldap filter (G)\fR +This parameter is only available if Samba has been +configure to include the \fB--with-ldapsam\fR option +at compile time. This option should be considered experimental and +under active development. + +This parameter specifies the RFC 2254 compliant LDAP search filter. +The default is to match the login name with the uid +attribute for all entries matching the sambaAccount +objectclass. Note that this filter should only return one entry. + +Default : \fBldap filter = (&(uid=%u)(objectclass=sambaAccount))\fR +.TP +\fBldap port (G)\fR +This parameter is only available if Samba has been +configure to include the \fB--with-ldapsam\fR option +at compile time. This option should be considered experimental and +under active development. + +This option is used to control the tcp port number used to contact +the \fIldap server\fR. +The default is to use the stand LDAP port 389. + +Default : \fBldap port = 389\fR +.TP +\fBldap server (G)\fR +This parameter is only available if Samba has been +configure to include the \fB--with-ldapsam\fR option +at compile time. This option should be considered experimental and +under active development. + +This parameter should contains the FQDN of the ldap directory +server which should be queried to locate user account information. 
+ +Default : \fBldap server = localhost\fR +.TP +\fBldap ssl (G)\fR +This parameter is only available if Samba has been +configure to include the \fB--with-ldapsam\fR option +at compile time. This option should be considered experimental and +under active development. + +This option is used to define whether or not Samba should +use SSL when connecting to the \fIldap +server\fR. This is \fBNOT\fR related to +Samba SSL support which is enabled by specifying the +\fB--with-ssl\fR option to the \fIconfigure\fR +script (see \fIssl\fR). + +The \fIldap ssl\fR can be set to one of three values: +(a) \fBon\fR - Always use SSL when contacting the +\fIldap server\fR, (b) \fBoff\fR - +Never use SSL when querying the directory, or (c) \fBstart +tls\fR - Use the LDAPv3 StartTLS extended operation +(RFC2830) for communicating with the directory server. + +Default : \fBldap ssl = off\fR +.TP +\fBldap suffix (G)\fR +This parameter is only available if Samba has been +configure to include the \fB--with-ldapsam\fR option +at compile time. This option should be considered experimental and +under active development. + +Default : \fBnone\fR +.TP \fBlevel2 oplocks (S)\fR This parameter controls whether Samba supports level2 (read-only) oplocks on a share. @@ -3495,7 +3661,7 @@ home directory. This is done in the following way: This tells Samba to return the above string, with substitutions made when a client requests the info, generally in a NetUserGetInfo request. Win9X clients truncate the info to -\\\\server\\share when a user does \fBnet use /home"\fR +\\\\server\\share when a user does \fBnet use /home\fR but use the whole string when dealing with profiles. Note that in prior versions of Samba, the \fIlogon path\fR was returned rather than 
@@ -3749,7 +3915,7 @@ Example 2: \fBlprm command = /usr/bin/cancel %p-%j \fR.TP \fBmachine password timeout (G)\fR If a Samba server is a member of a Windows -NT Domain (see the security=domain) +NT Domain (see the security = domain) parameter) then periodically a running smbd(8)process will try and change the MACHINE ACCOUNT PASSWORD stored in the TDB called \fIprivate/secrets.tdb \fR\&. This parameter specifies how often this password @@ -3757,7 +3923,7 @@ will be changed, in seconds. The default is one week (expressed in seconds), the same as a Windows NT Domain member server. See also \fBsmbpasswd(8) -\fR, and the security=domain) parameter. +\fR, and the security = domain) parameter. Default: \fBmachine password timeout = 604800\fR .TP @@ -3956,7 +4122,7 @@ it must include 010). See the parameter \fIcreate mask\fR for details. Default: \fBmap system = no\fR .TP \fBmap to guest (G)\fR -This parameter is only useful in security modes other than \fIsecurity=share\fR +This parameter is only useful in security modes other than \fIsecurity = share\fR - i.e. user, server, and domain. @@ -4158,13 +4324,13 @@ Default: \fBmax ttl = 259200\fR .TP \fBmax wins ttl (G)\fR This option tells nmbd(8) -when acting as a WINS server ( \fIwins support=yes\fR) what the maximum +when acting as a WINS server ( \fIwins support = yes\fR) what the maximum \&'time to live' of NetBIOS names that \fBnmbd\fR will grant will be (in seconds). You should never need to change this parameter. The default is 6 days (518400 seconds). See also the \fImin -wins ttl"\fR parameter. +wins ttl\fR parameter. Default: \fBmax wins ttl = 518400\fR .TP 
@@ -4604,11 +4770,11 @@ Default: \fBos2 driver map = With the addition of better PAM support in Samba 2.2, this parameter, it is possible to use PAM's password change control flag for Samba. If enabled, then PAM will be used for password -changes when requested by an SMB client insted of the program listed in +changes when requested by an SMB client instead of the program listed in \fIpasswd program\fR. It should be possible to enable this without changing your \fIpasswd chat\fR -paramater for most setups. +parameter for most setups. Default: \fBpam password change = no\fR .TP @@ -4635,15 +4801,20 @@ This chat sequence is often quite site specific, depending on what local methods are used for password control (such as NIS etc). -The string can contain the macros \fI%o\fR -and \fI%n\fR which are substituted for the old -and new passwords respectively. It can also contain the standard -macros \\n, \\r, \\t and %s to give line-feed, -carriage-return, tab and space. - -The string can also contain a '*' which matches -any sequence of characters. - +Note that this parameter only is only used if the \fIunix +password sync\fR parameter is set to yes. This +sequence is then called \fBAS ROOT\fR when the SMB password +in the smbpasswd file is being changed, without access to the old +password cleartext. This means that root must be able to reset the user's password +without knowing the text of the previous password. In the presence of NIS/YP, +this means that the passwd program must be +executed on the NIS master. + +The string can contain the macro \fI%n\fR which is substituted +for the new password. The chat sequence can also contain the standard +macros \\n, \\r, \\t and \\s to give line-feed, +carriage-return, tab and space. The chat sequence string can also contain +a '*' which matches any sequence of characters. Double quotes can be used to collect strings with spaces in them into a single string. 
@@ -4651,14 +4822,7 @@ If the send string in any part of the chat sequence is a full stop ".", then no string is sent. Similarly, if the expect string is a full stop then no string is expected. -Note that if the \fIunix -password sync\fR parameter is set to true, then this -sequence is called \fBAS ROOT\fR when the SMB password -in the smbpasswd file is being changed, without access to the old -password cleartext. In this case the old password cleartext is set -to "" (the empty string). - -Also, if the \fIpam +If the \fIpam password change\fR parameter is set to true, the chat pairs may be matched in any order, and sucess is determined by the PAM result, not any particular output. The \\n macro is ignored for PAM conversions. @@ -4830,14 +4994,14 @@ the \fIpassword server\fR parameter, however if an \fBsmbd\fR makes a connection to a password server, and then the password server fails, no more users will be able to be authenticated from this \fBsmbd\fR. This is a -restriction of the SMB/CIFS protocol when in \fBsecurity=server +restriction of the SMB/CIFS protocol when in \fBsecurity = server \fRmode and cannot be fixed in Samba. .TP 0.2i \(bu If you are using a Windows NT server as your password server then you will have to ensure that your users -are able to login from the Samba server, as when in \fB security=server\fR mode the network logon will appear to -come from there rather than from the user's workstation. +are able to login from the Samba server, as when in \fB security = server\fR mode the network logon will appear to +come from there rather than from the users workstation. .RE .PP See also the \fIsecurity 
@@ -5045,16 +5209,16 @@ You may have to vary this command considerably depending on how you normally print files on your system. The default for the parameter varies depending on the setting of the \fIprinting\fR parameter. -Default: For \fBprinting= BSD, AIX, QNX, LPRNG +Default: For \fBprinting = BSD, AIX, QNX, LPRNG or PLP :\fR \fBprint command = lpr -r -P%p %s\fR -For \fBprinting= SYS or HPUX :\fR +For \fBprinting = SYS or HPUX :\fR \fBprint command = lp -c -d%p %s; rm %s\fR -For \fBprinting=SOFTQ :\fR +For \fBprinting = SOFTQ :\fR \fBprint command = lp -d%p -s %s; rm %s\fR @@ -5551,7 +5715,7 @@ the most common setting needed when talking to Windows 98 and Windows NT. The alternatives are \fBsecurity = share\fR, -\fBsecurity = server\fR or \fBsecurity=domain +\fBsecurity = server\fR or \fBsecurity = domain \fR\&. In versions of Samba prior to 2..0, the default was @@ -5658,7 +5822,7 @@ See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION. \fR.PP .PP This is the default security setting in Samba 2.2. -With user-level security a client must first "log=on" with a +With user-level security a client must first "log-on" with a valid username and password (which can be mapped using the \fIusername map\fR parameter). Encrypted passwords (see the \fIencrypted passwords\fR parameter) can also be used in this security mode. Parameters such as \fIuser\fR and \fIguest only\fR if set are then applied and 
@@ -5829,29 +5993,6 @@ for details. Default: \fBset directory = no\fR .TP -\fBshare modes (S)\fR -This enables or disables the honoring of -the \fIshare modes\fR during a file open. These -modes are used by clients to gain exclusive read or write access -to a file. - -These open modes are not directly supported by UNIX, so -they are simulated using shared memory, or lock files if your -UNIX doesn't support shared memory (almost all do). - -The share modes that are enabled by this option are -DENY_DOS, DENY_ALL, -DENY_READ, DENY_WRITE, -DENY_NONE and DENY_FCB. - -This option gives full share compatibility and enabled -by default. - -You should \fBNEVER\fR turn this parameter -off as many Windows applications will break if you do so. - -Default: \fBshare modes = yes\fR -.TP \fBshort preserve case (S)\fR This boolean parameter controls if new files which conform to 8.3 syntax, that is all in upper case and of 
@@ -5892,6 +6033,53 @@ command\fR, \fIdeleteprinter command\fR, \fIprinter admin\fR Default :\fBshow add printer wizard = yes\fR .TP +\fBshutdown script (G)\fR +\fBThis parameter only exists in the HEAD cvs branch\fR +This a full path name to a script called by +\fBsmbd(8)\fRthat +should start a shutdown procedure. + +This command will be run as the user connected to the +server. + +%m %t %r %f parameters are expanded + +\fI%m\fR will be substituted with the +shutdown message sent to the server. + +\fI%t\fR will be substituted with the +number of seconds to wait before effectively starting the +shutdown procedure. + +\fI%r\fR will be substituted with the +switch \fB-r\fR. It means reboot after shutdown +for NT. + +\fI%f\fR will be substituted with the +switch \fB-f\fR. It means force the shutdown +even if applications do not respond for NT. + +Default: \fBNone\fR. + +Example: \fBabort shutdown script = /usr/local/samba/sbin/shutdown %m %t %r %f\fR + +Shutdown script example: +.sp +.nf + #!/bin/bash + + $time=0 + let "time/60" + let "time++" + + /sbin/shutdown $3 $4 +$time $1 & + +.sp +.fi +Shutdown does not return so we need to launch it in background. + +See also \fIabort shutdown script\fR. +.TP \fBsmb passwd file (G)\fR This option sets the path to the encrypted smbpasswd file. By default the path to the smbpasswd file @@ -5978,8 +6166,8 @@ or disable the option, by default they will be enabled if you don't specify 1 or 0. .PP .PP -To specify an argument use the syntax SOME_OPTION=VALUE -for example \fBSO_SNDBUF=8192\fR. Note that you must +To specify an argument use the syntax SOME_OPTION = VALUE +for example \fBSO_SNDBUF = 8192\fR. Note that you must not have any spaces before or after the = sign. .PP .PP @@ -6024,7 +6212,7 @@ be formatted as the output of the standard Unix \fBenv(1) Example environment entry: -\fBSAMBA_NETBIOS_NAME=myhostname\fR +\fBSAMBA_NETBIOS_NAME = myhostname\fR Default: \fBNo default value\fR 
@@ -6039,17 +6227,13 @@ is only available if the SSL libraries have been compiled on your system and the configure option \fB--with-ssl\fR was given at configure time. -\fBNote\fR that for export control reasons -this code is \fBNOT\fR enabled by default in any -current binary version of Samba. - This variable enables or disables the entire SSL mode. If it is set to no, the SSL-enabled Samba behaves exactly like the non-SSL Samba. If set to yes, it depends on the variables \fI ssl hosts\fR and \fIssl hosts resign\fR whether an SSL connection will be required. -Default: \fBssl=no\fR +Default: \fBssl = no\fR .TP \fBssl CA certDir (G)\fR This variable is part of SSL-enabled Samba. This @@ -6057,10 +6241,6 @@ is only available if the SSL libraries have been compiled on your system and the configure option \fB--with-ssl\fR was given at configure time. -\fBNote\fR that for export control reasons -this code is \fBNOT\fR enabled by default in any -current binary version of Samba. - This variable defines where to look up the Certification Authorities. The given directory should contain one file for each CA that Samba will trust. The file name must be the hash @@ -6077,10 +6257,6 @@ is only available if the SSL libraries have been compiled on your system and the configure option \fB--with-ssl\fR was given at configure time. -\fBNote\fR that for export control reasons -this code is \fBNOT\fR enabled by default in any -current binary version of Samba. - This variable is a second way to define the trusted CAs. The certificates of the trusted CAs are collected in one big file and this variable points to the file. You will probably 
@@ -6098,10 +6274,6 @@ is only available if the SSL libraries have been compiled on your system and the configure option \fB--with-ssl\fR was given at configure time. -\fBNote\fR that for export control reasons -this code is \fBNOT\fR enabled by default in any -current binary version of Samba. - This variable defines the ciphers that should be offered during SSL negotiation. You should not set this variable unless you know what you are doing. @@ -6112,10 +6284,6 @@ is only available if the SSL libraries have been compiled on your system and the configure option \fB--with-ssl\fR was given at configure time. -\fBNote\fR that for export control reasons -this code is \fBNOT\fR enabled by default in any -current binary version of Samba. - The certificate in this file is used by \fBsmbclient(1)\fRif it exists. It's needed if the server requires a client certificate. @@ -6127,10 +6295,6 @@ is only available if the SSL libraries have been compiled on your system and the configure option \fB--with-ssl\fR was given at configure time. -\fBNote\fR that for export control reasons -this code is \fBNOT\fR enabled by default in any -current binary version of Samba. - This is the private key for \fBsmbclient(1)\fR. It's only needed if the client should have a certificate. 
@@ -6142,17 +6306,55 @@ is only available if the SSL libraries have been compiled on your system and the configure option \fB--with-ssl\fR was given at configure time. -\fBNote\fR that for export control reasons -this code is \fBNOT\fR enabled by default in any -current binary version of Samba. - -This variable defines whether SSLeay should be configured +This variable defines whether OpenSSL should be configured for bug compatibility with other SSL implementations. This is probably not desirable because currently no clients with SSL -implementations other than SSLeay exist. +implementations other than OpenSSL exist. Default: \fBssl compatibility = no\fR .TP +\fBssl egd socket (G)\fR +This variable is part of SSL-enabled Samba. This +is only available if the SSL libraries have been compiled on your +system and the configure option \fB--with-ssl\fR was +given at configure time. + +This option is used to define the location of the communiation socket of +an EGD or PRNGD daemon, from which entropy can be retrieved. This option +can be used instead of or together with the \fIssl entropy file\fR +directive. 255 bytes of entropy will be retrieved from the daemon. + +Default: \fBnone\fR +.TP +\fBssl entropy bytes (G)\fR +This variable is part of SSL-enabled Samba. This +is only available if the SSL libraries have been compiled on your +system and the configure option \fB--with-ssl\fR was +given at configure time. + +This parameter is used to define the number of bytes which should +be read from the \fIssl entropy +file\fR If a -1 is specified, the entire file will +be read. + +Default: \fBssl entropy bytes = 255\fR +.TP +\fBssl entropy file (G)\fR +This variable is part of SSL-enabled Samba. This +is only available if the SSL libraries have been compiled on your +system and the configure option \fB--with-ssl\fR was +given at configure time. + +This parameter is used to specify a file from which processes will +read "random bytes" on startup. 
In order to seed the internal pseudo +random number generator, entropy must be provided. On system with a +\fI/dev/urandom\fR device file, the processes +will retrieve its entropy from the kernel. On systems without kernel +entropy support, a file can be supplied that will be read on startup +and that will be used to seed the PRNG. + +Default: \fBnone\fR +.TP \fBssl hosts (G)\fR See \fI ssl hosts resign\fR. .TP @@ -6162,10 +6364,6 @@ is only available if the SSL libraries have been compiled on your system and the configure option \fB--with-ssl\fR was given at configure time. -\fBNote\fR that for export control reasons -this code is \fBNOT\fR enabled by default in any -current binary version of Samba. - These two variables define whether Samba will go into SSL mode or not. If none of them is defined, Samba will allow only SSL connections. If the \fIssl hosts\fR variable lists @@ -6191,10 +6389,6 @@ is only available if the SSL libraries have been compiled on your system and the configure option \fB--with-ssl\fR was given at configure time. -\fBNote\fR that for export control reasons -this code is \fBNOT\fR enabled by default in any -current binary version of Samba. - If this variable is set to yes, the server will not tolerate connections from clients that don't have a valid certificate. The directory/file given in \fIssl CA certDir\fR @@ -6217,10 +6411,6 @@ is only available if the SSL libraries have been compiled on your system and the configure option \fB--with-ssl\fR was given at configure time. -\fBNote\fR that for export control reasons -this code is \fBNOT\fR enabled by default in any -current binary version of Samba. - If this variable is set to yes, the \fBsmbclient(1)\fR will request a certificate from the server. Same as 
@@ -6235,10 +6425,6 @@ is only available if the SSL libraries have been compiled on your system and the configure option \fB--with-ssl\fR was given at configure time. -\fBNote\fR that for export control reasons -this code is \fBNOT\fR enabled by default in any -current binary version of Samba. - This is the file containing the server's certificate. The server \fBmust\fR have a certificate. The file may also contain the server's private key. See later for @@ -6252,10 +6438,6 @@ is only available if the SSL libraries have been compiled on your system and the configure option \fB--with-ssl\fR was given at configure time. -\fBNote\fR that for export control reasons -this code is \fBNOT\fR enabled by default in any -current binary version of Samba. - This file contains the private key of the server. If this variable is not defined, the key is looked up in the certificate file (it may be appended to the certificate). @@ -6271,10 +6453,6 @@ is only available if the SSL libraries have been compiled on your system and the configure option \fB--with-ssl\fR was given at configure time. -\fBNote\fR that for export control reasons -this code is \fBNOT\fR enabled by default in any -current binary version of Samba. - This enumeration variable defines the versions of the SSL protocol that will be used. ssl2or3 allows dynamic negotiation of SSL v2 or v3, ssl2 results @@ -6390,9 +6568,6 @@ the debug log files. Default: \fBsyslog only = no\fR .TP \fBtemplate homedir (G)\fR -\fBNOTE:\fR this parameter is -only available in Samba 3.0. - When filling out the user information for a Windows NT user, the winbindd(8)daemon uses this parameter to fill in the home directory for that user. 
@@ -6404,9 +6579,6 @@ NT user name. Default: \fBtemplate homedir = /home/%D/%U\fR .TP \fBtemplate shell (G)\fR -\fBNOTE:\fR this parameter is -only available in Samba 3.0. - When filling out the user information for a Windows NT user, the winbindd(8)daemon uses this parameter to fill in the login shell for that user. 
@@ -6489,6 +6661,38 @@ password in order to connect correctly, and to update their hashed Default: \fBupdate encrypted = no\fR .TP +\fBuse client driver (S)\fR +This parameter applies only to Windows NT/2000 +clients. It has no affect on Windows 95/98/ME clients. When +serving a printer to Windows NT/2000 clients without first installing +a valid printer driver on the Samba host, the client will be required +to install a local printer driver. From this point on, the client +will treat the print as a local printer and not a network printer +connection. This is much the same behavior that will occur +when \fBdisable spoolss = yes\fR. + +The differentiating +factor is that under normal circumstances, the NT/2000 client will +attempt to open the network printer using MS-RPC. The problem is that +because the client considers the printer to be local, it will attempt +to issue the OpenPrinterEx() call requesting access rights associated +with the logged on user. If the user possesses local administator rights +but not root privilegde on the Samba host (often the case), the OpenPrinterEx() +call will fail. The result is that the client will now display an "Access +Denied; Unable to connect" message in the printer queue window (even though +jobs may successfully be printed). + +If this parameter is enabled for a printer, then any attempt +to open the printer with the PRINTER_ACCESS_ADMINISTER right is mapped +to PRINTER_ACCESS_USE instead. Thus allowing the OpenPrinterEx() +call to succeed. \fBThis parameter MUST not be able enabled +on a print share which has valid print driver installed on the Samba +server.\fR + +See also disable spoolss + +Default: \fBuse client driver = no\fR +.TP \fBuse rhosts (G)\fR If this global parameter is true, it specifies that the UNIX user's \fI.rhosts\fR file in their home directory 
@@ -6675,7 +6879,7 @@ Default: \fBno username map\fR Example: \fBusername map = /usr/local/samba/lib/users.map \fR.TP -\fButmp (S)\fR +\fButmp (G)\fR This boolean parameter is only available if Samba has been configured and compiled with the option \fB --with-utmp\fR. If set to true then Samba will attempt to add utmp or utmpx records (depending on the UNIX system) whenever a @@ -6788,12 +6992,13 @@ separator '/'. Note that the \fIcase sensitive\fR option is applicable in vetoing files. -One feature of the veto files parameter that it is important -to be aware of, is that if a directory contains nothing but files -that match the veto files parameter (which means that Windows/DOS -clients cannot ever see them) is deleted, the veto files within -that directory \fBare automatically deleted\fR along -with it, if the user has UNIX permissions to do so. +One feature of the veto files parameter that it +is important to be aware of is Samba's behaviour when +trying to delete a directory. If a directory that is +to be deleted contains nothing but veto files this +deletion will \fBfail\fR unless you also set +the \fIdelete veto files\fR parameter to +\fIyes\fR. Setting this parameter will affect the performance of Samba, as it will be forced to check all files and directories @@ -6838,7 +7043,7 @@ To cause Samba not to grant oplocks on these files you would use the line (either in the [global] section or in the section for the particular NetBench share : -Example: \fBveto oplock files = /*;.SEM/ +Example: \fBveto oplock files = /*.SEM/ \fR.TP \fBvfs object (S)\fR This parameter specifies a shared object file that @@ -6878,9 +7083,6 @@ that Samba has to do in order to perform the link checks. Default: \fBwide links = yes\fR .TP \fBwinbind cache time\fR -\fBNOTE:\fR this parameter is only -available in Samba 3.0. - This parameter specifies the number of seconds the winbindd(8)daemon will cache user and group information before querying a Windows NT server 
@@ -6888,10 +7090,42 @@ again. Default: \fBwinbind cache type = 15\fR .TP +\fBwinbind enum users\fR +On large installations using +winbindd(8)it may be +necessary to suppress the enumeration of users through the +\fBsetpwent()\fR, +\fBgetpwent()\fR and +\fBendpwent()\fR group of system calls. If +the \fIwinbind enum users\fR parameter is +false, calls to the \fBgetpwent\fR system call +will not return any data. + +\fBWarning:\fR Turning off user +enumeration may cause some programs to behave oddly. For +example, the finger program relies on having access to the +full user list when searching for matching +usernames. + +Default: \fBwinbind enum users = yes \fR +.TP +\fBwinbind enum groups\fR +On large installations using +winbindd(8)it may be +necessary to suppress the enumeration of groups through the +\fBsetgrent()\fR, +\fBgetgrent()\fR and +\fBendgrent()\fR group of system calls. If +the \fIwinbind enum groups\fR parameter is +false, calls to the \fBgetgrent()\fR system +call will not return any data. + +\fBWarning:\fR Turning off group +enumeration may cause some programs to behave oddly. + +Default: \fBwinbind enum groups = yes \fR +.TP \fBwinbind gid\fR -\fBNOTE:\fR this parameter is only -available in Samba 3.0. - The winbind gid parameter specifies the range of group ids that are allocated by the winbindd(8)daemon. This range of group ids should have no existing local or NIS groups within it as strange conflicts can @@ -6902,9 +7136,6 @@ Default: \fBwinbind gid = Example: \fBwinbind gid = 10000-20000\fR .TP \fBwinbind separator\fR -\fBNOTE:\fR this parameter is only -available in Samba 3.0. - This parameter allows an admin to define the character used when listing a username of the form of \fIDOMAIN \fR\\\fIuser\fR. This parameter 
@@ -6916,9 +7147,6 @@ Example: \fBwinbind separator = \\\fR Example: \fBwinbind separator = +\fR .TP \fBwinbind uid\fR -\fBNOTE:\fR this parameter is only -available in Samba 3.0. - The winbind gid parameter specifies the range of group ids that are allocated by the winbindd(8)daemon. This range of ids should have no existing local or NIS users within it as strange conflicts can @@ -7013,7 +7241,7 @@ Default: \fBwins support = no\fR \fBworkgroup (G)\fR This controls what workgroup your server will appear to be in when queried by clients. Note that this parameter -also controls the Domain name used with the \fBsecurity=domain\fR +also controls the Domain name used with the \fBsecurity = domain\fR setting. Default: \fBset at compile time to WORKGROUP\fR diff --git a/docs/manpages/smbclient.1 b/docs/manpages/smbclient.1 index 29cd3094a7c..41102ca822c 100644 --- a/docs/manpages/smbclient.1 +++ b/docs/manpages/smbclient.1 
@@ -3,12 +3,12 @@ .\" .\" Please send any bug reports, improvements, comments, patches, .\" etc. to Steve Cheng . -.TH "SMBCLIENT" "1" "09 July 2001" "" "" +.TH "SMBCLIENT" "1" "15 September 2001" "" "" .SH NAME smbclient \- ftp-like client to access SMB/CIFS resources on servers .SH SYNOPSIS .sp -\fBsmbclient\fR \fBservicename\fR [ \fBpassword\fR ] [ \fB-b \fR ] [ \fB-d debuglevel\fR ] [ \fB-D Directory\fR ] [ \fB-S server\fR ] [ \fB-U username\fR ] [ \fB-W workgroup\fR ] [ \fB-M \fR ] [ \fB-m maxprotocol\fR ] [ \fB-A authfile\fR ] [ \fB-N\fR ] [ \fB-l logfile\fR ] [ \fB-L \fR ] [ \fB-I destinationIP\fR ] [ \fB-E \fR ] [ \fB-c \fR ] [ \fB-i scope\fR ] [ \fB-O \fR ] [ \fB-p port\fR ] [ \fB-R \fR ] [ \fB-s \fR ] [ \fB-TIXFqgbNan\fR ] +\fBsmbclient\fR \fBservicename\fR [ \fBpassword\fR ] [ \fB-b \fR ] [ \fB-d debuglevel\fR ] [ \fB-D Directory\fR ] [ \fB-U username\fR ] [ \fB-W workgroup\fR ] [ \fB-M \fR ] [ \fB-m maxprotocol\fR ] [ \fB-A authfile\fR ] [ \fB-N\fR ] [ \fB-l logfile\fR ] [ \fB-L \fR ] [ \fB-I destinationIP\fR ] [ \fB-E \fR ] [ \fB-c \fR ] [ \fB-i scope\fR ] [ \fB-O \fR ] [ \fB-p port\fR ] [ \fB-R \fR ] [ \fB-s \fR ] [ \fB-TIXFqgbNan\fR ] .SH "DESCRIPTION" .PP This tool is part of the Sambasuite. @@ -157,7 +157,8 @@ messages. \fB-i scope\fR This specifies a NetBIOS scope that smbclient will use to communicate with when generating NetBIOS names. For details -on the use of NetBIOS scopes, see \fIrfc1001.txt\fR and \fIrfc1002.txt\fR. +on the use of NetBIOS scopes, see \fIrfc1001.txt\fR +and \fIrfc1002.txt\fR. NetBIOS scopes are \fBvery\fR rarely used, only set this parameter if you are the system administrator in charge of all the NetBIOS systems you communicate with. diff --git a/docs/manpages/smbcontrol.1 b/docs/manpages/smbcontrol.1 index 6e4fd851562..ee7ba6e629b 100644 --- a/docs/manpages/smbcontrol.1 +++ b/docs/manpages/smbcontrol.1 
@@ -3,7 +3,7 @@ .\" .\" Please send any bug reports, improvements, comments, patches, .\" etc. to Steve Cheng . -.TH "SMBCONTROL" "1" "09 July 2001" "" "" +.TH "SMBCONTROL" "1" "03 August 2001" "" "" .SH NAME smbcontrol \- send messages to smbd or nmbd processes .SH SYNOPSIS @@ -84,6 +84,11 @@ message to smbd which in turn sends a printer notify message to any Windows NT clients connected to a printer. This message-type takes an argument of the printer name to send notify messages to. This message can only be sent to smbd. + +The close-share message-type sends a +message to smbd which forces smbd to close the share that was +specified as an argument. This may be useful if you made changes +to the access controls on the share. .TP \fBparameters\fR any parameters required for the message-type diff --git a/docs/manpages/smbd.8 b/docs/manpages/smbd.8 index 84000136083..bfcac80157d 100644 --- a/docs/manpages/smbd.8 +++ b/docs/manpages/smbd.8 @@ -3,7 +3,7 @@ .\" .\" Please send any bug reports, improvements, comments, patches, .\" etc. to Steve Cheng . -.TH "SMBD" "8" "09 July 2001" "" "" +.TH "SMBD" "8" "31 July 2001" "" "" .SH NAME smbd \- server to provide SMB/CIFS services to clients .SH SYNOPSIS @@ -445,10 +445,10 @@ memory area in an inconsistent state. The safe way to terminate an \fBsmbd\fR is to send it a SIGTERM (-15) signal and wait for it to die on its own. .PP -The debug log level of \fBsmbd\fR may be raised by sending -it a SIGUSR1 (\fBkill -USR1 \fR) -and lowered by sending it a SIGUSR2 (\fBkill -USR2 -\fR). This is to allow transient problems to be diagnosed, +The debug log level of \fBsmbd\fR may be raised +or lowered using \fBsmbcontrol(1) +\fRprogram (SIGUSR[1|2] signals are no longer used in +Samba 2.2). This is to allow transient problems to be diagnosed, whilst still running at a normally low log level. .PP Note that as the signal handlers send a debug write, 
diff --git a/docs/manpages/smbmnt.8 b/docs/manpages/smbmnt.8 index 37626fa19fe..93e334f25c2 100644 --- a/docs/manpages/smbmnt.8 +++ b/docs/manpages/smbmnt.8 @@ -3,7 +3,7 @@ .\" .\" Please send any bug reports, improvements, comments, patches, .\" etc. to Steve Cheng . -.TH "SMBMNT" "8" "09 July 2001" "" "" +.TH "SMBMNT" "8" "06 October 2001" "" "" .SH NAME smbmnt \- helper utility for mounting SMB filesystems .SH SYNOPSIS @@ -13,14 +13,18 @@ smbmnt \- helper utility for mounting SMB filesystems .PP \fBsmbmnt\fR is a helper application used by the smbmount program to do the actual mounting of SMB shares. -\fBsmbmnt\fR is meant to be installed setuid root -so that normal users can mount their SMB shares. It checks -whether the user has write permissions on the mount point and -then mounts the directory. +\fBsmbmnt\fR can be installed setuid root if you want +normal users to be able to mount their SMB shares. +.PP +A setuid smbmnt will only allow mounts on directories owned +by the user, and that the user has write permission on. .PP The \fBsmbmnt\fR program is normally invoked by \fBsmbmount(8)\fR . It should not be invoked directly by users. +.PP +smbmount searches the normal PATH for smbmnt. You must ensure +that the smbmnt version in your path matches the smbmount used. .SH "OPTIONS" .TP \fB-r\fR diff --git a/docs/manpages/smbmount.8 b/docs/manpages/smbmount.8 index 2c86b922400..f57c0b54da4 100644 --- a/docs/manpages/smbmount.8 +++ b/docs/manpages/smbmount.8 @@ -3,7 +3,7 @@ .\" .\" Please send any bug reports, improvements, comments, patches, .\" etc. to Steve Cheng . -.TH "SMBMOUNT" "8" "09 July 2001" "" "" +.TH "SMBMOUNT" "8" "06 October 2001" "" "" .SH NAME smbmount \- mount an smbfs filesystem .SH SYNOPSIS 
@@ -11,10 +11,11 @@ smbmount \- mount an smbfs filesystem \fBsmbumount\fR \fBservice\fR \fBmount-point\fR [ \fB-o options\fR ] .SH "DESCRIPTION" .PP -\fBsmbmount\fR mounts a SMB filesystem. It -is usually invoked as \fBmount.smb\fR from +\fBsmbmount\fR mounts a Linux SMB filesystem. It +is usually invoked as \fBmount.smbfs\fR by the \fBmount(8)\fR command when using the -"-t smb" option. The kernel must support the smbfs filesystem. +"-t smbfs" option. This command only works in Linux, and the kernel must +support the smbfs filesystem. .PP Options to \fBsmbmount\fR are specified as a comma-separated list of key=value pairs. It is possible to send options other @@ -102,7 +103,9 @@ The default is based on the current umask. .TP \fBdebug=\fR sets the debug level. This is useful for -tracking down SMB connection problems. +tracking down SMB connection problems. A suggested value to +start with is 4. If set too high there will be a lot of +output, possibly hiding the useful output. .TP \fBip=\fR sets the destination host or IP address. 
@@ -160,19 +163,26 @@ person using the client. This information is used only if the protocol level is high enough to support session-level passwords. .PP -The variable \fBPASSWD_FILE\fR may contain the pathname of -a file to read the password from. A single line of input is +The variable \fBPASSWD_FILE\fR may contain the pathname +of a file to read the password from. A single line of input is read and used as the password. .SH "BUGS" .PP -Not many known smbmount bugs. But one smbfs bug is -important enough to mention here anyway: +Passwords and other options containing , can not be handled. +For passwords an alternative way of passing them is in a credentials +file or in the PASSWD environment. +.PP +The credentials file does not handle usernames or passwords with +leading space. +.PP +One smbfs bug is important enough to mention here, even if it +is a bit misplaced: .TP 0.2i \(bu Mounts sometimes stop working. This is usually caused by smbmount terminating. Since smbfs needs smbmount to -reconnect when the server disconnects, the mount will go -dead. A re-mount normally fixes this. At least 2 ways to +reconnect when the server disconnects, the mount will eventually go +dead. An umount/mount normally fixes this. At least 2 ways to trigger this bug are known. .PP Note that the typical response to a bug report is suggestion @@ -182,8 +192,15 @@ when reporting bugs (minimum: samba, kernel, distribution) .PP .SH "SEE ALSO" .PP -Documentation/filesystems/smbfs.txt in the kernel source tree -may contain additional options and information. +Documentation/filesystems/smbfs.txt in the linux kernel +source tree may contain additional options and information. +.PP +FreeBSD also has a smbfs, but it is not related to smbmount +.PP +For Solaris, HP-UX and others you may want to look at +\fBsmbsh(1)\fRor at other +solutions, such as sharity or perhaps replacing the SMB server with +a NFS server. .SH "AUTHOR" .PP Volker Lendecke, Andrew Tridgell, Michael H. Warfield 
diff --git a/docs/manpages/smbpasswd.8 b/docs/manpages/smbpasswd.8 index fc68324facf..464e73240a1 100644 --- a/docs/manpages/smbpasswd.8 +++ b/docs/manpages/smbpasswd.8 @@ -3,12 +3,12 @@ .\" .\" Please send any bug reports, improvements, comments, patches, .\" etc. to Steve Cheng . -.TH "SMBPASSWD" "8" "09 July 2001" "" "" +.TH "SMBPASSWD" "8" "16 September 2001" "" "" .SH NAME smbpasswd \- change a user's SMB password .SH SYNOPSIS .sp -\fBsmbpasswd\fR [ \fB-a\fR ] [ \fB-x\fR ] [ \fB-d\fR ] [ \fB-e\fR ] [ \fB-D debuglevel\fR ] [ \fB-n\fR ] [ \fB-r \fR ] [ \fB-R \fR ] [ \fB-m\fR ] [ \fB-j DOMAIN\fR ] [ \fB-U username\fR ] [ \fB-h\fR ] [ \fB-s\fR ] [ \fBusername\fR ] +\fBsmbpasswd\fR [ \fB-a\fR ] [ \fB-x\fR ] [ \fB-d\fR ] [ \fB-e\fR ] [ \fB-D debuglevel\fR ] [ \fB-n\fR ] [ \fB-r \fR ] [ \fB-R \fR ] [ \fB-m\fR ] [ \fB-j DOMAIN\fR ] [ \fB-U username[%password]\fR ] [ \fB-h\fR ] [ \fB-s\fR ] [ \fBusername\fR ] .SH "DESCRIPTION" .PP This tool is part of the Sambasuite. diff --git a/docs/manpages/smbumount.8 b/docs/manpages/smbumount.8 index efd3ba0cac7..ba5c6ea257c 100644 --- a/docs/manpages/smbumount.8 +++ b/docs/manpages/smbumount.8 @@ -3,7 +3,7 @@ .\" .\" Please send any bug reports, improvements, comments, patches, .\" etc. to Steve Cheng . -.TH "SMBUMOUNT" "8" "09 July 2001" "" "" +.TH "SMBUMOUNT" "8" "06 October 2001" "" "" .SH NAME smbumount \- smbfs umount for normal users .SH SYNOPSIS diff --git a/docs/manpages/wbinfo.1 b/docs/manpages/wbinfo.1 index 67a24f9613d..eebc67d2b7f 100644 --- a/docs/manpages/wbinfo.1 +++ b/docs/manpages/wbinfo.1 
@@ -3,12 +3,12 @@ .\" .\" Please send any bug reports, improvements, comments, patches, .\" etc. to Steve Cheng . -.TH "WBINFO" "1" "09 July 2001" "" "" +.TH "WBINFO" "1" "26 September 2001" "" "" .SH NAME wbinfo \- Query information from winbind daemon .SH SYNOPSIS .sp -\fBnmblookup\fR [ \fB-u\fR ] [ \fB-g\fR ] [ \fB-n name\fR ] [ \fB-s sid\fR ] [ \fB-U uid\fR ] [ \fB-G gid\fR ] [ \fB-S sid\fR ] [ \fB-Y sid\fR ] [ \fB-t\fR ] [ \fB-m\fR ] +\fBwbinfo\fR [ \fB-u\fR ] [ \fB-g\fR ] [ \fB-n name\fR ] [ \fB-s sid\fR ] [ \fB-U uid\fR ] [ \fB-G gid\fR ] [ \fB-S sid\fR ] [ \fB-Y sid\fR ] [ \fB-t\fR ] [ \fB-m\fR ] .SH "DESCRIPTION" .PP This tool is part of the Sambasuite. @@ -91,8 +91,7 @@ failure. .SH "VERSION" .PP This man page is correct for version 2.2 of -the Samba suite. winbindd is however not available in -stable release of Samba as of yet. +the Samba suite. .SH "SEE ALSO" .PP \fBwinbindd(8)\fR @@ -105,7 +104,7 @@ by the Samba Team as an Open Source project similar to the way the Linux kernel is developed. .PP \fBwbinfo\fR and \fBwinbindd\fR -were written by TIm Potter. +were written by Tim Potter. .PP The conversion to DocBook for Samba 2.2 was done by Gerald Carter diff --git a/docs/manpages/winbindd.8 b/docs/manpages/winbindd.8 index 72d4d304e93..c3d445c1c1d 100644 --- a/docs/manpages/winbindd.8 +++ b/docs/manpages/winbindd.8 
@@ -3,16 +3,15 @@ .\" .\" Please send any bug reports, improvements, comments, patches, .\" etc. to Steve Cheng . -.TH "WINBINDD" "8" "09 July 2001" "" "" +.TH "WINBINDD" "8" "26 September 2001" "" "" .SH NAME winbindd \- Name Service Switch daemon for resolving names from NT servers .SH SYNOPSIS .sp -\fBnmblookup\fR [ \fB-d debuglevel\fR ] [ \fB-i\fR ] [ \fB-S\fR ] [ \fB-r\fR ] [ \fB-A\fR ] [ \fB-h\fR ] [ \fB-B \fR ] [ \fB-U \fR ] [ \fB-d \fR ] [ \fB-s \fR ] [ \fB-i \fR ] [ \fB-T\fR ] \fBname\fR +\fBwinbindd\fR [ \fB-i\fR ] [ \fB-d \fR ] [ \fB-s \fR ] .SH "DESCRIPTION" .PP -This tool is part of the Sambasuite version 3.0 and describes functionality not -yet implemented in the main version of Samba. +This program is part of the Sambasuite. .PP \fBwinbindd\fR is a daemon that provides a service for the Name Service Switch capability that is present @@ -237,18 +236,15 @@ Now replace the account lines with this: \fBaccount required /lib/security/pam_winbind.so \fR.PP The next step is to join the domain. To do that use the -\fBsamedit\fR program like this: +\fBsmbpasswd\fR program like this: .PP -\fBsamedit -S '*' -W DOMAIN -UAdministrator\fR +\fBsmbpasswd -j DOMAIN -r PDC -U +Administrator\fR .PP -The username after the \fI-U\fR can be any Domain -user that has administrator privileges on the machine. Next from -within \fBsamedit\fR, run the command: -.PP -\fBcreateuser MACHINE$ -j DOMAIN -L\fR -.PP -This assumes your domain is called "DOMAIN" and your Samba -workstation is called "MACHINE". +The username after the \fI-U\fR can be any +Domain user that has administrator privileges on the machine. +Substitute your domain name for "DOMAIN" and the name of your PDC +for "PDC". .PP Next copy \fIlibnss_winbind.so\fR to \fI/lib\fR and \fIpam_winbind.so\fR 
@@ -295,7 +291,7 @@ on startup and when a SIGHUP is received. Thus, for a running \fB winbindd\fR to servers, it must be sent a SIGHUP signal. .PP Client processes resolving names through the \fBwinbindd\fR -nsswitch module read an environment variable named \fI $WINBINDD_DOMAIN\fR. If this variable contains a comma separated +nsswitch module read an environment variable named \fB $WINBINDD_DOMAIN\fR. If this variable contains a comma separated list of Windows NT domain names, then winbindd will only resolve users and groups within those Windows NT domains. .PP @@ -348,7 +344,7 @@ Implementation of name service switch library. \fB$LOCKDIR/winbindd_idmap.tdb\fR Storage for the Windows NT rid to UNIX user/group id mapping. The lock directory is specified when Samba is initially -compiled using the \fI--with-lockdir\fR option. +compiled using the \fI--with-lockdir\fR option. This directory is by default \fI/usr/local/samba/var/locks \fR\&. .TP @@ -356,9 +352,8 @@ This directory is by default \fI/usr/local/samba/var/locks Storage for cached user and group information. .SH "VERSION" .PP -This man page is correct for version 2.2 of -the Samba suite. winbindd is however not available in -the stable release of Samba as of yet. +This man page is correct for version 2.2 of +the Samba suite. .SH "SEE ALSO" .PP \fInsswitch.conf(5)\fR, -- cgit v1.2.1
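Review bot: typos and a missing stop in the new ssl entropy parameters of the smb.conf.5 hunk at @@ -6142,17 +6306,55 @@: `communiation socket` should read `communication socket`, `read from the \fIssl entropy file\fR If a -1 is specified` needs a period before `If`, and in the continuation `On system with a` should be `On systems with a` with `the processes will retrieve its entropy` becoming `their entropy`. The `ssl entropy file` text should also say what makes the file a usable seed: a fixed file re-read unchanged on every startup seeds the PRNG with the same bytes each time, so state that the file must be unreadable to other users and refreshed between starts rather than left static. The rewritten `ssl compatibility` sentence carries over the claim `currently no clients with SSL implementations other than OpenSSL exist`, which was written about SSLeay; check that it still holds before keeping it.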
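Review bot: the bold warning at the end of the new `use client driver` entry in the smb.conf.5 hunk at @@ -6489,6 +6661,38 @@ is garbled exactly where it matters: `This parameter MUST not be able enabled on a print share which has valid print driver installed` should read `This parameter MUST NOT be enabled on a print share which has a valid print driver installed`. Since the option maps every OpenPrinterEx() request for PRINTER_ACCESS_ADMINISTER to PRINTER_ACCESS_USE, the entry should spell out that a client asking for administrative access receives only use access on that handle, which is why it is only safe where no driver is served. Smaller fixes in the same hunk: `no affect` -> `no effect`, `treat the print as a local printer` -> `treat the printer as a local printer`, `administator` -> `administrator`, `privilegde` -> `privilege`, and `See also disable spoolss` needs the same `\fI...\fR` markup and a period as the other cross references.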
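Review bot: the context line at the top of the winbind enum hunk in smb.conf.5 (@@ -6888,10 +7090,42 @@) shows `Default: \fBwinbind cache type = 15\fR` for a parameter named `winbind cache time`; fix the name while this entry is being edited. In the new entries, `winbindd(8)it may be` is missing a space before `it`, both `Default:` lines carry a trailing space inside `\fB...\fR`, and the users entry writes `the \fBgetpwent\fR system call` while the groups entry writes `\fBgetgrent()\fR`; use one form.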
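Review bot: the `winbind uid` entry in the smb.conf.5 hunk at @@ -6916,9 +7147,6 @@ still describes the wrong parameter in its context lines: `The winbind gid parameter specifies the range of group ids` appears directly under `winbind uid`, while the rest of the sentence talks about NIS users. Since the hunk already touches this entry, change it to `The winbind uid parameter specifies the range of user ids`.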
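Review bot: the new `close-share` paragraph in the smbcontrol.1 hunk at @@ -84,6 +84,11 @@ should say what happens to clients currently connected to that share (whether their open files are forced closed and whether they can simply reconnect), because the stated use case, applying changed access controls, only works if the sessions already holding the share are actually torn down and re-evaluated.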
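Review bot: the smbd.8 hunk at @@ -445,10 +445,10 @@ replaces the SIGUSR1/SIGUSR2 description with a pointer to smbcontrol(1), but the trailing context line `Note that as the signal handlers send a debug write,` still belongs to the old mechanism and should be reworded or dropped with it; also `using \fBsmbcontrol(1)\fRprogram` is missing `the` and a space before `program`.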
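Review bot: the setuid paragraph in the smbmnt.8 hunk at @@ -13,14 +13,18 @@ reads awkwardly and should make the check explicit: `A setuid smbmnt will only allow mounts on directories owned by the user, and that the user has write permission on` -> `A setuid smbmnt only allows a mount on a directory that the invoking user owns and has write permission on`. The PATH note that follows should add that smbmnt is the privileged part, so the copy found on PATH must be the one installed in a system directory, not a stray build in a user-writable location.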
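Review bot: in the smbmount.8 BUGS hunk at @@ -160,19 +163,26 @@, `can not be handled` should be `cannot be handled` and `in the PASSWD environment` should be `in the PASSWD environment variable`; since this hunk steers users toward the credentials file as the alternative to a comma-containing password, the sentence should also note that the file holds the password in clear text and must not be readable by other users.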
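Review bot: minor fixes in the smbmount.8 SEE ALSO hunk at @@ -182,8 +192,15 @@: `FreeBSD also has a smbfs, but it is not related to smbmount` needs a period, `linux kernel` -> `Linux kernel`, and `a NFS server` -> `an NFS server`.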
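Review bot: the synopsis in the smbpasswd.8 hunk at @@ -3,12 +3,12 @@ now advertises `-U username[%password]`, but the hunk adds no matching text under OPTIONS; the `-U` description should document the `%password` form and warn that a password supplied as a command-line argument is visible to other local users in the process list, so it belongs only in scripts where prompting is impossible.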
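Review bot: the domain-join command in the winbindd.8 hunk at @@ -237,18 +236,15 @@ is broken across two lines inside the bold markup (`-U` then `+Administrator`), which renders in nroff but reads as two tokens in the source; keep `smbpasswd -j DOMAIN -r PDC -U Administrator` on one line. The sentence `can be any Domain user that has administrator privileges on the machine` is ambiguous now that the join goes through `-r PDC`: say which machine is meant, the PDC or the Samba host.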
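Review bot: the winbindd.8 hunk at @@ -295,7 +291,7 @@ only swaps `\fI` for `\fB` and keeps the stray leading space inside the markup, `\fB $WINBINDD_DOMAIN\fR`; drop the space so the variable renders without a gap after the bold start.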