[PATCH 1/2] doc: remove outdate Samba3-ByExample

Björn Jacke bj at sernet.de
Fri Jan 31 15:20:32 MST 2014


our users expect the documentation to be correct but this one is completely
outdated and it is less than helpful for people who look for help for recent
samba versions as we can see on the samba mailing list recently.

Signed-off-by: Bjoern Jacke <bj at sernet.de>
---
 docs-xml/Makefile                                  |    2 -
 docs-xml/Samba3-ByExample/SBE-2000UserNetwork.xml  | 1635 ----
 docs-xml/Samba3-ByExample/SBE-500UserNetwork.xml   | 2012 -----
 .../Samba3-ByExample/SBE-AddingUNIXClients.xml     | 2865 ------
 docs-xml/Samba3-ByExample/SBE-Appendix1.xml        | 1622 ----
 docs-xml/Samba3-ByExample/SBE-Appendix2.xml        | 1283 ---
 .../Samba3-ByExample/SBE-DomainAppsSupport.xml     |  918 --
 docs-xml/Samba3-ByExample/SBE-HighAvailability.xml |  701 --
 .../Samba3-ByExample/SBE-KerberosFastStart.xml     | 2073 -----
 docs-xml/Samba3-ByExample/SBE-MakingHappyUsers.xml | 4518 ----------
 docs-xml/Samba3-ByExample/SBE-MigrateNT4Samba3.xml | 1787 ----
 docs-xml/Samba3-ByExample/SBE-MigrateNW4Samba3.xml | 1798 ----
 .../Samba3-ByExample/SBE-SecureOfficeServer.xml    | 2693 ------
 .../Samba3-ByExample/SBE-SimpleOfficeServer.xml    | 1589 ----
 docs-xml/Samba3-ByExample/SBE-Support.xml          |  163 -
 docs-xml/Samba3-ByExample/SBE-TheSmallOffice.xml   | 1260 ---
 docs-xml/Samba3-ByExample/SBE-UpgradingSamba.xml   | 1249 ---
 docs-xml/Samba3-ByExample/SBE-acknowledgements.xml |   53 -
 docs-xml/Samba3-ByExample/SBE-foreword.xml         |   88 -
 docs-xml/Samba3-ByExample/SBE-front-matter.xml     |   11 -
 docs-xml/Samba3-ByExample/SBE-glossary.xml         |  258 -
 docs-xml/Samba3-ByExample/SBE-inside-cover.xml     |   44 -
 docs-xml/Samba3-ByExample/SBE-preface.xml          |  609 --
 docs-xml/Samba3-ByExample/conventions.xml          |   60 -
 docs-xml/Samba3-ByExample/gpl-3.0.xml              |  836 --
 docs-xml/Samba3-ByExample/gpl.xml                  |  425 -
 .../Samba3-ByExample/images/AccountingNetwork.svg  | 1588 ----
 .../Samba3-ByExample/images/Charity-Network.svg    | 1039 ---
 .../images/Domain-WorkgroupAnnouncement.png        |  Bin 37482 -> 0 bytes
 .../Samba3-ByExample/images/HostAnnouncment.png    |  Bin 38156 -> 0 bytes
 .../images/LocalMasterAnnouncement.png             |  Bin 38525 -> 0 bytes
 docs-xml/Samba3-ByExample/images/NullConnect.png   |  Bin 21931 -> 0 bytes
 .../images/UNIX-Samba-and-LDAP.svg                 |  312 -
 docs-xml/Samba3-ByExample/images/UserConnect.png   |  Bin 22583 -> 0 bytes
 docs-xml/Samba3-ByExample/images/UserMgrNT4.png    |  Bin 31074 -> 0 bytes
 .../images/WINREPRESSME-Capture.png                |  Bin 57046 -> 0 bytes
 .../images/WINREPRESSME-Capture2.png               |  Bin 50864 -> 0 bytes
 ...-ME-WINEPRESSME-Startup-30min-ProtocolStats.png |  Bin 6460 -> 0 bytes
 ...ows-ME-WINEPRESSME-Startup-30min-TraceStats.png |  Bin 8005 -> 0 bytes
 .../images/WindowsXP-NullConnection.png            |  Bin 23120 -> 0 bytes
 .../images/WindowsXP-UserConnection.png            |  Bin 24505 -> 0 bytes
 docs-xml/Samba3-ByExample/images/XP-screen001.png  |  Bin 14290 -> 0 bytes
 docs-xml/Samba3-ByExample/images/acct2net.svg      | 1901 ----
 .../images/ch7-dual-additive-LDAP-Ok.svg           |  143 -
 .../images/ch7-dual-additive-LDAP.svg              |  153 -
 .../Samba3-ByExample/images/ch7-fail-overLDAP.svg  |  120 -
 .../Samba3-ByExample/images/ch7-singleLDAP.svg     |   73 -
 docs-xml/Samba3-ByExample/images/ch8-migration.svg |  767 --
 docs-xml/Samba3-ByExample/images/chap4-net.svg     | 2148 -----
 docs-xml/Samba3-ByExample/images/chap5-net.svg     | 3668 --------
 docs-xml/Samba3-ByExample/images/chap6-net.svg     | 3714 --------
 docs-xml/Samba3-ByExample/images/chap7-idresol.svg |  514 --
 docs-xml/Samba3-ByExample/images/chap7-net-A.svg   | 9436 --------------------
 docs-xml/Samba3-ByExample/images/chap7-net-Ar.png  |  Bin 97993 -> 0 bytes
 docs-xml/Samba3-ByExample/images/chap7-net.svg     | 9010 -------------------
 docs-xml/Samba3-ByExample/images/chap7-net2-B.svg  | 9085 -------------------
 docs-xml/Samba3-ByExample/images/chap7-net2-Br.png |  Bin 99789 -> 0 bytes
 docs-xml/Samba3-ByExample/images/chap7-net2.svg    | 9075 -------------------
 docs-xml/Samba3-ByExample/images/chap7-net2r.png   |  Bin 95770 -> 0 bytes
 docs-xml/Samba3-ByExample/images/chap7-netr.png    |  Bin 84215 -> 0 bytes
 docs-xml/Samba3-ByExample/images/chap9-ADSDC.svg   | 1321 ---
 docs-xml/Samba3-ByExample/images/chap9-SambaDC.svg | 1443 ---
 .../Samba3-ByExample/images/imc-usermanager2.png   |  Bin 91149 -> 0 bytes
 docs-xml/Samba3-ByExample/images/lam-config.png    |  Bin 73791 -> 0 bytes
 .../Samba3-ByExample/images/lam-group-members.png  |  Bin 82762 -> 0 bytes
 docs-xml/Samba3-ByExample/images/lam-groups.png    |  Bin 94035 -> 0 bytes
 docs-xml/Samba3-ByExample/images/lam-hosts.png     |  Bin 86779 -> 0 bytes
 docs-xml/Samba3-ByExample/images/lam-login.png     |  Bin 86345 -> 0 bytes
 docs-xml/Samba3-ByExample/images/lam-users.png     |  Bin 102751 -> 0 bytes
 docs-xml/Samba3-ByExample/images/openmag.png       |  Bin 18146 -> 0 bytes
 docs-xml/Samba3-ByExample/images/wxpp001.png       |  Bin 31712 -> 0 bytes
 docs-xml/Samba3-ByExample/images/wxpp004.png       |  Bin 29694 -> 0 bytes
 docs-xml/Samba3-ByExample/images/wxpp006.png       |  Bin 12651 -> 0 bytes
 docs-xml/Samba3-ByExample/images/wxpp007.png       |  Bin 12781 -> 0 bytes
 docs-xml/Samba3-ByExample/images/wxpp008.png       |  Bin 19550 -> 0 bytes
 docs-xml/Samba3-ByExample/images/wxpp010.png       |  Bin 19725 -> 0 bytes
 docs-xml/Samba3-ByExample/images/wxpp011.png       |  Bin 8579 -> 0 bytes
 docs-xml/Samba3-ByExample/images/wxpp012.png       |  Bin 8918 -> 0 bytes
 docs-xml/Samba3-ByExample/images/wxpp013.png       |  Bin 30107 -> 0 bytes
 docs-xml/Samba3-ByExample/images/wxpp015.png       |  Bin 9713 -> 0 bytes
 docs-xml/Samba3-ByExample/index.xml                |  153 -
 docs-xml/build/catalog.xml.in                      |    3 -
 82 files changed, 86218 deletions(-)
 delete mode 100644 docs-xml/Samba3-ByExample/SBE-2000UserNetwork.xml
 delete mode 100644 docs-xml/Samba3-ByExample/SBE-500UserNetwork.xml
 delete mode 100644 docs-xml/Samba3-ByExample/SBE-AddingUNIXClients.xml
 delete mode 100644 docs-xml/Samba3-ByExample/SBE-Appendix1.xml
 delete mode 100644 docs-xml/Samba3-ByExample/SBE-Appendix2.xml
 delete mode 100644 docs-xml/Samba3-ByExample/SBE-DomainAppsSupport.xml
 delete mode 100644 docs-xml/Samba3-ByExample/SBE-HighAvailability.xml
 delete mode 100644 docs-xml/Samba3-ByExample/SBE-KerberosFastStart.xml
 delete mode 100644 docs-xml/Samba3-ByExample/SBE-MakingHappyUsers.xml
 delete mode 100644 docs-xml/Samba3-ByExample/SBE-MigrateNT4Samba3.xml
 delete mode 100644 docs-xml/Samba3-ByExample/SBE-MigrateNW4Samba3.xml
 delete mode 100644 docs-xml/Samba3-ByExample/SBE-SecureOfficeServer.xml
 delete mode 100644 docs-xml/Samba3-ByExample/SBE-SimpleOfficeServer.xml
 delete mode 100644 docs-xml/Samba3-ByExample/SBE-Support.xml
 delete mode 100644 docs-xml/Samba3-ByExample/SBE-TheSmallOffice.xml
 delete mode 100644 docs-xml/Samba3-ByExample/SBE-UpgradingSamba.xml
 delete mode 100644 docs-xml/Samba3-ByExample/SBE-acknowledgements.xml
 delete mode 100644 docs-xml/Samba3-ByExample/SBE-foreword.xml
 delete mode 100644 docs-xml/Samba3-ByExample/SBE-front-matter.xml
 delete mode 100644 docs-xml/Samba3-ByExample/SBE-glossary.xml
 delete mode 100644 docs-xml/Samba3-ByExample/SBE-inside-cover.xml
 delete mode 100644 docs-xml/Samba3-ByExample/SBE-preface.xml
 delete mode 100644 docs-xml/Samba3-ByExample/conventions.xml
 delete mode 100644 docs-xml/Samba3-ByExample/gpl-3.0.xml
 delete mode 100644 docs-xml/Samba3-ByExample/gpl.xml
 delete mode 100644 docs-xml/Samba3-ByExample/images/AccountingNetwork.svg
 delete mode 100644 docs-xml/Samba3-ByExample/images/Charity-Network.svg
 delete mode 100644 docs-xml/Samba3-ByExample/images/Domain-WorkgroupAnnouncement.png
 delete mode 100644 docs-xml/Samba3-ByExample/images/HostAnnouncment.png
 delete mode 100644 docs-xml/Samba3-ByExample/images/LocalMasterAnnouncement.png
 delete mode 100644 docs-xml/Samba3-ByExample/images/NullConnect.png
 delete mode 100644 docs-xml/Samba3-ByExample/images/UNIX-Samba-and-LDAP.svg
 delete mode 100644 docs-xml/Samba3-ByExample/images/UserConnect.png
 delete mode 100644 docs-xml/Samba3-ByExample/images/UserMgrNT4.png
 delete mode 100644 docs-xml/Samba3-ByExample/images/WINREPRESSME-Capture.png
 delete mode 100644 docs-xml/Samba3-ByExample/images/WINREPRESSME-Capture2.png
 delete mode 100644 docs-xml/Samba3-ByExample/images/Windows-ME-WINEPRESSME-Startup-30min-ProtocolStats.png
 delete mode 100644 docs-xml/Samba3-ByExample/images/Windows-ME-WINEPRESSME-Startup-30min-TraceStats.png
 delete mode 100644 docs-xml/Samba3-ByExample/images/WindowsXP-NullConnection.png
 delete mode 100644 docs-xml/Samba3-ByExample/images/WindowsXP-UserConnection.png
 delete mode 100644 docs-xml/Samba3-ByExample/images/XP-screen001.png
 delete mode 100644 docs-xml/Samba3-ByExample/images/acct2net.svg
 delete mode 100644 docs-xml/Samba3-ByExample/images/ch7-dual-additive-LDAP-Ok.svg
 delete mode 100644 docs-xml/Samba3-ByExample/images/ch7-dual-additive-LDAP.svg
 delete mode 100644 docs-xml/Samba3-ByExample/images/ch7-fail-overLDAP.svg
 delete mode 100644 docs-xml/Samba3-ByExample/images/ch7-singleLDAP.svg
 delete mode 100644 docs-xml/Samba3-ByExample/images/ch8-migration.svg
 delete mode 100644 docs-xml/Samba3-ByExample/images/chap4-net.svg
 delete mode 100644 docs-xml/Samba3-ByExample/images/chap5-net.svg
 delete mode 100644 docs-xml/Samba3-ByExample/images/chap6-net.svg
 delete mode 100644 docs-xml/Samba3-ByExample/images/chap7-idresol.svg
 delete mode 100644 docs-xml/Samba3-ByExample/images/chap7-net-A.svg
 delete mode 100644 docs-xml/Samba3-ByExample/images/chap7-net-Ar.png
 delete mode 100644 docs-xml/Samba3-ByExample/images/chap7-net.svg
 delete mode 100644 docs-xml/Samba3-ByExample/images/chap7-net2-B.svg
 delete mode 100644 docs-xml/Samba3-ByExample/images/chap7-net2-Br.png
 delete mode 100644 docs-xml/Samba3-ByExample/images/chap7-net2.svg
 delete mode 100644 docs-xml/Samba3-ByExample/images/chap7-net2r.png
 delete mode 100644 docs-xml/Samba3-ByExample/images/chap7-netr.png
 delete mode 100644 docs-xml/Samba3-ByExample/images/chap9-ADSDC.svg
 delete mode 100644 docs-xml/Samba3-ByExample/images/chap9-SambaDC.svg
 delete mode 100644 docs-xml/Samba3-ByExample/images/imc-usermanager2.png
 delete mode 100644 docs-xml/Samba3-ByExample/images/lam-config.png
 delete mode 100644 docs-xml/Samba3-ByExample/images/lam-group-members.png
 delete mode 100644 docs-xml/Samba3-ByExample/images/lam-groups.png
 delete mode 100644 docs-xml/Samba3-ByExample/images/lam-hosts.png
 delete mode 100644 docs-xml/Samba3-ByExample/images/lam-login.png
 delete mode 100644 docs-xml/Samba3-ByExample/images/lam-users.png
 delete mode 100644 docs-xml/Samba3-ByExample/images/openmag.png
 delete mode 100644 docs-xml/Samba3-ByExample/images/wxpp001.png
 delete mode 100644 docs-xml/Samba3-ByExample/images/wxpp004.png
 delete mode 100644 docs-xml/Samba3-ByExample/images/wxpp006.png
 delete mode 100644 docs-xml/Samba3-ByExample/images/wxpp007.png
 delete mode 100644 docs-xml/Samba3-ByExample/images/wxpp008.png
 delete mode 100644 docs-xml/Samba3-ByExample/images/wxpp010.png
 delete mode 100644 docs-xml/Samba3-ByExample/images/wxpp011.png
 delete mode 100644 docs-xml/Samba3-ByExample/images/wxpp012.png
 delete mode 100644 docs-xml/Samba3-ByExample/images/wxpp013.png
 delete mode 100644 docs-xml/Samba3-ByExample/images/wxpp015.png
 delete mode 100644 docs-xml/Samba3-ByExample/index.xml

diff --git a/docs-xml/Makefile b/docs-xml/Makefile
index d9ae92b..40ff228 100644
--- a/docs-xml/Makefile
+++ b/docs-xml/Makefile
@@ -39,7 +39,6 @@ help:
 	@echo " htmlman - Build HTML version of manpages"
 	@echo " samples - Extract examples"
 
-$(PDFDIR)/Samba3-ByExample.pdf $(PSDIR)/Samba3-ByExample.ps $(DOCBOOKDIR)/Samba3-ByExample.xml Samba3-ByExample.tex: $(wildcard Samba3-ByExample/*.xml)
 $(PDFDIR)/Samba3-HOWTO.pdf $(PSDIR)/Samba3-HOWTO.ps Samba3-HOWTO.tex $(DOCBOOKDIR)/Samba3-HOWTO.xml: $(wildcard Samba3-HOWTO/*.xml) Samba3-HOWTO-attributions.xml
 Samba3-HOWTO/manpages.xml: $(MANPAGEDIR)/smb.conf.5.xml
 $(PDFDIR)/Samba3-Developers-Guide.pdf $(PSDIR)/Samba3-Developers-Guide.ps $(DOCBOOKDIR)/Samba3-Developers-Guide.xml Samba3-Developers-Guide.tex: $(wildcard Samba3-Developers-Guide/*.xml) Samba3-Developers-Guide-attributions.xml
@@ -262,7 +261,6 @@ samples: $(DOCBOOKDIR)/Samba3-HOWTO.xml xslt/extract-examples.xsl scripts/indent
 archive: pdf
 	@mkdir -p $(ARCHIVEDIR)
 	cp $(PDFDIR)/Samba3-HOWTO.pdf $(ARCHIVEDIR)/TOSHARG-$(DATETIME).pdf
-	cp $(PDFDIR)/Samba3-ByExample.pdf $(ARCHIVEDIR)/S3bE-$(DATETIME).pdf
 
 # XSL scripts
 xslt/html.xsl: xslt/html-common.xsl 
diff --git a/docs-xml/Samba3-ByExample/SBE-2000UserNetwork.xml b/docs-xml/Samba3-ByExample/SBE-2000UserNetwork.xml
deleted file mode 100644
index e0c3c7c..0000000
--- a/docs-xml/Samba3-ByExample/SBE-2000UserNetwork.xml
+++ /dev/null
@@ -1,1635 +0,0 @@
-<?xml version="1.0" encoding="iso-8859-1"?>
-<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
-<chapter id="net2000users">
-  <title>A Distributed 2000-User Network</title>
-
-<para>
-There is something indeed mystical about things that are
-big. Large networks exhibit a certain magnetism and exude a sense of
-importance that obscures reality. You and I know that it is no more
-difficult to secure a large network than it is a small one. We all
-know that over and above a particular number of network clients, the
-rules no longer change; the only real dynamic is the size of the domain
-(much like a kingdom) over which the network ruler (oops, administrator)
-has control. The real dynamic then transforms from the technical to the
-political. Then again, that point is often reached well before the
-kingdom (or queendom) grows large.
-</para>
-
-<para>
-If you have systematically worked your way to this chapter, hopefully you
-have found some gems and techniques that are applicable in your
-world. The network designs you have worked with in this book have their
-strong points as well as weak ones. That is to be expected given that
-they are based on real business environments, the specifics of which are
-molded to serve the purposes of this book.
-</para>
-
-<para>
-This chapter is intent on wrapping up issues that are central to
-implementation and design of progressively larger networks. Are you ready
-for this chapter? Good, it is time to move on.
-</para>
-
-<para>
-In previous chapters, you made the assumption that your network
-administration staff need detailed instruction right down to the
-nuts and bolts of implementing the solution. That is still the case,
-but they have graduated now. You decide to document only those issues,
-methods, and techniques that are new or complex. Routine tasks such as
-implementing a DNS or a DHCP server are under control. Even the basics of
-Samba are largely under control. So in this section you focus on the
-specifics of implementing LDAP changes, Samba changes, and approach and
-design of the solution and its deployment.
-</para>
-
-<sect1>
-<title>Introduction</title>
-
-<para>
-Abmas is a miracle company. Most businesses would have collapsed under
-the weight of rapid expansion that this company has experienced. Samba 
-is flexible, so there is no need to reinstall the whole operating 
-system just because you need to implement a new network design. In fact, 
-you can keep an old server running right up to the moment of cutover 
-and then do a near-live conversion. There is no need to reinstall a 
-Samba server just to change the way your network should function.
-</para>
-
-<para>
-<indexterm><primary>LDAP</primary></indexterm>
-Network growth is common to all organizations. In this exercise,
-your preoccupation is with the mechanics of implementing Samba and
-LDAP so that network users on each network segment can work
-without impediment.
-</para>
-
-	<sect2>
-	<title>Assignment Tasks</title>
-
-	<para>
-	Starting with the configuration files for the server called
-	<constant>MASSIVE</constant> in <link linkend="happy"/>, you now deal with the
-	issues that are particular to large distributed networks. Your task
-	is simple &smbmdash; identify the challenges, consider the 
-	alternatives, and then design and implement a solution.
-	</para>
-
-	<para>
-	<indexterm><primary>VPN</primary></indexterm>
-	Remember, you have users based in London (UK), Los Angeles,
-	Washington. DC, and, three buildings in New York. A significant portion
-	of your workforce have notebook computers and roam all over the
-	world. Some dial into the office, others use VPN connections over the
-	Internet, and others just move between buildings.i
-	</para>
-
-	<para>
-	What do you say to an employee who normally uses a desktop
-	system but must spend six weeks on the road with a notebook computer?
-	She is concerned about email access and how to keep coworkers current
-	with changing documents.
-	</para>
-
-		<para>
-	To top it all off, you have one network support person and one 
-	help desk person based in London, a single person dedicated to all 
-	network operations in Los Angeles, five staff for user administration 
-	and help desk in New York, plus one <emphasis>floater</emphasis> for 
-	Washington.
-	</para>
-
-		<para>
-	You have outsourced all desktop deployment and management to
-	DirectPointe. Your concern is server maintenance and third-level
-	support. Build a plan and show what must be done.
-	</para>
-
-	</sect2>
-</sect1>
-
-<sect1>
-<title>Dissection and Discussion</title>
-
-<para>
-<indexterm><primary>passdb backend</primary></indexterm>
-<indexterm><primary>LDAP</primary></indexterm>
-In <link linkend="happy"/>, you implemented an LDAP server that provided the
-<parameter>passdb backend</parameter> for the Samba servers. You
-explored ways to accelerate Windows desktop profile handling and you
-took control of network performance.
-</para>
-
-<para>
-<indexterm><primary>ldapsam</primary></indexterm>
-<indexterm><primary>tdbsam</primary></indexterm>
-<indexterm><primary>smbpasswd</primary></indexterm>
-<indexterm><primary>replicated</primary></indexterm>
-The implementation of an LDAP-based passdb backend (known as
-<emphasis>ldapsam</emphasis> in Samba parlance), or some form of database
-that can be distributed, is essential to permit the deployment of Samba
-Primary and Backup Domain Controllers (PDC/BDCs). You see, the problem
-is that the <emphasis>tdbsam</emphasis>-style passdb backend does not
-lend itself to being replicated. The older plain-text-based
-<emphasis>smbpasswd</emphasis>-style passdb backend can be replicated
-using a tool such as <command>rsync</command>, but
-<emphasis>smbpasswd</emphasis> suffers the drawback that it does not
-support the range of account facilities demanded by modern network
-managers.
-</para>
-
-<para>
-<indexterm><primary>XML</primary></indexterm>
-<indexterm><primary>SQL</primary></indexterm>
-The new <emphasis>tdbsam</emphasis> facility supports functionality
-that is similar to an <emphasis>ldapsam</emphasis>, but the lack of
-distributed infrastructure sorely limits the scope for its
-deployment. This raises the following questions: Why can't I just use
-an XML-based backend, or for that matter, why not use an SQL-based
-backend? Is support for these tools broken? Answers to these
-questions require a bit of background.</para>
-
-<para>
-<indexterm><primary>directory</primary></indexterm>
-<indexterm><primary>database</primary></indexterm>
-<indexterm><primary>transaction processing</primary></indexterm>
-<indexterm><primary>LDAP</primary></indexterm>
-<emphasis>What is a directory?</emphasis> A directory is a
-collection of information regarding objects that can be accessed to
-rapidly find information that is relevant in a particular and
-consistent manner. A directory differs from a database in that it is
-generally more often searched (read) than updated. As a consequence, the
-information is organized to facilitate read access rather than to
-support transaction processing.</para>
-
-<para>
-<indexterm><primary>Lightweight Directory Access Protocol</primary><see>LDAP</see></indexterm>
-<indexterm><primary>LDAP</primary></indexterm>
-<indexterm><primary>master</primary></indexterm>
-<indexterm><primary>slave</primary></indexterm>
-The Lightweight Directory Access Protocol (LDAP) differs
-considerably from a traditional database. It has a simple search
-facility that uniquely makes a highly preferred mechanism for managing
-user identities. LDAP provides a scalable mechanism for distributing
-the data repository and for keeping all copies (slaves) in sync with
-the master repository.</para>
-
-<para>
-<indexterm><primary>identity management</primary></indexterm>
-<indexterm><primary>Active Directory</primary></indexterm>
-<indexterm><primary>OpenLDAP</primary></indexterm>
-Samba is a flexible and powerful file and print sharing
-technology. It can use many external authentication sources and can be
-part of a total authentication and identity management
-infrastructure. The two most important external sources for large sites
-are Microsoft Active Directory and LDAP. Sites that specifically wish to
-avoid the proprietary implications of Microsoft Active Directory
-naturally gravitate toward OpenLDAP.</para>
-
-<para>
-<indexterm><primary>network</primary><secondary>routed</secondary></indexterm>
-In <link linkend="happy"/>, you had to deal with a locally routed
-network. All deployment concerns focused around making users happy,
-and that simply means taking control over all network practices and
-usage so that no one user is disadvantaged by any other. The real
-lesson is one of understanding that no matter how much network
-bandwidth you provide, bandwidth remains a precious resource.</para>
-
-<para>In this chapter, you must now consider how the overall network must
-function. In particular, you must be concerned with users who move
-between offices. You must take into account the way users need to
-access information globally. And you must make the network robust
-enough so that it can sustain partial breakdown without causing loss of
-productivity.</para>
-
-	<sect2>
-	<title>Technical Issues</title>
-
-	<para>
-	There are at least three areas that need to be addressed as you
-	approach the challenge of designing a network solution for the newly
-	expanded business:
-	</para>
-
-	<itemizedlist>
-		<listitem><para><indexterm><primary>mobility</primary></indexterm>
-		User needs such as mobility and data access</para></listitem>
-
-		<listitem><para>The nature of Windows networking protocols</para></listitem>
-
-		<listitem><para>Identity management infrastructure needs</para></listitem>
-	</itemizedlist>
-
-	<para>Let's look at each in turn.</para>
-
-	<sect3>
-	  <title>User Needs</title>
-
-	<para>
-	The new company has three divisions. Staff for each division are spread across
-	the company. Some staff are office-bound and some are mobile users. Mobile
-	users travel globally. Some spend considerable periods working in other offices.
-	Everyone wants to be able to work without constraint of productivity.
-	</para> 
-
-	<para>
-	The challenge is not insignificant. In some parts of the world, even dial-up
-	connectivity is poor, while in other regions political encumbrances severely
-	curtail user needs. Parts of the global Internet infrastructure remain shielded
-	off for reasons outside the scope of this discussion.
-	</para>
-
-	<para>
-	<indexterm><primary>synchronize</primary></indexterm>
-	Decisions must be made regarding where data is to be stored, how it will be
-	replicated (if at all), and what the network bandwidth implications are. For
-	example, one decision that can be made is to give each office its own master
-	file storage area that can be synchronized to a central repository in New
-	York. This would permit global data to be backed up from a single location.
-	The synchronization tool could be <command>rsync,</command> run via a cron
-	job. Mobile users may use off-line file storage under Windows XP Professional.
-	This way, they can synchronize all files that have changed since each logon
-	to the network.
-	</para>
-
-	<para>
-	<indexterm><primary>bandwidth</primary><secondary>requirements</secondary></indexterm>
-	<indexterm><primary>roaming profile</primary></indexterm>
-	No matter which way you look at this, the bandwidth requirements
-	for acceptable performance are substantial even if only 10 percent of
-	staff are global data users. A company with 3,500 employees,
-	280 of whom are mobile users who use a similarly distributed
-	network, found they needed at least 2 Mb/sec connectivity
-	between the UK and US offices. Even over 2 Mb/sec bandwidth, this
-	company abandoned any attempt to run roaming profile usage for
-	mobile users. At that time, the average roaming profile took 480
-	KB, while today the minimum Windows XP Professional roaming
-	profile involves a transfer of over 750 KB from the profile
-	server to and from the client.
-	</para>
-
-	<para>
-	<indexterm><primary>wide-area</primary></indexterm>
-	Obviously then, user needs and wide-area practicalities dictate the economic and
-	technical aspects of your network design as well as for standard operating procedures.
-	</para>
-
-	</sect3>
-
-	<sect3>
-	  <title>The Nature of Windows Networking Protocols</title>
-
-	<para>
-	<indexterm><primary>profile</primary><secondary>mandatory</secondary></indexterm>
-	Network logons that include roaming profile handling requires from 140 KB to 2 MB.
-	The inclusion of support for a minimal set of common desktop applications can push
-	the size of a complete profile to over 15 MB. This has substantial implications
-	for location of user profiles. Additionally, it is a significant factor in
-	determining the nature and style of mandatory profiles that may be enforced as
-	part of a total service-level assurance program that might be implemented.
-	</para>
-
-	<para>
-	<indexterm><primary>logon traffic</primary></indexterm>
-	<indexterm><primary>redirected folders</primary></indexterm>
-	One way to reduce the network bandwidth impact of user logon
-	traffic is through folder redirection. In <link linkend="happy"/>, you
-	implemented this in the new Windows XP Professional standard
-	desktop configuration. When desktop folders such as <guimenu>My
-	Documents</guimenu> are redirected to a network drive, they should
-	also be excluded from synchronization to and from the server on
-	logon or logout. Redirected folders are analogous to network drive
-	connections.
-	</para>
-
-	<para><indexterm><primary>application servers</primary></indexterm>
-	Of course, network applications should only be run off
-	local application servers. As a general rule, even with 2 Mb/sec
-	network bandwidth, it would not make sense at all for someone who
-	is working out of the London office to run applications off a
-	server that is located in New York.
-	</para>
-
-	<para>
-	<indexterm><primary>affordability</primary></indexterm>
-	When network bandwidth becomes a precious commodity (that is most
-	of the time), there is a significant demand to understand network
-	processes and to mold the limits of acceptability around the
-	constraints of affordability.
-	</para>
-
-	<para>
-	When a Windows NT4/200x/XP Professional client user logs onto
-	the network, several important things must happen.
-	</para>
-
-	<itemizedlist>
-		<listitem><para>
-		<indexterm><primary>DHCP</primary></indexterm>
-		The client obtains an IP address via DHCP. (DHCP is
-		necessary so that users can roam between offices.)
-		</para></listitem>
-
-		<listitem><para>
-		<indexterm><primary>WINS</primary></indexterm>
-		<indexterm><primary>DNS</primary></indexterm>
-		The client must register itself with the WINS and/or DNS server.
-		</para></listitem>
-
-		<listitem><para>
-		<indexterm><primary>Domain Controller</primary><secondary>closest</secondary></indexterm>
-		The client must locate the closest domain controller.
-		</para></listitem>
-
-		<listitem><para>
-		The client must log onto a domain controller and obtain as part of
-		that process the location of the user's profile, load it, connect to
-		redirected folders, and establish all network drive and printer connections.
-		</para></listitem>
-
-		<listitem><para>
-		The domain controller must be able to resolve the user's
-		credentials before the logon process is fully implemented.
-		</para></listitem>
-	</itemizedlist>
-
-	<para>
-	Given that this book is about Samba and that it implements the Windows
-	NT4-style domain semantics, it makes little sense to compare Samba with
-	Microsoft Active Directory insofar as the logon protocols and principles
-	of operation are concerned. The following information pertains exclusively
-	to the interaction between a Windows XP Professional workstation and a
-	Samba-3.0.20 server. In the discussion that follows, use is made of DHCP and WINS.
-	</para>
-
-	<para>
-	As soon as the Windows workstation starts up, it obtains an
-	IP address. This is immediately followed by registration of its
-	name both by broadcast and Unicast registration that is directed
-	at the WINS server.
-	</para>
-
-	<para>
-	<indexterm><primary>Unicast</primary></indexterm>
-	<indexterm><primary>broadcast</primary><secondary>directed</secondary>
-	</indexterm><indexterm><primary>NetBIOS</primary></indexterm>
-	Given that the client is already a domain member, it then sends
-	a directed (Unicast) request to the WINS server seeking the list of
-	IP addresses for domain controllers (NetBIOS name type 0x1C). The
-	WINS server replies with the information requested.</para>
-
-	<para>
-	<indexterm><primary>broadcast</primary><secondary>mailslot</secondary></indexterm>
-	<indexterm><primary>Unicast</primary></indexterm>
-	<indexterm><primary>WINS</primary></indexterm>
-	The client sends two netlogon mailslot broadcast requests
-	to the local network and to each of the IP addresses returned by
-	the WINS server. Whichever answers this request first appears to
-	be the machine that the Windows XP client attempts to use to
-	process the network logon. The mailslot messages use UDP broadcast
-	to the local network and UDP Unicast directed at each machine that
-	was listed in the WINS server response to a request for the list of
-	domain controllers.
-	</para>
-
-	<para>
-	<indexterm><primary>protocol</primary><secondary>negotiation</secondary></indexterm>
-	<indexterm><primary>logon server</primary></indexterm>
-	<indexterm><primary>fail</primary></indexterm>
-	The logon process begins with negotiation of the SMB/CIFS
-	protocols that are to be used; this is followed by an exchange of
-	information that ultimately includes the client sending the
-	credentials with which the user is attempting to logon. The logon
-	server must now approve the further establishment of the
-	connection, but that is a good point to halt for now. The priority
-	here must center around identification of network infrastructure
-	needs. A secondary fact we need to know is, what happens when
-	local domain controllers fail or break?
-	</para>
-
-	<para>
-	<indexterm><primary>Domain Controller</primary></indexterm>
-	<indexterm><primary>PDC</primary></indexterm>
-	<indexterm><primary>BDC</primary></indexterm>
-	<indexterm><primary>netlogon</primary></indexterm>
-	Under most circumstances, the nearest domain controller
-	responds to the netlogon mailslot broadcast. The exception to this
-	norm occurs when the nearest domain controller is too busy or is out
-	of service. Herein lies an important fact. This means it is
-	important that every network segment should have at least two
-	domain controllers. Since there can be only one PDC, all additional
-	domain controllers are by definition BDCs.
-	</para>
-
-	<para>
-	<indexterm><primary>authentication</primary></indexterm>
-	<indexterm><primary>Identity Management</primary></indexterm>
-	The provision of sufficient servers that are BDCs is an
-	important design factor. The second important design factor
-	involves how each of the BDCs obtains user authentication
-	data. That is the subject of the next section, which involves key
-	decisions regarding Identity Management facilities.
-	</para>
-
-	</sect3>
-
-	<sect3>
-	<title>Identity Management Needs</title>
-
-	<para>
-	<indexterm><primary>privacy</primary></indexterm>
-	<indexterm><primary>user credentials</primary></indexterm>
-	<indexterm><primary>validated</primary></indexterm>
-	<indexterm><primary>privileges</primary></indexterm>
-	Network managers recognize that in large organizations users
-	generally need to be given resource access based on needs, while
-	being excluded from other resources for reasons of privacy. It is
-	therefore essential that all users identify themselves at the
-	point of network access. The network logon is the principal means
-	by which user credentials are validated and filtered and appropriate
-	rights and privileges are allocated.
-	</para>
-
-	<para>
-	<indexterm><primary>Identity Management</primary></indexterm>
-	<indexterm><primary>Yellow Pages</primary></indexterm>
-	<indexterm><primary>NIS</primary></indexterm>
-	Unfortunately, network resources tend to have their own Identity 
-	Management facilities, the quality and manageability of which varies 
-	from quite poor to exceptionally good. Corporations that use a mixture 
-	of systems soon discover that until recently, few systems were 
-	designed to interoperate. For example, UNIX systems each have an 
-	independent user database. Sun Microsystems developed a facility that 
-	was originally called <constant>Yellow Pages</constant>, and was renamed 
-	when a telephone company objected to the use of its trademark. 
-	What was once called <constant>Yellow Pages</constant> is today known 
-	as <constant>Network Information System</constant> (NIS).
-	</para>
-
-	<para>
-	<indexterm><primary>NIS+</primary></indexterm>
-	NIS gained a strong following throughout the UNIX/VMS space in a short
-	period of time and retained that appeal and use for over a decade.
-	Security concerns and inherent limitations have caused it to enter its
-	twilight. NIS did not gain widespread appeal outside of the UNIX world
-	and was not universally adopted. Sun updated this to a more secure
-	implementation called NIS+, but even it has fallen victim to changing
-	demands as the demand for directory services that can be coupled with
-	other information systems is catching on.
-	</para>
-
-
-	<para>
-	<indexterm><primary>NIS</primary></indexterm>
-	<indexterm><primary>government</primary></indexterm>
-	<indexterm><primary>education</primary></indexterm>
-	Nevertheless, both NIS and NIS+ continue to hold ground in
-	business areas where UNIX still has major sway. Examples of
-	organizations that remain firmly attached to the use of NIS and
-	NIS+ include large government departments, education institutions,
-	and large corporations that have a scientific or engineering
-	focus.
-	</para>
-
-	<para>
-	<indexterm><primary>scalable</primary></indexterm>
-	<indexterm><primary>distributed</primary></indexterm>
-	Today's networking world needs a scalable, distributed Identity 
-	Management infrastructure, commonly called a directory. The most 
-	popular technologies today are Microsoft Active Directory service 
-	and a number of LDAP implementations.
-	</para>
-
-	<para>
-	<indexterm><primary>multiple directories</primary></indexterm>
-	The problem of managing multiple directories has become a focal
-	point over the past decade, creating a large market for
-	metadirectory products and services that allow organizations that
-	have multiple directories and multiple management and control
-	centers to provision information from one directory into
-	another. The attendant benefit to end users is the promise of
-	having to remember and deal with fewer login identities and
-	passwords.</para>
-
-	<para>
-	<indexterm><primary>network</primary><secondary>bandwidth</secondary></indexterm>
-	The challenge of every large network is to find the optimum
-	balance of internal systems and facilities for Identity
-	Management resources. How well the solution is chosen and
-	implemented has potentially significant impact on network bandwidth
-	and systems response needs.</para>
-
-	<para>
-	<indexterm><primary>LDAP server</primary></indexterm>
-	<indexterm><primary>LDAP</primary><secondary>master</secondary></indexterm>
-	<indexterm><primary>LDAP</primary><secondary>slave</secondary></indexterm>
-	In <link linkend="happy"/>, you implemented a single LDAP server for the
-	entire network. This may work for smaller networks, but almost
-	certainly fails to meet the needs of large and complex networks. The
-	following section documents how you may implement a single
-	master LDAP server with multiple slave servers.</para>
-
-	<para>
-	What is the best method for implementing master/slave LDAP
-	servers within the context of a distributed 2,000-user network is a
-	question that remains to be answered.</para>
-
-	<para>
-	<indexterm><primary>distributed domain</primary></indexterm>
-	<indexterm><primary>wide-area</primary></indexterm>
-	One possibility that has great appeal is to create a single,
-	large distributed domain. The practical implications of this
-	design (see <link linkend="chap7net"/>) demands the placement of
-	sufficient BDCs in each location. Additionally, network
-	administrators must make sure that profiles are not transferred
-	over the wide-area links, except as a totally unavoidable
-	measure. Network design must balance the risk of loss of user
-	productivity against the cost of network management and
-	maintenance.
-	</para>
-
-	<para>
-	<indexterm><primary>domain name space</primary></indexterm>
-	The network design in <link linkend="chap7net2"/> takes the approach
-	that management of networks that are too remote to be managed
-	effectively from New York ought to be given a certain degree of
-	autonomy. With this rationale, the Los Angeles and London networks,
-	though fully integrated with those on the East Coast, each have their
-	own domain name space and can be independently managed and controlled.
-	One of the key drawbacks of this design is that it flies in the face of
-	the ability for network users to roam globally without some compromise
-	in how they may access global resources.
-	</para>
-
-	<para>
-	<indexterm><primary>interdomain trusts</primary></indexterm>
-	Desk-bound users need not be negatively affected by this design, since
-	the use of interdomain trusts can be used to satisfy the need for global
-	data sharing.
-	</para>
-
-	<para>
-	<indexterm><primary>LDAP</primary></indexterm>
-	<indexterm><primary>LDAP</primary><secondary>backend</secondary></indexterm>
-	<indexterm><primary>SID</primary></indexterm>
-	When Samba-3 is configured to use an LDAP backend, it stores the domain
-	account information in a directory entry. This account entry contains the
-	domain SID. An unintended but exploitable side effect is that this makes it
-	possible to operate with more than one PDC on a distributed network.
-	</para>
-
-	<para>
-	<indexterm><primary>WINS</primary></indexterm>
-	<indexterm><primary>wins.dat</primary></indexterm>
-	<indexterm><primary>SID</primary></indexterm>
-	How might this peculiar feature be exploited? The answer is simple. It is
-	imperative that each network segment have its own WINS server. Major
-	servers on remote network segments can be given a static WINS entry in
-	the <filename>wins.dat</filename> file on each WINS server. This allows
-	all essential data to be visible from all locations. Each location would,
-	however, function as if it is an independent domain, while all sharing the
-	same domain SID. Since all domain account information can be stored in a
-	single LDAP backend, users have unfettered ability to roam.
-	</para>
-
-	<para>
-	<indexterm><primary>NetBIOS name</primary><secondary>aliases</secondary></indexterm>
-	<indexterm><primary>fail-over</primary></indexterm>
-	This concept has not been exhaustively validated, though we can see no reason
-	why this should not work. The important facets are the following: The name of
-	the domain must be identical in all locations. Each network segment must have
-	its own WINS server. The name of the PDC must be the same in all locations; this
-	necessitates the use of NetBIOS name aliases for each PDC so that they can be
-	accessed globally using the alias and not the PDC's primary name. A single master
-	LDAP server can be based in New York, with multiple LDAP slave servers located
-	on every network segment. Finally, the BDCs should each use failover LDAP servers
-	that are in fact slave LDAP servers on the local segments.
-	</para>
-
-	<para>
-	<indexterm><primary>LDAP</primary><secondary>updates</secondary></indexterm>
-	<indexterm><primary>domain tree</primary></indexterm>
-	<indexterm><primary>LDAP</primary><secondary>database</secondary></indexterm>
-	<indexterm><primary>LDAP</primary><secondary>directory</secondary></indexterm>
-	With a single master LDAP server, all network updates are effected on a single
-	server. In the event that this should become excessively fragile or network
-	bandwidth limiting, one could implement a delegated LDAP domain. This is also
-	known as a partitioned (or multiple partition) LDAP database and as a distributed
-	LDAP directory.
-	</para>
-
-	<para>
-	As the LDAP directory grows, it becomes increasingly important
-	that its structure is implemented in a manner that mirrors
-	organizational needs, so as to limit network update and
-	referential traffic. It should be noted that all directory
-	administrators must of necessity follow the same standard
-	procedures for managing the directory, because retroactive correction of
-	inconsistent directory information can be exceedingly difficult.
-	</para>
-
-	</sect3>
-
-	</sect2>
-
-
-	<sect2>
-		<title>Political Issues</title>
-
-	<para>
-	As organizations grow, the number of points of control increases
-	also. In a large distributed organization, it is important that the
-	Identity Management system be capable of being updated from
-	many locations, and it is equally important that changes made should
-	become usable in a reasonable period, typically
-	minutes rather than days (the old limitation of highly manual
-	systems).
-	</para>
-
-	</sect2>
-
-</sect1>
-
-<sect1>
-	<title>Implementation</title>
-
-	<para>
-	<indexterm><primary>winbind</primary></indexterm>
-	<indexterm><primary>LDAP</primary></indexterm>
-	<indexterm><primary>UID</primary></indexterm>
-	<indexterm><primary>GID</primary></indexterm>
-	Samba-3 has the ability to use multiple password (authentication and
-	identity resolution) backends. The diagram in <link linkend="chap7idres"/>
-	demonstrates how Samba uses winbind, LDAP, and NIS, the traditional system
-	password database. The diagram only documents the mechanisms for
-	authentication and identity resolution (obtaining a UNIX UID/GID)
-	using the specific systems shown.
-	</para>
-
-	<figure id="chap7idres">
-		<title>Samba and Authentication Backend Search Pathways</title>
-		<imagefile scale="55">chap7-idresol</imagefile>
-	</figure>
-
-	<para>
-	<indexterm><primary>smbpasswd</primary></indexterm>
-	<indexterm><primary>xmlsam</primary></indexterm>
-	<indexterm><primary>SMB passwords</primary></indexterm>
-	<indexterm><primary>tdbsam</primary></indexterm>
-	<indexterm><primary>mysqlsam</primary></indexterm>
-	<indexterm><primary>LDAP</primary></indexterm>
-	<indexterm><primary>distributed</primary></indexterm>
-	Samba is capable of using the <constant>smbpasswd</constant>,
-	<constant>tdbsam</constant>, <constant>xmlsam</constant>,
-	and <constant>mysqlsam</constant> authentication databases. The SMB
-	passwords can, of course, also be stored in an LDAP ldapsam
-	backend. LDAP is the preferred passdb backend for distributed network
-	operations.
-	</para>
-
-	<para>
-	<indexterm><primary>passdb backend</primary></indexterm>
-	Additionally, it is possible to use multiple passdb backends
-	concurrently as well as have multiple LDAP backends. As a result, you
-	can specify a failover LDAP backend. The syntax for specifying a
-	single LDAP backend in &smb.conf; is:
-<screen>
-...
-passdb backend = ldapsam:ldap://master.abmas.biz
-...
-</screen>
-	This configuration tells Samba to use a single LDAP server, as shown in <link linkend="ch7singleLDAP"/>.
-	<figure id="ch7singleLDAP">
-		<title>Samba Configuration to Use a Single LDAP Server</title>
-		<imagefile scale="65">ch7-singleLDAP</imagefile>
-	</figure>
-	<indexterm><primary>LDAP</primary><secondary>fail-over</secondary></indexterm>
-	<indexterm><primary>fail-over</primary></indexterm>
-	The addition of a failover LDAP server can simply be done by adding a
-	second entry for the failover server to the single <parameter>ldapsam</parameter>
-	entry, as shown here (note the particular use of the double quotes):
-<screen>
-...
-passdb backend = ldapsam:"ldap://master.abmas.biz \
-	                  ldap://slave.abmas.biz"
-...
-</screen>
-	This configuration tells Samba to use a master LDAP server, with failover to a slave server if necessary,
-	as shown in <link linkend="ch7dualLDAP"/>.
-	<figure id="ch7dualLDAP">
-		<title>Samba Configuration to Use a Dual (Fail-over) LDAP Server</title>
-		<imagefile scale="65">ch7-fail-overLDAP</imagefile>
-	</figure>
-	</para>
-
-	<para>
-	Some folks have tried to implement this without the use of double quotes. This is the type of entry they
-	created:
-<screen>
-...
-passdb backend = ldapsam:ldap://master.abmas.biz \
-                 ldapsam:ldap://slave.abmas.biz
-...
-</screen>
-	<indexterm><primary>contiguous directory</primary></indexterm>
-	The effect of this style of entry is that Samba lists the users
-	that are in both LDAP databases. If both contain the same information,
-	it results in each record being shown twice. This is, of course, not the
-	solution desired for a failover implementation. The net effect of this
-	configuration is shown in <link linkend="ch7dualadd"/>
-	</para>
-
-	<figure id="ch7dualadd">
-		<title>Samba Configuration to Use Dual LDAP Databases - Broken - Do Not Use!</title>
-		<imagefile scale="55">ch7-dual-additive-LDAP</imagefile>
-	</figure>
-
-	<para>
-	If, however, each LDAP database contains unique information, this may 
-	well be an advantageous way to effectively integrate multiple LDAP databases 
-	into one seemingly contiguous directory. Only the first database will be updated.
-	An example of this configuration is shown in <link linkend="ch7dualok"/>.
-	</para>
-
-	<figure id="ch7dualok">
-		<title>Samba Configuration to Use Two LDAP Databases - The result is additive.</title>
-		<imagefile scale="55">ch7-dual-additive-LDAP-Ok</imagefile>
-	</figure>
-
-	<note><para>
-	When the use of ldapsam is specified twice, as shown here, it is imperative
-	that the two LDAP directories must be disjoint. If the entries are for a
-	master LDAP server as well as its own slave server, updates to the LDAP
-	database may end up being lost or corrupted. You may safely use multiple
-	LDAP backends only if both are entirely separate from each other.
-	</para></note>
-
-    <para>
-	It is assumed that the network you are working with follows in a
-	pattern similar to what was covered in <link linkend="happy"/>. The following steps
-    permit the operation of a master/slave OpenLDAP arrangement.
-	</para>
-
-	<procedure>
-	<title>Implementation Steps for an LDAP Slave Server</title>
-
-		<step><para>
-	    <indexterm><primary>SUSE Linux</primary></indexterm>
-		<indexterm><primary>Red Hat Linux</primary></indexterm>
-		Log onto the master LDAP server as <constant>root</constant>.
-		You are about to change the configuration of the LDAP server, so it
-		makes sense to temporarily halt it. Stop OpenLDAP from running on 
-		SUSE Linux by executing:
-<screen>
-&rootprompt; rcldap stop
-</screen>
-		On Red Hat Linux, you can do this by executing:
-<screen>
-&rootprompt; service ldap stop
-</screen>
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>/etc/openldap/slapd.conf</primary></indexterm>
-		Edit the <filename>/etc/openldap/slapd.conf</filename> file so it
-		matches the content of <link linkend="ch7-LDAP-master"/>.
-		</para></step>
-
-		<step><para>
-		Create a file called <filename>admin-accts.ldif</filename> with the following contents:
-<screen>
-dn: cn=updateuser,dc=abmas,dc=biz
-objectClass: person
-cn: updateuser
-sn: updateuser
-userPassword: not24get
-
-dn: cn=sambaadmin,dc=abmas,dc=biz
-objectClass: person
-cn: sambaadmin
-sn: sambaadmin
-userPassword: buttercup
-</screen>
-		</para></step>
-
-		<step><para>
-		Add an account called <quote>updateuser</quote> to the master LDAP server as shown here:
-<screen>
-&rootprompt; slapadd -v -l admin-accts.ldif
-</screen>
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>LDIF</primary></indexterm>
-		<indexterm><primary>LDAP</primary><secondary>preload</secondary></indexterm>
-		Change directory to a suitable place to dump the contents of the
-		LDAP server. The dump file (and LDIF file) is used to preload
-		the slave LDAP server database. You can dump the database by executing:
-<screen>
-&rootprompt; slapcat -v -l LDAP-transfer-LDIF.txt
-</screen>
-		Each record is written to the file.	
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>LDAP-transfer-LDIF.txt</primary></indexterm>
-		Copy the file <filename>LDAP-transfer-LDIF.txt</filename> to the intended
-		slave LDAP server. A good location could be in the directory 
-		<filename>/etc/openldap/preload</filename>.
-		</para></step>
-
-		<step><para>
-		Log onto the slave LDAP server as <constant>root</constant>. You can
-		now configure this server so the <filename>/etc/openldap/slapd.conf</filename>
-		file matches the content of <link linkend="ch7-LDAP-slave"/>.
-		</para></step>
-
-		<step><para>
-		Change directory to the location in which you stored the 
-		<filename>LDAP-transfer-LDIF.txt</filename> file (<filename>/etc/openldap/preload</filename>).
-		While in this directory, execute:
-<screen>
-&rootprompt; slapadd -v -l LDAP-transfer-LDIF.txt
-</screen>
-		If all goes well, the following output confirms that the data is being loaded
-		as intended:
-<screen>
-added: "dc=abmas,dc=biz" (00000001)
-added: "cn=sambaadmin,dc=abmas,dc=biz" (00000002)
-added: "cn=updateuser,dc=abmas,dc=biz" (00000003)
-added: "ou=People,dc=abmas,dc=biz" (00000004)
-added: "ou=Groups,dc=abmas,dc=biz" (00000005)
-added: "ou=Computers,dc=abmas,dc=biz" (00000006)
-added: "uid=Administrator,ou=People,dc=abmas,dc=biz" (00000007)
-added: "uid=nobody,ou=People,dc=abmas,dc=biz" (00000008)
-added: "cn=Domain Admins,ou=Groups,dc=abmas,dc=biz" (00000009)
-added: "cn=Domain Users,ou=Groups,dc=abmas,dc=biz" (0000000a)
-added: "cn=Domain Guests,ou=Groups,dc=abmas,dc=biz" (0000000b)
-added: "uid=bobj,ou=People,dc=abmas,dc=biz" (0000000c)
-added: "sambaDomainName=MEGANET2,dc=abmas,dc=biz" (0000000d)
-added: "uid=stans,ou=People,dc=abmas,dc=biz" (0000000e)
-added: "uid=chrisr,ou=People,dc=abmas,dc=biz" (0000000f)
-added: "uid=maryv,ou=People,dc=abmas,dc=biz" (00000010)
-added: "cn=Accounts,ou=Groups,dc=abmas,dc=biz" (00000011)
-added: "cn=Finances,ou=Groups,dc=abmas,dc=biz" (00000012)
-added: "cn=PIOps,ou=Groups,dc=abmas,dc=biz" (00000013)
-</screen>
-		</para></step>
-
-		<step><para>
-		Now start the LDAP server and set it to run automatically on system reboot by executing:
-<screen>
-&rootprompt; rcldap start
-&rootprompt; chkconfig ldap on
-</screen>
-		On Red Hat Linux, execute the following:
-<screen>
-&rootprompt; service ldap start
-&rootprompt; chkconfig ldap on
-</screen>
-		</para></step>
-
-		<step><para>
-	    <indexterm><primary>chkconfig</primary></indexterm>
-		<indexterm><primary>service</primary></indexterm>
-		<indexterm><primary>rcldap</primary></indexterm>
-		Go back to the master LDAP server. Execute the following to start LDAP as well
-		as <command>slurpd</command>, the synchronization daemon, as shown here:
-<screen>
-&rootprompt; rcldap start
-&rootprompt; chkconfig ldap on
-&rootprompt; rcslurpd start
-&rootprompt; chkconfig slurpd on
-</screen>
-	    <indexterm><primary>slurpd</primary></indexterm>
-		On Red Hat Linux, check the equivalent command to start <command>slurpd</command>.
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>smbldap-useradd</primary></indexterm>
-		On the master LDAP server you may now add an account to validate that replication
-		is working. Assuming the configuration shown in <link linkend="happy"/>, execute:
-<screen>
-&rootprompt; /var/lib/samba/sbin/smbldap-useradd -a fruitloop
-</screen>
-		</para></step>
-
-		<step><para>
-		On the slave LDAP server, change to the directory <filename>/var/lib/ldap</filename>.
-		There should now be a file called <filename>replogfile</filename>. If replication worked
-		as expected, the content of this file should be:
-<screen>
-time: 1072486403
-dn: uid=fruitloop,ou=People,dc=abmas,dc=biz
-changetype: modify
-replace: sambaProfilePath
-sambaProfilePath: \\MASSIVE\profiles\fruitloop
--
-replace: sambaHomePath
-sambaHomePath: \\MASSIVE\homes
--
-replace: entryCSN
-entryCSN: 2003122700:43:38Z#0x0005#0#0000
--
-replace: modifiersName
-modifiersName: cn=Manager,dc=abmas,dc=biz
--
-replace: modifyTimestamp
-modifyTimestamp: 20031227004338Z
--
-</screen>
-		</para></step>
-
-		<step><para>
-		Given that this first slave LDAP server is now working correctly, you may now
-		implement additional slave LDAP servers as required.
-		</para></step>
-
-		<step><para>
-		On each machine (PDC and BDCs) after the respective &smb.conf; files have been created as shown in
-		<link linkend="ch7-massmbconfA">Primary Domain Controller &smb.conf; File &smbmdash; Part A + B + C</link> and
-		on BDCs the <link linkend="ch7-slvsmbocnfA">Backup Domain Controller &smb.conf; File &smbmdash; Part A
-		+ B + C</link> execute the following:
-<screen>
-&rootprompt; smbpasswd -w buttercup
-</screen>
-		This will install in the <filename>secrets.tdb</filename> file the password that Samba will need to
-		manage (write to) the LDAP Master server to perform account updates.
-		</para></step>
-
-	</procedure>
-
-<example id="ch7-LDAP-master">
-<title>LDAP Master Server Configuration File &smbmdash; <filename>/etc/openldap/slapd.conf</filename></title>
-<screen>
-include     /etc/openldap/schema/core.schema
-include     /etc/openldap/schema/cosine.schema
-include     /etc/openldap/schema/inetorgperson.schema
-include     /etc/openldap/schema/nis.schema
-include     /etc/openldap/schema/samba.schema
-
-pidfile     /var/run/slapd/slapd.pid
-argsfile    /var/run/slapd/slapd.args
-
-database    bdb
-suffix      "dc=abmas,dc=biz"
-rootdn      "cn=Manager,dc=abmas,dc=biz"
-
-# rootpw = not24get
-rootpw      {SSHA}86kTavd9Dw3FAz6qzWTrCOKX/c0Qe+UV
-
-replica     host=lapdc.abmas.biz:389
-            suffix="dc=abmas,dc=biz"
-            binddn="cn=updateuser,dc=abmas,dc=biz"
-            bindmethod=simple credentials=not24get
-
-access to attrs=sambaLMPassword,sambaNTPassword
-           by dn="cn=sambaadmin,dc=abmas,dc=biz" write
-           by * none
-
-replogfile  /var/lib/ldap/replogfile
-
-directory   /var/lib/ldap
-
-# Indices to maintain
-index objectClass           eq
-index cn                    pres,sub,eq
-index sn                    pres,sub,eq
-index uid                   pres,sub,eq
-index displayName           pres,sub,eq
-index uidNumber             eq
-index gidNumber             eq
-index memberUID             eq
-index sambaSID              eq
-index sambaPrimaryGroupSID  eq
-index sambaDomainName       eq
-index default               sub
-</screen>
-</example>
-
-<example id="ch7-LDAP-slave">
-<title>LDAP Slave Configuration File &smbmdash; <filename>/etc/openldap/slapd.conf</filename></title>
-<screen>
-include     /etc/openldap/schema/core.schema
-include     /etc/openldap/schema/cosine.schema
-include     /etc/openldap/schema/inetorgperson.schema
-include     /etc/openldap/schema/nis.schema
-include     /etc/openldap/schema/samba.schema
-
-pidfile     /var/run/slapd/slapd.pid
-argsfile    /var/run/slapd/slapd.args
-
-database    bdb
-suffix      "dc=abmas,dc=biz"
-rootdn      "cn=Manager,dc=abmas,dc=biz"
-
-# rootpw = not24get
-rootpw      {SSHA}86kTavd9Dw3FAz6qzWTrCOKX/c0Qe+UV
-
-access to *
-            by dn=cn=updateuser,dc=abmas,dc=biz write
-            by * read
-
-updatedn    cn=updateuser,dc=abmas,dc=biz
-updateref   ldap://massive.abmas.biz
-
-directory   /var/lib/ldap
-
-# Indices to maintain
-index objectClass           eq
-index cn                    pres,sub,eq
-index sn                    pres,sub,eq
-index uid                   pres,sub,eq
-index displayName           pres,sub,eq
-index uidNumber             eq
-index gidNumber             eq
-index memberUID             eq
-index sambaSID              eq
-index sambaPrimaryGroupSID  eq
-index sambaDomainName       eq
-index default               sub
-</screen>
-</example>
-
-<example id="ch7-massmbconfA">
-<title>Primary Domain Controller &smb.conf; File &smbmdash; Part A</title>
-<smbconfblock>
-<smbconfcomment>Global parameters</smbconfcomment>
-<smbconfsection name="[global]"/>
-<smbconfoption name="unix charset">LOCALE</smbconfoption>
-<smbconfoption name="workgroup">MEGANET2</smbconfoption>
-<smbconfoption name="passdb backend">ldapsam:ldap://massive.abmas.biz</smbconfoption>
-<smbconfoption name="username map">/etc/samba/smbusers</smbconfoption>
-<smbconfoption name="log level">1</smbconfoption>
-<smbconfoption name="syslog">0</smbconfoption>
-<smbconfoption name="log file">/var/log/samba/%m</smbconfoption>
-<smbconfoption name="max log size">0</smbconfoption>
-<smbconfoption name="smb ports">139</smbconfoption>
-<smbconfoption name="name resolve order">wins bcast hosts</smbconfoption>
-<smbconfoption name="time server">Yes</smbconfoption>
-<smbconfoption name="printcap name">CUPS</smbconfoption>
-<smbconfoption name="add user script">/opt/IDEALX/sbin/smbldap-useradd -m '%u'</smbconfoption>
-<smbconfoption name="delete user script">/opt/IDEALX/sbin/smbldap-userdel '%u'</smbconfoption>
-<smbconfoption name="add group script">/opt/IDEALX/sbin/smbldap-groupadd -p '%g'</smbconfoption>
-<smbconfoption name="delete group script">/opt/IDEALX/sbin/smbldap-groupdel '%g'</smbconfoption>
-<smbconfoption name="add user to group script">/opt/IDEALX/sbin/smbldap-groupmod -m '%g' '%u'</smbconfoption>
-<smbconfoption name="delete user from group script">/opt/IDEALX/sbin/smbldap-groupmod -x '%g' '%u'</smbconfoption>
-<smbconfoption name="set primary group script">/opt/IDEALX/sbin/smbldap-usermod -g '%g' '%u'</smbconfoption>
-<smbconfoption name="add machine script">/opt/IDEALX/sbin/smbldap-useradd -w '%u'</smbconfoption>
-<smbconfoption name="shutdown script">/var/lib/samba/scripts/shutdown.sh</smbconfoption>
-<smbconfoption name="abort shutdown script">/sbin/shutdown -c</smbconfoption>
-<smbconfoption name="logon script">scripts\logon.bat</smbconfoption>
-<smbconfoption name="logon path">\\%L\profiles\%U</smbconfoption>
-<smbconfoption name="logon drive">X:</smbconfoption>
-<smbconfoption name="domain logons">Yes</smbconfoption>
-<smbconfoption name="domain master">Yes</smbconfoption>
-<smbconfoption name="wins support">Yes</smbconfoption>
-<smbconfoption name="ldap suffix">dc=abmas,dc=biz</smbconfoption>
-<smbconfoption name="ldap machine suffix">ou=People</smbconfoption>
-<smbconfoption name="ldap user suffix">ou=People</smbconfoption>
-<smbconfoption name="ldap group suffix">ou=Groups</smbconfoption>
-<smbconfoption name="ldap idmap suffix">ou=Idmap</smbconfoption>
-<smbconfoption name="ldap admin dn">cn=sambaadmin,dc=abmas,dc=biz</smbconfoption>
-<smbconfoption name="idmap backend">ldap://massive.abmas.biz</smbconfoption>
-<smbconfoption name="idmap uid">10000-20000</smbconfoption>
-<smbconfoption name="idmap gid">10000-20000</smbconfoption>
-<smbconfoption name="printing">cups</smbconfoption>
-</smbconfblock>
-</example>
-
-<example id="ch7-massmbconfB">
-<title>Primary Domain Controller &smb.conf; File &smbmdash; Part B</title>
-<smbconfblock>
-<smbconfsection name="[IPC$]"/>
-<smbconfoption name="path">/tmp</smbconfoption>
-
-<smbconfsection name="[accounts]"/>
-<smbconfoption name="comment">Accounting Files</smbconfoption>
-<smbconfoption name="path">/data/accounts</smbconfoption>
-<smbconfoption name="read only">No</smbconfoption>
-
-<smbconfsection name="[service]"/>
-<smbconfoption name="comment">Financial Services Files</smbconfoption>
-<smbconfoption name="path">/data/service</smbconfoption>
-<smbconfoption name="read only">No</smbconfoption>
-
-<smbconfsection name="[pidata]"/>
-<smbconfoption name="comment">Property Insurance Files</smbconfoption>
-<smbconfoption name="path">/data/pidata</smbconfoption>
-<smbconfoption name="read only">No</smbconfoption>
-
-<smbconfsection name="[homes]"/>
-<smbconfoption name="comment">Home Directories</smbconfoption>
-<smbconfoption name="valid users">%S</smbconfoption>
-<smbconfoption name="read only">No</smbconfoption>
-<smbconfoption name="browseable">No</smbconfoption>
-
-<smbconfsection name="[printers]"/>
-<smbconfoption name="comment">SMB Print Spool</smbconfoption>
-<smbconfoption name="path">/var/spool/samba</smbconfoption>
-<smbconfoption name="guest ok">Yes</smbconfoption>
-<smbconfoption name="printable">Yes</smbconfoption>
-<smbconfoption name="browseable">No</smbconfoption>
-</smbconfblock>
-</example>
-
-<example id="ch7-massmbconfC">
-<title>Primary Domain Controller &smb.conf; File &smbmdash; Part C</title>
-<smbconfblock>
-<smbconfsection name="[apps]"/>
-<smbconfoption name="comment">Application Files</smbconfoption>
-<smbconfoption name="path">/apps</smbconfoption>
-<smbconfoption name="admin users">bjones</smbconfoption>
-<smbconfoption name="read only">No</smbconfoption>
-
-<smbconfsection name="[netlogon]"/>
-<smbconfoption name="comment">Network Logon Service</smbconfoption>
-<smbconfoption name="path">/var/lib/samba/netlogon</smbconfoption>
-<smbconfoption name="admin users">root, Administrator</smbconfoption>
-<smbconfoption name="guest ok">Yes</smbconfoption>
-<smbconfoption name="locking">No</smbconfoption>
-
-<smbconfsection name="[profiles]"/>
-<smbconfoption name="comment">Profile Share</smbconfoption>
-<smbconfoption name="path">/var/lib/samba/profiles</smbconfoption>
-<smbconfoption name="read only">No</smbconfoption>
-<smbconfoption name="profile acls">Yes</smbconfoption>
-
-<smbconfsection name="[profdata]"/>
-<smbconfoption name="comment">Profile Data Share</smbconfoption>
-<smbconfoption name="path">/var/lib/samba/profdata</smbconfoption>
-<smbconfoption name="read only">No</smbconfoption>
-<smbconfoption name="profile acls">Yes</smbconfoption>
-
-<smbconfsection name="[print$]"/>
-<smbconfoption name="comment">Printer Drivers</smbconfoption>
-<smbconfoption name="path">/var/lib/samba/drivers</smbconfoption>
-<smbconfoption name="write list">root</smbconfoption>
-<smbconfoption name="admin users">root, Administrator</smbconfoption>
-</smbconfblock>
-</example>
-
-<example id="ch7-slvsmbocnfA">
-<title>Backup Domain Controller &smb.conf; File &smbmdash; Part A</title>
-<smbconfblock>
-<smbconfcomment># Global parameters</smbconfcomment>
-<smbconfsection name="[global]"/>
-<smbconfoption name="unix charset">LOCALE</smbconfoption>
-<smbconfoption name="workgroup">MEGANET2</smbconfoption>
-<smbconfoption name="netbios name">BLDG1</smbconfoption>
-<smbconfoption name="passdb backend">ldapsam:ldap://lapdc.abmas.biz</smbconfoption>
-<smbconfoption name="username map">/etc/samba/smbusers</smbconfoption>
-<smbconfoption name="log level">1</smbconfoption>
-<smbconfoption name="syslog">0</smbconfoption>
-<smbconfoption name="log file">/var/log/samba/%m</smbconfoption>
-<smbconfoption name="max log size">50</smbconfoption>
-<smbconfoption name="smb ports">139</smbconfoption>
-<smbconfoption name="name resolve order">wins bcast hosts</smbconfoption>
-<smbconfoption name="printcap name">CUPS</smbconfoption>
-<smbconfoption name="show add printer wizard">No</smbconfoption>
-<smbconfoption name="logon script">scripts\logon.bat</smbconfoption>
-<smbconfoption name="logon path">\\%L\profiles\%U</smbconfoption>
-<smbconfoption name="logon drive">X:</smbconfoption>
-<smbconfoption name="domain logons">Yes</smbconfoption>
-<smbconfoption name="os level">63</smbconfoption>
-<smbconfoption name="domain master">No</smbconfoption>
-<smbconfoption name="wins server">192.168.2.1</smbconfoption>
-<smbconfoption name="ldap suffix">dc=abmas,dc=biz</smbconfoption>
-<smbconfoption name="ldap machine suffix">ou=People</smbconfoption>
-<smbconfoption name="ldap user suffix">ou=People</smbconfoption>
-<smbconfoption name="ldap group suffix">ou=Groups</smbconfoption>
-<smbconfoption name="ldap idmap suffix">ou=Idmap</smbconfoption>
-<smbconfoption name="ldap admin dn">cn=sambaadmin,dc=abmas,dc=biz</smbconfoption>
-<smbconfoption name="utmp">Yes</smbconfoption>
-<smbconfoption name="idmap backend">ldap://massive.abmas.biz</smbconfoption>
-<smbconfoption name="idmap uid">10000-20000</smbconfoption>
-<smbconfoption name="idmap gid">10000-20000</smbconfoption>
-<smbconfoption name="printing">cups</smbconfoption>
-
-<smbconfsection name="[accounts]"/>
-<smbconfoption name="comment">Accounting Files</smbconfoption>
-<smbconfoption name="path">/data/accounts</smbconfoption>
-<smbconfoption name="read only">No</smbconfoption>
-
-<smbconfsection name="[service]"/>
-<smbconfoption name="comment">Financial Services Files</smbconfoption>
-<smbconfoption name="path">/data/service</smbconfoption>
-<smbconfoption name="read only">No</smbconfoption>
-</smbconfblock>
-</example>
-
-<example id="ch7-slvsmbocnfB">
-<title>Backup Domain Controller &smb.conf; File &smbmdash; Part B</title>
-<smbconfblock>
-<smbconfsection name="[pidata]"/>
-<smbconfoption name="comment">Property Insurance Files</smbconfoption>
-<smbconfoption name="path">/data/pidata</smbconfoption>
-<smbconfoption name="read only">No</smbconfoption>
-
-<smbconfsection name="[homes]"/>
-<smbconfoption name="comment">Home Directories</smbconfoption>
-<smbconfoption name="valid users">%S</smbconfoption>
-<smbconfoption name="read only">No</smbconfoption>
-<smbconfoption name="browseable">No</smbconfoption>
-
-<smbconfsection name="[printers]"/>
-<smbconfoption name="comment">SMB Print Spool</smbconfoption>
-<smbconfoption name="path">/var/spool/samba</smbconfoption>
-<smbconfoption name="guest ok">Yes</smbconfoption>
-<smbconfoption name="printable">Yes</smbconfoption>
-<smbconfoption name="browseable">No</smbconfoption>
-
-<smbconfsection name="[apps]"/>
-<smbconfoption name="comment">Application Files</smbconfoption>
-<smbconfoption name="path">/apps</smbconfoption>
-<smbconfoption name="admin users">bjones</smbconfoption>
-<smbconfoption name="read only">No</smbconfoption>
-
-<smbconfsection name="[netlogon]"/>
-<smbconfoption name="comment">Network Logon Service</smbconfoption>
-<smbconfoption name="path">/var/lib/samba/netlogon</smbconfoption>
-<smbconfoption name="guest ok">Yes</smbconfoption>
-<smbconfoption name="locking">No</smbconfoption>
-
-<smbconfsection name="[profiles]"/>
-<smbconfoption name="comment">Profile Share</smbconfoption>
-<smbconfoption name="path">/var/lib/samba/profiles</smbconfoption>
-<smbconfoption name="read only">No</smbconfoption>
-<smbconfoption name="profile acls">Yes</smbconfoption>
-
-<smbconfsection name="[profdata]"/>
-<smbconfoption name="comment">Profile Data Share</smbconfoption>
-<smbconfoption name="path">/var/lib/samba/profdata</smbconfoption>
-<smbconfoption name="read only">No</smbconfoption>
-<smbconfoption name="profile acls">Yes</smbconfoption>
-</smbconfblock>
-</example>
-
-	<sect2>
-		<title>Key Points Learned</title>
-
-		<itemizedlist>
-			<listitem><para>
-			<indexterm><primary>LDAP</primary></indexterm><indexterm><primary>BDC</primary></indexterm>
-			Where Samba-3 is used as a domain controller, the use of LDAP is an 
-			essential component to permit the use of BDCs.
-			</para></listitem>
-
-			<listitem><para>
-			<indexterm><primary>wide-area</primary></indexterm>
-			Replication of the LDAP master server to create a network of BDCs
-			is an important mechanism for limiting WAN traffic.
-			</para></listitem>
-
-			<listitem><para>
-			Network administration presents many complex challenges, most of which
-			can be satisfied by good design but that also require sound communication
-			and unification of management practices. This can be highly challenging in
-			a large, globally distributed network.
-			</para></listitem>
-
-			<listitem><para>
-			Roaming profiles must be contained to the local network segment. Any
-			departure from this may clog wide-area arteries and slow legitimate network
-			traffic to a crawl.
-			</para></listitem>
-		</itemizedlist>
-
-	</sect2>
-
-	<figure id="chap7net">
-		<title>Network Topology &smbmdash; 2000 User Complex Design A</title>
-		<imagefile scale="80">chap7-net-Ar</imagefile>
-	</figure>
-
-	<figure id="chap7net2">
-		<title>Network Topology &smbmdash; 2000 User Complex Design B</title>
-		<imagefile scale="80">chap7-net2-Br</imagefile>
-	</figure>
-
-</sect1>
-
-<sect1>
-	<title>Questions and Answers</title>
-
-	<para>
-	There is much rumor and misinformation regarding the use of MS Windows networking protocols.
-	These questions are just a few of those frequently asked.
-	</para>
-
-	<qandaset defaultlabel="chap07qa" type="number">
-	<qandaentry>
-	<question>
-
-	    <para>
-		<indexterm><primary>DHCP</primary></indexterm>
-		<indexterm><primary>network</primary><secondary>bandwidth</secondary></indexterm>
-		Is it true that DHCP uses lots of WAN bandwidth?
-		</para>
-
-	</question>
-	<answer>
-
-	    <para>
-		<indexterm><primary>DHCP</primary><secondary>Relay Agent</secondary></indexterm>
-		<indexterm><primary>routers</primary></indexterm>
-		<indexterm><primary>DHCP</primary><secondary>servers</secondary></indexterm>
-		It is a smart practice to localize DHCP servers on each network segment. As a 
-		rule, there should be two DHCP servers per network segment. This means that if
-		one server fails, there is always another to service user needs. DHCP requests use
-		only UDP broadcast protocols. It is possible to run a DHCP Relay Agent on network
-		routers. This makes it possible to run fewer DHCP servers.
-		</para>
-
-	    <para>
-		<indexterm><primary>DHCP</primary><secondary>request</secondary></indexterm>
-		<indexterm><primary>DHCP</primary><secondary>traffic</secondary></indexterm>
-		A DHCP network address request and confirmation usually results in about six UDP packets.
-		The packets are from 60 to 568 bytes in length. Let us consider a site that has 300 DHCP
-		clients and that uses a 24-hour IP address lease. This means that all clients renew
-		their IP address lease every 24 hours. If we assume an average packet length equal to the
-		maximum (just to be on the safe side), and we have a 128 Kb/sec wide-area connection, 
-		how significant would the DHCP traffic be if all of it were to use DHCP Relay?
-		</para>
-
-		<para>
-		I must stress that this is a bad design, but here is the calculation:
-<screen>
-Daily Network Capacity: 128,000 (Kbits/s) / 8 (bits/byte) 
-                             x 3600 (sec/hr) x 24 (hrs/day)= 2288 Mbytes/day.
-
-DHCP traffic:          300 (clients) x 6 (packets) 
-                                       x 512 (bytes/packet) = 0.9 Mbytes/day.
-</screen>
-		From this can be seen that the traffic impact would be minimal.
-		</para>
-
-	    <para>
-		<indexterm><primary>DNS</primary><secondary>Dynamic</secondary></indexterm>
-		<indexterm><primary>DHCP</primary></indexterm>
-		Even when DHCP is configured to do DNS update (dynamic DNS) over a wide-area link,
-		the impact of the update is no more than the DHCP IP address renewal traffic and thus
-		still insignificant for most practical purposes.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-	    <para>
-		<indexterm><primary>background communication</primary></indexterm>
-		<indexterm><primary>LDAP</primary><secondary>master/slave</secondary><tertiary>background communication</tertiary></indexterm>
-		How much background communication takes place between a master LDAP server and its slave LDAP servers?
-		</para>
-
-	</question>
-	<answer>
-
-	    <para>
-		<indexterm><primary>slurpd</primary></indexterm>
-		The process that controls the replication of data from the master LDAP server to the slave LDAP
-		servers is called <command>slurpd</command>. The <command>slurpd</command> remains nascent (quiet)
-		until an update must be propagated. The propagation traffic per LDAP slave to update (add/modify/delete)
-		two user accounts requires less than 10KB traffic.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-		<para>
-		LDAP has a database. Is LDAP not just a fancy database front end?
-		</para>
-
-	</question>
-	<answer>
-
-	    <para>
-		<indexterm><primary>database</primary></indexterm>
-		<indexterm><primary>LDAP</primary><secondary>database</secondary></indexterm>
-		<indexterm><primary>SQL</primary></indexterm>
-		<indexterm><primary>transactional</primary></indexterm>
-		LDAP does store its data in a database of sorts. In fact, the LDAP backend is an application-specific
-		data storage system. This type of database is indexed so that records can be rapidly located, but the
-		database is not generic and can be used only in particular pre-programmed ways. General external
-		applications do not gain access to the data. This type of database is used also by SQL servers. Both
-		an SQL server and an LDAP server provide ways to access the data. An SQL server has a transactional
-		orientation and typically allows external programs to perform ad hoc queries, even across data tables.
-		An LDAP front end is a purpose-built tool that has a search orientation that is designed around specific
-		simple queries. The term <constant>database</constant> is heavily overloaded and thus much misunderstood.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-	    <para>
-		<indexterm><primary>OpenLDAP</primary></indexterm>
-		Can Active Directory obtain account information from an OpenLDAP server?
-		</para>
-
-	</question>
-	<answer>
-
-	    <para>
-		<indexterm><primary>meta-directory</primary></indexterm>
-		No, at least not directly. It is possible to provision Active Directory from and/or to an OpenLDAP
-		database through use of a metadirectory server. Microsoft MMS (now called MIIS) can interface
-		to OpenLDAP using standard LDAP queries and updates. 
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-		<para>
-		What are the parts of a roaming profile? How large is each part?
-		</para>
-
-	</question>
-	<answer>
-
-	    <para><indexterm>
-		<primary>roaming profile</primary>
-	      </indexterm>
-		A roaming profile consists of
-		</para>
-
-		<itemizedlist>
-			<listitem><para>
-			Desktop folders such as <constant>Desktop</constant>, <constant>My Documents</constant>,
-			<constant>My Pictures</constant>, <constant>My Music</constant>, <constant>Internet Files</constant>,
-			<constant>Cookies</constant>, <constant>Application Data</constant>,
-			<constant>Local Settings,</constant> and more. See <link linkend="happy"/>, <link linkend="XP-screen001"/>.
-			</para>
-
-			<para>
-			<indexterm><primary>folder redirection</primary></indexterm>
-			Each of these can be anywhere from a few bytes to gigabytes in capacity. Fortunately, all
-			such folders can be redirected to network drive resources. See <link linkend="redirfold"/>
-			for more information regarding folder redirection.
-			</para></listitem>
-
-			<listitem><para>
-			A static or rewritable portion that is typically only a few files (2-5 KB of information).
-			</para></listitem>
-
-			<listitem><para>
-			<indexterm><primary>NTUSER.DAT</primary></indexterm>
-			<indexterm><primary>HKEY_LOCAL_USER</primary></indexterm>
-			The registry load file that modifies the <constant>HKEY_LOCAL_USER</constant> hive. This is
-			the <filename>NTUSER.DAT</filename> file. It can be from 0.4 to 1.5 MB.
-			</para></listitem>
-		</itemizedlist>
-
-	    <para>
-		<indexterm><primary>Microsoft Outlook</primary><secondary>PST files</secondary></indexterm>
-		Microsoft Outlook PST files may be stored in the <constant>Local Settings\Application Data</constant>
-		folder. It can be up to 2 GB in size per PST file.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-		<para>
-		Can the <constant>My Documents</constant> folder be stored on a network drive?
-		</para>
-
-	</question>
-	<answer>
-
-	    <para>
-		<indexterm><primary>UNC name</primary></indexterm>
-		<indexterm><primary>Universal Naming Convention</primary><see>UNC name</see></indexterm>
-		Yes. More correctly, such folders can be redirected to network shares. No specific network drive
-		connection is required. Registry settings permit this to be redirected directly to a UNC (Universal
-		Naming Convention) resource, though it is possible to specify a network drive letter instead of a
-		UNC name. See <link linkend="redirfold"/>.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-	    <para>
-		<indexterm><primary>wide-area</primary></indexterm>
-		<indexterm><primary>network</primary><secondary>bandwidth</secondary></indexterm>
-		<indexterm><primary>WINS</primary></indexterm>
-		How much WAN bandwidth does WINS consume?
-		</para>
-
-	</question>
-	<answer>
-
-	    <para>
-		<indexterm><primary>NetBIOS</primary><secondary>name cache</secondary></indexterm>
-		<indexterm><primary>WINS server</primary></indexterm>
-		<indexterm><primary>domain replication</primary></indexterm>
-		MS Windows clients cache information obtained from WINS lookups in a local NetBIOS name cache.
-		This keeps WINS lookups to a minimum. On a network with 3500 MS Windows clients and a central WINS
-		server, the total bandwidth demand measured at the WINS server, averaged over an 8-hour working day,
-		was less than 30 KB/sec. Analysis of network traffic over a 6-week period showed that the total
-		of all background traffic consumed about 11 percent of available bandwidth over 64 Kb/sec links.
-		Background traffic consisted of domain replication, WINS queries, DNS lookups, and authentication
-		traffic. Each of 11 branch offices had a 64 Kb/sec wide-area link, with a 1.5 Mb/sec main connection
-		that aggregated the branch office connections plus an Internet connection.
-		</para>
-
-		<para>
-		In conclusion, the total load afforded through WINS traffic is again marginal to total operational
-		usage &smbmdash; as it should be.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-		<para>
-		How many BDCs should I have? What is the right number of Windows clients per server?
-		</para>
-
-	</question>
-	<answer>
-
-		<para>
-		It is recommended to have at least one BDC per network segment, including the segment served
-		by the PDC. Actual requirements vary depending on the working load on each of the BDCs and the
-		load demand pattern of client usage. I have seen sites that function without problem with 200
-		clients served by one BDC, and yet other sites that had one BDC per 20 clients. In one particular
-		company, there was a drafting office that had 30 CAD/CAM operators served by one server, a print
-		server; and an application server. While all three were BDCs, typically only the print server would
-		service network logon requests after the first 10 users had started to use the network. This was
-		a reflection of the service load placed on both the application server and the data server.
-		</para>
-
-		<para>
-		As unsatisfactory as the answer might sound, it all depends on network and server load
-		characteristics.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-	    <para>
-		<indexterm><primary>NIS server</primary></indexterm><indexterm><primary>LDAP</primary></indexterm>
-		I've heard that you can store NIS accounts in LDAP. Is LDAP not just a smarter way to
-		run an NIS server?
-		</para>
-
-	</question>
-	<answer>
-
-		<para>
-		The correct answer to both questions is yes. But do understand that an LDAP server has
-		a configurable schema that can store far more information for many more purposes than
-		just NIS.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-		<para>
-		Can I use NIS in place of LDAP?
-		</para>
-
-	</question>
-	<answer>
-
-	    <para>
-		<indexterm><primary>NIS</primary></indexterm>
-		<indexterm><primary>NIS schema</primary></indexterm>
-		No. The NIS database does not have provision to store Microsoft encrypted passwords and does not deal
-		with the types of data necessary for interoperability with Microsoft Windows networking. The use
-		of LDAP with Samba requires the use of a number of schemas, one of which is the NIS schema, but also
-		a Samba-specific schema extension.
-		</para>
-
-</answer>
-	</qandaentry>
-
-	</qandaset>
-</sect1>
-
-</chapter>
-
diff --git a/docs-xml/Samba3-ByExample/SBE-500UserNetwork.xml b/docs-xml/Samba3-ByExample/SBE-500UserNetwork.xml
deleted file mode 100644
index 64809c8..0000000
--- a/docs-xml/Samba3-ByExample/SBE-500UserNetwork.xml
+++ /dev/null
@@ -1,2012 +0,0 @@
-<?xml version="1.0" encoding="iso-8859-1"?>
-<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
-<chapter id="Big500users">
-  <title>The 500-User Office</title>
-
-	<para>
-	The Samba-3 networking you explored in <link linkend="secure"/> covers the finer points of 
-	configuration of peripheral services such as DHCP and DNS, and WINS. You experienced
-	implementation of a simple configuration of the services that are important adjuncts 
-	to successful deployment of Samba. 
-	</para>
-
-	<para>
-	An analysis of the history of postings to the Samba mailing list easily demonstrates 
-	that the two most prevalent Samba problem areas are
-	</para>
-
-	<itemizedlist>
-		<listitem><para>
-		Defective resolution of a NetBIOS name to its IP address
-		</para></listitem>
-
-		<listitem><para>
-		Printing problems
-		</para></listitem>
-
-	</itemizedlist>
-
-	<para>
-	The exercises
-	so far in this book have focused on implementation of the simplest printing processes
-	involving  no print job processing intelligence. In this chapter, you maintain 
-	that same approach to printing, but <link linkend="happy"/> presents an opportunity 
-	to make printing more complex for the administrator while making it easier for the user.
-	</para>
-
-	<para>
-	<indexterm><primary>WINS server</primary></indexterm>
-	<indexterm><primary>tdbsam</primary></indexterm>
-	<indexterm><primary>passdb backend</primary></indexterm>
-	<link linkend="secure"/> demonstrates operation of a DHCP server and a DNS server 
-	as well as a central WINS server. You validated the operation of these services and
-	saw an effective implementation of a Samba domain controller using the 
-	<parameter>tdbsam</parameter> passdb backend.
-	</para>
-
-	<para>
-	The objective of this chapter is to introduce more complex techniques that can be used to
-	improve manageability of Samba as networking needs grow. In this chapter, you implement
-	a distributed DHCP server environment, a distributed DNS server arrangement, a centralized
-	WINS server, and a centralized Samba domain controller.
-	</para>
-
-	<para>
-	A note of caution is important regarding the Samba configuration that is used in this
-	chapter. The use of a single domain controller on a routed, multisegment network is 
-	a poor design choice that leads to potential network user complaints. 
-	This chapter demonstrates some successful 
-	techniques in deployment and configuration management. This should be viewed as a 
-	foundation chapter for complex Samba deployments.
-	</para>
-
-	<para>
-	As you master the techniques presented here, you may find much better methods to 
-	improve network management and control while reducing human resource overheads.
-	You should take the opportunity to innovate and expand on the methods presented 
-	here and explore them to the fullest.
-	</para>
-
-<sect1>
-	<title>Introduction</title>
-
-	<para>
-	Business continues to go well for Abmas. Mr. Meany is driving your success and the
-	network continues to grow thanks to the hard work Christine has done. You recently
-	hired Stanley Soroka as manager of information systems. Christine recommended Stan
-	to the role. She told you Stan is so good at handling Samba that he can make a cast
-	iron rocking horse that is embedded in concrete kick like a horse at a rodeo. You
-	need skills like his. Christine and Stan get along just fine. Let's see what 
-	you can get out of this pair as they plot the next-generation networks.
-	</para>
-
-	<para>
-	Ten months ago Abmas closed an acquisition of a property insurance business. The
-	founder lost interest in the business and decided to sell it to Mr. Meany.  Because
-	they were former university classmates, the purchase was concluded with mutual assent.
-	The acquired business is located at the other end of town in much larger facilities.
-	The old Abmas building has become too small. Located on the same campus as the newly
-	acquired business are two empty buildings that are ideal to provide Abmas with
-	opportunity for growth.
-	</para>
-
-	<para>
-	Abmas has now completed the purchase of the two empty buildings, and you are
-	to install a new network and relocate staff in nicely furnished new facilities.
-	The new network is to be used to fully integrate company operations. You have
-	decided to locate the new network operations control center in the larger building
-	in which the insurance group is located to take advantage of an ideal floor space
-	and to allow Stan and Christine to fully stage the new network and test it before
-	it is rolled out. Your strategy is to complete the new network so that it
-	is ready for operation when the old office moves into the new premises.
-	</para>
-
-	<sect2>
-		<title>Assignment Tasks</title>
-
-		<para>
-		The acquired business had 280 network users. The old Abmas building housed
-		220 network users in unbelievably cramped conditions. The network that
-		initially served 130 users now handles 220 users quite well.
-		</para>
-
-		<para>
-		The two businesses will be fully merged to create a single campus company.
-		The Property Insurance Group (PIG) houses 300 employees, the new Accounting
-		Services Group (ASG) will be in a small building (BLDG1) that houses 50 
-		employees, and the Financial Services Group (FSG) will be housed in a large
-		building that has capacity for growth (BLDG2). Building 2 houses 150 network
-		users.
-		</para>
-
-		<para>
-		You have decided to connect the building using fiber optic links between new
-		routers. As a backup, the buildings are interconnected using line-of-sight
-		high-speed infrared facilities. The infrared connection provides a
-		secondary route to be used during periods of high demand for network
-		bandwidth.
-		</para>
-
-		<para>
-		The Internet gateway is upgraded to 15 Mb/sec service. Your ISP
-		provides on your premises a fully managed Cisco PIX firewall. You no longer need
-		to worry about firewall facilities on your network.
-		</para>
-
-		<para>
-		Stanley and Christine have purchased new server hardware. Christine wants to
-		roll out a network that has whistles and bells. Stan wants to start off with
-		a simple to manage, not-too-complex network. He believes that network
-		users need to be gradually introduced to new features and capabilities and not
-		rushed into an environment that may cause disorientation and loss of productivity.
-		</para>
-
-		<para>
-		Your intrepid network team has decided to implement a network configuration
-		that closely mirrors the successful system you installed in the old Abmas building.
-		The new network infrastructure is owned by Abmas, but all desktop systems
-		are being procured through a new out-source services and leasing company. Under
-		the terms of a deal with Mr. M. Proper (CEO), DirectPointe, Inc., provides
-		all desktop systems and includes full level-one help desk support for 
-		a flat per-machine monthly fee. The deal allows you to add workstations on demand.
-		This frees Stan and Christine to deal with deeper issues as they emerge and 
-		permits Stan to work on creating new future value-added services.
-		</para>
-
-		<para>
-		DirectPointe Inc. receives from you a new standard desktop configuration
-		every four months. They automatically roll that out to each desktop system.
-		You must keep DirectPointe informed of all changes.
-		</para>
-
-	<para><indexterm>
-	    <primary>PDC</primary>
-	  </indexterm>
-		The new network has a single Samba Primary Domain Controller (PDC) located in the
-		Network Operation Center (NOC). Buildings 1 and 2 each have a local server
-		for local application servicing. It is a domain member. The new system
-		uses the <parameter>tdbsam</parameter> passdb backend.
-		</para>
-
-		<para>
-		Printing is based on raw pass-through facilities just as it has been used so far.
-		All printer drivers are installed on the desktop and notebook computers.
-		</para>
-
-	</sect2>
-</sect1>
-
-<sect1>
-	<title>Dissection and Discussion</title>
-
-	<para>
-	<indexterm><primary>network load factors</primary></indexterm>
-	The example you are building in this chapter is of a network design that works, but this
-	does not make it a design that is recommended. As a general rule, there should be at least
-	one Backup Domain Controller (BDC) per 150 Windows network clients. The principle behind
-	this recommendation is that correct operation of MS Windows clients requires rapid
-	network response to all SMB/CIFS requests. The same rule says that if there are more than
-	50 clients per domain controller, they are too busy to service requests. Let's put such
-	rules aside and recognize that network load affects the integrity of domain controller
-	responsiveness. This network will have 500 clients serviced by one central domain
-	controller. This is not a good omen for user satisfaction. You, of course, address this
-	very soon (see <link linkend="happy"/>).
-	</para>
-
-	<sect2>
-		<title>Technical Issues</title>
-
-		<para>
-		Stan has talked you into a horrible compromise, but it is addressed. Just make
-		certain that the performance of this network is well validated before going live.
-		</para>
-
-		<para>
-		Design decisions made in this design include the following:
-		</para>
-
-		<itemizedlist>
-			<listitem><para>
-			<indexterm><primary>PDC</primary></indexterm>
-			<indexterm><primary>LDAP</primary></indexterm>
-			<indexterm><primary>identity management</primary></indexterm>
-			A single PDC is being implemented. This limitation is based on the choice not to
-			use LDAP. Many network administrators fear using LDAP because of the perceived
-			complexity of implementation and management of an LDAP-based backend for all user
-			identity management as well as to store network access credentials.
-			</para></listitem>
-
-			<listitem><para>
-			<indexterm><primary>BDC</primary></indexterm>
-			<indexterm><primary>machine secret password</primary></indexterm>
-			Because of the refusal to use an LDAP (ldapsam) passdb backend at this time, the
-			only choice that makes sense with 500 users is to use the tdbsam passwd backend. 
-			This type of backend is not receptive to replication to BDCs.  If the tdbsam
-			<filename>passdb.tdb</filename> file is replicated to BDCs using
-			<command>rsync</command>, there are two potential problems: (1) data that is in
-			memory but not yet written to disk will not be replicated, and (2) domain member
-			machines periodically change the secret machine password. When this happens, there
-			is no mechanism to return the changed password to the PDC.
-			</para></listitem>
-
-			<listitem><para>
-			All domain user, group, and machine accounts are managed on the PDC. This makes
-			for a simple mode of operation but has to be balanced with network performance and
-			integrity of operations considerations.
-			</para></listitem>
-
-			<listitem><para>
-			<indexterm><primary>WINS</primary></indexterm>
-			A single central WINS server is being used. The PDC is also the WINS server.
-			Any attempt to operate a routed network without a WINS server while using NetBIOS
-			over TCP/IP protocols does not work unless on each client the name resolution
-			entries for the PDC are added to the <filename>LMHOSTS</filename>. This file is
-			normally located on the Windows XP Professional client in the 
-			<filename>C:\WINDOWS\SYSTEM32\ETC\DRIVERS</filename> directory.
-			</para></listitem>
-
-			<listitem><para>
-			At this time the Samba WINS database cannot be replicated. That is
-			why a single WINS server is being implemented. This should work without a problem.
-			</para></listitem>
-
-			<listitem><para>
-			<indexterm><primary>winbindd</primary></indexterm>
-			BDCs make use of <command>winbindd</command> to provide
-			access to domain security credentials for file system access and object storage.
-			</para></listitem>
-
-			<listitem><para>
-			<indexterm><primary>DHCP</primary><secondary>relay</secondary></indexterm>
-			<indexterm><primary>DHCP</primary><secondary>requests</secondary></indexterm>
-			Configuration of Windows XP Professional clients is achieved using DHCP. Each
-			subnet has its own DHCP server. Backup DHCP serving is provided by one
-			alternate DHCP server. This necessitates enabling of the DHCP Relay agent on
-			all routers. The DHCP Relay agent must be programmed to pass DHCP Requests from the
-			network directed at the backup DHCP server.
-			</para></listitem>
-
-			<listitem><para>
-			All network users are granted the ability to print to any printer that is
-			network-attached. All printers are available from each server. Print jobs that
-			are spooled to a printer that is not on the local network segment are automatically
-			routed to the print spooler that is in control of that printer. The specific details
-			of how this might be done are demonstrated for one example only.
-			</para></listitem>
-
-			<listitem><para>
-			The network address and subnetmask chosen provide 1022 usable IP addresses in
-			each subnet. If in the future more addresses are required, it would make sense
-			to add further subnets rather than change addressing.
-			</para></listitem>
-
-		</itemizedlist>
-
-	</sect2>
-
-
-	<sect2>
-		<title>Political Issues</title>
-
-		<para>
-		This case gets close to the real world. You and I know the right way to implement
-		domain control. Politically, we have to navigate a minefield. In this case, the need is to
-		get the PDC rolled out in compliance with expectations and also to be ready to save the day
-		by having the real solution ready before it is needed. That real solution is presented in
-		<link linkend="happy"/>.
-		</para>
-
-	</sect2>
-
-</sect1>
-
-<sect1>
-	<title>Implementation</title>
-
-	<para>
-	The following configuration process begins following installation of Red Hat Fedora Core2 on the
-	three servers shown in the network topology diagram in <link linkend="chap05net"/>. You have
-	selected hardware that is appropriate to the task.
-	</para>
-
-	<figure id="chap05net">
-		<title>Network Topology &smbmdash; 500 User Network Using tdbsam passdb backend.</title>
-		<imagefile scale="50">chap5-net</imagefile>
-	</figure>
-
-	<sect2 id="ch5-dnshcp-setup">
-	<title>Installation of DHCP, DNS, and Samba Control Files</title>
-
-	<para>
-	Carefully install the configuration files into the correct locations as shown in 
-	<link linkend="ch5-filelocations"/>. You should validate that the full file path is
-	correct as shown.
-	</para>
-
-	<para>
-	The abbreviation shown in this table as <constant>{VLN}</constant> refers to
-	the directory location beginning with <filename>/var/lib/named</filename>.
-	</para>
-
-
-	<table id="ch5-filelocations"><title>Domain: <constant>MEGANET</constant>, File Locations for Servers</title>
-		<tgroup cols="5">
-			<colspec colname='c1' align="left"/>
-			<colspec colname='c2' align="left"/>
-			<colspec colname='c3' align="center"/>
-			<colspec colname='c4' align="center"/>
-			<colspec colname='c5' align="center"/>
-			<thead>
-				<row>
-					<entry align="center" namest='c1' nameend='c2'>File Information</entry>
-					<entry align="center" namest="c3" nameend="c5">Server Name</entry>
-				</row>
-				<row>
-					<entry align="center">Source</entry>
-					<entry align="center">Target Location</entry>
-					<entry align="center">MASSIVE</entry>
-					<entry align="center">BLDG1</entry>
-					<entry align="center">BLDG2</entry>
-				</row>
-			</thead>
-			<tbody>
-				<row>
-					<entry><link linkend="ch5-massivesmb"/></entry>
-					<entry><filename>/etc/samba/smb.conf</filename></entry>
-					<entry>Yes</entry>
-					<entry>No</entry>
-					<entry>No</entry>
-				</row>
-				<row>
-					<entry><link linkend="ch5-dc-common"/></entry>
-					<entry><filename>/etc/samba/dc-common.conf</filename></entry>
-					<entry>Yes</entry>
-					<entry>No</entry>
-					<entry>No</entry>
-				</row>
-				<row>
-					<entry><link linkend="ch5-commonsmb"/></entry>
-					<entry><filename>/etc/samba/common.conf</filename></entry>
-					<entry>Yes</entry>
-					<entry>Yes</entry>
-					<entry>Yes</entry>
-				</row>
-				<row>
-					<entry><link linkend="ch5-bldg1-smb"/></entry>
-					<entry><filename>/etc/samba/smb.conf</filename></entry>
-					<entry>No</entry>
-					<entry>Yes</entry>
-					<entry>No</entry>
-				</row>
-				<row>
-					<entry><link linkend="ch5-bldg2-smb"/></entry>
-					<entry><filename>/etc/samba/smb.conf</filename></entry>
-					<entry>No</entry>
-					<entry>No</entry>
-					<entry>Yes</entry>
-				</row>
-				<row>
-					<entry><link linkend="ch5-dommem-smb"/></entry>
-					<entry><filename>/etc/samba/dommem.conf</filename></entry>
-					<entry>No</entry>
-					<entry>Yes</entry>
-					<entry>Yes</entry>
-				</row>
-				<row>
-					<entry><link linkend="massive-dhcp"/></entry>
-					<entry><filename>/etc/dhcpd.conf</filename></entry>
-					<entry>Yes</entry>
-					<entry>No</entry>
-					<entry>No</entry>
-				</row>
-				<row>
-					<entry><link linkend="bldg1dhcp"/></entry>
-					<entry><filename>/etc/dhcpd.conf</filename></entry>
-					<entry>No</entry>
-					<entry>Yes</entry>
-					<entry>No</entry>
-				</row>
-				<row>
-					<entry><link linkend="bldg2dhcp"/></entry>
-					<entry><filename>/etc/dhcpd.conf</filename></entry>
-					<entry>No</entry>
-					<entry>No</entry>
-					<entry>Yes</entry>
-				</row>
-				<row>
-					<entry><link linkend="massive-nameda"/></entry>
-					<entry><filename>/etc/named.conf (part A)</filename></entry>
-					<entry>Yes</entry>
-					<entry>No</entry>
-					<entry>No</entry>
-				</row>
-				<row>
-					<entry><link linkend="massive-namedb"/></entry>
-					<entry><filename>/etc/named.conf (part B)</filename></entry>
-					<entry>Yes</entry>
-					<entry>No</entry>
-					<entry>No</entry>
-				</row>
-				<row>
-					<entry><link linkend="massive-namedc"/></entry>
-					<entry><filename>/etc/named.conf (part C)</filename></entry>
-					<entry>Yes</entry>
-					<entry>No</entry>
-					<entry>No</entry>
-				</row>
-				<row>
-					<entry><link linkend="abmasbizdns"/></entry>
-					<entry><filename>{VLN}/master/abmas.biz.hosts</filename></entry>
-					<entry>Yes</entry>
-					<entry>No</entry>
-					<entry>No</entry>
-				</row>
-				<row>
-					<entry><link linkend="abmasusdns"/></entry>
-					<entry><filename>{VLN}/master/abmas.us.hosts</filename></entry>
-					<entry>Yes</entry>
-					<entry>No</entry>
-					<entry>No</entry>
-				</row>
-				<row>
-					<entry><link linkend="bldg12nameda"/></entry>
-					<entry><filename>/etc/named.conf (part A)</filename></entry>
-					<entry>No</entry>
-					<entry>Yes</entry>
-					<entry>Yes</entry>
-				</row>
-				<row>
-					<entry><link linkend="bldg12namedb"/></entry>
-					<entry><filename>/etc/named.conf (part B)</filename></entry>
-					<entry>No</entry>
-					<entry>Yes</entry>
-					<entry>Yes</entry>
-				</row>
-				<row>
-					<entry><link linkend="loopback"/></entry>
-					<entry><filename>{VLN}/localhost.zone</filename></entry>
-					<entry>Yes</entry>
-					<entry>Yes</entry>
-					<entry>Yes</entry>
-				</row>
-				<row>
-					<entry><link linkend="dnsloopy"/></entry>
-					<entry><filename>{VLN}/127.0.0.zone</filename></entry>
-					<entry>Yes</entry>
-					<entry>Yes</entry>
-					<entry>Yes</entry>
-				</row>
-				<row>
-					<entry><link linkend="roothint"/></entry>
-					<entry><filename>{VLN}/root.hint</filename></entry>
-					<entry>Yes</entry>
-					<entry>Yes</entry>
-					<entry>Yes</entry>
-				</row>
-			</tbody>
-		</tgroup>
-	</table>
-
-	</sect2>
-
-	<sect2>
-	<title>Server Preparation: All Servers</title>
-
-	<para>
-	The following steps apply to all servers. Follow each step carefully.
-	</para>
-
-		<procedure>
-		<title>Server Preparation Steps</title>
-
-			<step><para>
-			Using the UNIX/Linux system tools, set the name of the server as shown in the network
-			topology diagram in <link linkend="chap05net"/>. For SUSE Linux products, the tool
-			that permits this is called <command>yast2</command>; for Red Hat Linux products,
-			you can use the <command>netcfg</command> tool.
-			Verify that your hostname is correctly set by running:
-<screen>
-&rootprompt; uname -n
-</screen>
-			An alternate method to verify the hostname is:
-<screen>
-&rootprompt; hostname -f
-</screen>
-			</para></step>
-
-			<step><para>
-			<indexterm><primary>/etc/hosts</primary></indexterm>
-			<indexterm><primary>named</primary></indexterm>
-			Edit your <filename>/etc/hosts</filename> file to include the primary names and addresses
-			of all network interfaces that are on the host server. This is necessary so that during
-			startup the system is able to resolve all its own names to the IP address prior to
-			startup of the DNS server. You should check the startup order of your system. If the 
-			CUPS print server is started before the DNS server (<command>named</command>), you 
-			should also include an entry for the printers in the <filename>/etc/hosts</filename> file.
-			</para></step>
-
-			<step><para>
-			<indexterm><primary>/etc/resolv.conf</primary></indexterm>
-			All DNS name resolution should be handled locally. To ensure that the server is configured
-			correctly to handle this, edit <filename>/etc/resolv.conf</filename> so it has the following
-			content:
-<screen>
-search abmas.us abmas.biz
-nameserver 127.0.0.1
-</screen>
-			This instructs the name resolver function (when configured correctly) to ask the DNS server
-			that is running locally to resolve names to addresses.
-			</para></step>
-
-
-			<step><para>
-			<indexterm><primary>administrator</primary></indexterm>
-			<indexterm><primary>smbpasswd</primary></indexterm>
-			Add the <constant>root</constant> user to the password backend:
-<screen>
-&rootprompt; smbpasswd -a root
-New SMB password: XXXXXXXX
-Retype new SMB password: XXXXXXXX
-&rootprompt;
-</screen>
-			The <constant>root</constant> account is the UNIX equivalent of the Windows domain administrator.
-			This account is essential in the regular maintenance of your Samba server. It must never be
-			deleted. If for any reason the account is deleted, you may not be able to recreate this account
-			without considerable trouble.
-			</para></step>
-
-			<step><para>
-			<indexterm><primary>username map</primary></indexterm>
-			<indexterm><primary>/etc/samba/smbusers</primary></indexterm>
-			Create the username map file to permit the <constant>root</constant> account to be called
-			<constant>Administrator</constant> from the Windows network environment. To do this, create
-			the file <filename>/etc/samba/smbusers</filename> with the following contents:
-<screen>
-####
-# User mapping file
-####
-# File Format
-# -----------
-# Unix_ID = Windows_ID
-#
-# Examples:
-# root = Administrator
-# janes = "Jane Smith"
-# jimbo = Jim Bones
-#
-# Note: If the name contains a space it must be double quoted.
-#       In the example above the name 'jimbo' will be mapped to Windows
-#       user names 'Jim' and 'Bones' because the space was not quoted.
-#######################################################################
-root = Administrator
-####
-# End of File
-####
-</screen>
-			</para></step>
-
-			<step><para>
-			Configure all network-attached printers to have a fixed IP address.
-			</para></step>
-
-			<step><para>
-			Create an entry in the DNS database on the server <constant>MASSIVE</constant>
-			in both the forward lookup database for the zone <constant>abmas.biz.hosts</constant>
-			and in the reverse lookup database for the network segment that the printer is
-			located in. Example configuration files for similar zones were presented in <link linkend="secure"/>,
-			<link linkend="abmasbiz"/> and <link linkend="eth2zone"/>.
-			</para></step>
-
-			<step><para>
-			Follow the instructions in the printer manufacturer's manuals to permit printing 
-			to port 9100.  Use any other port the manufacturer specifies for direct mode, 
-			raw printing.  This allows the CUPS spooler to print using raw mode protocols.
-			<indexterm><primary>CUPS</primary></indexterm>
-			<indexterm><primary>raw printing</primary></indexterm>
-			</para></step>
-
-			<step><para>
-			<indexterm><primary>CUPS</primary><secondary>queue</secondary></indexterm>
-			Only on the server to which the printer is attached configure the CUPS Print 
-			Queues as follows:
-<screen>
-&rootprompt; lpadmin -p <parameter>printque</parameter> -v socket://<parameter>printer-name</parameter>.abmas.biz:9100 -E
-</screen>
-			<indexterm><primary>print filter</primary></indexterm>
-			This step creates the necessary print queue to use no assigned print filter. This
-			is ideal for raw printing, that is, printing without use of filters.
-			The name <parameter>printque</parameter> is the name you have assigned for
-			the particular printer.
-			</para></step>
-
-			<step><para>
-			Print queues may not be enabled at creation. Make certain that the queues
-			you have just created are enabled by executing the following:
-<screen>
-&rootprompt; /usr/bin/enable <parameter>printque</parameter>
-</screen>
-			</para></step>
-
-			<step><para>
-			Even though your print queue may be enabled, it is still possible that it
-			does not accept print jobs. A print queue services incoming printing
-			requests only when configured to do so. Ensure that your print queue is
-			set to accept incoming jobs by executing the following command:
-<screen>
-&rootprompt; /usr/bin/accept <parameter>printque</parameter>
-</screen>
-			</para></step>
-
-			<step><para>
-			<indexterm><primary>mime type</primary></indexterm>
-			<indexterm><primary>/etc/mime.convs</primary></indexterm>
-			<indexterm><primary>application/octet-stream</primary></indexterm>
-			This step, as well as the next one, may be omitted where CUPS version 1.1.18
-			or later is in use.  Although it does no harm to follow it anyway, and may
-			help to avoid time spent later trying to figure out why print jobs may be
-			disappearing without a trace. Look at these two steps as <emphasis>insurance</emphasis>
-			against lost time. Edit file <filename>/etc/cups/mime.convs</filename> to 
-			uncomment the line:
-<screen>
-application/octet-stream     application/vnd.cups-raw      0     -
-</screen>
-			</para></step>
-
-			<step><para>
-			<indexterm><primary>/etc/mime.types</primary></indexterm>
-			Edit the file <filename>/etc/cups/mime.types</filename> to uncomment the line:
-<screen>
-application/octet-stream
-</screen>
-			</para></step>
-
-			<step><para>
-			Refer to the CUPS printing manual for instructions regarding how to configure
-			CUPS so that print queues that reside on CUPS servers on remote networks
-			route print jobs to the print server that owns that queue. The default setting
-			on your CUPS server may automatically discover remotely installed printers and
-			may permit this functionality without requiring specific configuration.
-			</para></step>
-
-			<step><para>
-			As part of the roll-out program, you need to configure the application's
-			server shares. This can be done once on the central server and may then be
-			replicated using a tool such as <command>rsync</command>. Refer to the man
-			page for <command>rsync</command> for details regarding use. The notes in	
-			<link linkend="ch4appscfg"/> may help in your decisions to use an application
-			server facility.
-			</para></step>
-
-		</procedure>
-
-	<note><para>
-	Logon scripts that are run from a domain controller (PDC or BDC) are capable of using semi-intelligent
-	processes to automap Windows client drives to an application server that is nearest to the client. This
-	is considerably more difficult when a single PDC is used on a routed network. It can be done, but not
-	as elegantly as you see in the next chapter.
-	</para></note>
-
-	</sect2>
-
-	<sect2>
-	<title>Server-Specific Preparation</title>
-
-	<para>
-	There are some steps that apply to particular server functionality only. Each step is critical
-	to correct server operation. The following step-by-step installation guidance will assist you 
-	in working through the process of configuring the PDC and then both BDC's.
-	</para>
-
-		<sect3>
-		<title>Configuration for Server: <constant>MASSIVE</constant></title>
-
-		<para>
-		The steps presented here attempt to implement Samba installation in a generic manner. While
-		some steps are clearly specific to Linux, it should not be too difficult to apply them to
-		your platform of choice.
-		</para>
-
-		<procedure>
-		<title>Primary Domain Controller Preparation</title>
-
-			<step><para>
-			<indexterm><primary>/etc/rc.d/boot.local</primary></indexterm>
-			<indexterm><primary>IP forwarding</primary></indexterm>
-			The host server acts as a router between the two internal network segments as well
-			as for all Internet access. This necessitates that IP forwarding be enabled. This can be
-			achieved by adding to the <filename>/etc/rc.d/boot.local</filename> an entry as follows:
-<screen>
-echo 1 > /proc/sys/net/ipv4/ip_forward
-</screen>
-			To ensure that your kernel is capable of IP forwarding during configuration, you may wish to execute
-			that command manually also. This setting permits the Linux system to act as a router.
-			</para></step>
-
-			<step><para>
-			This server is dual hosted (i.e., has two network interfaces) &smbmdash; one goes to the Internet
-			and the other to a local network that has a router that is the gateway to the remote networks.
-			You must therefore configure the server with route table entries so that it can find machines
-			on the remote networks. You can do this using the appropriate system tools for your Linux
-			server or using static entries that you place in one of the system startup files. It is best
-			to always use the tools that the operating system vendor provided. In the case of SUSE Linux, the
-			best tool to do this is YaST (refer to SUSE Administration Manual); in the case of Red Hat,
-			this is best done using the graphical system configuration tools (see the Red Hat documentation).
-			An example of how this may be done manually is as follows:
-<screen>
-&rootprompt; route add net 172.16.4.0 netmask 255.255.252.0 gw 172.16.0.128
-&rootprompt; route add net 172.16.8.0 netmask 255.255.252.0 gw 172.16.0.128
-</screen>
-			If you just execute these commands manually, the route table entries you have created are
-			not persistent across system reboots. You may add these commands directly to the local
-			startup files as follows: (SUSE) <filename>/etc/rc.d/boot.local</filename>, (Red Hat)
-			<filename>/etc/rc.d/init.d/rc.local</filename>.
-			</para></step>
-
-			<step><para>
-			<indexterm><primary>/etc/nsswitch.conf</primary></indexterm>
-			The final step that must be completed is to edit the <filename>/etc/nsswitch.conf</filename> file.
-			This file controls the operation of the various resolver libraries that are part of the Linux
-			Glibc libraries. Edit this file so that it contains the following entries:
-<screen>
-hosts:      files dns wins
-</screen>
-			</para></step>
-
-			<step><para>
-			<indexterm><primary>initGrps.sh</primary></indexterm>
-			Create and map Windows domain groups to UNIX groups. A sample script is provided in
-			<link linkend="ch5-initgrps"/>. Create a file containing this script. You called yours
-			<filename>/etc/samba/initGrps.sh</filename>. Set this file so it can be executed
-			and then execute the script. An example of the execution of this script as well as its
-			validation are shown in Section 4.3.2, Step 5.
-			</para></step>
-
-			<step><para>
-			<indexterm><primary>/etc/passwd</primary></indexterm>
-			<indexterm><primary>password</primary><secondary>backend</secondary></indexterm>
-			<indexterm><primary>smbpasswd</primary></indexterm>
-			For each user who needs to be given a Windows domain account, make an entry in the
-			<filename>/etc/passwd</filename> file as well as in the Samba password backend.
-			Use the system tool of your choice to create the UNIX system account, and use the Samba
-			<command>smbpasswd</command> to create a domain user account.
-			</para>
-
-			<para>
-			<indexterm><primary>useradd</primary></indexterm>
-			<indexterm><primary>adduser</primary></indexterm>
-			<indexterm><primary>user</primary><secondary>management</secondary></indexterm>
-			There are a number of tools for user management under UNIX, such as
-			<command>useradd</command>, <command>adduser</command>, as well as a plethora of custom
-			tools. With the tool of your choice, create a home directory for each user.
-			</para></step>
-
-			<step><para>
-			Using the preferred tool for your UNIX system, add each user to the UNIX groups created
-			previously as necessary. File system access control is based on UNIX group membership.
-			</para></step>
-
-			<step><para>
-			Create the directory mount point for the disk subsystem that is to be mounted to provide
-			data storage for company files, in this case, the mount point indicated in the &smb.conf;
-			file is <filename>/data</filename>. Format the file system as required and mount the formatted
-			file system partition using appropriate system tools.
-			</para></step>
-
-			<step><para>
-		<indexterm><primary>file system</primary>
-		  <secondary>permissions</secondary></indexterm>
-			Create the top-level file storage directories for data and applications as follows:
-<screen>
-&rootprompt; mkdir -p /data/{accounts,finsvcs,pidata}
-&rootprompt; mkdir -p /apps
-&rootprompt; chown -R root:root /data
-&rootprompt; chown -R root:root /apps
-&rootprompt; chown -R bjordan:accounts /data/accounts
-&rootprompt; chown -R bjordan:finsvcs /data/finsvcs
-&rootprompt; chown -R bjordan:finsvcs /data/pidata
-&rootprompt; chmod -R ug+rwxs,o-rwx /data
-&rootprompt; chmod -R ug+rwx,o+rx-w /apps
-</screen>
-			Each department is responsible for creating its own directory structure within the departmental
-			share. The directory root of the <command>accounts</command> share is <filename>/data/accounts</filename>.
-			The directory root of the <command>finsvcs</command> share is <filename>/data/finsvcs</filename>.
-			The <filename>/apps</filename> directory is the root of the <constant>apps</constant> share
-			that provides the application server infrastructure.
-			</para></step>
-
-			<step><para>
-			The &smb.conf; file specifies an infrastructure to support roaming profiles and network
-			logon services. You can now create the file system infrastructure to provide the
-			locations on disk that these services require. Adequate planning is essential
-			because desktop profiles can grow to be quite large. For planning purposes, a minimum of
-			200 MB of storage should be allowed per user for profile storage. The following
-			commands create the directory infrastructure needed:
-<screen>
-&rootprompt; mkdir -p /var/spool/samba
-&rootprompt; mkdir -p /var/lib/samba/{netlogon/scripts,profiles}
-&rootprompt; chown -R root:root /var/spool/samba
-&rootprompt; chown -R root:root /var/lib/samba
-&rootprompt; chmod a+rwxt /var/spool/samba
-</screen>
-			For each user account that is created on the system, the following commands should be
-			executed:
-<screen>
-&rootprompt; mkdir /var/lib/samba/profiles/'username'
-&rootprompt; chown 'username':users /var/lib/samba/profiles/'username'
-&rootprompt; chmod ug+wrx,o+rx,-w /var/lib/samba/profiles/'username'
-</screen>
-			</para></step>
-
-			<step><para>
-			<indexterm><primary>unix2dos</primary></indexterm>
-			<indexterm><primary>dos2unix</primary></indexterm>
-			Create a logon script. It is important that each line is correctly terminated with
-			a carriage return and line-feed combination (i.e., DOS encoding). The following procedure
-			works if the right tools (<constant>unxi2dos</constant> and <constant>dos2unix</constant>) are installed.
-			First, create a file called <filename>/var/lib/samba/netlogon/scripts/logon.bat.unix</filename>
-			with the following contents:
-<screen>
-net time \\massive /set /yes
-net use h: /home
-</screen>
-			Convert the UNIX file to a DOS file:
-<screen>
-&rootprompt; dos2unix < /var/lib/samba/netlogon/scripts/logon.bat.unix \
-        > /var/lib/samba/netlogon/scripts/logon.bat
-</screen>
-			</para></step>
-
-			<step><para>
-			There is one preparatory step without which you cannot have a working Samba network
-			environment. You must add an account for each network user. You can do this by executing
-			the following steps for each user:
-<screen>
-&rootprompt; useradd -m <parameter>username</parameter>
-&rootprompt; passwd <parameter>username</parameter>
-Changing password for <parameter>username</parameter>.
-New password: XXXXXXXX
-Re-enter new password: XXXXXXXX
-Password changed
-&rootprompt; smbpasswd -a <parameter>username</parameter>
-New SMB password: XXXXXXXX
-Retype new SMB password: XXXXXXXX
-Added user <parameter>username</parameter>.
-</screen>
-			You do, of course, use a valid user login ID in place of <parameter>username</parameter>.
-			</para></step>
-
-			<step><para>
-			Follow the processes shown in <link linkend="ch5-procstart"/> to start all services.
-			</para></step>
-
-			<step><para>
-			Your server is ready for validation testing. Do not proceed with the steps in
-			<link linkend="ch5-domsvrspec"/> until after the operation of the server has been
-			validated following the same methods as outlined in <link linkend="secure"/>, <link linkend="ch4valid"/>.
-			</para></step>
-
-		</procedure>
-		
-		</sect3>
-
-		<sect3 id="ch5-domsvrspec">
-		<title>Configuration Specific to Domain Member Servers: <constant>BLDG1, BLDG2</constant></title>
-
-		<para>
-		The following steps will guide you through the nuances of implementing BDCs for the broadcast
-		isolated network segments. Remember that if the target installation platform is not Linux, it may
-		be necessary to adapt some commands to the equivalent on the target platform.
-		</para>
-
-		<procedure>
-		<title>Backup Domain Controller Configuration Steps</title>
-
-			<step><para>
-			<indexterm><primary>/etc/nsswitch.conf</primary></indexterm>
-			The final step that must be completed is to edit the <filename>/etc/nsswitch.conf</filename> file.
-			This file controls the operation of the various resolver libraries that are part of the Linux
-			Glibc libraries. Edit this file so that it contains the following entries:
-<screen>
-passwd:     files winbind
-group:      files winbind
-hosts:      files dns wins
-</screen>
-                        </para></step>
-
-			<step><para>
-			Follow the steps outlined in <link linkend="ch5-procstart"/> to start all services. Do not
-			start Samba at this time. Samba is controlled by the process called <command>smb</command>.
-			</para></step>
-
-			<step><para>
-			<indexterm><primary>net</primary><secondary>rpc</secondary><tertiary>join</tertiary></indexterm>
-			You must now attempt to join the domain member servers to the domain. The following
-			instructions should be executed to effect this:
-<screen>
-&rootprompt; net rpc join 
-</screen>
-			</para></step>
-
-			<step><para>
-			<indexterm><primary>service</primary><secondary>smb</secondary><tertiary>start</tertiary></indexterm>
-			You now start the Samba services by executing:
-<screen>
-&rootprompt; service smb start
-</screen>
-			</para></step>
-
-                        <step><para>
-                        Your server is ready for validation testing. Do not proceed with the steps in
-                        <link linkend="ch5-domsvrspec"/> until after the operation of the server has been
-                        validated following the same methods as outlined in <link linkend="ch4valid"/>.
-                        </para></step>
-
-		</procedure>
-
-		</sect3>
-
-	</sect2>
-
-<!-- One -->
-<example id="ch5-massivesmb">
-<title>Server: MASSIVE (PDC), File: <filename>/etc/samba/smb.conf</filename></title>
-<smbconfblock>
-<smbconfcomment>Global parameters</smbconfcomment>
-<smbconfsection name="[global]"/>
-<smbconfoption name="workgroup">MEGANET</smbconfoption>
-<smbconfoption name="netbios name">MASSIVE</smbconfoption>
-<smbconfoption name="interfaces">eth1, lo</smbconfoption>
-<smbconfoption name="bind interfaces only">Yes</smbconfoption>
-<smbconfoption name="passdb backend">tdbsam</smbconfoption>
-<smbconfoption name="smb ports">139</smbconfoption>
-<smbconfoption name="add user script">/usr/sbin/useradd -m '%u'</smbconfoption>
-<smbconfoption name="delete user script">/usr/sbin/userdel -r '%u'</smbconfoption>
-<smbconfoption name="add group script">/usr/sbin/groupadd '%g'</smbconfoption>
-<smbconfoption name="delete group script">/usr/sbin/groupdel '%g'</smbconfoption>
-<smbconfoption name="add user to group script">/usr/sbin/usermod -G '%g' '%u'</smbconfoption>
-<smbconfoption name="add machine script">/usr/sbin/useradd -s /bin/false -d /var/lib/nobody '%u'</smbconfoption>
-<smbconfoption name="preferred master">Yes</smbconfoption>
-<smbconfoption name="wins support">Yes</smbconfoption>
-<smbconfoption name="include">/etc/samba/dc-common.conf</smbconfoption>
-
-<smbconfsection name="[accounts]"/>
-<smbconfoption name="comment">Accounting Files</smbconfoption>
-<smbconfoption name="path">/data/accounts</smbconfoption>
-<smbconfoption name="read only">No</smbconfoption>
-
-<smbconfsection name="[service]"/>
-<smbconfoption name="comment">Financial Services Files</smbconfoption>
-<smbconfoption name="path">/data/service</smbconfoption>
-<smbconfoption name="read only">No</smbconfoption>
-
-<smbconfsection name="[pidata]"/>
-<smbconfoption name="comment">Property Insurance Files</smbconfoption>
-<smbconfoption name="path">/data/pidata</smbconfoption>
-<smbconfoption name="read only">No</smbconfoption>
-</smbconfblock>
-</example>
-
-<!-- Two -->
-<example id="ch5-dc-common">
-<title>Server: MASSIVE (PDC), File: <filename>/etc/samba/dc-common.conf</filename></title>
-<smbconfblock>
-<smbconfcomment>Global parameters</smbconfcomment>
-<smbconfsection name="[global]"/>
-<smbconfoption name="shutdown script">/var/lib/samba/scripts/shutdown.sh</smbconfoption>
-<smbconfoption name="abort shutdown script">/sbin/shutdown -c</smbconfoption>
-<smbconfoption name="logon script">scripts\logon.bat</smbconfoption>
-<smbconfoption name="logon path">\%L\profiles\%U</smbconfoption>
-<smbconfoption name="logon drive">X:</smbconfoption>
-<smbconfoption name="logon home">\%L\%U</smbconfoption>
-<smbconfoption name="domain logons">Yes</smbconfoption>
-<smbconfoption name="preferred master">Yes</smbconfoption>
-<smbconfoption name="include">/etc/samba/common.conf</smbconfoption>
-
-<smbconfsection name="[homes]"/>
-<smbconfoption name="comment">Home Directories</smbconfoption>
-<smbconfoption name="valid users">%S</smbconfoption>
-<smbconfoption name="read only">No</smbconfoption>
-<smbconfoption name="browseable">No</smbconfoption>
-
-<smbconfsection name="[netlogon]"/>
-<smbconfoption name="comment">Network Logon Service</smbconfoption>
-<smbconfoption name="path">/var/lib/samba/netlogon</smbconfoption>
-<smbconfoption name="guest ok">Yes</smbconfoption>
-<smbconfoption name="locking">No</smbconfoption>
-
-<smbconfsection name="[profiles]"/>
-<smbconfoption name="comment">Profile Share</smbconfoption>
-<smbconfoption name="path">/var/lib/samba/profiles</smbconfoption>
-<smbconfoption name="read only">No</smbconfoption>
-<smbconfoption name="profile acls">Yes</smbconfoption>
-</smbconfblock>
-</example>
-
-<!-- Three -->
-<example id="ch5-commonsmb">
-<title>Common Samba Configuration File: <filename>/etc/samba/common.conf</filename></title>
-<smbconfblock>
-<smbconfsection name="[global]"/>
-<smbconfoption name="username map">/etc/samba/smbusers</smbconfoption>
-<smbconfoption name="log level">1</smbconfoption>
-<smbconfoption name="syslog">0</smbconfoption>
-<smbconfoption name="log file">/var/log/samba/%m</smbconfoption>
-<smbconfoption name="max log size">50</smbconfoption>
-<smbconfoption name="smb ports">139</smbconfoption>
-<smbconfoption name="name resolve order">wins bcast hosts</smbconfoption>
-<smbconfoption name="time server">Yes</smbconfoption>
-<smbconfoption name="printcap name">CUPS</smbconfoption>
-<smbconfoption name="show add printer wizard">No</smbconfoption>
-<smbconfoption name="shutdown script">/var/lib/samba/scripts/shutdown.sh</smbconfoption>
-<smbconfoption name="abort shutdown script">/sbin/shutdown -c</smbconfoption>
-<smbconfoption name="utmp">Yes</smbconfoption>
-<smbconfoption name="map acl inherit">Yes</smbconfoption>
-<smbconfoption name="printing">cups</smbconfoption>
-<smbconfoption name="veto files">/*.eml/*.nws/*.{*}/</smbconfoption>
-<smbconfoption name="veto oplock files">/*.doc/*.xls/*.mdb/</smbconfoption>
-<smbconfoption name="include"> </smbconfoption>
-
-<smbconfcomment>Share and Service Definitions are common to all servers</smbconfcomment>
-<smbconfsection name="[printers]"/>
-<smbconfoption name="comment">SMB Print Spool</smbconfoption>
-<smbconfoption name="path">/var/spool/samba</smbconfoption>
-<smbconfoption name="guest ok">Yes</smbconfoption>
-<smbconfoption name="printable">Yes</smbconfoption>
-<smbconfoption name="use client driver">Yes</smbconfoption>
-<smbconfoption name="default devmode">Yes</smbconfoption>
-<smbconfoption name="browseable">No</smbconfoption>
-
-<smbconfsection name="[apps]"/>
-<smbconfoption name="comment">Application Files</smbconfoption>
-<smbconfoption name="path">/apps</smbconfoption>
-<smbconfoption name="admin users">bjordan</smbconfoption>
-<smbconfoption name="read only">No</smbconfoption>
-</smbconfblock>
-</example>
-
-<!-- Four -->
-<example id="ch5-bldg1-smb">
-<title>Server: BLDG1 (Member), File: smb.conf</title>
-<smbconfblock>
-<smbconfcomment>Global parameters</smbconfcomment>
-<smbconfsection name="[global]"/>
-<smbconfoption name="workgroup">MEGANET</smbconfoption>
-<smbconfoption name="netbios name">BLDG1</smbconfoption>
-<smbconfoption name="include">/etc/samba/dom-mem.conf</smbconfoption>
-</smbconfblock>
-</example>
-
-<!-- Five -->
-<example id="ch5-bldg2-smb">
-<title>Server: BLDG2 (Member), File: smb.conf</title>
-<smbconfblock>
-<smbconfcomment>Global parameters</smbconfcomment>
-<smbconfsection name="[global]"/>
-<smbconfoption name="workgroup">MEGANET</smbconfoption>
-<smbconfoption name="netbios name">BLDG2</smbconfoption>
-<smbconfoption name="include">/etc/samba/dom-mem.conf</smbconfoption>
-</smbconfblock>
-</example>
-
-<!-- Six -->
-<example id="ch5-dommem-smb">
-<title>Common Domain Member Include File: dom-mem.conf</title>
-<smbconfblock>
-<smbconfcomment>Global parameters</smbconfcomment>
-<smbconfsection name="[global]"/>
-<smbconfoption name="shutdown script">/var/lib/samba/scripts/shutdown.sh</smbconfoption>
-<smbconfoption name="abort shutdown script">/sbin/shutdown -c</smbconfoption>
-<smbconfoption name="preferred master">Yes</smbconfoption>
-<smbconfoption name="wins server">172.16.0.1</smbconfoption>
-<smbconfoption name="idmap uid">15000-20000</smbconfoption>
-<smbconfoption name="idmap gid">15000-20000</smbconfoption>
-<smbconfoption name="include">/etc/samba/common.conf</smbconfoption>
-</smbconfblock>
-</example>
-
-<!-- Seven -->
-<example id="massive-dhcp">
-<title>Server: MASSIVE, File: dhcpd.conf</title>
-<screen>
-# Abmas Accounting Inc.
-
-default-lease-time 86400;
-max-lease-time 172800;
-default-lease-time 86400;
-ddns-updates on;
-ddns-update-style interim;
-
-option ntp-servers 172.16.0.1;
-option domain-name "abmas.biz";
-option domain-name-servers 172.16.0.1, 172.16.4.1;
-option netbios-name-servers 172.16.0.1;
-option netbios-node-type 8;
-
-subnet 172.16.1.0 netmask 255.255.252.0 {
-        range dynamic-bootp 172.16.1.0 172.16.2.255;
-        option subnet-mask 255.255.252.0;
-        option routers 172.16.0.1, 172.16.0.128;
-        allow unknown-clients;
-	}
-subnet 172.16.4.0 netmask 255.255.252.0 {
-        range dynamic-bootp 172.16.7.0 172.16.7.254;
-        option subnet-mask 255.255.252.0;
-        option routers 172.16.4.128;
-        allow unknown-clients;
-	}
-subnet 172.16.8.0 netmask 255.255.252.0 {
-        range dynamic-bootp 172.16.11.0 172.16.11.254;
-        option subnet-mask 255.255.252.0;
-        option routers 172.16.4.128;
-        allow unknown-clients;
-	}
-subnet 127.0.0.0 netmask 255.0.0.0 {
-        }
-subnet 123.45.67.64 netmask 255.255.255.252 {
-        }
-</screen>
-</example>
-
-<!-- Eight -->
-<example id="bldg1dhcp">
-<title>Server: BLDG1, File: dhcpd.conf</title>
-<screen>
-# Abmas Accounting Inc.
-
-default-lease-time 86400;
-max-lease-time 172800;
-default-lease-time 86400;
-ddns-updates on;
-ddns-update-style ad-hoc;
-
-option ntp-servers 172.16.0.1;
-option domain-name "abmas.biz";
-option domain-name-servers 172.16.0.1, 172.16.4.1;
-option netbios-name-servers 172.16.0.1;
-option netbios-node-type 8;
-
-subnet 172.16.1.0 netmask 255.255.252.0 {
-        range dynamic-bootp 172.16.3.0 172.16.3.255;
-        option subnet-mask 255.255.252.0;
-        option routers 172.16.0.1, 172.16.0.128;
-        allow unknown-clients;
-	}
-subnet 172.16.4.0 netmask 255.255.252.0 {
-        range dynamic-bootp 172.16.5.0 172.16.6.255;
-        option subnet-mask 255.255.252.0;
-        option routers 172.16.4.128;
-        allow unknown-clients;
-	}
-subnet 127.0.0.0 netmask 255.0.0.0 {
-        }
-</screen>
-</example>
-
-<!-- Nine -->
-<example id="bldg2dhcp">
-<title>Server: BLDG2, File: dhcpd.conf</title>
-<screen>
-# Abmas Accounting Inc.
-
-default-lease-time 86400;
-max-lease-time 172800;
-default-lease-time 86400;
-ddns-updates on;
-ddns-update-style interim;
-
-option ntp-servers 172.16.0.1;
-option domain-name "abmas.biz";
-option domain-name-servers 172.16.0.1, 172.16.4.1;
-option netbios-name-servers 172.16.0.1;
-option netbios-node-type 8;
-
-subnet 172.16.8.0 netmask 255.255.252.0 {
-        range dynamic-bootp 172.16.9.0 172.16.10.255;
-        option subnet-mask 255.255.252.0;
-        option routers 172.16.8.128;
-        allow unknown-clients;
-	}
-subnet 127.0.0.0 netmask 255.0.0.0 {
-        }
-</screen>
-</example>
-
-<!-- Ten -->
-<example id="massive-nameda">
-<title>Server: MASSIVE, File: named.conf, Part: A</title>
-<screen>
-###
-# Abmas Biz DNS Control File
-###
-# Date: November 15, 2003
-###
-options {
-	directory "/var/lib/named";
-	forwarders {
-		123.45.12.23;
-		123.45.54.32;
-		};
-	forward first;
-	listen-on {
-		mynet;
-		};
-	auth-nxdomain yes;
-	multiple-cnames yes;
-	notify no;
-};
-
-zone "." in {
-	type hint;
-	file "root.hint";
-};
-
-zone "localhost" in {
-	type master;
-	file "localhost.zone";
-};
-
-zone "0.0.127.in-addr.arpa" in {
-	type master;
-	file "127.0.0.zone";
-};
-
-acl mynet {
-	172.16.0.0/24;
-	172.16.4.0/24;
-	172.16.8.0/24;
-	127.0.0.1;
-};
-
-acl seconddns {
-        123.45.54.32;
-};
-</screen>
-</example>
-
-<!-- Eleven -->
-<example id="massive-namedb">
-<title>Server: MASSIVE, File: named.conf, Part: B</title>
-<screen>
-zone "abmas.biz" {
-	type master;
-	file "/var/lib/named/master/abmas.biz.hosts";
-	allow-query {
-		mynet;
-	};
-	allow-transfer {
-		mynet;
-	};
-	allow-update {
-		mynet;
-	};
-};
-
-zone "abmas.us" {
-        type master;
-        file "/var/lib/named/master/abmas.us.hosts";
-        allow-query {
-                all;
-        };
-        allow-transfer {
-                seconddns;
-        };
-};
-</screen>
-</example>
-
-<!-- Twelve -->
-<example id="massive-namedc">
-<title>Server: MASSIVE, File: named.conf, Part: C</title>
-<screen>
-zone "0.16.172.in-addr.arpa" {
-	type master;
-	file "/var/lib/named/master/172.16.0.0.rev";
-	allow-query {
-		mynet;
-	};
-	allow-transfer {
-		mynet;
-	};
-	allow-update {
-		mynet;
-	};
-};
-
-zone "4.16.172.in-addr.arpa" {
-	type master;
-	file "/var/lib/named/master/172.16.4.0.rev";
-	allow-query {
-		mynet;
-	};
-	allow-transfer {
-		mynet;
-	};
-	allow-update {
-		mynet;
-	};
-};
-
-zone "8.16.172.in-addr.arpa" {
-	type master;
-	file "/var/lib/named/master/172.16.8.0.rev";
-	allow-query {
-		mynet;
-	};
-	allow-transfer {
-		mynet;
-	};
-	allow-update {
-		mynet;
-	};
-};
-</screen>
-</example>
-
-<!-- Thirteen -->
-<example id="abmasbizdns">
-<title>Forward Zone File: abmas.biz.hosts</title>
-<screen>
-$ORIGIN .
-$TTL 38400	; 10 hours 40 minutes
-abmas.biz	IN SOA	massive.abmas.biz. root.abmas.biz. (
-				2003021833 ; serial
-				10800      ; refresh (3 hours)
-				3600       ; retry (1 hour)
-				604800     ; expire (1 week)
-				38400      ; minimum (10 hours 40 minutes)
-				)
-			NS	massive.abmas.biz.
-			NS	bldg1.abmas.biz.
-			NS	bldg2.abmas.biz.
-			MX	10 massive.abmas.biz.
-$ORIGIN abmas.biz.
-massive			A	172.16.0.1
-router0                 A       172.16.0.128
-bldg1                   A       172.16.4.1
-router4                 A       172.16.4.128
-bldg2                   A       172.16.8.1
-router8                 A       172.16.8.128
-</screen>
-</example>
-
-<!-- Forteen -->
-<example id="abmasusdns">
-<title>Forward Zone File: abmas.biz.hosts</title>
-<screen>
-$ORIGIN .
-$TTL 38400	; 10 hours 40 minutes
-abmas.us	IN SOA	server.abmas.us. root.abmas.us. (
-				2003021833 ; serial
-				10800      ; refresh (3 hours)
-				3600       ; retry (1 hour)
-				604800     ; expire (1 week)
-				38400      ; minimum (10 hours 40 minutes)
-				)
-			NS	dns.abmas.us.
-			NS	dns2.abmas.us.
-			MX	10 mail.abmas.us.
-$ORIGIN abmas.us.
-server			A	123.45.67.66
-dns2			A	123.45.54.32
-gw			A	123.45.67.65
-www			CNAME	server
-mail			CNAME	server
-dns			CNAME	server
-</screen>
-</example>
-
-<!-- Fifteen -->
-<example id="bldg12nameda">
-<title>Servers: BLDG1/BLDG2, File: named.conf, Part: A</title>
-<screen>
-###
-# Abmas Biz DNS Control File
-###
-# Date: November 15, 2003
-###
-options {
-	directory "/var/lib/named";
-	forwarders {
-		172.16.0.1;
-		};
-	forward first;
-	listen-on {
-		mynet;
-		};
-	auth-nxdomain yes;
-	multiple-cnames yes;
-	notify no;
-};
-
-zone "." in {
-	type hint;
-	file "root.hint";
-};
-
-zone "localhost" in {
-	type master;
-	file "localhost.zone";
-};
-
-zone "0.0.127.in-addr.arpa" in {
-	type master;
-	file "127.0.0.zone";
-};
-
-acl mynet {
-	172.16.0.0/24;
-	172.16.4.0/24;
-	172.16.8.0/24;
-	127.0.0.1;
-};
-
-acl seconddns {
-        123.45.54.32;
-};
-</screen>
-</example>
-
-<!-- Sixteen -->
-<example id="bldg12namedb">
-<title>Servers: BLDG1/BLDG2, File: named.conf, Part: B</title>
-<screen>
-zone "abmas.biz" {
-	type slave;
-	file "/var/lib/named/slave/abmas.biz.hosts";
-	allow-query {
-		mynet;
-	};
-	allow-transfer {
-		mynet;
-	};
-};
-
-zone "0.16.172.in-addr.arpa" {
-	type slave;
-	file "/var/lib/slave/master/172.16.0.0.rev";
-	allow-query {
-		mynet;
-	};
-	allow-transfer {
-		mynet;
-	};
-};
-
-zone "4.16.172.in-addr.arpa" {
-	type slave;
-	file "/var/lib/named/slave/172.16.4.0.rev";
-	allow-query {
-		mynet;
-	};
-	allow-transfer {
-		mynet;
-	};
-};
-
-zone "8.16.172.in-addr.arpa" {
-	type slave;
-	file "/var/lib/named/slave/172.16.8.0.rev";
-	allow-query {
-		mynet;
-	};
-	allow-transfer {
-		mynet;
-	};
-};
-</screen>
-</example>
-
-
-<!-- Seventeen -->
-<example id="ch5-initgrps">
-<title>Initialize Groups Script, File: /etc/samba/initGrps.sh</title>
-<screen>
-#!/bin/bash
-
-# Create UNIX groups
-groupadd acctsdep
-groupadd finsrvcs
-groupadd piops
-
-# Map Windows Domain Groups to UNIX groups
-net groupmap add ntgroup="Domain Admins"  unixgroup=root type=d
-net groupmap add ntgroup="Domain Users"   unixgroup=users type=d
-net groupmap add ntgroup="Domain Guests"  unixgroup=nobody type=d
-
-# Add Functional Domain Groups
-net groupmap add ntgroup="Accounts Dept"       unixgroup=acctsdep type=d
-net groupmap add ntgroup="Financial Services"  unixgroup=finsrvcs type=d
-net groupmap add ntgroup="Insurance Group"     unixgroup=piops type=d
-</screen>
-</example>
-
-<!-- End of Examples -->
-
-        <sect2 id="ch5-procstart">
-        <title>Process Startup Configuration</title>
-
-        <para>
-		<indexterm><primary>chkconfig</primary></indexterm>
-		<indexterm><primary>daemon control</primary></indexterm>
-        There are two essential steps to process startup configuration. A process
-        must be configured so that it is automatically restarted each time the server
-        is rebooted. This step involves use of the <command>chkconfig</command> tool that
-        created appropriate symbolic links from the master daemon control file that is
-        located in the <filename>/etc/rc.d</filename> directory to the <filename>/etc/rc'x'.d</filename>
-        directories. Links are created so that when the system run-level is changed, the
-        necessary start or kill script is run.
-        </para>
-
-        <para>
-        <indexterm><primary>/etc/xinetd.d</primary></indexterm>
-        In the event that a service is provided not as a daemon but via the internetworking
-        super daemon (<command>inetd</command> or <command>xinetd</command>), then the <command>chkconfig</command>
-        tool makes the necessary entries in the <filename>/etc/xinetd.d</filename> directory
-        and sends a hang-up (HUP) signal to the super daemon, thus forcing it to
-        re-read its control files.
-        </para>
-
-        <para>
-        Last, each service must be started to permit system validation to proceed. The following steps
-		are for a Red Hat Linux system, please adapt them to suit the target OS platform on which you 
-		are installing Samba.
-        </para>
-
-        <procedure>
-		<title>Process Startup Configuration Steps</title>
-
-                <step><para>
-                Use the standard system tool to configure each service to restart
-                automatically at every system reboot. For example,
-                <indexterm><primary>chkconfig</primary></indexterm>
-<screen>
-&rootprompt; chkconfig dhpc on
-&rootprompt; chkconfig named on
-&rootprompt; chkconfig cups on
-&rootprompt; chkconfig smb on
-&rootprompt; chkconfig swat on
-</screen>
-                </para></step>
-
-                <step><para>
-                <indexterm><primary>starting dhcpd</primary></indexterm>
-                <indexterm><primary>starting samba</primary></indexterm>
-                <indexterm><primary>starting CUPS</primary></indexterm>
-                Now start each service to permit the system to be validated.
-                Execute each of the following in the sequence shown:
-
-<screen>
-&rootprompt; service dhcp restart
-&rootprompt; service named restart
-&rootprompt; service cups restart
-&rootprompt; service smb restart
-&rootprompt; service swat restart
-</screen>
-                </para></step>
-        </procedure>
-
-        </sect2>
-
-	<sect2 id="ch5wincfg">
-	<title>Windows Client Configuration</title>
-
-	<para>
-	The procedure for desktop client configuration for the network in this chapter is similar to
-	that used for the previous one. There are a few subtle changes that should be noted.
-	</para>
-
-	<procedure>
-	<title>Windows Client Configuration Steps</title>
-
-		<step><para>
-		Install MS Windows XP Professional. During installation, configure the client to use DHCP for 
-		TCP/IP protocol configuration.
-		<indexterm><primary>WINS</primary></indexterm>
-		<indexterm><primary>DHCP</primary></indexterm>
-		DHCP configures all Windows clients to use the WINS Server address that has been defined
-		for the local subnet.
-		</para></step>
-
-		<step><para>
-		Join the Windows domain <constant>MEGANET</constant>. Use the domain administrator
-		username <constant>root</constant> and the SMB password you assigned to this account.
-		A detailed step-by-step procedure for joining a Windows 200x/XP Professional client to
-		a Windows domain is given in <link linkend="appendix"/>, <link linkend="domjoin"/>. 
-		Reboot the machine as prompted and then log on using the domain administrator account
-		(<constant>root</constant>).
-		</para></step>
-
-		<step><para>
-		Verify that the server called <constant>MEGANET</constant> is visible in <guimenu>My Network Places</guimenu>, 
-		that it is possible to connect to it and see the shares <guimenuitem>accounts</guimenuitem>,
-		<guimenuitem>apps</guimenuitem>, and <guimenuitem>finsvcs</guimenuitem>,
-		and that it is possible to open each share to reveal its contents.
-		</para></step>
-
-		<step><para>
-		Create a drive mapping to the <constant>apps</constant> share on a server. At this time, it does
-		not particularly matter which application server is used. It is necessary to manually
-		set a persistent drive mapping to the local applications server on each workstation at the time of 
-		installation. This step is avoided by the improvements to the design of the network configuration
-		in the next chapter.
-		</para></step>
-
-		<step><para>
-		Perform an administrative installation of each application to be used. Select the options
-		that you wish to use. Of course, you choose to run applications over the network, correct?
-		</para></step>
-
-		<step><para>
-		Now install all applications to be installed locally. Typical tools include Adobe Acrobat,
-		NTP-based time synchronization software, drivers for specific local devices such as fingerprint
-		scanners, and the like. Probably the most significant application to be locally installed
-		is antivirus software.
-		</para></step>
-
-		<step><para>
-		Now install all four printers onto the staging system. The printers you install
-		include the accounting department HP LaserJet 6 and Minolta QMS Magicolor printers, and you
-		also configure use of the identical printers that are located in the financial services department.
-		Install printers on each machine using the following steps:
-	</para>
-
-			<procedure>
-			<title>Steps to Install Printer Drivers on Windows Clients</title>
-
-				<step><para>
-				Click <menuchoice>
-					<guimenu>Start</guimenu>
-					<guimenuitem>Settings</guimenuitem>
-					<guimenuitem>Printers</guimenuitem>
-					<guiicon>Add Printer</guiicon>
-					<guibutton>Next</guibutton>
-					</menuchoice>. Do not click <guimenuitem>Network printer</guimenuitem>.
-					Ensure that <guimenuitem>Local printer</guimenuitem> is selected.
-				</para></step>
-
-				<step><para>
-				Click <guibutton>Next</guibutton>. In the
-				<guimenuitem>Manufacturer:</guimenuitem> panel, select <constant>HP</constant>.
-				In the <guimenuitem>Printers:</guimenuitem> panel, select the printer called
-				<constant>HP LaserJet 6</constant>. Click <guibutton>Next</guibutton>.
-				</para></step>
-
-				<step><para>
-				In the <guimenuitem>Available ports:</guimenuitem> panel, select
-				<constant>FILE:</constant>. Accept the default printer name by clicking
-				<guibutton>Next</guibutton>. When asked, <quote>Would you like to print a
-				test page?</quote>, click <guimenuitem>No</guimenuitem>. Click
-				<guibutton>Finish</guibutton>.
-				</para></step>
-
-				<step><para>
-				You may be prompted for the name of a file to print to. If so, close the
-				dialog panel. Right-click <menuchoice>
-					<guiicon>HP LaserJet 6</guiicon>
-					<guimenuitem>Properties</guimenuitem>
-					<guisubmenu>Details (Tab)</guisubmenu>
-					<guibutton>Add Port</guibutton>
-					</menuchoice>.
-				</para></step>
-
-				<step><para>
-				In the <guimenuitem>Network</guimenuitem> panel, enter the name of
-				the print queue on the Samba server as follows: <constant>\\BLDG1\hplj6a</constant>.
-				Click <menuchoice> 
-					<guibutton>OK</guibutton>
-					<guibutton>OK</guibutton>
-					</menuchoice> to complete the installation.
-				</para></step>
-
-				<step><para>
-				Repeat the printer installation steps above for both HP LaserJet 6 printers
-				as well as for both QMS Magicolor laser printers. Remember to install all
-				printers but to set the destination port for each to the server on the
-				local network. For example, a workstation in the accounting group should
-				have all printers directed at the server <constant>BLDG1</constant>.
-				You may elect to point all desktop workstation configurations at the
-				server called <constant>MASSIVE</constant> and then in your deployment	
-				procedures, it would be wise to document the need to redirect the printer
-				configuration (as well as the applications server drive mapping) to the
-				server on the network segment on which the workstation is to be located.
-				</para></step>
-			</procedure>
-		</step>
-
-		<step><para>
-		When you are satisfied that the staging systems are complete, use the appropriate procedure to
-		remove the client from the domain. Reboot the system, and then log on as the local administrator
-		and clean out all temporary files stored on the system. Before shutting down, use the disk
-		defragmentation tool so that the file system is in optimal condition before replication.
-		</para></step>
-
-		<step><para>
-		Boot the workstation using the Norton (Symantec) Ghosting disk (or CD-ROM) and image the
-		machine to a network share on the server.
-		</para></step>
-
-		<step><para>
-		You may now replicate the image using the appropriate Norton Ghost procedure to the target
-		machines. Make sure to use the procedure that ensures each machine has a unique
-		Windows security identifier (SID). When the installation of the disk image is complete, boot the PC. 
-		</para></step>
-
-		<step><para>
-		Log onto the machine as the local Administrator (the only option), and join the machine to
-		the domain following the procedure set out in <link linkend="appendix"/>, <link linkend="domjoin"/>. You must now set the 
-		persistent drive mapping to the applications server that the user is to use. The system is now 
-		ready for the user to log on, provided you have created a network logon account for that 
-		user, of course.
-		</para></step>
-
-		<step><para>
-		Instruct all users to log onto the workstation using their assigned username and password.
-		</para></step>
-	</procedure>
-
-	</sect2>
-
-	<sect2>
-		<title>Key Points Learned</title>
-
-		<para>
-		The network you have just deployed has been a valuable exercise in forced constraint.
-		You have deployed a network that works well, although you may soon start to see
-		performance problems, at which time the modifications demonstrated in <link linkend="happy"/>
-		bring the network to life. The following key learning points were experienced:
-		</para>
-
-		<itemizedlist>
-			<listitem><para>
-			The power of using &smb.conf; include files
-			</para></listitem>
-
-			<listitem><para>
-			Use of a single PDC over a routed network
-			</para></listitem>
-
-			<listitem><para>
-			Joining a Samba-3 domain member server to a Samba-3 domain
-			</para></listitem>
-
-			<listitem><para>
-			Configuration of winbind to use domain users and groups for Samba access
-			to resources on the domain member servers
-			</para></listitem>
-
-			<listitem><para>
-			The introduction of roaming profiles
-			</para></listitem>
-
-		</itemizedlist>
-
-	</sect2>
-
-</sect1>
-
-<sect1>
-	<title>Questions and Answers</title>
-
-	<para>
-	</para>
-
-	<qandaset defaultlabel="chap01qa" type="number">
-	<qandaentry>
-	<question>
-
-		<para>
-		The example &smb.conf; files in this chapter make use of the <parameter>include</parameter> facility.
-		How may I get to see what the actual working &smb.conf; settings are?
-		</para>
-
-	</question>
-	<answer>
-
-		<para>
-		You may readily see the net compound effect of the included files by running:
-<screen>
-&rootprompt; testparm -s | less
-</screen>
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-		<para>
-		Why does the include file <filename>common.conf</filename> have an empty include statement?
-		</para>
-
-	</question>
-	<answer>
-
-		<para>
-		The use of the empty include statement nullifies further includes. For example, let's say you 
-		desire to have just an smb.conf file that is built from the array of include files of which the
-		master control file is called <filename>master.conf</filename>. The following command 
-		produces a compound &smb.conf; file.
-<screen>
-&rootprompt; testparm -s /etc/samba/master.conf > /etc/samba/smb.conf
-</screen>
-		If the include parameter was not in the common.conf file, the final &smb.conf; file leaves
-		the include in place, even though the file it points to has already been included. This is a bug
-		that will be fixed at a future date.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-		<para>
-		I accept that the simplest configuration necessary to do the job is the best. The use of <parameter>tdbsam</parameter>
-		passdb backend is much simpler than having to manage an LDAP-based <parameter>ldapsam</parameter> passdb backend.
-		I tried using <command>rsync</command> to replicate the <filename>passdb.tdb</filename>, and it seems to work fine!
-		So what is the problem?
-		</para>
-
-	</question>
-	<answer>
-
-		<para>
-		Replication of the <parameter>tdbsam</parameter> database file can result in loss of currency in its
-		contents between the PDC and BDCs. The most notable symptom is that workstations may not be able
-		to log onto the network following a reboot and may have to rejoin the domain to recover network
-		access capability.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-		<para>
-		You are using DHCP Relay enabled on the routers as well as a local DHCP server. Will this cause a clash?
-		</para>
-
-	</question>
-	<answer>
-
-		<para>
-		No. It is possible to have as many DHCP servers on a network segment as makes sense. A DHCP server
-		offers an IP address lease, but it is the client that determines which offer is accepted, no matter how many
-		offers are made. Under normal operation, the client accepts the first offer it receives.
-		</para>
-
-		<para>
-		The only exception to this rule is when the client makes a directed request from a specific DHCP server
-		for renewal of the lease it has. This means that under normal circumstances there is no risk of a clash.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-		<para>
-		How does the Windows client find the PDC?
-		</para>
-
-	</question>
-	<answer>
-
-		<para>
-		The Windows client obtains the WINS server address from the DHCP lease information. It also
-		obtains from the DHCP lease information the parameter that causes it to use directed UDP (UDP Unicast)
-		to register itself with the WINS server and to obtain enumeration of vital network information to 
-		enable it to operate successfully.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-		<para>
-		Why did you enable IP forwarding (routing) only on the server called <constant>MASSIVE</constant>?
-		</para>
-
-	</question>
-	<answer>
-
-		<para>
-		The server called <constant>MASSIVE</constant> is acting as a router to the Internet. No other server
-		(BLDG1 or BLDG2) has any need for IP forwarding because they are attached only to their own network.
-		Route table entries are needed to direct MASSIVE to send all traffic intended for the remote network
-		segments to the router that is its gateway to them.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-		<para>
-		You did nothing special to implement roaming profiles. Why?
-		</para>
-
-	</question>
-	<answer>
-
-		<para>
-		Unless configured to do otherwise, the default behavior with Samba-3 and Windows XP Professional
-		clients is to use roaming profiles.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-		<para>
-		On the domain member computers, you configured winbind in the <filename>/etc/nsswitch.conf</filename> file.
-		You did not configure any PAM settings. Is this an omission?
-		</para>
-
-	</question>
-	<answer>
-
-		<para>
-		PAM is needed only for authentication. When Samba is using Microsoft encrypted passwords, it makes only
-		marginal use of PAM. PAM configuration handles only authentication. If you want to log onto the domain
-		member servers using Windows networking usernames and passwords, it is necessary to configure PAM
-		to enable the use of winbind. Samba makes use only of the identity resolution facilities of the name
-		service switch (NSS).
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-		<para>
-		You are starting SWAT up on this example but have not discussed that anywhere. Why did you do this?
-		</para>
-
-	</question>
-	<answer>
-
-		<para>
-		Oh, I did not think you would notice that. It is there so that it can be used. This is more fully discussed
-		in <emphasis>TOSHARG2</emphasis>, which has a full chapter dedicated to the subject. While we are on the 
-		subject, it should be noted that you should definitely not use SWAT on any system that makes use 
-		of &smb.conf; <parameter>include</parameter> files because SWAT optimizes them out into an aggregated 
-		file but leaves in place a broken reference to the top-layer include file. SWAT was not designed to 
-		handle this functionality gracefully.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-		<para>
-		The domain controller has an auto-shutdown script. Isn't that dangerous?
-		</para>
-
-	</question>
-	<answer>
-
-		<para>
-		Well done, you spotted that! I guess it is dangerous. It is good to know that you can do this, though.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	</qandaset>
-
-</sect1>
-
-</chapter>
-
diff --git a/docs-xml/Samba3-ByExample/SBE-AddingUNIXClients.xml b/docs-xml/Samba3-ByExample/SBE-AddingUNIXClients.xml
deleted file mode 100644
index 45a09a8..0000000
--- a/docs-xml/Samba3-ByExample/SBE-AddingUNIXClients.xml
+++ /dev/null
@@ -1,2865 +0,0 @@
-<?xml version="1.0" encoding="iso-8859-1"?>
-<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
-<chapter id="unixclients">
-  <title>Adding Domain Member Servers and Clients</title>
-
-    <para><indexterm>
-	<primary>Open Magazine</primary>
-      </indexterm><indexterm>
-	<primary>survey</primary>
-      </indexterm>
-	The most frequently discussed Samba subjects over the past 2 years have focused around domain control and printing. 
-	It is well known that Samba is a file and print server. A recent survey conducted by <emphasis>Open Magazine</emphasis> found 
-	that of all respondents, 97 percent use Samba for file and print services, and 68 percent use Samba for Domain Control. See the 
-	<ulink url="http://www.open-mag.com/cgi-bin/opencgi/surveys/survey.cgi?survey_name=samba">Open-Mag</ulink>
-	Web site for current information. The survey results as found on January 14, 2004, are shown in
-	<link linkend="ch09openmag"/>.
-	</para>
-
-	<figure id="ch09openmag">
-		<title>Open Magazine Samba Survey</title>
-		<imagefile scale="60">openmag</imagefile>
-	</figure>
-
-	<para>
-	While domain control is an exciting subject, basic file and print sharing remains the staple bread-and-butter
-	function that Samba provides. Yet this book may give the appearance of having focused too much on more
-	exciting aspects of Samba deployment. This chapter directs your attention to provide important information on
-	the addition of Samba servers into your present Windows network &smbmdash; whatever the controlling technology
-	may be. So let's get back to our good friends at Abmas.
-	</para>
-
-<sect1>
-	<title>Introduction</title>
-
-      <para><indexterm>
-	  <primary>Linux desktop</primary>
-	</indexterm><indexterm>
-	  <primary>Domain Member</primary>
-	  <secondary>server</secondary>
-	</indexterm>
-	Looking back over the achievements of the past year or two, daily events at Abmas are rather straightforward
-	with not too many distractions or problems. Your team is doing well, but a number of employees
-	are asking for Linux desktop systems. Your network has grown and demands additional domain member servers. Let's
-	get on with this; Christine and Stan are ready to go.
-	</para>
-
-      <para><indexterm>
-	  <primary>Domain Member</primary>
-	  <secondary>desktop</secondary>
-	</indexterm>
-	Stan is firmly in control of the department of the future, while Christine is enjoying a stable and
-	predictable network environment. It is time to add more servers and to add Linux desktops. It is
-	time to meet the demands of future growth and endure trial by fire.
-	</para>
-
-	<sect2>
-	<title>Assignment Tasks</title>
-
-	<para><indexterm>
-	    <primary>Active Directory</primary>
-	  </indexterm>
-	You must now add UNIX/Linux domain member servers to your network. You have a friend who has a Windows 2003
-	Active Directory domain network who wants to add a Samba/Linux server and has asked Christine to help him
-	out. Your real objective is to help Christine to see more of the way the Microsoft world lives and use
-	her help to get validation that Samba really does live up to expectations.
-	</para>
-
-	<para>
-	Over the past 6 months, you have hired several new staff who want Linux on their desktops. You must integrate
-	these systems to make sure that Abmas is not building islands of technology. You ask Christine to
-	do likewise at Swodniw Biz NL (your friend's company) to help them to evaluate a Linux desktop. You want to make
-	the right decision, don't you?
-	</para>
-
-	</sect2>
-</sect1>
-
-<sect1>
-	<title>Dissection and Discussion</title>
-
-	<para>
-	<indexterm><primary>winbind</primary></indexterm>
-	Recent Samba mailing-list activity is witness to how many sites are using winbind. Some have no trouble
-	at all with it, yet to others the problems seem insurmountable. Periodically there are complaints concerning
-	an inability to achieve identical user and group IDs between Windows and UNIX environments.
-	</para>
-
-	<para>
-	You provide step-by-step implementations of the various tools that can be used for identity
-	resolution. You also provide working examples of solutions for integrated authentication for
-	both UNIX/Linux and Windows environments.
-	</para>
-
-	<sect2>
-		<title>Technical Issues</title>
-
-		<para>
-		One of the great challenges we face when people ask us, <quote>What is the best way to solve
-		this problem?</quote> is to get beyond the facts so we not only can clearly comprehend
-		the immediate technical problem, but also can understand how needs may change.
-		</para>
-
-		<para>
-		<indexterm><primary>integrate</primary></indexterm>
-		There are a few facts we should note when dealing with the question of how best to
-		integrate UNIX/Linux clients and servers into a Windows networking environment:
-		</para>
-
-		<itemizedlist>
-			<listitem><para>
-			<indexterm><primary>Domain Controller</primary></indexterm>
-			<indexterm><primary>authoritative</primary></indexterm>
-			<indexterm><primary>accounts</primary><secondary>authoritative</secondary></indexterm>
-			<indexterm><primary>PDC</primary></indexterm>
-			<indexterm><primary>BDC</primary></indexterm>
-			A domain controller (PDC or BDC) is always authoritative for all accounts in its domain.
-			This means that a BDC must (of necessity) be able to resolve all account UIDs and GIDs
-			to the same values that the PDC resolved them to.
-			</para></listitem>
-
-			<listitem><para>
-			<indexterm><primary>local accounts</primary></indexterm>
-			<indexterm><primary>Domain Member</primary><secondary>authoritative</secondary><tertiary>local accounts</tertiary></indexterm>
-			<indexterm><primary>Domain accounts</primary></indexterm>
-			<indexterm><primary>winbindd</primary></indexterm>
-			A domain member can be authoritative for local accounts, but is never authoritative for
-			domain accounts. If a user is accessing a domain member server and that user's account
-			is not known locally, the domain member server must resolve the identity of that user
-			from the domain in which that user's account resides. It must then map that ID to a
-			UID/GID pair that it can use locally. This is handled by <command>winbindd</command>.
-			</para></listitem>
-
-			<listitem><para>
-			Samba, when running on a domain member server, can resolve user identities from a
-			number of sources:
-			</para>
-
-			<itemizedlist>
-				<listitem><para>
-				<indexterm><primary>getpwnam</primary></indexterm>
-				<indexterm><primary>getgrnam</primary></indexterm>
-				<indexterm><primary>NSS</primary></indexterm>
-				<indexterm><primary>LDAP</primary></indexterm>
-				<indexterm><primary>NIS</primary></indexterm>
-				By executing a system <command>getpwnam()</command> or <command>getgrnam()</command> call. 
-				On systems that support it, this utilizes the name service switch (NSS) facility to 
-				resolve names according to the configuration of the <filename>/etc/nsswitch.conf</filename> 
-				file. NSS can be configured to use LDAP, winbind, NIS, or local files.
-				</para></listitem>
-
-				<listitem><para>
-				<indexterm><primary>passdb backend</primary></indexterm>
-				<indexterm><primary>PADL</primary></indexterm>
-				<indexterm><primary>nss_ldap</primary></indexterm>
-				Performing, via NSS, a direct LDAP search (where an LDAP passdb backend has been configured).
-				This requires the use of the PADL nss_ldap tool (or equivalent).
-				</para></listitem>
-
-				<listitem><para>
-				<indexterm><primary>winbindd</primary></indexterm>
-				<indexterm><primary>SID</primary></indexterm>
-				<indexterm><primary>winbindd_idmap.tdb</primary></indexterm>
-				<indexterm><primary>winbindd_cache.tdb</primary></indexterm>
-				Directly by querying <command>winbindd</command>. The <command>winbindd</command>
-				contacts a domain controller to attempt to resolve the identity of the user or group. It
-				receives the Windows networking security identifier (SID) for that appropriate
-				account and then allocates a local UID or GID from the range of available IDs and
-				creates an entry in its <filename>winbindd_idmap.tdb</filename> and 
-				<filename>winbindd_cache.tdb</filename> files.
-				</para>
-
-				<para>
-				<indexterm><primary>idmap backend</primary></indexterm>
-				<indexterm><primary>mapping</primary></indexterm>
-				If the parameter <smbconfoption name="idmap backend">ldap:ldap://myserver.domain</smbconfoption>
-				was specified and the LDAP server has been configured with a container in which it may
-				store the IDMAP entries, all domain members may share a common mapping.
-				</para></listitem>
-			</itemizedlist>
-
-			<para>
-			Irrespective of how &smb.conf; is configured, winbind creates and caches a local copy of
-			the ID mapping database. It uses the <filename>winbindd_idmap.tdb</filename> and
-                                <filename>winbindd_cache.tdb</filename> files to do this.
-			</para>
-
-			<para>
-			Which of the resolver methods is chosen is determined by the way that Samba is configured 
-			in the &smb.conf; file. Some of the configuration options are rather less than obvious to the 
-			casual user.
-			</para></listitem>
-
-			<listitem><para>
-			<indexterm><primary>winbind trusted domains only</primary></indexterm>
-			<indexterm><primary>domain member</primary><secondary>servers</secondary></indexterm>
-			<indexterm><primary>domain controllers</primary></indexterm>
-			If you wish to make use of accounts (users and/or groups) that are local to (i.e., capable
-			of being resolved using) the NSS facility, it is possible to use the 
-			<smbconfoption name="winbind trusted domains only">Yes</smbconfoption>
-			in the &smb.conf; file. This parameter specifically applies to domain controllers, 
-			and to domain member servers.
-			</para></listitem>
-
-		</itemizedlist>
-
-		<para>
-		<indexterm><primary>Posix accounts</primary></indexterm>
-		<indexterm><primary>Samba accounts</primary></indexterm>
-		<indexterm><primary>LDAP</primary></indexterm>
-		For many administrators, it should be plain that the use of an LDAP-based repository for all network
-		accounts (both for POSIX accounts and for Samba accounts) provides the most elegant and
-		controllable facility. You eventually appreciate the decision to use LDAP.
-		</para>
-
-		<para>
-		<indexterm><primary>nss_ldap</primary></indexterm>
-		<indexterm><primary>identifiers</primary></indexterm>
-		<indexterm><primary>resolve</primary></indexterm>
-		If your network account information resides in an LDAP repository, you should use it ahead of any
-		alternative method. This means that if it is humanly possible to use the <command>nss_ldap</command>
-		tools to resolve UNIX account UIDs/GIDs via LDAP, this is the preferred solution, because it provides
-		a more readily controllable method for asserting the exact same user and group identifiers 
-		throughout the network.
-		</para>
-
-		<para>
-		<indexterm><primary>Domain Member</primary><secondary>server</secondary></indexterm>
-		<indexterm><primary>winbind trusted domains only</primary></indexterm>
-		<indexterm><primary>getpwnam</primary></indexterm>
-		<indexterm><primary>smbd</primary></indexterm>
-		<indexterm><primary>Trusted Domains</primary></indexterm>
-		<indexterm><primary>External Domains</primary></indexterm>
-		In the situation where UNIX accounts are held on the domain member server itself, the only effective
-		way to use them involves the &smb.conf; entry 
-		<smbconfoption name="winbind trusted domains only">Yes</smbconfoption>. This forces 
-		Samba (<command>smbd</command>) to perform a <command>getpwnam()</command> system call that can
-		then be controlled via <filename>/etc/nsswitch.conf</filename> file settings. The use of this parameter
-		disables the use of Samba with trusted domains (i.e., external domains).
-		</para>
-
-		<para>
-		<indexterm><primary>appliance mode</primary></indexterm>
-		<indexterm><primary>Domain Member</primary><secondary>server</secondary></indexterm>
-		<indexterm><primary>winbindd</primary></indexterm>
-		<indexterm><primary>automatically allocate</primary></indexterm>
-		Winbind can be used to create an appliance mode domain member server. In this capacity, <command>winbindd</command>
-		is configured to automatically allocate UIDs/GIDs from numeric ranges set in the &smb.conf; file. The allocation
-		is made for all accounts that connect to that domain member server, whether within its own domain or from
-		trusted domains. If not stored in an LDAP backend, each domain member maintains its own unique mapping database.
-		This means that it is almost certain that a given user who accesses two domain member servers does not have the
-		same UID/GID on both servers &smbmdash; however, this is transparent to the Windows network user. This data
-		is stored in the <filename>winbindd_idmap.tdb</filename> and <filename>winbindd_cache.tdb</filename> files.
-		</para>
-	
-		<para>
-		<indexterm><primary>mapping</primary></indexterm>
-		The use of an LDAP backend for the Winbind IDMAP facility permits Windows domain SIDs
-		mappings to UIDs/GIDs to be stored centrally. The result is a consistent mapping across all domain member
-		servers so configured. This solves one of the major headaches for network administrators who need to copy
-		files between or across network file servers.
-		</para>
-
-	</sect2>
-
-	<sect2>
-		<title>Political Issues</title>
-
-		<para>
-		<indexterm><primary>OpenLDAP</primary></indexterm>
-		<indexterm><primary>NIS</primary></indexterm>
-		<indexterm><primary>yellow pages</primary><see>NIS</see></indexterm>
-		<indexterm><primary>identity management</primary></indexterm>
-		One of the most fierce conflicts recently being waged is resistance to the adoption of LDAP, in
-		particular OpenLDAP, as a replacement for UNIX NIS (previously called Yellow Pages). Let's face it, LDAP
-		is different and requires a new approach to the need for a better identity management solution. The more
-		you work with LDAP, the more its power and flexibility emerges from its dark, cavernous chasm.
-		</para>
-
-		<para>
-		LDAP is a most suitable solution for heterogenous environments. If you need crypto, add Kerberos. 
-		The reason these are preferable is because they are heterogenous. Windows solutions of this sort are <emphasis>not</emphasis> 
-		heterogenous by design. This is fundamental &smbmdash; it isn't religious or political. This also doesn't say that 
-		you can't use Windows Active Directory in a heterogenous environment &smbmdash; it can be done, it just requires 
-		commercial integration products. But it's not what Active Directory was designed for.
-		</para>
-
-		<para>
-		<indexterm><primary>directory</primary></indexterm>
-		<indexterm><primary>management</primary></indexterm>
-		A number of long-term UNIX devotees have recently commented in various communications that the Samba Team
-		is the first application group to almost force network administrators to use LDAP. It should be pointed
-		out that we resisted this for as long as we could. It is not out of laziness or malice that LDAP has
-		finally emerged as the preferred identity management backend for Samba. We recommend LDAP for your total
-		organizational directory needs.
-		</para>
-
-	</sect2>
-
-</sect1>
-
-<sect1>
-	<title>Implementation</title>
-
-	<para>
-	<indexterm><primary>Domain Member</primary><secondary>server</secondary></indexterm>
-	<indexterm><primary>Domain Member</primary><secondary>client</secondary></indexterm>
-	<indexterm><primary>Domain Controller</primary></indexterm>
-	The domain member server and the domain member client are at the center of focus in this chapter.
-	Configuration of Samba-3 domain controller is covered in earlier chapters, so if your 
-	interest is in domain controller configuration, you will not find that here. You will find good
-	oil that helps you to add domain member servers and clients.
-	</para>
-
-	<para>
-	<indexterm><primary>Domain Member</primary><secondary>workstations</secondary></indexterm>
-	In practice, domain member servers and domain member workstations are very different entities, but in
-	terms of technology they share similar core infrastructure. A technologist would argue that servers
-	and workstations are identical. Many users would argue otherwise, given that in a well-disciplined
-	environment a workstation (client) is a device from which a user creates documents and files that
-	are located on servers. A workstation is frequently viewed as a disposable (easy to replace) item,
-	but a server is viewed as a core component of the business.
-	</para>
-
-	<para>
-	<indexterm><primary>workstation</primary></indexterm>
-	We can look at this another way. If a workstation breaks down, one user is affected, but if a
-	server breaks down, hundreds of users may not be able to work. The services that a workstation
-	must provide are document- and file-production oriented; a server provides information storage
-	and is distribution oriented.
-	</para>
-
-	<para>
-	<indexterm><primary>authentication process</primary></indexterm>
-	<indexterm><primary>logon process</primary></indexterm>
-	<indexterm><primary>user identities</primary></indexterm>
-	<emphasis>Why is this important?</emphasis> For starters, we must identify what
-	components of the operating system and its environment must be configured. Also, it is necessary
-	to recognize where the interdependencies between the various services to be used are.
-	In particular, it is important to understand the operation of each critical part of the
-	authentication process, the logon process, and how user identities get resolved and applied
-	within the operating system and applications (like Samba) that depend on this and may
-	actually contribute to it.
-	</para>
-
-	<para>
-	So, in this chapter we demonstrate how to implement the technology. It is done within a context of
-	what type of service need must be fulfilled.
-	</para>
-
-	<sect2 id="sdcsdmldap">
-	<title>Samba Domain with Samba Domain Member Server &smbmdash; Using NSS LDAP</title>
-
-	<para>
-	<indexterm><primary>ldapsam</primary></indexterm>
-	<indexterm><primary>ldapsam backend</primary></indexterm>
-	<indexterm><primary>IDMAP</primary></indexterm>
-	<indexterm><primary>mapping</primary><secondary>consistent</secondary></indexterm>
-	<indexterm><primary>winbindd</primary></indexterm>
-	<indexterm><primary>foreign SID</primary></indexterm>
-	In this example, it is assumed that you have Samba PDC/BDC servers. This means you are using
-	an LDAP ldapsam backend. We are adding to the LDAP backend database (directory)
-	containers for use by the IDMAP facility. This makes it possible to have globally consistent
-	mapping of SIDs to and from UIDs and GIDs. This means that it is necessary to run 
-	<command>winbindd</command> as part of your configuration. The primary purpose of running
-	<command>winbindd</command> (within this operational context) is to permit mapping of foreign
-	SIDs (those not originating from the the local Samba server). Foreign SIDs can come from any
-	domain member client or server, or from Windows clients that do not belong to a domain. Another
-	way to explain the necessity to run <command>winbindd</command> is that Samba can locally
-	resolve only accounts that belong to the security context of its own machine SID. Winbind
-	handles all non-local SIDs and maps them to a local UID/GID value. The UID and GID are allocated
-	from the parameter values set in the &smb.conf; file for the <parameter>idmap uid</parameter> and
-	<parameter>idmap gid</parameter> ranges. Where LDAP is used, the mappings can be stored in LDAP
-	so that all domain member servers can use a consistent mapping.
-	</para>
-
-	<para>
-	<indexterm><primary>winbindd</primary></indexterm>
-	<indexterm><primary>getpwnam</primary></indexterm>
-	<indexterm><primary>NSS</primary></indexterm>
-	If your installation is accessed only from clients that are members of your own domain, and all 
-	user accounts are present in a local passdb backend then it is not necessary to run
-	<command>winbindd</command>. The local passdb backend can be in smbpasswd, tdbsam, or in ldapsam.
-	</para>
-
-	<para>
-	It is possible to use a local passdb backend with any convenient means of resolving the POSIX
-	user and group account information. The POSIX information is usually obtained using the
-	<command>getpwnam()</command> system call. On NSS-enabled systems, the actual POSIX account
-	source can be provided from
-	</para>
-
-	<itemizedlist>
-		<listitem><para>
-		<indexterm><primary>/etc/passwd</primary></indexterm>
-		<indexterm><primary>/etc/group</primary></indexterm>
-		Accounts in <filename>/etc/passwd</filename> or in <filename>/etc/group</filename>.
-		</para></listitem>
-
-		<listitem><para>
-		<indexterm><primary>NSS</primary></indexterm>
-		<indexterm><primary>compat</primary></indexterm>
-		<indexterm><primary>ldap</primary></indexterm>
-		<indexterm><primary>nis</primary></indexterm>
-		<indexterm><primary>nisplus</primary></indexterm>
-		<indexterm><primary>hesiod</primary></indexterm>
-		<indexterm><primary>ldap</primary></indexterm>
-		<indexterm><primary>nss_ldap</primary></indexterm>
-		<indexterm><primary>PADL Software</primary></indexterm>
-		Resolution via NSS. On NSS-enabled systems, there is usually a facility to resolve IDs
-		via multiple methods. The methods typically include <command>files</command>,
-		<command>compat</command>, <command>db</command>, <command>ldap</command>, 
-		<command>nis</command>, <command>nisplus</command>, <command>hesiod.</command>  When
-		correctly installed, Samba adds to this list the <command>winbindd</command> facility.
-		The ldap facility is frequently the nss_ldap tool provided by PADL Software.
-		</para></listitem>
-	</itemizedlist>
-
-	<note><para>
-	To advoid confusion the use of the term <literal>local passdb backend</literal> means that
-	the user account backend is not shared by any other Samba server &smbmdash; instead, it is
-	used only locally on the Samba domain member server under discussion.
-	</para></note>
-
-	<para>
-	<indexterm><primary>Identity resolution</primary></indexterm>
-	The diagram in <link linkend="ch9-sambadc"/> demonstrates the relationship of Samba and system 
-	components that are involved in the identity resolution process where Samba is used as a domain
-	member server within a Samba domain control network.
-	</para>
-
-<figure id="ch9-sambadc">
-	<title>Samba Domain: Samba Member Server</title>
-	<imagefile scale="60">chap9-SambaDC</imagefile>
-</figure>
-
-	<para>
-	<indexterm><primary>IDMAP</primary></indexterm>
-	<indexterm><primary>foreign</primary></indexterm>
-	In this example configuration, Samba will directly search the LDAP-based passwd backend ldapsam
-	to obtain authentication and user identity information. The IDMAP information is stored in the LDAP
-	backend so that it can be shared by all domain member servers so that every user will have a
-	consistent UID and GID across all of them. The IDMAP facility will be used for all foreign
-	(i.e., not having the same SID as the domain it is a member of) domains. The configuration of 
-	NSS will ensure that all UNIX processes will obtain a consistent UID/GID.
-	</para>
-
-	<para>
-	The instructions given here apply to the Samba environment shown in <link linkend="happy"/> and <link linkend="net2000users"/>.
-	If the network does not have an LDAP slave server (i.e., <link linkend="happy"/> configuration), 
-	change the target LDAP server from <constant>lapdc</constant> to <constant>massive.</constant>
-	</para>
-
-	<procedure>
-	<title>Configuration of NSS_LDAP-Based Identity Resolution</title>
-
-		<step><para>
-		Create the &smb.conf; file as shown in <link linkend="ch9-sdmsdc"/>. Locate
-		this file in the directory <filename>/etc/samba</filename>.
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>ldap.conf</primary></indexterm>
-		Configure the file that will be used by <constant>nss_ldap</constant> to
-		locate and communicate with the LDAP server. This file is called <filename>ldap.conf</filename>.
-		If your implementation of <constant>nss_ldap</constant> is consistent with
-		the defaults suggested by PADL (the authors), it will be located in the
-		<filename>/etc</filename> directory. On some systems, the default location is
-		the <filename>/etc/openldap</filename> directory, however this file is intended
-		for use by the OpenLDAP utilities and should not really be used by the nss_ldap
-		utility since its content and structure serves the specific purpose of enabling
-		the resolution of user and group IDs via NSS.
-		</para>
-
-		<para>
-		Change the parameters inside the file that is located on your OS so it matches
-		<link linkend="ch9-sdmlcnf"/>.  To find the correct location of this file, you
-		can obtain this from the library that will be used by executing the following:
-<screen>
-&rootprompt; strings /lib/libnss_ldap* | grep ldap.conf
-/etc/ldap.conf
-</screen>
-		</para></step>
-
-		<step><para>
-		Configure the NSS control file so it matches the one shown in
-		<link linkend="ch9-sdmnss"/>.
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>Identity resolution</primary></indexterm>
-		<indexterm><primary>getent</primary></indexterm>
-		Before proceeding to configure Samba, validate the operation of the NSS identity 
-		resolution via LDAP by executing:
-<screen>
-&rootprompt; getent passwd
-...
-root:x:0:512:Netbios Domain Administrator:/root:/bin/false
-nobody:x:999:514:nobody:/dev/null:/bin/false
-bobj:x:1000:513:Robert Jordan:/home/bobj:/bin/bash
-stans:x:1001:513:Stanley Soroka:/home/stans:/bin/bash
-chrisr:x:1002:513:Christine Roberson:/home/chrisr:/bin/bash
-maryv:x:1003:513:Mary Vortexis:/home/maryv:/bin/bash
-jht:x:1004:513:John H Terpstra:/home/jht:/bin/bash
-bldg1$:x:1006:553:bldg1$:/dev/null:/bin/false
-temptation$:x:1009:553:temptation$:/dev/null:/bin/false
-vaioboss$:x:1005:553:vaioboss$:/dev/null:/bin/false
-fran$:x:1008:553:fran$:/dev/null:/bin/false
-josephj:x:1007:513:Joseph James:/home/josephj:/bin/bash
-</screen>
-		You should notice the location of the users' home directories. First, make certain that
-		the home directories exist on the domain member server; otherwise, the home directory
-		share is not available. The home directories could be mounted off a domain controller
-		using NFS or by any other suitable means. Second, the absence of the domain name in the
-		home directory path is indicative that identity resolution is not being done via winbind.
-<screen>
-&rootprompt; getent group
-...
-Domain Admins:x:512:root,jht
-Domain Users:x:513:bobj,stans,chrisr,maryv,jht,josephj
-Domain Guests:x:514:
-Accounts:x:1000:
-Finances:x:1001:
-PIOps:x:1002:
-sammy:x:4321:
-</screen>
-		<indexterm><primary>secondary group</primary></indexterm>
-		<indexterm><primary>primary group</primary></indexterm>
-		<indexterm><primary>group membership</primary></indexterm>
-		This shows that all is working as it should be. Notice that in the LDAP database
-		the users' primary and secondary group memberships are identical. It is not
-		necessary to add secondary group memberships (in the group database) if the
-		user is already a member via primary group membership in the password database.
-		When using winbind, it is in fact undesirable to do this because it results in
-		doubling up of group memberships and may cause problems with winbind under certain 
-		conditions. It is intended that these limitations with winbind will be resolved soon
-		after Samba-3.0.20 has been released.
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>slapcat</primary></indexterm>
-		The LDAP directory must have a container object for IDMAP data. There are several ways you can
-		check that your LDAP database is able to receive IDMAP information. One of the simplest is to
-		execute:
-<screen>
-&rootprompt; slapcat | grep -i idmap
-dn: ou=Idmap,dc=abmas,dc=biz
-ou: idmap
-</screen>
-		<indexterm><primary>ldapadd</primary></indexterm>
-		If the execution of this command does not return IDMAP entries, you need to create an LDIF
-		template file (see <link linkend="ch9-ldifadd"/>). You can add the required entries using
-		the following command:
-<screen>
-&rootprompt; ldapadd -x -D "cn=Manager,dc=abmas,dc=biz" \
-		-w not24get < /etc/openldap/idmap.LDIF
-</screen>
-		</para></step>
-
-		<step><para>
-		Samba automatically populates the LDAP directory container when it needs to. To permit Samba
-		write access to the LDAP directory it is necessary to set the LDAP administrative password
-		in the <filename>secrets.tdb</filename> file as shown here:
-<screen>
-&rootprompt; smbpasswd -w not24get
-</screen>
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>net</primary><secondary>rpc</secondary><tertiary>join</tertiary></indexterm>
-		<indexterm><primary>Domain join</primary></indexterm>
-		The system is ready to join the domain. Execute the following:
-<screen>
-&rootprompt; net rpc join -U root%not24get
-Joined domain MEGANET2.
-</screen>
-		This indicates that the domain join succeeded.
-		</para>
-
-		<para>
-		Failure to join the domain could be caused by any number of variables. The most common
-		causes of failure to join are:
-		</para>
-
-		<para>
-		<itemizedlist>
-			<listitem><para>Broken resolution of NetBIOS names to the respective IP address.</para></listitem>
-			<listitem><para>Incorrect username and password credentials.</para></listitem>
-			<listitem><para>The NT4 <parameter>restrict anonymous</parameter> is set to exclude anonymous
-				connections.</para></listitem>
-		</itemizedlist> 
-		</para>
-
-		<para>
-		The connection setup can be diagnosed by executing:
-<screen>
-&rootprompt; net rpc join -S 'pdc-name' -U administrator%password -d 5
-</screen>
-		<indexterm><primary>failed</primary></indexterm>
-		<indexterm><primary>failed join</primary></indexterm>
-		<indexterm><primary>rejected</primary></indexterm>
-		<indexterm><primary>restrict anonymous</primary></indexterm>
-		Note: Use "root" for UNIX/Linux and Samba, use "Administrator" for Windows NT4/200X. If the cause of
-		the failure appears to be related to a rejected or failed NT_SESSION_SETUP*  or an error message that
-		says NT_STATUS_ACCESS_DENIED immediately check the Windows registry setting that controls the
-		<constant>restrict anonymous</constant> setting. Set this to the value 0 so that an anonymous connection
-		can be sustained, then try again.
-		</para>
-
-		<para>
-		It is possible (perhaps even recommended) to use the following to validate the ability to connect
-		to an NT4 PDC/BDC:
-<screen>
-&rootprompt; net rpc info -S 'pdc-name' -U Administrator%not24get
-Domain Name: MEGANET2
-Domain SID: S-1-5-21-422319763-4138913805-7168186429
-Sequence number: 1519909596
-Num users: 7003
-Num domain groups: 821
-Num local groups: 8
-
-&rootprompt; net rpc testjoin -S 'pdc-name' -U Administrator%not24get
-Join to 'MEGANET2' is OK
-</screen>
-		If for any reason the following response is obtained to the last command above,it is time to
-		call in the Networking Super-Snooper task force (i.e., start debugging):
-<screen>
-NT_STATUS_ACCESS_DENIED
-Join to 'MEGANET2' failed.
-</screen>
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>wbinfo</primary></indexterm>
-		Just joining the domain is not quite enough; you must now provide a privileged set
-		of credentials through which <command>winbindd</command> can interact with the 
-		domain servers. Execute the following to implant the necessary credentials:
-<screen>
-&rootprompt; wbinfo --set-auth-user=Administrator%not24get
-</screen>
-		The configuration is now ready to obtain the Samba domain user and group information.
-		</para></step>
-
-		<step><para>
-		You may now start Samba in the usual manner, and your Samba domain member server
-		is ready for use. Just add shares as required.
-		</para></step>
-
-	</procedure>
-
-<example id="ch9-sdmsdc">
-<title>Samba Domain Member in Samba Domain Using LDAP &smbmdash; &smb.conf; File</title>
-<smbconfblock>
-<smbconfcomment>Global parameters</smbconfcomment>
-<smbconfsection name="[global]"/>
-<smbconfoption name="unix charset">LOCALE</smbconfoption>
-<smbconfoption name="workgroup">MEGANET2</smbconfoption>
-<smbconfoption name="security">DOMAIN</smbconfoption>
-<smbconfoption name="username map">/etc/samba/smbusers</smbconfoption>
-<smbconfoption name="log level">10</smbconfoption>
-<smbconfoption name="syslog">0</smbconfoption>
-<smbconfoption name="log file">/var/log/samba/%m</smbconfoption>
-<smbconfoption name="max log size">50</smbconfoption>
-<smbconfoption name="smb ports">139</smbconfoption>
-<smbconfoption name="name resolve order">wins bcast hosts</smbconfoption>
-<smbconfoption name="printcap name">CUPS</smbconfoption>
-<smbconfoption name="wins server">192.168.2.1</smbconfoption>
-<smbconfoption name="ldap suffix">dc=abmas,dc=biz</smbconfoption>
-<smbconfoption name="ldap machine suffix">ou=People</smbconfoption>
-<smbconfoption name="ldap user suffix">ou=People</smbconfoption>
-<smbconfoption name="ldap group suffix">ou=Groups</smbconfoption>
-<smbconfoption name="ldap idmap suffix">ou=Idmap</smbconfoption>
-<smbconfoption name="ldap admin dn">cn=Manager,dc=abmas,dc=biz</smbconfoption>
-<smbconfoption name="idmap backend">ldap:ldap://lapdc.abmas.biz</smbconfoption>
-<smbconfoption name="idmap uid">10000-20000</smbconfoption>
-<smbconfoption name="idmap gid">10000-20000</smbconfoption>
-<smbconfoption name="winbind trusted domains only">Yes</smbconfoption>
-<smbconfoption name="printing">cups</smbconfoption>
-
-<smbconfsection name="[homes]"/>
-<smbconfoption name="comment">Home Directories</smbconfoption>
-<smbconfoption name="valid users">%S</smbconfoption>
-<smbconfoption name="read only">No</smbconfoption>
-<smbconfoption name="browseable">No</smbconfoption>
-
-<smbconfsection name="[printers]"/>
-<smbconfoption name="comment">SMB Print Spool</smbconfoption>
-<smbconfoption name="path">/var/spool/samba</smbconfoption>
-<smbconfoption name="guest ok">Yes</smbconfoption>
-<smbconfoption name="printable">Yes</smbconfoption>
-<smbconfoption name="browseable">No</smbconfoption>
-
-<smbconfsection name="[print$]"/>
-<smbconfoption name="comment">Printer Drivers</smbconfoption>
-<smbconfoption name="path">/var/lib/samba/drivers</smbconfoption>
-<smbconfoption name="admin users">root, Administrator</smbconfoption>
-<smbconfoption name="write list">root</smbconfoption>
-</smbconfblock>
-</example>
-
-<example id="ch9-ldifadd">
-<title>LDIF IDMAP Add-On Load File &smbmdash; File: /etc/openldap/idmap.LDIF</title>
-<screen>
-dn: ou=Idmap,dc=abmas,dc=biz
-objectClass: organizationalUnit
-ou: idmap
-structuralObjectClass: organizationalUnit
-</screen>
-</example>
-
-<example id="ch9-sdmlcnf">
-<title>Configuration File for NSS LDAP Support &smbmdash; <filename>/etc/ldap.conf</filename></title>
-<screen>
-URI     ldap://massive.abmas.biz ldap://massive.abmas.biz:636
-host    192.168.2.1
-base    dc=abmas,dc=biz
-binddn  cn=Manager,dc=abmas,dc=biz
-bindpw  not24get
-
-pam_password exop
-
-nss_base_passwd ou=People,dc=abmas,dc=biz?one
-nss_base_shadow ou=People,dc=abmas,dc=biz?one
-nss_base_group  ou=Groups,dc=abmas,dc=biz?one
-ssl     no
-</screen>
-</example>
-
-<example id="ch9-sdmnss">
-<title>NSS using LDAP for Identity Resolution &smbmdash; File: <filename>/etc/nsswitch.conf</filename></title>
-<screen>
-passwd:         files ldap
-shadow:         files ldap
-group:          files ldap
-
-hosts:          files dns wins
-networks:       files dns
-
-services:       files
-protocols:      files
-rpc:            files
-ethers:         files
-netmasks:       files
-netgroup:       files
-publickey:      files
-
-bootparams:     files
-automount:      files
-aliases:        files
-</screen>
-</example>
-
-	</sect2>
-
-	<sect2 id="wdcsdm">
-		<title>NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</title>
-
-	<para>
-	You need to use this method for creating a Samba domain member server if any of the following conditions
-	prevail:
-	</para>
-
-	<itemizedlist>
-		<listitem><para>
-		LDAP support (client) is not installed on the system.
-		</para></listitem>
-
-		<listitem><para>
-		There are mitigating circumstances forcing a decision not to use LDAP.
-		</para></listitem>
-
-		<listitem><para>
-		The Samba domain member server must be part of a Windows NT4 Domain, or a Samba Domain.
-		</para></listitem>
-	</itemizedlist>
-
-	<para>
-	<indexterm><primary>Windows ADS Domain</primary></indexterm>
-	<indexterm><primary>Samba Domain</primary></indexterm>
-	<indexterm><primary>LDAP</primary></indexterm>
-	Later in the chapter, you can see how to configure a Samba domain member server for a Windows ADS domain.
-	Right now your objective is to configure a Samba server that can be a member of a Windows NT4-style
-	domain and/or does not use LDAP.
-	</para>
-
-	<note><para>
-	<indexterm><primary>duplicate accounts</primary></indexterm>
-	If you use <command>winbind</command> for identity resolution, make sure that there are no
-	duplicate accounts.
-	</para>
-
-	<para>
-	<indexterm><primary>/etc/passwd</primary></indexterm>
-	For example, do not have more than one account that has UID=0 in the password database. If there 
-	is an account called <constant>root</constant> in the <filename>/etc/passwd</filename> database, 
-	it is okay to have an account called <constant>root</constant> in the LDAP ldapsam or in the 
-	tdbsam. But if there are two accounts in the passdb backend that have the same UID, winbind will 
-	break. This means that the <constant>Administrator</constant> account must be called 
-	<constant>root</constant>.
-	</para>
-
-	<para>
-	<indexterm><primary>/etc/passwd</primary></indexterm>
-	<indexterm><primary>ldapsam</primary></indexterm>
-	<indexterm><primary>tdbsam</primary></indexterm>
-	Winbind will break if there is an account in <filename>/etc/passwd</filename> that has 
-	the same UID as an account that is in LDAP ldapsam (or in tdbsam) but that differs in name only.
-	</para></note>
-
-	<para>
-	<indexterm><primary>credentials</primary></indexterm>
-	<indexterm><primary>traverse</primary></indexterm>
-	<indexterm><primary>wide-area</primary></indexterm>
-	<indexterm><primary>network</primary><secondary>wide-area</secondary></indexterm>
-	<indexterm><primary>tdbdump</primary></indexterm>
-	The following configuration uses CIFS/SMB protocols alone to obtain user and group credentials.
-	The winbind information is locally cached in the <filename>winbindd_cache.tdb winbindd_idmap.tdb</filename>
-	files. This provides considerable performance benefits compared with the LDAP solution, particularly
-	where the LDAP lookups must traverse WAN links. You may examine the contents of these
-	files using the tool <command>tdbdump</command>, though you may have to build this from the Samba
-	source code if it has not been supplied as part of a binary package distribution that you may be using.
-	</para>
-
-	<procedure>
-	<title>Configuration of Winbind-Based Identity Resolution</title>
-
-		<step><para>
-		Using your favorite text editor, create the &smb.conf; file so it has the contents
-		shown in <link linkend="ch0-NT4DSDM"/>.
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>/etc/nsswitch.conf</primary></indexterm>
-		Edit the <filename>/etc/nsswitch.conf</filename> so it has the entries shown in
-		<link linkend="ch9-sdmnss"/>.
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>net</primary><secondary>rpc</secondary><tertiary>join</tertiary></indexterm>
-		The system is ready to join the domain. Execute the following:
-<screen>
-net rpc join -U root%not2g4et
-Joined domain MEGANET2.
-</screen>
-		This indicates that the domain join succeed.
-
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>winbind</primary></indexterm>
-		<indexterm><primary>wbinfo</primary></indexterm>
-		Validate operation of <command>winbind</command> using the <command>wbinfo</command>
-		tool as follows:
-<screen>
-&rootprompt; wbinfo -u
-MEGANET2+root
-MEGANET2+nobody
-MEGANET2+jht
-MEGANET2+maryv
-MEGANET2+billr
-MEGANET2+jelliott
-MEGANET2+dbrady
-MEGANET2+joeg
-MEGANET2+balap
-</screen>
-		This shows that domain users have been listed correctly.
-<screen>
-&rootprompt; wbinfo -g
-MEGANET2+Domain Admins
-MEGANET2+Domain Users
-MEGANET2+Domain Guests
-MEGANET2+Accounts
-MEGANET2+Finances
-MEGANET2+PIOps
-</screen>
-		This shows that domain groups have been correctly obtained also.
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>NSS</primary></indexterm>
-		<indexterm><primary>getent</primary></indexterm>
-		<indexterm><primary>winbind</primary></indexterm>
-		The next step verifies that NSS is able to obtain this information
-		correctly from <command>winbind</command> also.
-<screen>
-&rootprompt; getent passwd
-...
-MEGANET2+root:x:10000:10001:NetBIOS Domain Admin:
-                      /home/MEGANET2/root:/bin/bash
-MEGANET2+nobody:x:10001:10001:nobody:
-                      /home/MEGANET2/nobody:/bin/bash
-MEGANET2+jht:x:10002:10001:John H Terpstra:
-                      /home/MEGANET2/jht:/bin/bash
-MEGANET2+maryv:x:10003:10001:Mary Vortexis:
-                      /home/MEGANET2/maryv:/bin/bash
-MEGANET2+billr:x:10004:10001:William Randalph:
-                      /home/MEGANET2/billr:/bin/bash
-MEGANET2+jelliott:x:10005:10001:John G Elliott:
-                      /home/MEGANET2/jelliott:/bin/bash
-MEGANET2+dbrady:x:10006:10001:Darren Brady:
-                      /home/MEGANET2/dbrady:/bin/bash
-MEGANET2+joeg:x:10007:10001:Joe Green:
-                      /home/MEGANET2/joeg:/bin/bash
-MEGANET2+balap:x:10008:10001:Bala Pillay:
-                      /home/MEGANET2/balap:/bin/bash
-</screen>
-		The user account information has been correctly obtained. This information has
-		been merged with the winbind template information configured in the &smb.conf; file.
-<screen>
-&rootprompt;# getent group
-...
-MEGANET2+Domain Admins:x:10000:MEGANET2+root,MEGANET2+jht
-MEGANET2+Domain Users:x:10001:MEGANET2+jht,MEGANET2+maryv,\
-        MEGANET2+billr,MEGANET2+jelliott,MEGANET2+dbrady,\
-        MEGANET2+joeg,MEGANET2+balap
-MEGANET2+Domain Guests:x:10002:MEGANET2+nobody
-MEGANET2+Accounts:x:10003:
-MEGANET2+Finances:x:10004:
-MEGANET2+PIOps:x:10005:
-</screen>
-		</para></step>
-
-		<step><para>
-		The Samba member server of a Windows NT4 domain is ready for use.
-		</para></step>
-
-	</procedure>
-
-<example id="ch0-NT4DSDM">
-<title>Samba Domain Member Server Using Winbind &smb.conf; File for NT4 Domain</title>
-<smbconfblock>
-<smbconfcomment>Global parameters</smbconfcomment>
-<smbconfsection name="[global]"/>
-<smbconfoption name="unix charset">LOCALE</smbconfoption>
-<smbconfoption name="workgroup">MEGANET2</smbconfoption>
-<smbconfoption name="security">DOMAIN</smbconfoption>
-<smbconfoption name="username map">/etc/samba/smbusers</smbconfoption>
-<smbconfoption name="log level">1</smbconfoption>
-<smbconfoption name="syslog">0</smbconfoption>
-<smbconfoption name="log file">/var/log/samba/%m</smbconfoption>
-<smbconfoption name="max log size">0</smbconfoption>
-<smbconfoption name="smb ports">139</smbconfoption>
-<smbconfoption name="name resolve order">wins bcast hosts</smbconfoption>
-<smbconfoption name="printcap name">CUPS</smbconfoption>
-<smbconfoption name="wins server">192.168.2.1</smbconfoption>
-<smbconfoption name="idmap uid">10000-20000</smbconfoption>
-<smbconfoption name="idmap gid">10000-20000</smbconfoption>
-<smbconfoption name="template primary group">"Domain Users"</smbconfoption>
-<smbconfoption name="template shell">/bin/bash</smbconfoption>
-<smbconfoption name="winbind separator">+</smbconfoption>
-<smbconfoption name="hosts allow">192.168.2., 192.168.3., 127.</smbconfoption>
-<smbconfoption name="printing">cups</smbconfoption>
-
-<smbconfsection name="[homes]"/>
-<smbconfoption name="comment">Home Directories</smbconfoption>
-<smbconfoption name="valid users">%S</smbconfoption>
-<smbconfoption name="read only">No</smbconfoption>
-<smbconfoption name="browseable">No</smbconfoption>
-
-<smbconfsection name="[printers]"/>
-<smbconfoption name="comment">SMB Print Spool</smbconfoption>
-<smbconfoption name="path">/var/spool/samba</smbconfoption>
-<smbconfoption name="guest ok">Yes</smbconfoption>
-<smbconfoption name="printable">Yes</smbconfoption>
-<smbconfoption name="browseable">No</smbconfoption>
-
-<smbconfsection name="[print$]"/>
-<smbconfoption name="comment">Printer Drivers</smbconfoption>
-<smbconfoption name="path">/var/lib/samba/drivers</smbconfoption>
-<smbconfoption name="admin users">root, Administrator</smbconfoption>
-<smbconfoption name="write list">root</smbconfoption>
-</smbconfblock>
-</example>
-
-	</sect2>
-
-	<sect2 id="dcwonss">
-	<title>NT4/Samba Domain with Samba Domain Member Server without NSS Support</title>
-
-	<para>
-	No matter how many UNIX/Linux administrators there may be who believe that a UNIX operating
-	system that does not have NSS and PAM support to be outdated, the fact is there
-	are still many such systems in use today. Samba can be used without NSS support, but this
-	does limit it to the use of local user and group accounts only.
-	</para>
-
-	<para>
-	The following steps may be followed to implement Samba with support for local accounts.
-	In this configuration Samba is made a domain member server. All incoming connections
-	to the Samba server will cause the look-up of the incoming username. If the account
-	is found, it is used. If the account is not found, one will be automatically created
-	on the local machine so that it can then be used for all access controls.
-	</para>
-
-	<procedure>
-	<title>Configuration Using Local Accounts Only</title>
-
-		<step><para>
-		Using your favorite text editor, create the &smb.conf; file so it has the contents
-		shown in <link linkend="ch0-NT4DSCM"/>.
-		</para></step>
-
-		<step>
-		<para><indexterm><primary>net</primary><secondary>rpc</secondary><tertiary>join</tertiary></indexterm>
-		The system is ready to join the domain. Execute the following:
-<screen>
-net rpc join -U root%not24get
-Joined domain MEGANET2.
-</screen>
-		This indicates that the domain join succeed.
-		</para></step>
-
-		<step><para>
-		Be sure to run all three Samba daemons: <command>smbd</command>, <command>nmbd</command>, <command>winbindd</command>.
-		</para></step>
-
-		<step><para>
-		The Samba member server of a Windows NT4 domain is ready for use.
-		</para></step>
-	</procedure>
-
-<example id="ch0-NT4DSCM">
-<title>Samba Domain Member Server Using Local Accounts &smb.conf; File for NT4 Domain</title>
-<smbconfblock>
-<smbconfcomment>Global parameters</smbconfcomment>
-<smbconfsection name="[global]"/>
-<smbconfoption name="unix charset">LOCALE</smbconfoption>
-<smbconfoption name="workgroup">MEGANET3</smbconfoption>
-<smbconfoption name="netbios name">BSDBOX</smbconfoption>
-<smbconfoption name="security">DOMAIN</smbconfoption>
-<smbconfoption name="username map">/etc/samba/smbusers</smbconfoption>
-<smbconfoption name="log level">1</smbconfoption>
-<smbconfoption name="syslog">0</smbconfoption>
-<smbconfoption name="add user script">/usr/sbin/useradd -m '%u'</smbconfoption>
-<smbconfoption name="add machine script">/usr/sbin/useradd -M '%u'</smbconfoption>
-<smbconfoption name="add group script">/usr/sbin/groupadd '%g'</smbconfoption>
-<smbconfoption name="log file">/var/log/samba/%m</smbconfoption>
-<smbconfoption name="max log size">0</smbconfoption>
-<smbconfoption name="smb ports">139</smbconfoption>
-<smbconfoption name="name resolve order">wins bcast hosts</smbconfoption>
-<smbconfoption name="printcap name">CUPS</smbconfoption>
-<smbconfoption name="wins server">192.168.2.1</smbconfoption>
-<smbconfoption name="hosts allow">192.168.2., 192.168.3., 127.</smbconfoption>
-<smbconfoption name="printing">cups</smbconfoption>
-
-<smbconfsection name="[homes]"/>
-<smbconfoption name="comment">Home Directories</smbconfoption>
-<smbconfoption name="valid users">%S</smbconfoption>
-<smbconfoption name="read only">No</smbconfoption>
-<smbconfoption name="browseable">No</smbconfoption>
-
-<smbconfsection name="[printers]"/>
-<smbconfoption name="comment">SMB Print Spool</smbconfoption>
-<smbconfoption name="path">/var/spool/samba</smbconfoption>
-<smbconfoption name="guest ok">Yes</smbconfoption>
-<smbconfoption name="printable">Yes</smbconfoption>
-<smbconfoption name="browseable">No</smbconfoption>
-
-<smbconfsection name="[print$]"/>
-<smbconfoption name="comment">Printer Drivers</smbconfoption>
-<smbconfoption name="path">/var/lib/samba/drivers</smbconfoption>
-<smbconfoption name="admin users">root, Administrator</smbconfoption>
-<smbconfoption name="write list">root</smbconfoption>
-</smbconfblock>
-</example>
-	</sect2>
-
-	<sect2 id="adssdm">
-	<title>Active Directory Domain with Samba Domain Member Server</title>
-
-	<para>
-	<indexterm><primary>Active Directory</primary><secondary>join</secondary></indexterm>
-	<indexterm><primary>Kerberos</primary></indexterm>
-	<indexterm><primary>Domain Member</primary><secondary>server</secondary></indexterm>
-	One of the much-sought-after features new to Samba-3 is the ability to join an Active Directory
-	domain using Kerberos protocols. This makes it possible to operate an entire Windows network
-	without the need to run NetBIOS over TCP/IP and permits more secure networking in general. An
-	exhaustively complete discussion of the protocols is not possible in this book; perhaps a
-	later book may explore the intricacies of the NetBIOS-less operation that Samba-3 can participate
-	in. For now, we simply focus on how a Samba-3 server can be made a domain member server.
-	</para>
-
-	<para>
-	<indexterm><primary>Active Directory</primary></indexterm>
-	<indexterm><primary>LDAP</primary></indexterm>
-	<indexterm><primary>Identity resolution</primary></indexterm>
-	<indexterm><primary>Kerberos</primary></indexterm>
-	The diagram in <link linkend="ch9-adsdc"/> demonstrates how Samba-3 interfaces with
-	Microsoft Active Directory components. It should be noted that if Microsoft Windows Services
-	for UNIX (SFU) has been installed and correctly configured, it is possible to use client LDAP
-	for identity resolution just as can be done with Samba-3 when using an LDAP passdb backend.
-	The UNIX tool that you need for this, as in the case of LDAP on UNIX/Linux, is the PADL
-	Software nss_ldap tool-set. Compared with use of winbind and Kerberos, the use of 
-	LDAP-based identity resolution is a little less secure. In view of the fact that this solution
-	requires additional software to be installed on the Windows 200x ADS domain controllers,
-	and that means more management overhead, it is likely that most Samba-3 ADS client sites
-	may elect to use winbind.
-	</para>
-
-	<para>
-	Do not attempt to use this procedure if you are not 100 percent certain that the build of Samba-3
-	you are using has been compiled and linked with all the tools necessary for this to work.
-	Given the importance of this step, you must first validate that the Samba-3 message block
-	daemon (<command>smbd</command>) has the necessary features.
-	</para>
-
-	<para>
-	The hypothetical domain you are using in this example assumes that the Abmas London office
-	decided to take its own lead (some would say this is a typical behavior in a global
-	corporate world; besides, a little divergence and conflict makes for an interesting life).
-	The Windows Server 2003 ADS domain is called <constant>london.abmas.biz</constant> and the
-	name of the server is <constant>W2K3S</constant>. In ADS realm terms, the domain controller
-	is known as <constant>w2k3s.london.abmas.biz</constant>. In NetBIOS nomenclature, the
-	domain name is <constant>LONDON</constant> and the server name is <constant>W2K3S</constant>.
-	</para>
-
-	<figure id="ch9-adsdc">
-		<title>Active Directory Domain: Samba Member Server</title>
-		<imagefile scale="60">chap9-ADSDC</imagefile>
-	</figure>
-
-	<procedure>
-	<title>Joining a Samba Server as an ADS Domain Member</title>
-
-		<step><para>
-		<indexterm><primary>smbd</primary></indexterm>
-		Before you try to use Samba-3, you want to know for certain that your executables have
-		support for Kerberos and for LDAP. Execute the following to identify whether or
-		not this build is perhaps suitable for use:
-<screen>
-&rootprompt; cd /usr/sbin
-&rootprompt; smbd -b | grep KRB
-   HAVE_KRB5_H
-   HAVE_ADDR_TYPE_IN_KRB5_ADDRESS
-   HAVE_KRB5
-   HAVE_KRB5_AUTH_CON_SETKEY
-   HAVE_KRB5_GET_DEFAULT_IN_TKT_ETYPES
-   HAVE_KRB5_GET_PW_SALT
-   HAVE_KRB5_KEYBLOCK_KEYVALUE
-   HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK
-   HAVE_KRB5_MK_REQ_EXTENDED
-   HAVE_KRB5_PRINCIPAL_GET_COMP_STRING
-   HAVE_KRB5_SET_DEFAULT_IN_TKT_ETYPES
-   HAVE_KRB5_STRING_TO_KEY
-   HAVE_KRB5_STRING_TO_KEY_SALT
-   HAVE_LIBKRB5
-</screen>
-		This output was obtained on a SUSE Linux system and shows the output for
-		Samba that has been compiled and linked with the Heimdal Kerberos libraries.
-		The following is a typical output that will be found on a Red Hat Linux system that
-		has been linked with the MIT Kerberos libraries:
-<screen>
-&rootprompt; cd /usr/sbin
-&rootprompt; smbd -b | grep KRB
-   HAVE_KRB5_H
-   HAVE_ADDRTYPE_IN_KRB5_ADDRESS
-   HAVE_KRB5
-   HAVE_KRB5_AUTH_CON_SETUSERUSERKEY
-   HAVE_KRB5_ENCRYPT_DATA
-   HAVE_KRB5_FREE_DATA_CONTENTS
-   HAVE_KRB5_FREE_KTYPES
-   HAVE_KRB5_GET_PERMITTED_ENCTYPES
-   HAVE_KRB5_KEYTAB_ENTRY_KEY
-   HAVE_KRB5_LOCATE_KDC
-   HAVE_KRB5_MK_REQ_EXTENDED
-   HAVE_KRB5_PRINCIPAL2SALT
-   HAVE_KRB5_PRINC_COMPONENT
-   HAVE_KRB5_SET_DEFAULT_TGS_KTYPES
-   HAVE_KRB5_SET_REAL_TIME
-   HAVE_KRB5_STRING_TO_KEY
-   HAVE_KRB5_TKT_ENC_PART2
-   HAVE_KRB5_USE_ENCTYPE
-   HAVE_LIBGSSAPI_KRB5
-   HAVE_LIBKRB5
-</screen>
-		You can validate that Samba has been compiled and linked with LDAP support
-		by executing:
-<screen>
-&rootprompt; smbd -b | grep LDAP
-massive:/usr/sbin # smbd -b | grep LDAP
-   HAVE_LDAP_H
-   HAVE_LDAP
-   HAVE_LDAP_DOMAIN2HOSTLIST
-   HAVE_LDAP_INIT
-   HAVE_LDAP_INITIALIZE
-   HAVE_LDAP_SET_REBIND_PROC
-   HAVE_LIBLDAP
-   LDAP_SET_REBIND_PROC_ARGS
-</screen>
-		This does look promising; <command>smbd</command> has been built with Kerberos and LDAP
-		support. You are relieved to know that it is safe to progress.
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>Kerberos</primary><secondary>libraries</secondary></indexterm>
-		<indexterm><primary>MIT Kerberos</primary></indexterm>
-		<indexterm><primary>Heimdal Kerberos</primary></indexterm>
-		<indexterm><primary>Kerberos</primary><secondary>MIT</secondary></indexterm>
-		<indexterm><primary>Kerberos</primary><secondary>Heimdal</secondary></indexterm>
-		<indexterm><primary>Red Hat Linux</primary></indexterm>
-		<indexterm><primary>SUSE Linux</primary></indexterm>
-		<indexterm><primary>SerNet</primary></indexterm>
-		<indexterm><primary>validated</primary></indexterm>
-		The next step is to identify which version of the Kerberos libraries have been used.
-		In order to permit Samba-3 to interoperate with Windows 2003 Active Directory, it is
-		essential that it has been linked with either MIT Kerberos version 1.3.1 or later,
-		or that it has been linked with Heimdal Kerberos 0.6 plus specific patches. You may
-		identify what version of the MIT Kerberos libraries are installed on your system by
-		executing (on Red Hat Linux):
-<screen>
-&rootprompt; rpm -q krb5
-</screen>
-		Or on SUSE Linux, execute:
-<screen>
-&rootprompt; rpm -q heimdal
-</screen>
-		Please note that the RPMs provided by the Samba-Team are known to be working and have
-		been validated. Red Hat Linux RPMs may be obtained from the Samba FTP sites. SUSE
-		Linux RPMs may be obtained from <ulink url="ftp://ftp.sernet.de">Sernet</ulink> in
-		Germany.
-		</para>
-
-		<para>
-		From this point on, you are certain that the Samba-3 build you are using has the
-		necessary capabilities. You can now configure Samba-3 and the NSS. 
-		</para></step>
-
-		<step><para>
-		Using you favorite editor, configure the &smb.conf; file that is located in the 
-		<filename>/etc/samba</filename> directory so that it has the contents shown 
-		in <link linkend="ch9-adssdm"/>.
-		</para></step>
-
-		<step><para>
-		Edit or create the NSS control file so it has the contents shown in <link linkend="ch9-sdmnss"/>.
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>/etc/samba/secrets.tdb</primary></indexterm>
-		Delete the file <filename>/etc/samba/secrets.tdb</filename> if it exists. Of course, you
-		do keep a backup, don't you?
-		</para></step>
-
-		<step><para>
-		Delete the tdb files that cache Samba information. You keep a backup of the old
-		files, of course. You also remove all files to ensure that nothing can pollute your
-		nice, new configuration. Execute the following (example is for SUSE Linux):
-<screen>
-&rootprompt; rm /var/lib/samba/*tdb
-</screen>
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>testparm</primary></indexterm>
-		Validate your &smb.conf; file using <command>testparm</command> (as you have
-		done previously). Correct all errors reported before proceeding. The command you
-		execute is:
-<screen>
-&rootprompt; testparm -s | less
-</screen>
-		Now that you are satisfied that your Samba server is ready to join the Windows
-		ADS domain, let's move on.
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>net</primary><secondary>ads</secondary><tertiary>join</tertiary></indexterm>
-		<indexterm><primary>Kerberos</primary></indexterm>
-		This is a good time to double-check everything and then execute the following
-		command when everything you have done has checked out okay:
-<screen>
-&rootprompt; net ads join -UAdministrator%not24get
-Using short domain name -- LONDON
-Joined 'FRAN' to realm 'LONDON.ABMAS.BIZ'
-</screen>
-		You have successfully made your Samba-3 server a member of the ADS domain
-		using Kerberos protocols.
-		</para>
-
-	    <para>
-		<indexterm><primary>silent return</primary></indexterm>
-		<indexterm><primary>failed join</primary></indexterm>
-		In the event that you receive no output messages, a silent return means that the
-		domain join failed. You should use <command>ethereal</command> to identify what
-		may be failing. Common causes of a failed join include:
-
-		<itemizedlist>
-			<listitem><para>
-			<indexterm><primary>name resolution</primary><secondary>Defective</secondary></indexterm>
-			Defective or misconfigured DNS name resolution.
-			</para></listitem>
-
-			<listitem><para>
-			<indexterm><primary>Restrictive security</primary></indexterm>
-			Restrictive security settings on the Windows 200x ADS domain controller
-			preventing needed communications protocols. You can check this by searching
-			the Windows Server 200x Event Viewer.
-			</para></listitem>
-
-			<listitem><para>
-			Incorrectly configured &smb.conf; file settings.
-			</para></listitem>
-
-			<listitem><para>
-			Lack of support of necessary Kerberos protocols because the version of MIT
-			Kerberos (or Heimdal) in use is not up to date enough to support the necessary
-			functionality.
-			</para></listitem>
-		</itemizedlist>
-
-		<indexterm><primary>net</primary><secondary>rpc</secondary><tertiary>join</tertiary></indexterm>
-		<indexterm><primary>RPC</primary></indexterm>
-		<indexterm><primary>mixed mode</primary></indexterm>
-		In any case, never execute the <command>net rpc join</command> command in an attempt
-		to join the Samba server to the domain, unless you wish not to use the Kerberos
-		security protocols. Use of the older RPC-based domain join facility requires that
-		Windows Server 200x ADS has been configured appropriately for mixed mode operation.
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>tdbdump</primary></indexterm>
-		<indexterm><primary>/etc/samba/secrets.tdb</primary></indexterm>
-		If the <command>tdbdump</command> is installed on your system (not essential),
-		you can look inside the <filename>/etc/samba/secrets.tdb</filename> file. If
-		you wish to do this, execute:
-<screen>
-&rootprompt; tdbdump secrets.tdb
-{
-key = "SECRETS/SID/LONDON"
-data = "\01\04\00\00\00\00\00\05\15\00\00\00\EBw\86\F1\ED\BD\
-   F6{\5C6\E5W\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\
-   00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\
-   00\00\00\00\00\00\00\00"
-}
-{
-key = "SECRETS/MACHINE_PASSWORD/LONDON"
-data = "le3Q5FPnN5.ueC\00"
-}
-{
-key = "SECRETS/MACHINE_SEC_CHANNEL_TYPE/LONDON"
-data = "\02\00\00\00"
-}
-{
-key = "SECRETS/MACHINE_LAST_CHANGE_TIME/LONDON"
-data = "E\89\F6?"
-}
-</screen>
-		This is given to demonstrate to the skeptics that this process truly does work.
-		</para></step>
-
-		<step><para>
-		It is now time to start Samba in the usual way (as has been done many time before
-		in this book).	
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>wbinfo</primary></indexterm>
-		This is a good time to verify that everything is working. First, check that
-		winbind is able to obtain the list of users and groups from the ADS domain controller.
-		Execute the following:
-<screen>
-&rootprompt; wbinfo -u
-LONDON+Administrator
-LONDON+Guest
-LONDON+SUPPORT_388945a0
-LONDON+krbtgt
-LONDON+jht
-</screen>
-		Good, the list of users was obtained. Now do likewise for group accounts:
-<screen>
-&rootprompt; wbinfo -g
-LONDON+Domain Computers
-LONDON+Domain Controllers
-LONDON+Schema Admins
-LONDON+Enterprise Admins
-LONDON+Domain Admins
-LONDON+Domain Users
-LONDON+Domain Guests
-LONDON+Group Policy Creator Owners
-LONDON+DnsUpdateProxy
-</screen>
-		Excellent. That worked also, as expected.
-		</para></step>
-
-	  <step><para><indexterm>
-		<primary>getent</primary>
-	      </indexterm>
-		Now repeat this via NSS to validate that full identity resolution is
-		functional as required. Execute:
-<screen>
-&rootprompt; getent passwd
-...
-LONDON+Administrator:x:10000:10000:Administrator:
-             /home/LONDON/administrator:/bin/bash
-LONDON+Guest:x:10001:10001:Guest:
-             /home/LONDON/guest:/bin/bash
-LONDON+SUPPORT_388945a0:x:10002:10000:SUPPORT_388945a0:
-             /home/LONDON/support_388945a0:/bin/bash
-LONDON+krbtgt:x:10003:10000:krbtgt:
-             /home/LONDON/krbtgt:/bin/bash
-LONDON+jht:x:10004:10000:John H. Terpstra:
-             /home/LONDON/jht:/bin/bash
-</screen>
-		Okay, ADS user accounts are being resolved. Now you try group resolution:
-<screen>
-&rootprompt; getent group
-...
-LONDON+Domain Computers:x:10002:
-LONDON+Domain Controllers:x:10003:
-LONDON+Schema Admins:x:10004:LONDON+Administrator
-LONDON+Enterprise Admins:x:10005:LONDON+Administrator
-LONDON+Domain Admins:x:10006:LONDON+jht,LONDON+Administrator
-LONDON+Domain Users:x:10000:
-LONDON+Domain Guests:x:10001:
-LONDON+Group Policy Creator Owners:x:10007:LONDON+Administrator
-LONDON+DnsUpdateProxy:x:10008:
-</screen>
-		This is very pleasing. Everything works as expected.
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>net</primary><secondary>ads</secondary><tertiary>info</tertiary></indexterm>
-		<indexterm><primary>Active Directory</primary><secondary>server</secondary></indexterm>
-		<indexterm><primary>Kerberos</primary></indexterm>
-		You may now perform final verification that communications between Samba-3 winbind and
-		the Active Directory server is using Kerberos protocols. Execute the following:
-<screen>
-&rootprompt; net ads info
-LDAP server: 192.168.2.123
-LDAP server name: w2k3s
-Realm: LONDON.ABMAS.BIZ
-Bind Path: dc=LONDON,dc=ABMAS,dc=BIZ
-LDAP port: 389
-Server time: Sat, 03 Jan 2004 02:44:44 GMT
-KDC server: 192.168.2.123
-Server time offset: 2
-</screen>
-		It should be noted that Kerberos protocols are time-clock critical. You should
-		keep all server time clocks synchronized using the network time protocol (NTP).
-		In any case, the output we obtained confirms that all systems are operational.
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>net</primary><secondary>ads</secondary><tertiary>status</tertiary></indexterm>
-		There is one more action you elect to take, just because you are paranoid and disbelieving,
-		so you execute the following command:
-<programlisting>
-&rootprompt; net ads status -UAdministrator%not24get
-objectClass: top
-objectClass: person
-objectClass: organizationalPerson
-objectClass: user
-objectClass: computer
-cn: fran
-distinguishedName: CN=fran,CN=Computers,DC=london,DC=abmas,DC=biz
-instanceType: 4
-whenCreated: 20040103092006.0Z
-whenChanged: 20040103092006.0Z
-uSNCreated: 28713
-uSNChanged: 28717
-name: fran
-objectGUID: 58f89519-c467-49b9-acb0-f099d73696e
-userAccountControl: 69632
-badPwdCount: 0
-codePage: 0
-countryCode: 0
-badPasswordTime: 0
-lastLogoff: 0
-lastLogon: 127175965783327936
-localPolicyFlags: 0
-pwdLastSet: 127175952062598496
-primaryGroupID: 515
-objectSid: S-1-5-21-4052121579-2079768045-1474639452-1109
-accountExpires: 9223372036854775807
-logonCount: 13
-sAMAccountName: fran$
-sAMAccountType: 805306369
-operatingSystem: Samba
-operatingSystemVersion: 3.0.20-SUSE
-dNSHostName: fran
-userPrincipalName: HOST/fran at LONDON.ABMAS.BIZ
-servicePrincipalName: CIFS/fran.london.abmas.biz
-servicePrincipalName: CIFS/fran
-servicePrincipalName: HOST/fran.london.abmas.biz
-servicePrincipalName: HOST/fran
-objectCategory: CN=Computer,CN=Schema,CN=Configuration,
-                              DC=london,DC=abmas,DC=biz
-isCriticalSystemObject: FALSE
--------------- Security Descriptor (revision: 1, type: 0x8c14)
-owner SID: S-1-5-21-4052121579-2079768045-1474639452-512
-group SID: S-1-5-21-4052121579-2079768045-1474639452-513
-------- (system) ACL (revision: 4, size: 120, number of ACEs: 2)
-------- ACE (type: 0x07, flags: 0x5a, size: 0x38, 
-               mask: 0x20, object flags: 0x3)
-access SID:  S-1-1-0
-access type: AUDIT OBJECT
-Permissions:
-        [Write All Properties]
-------- ACE (type: 0x07, flags: 0x5a, size: 0x38, 
-               mask: 0x20, object flags: 0x3)
-access SID:  S-1-1-0
-access type: AUDIT OBJECT
-Permissions:
-        [Write All Properties]
-------- (user) ACL (revision: 4, size: 1944, number of ACEs: 40)
-------- ACE (type: 0x00, flags: 0x00, size: 0x24, mask: 0xf01ff)
-access SID:  S-1-5-21-4052121579-2079768045-1474639452-512
-access type: ALLOWED
-Permissions: [Full Control]
-------- ACE (type: 0x00, flags: 0x00, size: 0x18, mask: 0xf01ff)
-access SID:  S-1-5-32-548
-...
-------- ACE (type: 0x05, flags: 0x12, size: 0x38, 
-                mask: 0x10, object flags: 0x3)
-access SID:  S-1-5-9
-access type: ALLOWED OBJECT
-Permissions:
-        [Read All Properties]
--------------- End Of Security Descriptor
-</programlisting>
-		And now you have conclusive proof that your Samba-3 ADS domain member server
-		called <constant>FRAN</constant> is able to communicate fully with the ADS
-		domain controllers.
-		</para></step>
-
-	</procedure>
-
-
-	<para>
-	Your Samba-3 ADS domain member server is ready for use. During training sessions,
-	you may be asked what is inside the <filename>winbindd_cache.tdb and winbindd_idmap.tdb</filename>
-	files. Since curiosity just took hold of you, execute the following:
-<programlisting>
-&rootprompt; tdbdump /var/lib/samba/winbindd_idmap.tdb
-{
-key = "S-1-5-21-4052121579-2079768045-1474639452-501\00"
-data = "UID 10001\00"
-}
-{
-key = "UID 10005\00"
-data = "S-1-5-21-4052121579-2079768045-1474639452-1111\00"
-}
-{
-key = "GID 10004\00"
-data = "S-1-5-21-4052121579-2079768045-1474639452-518\00"
-}
-{
-key = "S-1-5-21-4052121579-2079768045-1474639452-502\00"
-data = "UID 10003\00"
-}
-...
-
-&rootprompt; tdbdump /var/lib/samba/winbindd_cache.tdb
-{
-key = "UL/LONDON"
-data = "\00\00\00\00bp\00\00\06\00\00\00\0DAdministrator\0D
-   Administrator-S-1-5-21-4052121579-2079768045-1474639452-500-
-   S-1-5-21-4052121579-2079768045-1474639452-513\05Guest\05
-   Guest-S-1-5-21-4052121579-2079768045-1474639452-501-
-   S-1-5-21-4052121579-2079768045-1474639452-514\10
-   SUPPORT_388945a0\10SUPPORT_388945a0.
-   S-1-5-21-4052121579-2079768045-1474639452-1001-
-   S-1-5-21-4052121579-2079768045-1474639452-513\06krbtgt\06
-   krbtgt-S-1-5-21-4052121579-2079768045-1474639452-502-
-   S-1-5-21-4052121579-2079768045-1474639452-513\03jht\10
-   John H. Terpstra.S-1-5-21-4052121579-2079768045-1474639452-1110-
-   S-1-5-21-4052121579-2079768045-1474639452-513"
-}
-{
-key = "GM/S-1-5-21-4052121579-2079768045-1474639452-512"
-data = "\00\00\00\00bp\00\00\02\00\00\00.
-   S-1-5-21-4052121579-2079768045-1474639452-1110\03
-   jht\01\00\00\00-S-1-5-21-4052121579-2079768045-1474639452-500\0D
-   Administrator\01\00\00\00"
-}
-{
-key = "SN/S-1-5-21-4052121579-2079768045-1474639452-513"
-data = "\00\00\00\00xp\00\00\02\00\00\00\0CDomain Users"
-}
-{
-key = "GM/S-1-5-21-4052121579-2079768045-1474639452-518"
-data = "\00\00\00\00bp\00\00\01\00\00\00-
-   S-1-5-21-4052121579-2079768045-1474639452-500\0D
-   Administrator\01\00\00\00"
-}
-{
-key = "SEQNUM/LONDON\00"
-data = "xp\00\00C\92\F6?"
-}
-{
-key = "U/S-1-5-21-4052121579-2079768045-1474639452-1110"
-data = "\00\00\00\00xp\00\00\03jht\10John H. Terpstra.
-   S-1-5-21-4052121579-2079768045-1474639452-1110-
-   S-1-5-21-4052121579-2079768045-1474639452-513"
-}
-{
-key = "NS/S-1-5-21-4052121579-2079768045-1474639452-502"
-data = "\00\00\00\00bp\00\00-
-   S-1-5-21-4052121579-2079768045-1474639452-502"
-}
-{
-key = "SN/S-1-5-21-4052121579-2079768045-1474639452-1001"
-data = "\00\00\00\00bp\00\00\01\00\00\00\10SUPPORT_388945a0"
-}
-{
-key = "SN/S-1-5-21-4052121579-2079768045-1474639452-500"
-data = "\00\00\00\00bp\00\00\01\00\00\00\0DAdministrator"
-}
-{
-key = "U/S-1-5-21-4052121579-2079768045-1474639452-502"
-data = "\00\00\00\00bp\00\00\06krbtgt\06krbtgt-
-   S-1-5-21-4052121579-2079768045-1474639452-502-
-   S-1-5-21-4052121579-2079768045-1474639452-513"
-}
-....
-</programlisting>
-	Now all is revealed. Your curiosity, as well as that of your team, has been put at ease.
-	May this server serve well all who happen upon it.
-	</para>
-
-<example id="ch9-adssdm">
-<title>Samba Domain Member &smb.conf; File for Active Directory Membership</title>
-<smbconfblock>
-<smbconfcomment>Global parameters</smbconfcomment>
-<smbconfsection name="[global]"/>
-<smbconfoption name="unix charset">LOCALE</smbconfoption>
-<smbconfoption name="workgroup">LONDON</smbconfoption>
-<smbconfoption name="realm">LONDON.ABMAS.BIZ</smbconfoption>
-<smbconfoption name="server string">Samba 3.0.20</smbconfoption>
-<smbconfoption name="security">ADS</smbconfoption>
-<smbconfoption name="username map">/etc/samba/smbusers</smbconfoption>
-<smbconfoption name="log level">1</smbconfoption>
-<smbconfoption name="syslog">0</smbconfoption>
-<smbconfoption name="log file">/var/log/samba/%m</smbconfoption>
-<smbconfoption name="max log size">50</smbconfoption>
-<smbconfoption name="printcap name">CUPS</smbconfoption>
-<smbconfoption name="ldap ssl">no</smbconfoption>
-<smbconfoption name="idmap uid">10000-20000</smbconfoption>
-<smbconfoption name="idmap gid">10000-20000</smbconfoption>
-<smbconfoption name="template primary group">"Domain Users"</smbconfoption>
-<smbconfoption name="template shell">/bin/bash</smbconfoption>
-<smbconfoption name="winbind separator">+</smbconfoption>
-<smbconfoption name="printing">cups</smbconfoption>
-
-<smbconfsection name="[homes]"/>
-<smbconfoption name="comment">Home Directories</smbconfoption>
-<smbconfoption name="valid users">%S</smbconfoption>
-<smbconfoption name="read only">No</smbconfoption>
-<smbconfoption name="browseable">No</smbconfoption>
-
-<smbconfsection name="[printers]"/>
-<smbconfoption name="comment">SMB Print Spool</smbconfoption>
-<smbconfoption name="path">/var/spool/samba</smbconfoption>
-<smbconfoption name="guest ok">Yes</smbconfoption>
-<smbconfoption name="printable">Yes</smbconfoption>
-<smbconfoption name="browseable">No</smbconfoption>
-
-<smbconfsection name="[print$]"/>
-<smbconfoption name="comment">Printer Drivers</smbconfoption>
-<smbconfoption name="path">/var/lib/samba/drivers</smbconfoption>
-<smbconfoption name="admin users">root, Administrator</smbconfoption>
-<smbconfoption name="write list">root</smbconfoption>
-</smbconfblock>
-</example>
-
-        <sect3>
-        <title>IDMAP_RID with Winbind</title>
-
-        <para>
-        <indexterm><primary>idmap_rid</primary></indexterm>
-        <indexterm><primary>SID</primary></indexterm>
-        <indexterm><primary>RID</primary></indexterm>
-        <indexterm><primary>IDMAP</primary></indexterm>
-        The <command>idmap_rid</command> facility is a new tool that, unlike native winbind, creates a
-        predictable mapping of MS Windows SIDs to UNIX UIDs and GIDs. The key benefit of this method
-        of implementing the Samba IDMAP facility is that it eliminates the need to store the IDMAP data
-        in a central place. The downside is that it can be used only within a single ADS domain and
-        is not compatible with trusted domain implementations.
-        </para>
-
-        <para>
-        <indexterm><primary>SID</primary></indexterm>
-        <indexterm><primary>allow trusted domains</primary></indexterm>
-        <indexterm><primary>idmap uid</primary></indexterm>
-        <indexterm><primary>idmap gid</primary></indexterm>
-        This alternate method of SID to UID/GID  mapping can be achieved with the idmap_rid
-        plug-in. This plug-in uses the RID of the user SID to derive the UID and GID by adding the
-        RID to a base value specified. This utility requires that the parameter
-        <quote>allow trusted domains = No</quote> must be specified, as it is not compatible
-        with multiple domain environments. The <parameter>idmap uid</parameter> and
-        <parameter>idmap gid</parameter> ranges must be specified.
-        </para>
-
-        <para>
-        <indexterm><primary>idmap_rid</primary></indexterm>
-        <indexterm><primary>realm</primary></indexterm>
-        The idmap_rid facility can be used both for NT4/Samba-style domains as well as with Active Directory.
-        To use this with an NT4 domain, the <parameter>realm</parameter> is not used. Additionally the
-        method used to join the domain uses the <constant>net rpc join</constant> process.
-        </para>
-
-        <para>
-        An example &smb.conf; file for an ADS domain environment is shown in <link linkend="sbe-idmapridex"/>.
-        </para>
-
-<example id="sbe-idmapridex">
-<title>Example &smb.conf; File Using <constant>idmap_rid</constant></title>
-<smbconfblock>
-<smbconfcomment>Global parameters</smbconfcomment>
-<smbconfsection name="[global]"/>
-<smbconfoption name="workgroup">KPAK</smbconfoption>
-<smbconfoption name="netbios name">BIGJOE</smbconfoption>
-<smbconfoption name="realm">CORP.KPAK.COM</smbconfoption>
-<smbconfoption name="server string">Office Server</smbconfoption>
-<smbconfoption name="security">ADS</smbconfoption>
-<smbconfoption name="allow trusted domains">No</smbconfoption>
-<smbconfoption name="idmap backend">idmap_rid:KPAK=500-100000000</smbconfoption>
-<smbconfoption name="idmap uid">500-100000000</smbconfoption>
-<smbconfoption name="idmap gid">500-100000000</smbconfoption>
-<smbconfoption name="template shell">/bin/bash</smbconfoption>
-<smbconfoption name="winbind use default domain">Yes</smbconfoption>
-<smbconfoption name="winbind enum users">No</smbconfoption>
-<smbconfoption name="winbind enum groups">No</smbconfoption>
-<smbconfoption name="winbind nested groups">Yes</smbconfoption>
-</smbconfblock>
-</example>
-
-        <para>
-        <indexterm><primary>large domain</primary></indexterm>
-        <indexterm><primary>Active Directory</primary></indexterm>
-        <indexterm><primary>response</primary></indexterm>
-        <indexterm><primary>getent</primary></indexterm>
-        In a large domain with many users, it is imperative to disable enumeration of users and groups.
-        For example, at a site that has 22,000 users in Active Directory the winbind-based user and
-        group resolution is unavailable for nearly 12 minutes following first start-up of
-        <command>winbind</command>. Disabling of such enumeration results in instantaneous response.
-        The disabling of user and group enumeration means that it will not be possible to list users
-        or groups using the <command>getent passwd</command> and <command>getent group</command>
-        commands. It will be possible to perform the lookup for individual users, as shown in the procedure
-        below.
-        </para>
-
-        <para>
-        <indexterm><primary>NSS</primary></indexterm>
-        <indexterm><primary>/etc/nsswitch.conf</primary></indexterm>
-        The use of this tool requires configuration of NSS as per the native use of winbind. Edit the
-        <filename>/etc/nsswitch.conf</filename> so it has the following parameters:
-<screen>
-...
-passwd: files winbind
-shadow: files winbind
-group:  files winbind
-...
-hosts:  files wins
-...
-</screen>
-        </para>
-
-        <para>
-        The following procedure can be used to utilize the idmap_rid facility:
-        </para>
-
-        <procedure>
-                <step><para>
-                Create or install and &smb.conf; file with the above configuration.
-                </para></step>
-
-                <step><para>
-                Edit the <filename>/etc/nsswitch.conf</filename> file as shown above.
-                </para></step>
-
-                <step><para>
-                Execute:
-<screen>
-&rootprompt; net ads join -UAdministrator%password
-Using short domain name -- KPAK
-Joined 'BIGJOE' to realm 'CORP.KPAK.COM'
-</screen>
-                </para>
-
-                <para>
-                <indexterm><primary>failed join</primary></indexterm>
-                An invalid or failed join can be detected by executing:
-<screen>
-&rootprompt; net ads testjoin
-BIGJOE$@'s password:
-[2004/11/05 16:53:03, 0] utils/net_ads.c:ads_startup(186)
-  ads_connect: No results returned
-Join to domain is not valid
-</screen>
-                The specific error message may differ from the above because it depends on the type of failure that
-                may have occurred. Increase the <parameter>log level</parameter> to 10, repeat the above test,
-                and then examine the log files produced to identify the nature of the failure.
-                </para></step>
-
-                <step><para>
-                Start the <command>nmbd</command>, <command>winbind,</command> and <command>smbd</command> daemons in the order shown.
-                </para></step>
-
-                <step><para>
-                Validate the operation of this configuration by executing:
-                <indexterm><primary></primary></indexterm>
-<screen>
-&rootprompt; getent passwd administrator
-administrator:x:1000:1013:Administrator:/home/BE/administrator:/bin/bash
-</screen>
-                </para></step>
-        </procedure>
-
-        </sect3>
-
-        <sect3>
-        <title>IDMAP Storage in LDAP using Winbind</title>
-
-        <para>
-        <indexterm><primary>ADAM</primary></indexterm>
-        <indexterm><primary>ADS</primary></indexterm>
-        The storage of IDMAP information in LDAP can be used with both NT4/Samba-3-style domains as well as
-        with ADS domains. OpenLDAP is a commonly used LDAP server for this purpose, although any standards-compliant
-        LDAP server can be used. It is therefore possible to deploy this IDMAP configuration using
-        the Sun iPlanet LDAP server, Novell eDirectory, Microsoft ADS plus ADAM, and so on.
-        </para>
-
-        <para>
-        The example in <link linkend="sbeunxa"/> is for an ADS-style domain.
-        </para>
-
-<example id="sbeunxa">
-<title>Typical ADS Style Domain &smb.conf; File</title>
-<smbconfblock>
-<smbconfcomment>Global parameters</smbconfcomment>
-<smbconfsection name="[global]"/>
-<smbconfoption name="workgroup">SNOWSHOW</smbconfoption>
-<smbconfoption name="netbios name">GOODELF</smbconfoption>
-<smbconfoption name="realm">SNOWSHOW.COM</smbconfoption>
-<smbconfoption name="server string">Samba Server</smbconfoption>
-<smbconfoption name="security">ADS</smbconfoption>
-<smbconfoption name="log level">1 ads:10 auth:10 sam:10 rpc:10</smbconfoption>
-<smbconfoption name="ldap admin dn">cn=Manager,dc=SNOWSHOW,dc=COM</smbconfoption>
-<smbconfoption name="ldap idmap suffix">ou=Idmap</smbconfoption>
-<smbconfoption name="ldap suffix">dc=SNOWSHOW,dc=COM</smbconfoption>
-<smbconfoption name="idmap backend">ldap:ldap://ldap.snowshow.com</smbconfoption>
-<smbconfoption name="idmap uid">150000-550000</smbconfoption>
-<smbconfoption name="idmap gid">150000-550000</smbconfoption>
-<smbconfoption name="template shell">/bin/bash</smbconfoption>
-<smbconfoption name="winbind use default domain">Yes</smbconfoption>
-</smbconfblock>
-</example>
-
-        <para>
-        <indexterm><primary>realm</primary></indexterm>
-        In the case of an NT4 or Samba-3-style domain the <parameter>realm</parameter> is not used, and the
-        command used to join the domain is <command>net rpc join</command>. The above example also demonstrates
-        advanced error reporting techniques that are documented in the chapter called "Reporting Bugs" in
-	<quote>The Official Samba-3 HOWTO and Reference Guide, Second Edition</quote> (TOSHARG2).
-        </para>
-
-        <para>
-        <indexterm><primary>MIT kerberos</primary></indexterm>
-        <indexterm><primary>Heimdal kerberos</primary></indexterm>
-        <indexterm><primary>/etc/krb5.conf</primary></indexterm>
-        Where MIT kerberos is installed (version 1.3.4 or later), edit the <filename>/etc/krb5.conf</filename>
-        file so it has the following contents:
-<screen>
-[logging]
- default = FILE:/var/log/krb5libs.log
- kdc = FILE:/var/log/krb5kdc.log
- admin_server = FILE:/var/log/kadmind.log
-
-[libdefaults]
- default_realm = SNOWSHOW.COM
- dns_lookup_realm = false
- dns_lookup_kdc = true
-
-[appdefaults]
- pam = {
-   debug = false
-   ticket_lifetime = 36000
-   renew_lifetime = 36000
-   forwardable = true
-   krb4_convert = false
- }
-</screen>
-        </para>
-
-        <para>
-        Where Heimdal kerberos is installed, edit the <filename>/etc/krb5.conf</filename>
-        file so it is either empty (i.e., no contents) or it has the following contents:
-<screen>
-[libdefaults]
-        default_realm = SNOWSHOW.COM
-        clockskew = 300
-
-[realms]
-        SNOWSHOW.COM = {
-                kdc = ADSDC.SHOWSHOW.COM
-        }
-
-[domain_realm]
-        .snowshow.com = SNOWSHOW.COM
-</screen>
-        </para>
-
-        <note><para>
-        Samba cannot use the Heimdal libraries if there is no <filename>/etc/krb5.conf</filename> file.
-        So long as there is an empty file, the Heimdal kerberos libraries will be usable. There is no
-        need to specify any settings because Samba, using the Heimdal libraries, can figure this out automatically.
-        </para></note>
-        <para>
-        Edit the NSS control file <filename>/etc/nsswitch.conf</filename> so it has the following entries:
-<screen>
-...
-passwd: files ldap
-shadow: files ldap
-group:  files ldap
-...
-hosts:  files wins
-...
-</screen>
-        </para>
-
-        <para>
-        <indexterm><primary>PADL</primary></indexterm>
-        <indexterm><primary>/etc/ldap.conf</primary></indexterm>
-        You will need the <ulink url="http://www.padl.com">PADL</ulink> <command>nss_ldap</command>
-        tool set for this solution. Configure the <filename>/etc/ldap.conf</filename> file so it has
-        the information needed. The following is an example of a working file:
-<screen>
-host    192.168.2.1
-base    dc=snowshow,dc=com
-binddn  cn=Manager,dc=snowshow,dc=com
-bindpw  not24get
-
-pam_password exop
-
-nss_base_passwd ou=People,dc=snowshow,dc=com?one
-nss_base_shadow ou=People,dc=snowshow,dc=com?one
-nss_base_group  ou=Groups,dc=snowshow,dc=com?one
-ssl     no
-</screen>
-        </para>
-
-        <para>
-        The following procedure may be followed to affect a working configuration:
-        </para>
-        <procedure>
-                <step><para>
-                Configure the &smb.conf; file as shown above.
-                </para></step>
-
-                <step><para>
-                Create the <filename>/etc/krb5.conf</filename> file following the indications above.
-                </para></step>
-
-                <step><para>
-                Configure the <filename>/etc/nsswitch.conf</filename> file as shown above.
-                </para></step>
-
-                <step><para>
-                Download, build, and install the PADL nss_ldap tool set. Configure the
-                <filename>/etc/ldap.conf</filename> file as shown above.
-                </para></step>
-
-                <step><para>
-                Configure an LDAP server and initialize the directory with the top-level entries needed by IDMAP
-                as shown in the following LDIF file:
-<screen>
-dn: dc=snowshow,dc=com
-objectClass: dcObject
-objectClass: organization
-dc: snowshow
-o: The Greatest Snow Show in Singapore.
-description: Posix and Samba LDAP Identity Database
-
-dn: cn=Manager,dc=snowshow,dc=com
-objectClass: organizationalRole
-cn: Manager
-description: Directory Manager
-
-dn: ou=Idmap,dc=snowshow,dc=com
-objectClass: organizationalUnit
-ou: idmap
-</screen>
-                </para></step>
-
-                <step><para>
-                Execute the command to join the Samba domain member server to the ADS domain as shown here:
-<screen>
-&rootprompt; net ads testjoin
-Using short domain name -- SNOWSHOW
-Joined 'GOODELF' to realm 'SNOWSHOW.COM'
-</screen>
-                </para></step>
-
-                <step><para>
-                Store the LDAP server access password in the Samba <filename>secrets.tdb</filename> file as follows:
-<screen>
-&rootprompt; smbpasswd -w not24get
-</screen>
-                </para></step>
-
-                <step><para>
-                Start the <command>nmbd</command>, <command>winbind</command>, and <command>smbd</command> daemons in the order shown.
-                </para></step>
-        </procedure>
-
-
-        <para>
-        <indexterm><primary>diagnostic</primary></indexterm>
-        Follow the diagnostic procedures shown earlier in this chapter to identify success or failure of the join.
-        In many cases a failure is indicated by a silent return to the command prompt with no indication of the
-        reason for failure.
-        </para>
-
-        </sect3>
-
-        <sect3>
-        <title>IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</title>
-
-        <para>
-        <indexterm><primary>rfc2307bis</primary></indexterm>
-        <indexterm><primary>schema</primary></indexterm>
-        The use of this method is messy. The information provided in this section is for guidance only
-        and is very definitely not complete. This method does work; it is used in a number of large sites
-        and has an acceptable level of performance.
-        </para>
-
-        <para>
-        An example &smb.conf; file is shown in <link linkend="sbewinbindex"/>.
-        </para>
-
-<example id="sbewinbindex">
-<title>ADS Membership Using RFC2307bis Identity Resolution &smb.conf; File</title>
-<smbconfblock>
-<smbconfcomment>Global parameters</smbconfcomment>
-<smbconfsection name="[global]"/>
-<smbconfoption name="workgroup">BUBBAH</smbconfoption>
-<smbconfoption name="netbios name">MADMAX</smbconfoption>
-<smbconfoption name="realm">BUBBAH.COM</smbconfoption>
-<smbconfoption name="server string">Samba Server</smbconfoption>
-<smbconfoption name="security">ADS</smbconfoption>
-<smbconfoption name="idmap uid">150000-550000</smbconfoption>
-<smbconfoption name="idmap gid">150000-550000</smbconfoption>
-<smbconfoption name="template shell">/bin/bash</smbconfoption>
-<smbconfoption name="winbind use default domain">Yes</smbconfoption>
-<smbconfoption name="winbind trusted domains only">Yes</smbconfoption>
-<smbconfoption name="winbind nested groups">Yes</smbconfoption>
-</smbconfblock>
-</example>
-
-        <para>
-        <indexterm><primary>nss_ldap</primary></indexterm>
-        The DMS must be joined to the domain using the usual procedure. Additionally, it is necessary
-        to build and install the PADL nss_ldap tool set. Be sure to build this tool set with the
-        following:
-<screen>
-./configure --enable-rfc2307bis --enable-schema-mapping
-make install
-</screen>
-        </para>
-
-        <para>
-        <indexterm><primary>/etc/nsswitch.conf</primary></indexterm>
-        The following <filename>/etc/nsswitch.conf</filename> file contents are required:
-<screen>
-...
-passwd: files ldap
-shadow: files ldap
-group:  files ldap
-...
-hosts:  files wins
-...
-</screen>
-        </para>
-
-        <para>
-        <indexterm><primary>/etc/ldap.conf</primary></indexterm>
-        <indexterm><primary>nss_ldap</primary></indexterm>
-        The <filename>/etc/ldap.conf</filename> file must be configured also. Refer to the PADL documentation
-        and source code for nss_ldap instructions.
-        </para>
-
-        <para>
-        The next step involves preparation on the ADS schema. This is briefly discussed in the remaining
-        part of this chapter.
-        </para>
-
-                <sect4>
-                <title>IDMAP, Active Directory, and MS Services for UNIX 3.5</title>
-
-                <para>
-                <indexterm><primary>SFU</primary></indexterm>
-                The Microsoft Windows Service for UNIX version 3.5 is available for free
-                <ulink url="http://www.microsoft.com/windows/sfu/">download</ulink>
-                from the Microsoft Web site. You will need to download this tool and install it following
-                Microsoft instructions.
-                </para>
-
-                </sect4>
-
-                <sect4>
-                <title>IDMAP, Active Directory, and AD4UNIX</title>
-
-                <para>
-                Instructions for obtaining and installing the AD4UNIX tool set can be found from the
-                <ulink url="http://www.geekcomix.com/cgi-bin/classnotes/wiki.pl?LDAP01/An_Alternative_Approach">
-                Geekcomix</ulink> Web site.
-                </para>
-
-                </sect4>
-
-        </sect3>
-
-        </sect2>
-
-	<sect2>
-	<title>UNIX/Linux Client Domain Member</title>
-
-	<para><indexterm>
-	    <primary>user credentials</primary>
-	  </indexterm>
-	So far this chapter has been mainly concerned with the provision of file and print
-	services for domain member servers. However, an increasing number of UNIX/Linux
-	workstations are being installed that do not act as file or print servers to anyone
-	other than a single desktop user. The key demand for desktop systems is to be able
-	to log onto any UNIX/Linux or Windows desktop using the same network user credentials.
-	</para>
-
-	<para><indexterm>
-	    <primary>Single Sign-On</primary>
-	    <see>SSO</see>
-	  </indexterm>
-	The ability to use a common set of user credential across a variety of network systems
-	is generally regarded as a single sign-on (SSO) solution. SSO systems are sold by a
-	large number of vendors and include a range of technologies such as:
-	</para>
-
-	<itemizedlist>
-		<listitem><para>
-		Proxy sign-on
-		</para></listitem>
-
-		<listitem><para>
-		Federated directory provisioning
-		</para></listitem>
-
-		<listitem><para>
-		Metadirectory server solutions
-		</para></listitem>
-
-		<listitem><para>
-		Replacement authentication systems
-		</para></listitem>
-	</itemizedlist>
-
-	<para><indexterm>
-	    <primary>Identity management</primary>
-	  </indexterm>
-	There are really four solutions that provide integrated authentication and
-	user identity management facilities:
-	</para>
-
-	<itemizedlist>
-                <listitem><para>
-		Samba winbind (free). Samba-3.0.20 introduced a complete replacement for Winbind that now
-		provides a greater level of scalability in large ADS environments.
-                </para></listitem>
-
-                <listitem><para>
-		<ulink url="http://www.padl.com">PADL</ulink> PAM and LDAP tools (free).
-                </para></listitem>
-
-                <listitem><para>
-		<ulink url="http://www.vintela.com">Vintela</ulink> Authentication Services (commercial).
-                </para></listitem>
-
-                <listitem><para>
-		<ulink url="http://www.centrify.com">Centrify</ulink> DirectControl (commercial). 
-		Centrify's commercial product allows UNIX and Linux systems to use Active Directory
-		security, directory and policy services.  Enhancements include a centralized ID mapping that 
-		allows Samba, DirectControl and Active Directory to seamlessly work together.
-                </para></listitem>
-        </itemizedlist>
-
-	<para>
-	The following guidelines are pertinent to the deployment of winbind-based authentication
-	and identity resolution with the express purpose of allowing users to log on to UNIX/Linux desktops
-	using Windows network domain user credentials (username and password).
-	</para>
-
-	<para>
-	You should note that it is possible to use LDAP-based PAM and NSS tools to permit distributed
-	systems logons (SSO), providing user and group accounts are stored in an LDAP directory. This
-	provides logon services for UNIX/Linux users, while Windows users obtain their sign-on
-	support via Samba-3.
-	</para>
-
-	<para>
-	<indexterm><primary>Windows Services for UNIX</primary><see>SUS</see></indexterm>
-	On the other hand, if the authentication and identity resolution backend must be provided by
-	a Windows NT4-style domain or from an Active Directory Domain that does not have the Microsoft
-	Windows Services for UNIX installed, winbind is your best friend. Specific guidance for these
-	situations now follows.
-	</para>
-
-	<para>
-	<indexterm><primary>PAM</primary></indexterm>
-	<indexterm><primary>Identity resolution</primary></indexterm>
-	<indexterm><primary>NSS</primary></indexterm>
-	To permit users to log on to a Linux system using Windows network credentials, you need to
-	configure identity resolution (NSS) and PAM. This means that the basic steps include those
-	outlined above with the addition of PAM configuration. Given that most workstations (desktop/client)
-	usually do not need to provide file and print services to a group of users, the configuration
-	of shares and printers is generally less important. Often this allows the share specifications
-	to be entirely removed from the &smb.conf; file. That is obviously an administrator decision.
-	</para>
-
-		<sect3>
-		<title>NT4 Domain Member</title>
-
-		<para>
-		The following steps provide a Linux system that users can log onto using
-		Windows NT4 (or Samba-3) domain network credentials:
-		</para>
-
-		<procedure>
-			<step><para>
-			Follow the steps outlined in <link linkend="wdcsdm"/> and ensure that
-			all validation tests function as shown.
-			</para></step>
-
-			<step><para>
-			Identify what services users must log on to. On Red Hat Linux, if it is
-			intended that the user shall be given access to all services, it may be
-			most expeditious to simply configure the file 
-			<filename>/etc/pam.d/system-auth</filename>.
-			</para></step>
-
-			<step><para>
-			Carefully make a backup copy of all PAM configuration files before you
-			begin making changes. If you break the PAM configuration, please note
-			that you may need to use an emergency boot process to recover your Linux
-			system. It is possible to break the ability to log into the system if
-			PAM files are incorrectly configured. The entire directory 
-			<filename>/etc/pam.d</filename> should be backed up to a safe location.
-			</para></step>
-
-			<step><para>
-			If you require only console login support, edit the <filename>/etc/pam.d/login</filename>
-			so it matches <link linkend="ch9-pamwnbdlogin"/>.
-			</para></step>
-
-			<step><para>
-			To provide the ability to log onto the graphical desktop interface, you must edit
-			the files <filename>gdm</filename> and <filename>xdm</filename> in the 
-			<filename>/etc/pam.d</filename> directory.
-			</para></step>
-
-			<step><para>
-			Edit only one file at a time. Carefully validate its operation before attempting
-			to reboot the machine.
-			</para></step>
-		</procedure>
-
-		</sect3>
-
-		<sect3>
-		<title>ADS Domain Member</title>
-
-		<para>
-		This procedure should be followed to permit a Linux network client (workstation/desktop)
-		to permit users to log on using Microsoft Active Directory-based user credentials.
-		</para>
-
-		<procedure>
-			<step><para>
-			Follow the steps outlined in <link linkend="adssdm"/> and ensure that
-			all validation tests function as shown.
-			</para></step>
-
-			<step><para>
-			Identify what services users must log on to. On Red Hat Linux, if it is
-			intended that the user shall be given access to all services, it may be
-			most expeditious to simply configure the file 
-			<filename>/etc/pam.d/system-auth</filename> as shown in <link linkend="ch9-rhsysauth"/>.
-			</para></step>
-
-			<step><para>
-			Carefully make a backup copy of all PAM configuration files before you
-			begin making changes. If you break the PAM configuration, please note
-			that you may need to use an emergency boot process to recover your Linux
-			system. It is possible to break the ability to log into the system if
-			PAM files are incorrectly configured. The entire directory 
-			<filename>/etc/pam.d</filename> should be backed up to a safe location.
-			</para></step>
-
-			<step><para>
-			If you require only console login support, edit the <filename>/etc/pam.d/login</filename>
-			so it matches <link linkend="ch9-pamwnbdlogin"/>.
-			</para></step>
-
-			<step><para>
-			To provide the ability to log onto the graphical desktop interface, you must edit
-			the files <filename>gdm</filename> and <filename>xdm</filename> in the 
-			<filename>/etc/pam.d</filename> directory.
-			</para></step>
-
-			<step><para>
-			Edit only one file at a time. Carefully validate its operation before attempting
-			to reboot the machine.
-			</para></step>
-		</procedure>
-
-		</sect3>
-
-<example id="ch9-pamwnbdlogin">
-<title>SUSE: PAM <filename>login</filename> Module Using Winbind</title>
-<screen>
-# /etc/pam.d/login
-
-#%PAM-1.0
-auth sufficient pam_unix2.so    nullok
-auth sufficient pam_winbind.so use_first_pass use_authtok
-auth required   pam_securetty.so
-auth required   pam_nologin.so
-auth required   pam_env.so
-auth required   pam_mail.so
-account sufficient      pam_unix2.so
-account sufficient      pam_winbind.so user_first_pass use_authtok
-password required       pam_pwcheck.so  nullok
-password sufficient     pam_unix2.so    nullok use_first_pass use_authtok
-password sufficient     pam_winbind.so  use_first_pass use_authtok
-session sufficient      pam_unix2.so    none
-session sufficient      pam_winbind.so  use_first_pass use_authtok
-session required        pam_limits.so
-</screen>
-</example>
-
-<example id="ch9-pamwbndxdm">
-<title>SUSE: PAM <filename>xdm</filename> Module Using Winbind</title>
-<screen>
-# /etc/pam.d/gdm (/etc/pam.d/xdm)
-
-#%PAM-1.0
-auth     sufficient     pam_unix2.so     nullok
-auth     sufficient     pam_winbind.so   use_first_pass use_authtok
-account  sufficient     pam_unix2.so
-account  sufficient     pam_winbind.so   use_first_pass use_authtok
-password sufficient     pam_unix2.so
-password sufficient     pam_winbind.so   use_first_pass use_authtok
-session  sufficient     pam_unix2.so
-session  sufficient     pam_winbind.so   use_first_pass use_authtok
-session  required       pam_dev perm.so
-session  required       pam_resmgr.so
-</screen>
-</example>
-
-<example id="ch9-rhsysauth">
-<title>Red Hat 9: PAM System Authentication File: <filename>/etc/pam.d/system-auth</filename> Module Using Winbind</title>
-<screen>
-#%PAM-1.0
-auth        required      /lib/security/$ISA/pam_env.so
-auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
-auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
-auth        required      /lib/security/$ISA/pam_deny.so
-
-account     required      /lib/security/$ISA/pam_unix.so
-account     sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
-
-password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
-# Note: The above line is complete. There is nothing following the '='
-password    sufficient    /lib/security/$ISA/pam_unix.so \
-                                             nullok use_authtok md5 shadow
-password    sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
-password    required      /lib/security/$ISA/pam_deny.so
-
-session     required      /lib/security/$ISA/pam_limits.so
-session     sufficient    /lib/security/$ISA/pam_unix.so
-session     sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
-</screen>
-</example>
-
-	</sect2>
-
-	<sect2>
-		<title>Key Points Learned</title>
-
-		<para>
-		The addition of UNIX/Linux Samba servers and clients is a common requirement. In this chapter, you
-		learned how to integrate such servers so that the UID/GID mappings they use can be consistent
-		across all domain member servers. You also discovered how to implement the ability to use Samba
-		or Windows domain account credentials to log on to a UNIX/Linux client.
-		</para>
-
-		<para>
-		The following are key points made in this chapter:
-		</para>
-
-		<itemizedlist>
-			<listitem><para>
-			Domain controllers are always authoritative for the domain.
-			</para></listitem>
-
-			<listitem><para>
-			Domain members may have local accounts and must be able to resolve the identity of 
-			domain user accounts. Domain user account identity must map to a local UID/GID. That 
-			local UID/GID can be stored in LDAP. This way, it is possible to share the IDMAP data 
-			across all domain member machines.
-			</para></listitem>
-
-			<listitem><para>
-			Resolution of user and group identities on domain member machines may be implemented 
-			using direct LDAP services or using winbind.
-			</para></listitem>
-
-			<listitem><para>
-			On NSS/PAM enabled UNIX/Linux systems, NSS is responsible for identity management 
-			and PAM is responsible for authentication of logon credentials (username and password).
-			</para></listitem>
-		</itemizedlist>
-
-	</sect2>
-
-</sect1>
-
-<sect1>
-	<title>Questions and Answers</title>
-
-	<para>
-	The following questions were obtained from the mailing list and also from private discussions
-	with Windows network administrators.
-	</para>
-
-	<qandaset defaultlabel="chap09qa" type="number">
-	<qandaentry>
-	<question>
-
-		<para>
-		We use NIS for all UNIX accounts. Why do we need winbind?
-		</para>
-
-	</question>
-	<answer>
-
-	    <para>
-		<indexterm><primary>NIS</primary></indexterm>
-		<indexterm><primary>encrypted passwords</primary></indexterm>
-		<indexterm><primary>smbpasswd</primary></indexterm>
-		<indexterm><primary>tdbsam</primary></indexterm>
-		<indexterm><primary>passdb backend</primary></indexterm>
-		<indexterm><primary>Winbind</primary></indexterm>
-		You can use NIS for your UNIX accounts. NIS does not store the Windows encrypted
-		passwords that need to be stored in one of the acceptable passdb backends.
-		Your choice of backend is limited to <parameter>smbpasswd</parameter> or
-		<parameter>tdbsam</parameter>. Winbind is needed to handle the resolution of
-		SIDs from trusted domains to local UID/GID values.
-		</para>
-
-	    <para>
-		<indexterm><primary>winbind trusted domains only</primary></indexterm>
-		<indexterm><primary>getpwnam()</primary></indexterm>
-		On a domain member server, you effectively map Windows domain users to local users
-		that are in your NIS database by specifying the <parameter>winbind trusted domains
-		only</parameter>. This causes user and group account lookups to be routed via
-		the <command>getpwnam()</command> family of systems calls. On an NIS-enabled client,
-		this pushes the resolution of users and groups out through NIS.
-		</para>
-
-		<para>
-		As a general rule, it is always a good idea to run winbind on all Samba servers.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-		<para>
-		Our IT management people do not like LDAP but are looking at Microsoft Active Directory. 
-	      Which is better?<indexterm>
-		<primary>Active Directory</primary>
-	      </indexterm>
-		</para>
-
-	</question>
-	<answer>
-
-	    <para><indexterm>
-		<primary>LDAP</primary>
-		<secondary>server</secondary>
-	      </indexterm><indexterm>
-		<primary>Kerberos</primary>
-	      </indexterm><indexterm>
-		<primary>schema</primary>
-	      </indexterm>
-		Microsoft Active Directory is an LDAP server that is intricately tied to a Kerberos
-		infrastructure. Most IT managers who object to LDAP do so because
-		an LDAP server is most often supplied as a raw tool that needs to be configured and
-		for which the administrator must create the schema, create the administration tools, and
-		devise the backup and recovery facilities in a site-dependent manner. LDAP servers
-		in general are seen as a high-energy, high-risk facility.
-		</para>
-
-	    <para><indexterm>
-		<primary>management</primary>
-	      </indexterm>
-		Microsoft Active Directory by comparison is easy to install and configure and
-		is supplied with all tools necessary to implement and manage the directory. For sites
-		that lack a lot of technical competence, Active Directory is a good choice. For sites
-		that have the technical competence to handle Active Directory well, LDAP is a good
-		alternative. The real issue is, What type of solution does
-		the site want? If management wants a choice to use an alternative, they may want to
-		consider the options. On the other hand, if management just wants a solution that works,
-		Microsoft Active Directory is a good solution.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-		<para>
-		We want to implement a Samba PDC, four Samba BDCs, and 10 Samba servers. Is it possible 
-		to use NIS in place of LDAP?
-		</para>
-
-	</question>
-	<answer>
-
-	    <para><indexterm>
-		<primary>NIS</primary>
-	      </indexterm><indexterm>
-		<primary>LDAP</primary>
-	      </indexterm><indexterm>
-		<primary>encrypted passwords</primary>
-	      </indexterm><indexterm>
-		<primary>synchronized</primary>
-	      </indexterm><indexterm>
-		<primary>secure account password</primary>
-	      </indexterm><indexterm>
-		<primary>PDC</primary>
-	      </indexterm><indexterm>
-		<primary>BDC</primary>
-	      </indexterm>
-		Yes, it is possible to use NIS in place of LDAP, but there may be problems with keeping
-		the Windows (SMB) encrypted passwords database correctly synchronized across the entire
-		network. Workstations (Windows client machines) periodically change their domain
-		membership secure account password. How can you keep changes that are on remote BDCs
-		synchronized on the PDC?
-		</para>
-
-	    <para><indexterm>
-		<primary>centralized storage</primary>
-	      </indexterm><indexterm>
-		<primary>management</primary>
-	      </indexterm><indexterm>
-		<primary>network Identities</primary>
-	      </indexterm>
-		LDAP is a more elegant solution because it permits centralized storage and management
-		of all network identities (user, group, and machine accounts) together with all information
-		Samba needs to provide to network clients and their users.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-		<para>
-		Are you suggesting that users should not log on to a domain member server? If so, why?
-		</para>
-
-	</question>
-	<answer>
-
-	    <para><indexterm>
-		<primary>security</primary>
-	      </indexterm><indexterm>
-		<primary>data</primary>
-		<secondary>integrity</secondary>
-	      </indexterm><indexterm>
-		<primary>mapped drives</primary>
-	      </indexterm>
-		Many UNIX administrators mock the model that the personal computer industry has adopted
-		as normative since the early days of Novell NetWare. The old
-		perception of the necessity to keep users off file and print servers was a result of
-		fears concerning the security and integrity of data. It was a simple and generally
-		effective measure to keep users away from servers, except through mapped drives.
-		</para>
-
-	    <para><indexterm>
-		<primary>user logins</primary>
-	      </indexterm><indexterm>
-		<primary>risk</primary>
-	      </indexterm><indexterm>
-		<primary>user errors</primary>
-	      </indexterm><indexterm>
-		<primary>strategy</primary>
-	      </indexterm><indexterm>
-		<primary>policy</primary>
-	      </indexterm>
-		UNIX administrators are fully correct in asserting that UNIX servers and workstations
-		are identical in terms of the software that is installed. They correctly assert that
-		in a well-secured environment it is safe to store files on a system that has hundreds
-		of users. But all network administrators must factor into the decision to allow or
-		reject general user logins to a UNIX system that is principally a file and print
-		server the risk to operations through simple user errors.
-		Only then can one begin to appraise the best strategy and adopt a site-specific
-		policy that best protects the needs of users and of the organization alike.
-		</para>
-
-	    <para><indexterm>
-		<primary>system level logins</primary>
-	      </indexterm>
-		From experience, it is my recommendation to keep general system-level logins to a
-		practical minimum and to eliminate them if possible. This should not be taken as a
-		hard rule, though. The better question is, what works best for the site?
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-	    <para><indexterm>
-		<primary>trusted domains</primary>
-	      </indexterm><indexterm>
-		<primary>domain</primary>
-		<secondary>trusted</secondary>
-	      </indexterm><indexterm>
-		<primary>winbind trusted domains only</primary>
-	      </indexterm><indexterm>
-		<primary>domain members</primary>
-	      </indexterm>
-		We want to ensure that only users from our own domain plus from trusted domains can use our
-		Samba servers. In the &smb.conf; file on all servers, we have enabled the <parameter>winbind
-		trusted domains only</parameter> parameter. We now find that users from trusted domains 
-		cannot access our servers, and users from Windows clients that are not domain members
-		can also access our servers. Is this a Samba bug?
-		</para>
-
-	</question>
-	<answer>
-
-	    <para><indexterm>
-		<primary>distributed</primary>
-	      </indexterm><indexterm>
-		<primary>NIS</primary>
-	      </indexterm><indexterm>
-		<primary>rsync</primary>
-	      </indexterm><indexterm>
-		<primary>LDAP</primary>
-	      </indexterm><indexterm>
-		<primary>winbindd</primary>
-	      </indexterm><indexterm>
-		<primary>/etc/passwd</primary>
-	      </indexterm>
-		The manual page for this <parameter>winbind trusted domains only</parameter> parameter says,
-		<quote>This parameter is designed to allow Samba servers that are members of a Samba-controlled 
-		domain to use UNIX accounts distributed vi NIS, rsync, or LDAP as the UIDs for winbindd users 
-		in the hosts primary domain. Therefore,  the user <constant>SAMBA\user1</constant> would be 
-		mapped to the account <constant>user1</constant> in <filename>/etc/passwd</filename> instead 
-		of allocating a new UID for him or her.</quote> This clearly suggests that you are trying
-		to use this parameter inappropriately.
-		</para>
-
-	    <para><indexterm>
-		<primary>valid users</primary>
-	      </indexterm>
-		A far better solution is to use the <parameter>valid users</parameter> by specifying
-		precisely the domain users and groups that should be permitted access to the shares. You could, 
-		for example, set the following parameters:
-<screen>
-[demoshare]
-	path = /export/demodata
-	valid users = @"Domain Users", @"OTHERDOMAIN\Domain Users"
-</screen>
-		</para>
-
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-		<para>
-		What are the benefits of using LDAP for my domain member servers?
-		</para>
-
-	</question>
-	<answer>
-
-	    <para><indexterm>
-		<primary>LDAP</primary>
-	      </indexterm><indexterm>
-		<primary>benefit</primary>
-	      </indexterm><indexterm>
-		<primary>UID</primary>
-	      </indexterm><indexterm>
-		<primary>GID</primary>
-	      </indexterm><indexterm>
-		<primary>Domain Controllers</primary>
-	      </indexterm><indexterm>
-		<primary>Domain Member servers</primary>
-	      </indexterm><indexterm>
-		<primary>copy</primary>
-	      </indexterm><indexterm>
-		<primary>replicate</primary>
-	      </indexterm><indexterm>
-		<primary>identity</primary>
-	      </indexterm>
-		The key benefit of using LDAP is that the UID of all users and the GID of all groups
-		are globally consistent on domain controllers as well as on domain member servers.
-		This means that it is possible to copy/replicate files across servers without
-		loss of identity.
-		</para>
-
-	    <para><indexterm>
-		<primary>Identity resolution</primary>
-	      </indexterm><indexterm>
-		<primary>winbind</primary>
-	      </indexterm><indexterm>
-		<primary>IDMAP backend</primary>
-	      </indexterm><indexterm>
-		<primary>LDAP</primary>
-	      </indexterm><indexterm>
-		<primary>Domain Controllers</primary>
-	      </indexterm><indexterm>
-		<primary>Domain Member</primary>
-		<secondary>servers</secondary>
-	      </indexterm><indexterm>
-		<primary>Posix</primary>
-	      </indexterm><indexterm>
-		<primary>account information</primary>
-	      </indexterm>
-		When use is made of account identity resolution via winbind, even when an IDMAP backend
-		is stored in LDAP, the UID/GID on domain member servers is consistent, but differs
-		from the ID that the user/group has on domain controllers. The winbind allocated UID/GID
-		that is stored in LDAP (or locally) will be in the numeric range specified in the <parameter>
-		idmap uid/gid</parameter> in the &smb.conf; file. On domain controllers, the UID/GID is
-		that of the POSIX value assigned in the LDAP directory as part of the POSIX account information.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-		<para>
-		Is proper DNS operation necessary for Samba-3 plus LDAP? If so, what must I put into
-		my DNS configuration?
-		</para>
-
-	</question>
-	<answer>
-
-	    <para><indexterm>
-		<primary>DNS</primary>
-		<secondary>configuration</secondary>
-	      </indexterm><indexterm>
-		<primary>DNS</primary>
-		<secondary>lookup</secondary>
-	      </indexterm><indexterm>
-		<primary>hosts</primary>
-	      </indexterm><indexterm>
-		<primary>/etc/nsswitch.conf</primary>
-	      </indexterm><indexterm>
-		<primary>NSS</primary>
-	      </indexterm><indexterm>
-		<primary>/etc/hosts</primary>
-	      </indexterm><indexterm>
-		<primary>WINS</primary>
-		<secondary>lookup</secondary>
-	      </indexterm>
-		Samba depends on correctly functioning resolution of hostnames to their IP address. Samba
-		makes no direct DNS lookup calls, but rather redirects all name-to-address calls via the
-		<command>getXXXbyXXX()</command> function calls. The configuration of the <constant>hosts</constant>
-		entry in the NSS <filename>/etc/nsswitch.conf</filename> file determines how the underlying
-		resolution process is implemented. If the <constant>hosts</constant> entry in your NSS
-		control file says:
-<screen>
-hosts: files dns wins
-</screen>
-		this means that a hostname lookup first tries the <filename>/etc/hosts</filename>.
-		If this fails to resolve, it attempts a DNS lookup, and if that fails, it tries a
-		WINS lookup.
-		</para>
-
-	    <para><indexterm>
-		<primary>NetBIOS</primary>
-	      </indexterm><indexterm>
-		<primary>TCP/IP</primary>
-	      </indexterm><indexterm>
-		<primary>name resolution</primary>
-	      </indexterm>
-		The addition of the WINS-based name lookup makes sense only if NetBIOS over TCP/IP has
-		been enabled on all Windows clients. Where NetBIOS over TCP/IP has been disabled, DNS
-		is the preferred name resolution technology. This usually makes most sense when Samba
-		is a client of an Active Directory domain, where NetBIOS use has been disabled. In this
-		case, the Windows 200x autoregisters all locator records it needs with its own DNS
-		server or servers.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-		<para>
-		Our Windows 2003 Server Active Directory domain runs with NetBIOS disabled. Can we
-		use Samba-3 with that configuration?
-		</para>
-
-	</question>
-	<answer>
-
-		<para>
-		Yes.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-	    <para><indexterm>
-		<primary>net</primary>
-		<secondary>ads</secondary>
-		<tertiary>join</tertiary>
-	      </indexterm><indexterm>
-		<primary>net</primary>
-		<secondary>rpc</secondary>
-		<tertiary>join</tertiary>
-	      </indexterm>
-		When I tried to execute net ads join, I got no output. It did not work, so
-		I think that it failed. I then executed net rpc join and that worked fine.
-		That is okay, isn't it?
-		</para>
-
-	</question>
-	<answer>
-
-	    <para><indexterm>
-		<primary>Kerberos</primary>
-	      </indexterm><indexterm>
-		<primary>authentication</primary>
-	      </indexterm>
-		No. This is not okay. It means that your Samba-3 client has joined the ADS domain as
-		a Windows NT4 client, and Samba-3 will not be using Kerberos-based authentication.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	</qandaset>
-
-</sect1>
-
-</chapter>
diff --git a/docs-xml/Samba3-ByExample/SBE-Appendix1.xml b/docs-xml/Samba3-ByExample/SBE-Appendix1.xml
deleted file mode 100644
index 1b958b3..0000000
--- a/docs-xml/Samba3-ByExample/SBE-Appendix1.xml
+++ /dev/null
@@ -1,1622 +0,0 @@
-<?xml version="1.0" encoding="iso-8859-1"?>
-<!DOCTYPE appendix PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
-
-<chapter id="appendix">
-  <title>A Collection of Useful Tidbits</title>
-
-	<para>
-	<indexterm><primary>material</primary></indexterm>
-	<indexterm><primary>domain</primary><secondary>joining</secondary></indexterm>
-	Information presented here is considered to be either basic or well-known material that is informative
-	yet helpful. Over the years, I have observed an interesting behavior. There is an expectation that
-	the process for joining a Windows client to a Samba-controlled Windows domain may somehow involve steps
-	different from doing so with Windows NT4 or a Windows ADS domain. Be assured that the steps are identical,
-	as shown in the example given below.
-	</para>
-
-<sect1 id="domjoin">
-<title>Joining a Domain: Windows 200x/XP Professional</title>
-
-	<para>
-	<indexterm><primary>joining a domain</primary></indexterm>
-	Microsoft Windows NT/200x/XP Professional platforms can participate in Domain Security.
-	This section steps through the process for making a Windows 200x/XP Professional machine a
-	member of a Domain Security environment. It should be noted that this process is identical
-	when joining a domain that is controlled by Windows NT4/200x as well as a Samba PDC.
-	</para>
-
-	<procedure>
-	<title>Steps to Join a Domain</title>
-
-		<step><para>
-		Click <guimenu>Start</guimenu>.
-		</para></step>
-
-		<step><para>
-		Right-click <guimenu>My Computer</guimenu>, and then select <guimenuitem>Properties</guimenuitem>.
-		</para></step>
-
-		<step><para>
-		The opening panel is the same one that can be reached by clicking <guimenu>System</guimenu> on the Control Panel.
-		See <link linkend="swxpp001"></link>.
-		<figure id="swxpp001"><title>The General Panel.</title><imagefile>wxpp001</imagefile></figure>
-		</para></step>
-
-		<step><para>
-		Click the <guimenu>Computer Name</guimenu> tab.
-		This panel shows the <guimenuitem>Computer Description</guimenuitem>, the <guimenuitem>Full computer name</guimenuitem>,
-		and the <guimenuitem>Workgroup</guimenuitem> or <guimenuitem>Domain name</guimenuitem>.
-		</para>
-
-		<para>
-		Clicking the <guimenu>Network ID</guimenu> button launches the configuration wizard. Do not use this with
-		Samba-3. If you wish to change the computer name, or join or leave the domain, click the <guimenu>Change</guimenu> button.
-		See <link linkend="swxpp004"></link>.
-		<figure id="swxpp004"><title>The Computer Name Panel.</title><imagefile>wxpp004</imagefile></figure>
-		</para></step>
-
-		<step><para>
-		Click on <guimenu>Change</guimenu>. This panel shows that our example machine (TEMPTATION) is in a workgroup called WORKGROUP.
-		We join the domain called MIDEARTH. See <link linkend="swxpp006"></link>.
-		<figure id="swxpp006"><title>The Computer Name Changes Panel</title><imagefile>wxpp006</imagefile></figure>
-		</para></step>
-
-		<step><para>
-		Enter the name <guimenu>MIDEARTH</guimenu> in the field below the Domain radio button.
-		</para>
-
-		<para>
-		This panel shows that our example machine (TEMPTATION) is set to join the domain called MIDEARTH. See <link linkend="swxpp007"></link>.
-		<figure id="swxpp007"><title>The Computer Name Changes Panel &smbmdash; Domain MIDEARTH</title><imagefile>wxpp007</imagefile></figure>
-		</para></step>
-
-		<step><para>
-		Now click the <guimenu>OK</guimenu> button. A dialog box should appear to allow you to provide the credentials (username and password)
-		of a domain administrative account that has the rights to add machines to the domain.
-		</para>
-
-		<para>
-		Enter the name <quote>root</quote> and the root password from your Samba-3 server. See <link linkend="swxpp008"></link>.
-		<figure id="swxpp008"><title>Computer Name Changes &smbmdash; User name and Password Panel</title><imagefile>wxpp008</imagefile></figure>
-		</para></step>
-
-		<step><para>
-		Click <guimenu>OK</guimenu>.
-		</para>
-
-		<para>
-		The <quote>Welcome to the MIDEARTH domain</quote> dialog box should appear. At this point, the machine must be rebooted.
-		Joining the domain is now complete.
-		</para></step>
-
-	</procedure>
-
-	<para>
-	<indexterm><primary>Active Directory</primary></indexterm>
-	<indexterm><primary>DNS</primary></indexterm>
-	The screen capture shown in <link linkend="swxpp007"/> has a button labeled <guimenu>More...</guimenu>. This button opens a
-	panel in which you can set (or change) the Primary DNS suffix of the computer. This is a parameter that mainly affects members
-	of Microsoft Active Directory. Active Directory is heavily oriented around the DNS namespace.
-	</para>
-
-	<para>
-	<indexterm><primary>Netlogon</primary></indexterm>
-	<indexterm><primary>DNS</primary><secondary>dynamic</secondary></indexterm>
-	Where NetBIOS technology uses WINS as well as UDP broadcast as key mechanisms for name resolution, Active Directory servers
-	register their services with the Microsoft Dynamic DNS server. Windows clients must be able to query the correct DNS server
-	to find the services (like which machines are domain controllers or which machines have the Netlogon service running).
-	</para>
-
-	<para>
-	<indexterm><primary>DNS</primary><secondary>suffix</secondary></indexterm>
-	The default setting of the Primary DNS suffix is the Active Directory domain name. When you change the Primary DNS suffix,
-	this does not affect domain membership, but it can break network browsing and the ability to resolve your computer name to
-	a valid IP address.
-	</para>
-
-	<para>
-	The Primary DNS suffix parameter principally affects MS Windows clients that are members of an Active Directory domain.
-	Where the client is a member of a Samba domain, it is preferable to leave this field blank.
-	</para>
-
-	<para>
-	<indexterm><primary>Group Policy</primary></indexterm>
-	According to Microsoft documentation, <quote>If this computer belongs to a group with <constant>Group Policy</constant>
-	enabled on <command>Primary DNS suffice of this computer</command>, the string specified in the Group Policy is used
-	as the primary DNS suffix and you might need to restart your computer to view the correct setting. The local setting is
-	used only if Group Policy is disabled or unspecified.</quote>
-	</para>
-
-</sect1>
-
-<sect1>
-	<title>Samba System File Location</title>
-
-      <para><indexterm>
-	  <primary>default installation</primary>
-	</indexterm><indexterm>
-	  <primary>/usr/local/samba</primary>
-	</indexterm><indexterm>
-	  <primary>/usr/local</primary>
-	</indexterm>
-	One of the frustrations expressed by subscribers to the Samba mailing lists revolves around the choice of where the default Samba Team
-	build and installation process locates its Samba files. The location, chosen in the early 1990s, for the default installation is
-	in the <filename>/usr/local/samba</filename> directory. This is a perfectly reasonable location, particularly given all the other
-	Open Source software that installs into the <filename>/usr/local</filename> subdirectories.
-	</para>
-
-	<para>
-	Several UNIX vendors, and Linux vendors in particular, elected to locate the Samba files in a location other than the Samba Team
-	default. 
-	</para>
-
-      <para><indexterm>
-	  <primary>Free Standards Group</primary>
-	  <see>FSG</see>
-	</indexterm><indexterm>
-	  <primary>FSG</primary>
-	</indexterm><indexterm>
-	  <primary>Linux Standards Base</primary>
-	  <see>LSB</see>
-	</indexterm><indexterm>
-	  <primary>LSB</primary>
-	</indexterm><indexterm>
-	  <primary>File Hierarchy System</primary>
-	  <see>FHS</see>
-	</indexterm><indexterm>
-	  <primary>FHS</primary>
-	</indexterm><indexterm>
-	  <primary>file locations</primary>
-	</indexterm><indexterm>
-	  <primary>/etc/samba</primary>
-	</indexterm><indexterm>
-	  <primary>/usr/sbin</primary>
-	</indexterm><indexterm>
-	  <primary>/usr/bin</primary>
-	</indexterm><indexterm>
-	  <primary>/usr/share</primary>
-	</indexterm><indexterm>
-	  <primary>/usr/share/swat</primary>
-	</indexterm><indexterm>
-	  <primary>/usr/lib/samba</primary>
-	</indexterm><indexterm>
-	  <primary>/usr/share/samba/swat</primary>
-	</indexterm><indexterm>
-	  <primary>SWAT</primary>
-	</indexterm><indexterm>
-	  <primary>VFS modules</primary>
-	</indexterm>
-	Linux vendors, working in conjunction with the Free Standards Group (FSG), Linux Standards Base (LSB), and File Hierarchy	
-	System (FHS), have elected to locate the configuration files under the <filename>/etc/samba</filename> directory, common binary
-	files (those used by users) in the <filename>/usr/bin</filename> directory, and the administrative files (daemons) in the
-	<filename>/usr/sbin</filename> directory. Support files for the Samba Web Admin Tool (SWAT) are located under the
-	<filename>/usr/share</filename> directory, either in <filename>/usr/share/samba/swat</filename> or in
-	<filename>/usr/share/swat</filename>. There are additional support files for <command>smbd</command> in the
-	<filename>/usr/lib/samba</filename> directory tree. The files located there include the dynamically loadable modules for the
-	passdb backend as well as for the VFS modules.
-	</para>
-
-      <para><indexterm>
-	  <primary>/var/lib/samba</primary>
-	</indexterm><indexterm>
-	  <primary>/var/log/samba</primary>
-	</indexterm><indexterm>
-	  <primary>run-time control files</primary>
-	</indexterm>
-	Samba creates runtime control files and generates log files. The runtime control files (tdb and dat files) are stored in
-	the <filename>/var/lib/samba</filename> directory. Log files are created in <filename>/var/log/samba.</filename>
-	</para>
-
-	<para>
-	When Samba is built and installed using the default Samba Team process, all files are located under the 
-	<filename>/usr/local/samba</filename> directory tree. This makes it simple to find the files that Samba owns.
-	</para>
-
-      <para><indexterm>
-	  <primary>smbd</primary>
-	  <secondary>location of files</secondary>
-	</indexterm>
-	One way to find the Samba files that are installed on your UNIX/Linux system is to search for the location
-	of all files called <command>smbd</command>. Here is an example:
-<screen>
-&rootprompt; find / -name smbd -print
-</screen>
-	You can find the location of the configuration files by running:
-<screen>
-&rootprompt; /path-to-binary-file/smbd -b | more
-...
-Paths:
-   SBINDIR: /usr/sbin
-   BINDIR: /usr/bin
-   SWATDIR: /usr/share/samba/swat
-   CONFIGFILE: /etc/samba/smb.conf
-   LOGFILEBASE: /var/log/samba
-   LMHOSTSFILE: /etc/samba/lmhosts
-   LIBDIR: /usr/lib/samba
-   SHLIBEXT: so
-   LOCKDIR: /var/lib/samba
-   PIDDIR: /var/run/samba
-   SMB_PASSWD_FILE: /etc/samba/smbpasswd
-   PRIVATE_DIR: /etc/samba
-...
-</screen>
-	If you wish to locate the Samba version, just run:
-<screen>
-&rootprompt; /path-to-binary-file/smbd -V
-Version 3.0.20-SUSE
-</screen>
-	</para>
-
-	<para>
-	Many people have been caught by installation of Samba using the default Samba Team process when it was already installed
-	by the platform vendor's method. If your platform uses RPM format packages, you can check to see if Samba is installed by
-	executing:<indexterm>
-	  <primary>rpm</primary>
-	</indexterm>
-<screen>
-&rootprompt; rpm -qa | grep samba
-samba3-pdb-3.0.20-1
-samba3-vscan-0.3.6-0
-samba3-winbind-3.0.20-1
-samba3-3.0.20-1
-samba3-python-3.0.20-1
-samba3-utils-3.0.20-1
-samba3-doc-3.0.20-1
-samba3-client-3.0.20-1
-samba3-cifsmount-3.0.20-1
-	</screen><indexterm>
-	  <primary>package names</primary>
-	</indexterm>
-	The package names, of course, vary according to how the vendor, or the binary package builder, prepared them.
-	</para>
-
-</sect1>
-
-<sect1>
-	<title>Starting Samba</title>
-
-      <para><indexterm>
-	  <primary>daemon</primary>
-	</indexterm>
-	Samba essentially consists of two or three daemons. A daemon is a UNIX application that runs in the background and provides services.
-	An example of a service is the Apache Web server for which the daemon is called <command>httpd</command>. In the case of Samba, there
-	are three daemons, two of which are needed as a minimum.
-	</para>
-
-	<para>
-	The Samba server is made up of the following daemons:
-	</para>
-
-<example id="ch12SL">
-<title>A Useful Samba Control Script for SUSE Linux</title>
-<screen>
-#!/bin/bash
-#
-# Script to start/stop samba
-# Locate this in /sbin as a file called 'samba'
-
-RCD=/etc/rc.d
-
-if [ z$1 == 'z' ]; then
-        echo $0 - No arguments given; must be start or stop.
-        exit
-fi
-
-if [ $1 == 'start' ]; then
-        ${RCD}/nmb start
-        ${RCD}/smb start
-        ${RCD}/winbind start
-
-fi
-if [ $1 == 'stop' ]; then
-        ${RCD}/smb stop
-        ${RCD}/winbind stop
-        ${RCD}/nmb stop
-fi
-if [ $1 == 'restart' ]; then
-        ${RCD}/smb stop
-        ${RCD}/winbind stop
-        ${RCD}/nmb stop
-        sleep 5
-        ${RCD}/nmb start
-        ${RCD}/smb start
-        ${RCD}/winbind start
-fi
-exit 0
-</screen>
-</example>
-
-	<variablelist>
-		<varlistentry><term>nmbd</term>
-			<listitem><para>
-			<indexterm><primary>smbd</primary></indexterm>
-			<indexterm><primary>starting samba</primary><secondary>smbd</secondary></indexterm>
-			This daemon handles all name registration and resolution requests. It is the primary vehicle involved
-			in network browsing. It handles all UDP-based protocols. The <command>nmbd</command> daemon should
-			be the first command started as part of the Samba startup process.
-			</para></listitem>
-		</varlistentry>
-
-		<varlistentry><term>smbd</term>
-			<listitem><para>
-			<indexterm><primary>nmbd</primary></indexterm>
-			<indexterm><primary>starting samba</primary><secondary>nmbd</secondary></indexterm>
-			This daemon handles all TCP/IP-based connection services for file- and print-based operations. It also
-			manages local authentication. It should be started immediately following the startup of <command>nmbd</command>.
-			</para></listitem>
-		</varlistentry>
-
-		<varlistentry><term>winbindd</term>
-			<listitem><para>
-			<indexterm><primary>winbindd</primary></indexterm>
-			<indexterm><primary>starting samba</primary><secondary>winbindd</secondary></indexterm>
-			This daemon should be started when Samba is a member of a Windows NT4 or ADS domain. It is also needed when
-			Samba has trust relationships with another domain. The <command>winbindd</command> daemon will check the
-			&smb.conf; file for the presence of the <parameter>idmap uid</parameter> and <parameter>idmap gid</parameter>
-			parameters. If they are not found, <command>winbindd</command> bails out and refuses to start.
-			</para></listitem>
-		</varlistentry>
-	</variablelist>
-
-	<para>
-	When Samba has been packaged by an operating system vendor, the startup process is typically a custom feature of its
-	integration into the platform as a whole. Please refer to your operating system platform administration manuals for
-	specific information pertaining to correct management of Samba startup.
-	</para>
-
-<example id="ch12RHscript">
-<title>A Sample Samba Control Script for Red Hat Linux</title>
-<screen>
-#!/bin/sh
-#
-# chkconfig: 345 81 35
-# description: Starts and stops the Samba smbd and nmbd daemons \
-#              used to provide SMB network services.
-
-# Source function library.
-. /etc/rc.d/init.d/functions
-# Source networking configuration.
-. /etc/sysconfig/network
-# Check that networking is up.
-[ ${NETWORKING} = "no" ] && exit 0
-CONFIG=/etc/samba/smb.conf
-# Check that smb.conf exists.
-[ -f $CONFIG ] || exit 0
-
-# See how we were called.
-case "$1" in
-  start)
-        echo -n "Starting SMB services: "
-        daemon smbd -D; daemon nmbd -D; echo;
-        touch /var/lock/subsys/smb
-        ;;
-  stop)
-        echo -n "Shutting down SMB services: "
-        smbdpids=`ps guax | grep smbd | grep -v grep | awk '{print $2}'`
-        for pid in $smbdpids; do
-                kill -TERM $pid
-        done
-        killproc nmbd -TERM; rm -f /var/lock/subsys/smb
-        echo ""
-        ;;
-  status)
-        status smbd; status nmbd;
-        ;;
-  restart)
-        echo -n "Restarting SMB services: "
-        $0 stop; $0 start;
-        echo "done."
-        ;;
-  *)
-        echo "Usage: smb {start|stop|restart|status}"
-        exit 1
-esac
-</screen>
-</example>
-
-      <para><indexterm>
-	  <primary>samba control script</primary>
-	</indexterm>
-	SUSE Linux implements individual control over each Samba daemon. A Samba control script that can be conveniently
-	executed from the command line is shown in <link linkend="ch12SL"/>. This can be located in the directory
-	<filename>/sbin</filename> in a file called <filename>samba</filename>. This type of control script should be
-	owned by user root and group root, and set so that only root can execute it.
-	</para>
-
-      <para><indexterm>
-	  <primary>startup script</primary>
-	</indexterm>
-	A sample startup script for a Red Hat Linux system is shown in <link linkend="ch12RHscript"/>.
-	This file could be located in the directory <filename>/etc/rc.d</filename> and can be called
-	<filename>samba</filename>. A similar startup script is required to control <command>winbind</command>.
-	If you want to find more information regarding startup scripts please refer to the packaging section of
-	the Samba source code distribution tarball. The packaging files for each platform include a
-	startup control file.
-	</para>
-
-</sect1>
-
-<sect1>
-	<title>DNS Configuration Files</title>
-
-	<para>
-	The following files are common to all DNS server configurations. Rather than repeat them multiple times, they
-	are presented here for general reference.
-	</para>
-
-	<sect2>
-	<title>The Forward Zone File for the Loopback Adaptor</title>
-
-	<para>
-	The forward zone file for the loopback address never changes. An example file is shown
-	in <link linkend="loopback"/>. All traffic destined for an IP address that is hosted on a
-	physical interface on the machine itself is routed to the loopback adaptor. This is
-	a fundamental design feature of the TCP/IP protocol implementation. The loopback adaptor
-	is called <constant>localhost</constant>.
-	</para>
-
-<example id="loopback">
-<title>DNS Localhost Forward Zone File: <filename>/var/lib/named/localhost.zone</filename></title>
-<screen>
-$TTL 1W
-@		IN SOA	@   root (
-				42		; serial
-				2D		; refresh
-				4H		; retry
-				6W		; expiry
-				1W )		; minimum
-
-		IN NS		@
-		IN A		127.0.0.1
-</screen>
-</example>
-
-	</sect2>
-
-	<sect2>
-	<title>The Reverse Zone File for the Loopback Adaptor</title>
-
-	<para>
-	The reverse zone file for the loopback address as shown in <link linkend="dnsloopy"/>
-	is necessary so that references to the address <constant>127.0.0.1</constant> can be
-	resolved to the correct name of the interface. 
-	</para>
-
-<example id="dnsloopy">
-<title>DNS Localhost Reverse Zone File: <filename>/var/lib/named/127.0.0.zone</filename></title>
-<screen>
-$TTL 1W
-@		IN SOA		localhost.   root.localhost. (
-				42		; serial
-				2D		; refresh
-				4H		; retry
-				6W		; expiry
-				1W )		; minimum
-
-		IN NS		localhost.
-1		IN PTR		localhost.
-</screen>
-</example>
-
-<example id="roothint">
-<title>DNS Root Name Server Hint File: <filename>/var/lib/named/root.hint</filename></title>
-<screen>
-; This file is made available by InterNIC under anonymous FTP as
-;       file                /domain/named.root
-;       on server           FTP.INTERNIC.NET
-; last update: Nov 5, 2002. Related version of root zone: 2002110501
-; formerly NS.INTERNIC.NET
-.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
-A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
-; formerly NS1.ISI.EDU
-.                        3600000      NS    B.ROOT-SERVERS.NET.
-B.ROOT-SERVERS.NET.      3600000      A     128.9.0.107
-; formerly C.PSI.NET
-.                        3600000      NS    C.ROOT-SERVERS.NET.
-C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
-; formerly TERP.UMD.EDU
-.                        3600000      NS    D.ROOT-SERVERS.NET.
-D.ROOT-SERVERS.NET.      3600000      A     128.8.10.90
-; formerly NS.NASA.GOV
-.                        3600000      NS    E.ROOT-SERVERS.NET.
-E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
-; formerly NS.ISC.ORG
-.                        3600000      NS    F.ROOT-SERVERS.NET.
-F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
-; formerly NS.NIC.DDN.MIL
-.                        3600000      NS    G.ROOT-SERVERS.NET.
-G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
-; formerly AOS.ARL.ARMY.MIL
-.                        3600000      NS    H.ROOT-SERVERS.NET.
-H.ROOT-SERVERS.NET.      3600000      A     128.63.2.53
-; formerly NIC.NORDU.NET
-.                        3600000      NS    I.ROOT-SERVERS.NET.
-I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
-; operated by VeriSign, Inc. 
-.                        3600000      NS    J.ROOT-SERVERS.NET.
-J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
-; housed in LINX, operated by RIPE NCC
-.                        3600000      NS    K.ROOT-SERVERS.NET.
-K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129 
-; operated by IANA
-.                        3600000      NS    L.ROOT-SERVERS.NET.
-L.ROOT-SERVERS.NET.      3600000      A     198.32.64.12
-; housed in Japan, operated by WIDE
-.                        3600000      NS    M.ROOT-SERVERS.NET.
-M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
-; End of File
-</screen>
-</example>
-	</sect2>
-
-	<sect2>
-	<title>DNS Root Server Hint File</title>
-
-	<para>
-	The content of the root hints file as shown in <link linkend="roothint"/>  changes slowly over time. 
-	Periodically this file should be updated from the source shown. Because
-	  of its size, this file is located at the end of this chapter.
-	</para>
-
-	</sect2>
-
-</sect1>
-
-<sect1 id="altldapcfg">
-	<title>Alternative LDAP Database Initialization</title>
-
-      <para><indexterm>
-	  <primary>LDAP</primary>
-	  <secondary>database</secondary>
-	</indexterm><indexterm>
-	  <primary>LDAP</primary>
-	  <secondary>initial configuration</secondary>
-	</indexterm>
-	The following procedure may be used as an alternative means of configuring
-	the initial LDAP database. Many administrators prefer to have greater control
-	over how system files get configured.
-	</para>
-
-	<sect2>
-	<title>Initialization of the LDAP Database</title>
-
-	<para><indexterm>
-	    <primary>LDIF</primary>
-	  </indexterm><indexterm>
-	    <primary>Domain Groups</primary>
-	    <secondary>well-known</secondary>
-	  </indexterm><indexterm>
-	    <primary>SID</primary>
-	  </indexterm>
-	The first step to get the LDAP server ready for action is to create the LDIF file from
-	which the LDAP database will be preloaded. This is necessary to create the containers
-	into which the user, group, and other accounts are written. It is also necessary to
-	preload the well-known Windows NT Domain Groups, as they must have the correct SID so
-	that they can be recognized as special NT Groups by the MS Windows clients.
-	</para>
-
-	<procedure id="ldapinit">
-	<title>LDAP Directory Pre-Load Steps</title>
-
-		<step><para>
-		Create a directory in which to store the files you use to generate
-		the LDAP LDIF file for your system. Execute the following:
-<screen>
-&rootprompt; mkdir /etc/openldap/SambaInit
-&rootprompt; chown root:root /etc/openldap/SambaInit
-&rootprompt; chmod 700 /etc/openldap/SambaInit
-</screen>
-		</para></step>
-
-		<step><para>
-		Install the files shown in <link linkend="sbehap-ldapreconfa"/>, <link linkend="sbehap-ldapreconfb"/>,
-		and <link linkend="sbehap-ldapreconfc"/> into the directory 
-		<filename>/etc/openldap/SambaInit/SMBLDAP-ldif-preconfig.sh.</filename> These three files are,
-		respectively, parts A, B, and C of the <filename>SMBLDAP-ldif-preconfig.sh</filename> file.
-		</para></step>
-
-		<step><para>
-		Install the files shown in <link linkend="sbehap-ldifpata"/> and <link linkend="sbehap-ldifpatb"/> into the directory
-		<filename>/etc/openldap/SambaInit/.</filename> These two files are
-                parts A and B, respectively, of the <filename>init-ldif.pat</filename> file.
-		</para></step>
-
-		<step><para>
-		Change to the <filename>/etc/openldap/SambaInit</filename> directory. Execute the following:
-<screen>
-&rootprompt; sh SMBLDAP-ldif-preconfig.sh
-
-How do you wish to refer to your organization?
-Suggestions:
-        Black Tire Company, Inc.
-        Cat With Hat Ltd.
-How would you like your organization name to appear?
-Your organization name is: My Organization
-Enter a new name is this is not what you want, press Enter to Continue.
-Name [My Organization]: Abmas Inc.
-
-Samba Config File Location [/etc/samba/smb.conf]:
-Enter a new full path or press Enter to continue.
-Samba Config File Location [/etc/samba/smb.conf]:
-Domain Name: MEGANET2
-Domain SID: S-1-5-21-3504140859-1010554828-2431957765
-
-The name of your Internet domain is now needed in a special format
-as follows, if your domain name is mydomain.org, what we need is
-the information in the form of:
-        Domain ID: mydomain
-        Top level: org
-If your fully qualified hostname is: snoopy.bazaar.garagesale.net
-where "snoopy" is the name of the machine,
-Then the information needed is:
-        Domain ID: garagesale
-        Top Level: net
-
-Found the following domain name: abmas.biz
-I think the bit we are looking for might be: abmas
-Enter the domain name or press Enter to continue:
-
-The top level organization name I will use is: biz
-Enter the top level org name or press Enter to continue:
-&rootprompt;
-</screen>
-		This creates a file called <filename>MEGANET2.ldif</filename>.
-		</para></step>
-
-		<step><para>
-		It is now time to preload the LDAP database with the following
-		command:
-<screen>
-&rootprompt; slapadd -v -l MEGANET2.ldif
-added: "dc=abmas,dc=biz" (00000001)
-added: "cn=Manager,dc=abmas,dc=biz" (00000002)
-added: "ou=People,dc=abmas,dc=biz" (00000003)
-added: "ou=Computers,dc=abmas,dc=biz" (00000004)
-added: "ou=Groups,dc=abmas,dc=biz" (00000005)
-added: "ou=Domains,dc=abmas,dc=biz" (00000006)
-added: "sambaDomainName=MEGANET2,ou=Domains,dc=abmas,dc=biz" (00000007)
-added: "cn=domadmins,ou=Groups,dc=abmas,dc=biz" (00000008)
-added: "cn=domguests,ou=Groups,dc=abmas,dc=biz" (00000009)
-added: "cn=domusers,ou=Groups,dc=abmas,dc=biz" (0000000a)
-</screen>
-		You should verify that the account information was correctly loaded by executing:
-<screen>
-&rootprompt; slapcat
-dn: dc=abmas,dc=biz
-objectClass: dcObject
-objectClass: organization
-dc: abmas
-o: Abmas Inc.
-description: Posix and Samba LDAP Identity Database
-structuralObjectClass: organization
-entryUUID: af552f8e-c4a1-1027-9002-9421e01bf474
-creatorsName: cn=manager,dc=abmas,dc=biz
-modifiersName: cn=manager,dc=abmas,dc=biz
-createTimestamp: 20031217055747Z
-modifyTimestamp: 20031217055747Z
-entryCSN: 2003121705:57:47Z#0x0001#0#0000
-...
-
-dn: cn=domusers,ou=Groups,dc=abmas,dc=biz
-objectClass: posixGroup
-objectClass: sambaGroupMapping
-gidNumber: 513
-cn: domusers
-sambaSID: S-1-5-21-3504140859-1010554828-2431957765-513
-sambaGroupType: 2
-displayName: Domain Users
-description: Domain Users
-structuralObjectClass: posixGroup
-entryUUID: af7e98ba-c4a1-1027-900b-9421e01bf474
-creatorsName: cn=manager,dc=abmas,dc=biz
-modifiersName: cn=manager,dc=abmas,dc=biz
-createTimestamp: 20031217055747Z
-modifyTimestamp: 20031217055747Z
-entryCSN: 2003121705:57:47Z#0x000a#0#0000
-</screen>
-		</para></step>
-
-		<step><para>
-		Your LDAP database is ready for testing. You can now start the LDAP server
-		using the system tool for your Linux operating system. For SUSE Linux, you can
-		do this as follows:
-<screen>
-&rootprompt; rcldap start
-</screen>
-		</para></step>
-
-		<step><para>
-		It is now a good idea to validate that the LDAP server is running correctly.
-		Execute the following:
-<screen>
-&rootprompt; ldapsearch -x -b "dc=abmas,dc=biz" "(ObjectClass=*)"
-# extended LDIF
-#
-# LDAPv3
-# base <dc=abmas,dc=biz> with scope sub
-# filter: (ObjectClass=*)
-# requesting: ALL
-#
-
-# abmas.biz
-dn: dc=abmas,dc=biz
-objectClass: dcObject
-objectClass: organization
-dc: abmas
-o: Abmas Inc.
-description: Posix and Samba LDAP Identity Database
-...
-# domusers, Groups, abmas.biz
-dn: cn=domusers,ou=Groups,dc=abmas,dc=biz
-objectClass: posixGroup
-objectClass: sambaGroupMapping
-gidNumber: 513
-cn: domusers
-sambaSID: S-1-5-21-3504140859-1010554828-2431957765-513
-sambaGroupType: 2
-displayName: Domain Users
-description: Domain Users
-
-# search result
-search: 2
-result: 0 Success
-
-# numResponses: 11
-# numEntries: 10
-</screen>
-		Your LDAP server is ready for creation of additional accounts.
-		</para></step>
-	</procedure>
-
-	</sect2>
-
-<example id="sbehap-ldapreconfa">
-<title>LDAP Pre-configuration Script: <filename>SMBLDAP-ldif-preconfig.sh</filename> &smbmdash; Part A</title>
-<screen>
-#!/bin/bash
-#
-# This script prepares the ldif LDAP load file only
-#
-
-# Pattern File Name
-file=init-ldif.pat
-
-# The name of my organization
-ORGNAME="My Organization"
-
-# My Internet domain. ie: if my domain is: buckets.org, INETDOMAIN="buckets"
-INETDOMAIN="my-domain"
-
-# In the above case, md domain is: buckets.org, TLDORG="org"
-TLDORG="org"
-
-# This is the Samba Domain/Workgroup Name
-DOMNAME="MYWORKGROUP"
-
-#
-# Here We Go ...
-#
-
-cat <<EOF
-
-How do you wish to refer to your organization?
-
-Suggestions:
-	Black Tire Company, Inc.
-	Cat With Hat Ltd.
-
-How would you like your organization name to appear?
-
-EOF
-
-echo "Your organization name is: $ORGNAME"
-echo
-echo "Enter a new name or, press Enter to Continue."
-echo
-</screen>
-</example>
-
-<example id="sbehap-ldapreconfb">
-<title>LDAP Pre-configuration Script: <filename>SMBLDAP-ldif-preconfig.sh</filename> &smbmdash; Part B</title>
-<screen>
-echo -e -n "Name [$ORGNAME]: "
-	read name
-
-if [ ! -z "$name" ]; then 
-	ORGNAME=${name}
-fi
-echo
-sed "s/ORGNAME/${ORGNAME}/g" < $file > $file.tmp1
-
-# Try to find smb.conf
-
-if [ -e /usr/local/samba/lib/smb.conf ]; then
-	CONF=/usr/local/samba/lib/smb.conf
-elif [ -e /etc/samba/smb.conf ]; then
-	CONF=/etc/samba/smb.conf
-fi
-
-echo "Samba Config File Location [$CONF]: "
-echo
-echo "Enter a new full path or press Enter to continue."
-echo
-echo -n "Samba Config File Location [$CONF]: "
-	read name
-if [ ! -z "$name" ]; then
-	CONF=$name
-fi
-echo
-
-# Find the name of our Domain/Workgroup
-DOMNAME=`grep -i workgroup ${CONF} | sed "s/ //g" | cut -f2 -d=`
-echo Domain Name: $DOMNAME
-echo
-
-sed "s/DOMNAME/${DOMNAME}/g" < $file.tmp1 > $file.tmp2
-
-DOMSID=`net getlocalsid ${DOMNAME} | cut -f2 -d: | sed "s/ //g"`
-echo Domain SID: $DOMSID
-
-sed "s/DOMSID/${DOMSID}/g" < $file.tmp2 > $file.tmp1
-</screen>
-</example>
-
-<example id="sbehap-ldapreconfc">
-<title>LDAP Pre-configuration Script: <filename>SMBLDAP-ldif-preconfig.sh</filename> &smbmdash; Part C</title>
-<screen>
-cat <<EOL
-The name of your Internet domain is now needed in a special format
-as follows, if your domain name is mydomain.org, what we need is
-the information in the form of:
-	Domain ID: mydomain
-	Top level: org
-
-If your fully qualified hostname is: snoopy.bazaar.garagesale.net
-where "snoopy" is the name of the machine,
-Then the information needed is:
-	Domain ID: garagesale
-	Top Level: net
-
-EOL
-INETDOMAIN=`hostname -d | cut -f1 -d.`
-echo Found the following domain name: `hostname -d`
-echo "I think the bit we are looking for might be: $INETDOMAIN"
-echo
-echo -n "Enter the domain name or press Enter to continue: "
-	read domnam
-if [ ! -z $domnam ]; then
-	INETDOMAIN=$domnam
-fi
-echo
-sed "s/INETDOMAIN/${INETDOMAIN}/g" < $file.tmp1 > $file.tmp2
-TLDORG=`hostname -d | sed "s/${INETDOMAIN}.//g"`
-echo "The top level organization name I will use is: ${TLDORG}"
-echo
-echo -n "Enter the top level org name or press Enter to continue: "
-	read domnam
-if [ ! -z $domnam ]; then
-        TLDORG=$domnam
-fi
-sed "s/TLDORG/${TLDORG}/g" < $file.tmp2 > $DOMNAME.ldif
-rm $file.tmp*
-exit 0
-</screen>
-</example>
-
-<example id="sbehap-ldifpata">
-<title>LDIF Pattern File Used to Pre-configure LDAP &smbmdash; Part A</title>
-<screen>
-dn: dc=INETDOMAIN,dc=TLDORG
-objectClass: dcObject
-objectClass: organization
-dc: INETDOMAIN
-o: ORGNAME
-description: Posix and Samba LDAP Identity Database
-
-dn: cn=Manager,dc=INETDOMAIN,dc=TLDORG
-objectClass: organizationalRole
-cn: Manager
-description: Directory Manager
-
-dn: ou=People,dc=INETDOMAIN,dc=TLDORG
-objectClass: top
-objectClass: organizationalUnit
-ou: People
-
-dn: ou=Computers,dc=INETDOMAIN,dc=TLDORG
-objectClass: top
-objectClass: organizationalUnit
-ou: Computers
-
-dn: ou=Groups,dc=INETDOMAIN,dc=TLDORG
-objectClass: top
-objectClass: organizationalUnit
-ou: Groups
-
-dn: ou=Idmap,dc=INETDOMAIN,dc=TLDORG
-objectClass: top
-objectClass: organizationalUnit
-ou: Idmap
-
-dn: ou=Domains,dc=INETDOMAIN,dc=TLDORG
-objectClass: top
-objectClass: organizationalUnit
-ou: Domains
-
-dn: sambaDomainName=DOMNAME,ou=Domains,dc=INETDOMAIN,dc=TLDORG
-objectClass: sambaDomain
-sambaDomainName: DOMNAME
-sambaSID: DOMSID
-sambaAlgorithmicRidBase: 1000
-structuralObjectClass: sambaDomain
-</screen>
-</example>
-
-<example id="sbehap-ldifpatb">
-<title>LDIF Pattern File Used to Pre-configure LDAP &smbmdash; Part B</title>
-<screen>
-dn: cn=domadmins,ou=Groups,dc=INETDOMAIN,dc=TLDORG
-objectClass: posixGroup
-objectClass: sambaGroupMapping
-gidNumber: 512
-cn: domadmins
-sambaSID: DOMSID-512
-sambaGroupType: 2
-displayName: Domain Admins
-description: Domain Administrators
-
-dn: cn=domguests,ou=Groups,dc=INETDOMAIN,dc=TLDORG
-objectClass: posixGroup
-objectClass: sambaGroupMapping
-gidNumber: 514
-cn: domguests
-sambaSID: DOMSID-514
-sambaGroupType: 2
-displayName: Domain Guests
-description: Domain Guests Users
-
-dn: cn=domusers,ou=Groups,dc=INETDOMAIN,dc=TLDORG
-objectClass: posixGroup
-objectClass: sambaGroupMapping
-gidNumber: 513
-cn: domusers
-sambaSID: DOMSID-513
-sambaGroupType: 2
-displayName: Domain Users
-description: Domain Users
-</screen>
-</example>
-
-</sect1>
-
-<sect1>
-<title>The LDAP Account Manager</title>
-
-<para>
-<indexterm><primary>LAM</primary></indexterm>
-<indexterm><primary>LDAP Account Manager</primary><see>LAM</see></indexterm>
-<indexterm><primary>PHP</primary></indexterm>
-<indexterm><primary>unencrypted</primary></indexterm>
-<indexterm><primary>SSL</primary></indexterm>
-<indexterm><primary>Posix</primary></indexterm>
-<indexterm><primary>accounts</primary><secondary>manage</secondary></indexterm>
-The LDAP Account Manager (LAM) is an application suite that has been written in PHP.
-LAM can be used with any Web server that has PHP4 support. It connects to the LDAP
-server either using unencrypted connections or via SSL/TLS. LAM can be used to manage
-Posix accounts as well as SambaSAMAccounts for users, groups, and Windows machines
-(hosts).
-</para>
-
-<para>
-LAM is available from the <ulink url="http://sourceforge.net/projects/lam/">LAM</ulink>
-home page and from its mirror sites. LAM has been released under the GNU GPL version 2.
-The current version of LAM is 0.4.9. Release of version 0.5 is expected in the third quarter
-of 2005.
-</para>
-
-<para>
-<indexterm><primary>PHP4</primary></indexterm>
-<indexterm><primary>OpenLDAP</primary></indexterm>
-<indexterm><primary>Perl</primary></indexterm>
-Requirements:
-</para>
-
-<itemizedlist>
-	<listitem><para>A web server that will work with PHP4.</para></listitem>
-	<listitem><para>PHP4 (available from the <ulink url="http://www.php.net/">PHP</ulink> home page.)</para></listitem>
-	<listitem><para>OpenLDAP 2.0 or later.</para></listitem>
-	<listitem><para>A Web browser that supports CSS.</para></listitem>
-	<listitem><para>Perl.</para></listitem>
-	<listitem><para>The gettext package.</para></listitem>
-	<listitem><para>mcrypt + mhash (optional).</para></listitem>
-	<listitem><para>It is also a good idea to install SSL support.</para></listitem>
-</itemizedlist>
-
-<para>
-LAM is a useful tool that provides a simple Web-based device that can be used to
-manage the contents of the LDAP directory to:
-<indexterm><primary>organizational units</primary></indexterm>
-<indexterm><primary>operating profiles</primary></indexterm>
-<indexterm><primary>account policies</primary></indexterm>
-</para>
-
-<itemizedlist>
-	<listitem><para>Display user/group/host and Domain entries.</para></listitem>
-	<listitem><para>Manage entries (Add/Delete/Edit).</para></listitem>
-	<listitem><para>Filter and sort entries.</para></listitem>
-	<listitem><para>Store and use multiple operating profiles.</para></listitem>
-	<listitem><para>Edit organizational units (OUs).</para></listitem>
-	<listitem><para>Upload accounts from a file.</para></listitem>
-	<listitem><para>Is compatible with Samba-2.2.x and Samba-3.</para></listitem>
-</itemizedlist>
-
-<para>
-When correctly configured, LAM allows convenient management of UNIX (Posix) and Samba
-user, group, and windows domain member machine accounts.
-</para>
-
-<para>
-<indexterm><primary>default password</primary></indexterm>
-<indexterm><primary>secure connections</primary></indexterm>
-<indexterm><primary>LAM</primary></indexterm>
-<indexterm><primary>SSL</primary></indexterm>
-The default password is <quote>lam.</quote> It is highly recommended that you use only 
-an SSL connection to your Web server for all remote operations involving LAM. If you 
-want secure connections, you must configure your Apache Web server to permit connections 
-to LAM using only SSL.
-</para>
-
-<procedure id="sbehap-laminst">
-<title>Apache Configuration Steps for LAM</title>
-
-	<step><para>
-	Extract the LAM package by untarring it as shown here:
-<screen>
-&rootprompt; tar xzf ldap-account-manager_0.4.9.tar.gz
-</screen>
-	Alternatively, install the LAM DEB for your system using the following command:
-<screen>
-&rootprompt; dpkg -i ldap-account-manager_0.4.9.all.deb
-</screen>
-	</para></step>
-	
-	<step><para>
-	Copy the extracted files to the document root directory of your Web server.
-	For example, on SUSE Linux Enterprise Server 9, copy to the 
-	<filename>/srv/www/htdocs</filename> directory.
-	</para></step>
-
-	<step><para>
-	<indexterm><primary>file permissions</primary></indexterm>
-	Set file permissions using the following commands:
-<screen>
-&rootprompt; chown -R wwwrun:www /srv/www/htdocs/lam
-&rootprompt; chmod 755 /srv/www/htdocs/lam/sess
-&rootprompt; chmod 755 /srv/www/htdocs/lam/tmp
-&rootprompt; chmod 755 /srv/www/htdocs/lam/config
-&rootprompt; chmod 755 /srv/www/htdocs/lam/lib/*pl
-</screen>
-	</para></step>
-
-	<step><para>
-	<indexterm><primary>LAM</primary><secondary>configuration file</secondary></indexterm>
-       Using your favorite editor create the following <filename>config.cfg</filename>
-       LAM configuration file:
-<screen>
-&rootprompt; cd /srv/www/htdocs/lam/config
-&rootprompt; cp config.cfg_sample config.cfg
-&rootprompt; vi config.cfg
-</screen>
-	<indexterm><primary>LAM</primary><secondary>profile</secondary></indexterm>
-	<indexterm><primary>LAM</primary><secondary>wizard</secondary></indexterm>
-	An example file is shown in <link linkend="lamcfg"/>.
-	This is the minimum configuration that must be completed. The LAM profile
-	file can be created using a convenient wizard that is part of the LAM
-	configuration suite.
-	</para></step>
-
-	<step><para>
-	Start your Web server then, using your Web browser, connect to 
-	<ulink url="http://localhost/lam">LAM</ulink> URL. Click on the
-	the <parameter>Configuration Login</parameter> link then click on the
-	Configuration Wizard link to begin creation of the default profile so that 
-	LAM can connect to your LDAP server. Alternately, copy the 
-	<filename>lam.conf_sample</filename> file to a file called 
-	<filename>lam.conf</filename> then, using your favorite editor, 
-	change the settings to match local site needs.
-	</para></step>
-</procedure>
-
-	<para>
-	<indexterm><primary>pitfalls</primary></indexterm>
-	An example of a working file is shown here in <link linkend="lamconf"/>.
-	This file has been stripped of comments to keep the size small. The comments
-	and help information provided in the profile file that the wizard creates
-	is very useful and will help many administrators to avoid pitfalls.
-	Your configuration file obviously reflects the configuration options that
-	are preferred at your site.
-	</para>
-
-	<para>
-	<indexterm><primary>LAM</primary><secondary>login screen</secondary></indexterm>
-	It is important that your LDAP server is running at the time that LAM is 
-	being configured. This permits you to validate correct operation.
-	An example of the LAM login screen is provided in <link linkend="lam-login"/>.
-	</para>
-
-	<figure id="lam-login">
-		<title>The LDAP Account Manager Login Screen</title>
-		<imagefile scale="50">lam-login</imagefile>
-	</figure>
-
-	<para>
-	<indexterm><primary>LAM</primary><secondary>configuration editor</secondary></indexterm>
-	The LAM configuration editor has a number of options that must be managed correctly.
-	An example of use of the LAM configuration editor is shown in <link linkend="lam-config"/>.
-	It is important that you correctly set the minimum and maximum UID/GID values that are
-	permitted for use at your site. The default values may not be compatible with a need to
-	modify initial default account values for well-known Windows network users and groups.
-	The best work-around is to temporarily set the minimum values to zero (0) to permit
-	the initial settings to be made. Do not forget to reset these to sensible values before
-	using LAM to add additional users and groups.
-	</para>
-
-	<figure id="lam-config">
-		<title>The LDAP Account Manager Configuration Screen</title>
-		<imagefile scale="50">lam-config</imagefile>
-	</figure>
-
-	<para>
-	<indexterm><primary>PDF</primary></indexterm>
-	LAM has some nice, but unusual features. For example, one unexpected feature in most application
-	screens permits the generation of a PDF file that lists configuration information. This is a well
-	thought out facility. This option has been edited out of the following screen shots to conserve
-	space.
-	</para>
-
-	<para>
-	<indexterm><primary>LAM</primary><secondary>opening screen</secondary></indexterm>
-	When you log onto LAM the opening screen drops you right into the user manager as shown in
-	<link linkend="lam-user"/>. This is a logical action as it permits the most-needed facility
-	to be used immediately. The editing of an existing user, as with the addition of a new user,
-	is easy to follow and very clear in both layout and intent. It is a simple matter to edit
-	generic settings, UNIX specific parameters, and then Samba account requirements. Each step
-	involves clicking a button that intuitively drives you through the process. When you have
-	finished editing simply press the <guimenu>Final</guimenu> button.
-	</para>
-
-	<figure id="lam-user">
-		<title>The LDAP Account Manager User Edit Screen</title>
-		<imagefile scale="50">lam-users</imagefile>
-	</figure>
-
-	<para>
-	The edit screen for groups is shown in <link linkend="lam-group"/>. As with the edit screen
-	for user accounts, group accounts may be rapidly dealt with. <link linkend="lam-group-mem"/>
-	shows a sub-screen from the group editor that permits users to be assigned secondary group
-	memberships. 
-	</para>
-
-	<figure id="lam-group">
-		<title>The LDAP Account Manager Group Edit Screen</title>
-		<imagefile scale="50">lam-groups</imagefile>
-	</figure>
-
-	<figure id="lam-group-mem">
-		<title>The LDAP Account Manager Group Membership Edit Screen</title>
-		<imagefile scale="50">lam-group-members</imagefile>
-	</figure>
-
-	<para>
-	<indexterm><primary>smbldap-tools</primary></indexterm><indexterm><primary>scripts</primary></indexterm>
-	The final screen presented here is one that you should not normally need to use. Host accounts will
-	be automatically managed using the smbldap-tools scripts. This means that the screen <link linkend="lam-host"/>
-	will, in most cases, not be used.
-	</para>
-
-	<figure id="lam-host">
-		<title>The LDAP Account Manager Host Edit Screen</title>
-		<imagefile scale="50">lam-hosts</imagefile>
-	</figure>
-
-	<para>
-	One aspect of LAM that may annoy some users is the way it forces certain conventions on
-	the administrator. For example, LAM does not permit the creation of Windows user and group
-	accounts that contain spaces even though the underlying UNIX/Linux
-	operating system may exhibit no problems with them. Given the propensity for using upper-case
-	characters and spaces (particularly in the default Windows account names) this may cause
-	some annoyance. For the rest, LAM is a very useful administrative tool.
-	</para>
-	
-	<para>
-	The next major release, LAM 0.5, will have fewer restrictions and support the latest Samba features
-	(e.g., logon hours). The new plugin-based architecture also allows management of much more different
-	account types like plain UNIX accounts. The upload can now handle groups and hosts, too. Another
-	important point is the tree view which allows browsing and editing LDAP objects directly.
-	</para>
-
-<example id="lamcfg">
-<title>Example LAM Configuration File &smbmdash; <filename>config.cfg</filename></title>
-<screen>
-# password to add/delete/rename configuration profiles
-password: not24get
-
-# default profile, without ".conf"
-default: lam
-</screen>
-</example>
-
-<example id="lamconf">
-<title>LAM Profile Control File &smbmdash; <filename>lam.conf</filename></title>
-<screen>
-ServerURL: ldap://massive.abmas.org:389
-Admins: cn=Manager,dc=abmas,dc=biz
-Passwd: not24get
-usersuffix: ou=People,dc=abmas,dc=biz
-groupsuffix: ou=Groups,dc=abmas,dc=biz
-hostsuffix: ou=Computers,dc=abmas,dc=biz
-domainsuffix: ou=Domains,dc=abmas,dc=biz
-MinUID: 0
-MaxUID: 65535
-MinGID: 0
-MaxGID: 65535
-MinMachine: 20000
-MaxMachine: 25000
-userlistAttributes: #uid;#givenName;#sn;#uidNumber;#gidNumber
-grouplistAttributes: #cn;#gidNumber;#memberUID;#description
-hostlistAttributes: #cn;#description;#uidNumber;#gidNumber
-maxlistentries: 30
-defaultLanguage: en_GB:ISO-8859-1:English (Great Britain)
-scriptPath: 
-scriptServer: 
-samba3: yes
-cachetimeout: 5
-pwdhash: SSHA
-</screen>
-</example>
-
-</sect1>
-
-<sect1>
-	<title>IDEALX Management Console</title>
-
-	<para>
-	IMC (the IDEALX Mamagement Console) is a tool that can be used as the basis for a comprehensive
-	web-based management interface for UNIX and Linux systems.
-	</para>
-
-	<para>
-	The Samba toolset is the first console developped for IMC. It offers a simple and ergonomic
-	interface for managing a Samba domain controler. The goal is to give Linux administrators who
-	need to manage production Samba servers an effective, intuitive and consistent management 
-	experience. An IMC screenshot of the user management tool is shown in <link linkend="imcidealx"/>.
-	</para>
-
-	<figure id="imcidealx">
-        <title>The IMC Samba User Account Screen</title>
-        <imagefile scale="40">imc-usermanager2</imagefile>
-    </figure>
-
-	<para>
-	IMC is built on a set of Perl modules. Most modules are standard CPAN modules. Some are bundled with IMC,
-	but will soon to be hosted on the CPAN independently, like Struts4P, a port of Struts to the Perl language.
-	</para>
-
-	<para>
-	For further information regarding IMC refer to the web <ulink url="http://imc.sourceforge.net/">site.</ulink>
-	Prebuilt RPM packages are also <ulink url="http://imc.sourceforge.net/download.html">available.</ulink>
-	</para>
-
-</sect1>
-
-<sect1 id="ch12-SUIDSGID">
-	<title>Effect of Setting File and Directory SUID/SGID Permissions Explained</title>
-
-	<indexterm><primary>SUID</primary></indexterm>
-	<indexterm><primary>SGID</primary></indexterm>
-	<para>
-	The setting of the SUID/SGID bits on the file or directory permissions flag has particular
-	consequences. If the file is executable and the SUID bit is set, it executes with the privilege
-	of (with the UID of) the owner of the file. For example, if you are logged onto a system as
-	a normal user (let's say as the user <constant>bobj</constant>), and you execute a file that is owned
-	by the user <constant>root</constant> (uid = 0), and the file has the SUID bit set, then the file is
-	executed as if you had logged in as the user <constant>root</constant> and then executed the file.
-	The SUID bit effectively gives you (as <constant>bobj</constant>) administrative privilege for the
-	use of that executable file.
-	</para>
-
-	<para>
-	The setting of the SGID bit does precisely the same as the effect of the SUID bit, except that it
-	applies the privilege to the UNIX group setting. In other words, the file executes with the force
-	of capability of the group.
-	</para>
-
-	<para>
-	When the SUID/SGID permissions are set on a directory, all files that are created within that directory
-	are automatically given the ownership of the SUID user and the SGID group, as per the ownership
-	of the directory in which the file is created. This means that the system level <command>create()</command>
-	function executes with the SUID user and/or SGID group of the directory in which the file is
-	created.
-	</para>
-
-	<para>
-	If you want to obtain the SUID behavior, simply execute the following command:
-<screen>
-&rootprompt; chmod u+s file-or-directory
-</screen>
-	To set the SGID properties on a file or a directory, execute this command:
-<screen>
-&rootprompt; chmod g+s file-or-directory
-</screen>
-	And to set both SUID and SGID properties, execute the following:
-<screen>
-&rootprompt; chmod ug+s file-or-directory
-</screen>
-	</para>
-
-	<para>
-	Let's consider the example of a directory <filename>/data/accounts</filename>. The permissions on this
-	directory before setting both SUID and SGID on this directory are:
-<screen>
-&rootprompt; ls -al /data/accounts
-total 1
-drwxr-xr-x   10 root     root          232 Dec 18 17:08 .
-drwxr-xr-x   21 root     root          600 Dec 17 23:15 ..
-drwxrwxrwx    2 bobj     Domain Users  48 Dec 18 17:08 accounts/
-drwx------    2 root     root           48 Jan 26  2002 lost+found
-</screen>
-	In this example, if the user <constant>maryv</constant> creates a file, it is owned by her.
-	If <constant>maryv</constant> has the primary group of <constant>Accounts</constant>, the file is
-	owned by the group <constant>Accounts</constant>, as shown in this listing:
-<screen>
-&rootprompt; ls -al /data/accounts/maryvfile.txt
-drw-rw-r--    2 maryv    Accounts     12346 Dec 18 17:53
-</screen>
-	</para>
-
-	<para>
-	Now you set the SUID and SGID and check the result as follows:
-<screen>
-&rootprompt; chmod ug+s /data/accounts
-&rootprompt; ls -al /data/accounts
-total 1
-drwxr-xr-x   10 root     root          232 Dec 18 17:08 .
-drwxr-xr-x   21 root     root          600 Dec 17 23:15 ..
-drwsrwsr-x    2 bobj     Domain Users  48 Dec 18 17:08 accounts
-drwx------    2 root     root           48 Jan 26  2002 lost+found
-</screen>
-	If <constant>maryv</constant> creates a file in this directory after this change has been made, the
-	file is owned by the user <constant>bobj</constant>, and the group is set to the group
-	<constant>Domain Users</constant>, as shown here:
-<screen>
-&rootprompt; chmod ug+s /data/accounts
-&rootprompt; ls -al /data/accounts/maryvfile.txt
-total 1
-drw-rw-r--    2 bobj     Domain Users  12346 Dec 18 18:11 maryvfile.txt
-</screen>
-	</para>
-
-</sect1>
-
-<sect1 id="ch12dblck">
-	<title>Shared Data Integrity</title>
-
-      <para><indexterm>
-	  <primary>data integrity</primary>
-	</indexterm><indexterm>
-	  <primary>multi-user</primary>
-	  <secondary>data access</secondary>
-	</indexterm>
-	The integrity of shared data is often viewed as a particularly emotional issue, especially where
-	there are concurrent problems with multiuser data access. Contrary to the assertions of some who have
-	experienced problems in either area, the cause has nothing to do with the phases of the moons of Jupiter.
-	</para>
-
-	<para>
-	The solution to concurrent multiuser data access problems must consider three separate areas
-	from which the problem may stem:<indexterm>
-	  <primary>locking</primary>
-	  <secondary>Application level</secondary>
-	</indexterm><indexterm>
-	  <primary>locking</primary>
-	  <secondary>Client side</secondary>
-	</indexterm><indexterm>
-	  <primary>locking</primary>
-	  <secondary>Server side</secondary>
-	</indexterm>
-	</para>
-
-	<itemizedlist>
-		<listitem><para>application-level locking controls</para></listitem>
-		<listitem><para>client-side locking controls</para></listitem>
-		<listitem><para>server-side locking controls</para></listitem>
-	</itemizedlist>
-
-      <para><indexterm>
-	  <primary>database applications</primary>
-	</indexterm><indexterm>
-	  <primary>Microsoft Access</primary>
-	</indexterm>
-	Many database applications use some form of application-level access control. An example of one
-	well-known application that uses application-level locking is Microsoft Access. Detailed guidance
-	is provided here because this is the most common application for which problems have been reported.
-	</para>
-
-      <para><indexterm>
-	  <primary>Microsoft Excel</primary>
-	</indexterm><indexterm>
-	  <primary>Act!</primary>
-	</indexterm>
-	Common applications that are affected by client- and server-side locking controls include MS
-	Excel and Act!. Important locking guidance is provided here.
-	</para>
-
-
-	<sect2>
-	<title>Microsoft Access</title>
-
-	<para>
-	The best advice that can be given is to carefully read the Microsoft knowledgebase articles that
-	cover this area. Examples of relevant documents include:
-	</para>
-
-	<itemizedlist>
-	<listitem><para>http://support.microsoft.com/default.aspx?scid=kb;en-us;208778</para></listitem>
-	<listitem><para>http://support.microsoft.com/default.aspx?scid=kb;en-us;299373</para></listitem>
-	</itemizedlist>
-
-
-	<para><indexterm>
-	    <primary>multi-user</primary>
-	    <secondary>access</secondary>
-	  </indexterm><indexterm>
-	    <primary>exclusive open</primary>
-	  </indexterm>
-	Make sure that your MS Access database file is configured for multiuser access (not set for 
-	exclusive open). Open MS Access on each client workstation, then set the following: <menuchoice>
-	<guimenu>(Menu bar) Tools</guimenu><guimenu>Options</guimenu><guimenu>[tab] General</guimenu>
-	</menuchoice>.  Set network path to Default database folder: <filename>\\server\share\folder</filename>.
-	</para>
-
-	<para>
-        You can configure MS Access file sharing behavior as follows: click <guimenu>[tab] Advanced</guimenu>.
-	  Set:<indexterm>
-	    <primary>record locking</primary>
-	  </indexterm>
-	</para>
-
-	<itemizedlist>
-                <listitem><para>Default open mode: Shared</para></listitem>
-                <listitem><para>Default Record Locking: Edited Record</para></listitem>
-                <listitem><para>Open databases using record_level locking</para></listitem>
-	</itemizedlist>
-
-	<para><indexterm>
-	    <primary>MS Access</primary>
-	    <secondary>validate</secondary>
-	  </indexterm>
-        You must now commit the changes so that they will take effect. To do so, click 
-	<guimenu>Apply</guimenu><guimenu>Ok</guimenu>. At this point, you should exit MS Access, restart 
-	it, and then validate that these settings have not changed.
-	</para>
-
-	</sect2>
-
-	<sect2>
-	<title>Act! Database Sharing</title>
-
-	<para><indexterm>
-	    <primary>ACT! database</primary>
-	  </indexterm><indexterm>
-	    <primary>data corruption</primary>
-	  </indexterm>
-	Where the server sharing the ACT! database(s) is running Samba,or Windows NT, 200x, or XP, you 
-	must disable opportunistic locking on the server and all workstations. Failure to do so
-	results in data corruption. This information is available from the Act! Web site
-	knowledgebase articles 
-	<ulink url="http://itdomino.saleslogix.com/act.nsf/docid/1998223162925">1998223162925</ulink>
-	as well as from article
-	<ulink url="http://itdomino.saleslogix.com/act.nsf/docid/200110485036">200110485036</ulink>.
-	</para>
-
-	<para><indexterm>
-	    <primary>opportunistic locking</primary>
-	  </indexterm><indexterm>
-	    <primary>Act!Diag</primary>
-	  </indexterm>
-	These documents clearly state that opportunistic locking must be disabled on both
-	the server (Samba in the case we are interested in here), as well as on every workstation
-	from which the centrally shared Act! database will be accessed. Act! provides
-	a tool called <command>Act!Diag</command> that may be used to disable all workstation
-	registry settings that may otherwise interfere with the operation of Act! 
-	Registered Act! users may download this utility from the Act! Web 
-	<ulink url="http://www.act.com/support/updates/index.cfm">site.</ulink>
-	</para>
-
-	</sect2>
-
-	<sect2>
-	<title>Opportunistic Locking Controls</title>
-
-	<para><indexterm>
-	    <primary>file caching</primary>
-	  </indexterm>
-	Third-party Windows applications may not be compatible with the use of opportunistic file
-	and record locking. For applications that are known not to be compatible,<footnote><para>Refer to
-	the application manufacturer's installation guidelines and knowledge base for specific
-	information regarding compatibility. It is often safe to assume that if the software
-	manufacturer does not specifically mention incompatibilities with opportunistic file
-	and record locking, or with Windows client file caching, the application is probably
-	compatible with Windows (as well as Samba) default settings.</para></footnote> oplock
-	support may need to be disabled both on the Samba server and on the Windows workstations.
-	</para>
-
-	<para><indexterm>
-	    <primary>cache</primary>
-	  </indexterm><indexterm>
-	    <primary>write lock</primary>
-	  </indexterm><indexterm>
-	    <primary>flush</primary>
-	    <secondary>cache memory</secondary>
-	  </indexterm>
-	Oplocks enable a Windows client to cache parts of a file that are being
-	edited. Another windows client may then request to open the file with the
-	ability to write to it. The server will then ask the original workstation
-	that had the file open with a write lock to release its lock. Before
-	doing so, that workstation must flush the file from cache memory to the
-	disk or network drive.
-	</para>
-
-	<para><indexterm>
-	    <primary>Oplocks</primary>
-	    <secondary>disabled</secondary>
-	  </indexterm>
-	Disabling of Oplocks usage may require server and client changes.
-	Oplocks may be disabled by file, by file pattern, on the share, or on the
-	Samba server.
-	</para>
-
-	<para>
-	The following are examples showing how Oplock support may be managed using
-	Samba &smb.conf; file settings:
-<screen>
-By file:        veto oplock files = myfile.mdb
-
-By Pattern:     veto oplock files = /*.mdb/
-
-On the Share:   oplocks = No
-                level2 oplocks = No
-
-On the server:
-(in [global])   oplocks = No
-                level2 oplocks = No
-</screen>
-	</para>
-
-	<para>
-	The following registry entries on Microsoft Windows XP Professional, 2000 Professional, and Windows NT4
-	workstation clients must be configured as shown here:
-<screen>
-REGEDIT4
-
-[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
-            Services\LanmanServer\Parameters]
-      "EnableOplocks"=dword:00000000
-
-[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
-            Services\LanmanWorkstation\Parameters]
-      "UseOpportunisticLocking"=dword:00000000
-</screen>
-	</para>
-
-	<para>
-	Comprehensive coverage of file and record-locking controls is provided in TOSHARG2, Chapter 13.
-	The information in that chapter was obtained from a wide variety of sources.
-	</para>
-
-	</sect2>
-
-</sect1>
-
-</chapter>
-
diff --git a/docs-xml/Samba3-ByExample/SBE-Appendix2.xml b/docs-xml/Samba3-ByExample/SBE-Appendix2.xml
deleted file mode 100644
index 51d2488..0000000
--- a/docs-xml/Samba3-ByExample/SBE-Appendix2.xml
+++ /dev/null
@@ -1,1283 +0,0 @@
-<?xml version="1.0" encoding="iso-8859-1"?>
-<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
-<chapter id="primer">
-  <title>Networking Primer</title>
-
-	<para>
-	You are about to use the equivalent of a microscope to look at the information
-	that runs through the veins of a Windows network. We do more to observe the information than
-	to interrogate it. When you are done with this primer, you should have a good understanding
-	of the types of information that flow over the network. Do not worry, this is not
-	a biology lesson. We won't lose you in unnecessary detail. Think to yourself, <quote>This
-	is easy,</quote> then tackle each exercise without fear.
-	</para>
-
-	<para>
-	Samba can be configured with a minimum of complexity. Simplicity should be mastered
-	before you get too deeply into complexities. Let's get moving: we have work to do.
-	</para>
-
-<sect1>
-	<title>Requirements and Notes</title>
-	<para>
-	Successful completion of this primer requires two Microsoft Windows 9x/Me Workstations
-	as well as two Microsoft Windows XP Professional Workstations, each equipped with an Ethernet
-	card connected using a hub. Also required is one additional server (either Windows
-	NT4 Server, Windows 2000 Server, or a Samba-3 on UNIX/Linux server) running a network
-	sniffer and analysis application (Wireshark is a good choice). All work should be undertaken
-	on a quiet network where there is no other traffic. It is best to use a dedicated hub
-	with only the machines under test connected at the time of the exercises.
-	</para>
-
-      <para><indexterm>
-	  <primary>Wireshark</primary>
-	</indexterm>
-	Wireshark (formerly Ethereal) has become the network protocol analyzer of choice for many network administrators.
-	You may find more information regarding this tool from the
-	<ulink url="http://www.wireshark.org">Wireshark</ulink> Web site. Wireshark installation
-	files for Windows may be obtained from the Wireshark Web site. Wireshark is provided with
-	SUSE and Red Hat Linux distributions, as well as with many other Linux distributions. It may
-	not be installed on your system by default. If it is not installed, you may also need
-	to install the <command>libpcap</command> software before you can install or use Wireshark.
-	Please refer to the instructions for your operating system or to the Wireshark Web site
-	for information regarding the installation and operation of Wireshark.
-	</para>
-
-	<para>
-	To obtain <command>Wireshark</command> for your system, please visit the Wireshark
-	<ulink url="http://www.wireshark.org/download.html">download site</ulink>.
-	</para>
-
-	<note><para>
-	The successful completion of this chapter requires that you capture network traffic
-	using <command>Wireshark</command>. It is recommended that you use a hub, not an
-	Ethernet switch. It is necessary for the device used to act as a repeater, not as a
-	filter. Ethernet switches may filter out traffic that is not directed at the machine
-	that is used to monitor traffic; this would not allow you to complete the projects.
-	</para></note>
-
-	<para>
-	<indexterm><primary>network</primary><secondary>captures</secondary></indexterm>
-	Do not worry too much if you do not have access to all this equipment; network captures
-	from the exercises are provided on the enclosed CD-ROM. This makes it possible to dive directly
-	into the analytical part of the exercises if you so desire.
-	</para>
-
-      <para><indexterm>
-	  <primary>network</primary>
-	  <secondary>sniffer</secondary>
-	</indexterm><indexterm>
-	  <primary>protocol analysis</primary>
-	</indexterm>
-	Please do not be alarmed at the use of a high-powered analysis tool (Wireshark) in this
-	primer.  We expose you only to a minimum of detail necessary to complete
-	the exercises. If you choose to use any other network sniffer and protocol
-	analysis tool, be advised that it may not allow you to examine the contents of
-	recently added security protocols used by Windows 200x/XP.
-	</para>
-
-	<para>
-	You could just skim through the exercises and try to absorb the key points made.
-	The exercises provide all the information necessary to convince the die-hard network
-	engineer. You possibly do not require so much convincing and may just want to move on,
-	in which case you should at least read <link linkend="chap01conc"/>.
-	</para>
-
-	<para>
-	<link linkend="chap01qa"/> also provides useful information
-	that may help you to avoid significantly time-consuming networking problems.
-	</para>
-</sect1>
-
-<sect1>
-	<title>Introduction</title>
-
-	<para>
-	The purpose of this chapter is to create familiarity with key aspects of Microsoft Windows
-	network computing. If you want a solid technical grounding, do not gloss over these exercises.
-	The points covered are recurrent issues on the Samba mailing lists.
-	</para>
-
-      <para><indexterm>
-	  <primary>network</primary>
-	  <secondary>broadcast</secondary>
-	</indexterm>
-	You can see from these exercises that Windows networking involves quite a lot of network
-	broadcast traffic. You can look into the contents of some packets, but only to see
-	some particular information that the Windows client sends to a server in the course of
-	establishing a network connection.
-	</para>
-
-	<para>
-	To many people, browsing is everything that happens when one uses Microsoft Internet Explorer.
-	It is only when you start looking at network traffic and noting the protocols
-	and types of information that are used that you can begin to appreciate the complexities of
-	Windows networking and, more importantly, what needs to be configured so that it can work.
-	Detailed information regarding browsing is provided in the recommended
-	preparatory reading.
-	</para>
-
-	<para>
-	Recommended preparatory reading: <emphasis>The Official Samba-3 HOWTO and Reference Guide, Second
-	Edition</emphasis> (TOSHARG2) Chapter 9, <quote>Network Browsing,</quote> and Chapter 3,
-	<quote>Server Types and Security Modes.</quote>
-	</para>
-
-	<sect2>
-	<title>Assignment Tasks</title>
-
-	<para><indexterm>
-	    <primary>browsing</primary>
-	  </indexterm>
-		You are about to witness how Microsoft Windows computer networking functions. The
-		exercises step through identification of how a client machine establishes a
-		connection to a remote Windows server. You observe how Windows machines find
-		each other (i.e., how browsing works) and how the two key types of user identification
-		(share mode security and user mode security) are affected.
-		</para>
-
-	<para><indexterm>
-	    <primary>network</primary>
-	    <secondary>analyzer</secondary>
-	  </indexterm>
-		The networking protocols used by MS Windows networking when working with Samba
-		use TCP/IP as the transport protocol. The protocols that are specific to Windows
-		networking are encapsulated in TCP/IP. The network analyzer we use (Wireshark)
-		is able to show you the contents of the TCP/IP packets (or messages).
-		</para>
-
-		<procedure id="chap01tasks">
-		<title>Diagnostic Tasks</title>
-
-	  <step><para><indexterm>
-		<primary>network</primary>
-		<secondary>trace</secondary>
-	      </indexterm><indexterm>
-		<primary>host announcement</primary>
-	      </indexterm><indexterm>
-		<primary>name resolution</primary>
-	      </indexterm>
-			Examine network traces to witness SMB broadcasts, host announcements,
-			and name resolution processes.
-			</para></step>
-
-			<step><para>
-			Examine network traces to witness how share mode security functions.
-			</para></step>
-
-			<step><para>
-			Examine network traces to witness the use of user mode security.
-			</para></step>
-
-			<step><para>
-			Review traces of network logons for a Windows 9x/Me client as well as
-			a domain logon for a Windows XP Professional client.
-			</para></step>
-		</procedure>
-
-	</sect2>
-</sect1>
-
-<sect1>
-	<title>Exercises</title>
-
-	<para>
-	<indexterm><primary>wireshark</primary></indexterm>
-	You are embarking on a course of discovery. The first part of the exercise requires
-	two MS Windows 9x/Me systems. We called one machine <constant>WINEPRESSME</constant> and the
-	other <constant>MILGATE98</constant>. Each needs an IP address; we used <literal>10.1.1.10</literal>
-	and <literal>10.1.1.11</literal>. The test machines need to be networked via a <emphasis>hub</emphasis>. A UNIX/Linux
-	machine is required to run <command>Wireshark</command> to enable the network activity to be captured.
-	It is important that the machine from which network activity is captured must not interfere with
-	the operation of the Windows workstations. It is helpful for this machine to be passive (does not
-	send broadcast information) to the network.
-	</para>
-
-	<para>
-	For these exercises, our test environment consisted of a SUSE 9.2 Professional Linux Workstation running
-	VMWare 4.5. The following VMWare images were prepared:
-	</para>
-
-	<itemizedlist>
-		<listitem><para>Windows 98 &smbmdash; name: MILGATE98</para></listitem>
-		<listitem><para>Windows Me &smbmdash; name: WINEPRESSME</para></listitem>
-		<listitem><para>Windows XP Professional &smbmdash; name: LightrayXP</para></listitem>
-		<listitem><para>Samba-3.0.20 running on a SUSE Enterprise Linux 9</para></listitem>
-	</itemizedlist>
-
-	<para>
-	Choose a workgroup name (MIDEARTH) for each exercise.
-	</para>
-
-	<para>
-	<indexterm><primary>ethereal</primary></indexterm>
-	The network captures provided on the CD-ROM included with this book were captured using <constant>Ethereal</constant>
-	version <literal>0.10.6</literal>. A later version suffices without problems (i.e. you should be using Wireshark), but an earlier version may not
-	expose all the information needed. Each capture file has been decoded and listed as a trace file. A summary of all
-	packets has also been included. This makes it possible for you to do all the studying you like without the need to
-	perform the time-consuming equipment configuration and test work. This is a good time to point out that the value
-	that can be derived from this book really does warrant your taking sufficient time to practice each exercise with
-	care and attention to detail.
-	</para>
-
-	<sect2>
-	<title>Single-Machine Broadcast Activity</title>
-
-	<para>
-	In this section, we start a single Windows 9x/Me machine, then monitor network activity for 30 minutes.
-	</para>
-
-	<procedure>
-	<title>Monitoring Windows 9x Steps</title>
-
-		<step><para>
-		Start the machine from which network activity will be monitored (using <command>Wireshark</command>).
-		Launch <command>Wireshark</command>, click
-			<menuchoice>
-				<guimenu>Capture</guimenu>
-				<guimenuitem>Start</guimenuitem>
-			</menuchoice>.
-		</para>
-
-		<para>
-		Click the following:
-		<orderedlist>
-		<listitem><para>Update list of packets in real time</para></listitem>
-		<listitem><para>Automatic scrolling in live capture</para></listitem>
-		<listitem><para>Enable MAC name resolution</para></listitem>
-		<listitem><para>Enable network name resolution</para></listitem>
-		<listitem><para>Enable transport name resolution</para></listitem>
-		</orderedlist>
-		Click <guibutton>OK</guibutton>.
-		</para></step>
-
-		<step><para>
-		Start the Windows 9x/Me machine to be monitored. Let it run for a full 30 minutes. While monitoring,
-		do not press any keyboard keys, do not click any on-screen icons or menus, and do not answer any dialog boxes.
-		</para></step>
-
-		<step><para>
-		At the conclusion of 30 minutes, stop the capture. Save the capture to a file so you can go back to it later.
-		Leave this machine running in preparation for the task in <link linkend="secondmachine"/>.
-		</para></step>
-
-		<step><para>
-		Analyze the capture. Identify each discrete message type that was captured. Note what transport protocol
-		was used. Identify the timing between messages of identical types.
-		</para></step>
-
-	</procedure>
-
-		<sect3>
-		<title>Findings</title>
-
-		<para>
-		The summary of the first 10 minutes of the packet capture should look like <link linkend="pktcap01"/>.
-		A screenshot of a later stage of the same capture is shown in <link linkend="pktcap02"/>.
-		</para>
-
-		<figure id="pktcap01">
-			<title>Windows Me &smbmdash; Broadcasts &smbmdash; The First 10 Minutes</title>
-			<imagefile scale="40">WINREPRESSME-Capture</imagefile>
-		</figure>
-
-		<figure id="pktcap02">
-			<title>Windows Me &smbmdash; Later Broadcast Sample</title>
-			<imagefile scale="42">WINREPRESSME-Capture2</imagefile>
-		</figure>
-
-	  <para><indexterm>
-	      <primary>Local Master Browser</primary>
-	      <see>LMB</see>
-	    </indexterm><indexterm>
-	      <primary>LMB</primary>
-	    </indexterm>
-		Broadcast messages observed are shown in <link linkend="capsstats01"/>.
-		Actual observations vary a little, but not by much.
-		Early in the startup process, the Windows Me machine broadcasts its name for two reasons:
-		first to ensure that its name would not result in a name clash, and second to establish its
-		presence with the Local Master Browser (LMB).
-		</para>
-
-		<table id="capsstats01">
-			<title>Windows Me &smbmdash; Startup Broadcast Capture Statistics</title>
-			<tgroup cols="4">
-				<colspec align="left" colwidth="3*"/>
-				<colspec align="center"/>
-				<colspec align="center"/>
-				<colspec align="left" colwidth="3*"/>
-				<thead>
-					<row>
-						<entry>Message</entry>
-						<entry>Type</entry>
-						<entry>Num</entry>
-						<entry>Notes</entry>
-					</row>
-				</thead>
-				<tbody>
-					<row>
-						<entry>WINEPRESSME<00></entry>
-						<entry>Reg</entry>
-						<entry>8</entry>
-						<entry>4 lots of 2, 0.6 sec apart</entry>
-					</row>
-					<row>
-						<entry>WINEPRESSME<03></entry>
-						<entry>Reg</entry>
-						<entry>8</entry>
-						<entry>4 lots of 2, 0.6 sec apart</entry>
-					</row>
-					<row>
-						<entry>WINEPRESSME<20></entry>
-						<entry>Reg</entry>
-						<entry>8</entry>
-						<entry>4 lots of 2, 0.75 sec apart</entry>
-					</row>
-					<row>
-						<entry>MIDEARTH<00></entry>
-						<entry>Reg</entry>
-						<entry>8</entry>
-						<entry>4 lots of 2, 0.75 sec apart</entry>
-					</row>
-					<row>
-						<entry>MIDEARTH<1d></entry>
-						<entry>Reg</entry>
-						<entry>8</entry>
-						<entry>4 lots of 2, 0.75 sec apart</entry>
-					</row>
-					<row>
-						<entry>MIDEARTH<1e></entry>
-						<entry>Reg</entry>
-						<entry>8</entry>
-						<entry>4 lots of 2, 0.75 sec apart</entry>
-					</row>
-					<row>
-						<entry>MIDEARTH<1b></entry>
-						<entry>Qry</entry>
-						<entry>84</entry>
-						<entry>300 sec apart at stable operation</entry>
-					</row>
-					<row>
-						<entry>__MSBROWSE__</entry>
-						<entry>Reg</entry>
-						<entry>8</entry>
-						<entry>Registered after winning election to Browse Master</entry>
-					</row>
-					<row>
-						<entry>JHT<03></entry>
-						<entry>Reg</entry>
-						<entry>8</entry>
-						<entry>4 x 2. This is the name of the user that logged onto Windows</entry>
-					</row>
-					<row>
-						<entry>Host Announcement WINEPRESSME</entry>
-						<entry>Ann</entry>
-						<entry>2</entry>
-						<entry>Observed at 10 sec</entry>
-					</row>
-					<row>
-						<entry>Domain/Workgroup Announcement MIDEARTH</entry>
-						<entry>Ann</entry>
-						<entry>18</entry>
-						<entry>300 sec apart at stable operation</entry>
-					</row>
-					<row>
-						<entry>Local Master Announcement WINEPRESSME</entry>
-						<entry>Ann</entry>
-						<entry>18</entry>
-						<entry>300 sec apart at stable operation</entry>
-					</row>
-					<row>
-						<entry>Get Backup List Request</entry>
-						<entry>Qry</entry>
-						<entry>12</entry>
-						<entry>6 x 2 early in startup, 0.5 sec apart</entry>
-					</row>
-					<row>
-						<entry>Browser Election Request</entry>
-						<entry>Ann</entry>
-						<entry>10</entry>
-						<entry>5 x 2 early in startup</entry>
-					</row>
-					<row>
-						<entry>Request Announcement WINEPRESSME</entry>
-						<entry>Ann</entry>
-						<entry>4</entry>
-						<entry>Early in startup</entry>
-					</row>
-				</tbody>
-			</tgroup>
-		</table>
-
-	  <para><indexterm>
-	      <primary>election</primary>
-	    </indexterm><indexterm>
-	      <primary>browse master</primary>
-	    </indexterm>
-		From the packet trace, it should be noted that no messages were propagated over TCP/IP;
-		all messages employed UDP/IP.  When steady-state operation has been achieved, there is a cycle
-		of various announcements, re-election of a browse master, and name queries. These create
-		the symphony of announcements by which network browsing is made possible.
-		</para>
-
-	  <para><indexterm>
-	      <primary>CIFS</primary>
-	    </indexterm>
-		For detailed information regarding the precise behavior of the CIFS/SMB protocols,
-		refer to the book <quote>Implementing CIFS: The Common Internet File System,</quote>
-		by Christopher Hertel, (Prentice Hall PTR, ISBN: 013047116X).
-		</para>
-
-		</sect3>
-
-	</sect2>
-
-	<sect2 id="secondmachine">
-	<title>Second Machine Startup Broadcast Interaction</title>
-
-	<para>
-	At this time, the machine you used to capture the single-system startup trace should still be running.
-	The objective of this task is to identify the interaction of two machines in respect to broadcast activity.
-	</para>
-
-	<procedure>
-	<title>Monitoring of Second Machine Activity</title>
-
-		<step><para>
-		On the machine from which network activity will be monitored (using <command>Wireshark</command>),
-		launch <command>Wireshark</command> and click
-			<menuchoice>
-				<guimenu>Capture</guimenu>
-				<guimenuitem>Start</guimenuitem>
-			</menuchoice>.
-		</para>
-
-		<para>
-		Click:
-		<orderedlist>
-			<listitem><para>Update list of packets in real time</para></listitem>
-			<listitem><para>Automatic scrolling in live capture</para></listitem>
-			<listitem><para>Enable MAC name resolution</para></listitem>
-			<listitem><para>Enable network name resolution</para></listitem>
-			<listitem><para>Enable transport name resolution</para></listitem>
-		</orderedlist>
-		Click <guibutton>OK</guibutton>.
-		</para></step>
-
-		<step><para>
-		Start the second Windows 9x/Me machine. Let it run for 15 to 20 minutes. While monitoring, do not press
-		any keyboard keys, do not click any on-screen icons or menus, and do not answer any dialog boxes.
-		</para></step>
-
-		<step><para>
-		At the conclusion of the capture time, stop the capture. Be sure to save the captured data so you
-		can examine the network data capture again at a later date should that be necessary.
-		</para></step>
-
-		<step><para>
-		Analyze the capture trace, taking note of the transport protocols used, the types of messages observed,
-		and what interaction took place between the two machines. Leave both machines running for the next task.
-		</para></step>
-	</procedure>
-
-		<sect3>
-		<title>Findings</title>
-
-		<para>
-		<link linkend="capsstats02"/> summarizes capture statistics observed. As in the previous case,
-		all announcements used UDP/IP broadcasts. Also, as was observed with the last example, the second
-		Windows 9x/Me machine broadcasts its name on startup to ensure that there exists no name clash
-		(i.e., the name is already registered by another machine) on the network segment. Those wishing
-		to explore the inner details of the precise mechanism of how this functions should refer to
-		<quote>Implementing CIFS: The Common Internet File System.</quote>
-		</para>
-
-		<table id="capsstats02">
-                        <title>Second Machine (Windows 98) &smbmdash; Capture Statistics</title>
-                        <tgroup cols="4">
-                                <colspec align="left" colwidth="3*"/>
-                                <colspec align="center"/>
-                                <colspec align="center"/>
-                                <colspec align="left" colwidth="3*"/>
-                                <thead>
-                                        <row>
-                                                <entry>Message</entry>
-                                                <entry>Type</entry>
-                                                <entry>Num</entry>
-                                                <entry>Notes</entry>
-                                        </row>
-                                </thead>
-                                <tbody>
-                                        <row>
-                                                <entry>MILGATE98<00></entry>
-                                                <entry>Reg</entry>
-                                                <entry>8</entry>
-                                                <entry>4 lots of 2, 0.6 sec apart</entry>
-                                        </row>
-                                        <row>
-                                                <entry>MILGATE98<03></entry>
-                                                <entry>Reg</entry>
-                                                <entry>8</entry>
-                                                <entry>4 lots of 2, 0.6 sec apart</entry>
-                                        </row>
-                                        <row>
-                                                <entry>MILGATE98<20></entry>
-                                                <entry>Reg</entry>
-                                                <entry>8</entry>
-                                                <entry>4 lots of 2, 0.75 sec apart</entry>
-                                        </row>
-                                        <row>
-                                                <entry>MIDEARTH<00></entry>
-                                                <entry>Reg</entry>
-                                                <entry>8</entry>
-                                                <entry>4 lots of 2, 0.75 sec apart</entry>
-                                        </row>
-                                        <row>
-                                                <entry>MIDEARTH<1d></entry>
-                                                <entry>Reg</entry>
-                                                <entry>8</entry>
-                                                <entry>4 lots of 2, 0.75 sec apart</entry>
-                                        </row>
-                                        <row>
-                                                <entry>MIDEARTH<1e></entry>
-                                                <entry>Reg</entry>
-                                                <entry>8</entry>
-                                                <entry>4 lots of 2, 0.75 sec apart</entry>
-                                        </row>
-                                        <row>
-                                                <entry>MIDEARTH<1b></entry>
-                                                <entry>Qry</entry>
-                                                <entry>18</entry>
-                                                <entry>900 sec apart at stable operation</entry>
-                                        </row>
-                                        <row>
-                                                <entry>JHT<03></entry>
-                                                <entry>Reg</entry>
-                                                <entry>2</entry>
-                                                <entry>This is the name of the user that logged onto Windows</entry>
-                                        </row>
-                                        <row>
-                                                <entry>Host Announcement MILGATE98</entry>
-                                                <entry>Ann</entry>
-                                                <entry>14</entry>
-                                                <entry>Every 120 sec</entry>
-                                        </row>
-                                        <row>
-                                                <entry>Domain/Workgroup Announcement MIDEARTH</entry>
-                                                <entry>Ann</entry>
-                                                <entry>6</entry>
-                                                <entry>900 sec apart at stable operation</entry>
-                                        </row>
-                                        <row>
-                                                <entry>Local Master Announcement WINEPRESSME</entry>
-                                                <entry>Ann</entry>
-                                                <entry>6</entry>
-                                                <entry>Insufficient detail to determine frequency</entry>
-                                        </row>
-				</tbody>
-			</tgroup>
-		</table>
-
-		<para>
-	    	<indexterm><primary>host announcement</primary></indexterm>
-		<indexterm><primary>Local Master Announcement</primary></indexterm>
-		<indexterm><primary>Workgroup Announcement</primary></indexterm>
-		Observation of the contents of Host Announcements, Domain/Workgroup Announcements,
-		and Local Master Announcements is instructive. These messages convey a significant
-		level of detail regarding the nature of each machine that is on the network. An example
-		dissection of a Host Announcement is given in <link linkend="hostannounce"/>.
-		</para>
-
-
-		<figure id="hostannounce">
-			<title>Typical Windows 9x/Me Host Announcement</title>
-			<imagefile scale="41">HostAnnouncment</imagefile>
-		</figure>
-		</sect3>
-
-	</sect2>
-
-	<sect2>
-	<title>Simple Windows Client Connection Characteristics</title>
-
-	<para>
-	The purpose of this exercise is to discover how Microsoft Windows clients create (establish)
-	connections with remote servers. The methodology involves analysis of a key aspect of how
-	Windows clients access remote servers: the session setup protocol.
-	</para>
-
-	<procedure>
-	<title>Client Connection Exploration Steps</title>
-
-		<step><para>
-		Configure a Windows 9x/Me machine (MILGATE98) with a share called <constant>Stuff</constant>.
-		Create a <parameter>Full Access</parameter> control password on this share.
-		</para></step>
-
-		<step><para>
-		Configure another Windows 9x/Me machine (WINEPRESSME) as a client. Make sure that it exports
-		no shared resources.
-		</para></step>
-
-		<step><para>
-		Start both Windows 9x/Me machines and allow them to stabilize for 10 minutes. Log on to both
-		machines using a user name (JHT) of your choice. Wait approximately 2 minutes before proceeding.
-		</para></step>
-
-		<step><para>
-		Start Wireshark (or the network sniffer of your choice).
-		</para></step>
-
-		<step><para>
-		From the WINEPRESSME machine, right-click <guimenu>Network Neighborhood</guimenu>, select
-		<guimenuitem>Explore</guimenuitem>, select
-		<menuchoice>
-			<guimenuitem>My Network Places</guimenuitem>
-			<guimenuitem>Entire Network</guimenuitem>
-			<guimenuitem>MIDEARTH</guimenuitem>
-			<guimenuitem>MILGATE98</guimenuitem>
-			<guimenuitem>Stuff</guimenuitem>
-		</menuchoice>.
-		Enter the password you set for the <constant>Full Control</constant> mode for the
-		<constant>Stuff</constant> share.
-		</para></step>
-
-		<step><para>
-		When the share called <constant>Stuff</constant> is being displayed, stop the capture.
-		Save the captured data in case it is needed for later analysis.
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>session setup</primary></indexterm>
-		From the top of the packets captured, scan down to locate the first packet that has
-		interpreted as <constant>Session Setup AndX, User: anonymous; Tree Connect AndX,
-		Path: \\MILGATE98\IPC$</constant>.
-		</para></step>
-
-	  <step><para><indexterm>
-		<primary>Session Setup</primary>
-	      </indexterm><indexterm>
-		<primary>Tree Connect</primary>
-	      </indexterm>
-		In the dissection (analysis) panel, expand the <constant>SMB, Session Setup AndX Request,
-		and Tree Connect AndX Request</constant>. Examine both operations. Identify the name of
-		the user Account and what password was used. The Account name should be empty.
-		This is a <constant>NULL</constant> session setup packet.
-		</para></step>
-
-		<step><para>
-		Return to the packet capture sequence. There will be a number of packets that have been
-		decoded of the type <constant>Session Setup AndX</constant>. Locate the last such packet
-		that was targeted at the <constant>\\MILGATE98\IPC$</constant> service.
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>password length</primary></indexterm>
-		<indexterm><primary>User Mode</primary></indexterm>
-		Dissect this packet as per the previous one. This packet should have a password length
-		of 24 (characters) and should have a password field, the contents of which is a
-		long hexadecimal number. Observe the name in the Account field. This is a User Mode
-		session setup packet.
-		</para></step>
-	</procedure>
-
-		<sect3>
-		<title>Findings and Comments</title>
-
-	  	<para>
-		<indexterm><primary>IPC$</primary></indexterm>
-		The <constant>IPC$</constant> share serves a vital purpose<footnote><para>TOSHARG2, Sect 4.5.1</para></footnote>
-		in SMB/CIFS-based networking.  A Windows client connects to this resource to obtain the list of
-		resources that are available on the server. The server responds with the shares and print queues that
-		are available. In most but not all cases, the connection is made with a <constant>NULL</constant>
-		username and a <constant>NULL</constant> password.
-		</para>
-
-	  	<para>
-		<indexterm><primary>account credentials</primary></indexterm>
-		The two packets examined are material evidence of how Windows clients may
-		interoperate with Samba. Samba requires every connection setup to be authenticated using
-		valid UNIX account credentials (UID/GID). This means that even a <constant>NULL</constant>
-		session setup can be established only by automatically mapping it to a valid UNIX
-		account.
-		</para>
-
-		<para>
-	    <indexterm><primary>NULL session</primary></indexterm><indexterm>
-	      <primary>guest account</primary>
-	    </indexterm>
-	    <indexterm><primary>nobody</primary></indexterm>
-		Samba has a special name for the <constant>NULL</constant>, or empty, user account:
-		it calls it the <smbconfoption name="guest account"/>. The
-		default value of this parameter is <constant>nobody</constant>; however, this can be
-		changed to map the function of the guest account to any other UNIX identity. Some
-		UNIX administrators prefer to map this account to the system default anonymous
-		FTP account. A sample NULL Session Setup AndX packet dissection is shown in
-		<link linkend="nullconnect"/>.
-		</para>
-
-		<figure id="nullconnect">
-			<title>Typical Windows 9x/Me NULL SessionSetUp AndX Request</title>
-
-			<imagefile scale="41">NullConnect</imagefile>
-		</figure>
-
-		<para>
-	    	<indexterm><primary>nobody</primary></indexterm>
-		<indexterm><primary>/etc/passwd</primary></indexterm>
-		<indexterm><primary>guest account</primary></indexterm>
-		When a UNIX/Linux system does not have a <constant>nobody</constant> user account
-		(<filename>/etc/passwd</filename>), the operation of the <constant>NULL</constant>
-		account cannot validate and thus connections that utilize the guest account
-		fail. This breaks all ability to browse the Samba server and is a common
-		problem reported on the Samba mailing list. A sample User Mode session setup AndX
-		is shown in <link linkend="userconnect"/>.
-		</para>
-
-		<figure id="userconnect">
-			<title>Typical Windows 9x/Me User SessionSetUp AndX Request</title>
-			<imagefile scale="41">UserConnect</imagefile>
-		</figure>
-
-	 	<para>
-		<indexterm><primary>encrypted</primary></indexterm>
-		The User Mode connection packet contains the account name and the domain name.
-		The password is provided in Microsoft encrypted form, and its length is shown
-		as 24 characters. This is the length of Microsoft encrypted passwords.
-		</para>
-
-		</sect3>
-
-	</sect2>
-
-	<sect2>
-	<title>Windows 200x/XP Client Interaction with Samba-3</title>
-
-	<para>
-	By now you may be asking, <quote>Why did you choose to work with Windows 9x/Me?</quote>
-	</para>
-
-	<para>
-	First, we want to demonstrate the simple case. This book is not intended to be a detailed treatise
-	on the Windows networking protocols, but rather to provide prescriptive guidance for deployment of Samba.
-	Second, by starting out with the simple protocol, it can be demonstrated that the more complex case mostly
-	follows the same principles.
-	</para>
-
-	<para>
-	The following exercise demonstrates the case that even MS Windows XP Professional with up-to-date service
-	updates also uses the <constant>NULL</constant> account, as well as user accounts. Simply follow the procedure
-	to complete this exercise.
-	</para>
-
-	<para>
-	To complete this exercise, you need a Windows XP Professional client that has been configured as
-	a domain member of either a Samba-controlled domain or a Windows NT4 or 200x Active Directory domain.
-	Here we do not provide details for how to configure this, as full coverage is provided earlier in this book.
-	</para>
-
-	<procedure>
-	<title>Steps to Explore Windows XP Pro Connection Set-up</title>
-
-		<step><para>
-		Start your domain controller. Also, start the Wireshark monitoring machine, launch Wireshark,
-		and then wait for the next step to complete.
-		</para></step>
-
-		<step><para>
-		Start the Windows XP Client and wait 5 minutes before proceeding.
-		</para></step>
-
-		<step><para>
-		On the machine from which network activity will be monitored (using <command>Wireshark</command>),
-                launch <command>Wireshark</command> and click
-                        <menuchoice>
-                                <guimenu>Capture</guimenu>
-                                <guimenuitem>Start</guimenuitem>
-                        </menuchoice>.
-                </para>
-
-                <para>
-                Click:
-                <orderedlist>
-				<listitem><para>Update list of packets in real time</para></listitem>
-				<listitem><para>Automatic scrolling in live capture</para></listitem>
-				<listitem><para>Enable MAC name resolution</para></listitem>
-				<listitem><para>Enable network name resolution</para></listitem>
-				<listitem><para>Enable transport name resolution</para></listitem>
-                </orderedlist>
-                Click <guibutton>OK</guibutton>.
-		</para></step>
-
-		<step><para>
-		On the Windows XP Professional client, press <guimenu>Ctrl-Alt-Delete</guimenu> to bring
-		up the domain logon screen. Log in using valid credentials for a domain user account.
-		</para></step>
-
-		<step><para>
-		Now proceed to connect to the domain controller as follows:
-		<menuchoice>
-			<guimenu>Start</guimenu>
-			<guimenuitem>(right-click) My Network Places</guimenuitem>
-			<guimenuitem>Explore</guimenuitem>
-			<guimenuitem>{Left Panel} [+] Entire Network</guimenuitem>
-			<guimenuitem>{Left Panel} [+] Microsoft Windows Network</guimenuitem>
-			<guimenuitem>{Left Panel} [+] Midearth</guimenuitem>
-			<guimenuitem>{Left Panel} [+] Frodo</guimenuitem>
-			<guimenuitem>{Left Panel} [+] data</guimenuitem>
-		</menuchoice>. Close the explorer window.
-		</para>
-
-		<para>
-		In this step, our domain name is <constant>Midearth</constant>, the domain controller is called
-		<constant>Frodo</constant>, and we have connected to a share called <constant>data</constant>.
-		</para></step>
-
-		<step><para>
-		Stop the capture on the <command>Wireshark</command> monitoring machine. Be sure to save the captured data
-		to a file so that you can refer to it again later.
-		</para></step>
-
-		<step><para>
-		If desired, the Windows XP Professional client and the domain controller are no longer needed for exercises
-		in this chapter.
-		</para></step>
-
-		 <step><para>
-		<indexterm><primary>NTLMSSP_AUTH</primary></indexterm>
-                <indexterm><primary>session setup</primary></indexterm>
-                From the top of the packets captured, scan down to locate the first packet that has
-                interpreted as <constant>Session Setup AndX Request, NTLMSSP_AUTH</constant>.
-                </para></step>
-
-                <step><para>
-		<indexterm><primary>GSS-API</primary></indexterm>
-		<indexterm><primary>SPNEGO</primary></indexterm>
-		<indexterm><primary>NTLMSSP</primary></indexterm>
-                In the dissection (analysis) panel, expand the <constant>SMB, Session Setup AndX Request</constant>.
-		Expand the packet decode information, beginning at the <constant>Security Blob:</constant>
-		entry. Expand the <constant>GSS-API -> SPNEGO -> netTokenTarg -> responseToken -> NTLMSSP</constant>
-		keys.  This should reveal that this is a <constant>NULL</constant> session setup packet.
-		The <constant>User name: NULL</constant> so indicates. An example decode is shown in
-		<link linkend="XPCap01"/>.
-                </para></step>
-
-                <step><para>
-                Return to the packet capture sequence. There will be a number of packets that have been
-                decoded of the type <constant>Session Setup AndX Request</constant>. Click the last such packet that
-		has been decoded as <constant>Session Setup AndX Request, NTLMSSP_AUTH</constant>.
-                </para></step>
-
-                <step><para>
-		<indexterm><primary>encrypted password</primary></indexterm>
-                In the dissection (analysis) panel, expand the <constant>SMB, Session Setup AndX Request</constant>.
-                Expand the packet decode information, beginning at the <constant>Security Blob:</constant>
-                entry. Expand the <constant>GSS-API -> SPNEGO -> netTokenTarg -> responseToken -> NTLMSSP</constant>
-                keys.  This should reveal that this is a <constant>User Mode</constant> session setup packet.
-                The <constant>User name: jht</constant> so indicates. An example decode is shown in
-                <link linkend="XPCap02"/>. In this case the user name was <constant>jht</constant>. This packet
-		decode includes the <constant>Lan Manager Response:</constant> and the <constant>NTLM Response:</constant>.
-		The values of these two parameters are the Microsoft encrypted password hashes: respectively, the LanMan
-		password and then the NT (case-preserving) password hash.
-                </para></step>
-
-                <step><para>
-                <indexterm><primary>password length</primary></indexterm>
-                <indexterm><primary>User Mode</primary></indexterm>
-                The passwords are 24-character hexadecimal numbers. This packet confirms that this is a User Mode
-		session setup packet.
-                </para></step>
-
-	</procedure>
-
-	<figure id="XPCap01">
-        <title>Typical Windows XP NULL Session Setup AndX Request</title>
-		<imagefile scale="50">WindowsXP-NullConnection</imagefile>
-	</figure>
-
-	<figure id="XPCap02">
-        <title>Typical Windows XP User Session Setup AndX Request</title>
-		<imagefile scale="50">WindowsXP-UserConnection</imagefile>
-	</figure>
-
-		<sect3>
-		<title>Discussion</title>
-
-	  <para><indexterm>
-	      <primary>NULL-Session</primary>
-	    </indexterm>
-		This exercise demonstrates that, while the specific protocol for the Session Setup AndX is handled
-		in a more sophisticated manner by recent MS Windows clients, the underlying rules or principles
-		remain the same. Thus it is demonstrated  that MS Windows XP Professional clients still use a
-		<constant>NULL-Session</constant> connection to query and locate resources on an advanced network
-		technology server (one using Windows NT4/200x or Samba). It also demonstrates that an authenticated
-		connection must be made before resources can be used.
-		</para>
-
-		</sect3>
-
-	</sect2>
-
-	<sect2>
-	<title>Conclusions to Exercises</title>
-
-	<para>
-	In summary, the following points have been established in this chapter:
-	</para>
-
-	<itemizedlist>
-		<listitem><para>
-		When NetBIOS over TCP/IP protocols are enabled, MS Windows networking employs broadcast-oriented messaging protocols to provide knowledge of network services.
-		</para></listitem>
-
-		<listitem><para>
-		Network browsing protocols query information stored on browse masters that manage
-		information provided by NetBIOS Name Registrations and by way of ongoing host
-		announcements and workgroup announcements.
-		</para></listitem>
-
-		<listitem><para>
-		All Samba servers must be configured with a mechanism for mapping the <constant>NULL-Session</constant>
-		to a valid but nonprivileged UNIX system account.
-		</para></listitem>
-
-		<listitem><para>
-		The use of Microsoft encrypted passwords is built right into the fabric of Windows
-		networking operations. Such passwords cannot be provided from the UNIX <filename>/etc/passwd</filename>
-		database and thus must be stored elsewhere on the UNIX system in a manner that Samba can
-		use. Samba-2.x permitted such encrypted passwords to be stored in the <constant>smbpasswd</constant>
-		file or in an LDAP database. Samba-3 permits use of multiple <parameter>passdb backend</parameter>
-		databases in concurrent deployment. Refer to <emphasis>TOSHARG2</emphasis>, Chapter 10, <quote>Account Information Databases.</quote>
-		</para></listitem>
-	</itemizedlist>
-
-	</sect2>
-
-</sect1>
-
-<sect1 id="chap01conc">
-	<title>Dissection and Discussion</title>
-
-	<para>
-	<indexterm><primary>guest account</primary></indexterm>
-	The exercises demonstrate the use of the <constant>guest</constant> account, the way that
-	MS Windows clients and servers resolve computer names to a TCP/IP address, and how connections
-	between a client and a server are established.
-	</para>
-
-	<para>
-	Those wishing background information regarding NetBIOS name types should refer to
-	the Microsoft knowledgebase article
-	<ulink url="http://support.microsoft.com/support/kb/articles/Q102/78/8.asp">Q102878.</ulink>
-	</para>
-
-	<sect2>
-		<title>Technical Issues</title>
-
-		<para>
-		<indexterm><primary>guest account</primary></indexterm>
-		Network browsing involves SMB broadcast announcements, SMB enumeration requests,
-		connections to the <constant>IPC$</constant> share, share enumerations, and SMB connection
-		setup processes. The use of anonymous connections to a Samba server involve the use of
-		the <parameter>guest account</parameter> that must map to a valid UNIX UID.
-		</para>
-
-	</sect2>
-
-</sect1>
-
-<sect1 id="chap01qa">
-	<title>Questions and Answers</title>
-
-	<para>
-	The questions and answers given in this section are designed to highlight important aspects of Microsoft
-	Windows networking.
-	</para>
-
-	<qandaset defaultlabel="chap01qa" type="number">
-	<qandaentry>
-	<question>
-
-		<para>
-		What is the significance of the MIDEARTH<1b> type query?
-		</para>
-
-	</question>
-	<answer>
-
-		<para>
-		<indexterm><primary>Domain Master Browser</primary><see>DMB</see></indexterm>
-		<indexterm><primary>DMB</primary></indexterm>
-		This is a broadcast announcement by which the Windows machine is attempting to
-		locate a Domain Master Browser (DMB) in the event that it might exist on the network.
-		Refer to <emphasis>TOSHARG2,</emphasis> Chapter 9, Section 9.7, <quote>Technical Overview of Browsing,</quote>
-		for details regarding the function of the DMB and its role in network browsing.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-		<para>
-		What is the significance of the MIDEARTH<1d> type name registration?
-		</para>
-
-	</question>
-	<answer>
-
-		<para>
-		<indexterm><primary>Local Master Browser</primary><see>LMB</see></indexterm>
-		<indexterm><primary>LMB</primary></indexterm>
-		This name registration records the machine IP addresses of the LMBs.
-		Network clients can query this name type to obtain a list of browser servers from the
-		master browser.
-		</para>
-
-		<para>
-		The LMB is responsible for monitoring all host announcements on the local network and for
-		collating the information contained within them. Using this information, it can provide answers to other Windows
-		network clients that request information such as:
-		</para>
-
-		<itemizedlist>
-			<listitem><para>
-			The list of machines known to the LMB (i.e., the browse list)
-			</para></listitem>
-
-			<listitem><para>
-			The IP addresses of all domain controllers known for the domain
-			</para></listitem>
-
-			<listitem><para>
-			The IP addresses of LMBs
-			</para></listitem>
-
-			<listitem><para>
-			The IP address of the DMB (if one exists)
-			</para></listitem>
-
-			<listitem><para>
-			The IP address of the LMB on the local segment
-			</para></listitem>
-		</itemizedlist>
-
-        </answer>
-        </qandaentry>
-
-        <qandaentry>
-        <question>
-
-                <para>
-		What is the role and significance of the <01><02>__MSBROWSE__<02><01>
-		name registration?
-                </para>
-
-        </question>
-        <answer>
-
-                <para>
-		<indexterm><primary>Browse Master</primary></indexterm>
-		This name is registered by the browse master to broadcast and receive domain announcements.
-		Its scope is limited to the local network segment, or subnet. By querying this name type,
-		master browsers on networks that have multiple domains can find the names of master browsers
-		for each domain.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-		<para>
-		What is the significance of the MIDEARTH<1e> type name registration?
-		</para>
-
-	</question>
-	<answer>
-
-		<para>
-		<indexterm><primary>Browser Election Service</primary></indexterm>
-		This name is registered by all browse masters in a domain or workgroup. The registration
-		name type is known as the Browser Election Service. Master browsers register themselves
-		with this name type so that DMBs can locate them to perform cross-subnet
-		browse list updates. This name type is also used to initiate elections for Master Browsers.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-		<para>
-		<indexterm><primary>guest account</primary></indexterm>
-		What is the significance of the <parameter>guest account</parameter> in smb.conf?
-		</para>
-
-	</question>
-	<answer>
-
-		<para>
-		This parameter specifies the default UNIX account to which MS Windows networking
-		NULL session connections are mapped. The default name for the UNIX account used for
-		this mapping is called <constant>nobody</constant>. If the UNIX/Linux system that
-		is hosting Samba does not have a <constant>nobody</constant> account and an alternate
-		mapping has not been specified, network browsing will not work at all.
-		</para>
-
-		<para>
-		It should be noted that the <parameter>guest account</parameter> is essential to
-		Samba operation. Either the operating system must have an account called <constant>nobody</constant>
-		or there must be an entry in the &smb.conf; file with a valid UNIX account, such as
-		<smbconfoption name="guest account">ftp</smbconfoption>.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-		<para>
-		Is it possible to reduce network broadcast activity with Samba-3?
-		</para>
-
-	</question>
-	<answer>
-
-		<para>
-		<indexterm><primary>WINS</primary></indexterm>
-		<indexterm><primary>NetBIOS</primary></indexterm>
-		Yes, there are two ways to do this. The first involves use of WINS (See <emphasis>TOSHARG2</emphasis>, Chapter 9,
-		Section 9.5, <quote>WINS &smbmdash; The Windows Inter-networking Name Server</quote>); the
-		alternate method involves disabling the use of NetBIOS over TCP/IP. This second method requires
-		a correctly configured DNS server (see <emphasis>TOSHARG2</emphasis>, Chapter 9, Section 9.3, <quote>Discussion</quote>).
-		</para>
-
-		<para>
-		<indexterm><primary>broadcast</primary></indexterm>
-		<indexterm><primary>NetBIOS</primary><secondary>Node Type</secondary></indexterm>
-		<indexterm><primary>Hybrid</primary></indexterm>
-		The use of WINS reduces network broadcast traffic. The reduction is greatest when all network
-		clients are configured to operate in <parameter>Hybrid Mode</parameter>. This can be effected through
-		use of DHCP to set the NetBIOS node type to type 8 for all network clients. Additionally, it is
-		beneficial to configure Samba to use <smbconfoption name="name resolve order">wins host cast</smbconfoption>.
-		</para>
-
-		<note><para>
-		Use of SMB without NetBIOS is possible only on Windows 200x/XP Professional clients and servers, as
-		well as with Samba-3.
-		</para></note>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-		<para>
-		Can I just use plain-text passwords with Samba?
-		</para>
-
-	</question>
-	<answer>
-
-		<para>
-		Yes, you can configure Samba to use plain-text passwords, though this does create a few problems.
-		</para>
-
-		<para>
-		First, the use of <filename>/etc/passwd</filename>-based plain-text passwords requires that registry
-		modifications be made on all MS Windows client machines to enable plain-text passwords support. This
-		significantly diminishes the security of MS Windows client operation. Many network administrators
-		are bitterly opposed to doing this.
-		</para>
-
-		<para>
-		Second, Microsoft has not maintained plain-text password support since the default setting was made
-		disabling this. When network connections are dropped by the client, it is not possible to re-establish
-		the connection automatically. Users need to log off and then log on again. Plain-text password support
-		may interfere with recent enhancements that are part of the Microsoft move toward a more secure computing
-		environment.
-		</para>
-
-		<para>
-		Samba-3 supports Microsoft encrypted passwords. Be advised not to reintroduce plain-text password handling.
-		Just create user accounts by running <command>smbpasswd -a 'username'</command>
-		</para>
-
-		<para>
-		It is not possible to add a user to the <parameter>passdb backend</parameter> database unless there is
-		a UNIX system account for that user. On systems that run <command>winbindd</command> to access the Samba
-		PDC/BDC to provide Windows user and group accounts, the <parameter>idmap uid, idmap gid</parameter> ranges
-		set in the &smb.conf; file provide the local UID/GIDs needed for local identity management purposes.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-		<para>
-		What parameter in the &smb.conf; file is used to enable the use of encrypted passwords?
-		</para>
-
-	</question>
-	<answer>
-
-		<para>
-		The parameter in the &smb.conf; file that controls this behavior is known as <parameter>encrypt
-		passwords</parameter>. The default setting for this in Samba-3 is <constant>Yes (Enabled)</constant>.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-		<para>
-		Is it necessary to specify <smbconfoption name="encrypt passwords">Yes</smbconfoption>
-		when Samba-3 is configured as a domain member?
-		</para>
-
-	</question>
-	<answer>
-
-		<para>
-		No. This is the default behavior.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-		<para>
-		Is it necessary to specify a <parameter>guest account</parameter> when Samba-3 is configured
-		as a domain member server?
-		</para>
-
-	</question>
-	<answer>
-
-		<para>
-		Yes. This is a local function on the server. The default setting is to use the UNIX account
-		<constant>nobody</constant>. If this account does not exist on the UNIX server, then it is
-		necessary to provide a <smbconfoption name="guest account">an_account</smbconfoption>,
-		where <constant>an_account</constant> is a valid local UNIX user account.
-		</para>
-
-	</answer>
-	</qandaentry>
-	</qandaset>
-
-</sect1>
-
-</chapter>
-
diff --git a/docs-xml/Samba3-ByExample/SBE-DomainAppsSupport.xml b/docs-xml/Samba3-ByExample/SBE-DomainAppsSupport.xml
deleted file mode 100644
index c9ccd43..0000000
--- a/docs-xml/Samba3-ByExample/SBE-DomainAppsSupport.xml
+++ /dev/null
@@ -1,918 +0,0 @@
-<?xml version="1.0" encoding="iso-8859-1"?>
-<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
-
-<chapter id="DomApps">
-<title>Integrating Additional Services</title>
-
-	<para>
-	<indexterm><primary>authentication</primary></indexterm>
-	<indexterm><primary>backends</primary></indexterm>
-	<indexterm><primary>smbpasswd</primary></indexterm>
-	<indexterm><primary>ldapsam</primary></indexterm>
-	<indexterm><primary>Active Directory</primary></indexterm>
-	You've come a long way now. You have pretty much mastered Samba-3 for 
-	most uses it can be put to. Up until now, you have cast Samba-3 in the leading 
-	role, and where authentication was required, you have used one or another of 
-	Samba's many authentication backends (from flat text files with smbpasswd 
-	to LDAP directory integration with ldapsam). Now you can design a 
-	solution for a new Abmas business. This business is running Windows Server 
-	2003 and Active Directory, and these are to stay. It's time to master 
-	implementing Samba and Samba-supported services in a domain controlled by 
-	the latest Windows authentication technologies. Let's get started &smbmdash; this is 
-	leading edge.
-	</para>
-
-<sect1>
-	<title>Introduction</title>
-
-	<para>
-	Abmas has continued its miraculous growth; indeed, nothing seems to be able 
-	to stop its diversification into multiple (and seemingly unrelated) fields. 
-	Its latest acquisition is Abmas Snack Foods, a big player in the snack-food 
-	business.
-	</para>
-
-	<para>
-	With this acquisition comes new challenges for you and your team. Abmas Snack 
-	Foods is a well-developed business with a huge and heterogeneous network. It 
-	already has Windows, NetWare, and Proprietary UNIX, but as yet no Samba or Linux. 
-	The network is mature and well-established, and there is no question of its chosen 
-	user authentication scheme being changed for now. You need to take a wise new 
-	approach.
-	</para>
-
-	<para>
-	You have decided to set the ball rolling by introducing Samba-3 into the network 
-	gradually, taking over key services and easing the way to a full migration and, 
-	therefore, integration into Abmas's existing business later.
-	</para>
-
-	<sect2>
-	<title>Assignment Tasks</title>
-
-		<para>
-		<indexterm><primary>web</primary><secondary>proxying</secondary></indexterm>
-		<indexterm><primary>web</primary><secondary>caching</secondary></indexterm>
-	        You've promised the skeptical Abmas Snack Foods management team 
-		that you can show them how Samba can ease itself and other Open Source 
-		technologies into their existing infrastructure and deliver sound business 
-		advantages. Cost cutting is high on their agenda (a major promise of the 
-		acquisition). You have chosen Web proxying and caching as your proving ground.
-		</para>
-
-		<para>
-		<indexterm><primary>bandwidth</primary></indexterm>
-		<indexterm><primary>Microsoft ISA</primary></indexterm>
-		Abmas Snack Foods has several thousand users housed at its head office 
-		and multiple regional offices, plants, and warehouses. A high proportion of 
-		the business's work is done online, so Internet access for most of these 
-		users is essential. All Internet access, including for all regional offices, 
-		is funneled through the head office and is the job of the (now your) networking 
-		team. The bandwidth requirements were horrific (comparable to a small ISP), and 
-		the team soon discovered proxying and caching. In fact, they became one of 
-		the earliest commercial users of Microsoft ISA.
-		</para>
-
-		<para>
-		<indexterm><primary>Active Directory</primary></indexterm>
-		<indexterm><primary>authenticated</primary></indexterm>
-		<indexterm><primary>proxy</primary></indexterm>
-		The team is not happy with ISA. Because it never lived up to its marketing promises, 
-		it underperformed and had reliability problems. You have pounced on the opportunity 
-		to show what Open Source can do. The one thing they do like, however, is ISA's 
-		integration with Active Directory. They like that their users, once logged on, 
-		are automatically authenticated against the proxy. If your alternative to ISA 
-		can operate completely seamlessly in their Active Directory domain, it will be
-		approved.
-		</para>
-
-		<para>
-		This is a hands-on exercise. You build software applications so
-		that you obtain the functionality Abmas needs.
-		</para>
-
-	</sect2>
-</sect1>
-
-<sect1>
-<title>Dissection and Discussion</title>
-
-	<para>
-	The key requirements in this business example are straightforward. You are not required 
-	to do anything new, just to replicate an existing system, not lose any existing features, 
-	and improve performance. The key points are:
-	</para>
-
-	<itemizedlist>
-		<listitem><para>
-		Internet access for most employees
-		</para></listitem>
-		<listitem><para>
-		Distributed system to accommodate load and geographical distribution of users
-		</para></listitem>
-		<listitem><para>
-		Seamless and transparent interoperability with the existing Active Directory domain
-		</para></listitem>
-	</itemizedlist>
-
-
-	<sect2>
-		<title>Technical Issues</title>
-
-		<para>
-		<indexterm><primary>browsing</primary></indexterm>
-		<indexterm><primary>Squid proxy</primary></indexterm>
-		<indexterm><primary>proxy</primary></indexterm>
-		<indexterm><primary>authentication</primary></indexterm>
-		<indexterm><primary>Internet Explorer</primary></indexterm>
-		<indexterm><primary>winbind</primary></indexterm>
-		<indexterm><primary>NTLM</primary></indexterm>
-		<indexterm><primary>NTLM authentication daemon</primary></indexterm>
-		<indexterm><primary>authentication</primary></indexterm>
-		<indexterm><primary>daemon</primary></indexterm>
-		<indexterm><primary>Active Directory</primary></indexterm>
-		<indexterm><primary>domain</primary><secondary>Active Directory</secondary></indexterm>
-		<indexterm><primary>Kerberos</primary></indexterm><indexterm><primary>token</primary></indexterm>
-		Functionally, the user's Internet Explorer requests a browsing session with the 
-		Squid proxy, for which it offers its AD authentication token. Squid hands off 
-		the authentication request to the Samba-3 authentication helper application
-		called <command>ntlm_auth</command>. This helper is a hook into winbind, the 
-		Samba-3 NTLM authentication daemon. Winbind enables UNIX services to authenticate 
-		against Microsoft Windows domains, including Active Directory domains. As Active 
-		Directory authentication is a modified Kerberos authentication, winbind is assisted 
-		in this by local Kerberos 5 libraries configured to check passwords with the Active 
-		Directory server. Once the token has been checked, a browsing session is established. 
-		This process is entirely transparent and seamless to the user.
-		</para>
-
-		<para>
-		Enabling this consists of:
-		</para>
-
-		<itemizedlist>
-			<listitem><para>
-			Preparing the necessary environment using preconfigured packages
-			</para></listitem>
-
-			<listitem><para>
-			Setting up raw Kerberos authentication against the Active Directory domain
-			</para></listitem>
-
-			<listitem><para>
-			Configuring, compiling, and then installing the supporting Samba-3 components
-			</para></listitem>
-
-			<listitem><para>
-			Tying it all together
-			</para></listitem>
-		</itemizedlist>
-
-	</sect2>
-
-
-	<sect2>
-		<title>Political Issues</title>
-
-		<para>
-		You are a stranger in a strange land, and all eyes are upon you. Some would even like to see 
-		you fail. For you to gain the trust of your newly acquired IT people, it is essential that your 
-		solution does everything the old one did, but does it better in every way. Only then 
-		will the entrenched positions consider taking up your new way of doing things on a 
-		wider scale.
-		</para>
-
-	</sect2>
-
-</sect1>
-
-<sect1>
-	<title>Implementation</title>
-
-	<para>
-	<indexterm><primary>Squid</primary></indexterm>
-	First, your system needs to be prepared and in a known good state to proceed. This consists 
-	of making sure that everything the system depends on is present and that everything that could 
-	interfere or conflict with the system is removed. You will be configuring the Squid and Samba-3 
-	packages and updating them if necessary. If conflicting packages of these programs are installed, 
-	they must be removed.
-	</para>
-
-	<para>
-	<indexterm><primary>Red Hat Linux</primary></indexterm>
-	The following packages should be available on your Red Hat Linux system:
-	</para>
-
-	<itemizedlist>
-		<listitem><para>
-		<indexterm><primary>krb5</primary></indexterm>
-		<indexterm><primary>Kerberos</primary></indexterm>
-		krb5-libs
-		</para></listitem>
-
-		<listitem><para>
-		krb5-devel
-		</para></listitem>
-
-		<listitem><para>
-		krb5-workstation
-		</para></listitem>
-
-		<listitem><para>
-		krb5-server
-		</para></listitem>
-
-		<listitem><para>
-		pam_krb5
-		</para></listitem>
-	</itemizedlist>
-
-	<para>
-	<indexterm><primary>SUSE Linux</primary></indexterm>
-	In the case of SUSE Linux, these packages are called:
-	</para>
-
-        <itemizedlist>
-                <listitem><para>
-                heimdal-lib
-                </para></listitem>
-
-                <listitem><para>
-                heimdal-devel
-                </para></listitem>
-
-		<listitem><para>
-		<indexterm><primary>Heimdal</primary></indexterm>
-                heimdal
-                </para></listitem>
-
-                <listitem><para>
-                pam_krb5
-                </para></listitem>
-        </itemizedlist>
-
-	<para>
-	If the required packages are not present on your system, you must install
-	them from the vendor's installation media. Follow the administrative guide
-	for your Linux system to ensure that the packages are correctly updated.
-	</para>
-
-	<note><para>
-	<indexterm><primary>MS Windows Server 2003</primary></indexterm>
-	<indexterm><primary>Kerberos</primary></indexterm>
-	<indexterm><primary>MIT</primary></indexterm>
-	If the requirement is for interoperation with MS Windows Server 2003, it
-	will be necessary to ensure that you are using MIT Kerberos version 1.3.1
-	or later. Red Hat Linux 9 ships with MIT Kerberos 1.2.7 and thus requires
-	updating.
-	</para>
-
-	<para>
-	<indexterm><primary>Heimdal</primary></indexterm>
-	<indexterm><primary>SUSE Enterprise Linux Server</primary></indexterm>
-	Heimdal 0.6 or later is required in the case of SUSE Linux. SUSE Enterprise
-	Linux Server 8 ships with Heimdal 0.4. SUSE 9 ships with the necessary version.
-	</para></note>
-
-	<sect2 id="ch10-one">
-	<title>Removal of Pre-Existing Conflicting RPMs</title>
-
-	<para>
-	<indexterm><primary>Squid</primary></indexterm>
-	If Samba and/or Squid RPMs are installed, they should be updated. You can 
-	build both from source.
-	</para>
-
-	<para>
-	<indexterm><primary>rpm</primary></indexterm>
-	<indexterm><primary>samba</primary></indexterm>
-	<indexterm><primary>squid</primary></indexterm>
-	Locating the packages to be un-installed can be achieved by running:
-<screen>
-&rootprompt; rpm -qa | grep -i samba
-&rootprompt; rpm -qa | grep -i squid
-</screen>
-	The identified packages may be removed using:
-<screen>
-&rootprompt; rpm -e samba-common
-</screen>
-	</para>
-
-	<sect2>
-	<title>Kerberos Configuration</title>
-
-	<para>
-	<indexterm><primary>Kerberos</primary></indexterm>
-	<indexterm><primary>Active Directory</primary><secondary>server</secondary></indexterm>
-	<indexterm><primary>ADS</primary></indexterm>
-	<indexterm><primary>KDC</primary></indexterm>
-	The systems Kerberos installation must be configured to communicate with 
-	your primary Active Directory server (ADS KDC).
-	</para>
-
-	<para>
-	Strictly speaking, MIT Kerberos version 1.3.4 currently gives the best results, 
-	although the current default Red Hat MIT version 1.2.7 gives acceptable results 
-	unless you are using Windows 2003 servers.
-	</para>
-
-	<para>
-	<indexterm><primary>MIT</primary></indexterm>
-	<indexterm><primary>Heimdal</primary></indexterm>
-	<indexterm><primary>Kerberos</primary></indexterm>
-	<indexterm><primary>/etc/krb5.conf</primary></indexterm>
-	<indexterm><primary>DNS</primary><secondary>SRV records</secondary></indexterm>
-	<indexterm><primary>KDC</primary></indexterm>
-	<indexterm><primary>DNS</primary><secondary>lookup</secondary></indexterm>
-	Officially, neither MIT (1.3.4) nor Heimdal (0.63) Kerberos needs an <filename>/etc/krb5.conf</filename> 
-	file in order to work correctly. All ADS domains automatically create SRV records in the 
-	DNS zone <constant>Kerberos.REALM.NAME</constant> for each KDC in the realm. Since both 
-	MIT and Heimdal, KRB5 libraries default to checking for these records, so they 
-	automatically find the KDCs. In addition, <filename>krb5.conf</filename> allows 
-	specifying only a single KDC, even if there is more than one. Using the DNS lookup 
-	allows the KRB5 libraries to use whichever KDCs are available.
-	</para>
-
-	<procedure>
-	<title>Kerberos Configuration Steps</title>
-
-		<step><para>
-		<indexterm><primary>krb5.conf</primary></indexterm>
-		If you find the need to manually configure the <filename>krb5.conf</filename>, you should edit it
-		to have the contents shown in <link linkend="ch10-krb5conf"/>. The final fully qualified path for this file 
-		should be <filename>/etc/krb5.conf</filename>.
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>Kerberos</primary></indexterm>
-		<indexterm><primary>realm</primary></indexterm>
-		<indexterm><primary>case-sensitive</primary></indexterm>
-		<indexterm><primary>KDC</primary></indexterm>
-		<indexterm><primary>synchronization</primary></indexterm>
-		<indexterm><primary>initial credentials</primary></indexterm>
-		<indexterm><primary>Clock skew</primary></indexterm>
-		<indexterm><primary>NTP</primary></indexterm>
-		<indexterm><primary>DNS</primary><secondary>lookup</secondary></indexterm>
-		<indexterm><primary>reverse DNS</primary></indexterm>
-		<indexterm><primary>NetBIOS name </primary></indexterm>
-		<indexterm><primary>/etc/hosts</primary></indexterm>
-		<indexterm><primary>mapping</primary></indexterm>
-		The following gotchas often catch people out. Kerberos is case sensitive. Your realm must
-		be in UPPERCASE, or you will get an error: <quote>Cannot find KDC for requested realm while getting
-		initial credentials</quote>.  Kerberos is picky about time synchronization. The time
-		according to your participating servers must be within 5 minutes or you get an error:
-		<quote>kinit(v5): Clock skew too great while getting initial credentials</quote>.
-		Clock skew limits are, in fact, configurable in the Kerberos protocols (the default is
-		5 minutes). A better solution is to implement NTP throughout your server network.
-		Kerberos needs to be able to do a reverse DNS lookup on the IP address of your KDC.
-		Also, the name that this reverse lookup maps to must either be the NetBIOS name of
-		the KDC (i.e., the hostname with no domain attached) or the
-		NetBIOS name followed by the realm. If all else fails, you can add a
-		<filename>/etc/hosts</filename> entry mapping the IP address of your KDC to its
-		NetBIOS name. If Kerberos cannot do this reverse lookup, you will get a local error
-		when you try to join the realm.
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>kinit</primary></indexterm>
-		You are now ready to test your installation by issuing the command:
-<screen>
-&rootprompt; kinit [USERNAME at REALM]
-</screen> 
-		You are asked for your password, which you should enter. The following
-		is a typical console sequence:
-<screen>
-&rootprompt; kinit ADMINISTRATOR at LONDON.ABMAS.BIZ
-Password for ADMINISTRATOR at LONDON.ABMAS.BIZ: 
-</screen>
-		Make sure that your password is accepted by the Active Directory KDC.
-		</para></step>
-	</procedure>
-
-<example id="ch10-krb5conf">
-<title>Kerberos Configuration &smbmdash; File: <filename>/etc/krb5.conf</filename></title>
-<screen>
-[libdefaults]
-	default_realm = LONDON.ABMAS.BIZ
-
-[realms] 
-	LONDON.ABMAS.BIZ = {
-	kdc = w2k3s.london.abmas.biz
-	}
-</screen>
-</example>
-
-	<para><indexterm>
-	    <primary>klist</primary>
-	  </indexterm>
-	The command
-<screen>
-&rootprompt; klist -e 
-</screen>
-	shows the Kerberos tickets cached by the system.
-	</para>
-
-	<sect3>
-	<title>Samba Configuration</title>
-
-	<para>
-	<indexterm><primary>Active Directory</primary></indexterm>
-	Samba must be configured to correctly use Active Directory. Samba-3 must be used, since it 
-	has the necessary components to interface with Active Directory.
-	</para>
-
-	<procedure>
-	<title>Securing Samba-3 With ADS Support Steps</title>
-
-		<step><para>
-		<indexterm><primary>Red Hat Linux</primary></indexterm>
-		<indexterm><primary>Samba Tea</primary></indexterm>
-		<indexterm><primary>Red Hat Fedora Linux</primary></indexterm>
-		<indexterm><primary>MIT KRB5</primary></indexterm>
-		<indexterm><primary>ntlm_auth</primary></indexterm>
-		Download the latest stable Samba-3 for Red Hat Linux from the official Samba Team
-		<ulink url="http://ftp.samba.org">FTP site.</ulink> The official Samba Team
-		RPMs for Red Hat Fedora Linux contain the <command>ntlm_auth</command> tool
-		needed, and are linked against MIT KRB5 version 1.3.1 and therefore are ready for use.
-		</para>
-
-		<para>
-		<indexterm><primary>SerNet</primary></indexterm>
-		<indexterm><primary>RPMs</primary></indexterm>
-		The necessary, validated RPM packages for SUSE Linux may be obtained from
-		the <ulink url="ftp://ftp.sernet.de/pub/samba">SerNet</ulink> FTP site that
-		is located in Germany. All SerNet RPMs are validated, have the necessary
-		<command>ntlm_auth</command> tool, and are statically linked 
-		against suitably patched Heimdal 0.6 libraries.
-		</para></step>
-
-		<step><para>
-		Using your favorite editor, change the <filename>/etc/samba/smb.conf</filename>
-		file so it has contents similar to the example shown in <link linkend="ch10-smbconf"/>.
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>computer account</primary></indexterm>
-		<indexterm><primary>Active Directory</primary></indexterm>
-		<indexterm><primary>net</primary><secondary>ads</secondary><tertiary>join</tertiary></indexterm>i
-		<indexterm><primary>Kerberos ticket</primary></indexterm>
-		<indexterm><primary>ticket</primary></indexterm>
-		Next you need to create a computer account in the Active Directory. 
-		This sets up the trust relationship needed for other clients to 
-		authenticate to the Samba server with an Active Directory Kerberos ticket. 
-		This is done with the <quote>net ads join -U [Administrator%Password]</quote>
-		command, as follows:
-<screen>
-&rootprompt; net ads join -U administrator%vulcon
-</screen>
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>smbd</primary></indexterm>
-		<indexterm><primary>nmbd</primary></indexterm>
-		<indexterm><primary>winbindd</primary></indexterm>
-		<indexterm><primary>Active Directory</primary></indexterm>
-		<indexterm><primary>Samba</primary></indexterm>
-		Your new Samba binaries must be started in the standard manner as is applicable
-		to the platform you are running on. Alternatively, start your Active Directory-enabled Samba with the following commands:
-<screen>
-&rootprompt; smbd -D
-&rootprompt; nmbd -D
-&rootprompt; winbindd -D
-</screen>
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>winbind</primary></indexterm>
-		<indexterm><primary>Active Directory</primary><secondary>domain</secondary></indexterm>
-		<indexterm><primary>wbinfo</primary></indexterm>
-		<indexterm><primary>enumerating</primary></indexterm>
-		<indexterm><primary>Active Directory</primary><secondary>tree</secondary></indexterm>
-		We now need to test that Samba is communicating with the Active 
-		Directory domain; most specifically, we want to see whether winbind 
-		is enumerating users and groups. Issue the following commands:
-<screen>
-&rootprompt; wbinfo -t
-checking the trust secret via RPC calls succeeded
-</screen>
-		This tests whether we are authenticating against Active Directory:
-<screen>
-&rootprompt; wbinfo -u
-LONDON+Administrator
-LONDON+Guest
-LONDON+SUPPORT_388945a0
-LONDON+krbtgt
-LONDON+jht
-LONDON+xjht
-</screen>
-		This enumerates all the users in your Active Directory tree:
-<screen>
-&rootprompt; wbinfo -g
-LONDON+Domain Computers
-LONDON+Domain Controllers
-LONDON+Schema Admins
-LONDON+Enterprise Admins
-LONDON+Domain Admins
-LONDON+Domain Users
-LONDON+Domain Guests
-LONDON+Group Policy Creator Owners
-LONDON+DnsUpdateProxy
-</screen>
-		This enumerates all the groups in your Active Directory tree.
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>Squid</primary></indexterm>
-		<indexterm><primary>ntlm_auth</primary></indexterm>
-		Squid uses the <command>ntlm_auth</command> helper build with Samba-3.
-		You may test <command>ntlm_auth</command> with the command:
-<screen>
-&rootprompt; /usr/bin/ntlm_auth --username=jht
-password: XXXXXXXX
-</screen>
-		You are asked for your password, which you should enter. You are rewarded with:
-<screen>
-&rootprompt; NT_STATUS_OK: Success (0x0)
-</screen>
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>ntlm_auth</primary></indexterm>
-		<indexterm><primary>authenticate</primary></indexterm>
-		<indexterm><primary>winbind</primary></indexterm>
-		<indexterm><primary>privileged pipe</primary></indexterm>
-		<indexterm><primary>squid</primary></indexterm>
-		<indexterm><primary>chgrp</primary></indexterm>
-		<indexterm><primary>chmod</primary></indexterm>
-		<indexterm><primary>failure</primary></indexterm>
-		The <command>ntlm_auth</command> helper, when run from a command line as the user 
-		<quote>root</quote>, authenticates against your Active Directory domain (with 
-		the aid of winbind). It manages this by reading from the winbind privileged pipe. 
-		Squid is running with the permissions of user <quote>squid</quote> and group 
-		<quote>squid</quote> and is not able to do this unless we make a vital change. 
-		Squid cannot read from the winbind privilege pipe unless you change the 
-		permissions of its directory. This is the single biggest cause of failure in the 
-		whole process. Remember to issue the following command (for Red Hat Linux):
-<screen>
-&rootprompt; chgrp squid /var/cache/samba/winbindd_privileged
-&rootprompt; chmod 750 /var/cache/samba/winbindd_privileged
-</screen>
-		For SUSE Linux 9, execute the following:
-<screen>
-&rootprompt; chgrp squid /var/lib/samba/winbindd_privileged
-&rootprompt; chmod 750 /var/lib/samba/winbindd_privileged
-</screen>
-		</para></step>
-
-	</procedure>
-	</sect3>
-
-	<sect3>
-	<title>NSS Configuration</title>
-
-	<para>
-	<indexterm><primary>NSS</primary></indexterm>
-	<indexterm><primary>winbind</primary></indexterm>
-	<indexterm><primary>authentication</primary></indexterm>
-	For Squid to benefit from Samba-3, NSS must be updated to allow winbind as a valid route to user authentication.
-	</para>
-
-	<para>
-	Edit your <filename>/etc/nsswitch.conf</filename> file so it has the parameters shown
-	in <link linkend="ch10-etcnsscfg"/>.
-	</para>
-
-<example id="ch10-smbconf">
-<title>Samba Configuration &smbmdash; File: <filename>/etc/samba/smb.conf</filename></title>
-<smbconfblock>
-<smbconfsection name="[global]"/>
-<smbconfoption name="workgroup">LONDON</smbconfoption>
-<smbconfoption name="netbios name">W2K3S</smbconfoption>
-<smbconfoption name="realm">LONDON.ABMAS.BIZ</smbconfoption>
-<smbconfoption name="security">ads</smbconfoption>
-<smbconfoption name="encrypt passwords">yes</smbconfoption>
-<smbconfoption name="password server">w2k3s.london.abmas.biz</smbconfoption>
-
-<smbconfcomment>separate domain and username with '/', like DOMAIN/username</smbconfcomment>
-<smbconfoption name="winbind separator">/</smbconfoption>
-
-<smbconfcomment>use UIDs from 10000 to 20000 for domain users</smbconfcomment>
-<smbconfoption name="idmap uid">10000-20000</smbconfoption>
-<smbconfcomment>use GIDs from 10000 to 20000 for domain groups</smbconfcomment>
-<smbconfoption name="idmap gid">10000-20000</smbconfoption>
-
-<smbconfcomment>allow enumeration of winbind users and groups</smbconfcomment>
-<smbconfoption name="winbind enum users">yes</smbconfoption>
-<smbconfoption name="winbind enum groups">yes</smbconfoption>
-<smbconfoption name="winbind user default domain">yes</smbconfoption>
-</smbconfblock>
-</example>
-
-<example id="ch10-etcnsscfg">
-<title>NSS Configuration File Extract &smbmdash; File: <filename>/etc/nsswitch.conf</filename></title>
-<screen>
-passwd: files winbind
-shadow: files
-group: files winbind
-</screen>
-</example>
-
-	</sect3>
-
-	<sect3>
-	<title>Squid Configuration</title>
-
-	<para>
-	<indexterm><primary>Squid</primary></indexterm>
-	<indexterm><primary>Active Directory</primary><secondary>authentication</secondary></indexterm>
-	Squid must be configured correctly to interact with the Samba-3 
-	components that handle Active Directory authentication.
-	</para>
-
-	</sect3>
-
-	</sect2>
-
-	<sect2>
-	<title>Configuration</title></sect2>
-
-	<procedure>
-	<title>Squid Configuration Steps</title>
-
-		<step><para>
-		<indexterm><primary>SUSE Linux</primary></indexterm>
-		<indexterm><primary>Squid</primary> </indexterm>
-		<indexterm><primary>helper agent</primary></indexterm>
-		If your Linux distribution is SUSE Linux 9, the version of Squid 
-		supplied is already enabled to use the winbind helper agent. You
-		can therefore omit the steps that would build the Squid binary
-		programs.
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>nobody</primary></indexterm>
-		<indexterm><primary>squid</primary></indexterm>
-		<indexterm><primary>rpms</primary></indexterm>
-		<indexterm><primary>/etc/passwd</primary></indexterm>
-		<indexterm><primary>/etc/group</primary></indexterm>
-		Squid, by default, runs as the user <constant>nobody</constant>. You need to 
-		add a system user <constant>squid</constant> and a system group 
-		<constant>squid</constant> if they are not set up already (if the default 
-		Red Hat squid rpms were installed, they will be).  Set up a 
-		<constant>squid</constant> user in <filename>/etc/passwd</filename> 
-		and a <constant>squid</constant> group in <filename>/etc/group</filename> if these aren't there already.
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>permissions</primary></indexterm>
-		<indexterm><primary>chown</primary></indexterm>
-		You now need to change the permissions on Squid's <constant>var</constant>
-		directory.  Enter the following command:
-<screen>
-&rootprompt; chown -R squid /var/cache/squid
-</screen>
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>logging</primary></indexterm>
-		<indexterm><primary>Squid</primary></indexterm>
-		Squid must also have control over its logging. Enter the following commands:
-<screen>
-&rootprompt; chown -R chown squid:squid /var/log/squid
-&rootprompt; chmod 770 /var/log/squid
-</screen>
-		</para></step>
-
-		<step><para>
-		Finally, Squid must be able to write to its disk cache!
-		Enter the following commands:
-<screen>
-&rootprompt; chown -R chown squid:squid /var/cache/squid
-&rootprompt; chmod 770 /var/cache/squid
-</screen>
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>/etc/squid/squid.conf</primary></indexterm>
-		The <filename>/etc/squid/squid.conf</filename> file must be edited to include the lines from 
-		<link linkend="etcsquidcfg"/> and <link linkend="etcsquid2"/>.
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>cache directories</primary></indexterm>
-		You must create Squid's cache directories before it may be run.  Enter the following command: 
-<screen>
-&rootprompt; squid -z
-</screen>
-		</para></step>
-
-		<step><para>
-		Finally, start Squid and enjoy transparent Active Directory authentication.
-		Enter the following command:
-<screen>
-&rootprompt; squid
-</screen>
-		</para></step>
-	</procedure>
-
-<example id="etcsquidcfg">
-<title>Squid Configuration File Extract &smbmdash; <filename>/etc/squid.conf</filename> [ADMINISTRATIVE PARAMETERS Section]</title>
-<screen>
-	cache_effective_user squid
-	cache_effective_group squid
-</screen>
-</example>
-
-<example id="etcsquid2">
-<title>Squid Configuration File extract &smbmdash; File: <filename>/etc/squid.conf</filename> [AUTHENTICATION PARAMETERS Section]</title>
-<screen>
-	auth_param ntlm program /usr/bin/ntlm_auth \
-                                --helper-protocol=squid-2.5-ntlmssp
-	auth_param ntlm children 5
-	auth_param ntlm max_challenge_reuses 0
-	auth_param ntlm max_challenge_lifetime 2 minutes
-	auth_param basic program /usr/bin/ntlm_auth \
-                                --helper-protocol=squid-2.5-basic
-	auth_param basic children 5
-	auth_param basic realm Squid proxy-caching web server
-	auth_param basic credentialsttl 2 hours
-	acl AuthorizedUsers proxy_auth REQUIRED
-	http_access allow all AuthorizedUsers
-</screen>
-</example>
-
-	</sect2>
-
-	<sect2>
-		<title>Key Points Learned</title>
-
-		<para>
-		<indexterm><primary>Web browsers</primary></indexterm>
-		<indexterm><primary>services</primary></indexterm>
-		<indexterm><primary>authentication protocols</primary></indexterm>
-		<indexterm><primary>Web</primary><secondary>proxy</secondary><tertiary>access</tertiary></indexterm>
-		<indexterm><primary>NTLMSSP</primary></indexterm>
-		Microsoft Windows networking protocols permeate the spectrum of technologies that Microsoft
-		Windows clients use, even when accessing traditional services such as Web browsers. Depending 
-		on whom you discuss this with, this is either good or bad. No matter how you might evaluate this,
-		the use of NTLMSSP as the authentication protocol for Web proxy access has some advantages over
-		the cookie-based authentication regime used by all competing browsers. It is Samba's implementation
-		of NTLMSSP that makes it attractive to implement the solution that has been demonstrated in this chapter.
-		</para>
-
-	</sect2>
-
-</sect1>
-
-<sect1>
-	<title>Questions and Answers</title>
-
-	<para>
-	<indexterm><primary>ntlm_auth</primary></indexterm>
-	<indexterm><primary>SambaXP conference</primary></indexterm>
-	<indexterm><primary>Goettingen</primary></indexterm>
-	<indexterm><primary>Italian</primary></indexterm>
-	The development of the <command>ntlm_auth</command> module was first discussed in many Open Source circles
-	in 2002. At the SambaXP conference in Goettingen, Germany, Mr. Francesco Chemolli demonstrated the use of 
-	<command>ntlm_auth</command> during one of the late developer meetings that took place. Since that time, the 
-	adoption of <command>ntlm_auth</command> has spread considerably.
-	</para>
-
-	<para>
-	The largest report from a site that uses Squid with <command>ntlm_auth</command>-based authentication
-	support uses a dual processor server that has 2 GB of memory. It provides Web and FTP proxy services for 10,000
-	users. Approximately 2,000 of these users make heavy use of the proxy services. According to the source, who
-	wishes to remain anonymous, the sustained transaction load on this server hovers around 140 hits/sec. The following
-	comments were made with respect to questions regarding the performance of this installation:
-	</para>
-
-	<blockquote><para>
-	[In our] EXTREMELY optimized environment . . . [the] performance impact is almost [nothing]. The <quote>almost</quote> 
-	part is due to the brain damage of the ntlm-over-http protocol definition. Suffice to say that its worst-case 
-	scenario triples the number of hits needed to perform the same transactions versus basic or digest auth[entication].
-	</para></blockquote>
-
-	<para>
-	You would be well-advised to recognize that all cache-intensive proxying solutions demand a lot of memory.
-	Make certain that your Squid proxy server is equipped with sufficient memory to permit all proxy operations to run 
-	out of memory without invoking the overheads involved in the use of memory that has to be swapped to disk.
-	</para>
-
-	<qandaset defaultlabel="chap10bqa" type="number">
-	<qandaentry>
-	<question>
-
-		<para>
-		What does Samba have to do with Web proxy serving?
-		</para>
-
-	</question>
-	<answer>
-
-		<para>
-		<indexterm><secondary>transparent inter-operability</secondary></indexterm>
-		<indexterm><primary>Windows clients</primary></indexterm>
-		<indexterm><primary>network</primary><secondary>services</secondary></indexterm>
-		<indexterm><primary>authentication</primary></indexterm>
-		<indexterm><primary>wrapper</primary></indexterm>
-		To provide transparent interoperability between Windows clients and the network services
-		that are used from them, Samba had to develop tools and facilities that deliver that feature. The benefit
-		of Open Source software is that it can readily be reused. The current <command>ntlm_auth</command>
-		module is basically a wrapper around authentication code from the core of the Samba project.
-		</para>
-
-		<para>
-		<indexterm><primary>plain-text</primary></indexterm>
-		<indexterm><primary>authentication</primary><secondary>plain-text</secondary></indexterm>
-		<indexterm><primary>Web</primary><secondary>proxy</secondary></indexterm>
-		<indexterm><primary>FTP</primary><secondary>proxy</secondary></indexterm>
-		<indexterm><primary>NTLMSSP</primary></indexterm>
-		<indexterm><primary>logon credentials</primary></indexterm>
-		<indexterm><primary>Windows explorer</primary></indexterm>
-		<indexterm><primary>Internet Information Server</primary></indexterm>
-		<indexterm><primary>Apache Web server</primary></indexterm>
-		The <command>ntlm_auth</command> module supports basic plain-text authentication and NTLMSSP 
-		protocols. This module makes it possible for Web and FTP proxy requests to be authenticated without
-		the user being interrupted via his or her Windows logon credentials. This facility is available with
-		MS Windows Explorer and is one of the key benefits claimed for Microsoft Internet Information Server.
-		There are a few open source initiatives to provide support for these protocols in the Apache Web server
-		also.
-		</para>
-
-		<para>
-		<indexterm><primary>wrapper</primary></indexterm>
-		The short answer is that by adding a wrapper around key authentication components of Samba, other
-		projects (like Squid) can benefit from the labors expended in meeting user interoperability needs.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-		<para>
-		What other services does Samba provide?
-		</para>
-
-	</question>
-	<answer>
-
-		<para>
-		<indexterm><primary>winbindd</primary></indexterm>
-		<indexterm><primary>Identity resolver</primary></indexterm>
-		<indexterm><primary>daemon</primary></indexterm>
-		<indexterm><primary>smbd</primary></indexterm>
-		<indexterm><primary>file and print server</primary></indexterm>
-		Samba-3 is a file and print server. The core components that provide this functionality are <command>smbd</command>,
-		<command>nmbd</command>, and the identity resolver daemon, <command>winbindd</command>.
-		</para>
-
-		<para>
-		<indexterm><primary>SMB/CIFS</primary></indexterm>
-		<indexterm><primary>smbclient</primary></indexterm>
-		Samba-3 is an SMB/CIFS client. The core component that provides this is called <command>smbclient</command>.
-		</para>
-
-		<para>
-		<indexterm><primary>modules</primary></indexterm>
-		<indexterm><primary>utilities</primary></indexterm>
-		<indexterm><primary>validation</primary></indexterm>
-		<indexterm><primary>inter-operability</primary></indexterm>
-		<indexterm><primary>authentication</primary></indexterm>
-		Samba-3 includes a number of helper tools, plug-in modules, utilities, and test and validation facilities.
-		Samba-3 includes glue modules that help provide interoperability between MS Windows clients and UNIX/Linux
-		servers and clients. It includes Winbind agents that make it possible to authenticate UNIX/Linux access attempts
-		as well as logins to an SMB/CIFS authentication server backend. Samba-3 includes name service switch (NSS) modules
-		to permit identity resolution via SMB/CIFS servers (Windows NT4/200x, Samba, and a host of other commercial
-		server products).
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-		<para>
-		Does use of Samba (<command>ntlm_auth</command>) improve the performance of Squid?
-		</para>
-
-	</question>
-	<answer>
-
-		<para>
-		Not really. Samba's <command>ntlm_auth</command> module handles only authentication. It requires that
-		Squid make an external call to <command>ntlm_auth</command> and therefore actually incurs a
-		little more overhead. Compared with the benefit obtained, that overhead is well worth enduring. Since
-		Squid is a proxy server, and proxy servers tend to require lots of memory, it is good advice to provide
-		sufficient memory when using Squid. Just add a little more to accommodate <command>ntlm_auth</command>.
-		</para>
-
-	</answer>
-	</qandaentry>
-	</qandaset>
-
-</sect1>
-
-</chapter>
-
diff --git a/docs-xml/Samba3-ByExample/SBE-HighAvailability.xml b/docs-xml/Samba3-ByExample/SBE-HighAvailability.xml
deleted file mode 100644
index eb203f0..0000000
--- a/docs-xml/Samba3-ByExample/SBE-HighAvailability.xml
+++ /dev/null
@@ -1,701 +0,0 @@
-<?xml version="1.0" encoding="iso-8859-1"?>
-<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
-
-<chapter id="HA">
-<title>Performance, Reliability, and Availability</title>
-
-	<para>
-	<indexterm><primary>performance</primary></indexterm>
-	<indexterm><primary>reliability</primary></indexterm>
-	<indexterm><primary>availability</primary></indexterm>
-	Well, you have reached one of the last chapters of this book. It is customary to attempt
-	to wrap up the theme and contents of a book in what is generally regarded as the
-	chapter that should draw conclusions. This book is a suspense thriller, and since
-	the plot of the stories told mostly lead you to bigger, better Samba-3 networking
-	solutions, it is perhaps appropriate to close this book with a few pertinent comments
-	regarding some of the things everyone can do to deliver a reliable Samba-3 network.
-	</para>
-
-	<blockquote><attribution>Anonymous</attribution><para>
-	In a world so full of noise, how can the sparrow be heard?
-	</para></blockquote>
-
-<sect1>
-	<title>Introduction</title>
-
-	<para>
-	<indexterm><primary>clustering</primary></indexterm>
-	The sparrow is a small bird whose sounds are drowned out by the noise of the busy
-	world it lives in. Likewise, the simple steps that can be taken to improve the
-	reliability and availability of a Samba network are often drowned out by the volume
-	of discussions about grandiose Samba clustering designs. This is not intended to
-	suggest that clustering is not important, because clearly it is. This chapter does not devote
-	itself to discussion of clustering because each clustering methodology uses its own
-	custom tools and methods. Only passing comments are offered concerning these methods.
-	</para>
-
-	<para>
-	<indexterm><primary>cluster</primary></indexterm>
-	<indexterm><primary>samba cluster</primary></indexterm>
-	<indexterm><primary>scalability</primary></indexterm>
-<ulink url="http://www.google.com/search?hl=en&lr=&ie=ISO-8859-1&q=samba+cluster&btnG=Google+Search">A search</ulink> 
-	for <quote>samba cluster</quote> produced 71,600 hits. And a search for <quote>highly available samba</quote>
-	and <quote>highly available windows</quote> produced an amazing number of references.
-	It is clear from the resources on the Internet that Windows file and print services 
-	availability, reliability, and scalability are of vital interest to corporate network users.
-	</para>
-
-	<para>
-	<indexterm><primary>performance</primary></indexterm>
-	So without further background, you can review a checklist of simple steps that
-	can be taken to ensure acceptable network performance while keeping costs of ownership
-	well under control.
-	</para>
-
-</sect1>
-
-<sect1>
-	<title>Dissection and Discussion</title>
-
-	<para>
-	<indexterm><primary>simple</primary></indexterm>
-	<indexterm><primary>complexities</primary></indexterm>
-	If it is your purpose to get the best mileage out of your Samba servers, there is one rule that
-	must be obeyed. If you want the best, keep your implementation as simple as possible. You may
-	well be forced to introduce some complexities, but you should do so only as a last resort.
-	</para>
-
-	<para>
-	Simple solutions are likely to be easier to get right than are complex ones. They certainly
-	make life easier for your successor. Simple implementations can be more readily audited than can
-	complex ones. 
-	</para>
-
-	<para>
-	<indexterm><primary>broken behavior</primary></indexterm>
-	<indexterm><primary>poor performance</primary></indexterm>
-	Problems reported by users fall into three categories: configurations that do not work, those 
-	that have broken behavior, and poor performance. The term <emphasis>broken behavior</emphasis>
-	means that the function of a particular Samba component appears to work sometimes, but not at
-	others. The resulting intermittent operation is clearly unacceptable. An example of 
-	<emphasis>broken behavior</emphasis> known to many Windows networking users occurs when the
-	list of Windows machines in MS Explorer changes, sometimes listing machines that are running
-	and at other times not listing them even though the machines are in use on the network.
-	</para>
-
-	<para>
-	<indexterm><primary>smbfs</primary></indexterm>
-	<indexterm><primary>smbmnt</primary></indexterm>
-	<indexterm><primary>smbmount</primary></indexterm>
-	<indexterm><primary>smbumnt</primary></indexterm>
-	<indexterm><primary>smbumount</primary></indexterm>
-	<indexterm><primary>front-end</primary></indexterm>
-	A significant number of reports concern problems with the <command>smbfs</command> file system
-	driver that is part of the Linux kernel, not part of Samba. Users continue to interpret that
-	<command>smbfs</command> is part of Samba, simply because Samba includes the front-end tools
-	that are used to manage <command>smbfs</command>-based file service connections. So, just
-	for the record, the tools <command>smbmnt</command>, <command>smbmount</command>,
-	<command>smbumount</command>, and <command>smbumnt</command> are front-end
-	facilities to core drivers that are supplied as part of the Linux kernel. These tools share a
-	common infrastructure with some Samba components, but they are not maintained as part of
-	Samba and are really foreign to it.
-	</para>
-
-	<para>
-	<indexterm><primary>cifsfs</primary></indexterm>
-	The new project, <command>cifsfs</command>, is destined to replace <command>smbfs</command>.
-	It, too, is not part of Samba, even though one of the Samba Team members is a prime mover in
-	this project.
-	</para>
-
-	<para>
-	Table 13.1 lists typical causes of:
-	</para>
-
-	<itemizedlist>
-		<listitem><para>Not Working (NW)</para></listitem>
-		<listitem><para>Broken Behavior (BB)</para></listitem>
-		<listitem><para>Poor Performance (PP)</para></listitem>
-	</itemizedlist>
-
-
-	<table id="ProbList">
-		<title>Effect of Common Problems</title>
-		<tgroup cols="4">
-			<colspec align="left"/>
-			<colspec align="center"/>
-			<colspec align="center"/>
-			<colspec align="center"/>
-			<thead>
-				<row>
-					<entry><para>Problem</para></entry>
-					<entry><para>NW</para></entry>
-					<entry><para>BB</para></entry>
-					<entry><para>PP</para></entry>
-				</row>
-			</thead>
-			<tbody>
-				<row>
-					<entry><para>File locking</para></entry>
-					<entry><para>-</para></entry>
-					<entry><para>X</para></entry>
-					<entry><para>-</para></entry>
-				</row>
-				<row>
-					<entry><para>Hardware problems</para></entry>
-					<entry><para>X</para></entry>
-					<entry><para>X</para></entry>
-					<entry><para>X</para></entry>
-				</row>
-				<row>
-					<entry><para>Incorrect authentication</para></entry>
-					<entry><para>X</para></entry>
-					<entry><para>X</para></entry>
-					<entry><para>-</para></entry>
-				</row>
-				<row>
-					<entry><para>Incorrect configuration</para></entry>
-					<entry><para>X</para></entry>
-					<entry><para>X</para></entry>
-					<entry><para>X</para></entry>
-				</row>
-				<row>
-					<entry><para>LDAP problems</para></entry>
-					<entry><para>X</para></entry>
-					<entry><para>X</para></entry>
-					<entry><para>-</para></entry>
-				</row>
-				<row>
-					<entry><para>Name resolution</para></entry>
-					<entry><para>X</para></entry>
-					<entry><para>X</para></entry>
-					<entry><para>X</para></entry>
-				</row>
-				<row>
-					<entry><para>Printing problems</para></entry>
-					<entry><para>X</para></entry>
-					<entry><para>X</para></entry>
-					<entry><para>-</para></entry>
-				</row>
-				<row>
-					<entry><para>Slow file transfer</para></entry>
-					<entry><para>-</para></entry>
-					<entry><para>-</para></entry>
-					<entry><para>X</para></entry>
-				</row>
-				<row>
-					<entry><para>Winbind problems</para></entry>
-					<entry><para>X</para></entry>
-					<entry><para>X</para></entry>
-					<entry><para>-</para></entry>
-				</row>
-			</tbody>
-		</tgroup>
-	</table>
-
-	<para>
-	<indexterm><primary>network hygiene</primary></indexterm>
-	It is obvious to all that the first requirement (as a matter of network hygiene) is to eliminate
-	problems that affect basic network operation. This book has provided sufficient working examples
-	to help you to avoid all these problems.
-	</para>
-
-</sect1>
-
-<sect1>
-	<title>Guidelines for Reliable Samba Operation</title>
-
-	<para>
-	<indexterm><primary>resilient</primary></indexterm>
-	<indexterm><primary>extreme demand</primary></indexterm>
-	Your objective is to provide a network that works correctly, can grow at all times, is resilient
-	at times of extreme demand, and can scale to meet future needs. The following subject areas provide
-	pointers that can help you today.
-	</para>
-
-	<sect2>
-	<title>Name Resolution</title>
-
-	<para>
-	There are three basic current problem areas: bad hostnames, routed networks, and network collisions.
-	These are covered in the following discussion.
-	</para>
-
-		<sect3>
-		<title>Bad Hostnames</title>
-
-		<para>
-		<indexterm><primary>DHCP</primary><secondary>client</secondary></indexterm>
-		<indexterm><primary>netbios name</primary></indexterm>
-		<indexterm><primary>localhost</primary></indexterm>
-		<indexterm><primary>/etc/hosts</primary></indexterm>
-		<indexterm><primary>NetBIOS</primary></indexterm>
-		When configured as a DHCP client, a number of Linux distributions set the system hostname
-		to <constant>localhost</constant>. If the parameter <parameter>netbios name</parameter> is not
-		specified to something other than <constant>localhost</constant>, the Samba server appears
-		in the Windows Explorer as <constant>LOCALHOST</constant>. Moreover, the entry in the <filename>/etc/hosts</filename>
-		on the Linux server points to IP address <constant>127.0.0.1</constant>. This means that
-		when the Windows client obtains the IP address of the Samba server called <constant>LOCALHOST</constant>,
-		it obtains the IP address <constant>127.0.0.1</constant> and then proceeds to attempt to
-		set up a NetBIOS over TCP/IP connection to it. This cannot work, because that IP address is
-		the local Windows machine itself. Hostnames must be valid for Windows networking to function
-		correctly.
-		</para>
-
-		<para>
-		<indexterm><primary>digits</primary></indexterm>
-		A few sites have tried to name Windows clients and Samba servers with a name that begins
-		with the digits 1-9. This does not work either because it may result in the client or
-		server attempting to use that name as an IP address.
-		</para>
-
-		<para>
-		<indexterm><primary>DNS</primary><secondary>name lookup</secondary></indexterm>
-		<indexterm><primary>resolve</primary></indexterm>
-		A Samba server called <constant>FRED</constant> in a NetBIOS domain called <constant>COLLISION</constant>
-		in a network environment that is part of the fully-qualified Internet domain namespace known
-		as <constant>parrots.com</constant>, results in DNS name lookups for <constant>fred.parrots.com</constant>
-		and <constant>collision.parrots.com</constant>. It is therefore a mistake to name the domain
-		(workgroup) <constant>collision.parrots.com</constant>, since this results in DNS lookup
-		attempts to resolve <constant>fred.parrots.com.parrots.com</constant>, which most likely
-		fails given that you probably do not have this in your DNS namespace.
-		</para>
-
-		<note><para>
-		<indexterm><primary>Active Directory</primary><secondary>realm</secondary></indexterm>
-		<indexterm><primary>ADS</primary></indexterm>
-		<indexterm><primary>DNS</primary></indexterm>
-		An Active Directory realm called <constant>collision.parrots.com</constant> is perfectly okay,
-		although it too must be capable of being resolved via DNS, something that functions correctly
-		if Windows 200x ADS has been properly installed and configured.
-		</para></note>
-
-		</sect3>
-
-		<sect3>
-		<title>Routed Networks</title>
-
-		<para>
-		<indexterm><primary>NetBIOS</primary></indexterm>
-		<indexterm><primary>UDP</primary><secondary>broadcast</secondary></indexterm>
-		<indexterm><primary>broadcast</primary></indexterm>
-		NetBIOS networks (Windows networking with NetBIOS over TCP/IP enabled) makes extensive use
-		of UDP-based broadcast traffic, as you saw during the exercises in <link linkend="primer"/>.
-		</para>
-
-		<para>
-		<indexterm><primary>routers</primary></indexterm>
-		<indexterm><primary>forwarded</primary></indexterm>
-		<indexterm><primary>multi-subnet</primary></indexterm>
-		UDP broadcast traffic is not forwarded by routers. This means that NetBIOS broadcast-based
-		networking cannot function across routed networks (i.e., multi-subnet networks) unless
-		special provisions are made:
-		</para>
-
-		<itemizedlist>
-			<listitem><para>
-			<indexterm><primary>LMHOSTS</primary></indexterm>
-			<indexterm><primary>remote announce</primary></indexterm>
-			<indexterm><primary>remote browse sync</primary></indexterm>
-			Either install on every Windows client an LMHOSTS file (located in the directory
-			<filename>C:\windows\system32\drivers\etc</filename>). It is also necessary to
-			add to the Samba server &smb.conf; file the parameters <parameter>remote announce</parameter>
-			and <parameter>remote browse sync</parameter>. For more information, refer to the online
-			manual page for the &smb.conf; file.
-			</para></listitem>
-
-			<listitem><para>
-			<indexterm><primary>WINS</primary><secondary>server</secondary></indexterm>
-			Or configure Samba as a WINS server, and configure all network clients to use that
-			WINS server in their TCP/IP configuration.
-			</para></listitem>
-		</itemizedlist>
-
-		<note><para>
-		<indexterm><primary>WINS</primary><secondary>name resolution</secondary></indexterm>
-		<indexterm><primary>DNS</primary></indexterm>
-		The use of DNS is not an acceptable substitute for WINS. DNS does not store specific
-		information regarding NetBIOS networking particulars that get stored in the WINS
-		name resolution database and that Windows clients require and depend on.
-		</para></note>
-
-		</sect3>
-
-		<sect3>
-		<title>Network Collisions</title>
-
-		<para>
-		<indexterm><primary>network</primary><secondary>collisions</secondary></indexterm>
-		<indexterm><primary>network</primary><secondary>timeouts</secondary></indexterm>
-		<indexterm><primary>collision rates</primary></indexterm>
-		<indexterm><primary>network</primary><secondary>load</secondary></indexterm>
-		Excessive network activity causes NetBIOS network timeouts. Timeouts may result in
-		blue screen of death (BSOD) experiences. High collision rates may be caused by excessive
-		UDP broadcast activity, by defective networking hardware, or through excessive network
-		loads (another way of saying that the network is poorly designed).
-		</para>
-
-		<para>
-		The use of WINS is highly recommended to reduce network broadcast traffic, as outlined
-		in <link linkend="primer"/>.
-		</para>
-
-		<para>
-		<indexterm><primary>netbios forwarding</primary></indexterm>
-		<indexterm><primary>broadcast storms</primary></indexterm>
-		<indexterm><primary>performance</primary></indexterm>
-		Under no circumstances should the facility be supported by many routers, known as <constant>NetBIOS
-		forwarding</constant>, unless you know exactly what you are doing. Inappropriate use of this
-		facility can result in UDP broadcast storms. In one case in 1999, a university network became
-		unusable due to NetBIOS forwarding being enabled on all routers. The problem was discovered during performance
-		testing of a Samba server. The maximum throughput on a 100-Base-T (100 MB/sec) network was
-		less than 15 KB/sec. After the NetBIOS forwarding was turned off, file transfer performance
-		immediately returned to 11 MB/sec.
-		</para>
-
-		</sect3>
-
-	</sect2>
-
-	<sect2>
-	<title>Samba Configuration</title>
-
-	<para>
-	As a general rule, the contents of the &smb.conf; file should be kept as simple as possible.
-	No parameter should be specified unless you know it is essential to operation.
-	</para>
-
-	<para>
-	<indexterm><primary>document the settings</primary></indexterm>
-	<indexterm><primary>documented</primary></indexterm>
-	<indexterm><primary>optimized</primary></indexterm>
-	Many UNIX administrators like to fully document the settings in the &smb.conf; file. This is a
-	bad idea because it adds content to the file. The &smb.conf; file is re-read by every <command>smbd</command>
-	process every time the file timestamp changes (or, on systems where this does not work, every 20 seconds or so).
-	</para>
-
-	<para>
-	As the size of the &smb.conf; file grows, the risk of introducing parsing errors also increases.
-	It is recommended to keep a fully documented &smb.conf; file on hand, and then to operate Samba only
-	with an optimized file.
-	</para>
-
-	<para><indexterm>
-	    <primary>testparm</primary>
-	  </indexterm>
-	The preferred way to maintain a documented file is to call it something like <filename>smb.conf.master</filename>.
-	You can generate the optimized file by executing:
-<screen>
-&rootprompt; testparm -s smb.conf.master > smb.conf
-</screen>
-	You should carefully observe all warnings issued. It is also a good practice to execute the following
-	command to confirm correct interpretation of the &smb.conf; file contents:
-<screen>
-&rootprompt; testparm
-Load smb config files from /etc/samba/smb.conf
-Can't find include file /etc/samba/machine.
-Processing section "[homes]"
-Processing section "[print$]"
-Processing section "[netlogon]"
-Processing section "[Profiles]"
-Processing section "[printers]"
-Processing section "[media]"
-Processing section "[data]"
-Processing section "[cdr]"
-Processing section "[apps]"
-Loaded services file OK.
-'winbind separator = +' might cause problems with group membership.
-Server role: ROLE_DOMAIN_PDC
-Press enter to see a dump of your service definitions
-</screen>
-	<indexterm><primary>fatal problem</primary></indexterm>
-	You now, of course, press the enter key to complete the command, or else abort it by pressing Ctrl-C.
-	The important thing to note is the noted Server role, as well as warning messages. Noted configuration
-	conflicts must be remedied before proceeding. For example, the following error message represents a
-	common fatal problem:
-<screen>
-ERROR: both 'wins support = true' and 'wins server = <server list>' 
-cannot be set in the smb.conf file. nmbd will abort with this setting.
-</screen>
-	</para>
-
-	<para>
-	<indexterm><primary>performance degradation</primary></indexterm>
-	<indexterm><primary>socket options</primary></indexterm>
-	<indexterm><primary>socket address</primary></indexterm>
-	There are two parameters that can cause severe network performance degradation: <parameter>socket options</parameter>
-	and <parameter>socket address</parameter>. The <parameter>socket options</parameter> parameter was often necessary
-	when Samba was used with the Linux 2.2.x kernels. Later kernels are largely self-tuning and seldom benefit from
-	this parameter being set. Do not use either parameter unless it has been proven necessary to use them.
-	</para>
-
-	<para>
-	<indexterm><primary>strict sync</primary></indexterm>
-	<indexterm><primary>sync always</primary></indexterm>
-	<indexterm><primary>severely degrade</primary></indexterm>
-	<indexterm><primary>network</primary><secondary>performance</secondary></indexterm>
-	Another &smb.conf; parameter that may cause severe network performance degradation is the 
-	<parameter>strict sync</parameter> parameter. Do not use this at all. There is no good reason
-	to use this with any modern Windows client. The <parameter>strict sync</parameter> is often
-	used with the <parameter>sync always</parameter> parameter. This, too, can severely	
-	degrade network performance, so do not set it; if you must, do so with caution.
-	</para>
-
-	<para>
-	<indexterm><primary>opportunistic locking</primary></indexterm>
-	<indexterm><primary>file caching</primary></indexterm>
-	<indexterm><primary>caching</primary></indexterm>
-	<indexterm><primary>oplocks</primary></indexterm>
-	Finally, many network administrators deliberately disable opportunistic locking support. While this
-	does not degrade Samba performance, it significantly degrades Windows client performance because
-	this disables local file caching on Windows clients and forces every file read and written to
-	invoke a network read or write call. If for any reason you must disable oplocks (opportunistic locking)
-	support, do so only on the share on which it is required. That way, all other shares can provide
-	oplock support for operations that are tolerant of it. See <link linkend="ch12dblck"/> for more
-	information.
-	</para>
-
-	</sect2>
-
-	<sect2>
-	<title>Use and Location of BDCs</title>
-
-	<para>
-	<indexterm><primary>BDC</primary></indexterm>
-	<indexterm><primary>PDC</primary></indexterm>
-	<indexterm><primary>routed network</primary></indexterm>
-	<indexterm><primary>wide-area network</primary></indexterm>
-	<indexterm><primary>network segment</primary></indexterm>
-	On a network segment where there is a PDC and a BDC, the BDC carries the bulk of the network logon
-	processing. If the BDC is a heavily loaded server, the PDC carries a greater proportion of
-	authentication and logon processing. When a sole BDC on a routed network segment gets heavily
-	loaded, it is possible that network logon requests and authentication requests may be directed
-	to a BDC on a distant network segment. This significantly hinders WAN operations
-	and is undesirable.
-	</para>
-
-	<para>
-	<indexterm><primary>Domain Member</primary></indexterm>
-	<indexterm><primary>Domain Controller</primary></indexterm>
-	As a general guide, instead of adding domain member servers to a network, you would be better advised
-	to add BDCs until there are fewer than 30 Windows clients per BDC. Beyond that ratio, you should add
-	domain member servers. This practice ensures that there are always sufficient domain controllers
-	to handle logon requests and authentication traffic.
-	</para>
-
-	</sect2>
-
-	<sect2>
-	<title>Use One Consistent Version of MS Windows Client</title>
-
-	<para>
-	Every network client has its own peculiarities. From a management perspective, it is easier to deal
-	with one version of MS Windows that is maintained to a consistent update level than it is to deal
-	with a mixture of clients.
-	</para>
-
-	<para>
-	On a number of occasions, particular Microsoft service pack updates of a Windows server or client
-	have necessitated special handling from the Samba server end. If you want to remain sane, keep you
-	client workstation configurations consistent.
-	</para>
-
-	</sect2>
-
-	<sect2>
-	<title>For Scalability, Use SAN-Based Storage on Samba Servers</title>
-
-	<para>
-	<indexterm><primary>SAN</primary></indexterm>
-	<indexterm><primary>synchronization</primary></indexterm>
-	Many SAN-based storage systems permit more than one server to share a common data store.
-	Use of a shared SAN data store means that you do not need to use time- and resource-hungry data 
-	synchronization techniques.
-	</para>
-
-	<para>
-	<indexterm><primary>load distribution</primary></indexterm>
-	<indexterm><primary>clustering</primary></indexterm>
-	The use of a collection of relatively low-cost front-end Samba servers that are coupled to
-	a shared backend SAN data store permits load distribution while containing costs below that
-	of installing and managing a complex clustering facility.
-	</para>
-
-	</sect2>
-
-	<sect2>
-	<title>Distribute Network Load with MSDFS</title>
-
-	<para>
-	<indexterm><primary>MSDFS</primary></indexterm>
-	<indexterm><primary>distributed</primary></indexterm>
-	Microsoft DFS (distributed file system) technology has been implemented in Samba. MSDFS permits
-	data to be accessed from a single share and yet to actually be distributed across multiple actual
-	servers. Refer to <emphasis>TOSHARG2</emphasis>, Chapter 19, for information regarding
-	implementation of an MSDFS installation.
-	</para>
-
-	<para>
-	<indexterm><primary>front-end</primary><secondary>server</secondary></indexterm>
-	<indexterm><primary>MSDFS</primary></indexterm>
-	The combination of multiple backend servers together with a front-end server and use of MSDFS
-	can achieve almost the same as you would obtain with a clustered Samba server.
-	</para>
-
-	</sect2>
-
-	<sect2>
-	<title>Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth</title>
-
-	<para>
-	<indexterm><primary>replicate</primary></indexterm>
-	<indexterm><primary>rsync</primary></indexterm>
-	<indexterm><primary>wide-area network</primary></indexterm>
-	Consider using <command>rsync</command> to replicate data across the WAN during times
-	of low utilization. Users can then access the replicated data store rather than needing to do so
-	across the WAN. This works best for read-only data, but with careful planning can be
-	implemented so that modified files get replicated back to the point of origin. Be careful with your
-	implementation if you choose to permit modification and return replication of the modified file;
-	otherwise, you may inadvertently overwrite important data.
-	</para>
-
-	</sect2>
-
-	<sect2>
-	<title>Hardware Problems</title>
-
-	<para>
-	<indexterm><primary>hardware prices</primary></indexterm>
-	<indexterm><primary>hardware problems</primary></indexterm>
-	<indexterm><primary>NICs</primary></indexterm>
-	<indexterm><primary>defective</primary><secondary>HUBs</secondary></indexterm>
-	<indexterm><primary>defective</primary><secondary>switches</secondary></indexterm>
-	<indexterm><primary>defective</primary><secondary>cables</secondary></indexterm>
-	Networking hardware prices have fallen sharply over the past 5 years. A surprising number
-	of Samba networking problems over this time have been traced to defective network interface
-	cards (NICs) or defective HUBs, switches, and cables.
-	</para>
-
-	<para>
-	<indexterm><primary>corrective action</primary></indexterm>
-	Not surprising is the fact that network administrators do not like to be shown to have made
-	a bad decision. Money saved in buying low-cost hardware may result in high costs incurred
-	in corrective action.
-	</para>
-
-	<para>
-	<indexterm><primary>intermittent</primary></indexterm>
-	<indexterm><primary>data corruption</primary></indexterm>
-	<indexterm><primary>slow network</primary></indexterm>
-	<indexterm><primary>low performance</primary></indexterm>
-	<indexterm><primary>data integrity</primary></indexterm>
-	Defective NICs, HUBs, and switches may appear as intermittent network access problems, intermittent
-	or persistent data corruption, slow network throughput, low performance, or even as BSOD
-	problems with MS Windows clients. In one case, a company updated several workstations with newer, faster
-	Windows client machines that triggered problems during logon as well as data integrity problems on
-	an older PC that was unaffected so long as the new machines were kept shut down.
-	</para>
-
-	<para>
-	Defective hardware problems may take patience and persistence before the real cause can be discovered.
-	</para>
-
-	<para>
-	<indexterm><primary>RAID controllers</primary></indexterm>
-	Networking hardware defects can significantly impact perceived Samba performance, but defective
-	RAID controllers as well as SCSI and IDE hard disk controllers have also been known to impair Samba server
-	operations. One business came to this realization only after replacing a Samba installation with MS 
-	Windows Server 2000 running on the same hardware. The root of the problem completely eluded the network
-	administrator until the entire server was replaced. While you may well think that this would never
-	happen to you, experience shows that given the right (unfortunate) circumstances, this can happen to anyone.
-	</para>
-
-	</sect2>
-
-	<sect2>
-	<title>Large Directories</title>
-
-	<para>
-	There exist applications that create or manage directories containing many thousands of files. Such
-	applications typically generate many small files (less than 100 KB). At the best of times, under UNIX,
-	listing of the files in a directory that contains many files is slow. By default, Windows NT, 200x, 
-	and XP Pro cause network file system directory lookups on a Samba server to be performed for both 
-	the case preserving file name as well as for the mangled (8.3) file name. This incurs a huge overhead
-	on the Samba server that may slow down the system dramatically.
-	</para>
-
-	<para>
-	In an extreme case, the performance impact was dramatic. File transfer from the Samba server to a Windows
-	XP Professional workstation over 1 Gigabit Ethernet for 250-500 KB files was measured at approximately
-	30 MB/sec. But when tranferring a directory containing 120,000 files, all from 50KB to 60KB in size, the
-	transfer rate to the same workstation was measured at approximately 1.5 KB/sec. The net transfer was
-	on the order of a factor of 20-fold slower.
-	</para>
-
-	<para>
-	The symptoms that will be observed on the Samba server when a large directory is accessed will be that
-	aggregate I/O (typically blocks read) will be relatively low, yet the wait I/O times will be incredibly
-	long while at the same time the read queue is large. Close observation will show that the hard drive
-	that the file system is on will be thrashing wildly.
-	</para>
-
-	<para>
-	Samba-3.0.12 and later, includes new code that radically improves Samba perfomance. The secret to this is
-	really in the <smbconfoption name="case sensitive">True</smbconfoption> line. This tells smbd never to scan
-	for case-insensitive versions of names. So if an application asks for a file called <filename>FOO</filename>,
-	and it can not be found by a simple stat call, then smbd will return "file not found" immediately without
-	scanning the containing directory for a version of a different case.
-	</para>
-
-	<para>
-	Canonicalize all the files in the directory to have one case, upper or lower - either will do. Then set up 
-	a new custom share for the application as follows:
-	<screen>
-	[bigshare]
-			path = /data/xrayfiles/neurosurgeons/
-			read only = no
-			case sensitive = True
-			default case = upper
-			preserve case = no
-			short preserve case = no
-	</screen>
-	</para>
-
-	<para>
-	All files and directories under the <parameter>path</parameter> directory must be in the same case
-	as specified in the &smb.conf; stanza. This means that smbd will not be able to find lower case 
-	filenames with these settings.  Note, this is done on a per-share basis.
-	</para>
-
-	</sect2>
-
-</sect1>
-
-<sect1>
-	<title>Key Points Learned</title>
-
-	<para>
-	This chapter has touched in broad sweeps on a number of simple steps that can be taken
-	to ensure that your Samba network is resilient, scalable, and reliable, and that it
-	performs well.
-	</para>
-
-	<para>
-	Always keep in mind that someone is responsible to maintain and manage your design.
-	In the long term, that may not be you. Spare a thought for your successor and give him or
-	her an even break.
-	</para>
-
-	<para>
-	<indexterm><primary>assumptions</primary></indexterm>
-	Last, but not least, you should not only keep the network design simple, but also be sure it is
-	well documented. This book may serve as your pattern for documenting every
-	aspect of your design, its implementation, and particularly the objects and assumptions
-	that underlie it.
-	</para>
-
-</sect1>
-
-
-</chapter>
-
diff --git a/docs-xml/Samba3-ByExample/SBE-KerberosFastStart.xml b/docs-xml/Samba3-ByExample/SBE-KerberosFastStart.xml
deleted file mode 100644
index 8f3fc9a..0000000
--- a/docs-xml/Samba3-ByExample/SBE-KerberosFastStart.xml
+++ /dev/null
@@ -1,2073 +0,0 @@
-<?xml version="1.0" encoding="iso-8859-1"?>
-<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
-<chapter id="kerberos">
-  <title>Active Directory, Kerberos, and Security</title>
-
-    <para><indexterm>
-	<primary>experiment</primary>
-      </indexterm>
-	By this point in the book, you have been exposed to many Samba-3 features and capabilities.
-	More importantly, if you have implemented the examples given, you are well on your way to becoming 
-	a Samba-3 networking guru who knows a lot about Microsoft Windows. If you have taken the time to 
-	practice, you likely have thought of improvements and scenarios with which you can experiment. You 
-	are rather well plugged in to the many flexible ways Samba can be used.
-	</para>
-
-    <para><indexterm>
-	<primary>criticism</primary>
-      </indexterm>
-	This is a book about Samba-3. Understandably, its intent is to present it in a positive light. 
-	The casual observer might conclude that this book is one-eyed about Samba. It is &smbmdash; what 
-	would you expect? This chapter exposes some criticisms that have been raised concerning 
-	the use of Samba. For each criticism, there are good answers and appropriate solutions.
-	</para>
-
-	<para>
-	Some criticism always comes from deep inside ranks that one would expect to be supportive of a particular 
-	decision. Criticism can be expected from the outside. Let's see how the interesting dynamic of 
-	criticism develops with respect to Abmas.
-	</para>
-
-    <para><indexterm>
-	<primary>straw-man</primary>
-      </indexterm>
-	This chapter provides a shameless self-promotion of Samba-3. The objections raised were not pulled
-	out of thin air. They were drawn from comments made by Samba users and from criticism during 
-	discussions with Windows network administrators. The tone of the objections reflects as closely 
-	as possible that of the original. The case presented is a straw-man example that is designed to 
-	permit each objection to be answered as it might occur in real life.
-	</para>
-
-<sect1>
-	<title>Introduction</title>
-
-      <para><indexterm>
-	  <primary>acquisitions</primary>
-	</indexterm><indexterm>
-	  <primary>risk</primary>
-	</indexterm><indexterm>
-	  <primary>assessment</primary>
-	</indexterm><indexterm>
-	  <primary>Active Directory</primary>
-	</indexterm><indexterm>
-	  <primary>Windows 2003 Serve</primary>
-	</indexterm>
-	Abmas is continuing its meteoric growth with yet further acquisitions. The investment community took
-	note of the spectacular projection of Abmas onto the global business stage. Abmas is building an
-	interesting portfolio of companies that includes accounting services, financial advice, investment
-	portfolio management, property insurance, risk assessment, and the recent addition of a a video rental
-	business. The pieces do not always appear to fit together, but Mr. Meany is certainly executing an 
-	interesting business growth and development plan. Abmas Video Rentals was recently acquired. 
-	During the time that the acquisition was closing, the Video Rentals business upgraded its Windows 
-	NT4-based network to Windows 2003 Server and Active Directory.
-	</para>
-
-      <para><indexterm>
-	  <primary>Active Directory</primary>
-	</indexterm>
-	You have accepted the fact that Abmas Video Rentals will use Microsoft Active Directory.
-	The IT team, led by Stan Soroka, is committed to Samba-3 and to maintaining a uniform technology platform. 
-	Stan Soroka's team voiced its disapproval over the decision to permit this business to continue to 
-	operate with a solution that is viewed by Christine and her group as <quote>an island of broken 
-	technologies.</quote> This comment was made by one of Christine's staff as they were installing a new 
-	Samba-3 server at the new business.
-	</para>
-
-
-      <para><indexterm>
-	  <primary>consultant</primary>
-	</indexterm><indexterm>
-	  <primary>hypothetical</primary>
-	</indexterm>
-	Abmas Video Rentals' head of IT heard of this criticism. He was offended that a junior engineer
-	should make such a comment. He felt that he had to prepare in case he might be criticized for his 
-	decision to use Active Directory. He decided he would defend his decision by hiring the services 
-	of an outside security systems consultant to report<footnote><para>This report is entirely fictitious. 
-			Any resemblance to a factual report is purely coincidental.</para></footnote> on his unit's operations 
-	and to investigate the role of Samba at his site. Here are key extracts from this hypothetical 
-	report:
-	</para>
-
-      <blockquote><para><indexterm>
-	    <primary>vulnerabilities</primary>
-	  </indexterm><indexterm>
-	    <primary>integrity</primary>
-	  </indexterm><indexterm>
-	    <primary>practices</primary>
-	  </indexterm><indexterm>
-	    <primary>Active Directory</primary>
-	  </indexterm>
-	... the implementation of Microsoft Active Directory at the Abmas Video Rentals, Bamingsham site,
-	 has been examined. We find no evidence to support a notion that vulnerabilities exist at your site.  
-	... we took additional steps to validate the integrity of the installation and operation of Active 
-	Directory and are pleased that your staff are following sound practices.
-	</para>
-
-	<para>
-	...
-	</para>
-
-	<para><indexterm>
-	    <primary>accounts</primary>
-	    <secondary>user</secondary>
-	  </indexterm><indexterm>
-	    <primary>accounts</primary>
-	    <secondary>group</secondary>
-	  </indexterm><indexterm>
-	    <primary>Backup</primary>
-	  </indexterm><indexterm>
-	    <primary>disaster recovery</primary>
-	  </indexterm><indexterm>
-	    <primary>validated</primary>
-	  </indexterm><indexterm>
-	    <primary>off-site storage</primary>
-	  </indexterm>
-	User and group accounts, and respective privileges, have been well thought out. File system shares are
-	appropriately secured. Backup and disaster recovery plans are well managed and validated regularly, and
-	effective off-site storage practices are considered to exceed industry norms.
-	</para>
-
-	<para><indexterm>
-	    <primary>compromise</primary>
-	  </indexterm><indexterm>
-	    <primary>secure</primary>
-	  </indexterm><indexterm>
-	    <primary>network</primary>
-	    <secondary>secure</secondary>
-	  </indexterm>
-	Your staff are justifiably concerned that the use of Samba may compromise their good efforts to maintain
-	a secure network. 
-	</para>
-
-	<para><indexterm>
-	    <primary>winbind</primary>
-	  </indexterm><indexterm>
-	    <primary>security</primary>
-	  </indexterm><indexterm>
-	    <primary>secure</primary>
-	  </indexterm><indexterm>
-	    <primary>network</primary>
-	    <secondary>management</secondary>
-	  </indexterm>
-	The recently installed Linux file and application server uses a tool called <command>winbind</command> 
-	that is indiscriminate about security. All user accounts in Active Directory can be used to access data 
-	stored on the Linux system. We are alarmed that secure information is accessible to staff who should 
-	not even be aware that it exists. We share the concerns of your network management staff who have gone 
-	to great lengths to set fine-grained controls that limit information access to those who need access. 
-	It seems incongruous to us that Samba winbind should be permitted to be used considering that it voids this fine work.
-	</para>
-
-	<para><indexterm>
-	    <primary>isolated</primary>
-	  </indexterm><indexterm>
-	    <primary>firewall</primary>
-	  </indexterm><indexterm>
-	    <primary>best practices</primary>
-	  </indexterm>
-	Graham Judd [head of network administration] has locked down the security of all systems and is following 
-	the latest Microsoft guidelines. ... null session connections have been disabled ... the internal network 
-	is isolated from the outside world, the [product name removed] firewall is under current contract 
-	maintenance support from [the manufacturer].  ... our attempts to penetrate security of your systems 
-	failed to find problems common to Windows networking sites. We commend your staff on their attention to 
-	detail and for following Microsoft recommended best practices.
-	</para>
-
-	<para>
-	...
-	</para>
-
-	<para><indexterm>
-	    <primary>security</primary>
-	  </indexterm><indexterm>
-	    <primary>disable</primary>
-	  </indexterm><indexterm>
-	    <primary>essential</primary>
-	  </indexterm><indexterm>
-	    <primary>trusted computing</primary>
-	  </indexterm>
-	Regarding the use of Samba, we offer the following comments: Samba is in use in nearly half of
-	all sites we have surveyed. ... It is our opinion that Samba offers no better security than Microsoft
-	... what worries us regarding Samba is the need to disable essential Windows security features such as
-	secure channel support, digital sign'n'seal on all communication traffic, and running Active Directory in
-	mixed mode so that Samba clients and servers can authenticate all of it. Additionally, we are concerned that
-	Samba is not at the full capabilities of Microsoft Windows NT4 server. Microsoft has moved well beyond that
-	with trusted computing initiatives that the Samba developers do not participate in.
-	</para>
-
-	<para><indexterm>
-	    <primary>integrity</primary>
-	  </indexterm><indexterm>
-	    <primary>hackers</primary>
-	  </indexterm><indexterm>
-	    <primary>accountable</primary>
-	  </indexterm><indexterm>
-	    <primary>flaws</primary>
-	  </indexterm><indexterm>
-	    <primary>updates</primary>
-	  </indexterm><indexterm>
-	    <primary>bug fixes</primary>
-	  </indexterm><indexterm>
-	    <primary>alarm</primary>
-	  </indexterm>
-	One wonders about the integrity of an open source program that is developed by a team of hackers 
-	who cannot be held accountable for the flaws in their code. The sheer number of updates and bug
-	fixes they have released should ring alarm bells in any business.
-	</para>
-
-	<para><indexterm>
-	    <primary>employment</primary>
-	  </indexterm><indexterm>
-	    <primary>jobs</primary>
-	  </indexterm><indexterm>
-	    <primary>risk</primary>
-	  </indexterm>
-	Another factor that should be considered is that buying Microsoft products and services helps to 
-	provide employment in the IT industry. Samba and Open Source software place those jobs at risk.
-	</para></blockquote>
-
-      <para><indexterm>
-	  <primary>Active Directory</primary>
-	</indexterm><indexterm>
-	  <primary>independent expert</primary>
-	</indexterm>
-	This is also a challenge to rise above the trouble spot. You call Stan's team together for a simple 
-	discussion, but it gets further out of hand.  When you return to your office, you find the following 
-	email in your in-box:
-	</para>
-
-	<para>
-	Good afternoon,
-	</para>
-
-	<blockquote><attribution>Stan</attribution><para>
-	I apologize for the leak of internal discussions to the new business. It reflects poorly on our 
-	professionalism and has put you in an unpleasant position. I regret the incident.
-	</para>
-
-	<para>
-	I also wish to advise that two of the recent recruits want to implement Kerberos authentication 
-	across all systems. I concur with the desire to improve security. One of the new guys who is championing
-	the move to Kerberos was responsible for the comment that caused the embarrassment.
-	</para>
-
-	<para><indexterm>
-	    <primary>Kerberos</primary>
-	  </indexterm><indexterm>
-	    <primary>OpenLDAP</primary>
-	  </indexterm><indexterm>
-	    <primary>Active Directory</primary>
-	  </indexterm><indexterm>
-	    <primary>consultant</primary>
-	  </indexterm>
-	I am experiencing difficulty in handling the sharp push for Kerberos. He claims that Kerberos, OpenLDAP, 
-	plus Samba-3 will seamlessly replace Microsoft Active Directory. I am a little out of my depth with respect 
-	to the feasibility of such a move, but have taken steps to pull both of them into line. With your consent, 
-	I would like to hire the services of a well-known Samba consultant to set the record straight.
-	</para>
-
-	<para><indexterm>
-	    <primary>criticism</primary>
-	  </indexterm><indexterm>
-	    <primary>policy</primary>
-	  </indexterm><indexterm>
-	    <primary>Windows Servers</primary>
-	  </indexterm><indexterm>
-	    <primary>Active Directory</primary>
-	  </indexterm><indexterm>
-	    <primary>budgetted</primary>
-	  </indexterm><indexterm>
-	    <primary>financial responsibility</primary>
-	  </indexterm>
-	I intend to use this report to answer the criticism raised and would like to establish a policy that we
-	will approve the use of Microsoft Windows Servers (and Active Directory) subject to all costs being covered 
-	out of the budget of the division that wishes to go its own way. I propose that dissenters will still remain
-	responsible to meet the budgeted contribution to IT operations as a whole. I believe we should not coerce 
-	use of any centrally proposed standards, but make all noncompliance the financial responsibility of the 
-	out-of-step division. Hopefully, this will encourage all divisions to walk with us and not alone.
-	</para></blockquote>
-
-	<sect2>
-		<title>Assignment Tasks</title>
-
-		<para>
-		You agreed with Stan's recommendations and hired a consultant to help defuse the powder
-		keg. The consultant's task is to provide a tractable answer to each of the issues raised. The consultant must be able
-		to support his or her claims, keep emotions to the side, and answer technically.
-		</para>
-
-	</sect2>
-</sect1>
-
-<sect1>
-	<title>Dissection and Discussion</title>
-
-      <para><indexterm>
-	  <primary>tool</primary>
-	</indexterm><indexterm>
-	  <primary>benefit</primary>
-	</indexterm><indexterm>
-	  <primary>choice</primary>
-	</indexterm><indexterm>
-	  <primary>consultant</primary>
-	</indexterm><indexterm>
-	  <primary>installation</primary>
-	</indexterm><indexterm>
-	  <primary>income</primary>
-	</indexterm><indexterm>
-	  <primary>employment</primary>
-	</indexterm>
-	Samba-3 is a tool. No one is pounding your door to make you use Samba. That is a choice that you are free to 
-	make or reject. It is likely that your decision to use Samba can greatly benefit your company. 
-	The Samba Team obviously believes that the Samba software is a worthy choice. 
-	If you hire a consultant to assist with the installation and/or deployment of Samba, or if you hire 
-	someone to help manage your Samba installation, you can create income and employment. Alternately, 
-	money saved by not spending in the IT area can be spent elsewhere in the business. All money saved 
-	or spent creates employment.
-	</para>
-
-      <para><indexterm>
-	  <primary>economically sustainable</primary>
-	</indexterm><indexterm>
-	  <primary>inter-operability</primary>
-	</indexterm><indexterm>
-	  <primary>file and print service</primary>
-	</indexterm><indexterm>
-	  <primary>cost</primary>
-	</indexterm><indexterm>
-	  <primary>alternative</primary>
-	</indexterm>
-	In the long term, the use of Samba must be economically sustainable. In some situations, Samba is adopted
-	purely to provide file and print service interoperability on platforms that otherwise cannot provide 
-	access to data and to printers for Microsoft Windows clients. Samba is used by some businesses to
-	effect a reduction in the cost of providing IT services. Obviously, it is also used by some as an 
-	alternative to the use of a Microsoft file and print serving platforms with no consideration of costs.
-	</para>
-
-      <para><indexterm>
-	  <primary>documentation</primary>
-	</indexterm><indexterm>
-	  <primary>responsibility</primary>
-	</indexterm><indexterm>
-	  <primary>fix</primary>
-	</indexterm><indexterm>
-	  <primary>broken</primary>
-	</indexterm>
-	It would be foolish to adopt a technology that might put any data or users at risk. Security affects 
-	everyone. The Samba-Team is fully cognizant of the responsibility they have to their users. 
-	The Samba documentation clearly reveals that full responsibility is accepted to fix anything 
-	that is broken.
-	</para>
-
-      <para><indexterm>
-	  <primary>commercial</primary>
-	</indexterm><indexterm>
-	  <primary>software</primary>
-	</indexterm><indexterm>
-	  <primary>commercial software</primary>
-	</indexterm><indexterm>
-	  <primary>End User License Agreement</primary>
-	  <see>EULA</see>
-	</indexterm><indexterm>
-	  <primary>accountable</primary>
-	</indexterm><indexterm>
-	  <secondary>liability</secondary>
-	</indexterm><indexterm>
-	  <primary>accepts liability</primary>
-	</indexterm><indexterm>
-	  <primary>price paid</primary>
-	</indexterm><indexterm>
-	  <primary>product defects</primary>
-	</indexterm><indexterm>
-	  <primary>reimburse</primary>
-	</indexterm><indexterm>
-	  <primary>extent</primary>
-	</indexterm>
-	There is a mistaken perception in the IT industry that commercial software providers are fully 
-	accountable for the defects in products. Open Source software comes with no warranty, so it is 
-	often assumed that its use confers a higher degree of risk. Everyone should read commercial software 
-	End User License Agreements (EULAs). You should determine what real warranty is offered and the 
-	extent of liability that is accepted. Doing so soon dispels the popular notion that
-	commercial software vendors are willingly accountable for product defects. In many cases, the
-	commercial vendor accepts liability only to reimburse the price paid for the software. 
-	</para>
-
-      <para><indexterm>
-	  <primary>consumer</primary>
-	</indexterm><indexterm>
-	  <primary>EULA</primary>
-	</indexterm><indexterm>
-	  <primary>track record</primary>
-	</indexterm><indexterm>
-	  <primary>commercial software</primary>
-	</indexterm><indexterm>
-	  <primary>support</primary>
-	</indexterm><indexterm>
-	  <primary>vendor</primary>
-	</indexterm>
-	The real issues that a consumer (like you) needs answered are What is the way of escape from technical 
-	problems, and how long will it take? The average problem turnaround time in the Open Source community is 
-	approximately 48 hours. What does the EULA offer? What is the track record in the commercial software 
-	industry? What happens when your commercial vendor decides to cease providing support?
-	</para>
-
-      <para><indexterm>
-	  <primary>source code</primary>
-	</indexterm><indexterm>
-	  <primary>Open Source</primary>
-	</indexterm><indexterm>
-	  <primary>hire</primary>
-	</indexterm><indexterm>
-	  <primary>programmer</primary>
-	</indexterm><indexterm>
-	  <primary>solve</primary>
-	</indexterm><indexterm>
-	  <primary>fix</primary>
-	</indexterm><indexterm>
-	  <secondary>problem</secondary>
-	</indexterm>
-	Open Source software at least puts you in possession of the source code. This means that when
-	all else fails, you can hire a programmer to solve the problem.
-	</para>
-
-	<sect2>
-		<title>Technical Issues</title>
-
-		<para>
-		Each issue is now discussed and, where appropriate, example implementation steps are
-		provided.
-		</para>
-
-	<variablelist>
-		<varlistentry>
-			<term>Winbind and Security</term>
-	    <listitem><para><indexterm>
-		  <primary>Winbind</primary>
-		</indexterm><indexterm>
-		  <primary>Security</primary>
-		</indexterm><indexterm>
-		  <primary>network</primary>
-		  <secondary>administrators</secondary>
-		</indexterm><indexterm>
-		  <primary>Domain users</primary>
-		</indexterm><indexterm>
-		  <secondary>Domain account</secondary>
-		</indexterm><indexterm>
-		  <primary>credentials</primary>
-		</indexterm><indexterm>
-		  <primary>Network Neighborhood</primary>
-		</indexterm><indexterm>
-		  <primary>UNIX/Linux server</primary>
-		</indexterm><indexterm>
-		  <primary>browse</primary>
-		</indexterm><indexterm>
-		  <primary>shares</primary>
-		</indexterm>
-				Windows network administrators may be dismayed to find that <command>winbind</command> 
-				exposes all domain users so that they may use their domain account credentials to 
-				log on to a UNIX/Linux system. The fact that all users in the domain can see the 
-				UNIX/Linux server in their Network Neighborhood and can browse the shares on the 
-				server seems to excite them further.
-				</para>
-
-	      <para><indexterm>
-		  <primary>Domain Member server</primary>
-		</indexterm><indexterm>
-		  <primary>familiar</primary>
-		</indexterm><indexterm>
-		  <primary>fear</primary>
-		</indexterm><indexterm>
-		  <primary>unknown</primary>
-		</indexterm>
-				<command>winbind</command> provides for the UNIX/Linux domain member server or 
-				client, the same as one would obtain by adding a Microsoft Windows server or 
-				client to the domain. The real objection is the fact that Samba is not MS Windows 
-				and therefore requires handling a little differently from the familiar Windows systems.
-				One must recognize fear of the unknown.
-				</para>
-
-	      <para><indexterm>
-		  <primary>network administrators</primary>
-		</indexterm><indexterm>
-		  <primary>recognize</primary>
-		</indexterm><indexterm>
-		  <primary>winbind</primary>
-		</indexterm><indexterm>
-		  <primary>over-ride</primary>
-		</indexterm><indexterm>
-		  <primary>Active Directory</primary>
-		  <secondary>management tools</secondary>
-		</indexterm><indexterm>
-		  <primary>fears</primary>
-		</indexterm>
-				Windows network administrators need to recognize that <command>winbind</command> does
-				not, and cannot, override account controls set using the Active Directory management
-				tools. The control is the same. Have no fear.
-				</para>
-
-	      <para><indexterm>
-		  <primary>ADS Domain</primary>
-		</indexterm><indexterm>
-		  <primary>account</primary>
-		  <secondary>ADS Domain</secondary>
-		</indexterm><indexterm>
-		  <primary>winbind</primary>
-		</indexterm><indexterm>
-		  <primary>browsing</primary>
-		</indexterm><indexterm>
-		  <primary>permits</primary>
-		</indexterm><indexterm>
-		  <primary>access</primary>
-		</indexterm><indexterm>
-		  <primary>drive mapping</primary>
-		</indexterm><indexterm>
-		  <primary>protected</primary>
-		</indexterm><indexterm>
-		  <primary>security controls</primary>
-		</indexterm><indexterm>
-		  <primary>access controls</primary>
-		</indexterm>
-				Where Samba and the ADS domain account information obtained through the use of
-				<command>winbind</command> permits access, by browsing or by the drive mapping to
-				a share, to data that should be better protected. This can only happen when security
-				controls have not been properly implemented. Samba permits access controls to be set
-				on:
-				</para>
-
-				<itemizedlist>
-					<listitem><para>Shares themselves (i.e., the logical share itself)</para></listitem>
-					<listitem><para>The share definition in &smb.conf;</para></listitem>
-					<listitem><para>The shared directories and files using UNIX permissions</para></listitem>
-                                        <listitem><para>Using Windows 2000 ACLs &smbmdash; if the file system is POSIX enabled</para></listitem>
-				</itemizedlist>
-
-				<para>
-				Examples of each are given in <link linkend="ch10expl"/>.
-				</para>
-				</listitem>
-		</varlistentry>
-
-		<varlistentry>
-			<term>User and Group Controls</term>
-	    <listitem><para><indexterm>
-		  <primary>User and Group Controls</primary>
-		</indexterm><indexterm>
-		  <primary>management</primary>
-		  <secondary>User</secondary>
-		</indexterm><indexterm>
-		  <primary>management</primary>
-		  <secondary>group</secondary>
-		</indexterm><indexterm>
-		  <primary>ADS</primary>
-		</indexterm><indexterm>
-		  <primary>permissions</primary>
-		</indexterm><indexterm>
-		  <primary>privileges</primary>
-		</indexterm><indexterm>
-		  <primary>flexibility</primary>
-		</indexterm><indexterm>
-		  <primary>access controls</primary>
-		</indexterm><indexterm>
-		  <primary>share definition</primary>
-		</indexterm>
-				User and group management facilities as known in the Windows ADS environment may be
-				used to provide equivalent access control constraints or to provide equivalent
-				permissions and privileges on Samba servers. Samba offers greater flexibility in the
-				use of user and group controls because it has additional layers of control compared to
-				Windows 200x/XP. For example, access controls on a Samba server may be set within
-				the share definition in a manner for which Windows has no equivalent.
-				</para>
-
-	      <para><indexterm>
-		  <primary>analysis</primary>
-		</indexterm><indexterm>
-		  <primary>system security</primary>
-		</indexterm><indexterm>
-		  <primary>safe-guards</primary>
-		</indexterm><indexterm>
-		  <primary>permissions</primary>
-		  <secondary>excessive</secondary>
-		</indexterm><indexterm>
-		  <primary>file system</primary>
-		</indexterm><indexterm>
-		  <primary>shared resource</primary>
-		</indexterm><indexterm>
-		  <primary>share definition</primary>
-		</indexterm>
-				In any serious analysis of system security, it is important to examine the safeguards
-				that remain when all other protective measures fail. An administrator may inadvertently
-				set excessive permissions on the file system of a shared resource, or he may set excessive
-				privileges on the share itself. If that were to happen in a Windows 2003 Server environment,
-				the data would indeed be laid bare to abuse. Yet, within a Samba share definition, it is
-				possible to guard against that by enforcing controls on the share definition itself. You
-				see a practical example of this a little later in this chapter.
-				</para>
-
-	      <para><indexterm>
-		  <primary>diligence</primary>
-		</indexterm><indexterm>
-		  <primary>weakness</primary>
-		</indexterm>
-				The report that is critical of Samba really ought to have exercised greater due
-				diligence: the real weakness is on the side of a Microsoft Windows environment.
-				</para></listitem>
-		</varlistentry>
-
-		<varlistentry>
-			<term>Security Overall</term>
-	    <listitem><para><indexterm>
-		  <primary>defects</primary>
-		</indexterm>
-				Samba is designed in such a manner that weaknesses inherent in the design of
-				Microsoft Windows networking ought not to expose the underlying UNIX/Linux file
-				system in any way. All software has potential defects, and Samba is no exception.
-				What matters more is how defects that are discovered get dealt with.
-				</para>
-
-	      <para><indexterm>
-		  <primary>security</primary>
-		</indexterm><indexterm>
-		  <primary>protection</primary>
-		</indexterm><indexterm>
-		  <primary>compromise</primary>
-		</indexterm><indexterm>
-		  <primary>consequential risk</primary>
-		</indexterm>
-				The Samba Team totally agrees with the necessity to observe and fully implement
-				every security facility to provide a level of protection and security that is necessary
-				and that the end user (or network administrator) needs. Never would the Samba Team
-				recommend a compromise to system security, nor would deliberate defoliation of
-				security be publicly condoned; yet this is the practice by many Windows network
-				administrators just to make happy users who have no notion of consequential risk.
-				</para>
-
-	      <para><indexterm>
-		  <primary>condemns</primary>
-		</indexterm><indexterm>
-		  <primary>security fixes</primary>
-		</indexterm><indexterm>
-		  <primary>updates</primary>
-		</indexterm><indexterm>
-		  <primary>development</primary>
-		</indexterm><indexterm>
-		  <primary>documentation</primary>
-		</indexterm><indexterm>
-		  <primary>security updates</primary>
-		</indexterm><indexterm>
-		  <primary>turn-around time</primary>
-		</indexterm>
-				The report condemns Samba for releasing updates and security fixes, yet Microsoft
-				online updates need to be applied almost weekly. The answer to the criticism 
-				lies in the fact that Samba development is continuing, documentation is improving, 
-				user needs are being increasingly met or exceeded, and security updates are issued 
-				with a short turnaround time.
-				</para>
-
-	      <para><indexterm>
-		  <primary>modularization</primary>
-		</indexterm><indexterm>
-		  <primary>next generation</primary>
-		</indexterm><indexterm>
-		  <primary>responsible</primary>
-		</indexterm><indexterm>
-		  <primary>dependability</primary>
-		</indexterm><indexterm>
-		  <primary>road-map</primary>
-		  <secondary>published</secondary>
-		</indexterm>
-				The release of Samba-4 is expected around late 2004 to early 2005 and involves a near 
-				complete rewrite to permit extensive modularization and to prepare Samba for new 
-				functionality planned for addition during the next-generation series. The Samba Team 
-				is responsible and can be depended upon; the history to date suggests a high 
-				degree of dependability and on charter development consistent with published 
-				roadmap projections.
-				</para>
-
-	      <para><indexterm>
-		  <primary>foundation members</primary>
-		</indexterm><indexterm>
-		  <primary>Common Internet File System</primary>
-		  <see>CIFS</see>
-		</indexterm><indexterm>
-		  <primary>network attached storage</primary>
-		  <see>NAS</see>
-		</indexterm><indexterm>
-		  <primary>conferences</primary>
-		</indexterm><indexterm>
-		  <primary>presence and leadership</primary>
-		</indexterm><indexterm>
-		  <primary>leadership</primary>
-		</indexterm><indexterm>
-		  <primary>inter-operability</primary>
-		</indexterm>
-				Not well published is the fact that Microsoft was a foundation member of
-				the Common Internet File System (CIFS) initiative, together with the participation 
-				of the network attached storage (NAS) industry. Unfortunately, for the past few years,
-				Microsoft has been absent from active involvement at CIFS conferences and has
-				not exercised the leadership expected of a major force in the networking technology
-				space. The Samba Team has maintained consistent presence and leadership at all
-				CIFS conferences and at the interoperability laboratories run concurrently with
-				them.
-				</para></listitem>
-		</varlistentry>
-
-		<varlistentry>
-			<term>Cryptographic Controls (schannel, sign'n'seal)</term>
-	    <listitem><para><indexterm>
-		  <primary>Cryptographic</primary>
-		</indexterm><indexterm>
-		  <primary>schannel</primary>
-		</indexterm><indexterm>
-		  <primary>digital sign'n'seal</primary>
-		</indexterm>
-				The report correctly mentions that Samba did not support the most recent
-				<constant>schannel</constant> and <constant>digital sign'n'seal</constant> features
-				of Microsoft Windows NT/200x/XPPro products. This is one of the key features 
-				of the Samba-3 release. Market research reports take so long to generate that they are
-				seldom a reflection of current practice, and in many respects reports are like a
-				pathology report &smbmdash; they reflect accurately (at best) status at a snapshot in time.
-				Meanwhile, the world moves on.
-				</para>
-
-	      <para><indexterm>
-		  <primary>public specifications</primary>
-		</indexterm><indexterm>
-		  <primary>protocols</primary>
-		</indexterm><indexterm>
-		  <primary>algorithm</primary>
-		</indexterm><indexterm>
-		  <primary>compatible</primary>
-		</indexterm><indexterm>
-		  <primary>network</primary>
-		  <secondary>traffic</secondary>
-		  <tertiary>observation</tertiary>
-		</indexterm><indexterm>
-		  <primary>defensible standards</primary>
-		</indexterm><indexterm>
-		  <primary>secure networking</primary>
-		</indexterm>
-				It should be pointed out that had clear public specifications for the protocols
-				been published, it would have been much easier to implement these features and would have
-				taken less time to do. The sole mechanism used to find an algorithm that is compatible
-				with the methods used by Microsoft has been based on observation of network traffic
-				and trial-and-error implementation of potential techniques. The real value of public
-				and defensible standards is obvious to all and would have enabled more secure networking
-				for everyone.
-				</para>
-
-	      <para><indexterm>
-		  <primary>Critics</primary>
-		</indexterm><indexterm>
-		  <primary>digital sign'n'seal</primary>
-		</indexterm>
-				Critics of Samba often ignore fundamental problems that may plague (or may have plagued)
-				the users of Microsoft's products also. Those who are first to criticize Samba
-				for not rushing into release of <constant>digital sign'n'seal</constant> support
-				often dismiss the problems that Microsoft has 
-				<ulink url="http://support.microsoft.com/default.aspx?kbid=321733">acknowledged</ulink>
-				and for which a fix was provided. In fact,
-				<ulink url="http://www.tangent-systems.com/support/delayedwrite.html">Tangent Systems</ulink> 
-				have documented a significant problem with delays writes that can be connected with the
-				implementation of sign'n'seal. They provide a work-around that is not trivial for many
-				Windows networking sites. From notes such as this it is clear that there are benefits
-				from not rushing new technology out of the door too soon.
-				</para>
-
-	      <para><indexterm>
-		  <primary>secure networking protocols</primary>
-		</indexterm><indexterm>
-		  <primary>refereed standards</primary>
-		</indexterm><indexterm>
-		  <primary>proprietary</primary>
-		</indexterm><indexterm>
-		  <primary>digital rights</primary>
-		</indexterm><indexterm>
-		  <primary>protection</primary>
-		</indexterm><indexterm>
-		  <primary>networking protocols</primary>
-		</indexterm><indexterm>
-		  <primary>diffusion</primary>
-		</indexterm><indexterm>
-		  <primary>consumer</primary>
-		</indexterm><indexterm>
-		  <primary>choice</primary>
-		</indexterm>
-				One final comment is warranted. If companies want more secure networking protocols,
-				the most effective method by which this can be achieved is by users seeking
-				and working together to help define open and publicly refereed standards. The
-				development of closed source, proprietary methods that are developed in a
-				clandestine framework of secrecy, under claims of digital rights protection, does
-				not favor the diffusion of safe networking protocols and certainly does not
-				help the consumer to make a better choice.
-				</para></listitem>
-		</varlistentry>
-
-		<varlistentry>
-			<term>Active Directory Replacement with Kerberos, LDAP, and Samba
-				        <indexterm>
-		  <primary>Active Directory</primary>
-		  <secondary>Replacement</secondary>
-		</indexterm><indexterm>
-		  <primary>Kerberos</primary>
-		</indexterm><indexterm>
-		  <primary>LDAP</primary>
-		</indexterm><indexterm>
-		  <primary>remote procedure call</primary>
-		  <see>RPC</see>
-		</indexterm>
-
-			</term>
-				<listitem><para>
-				<literallayout>    </literallayout>
-				The Microsoft networking protocols extensively make use of remote procedure call (RPC)
-				technology. Active Directory is not a simple mixture of LDAP and Kerberos together
-				with file and print services, but rather is a complex, intertwined implementation
-				of them that uses RPCs that are not supported by any of these component technologies
-				and yet by which they are made to interoperate in ways that the components do not
-				support.
-				</para>
-
-	      <para><indexterm>
-		  <primary>Active Directory</primary>
-		  <secondary>Server</secondary>
-		</indexterm><indexterm>
-		  <primary>OpenLDAP</primary>
-		</indexterm><indexterm>
-		  <primary>Kerberos</primary>
-		</indexterm><indexterm>
-		  <primary>project maintainers</primary>
-		</indexterm><indexterm>
-		  <primary>LDAP</primary>
-		</indexterm>
-				In order to make the popular request for Samba to be an Active Directory Server a
-				reality, it is necessary to add to OpenLDAP, Kerberos, as well as Samba, RPC calls
-				that are not presently supported. The Samba Team has not been able to gain critical
-				overall support for all project maintainers to work together on the complex
-				challenge of developing and integrating the necessary technologies. Therefore, if
-				the Samba Team does not make it a priority to absorb Kerberos and LDAP functionality
-				into the Samba project, this dream request cannot become a reality.
-				</para>
-
-	      <para><indexterm>
-		  <primary>missing RPC's</primary>
-		</indexterm><indexterm>
-		  <primary>road-map</primary>
-		</indexterm><indexterm>
-		  <primary>ADS</primary>
-		  <secondary>server</secondary>
-		</indexterm><indexterm>
-		  <primary>MMC</primary>
-		</indexterm><indexterm>
-		  <primary>managed</primary>
-		</indexterm>
-				At this time, the integration of LDAP, Kerberos, and the missing RPCs is not on the
-				Samba development roadmap. If it is not on the published roadmap, it cannot be delivered
-				anytime soon. Ergo, ADS server support is not a current goal for Samba development.
-				The Samba Team is most committed to permitting Samba to be a full ADS domain member
-				that is increasingly capable of being managed using Microsoft Windows MMC tools.
-				</para></listitem>
-		</varlistentry>
-	</variablelist>
-
-	<sect3>
-	<title>Kerberos Exposed</title>
-
-	  <para><indexterm>
-	      <primary>kerberos</primary>
-	    </indexterm><indexterm>
-	      <primary>unauthorized activities</primary>
-	    </indexterm><indexterm>
-	      <primary>authorized location</primary>
-	    </indexterm>
-	Kerberos is a network authentication protocol that provides secure authentication for 
-	client-server applications by using secret-key cryptography. Firewalls are an insufficient 
-	barrier mechanism in today's networking world; at best they only restrict incoming network 
-	traffic but cannot prevent network traffic that comes from authorized locations from 
-	performing unauthorized activities.
-	</para>
-
-	  <para><indexterm>
-	      <primary>strong cryptography</primary>
-	    </indexterm><indexterm>
-	      <primary>identity</primary>
-	    </indexterm><indexterm>
-	      <primary>integrity</primary>
-	    </indexterm>
-	Kerberos was created by MIT as a solution to network security problems. The Kerberos protocol uses 
-	strong cryptography so that a client can prove its identity to a server (and vice versa) across an 
-	insecure network connection. After a client and server has used Kerberos to prove their identity, 
-	they can also encrypt all of their communications to assure privacy and data integrity as they go 
-	about their business.
-	</para>
-
-	  <para><indexterm>
-	      <primary>trusted third-party</primary>
-	    </indexterm><indexterm>
-	      <primary>principals</primary>
-	    </indexterm><indexterm>
-	      <primary>trusting</primary>
-	    </indexterm><indexterm>
-	      <primary>kerberos</primary>
-	      <secondary>server</secondary>
-	    </indexterm><indexterm>
-	      <primary>secret</primary>
-	    </indexterm>
-	Kerberos is a trusted third-party service. That means that there is a third party (the kerberos 
-	server) that is trusted by all the entities on the network (users and services, usually called 
-	principals). All principals share a secret password (or key) with the kerberos server and this 
-	enables principals to verify that the messages from the kerberos server are authentic. Therefore, 
-	trusting the kerberos server, users and services can authenticate each other.
-	</para>
-
-	<para>
-	<indexterm><primary>restricted export</primary></indexterm>
-	<indexterm><primary>MIT Kerberos</primary></indexterm>
-	<indexterm><primary>Heimdal Kerberos</primary></indexterm>
-	Kerberos was, until recently, a technology that was restricted from being exported from the United States.
-	For many years that hindered global adoption of more secure networking technologies both within the United States
-	and abroad. A free and unencumbered implementation of MIT Kerberos has been produced in Europe
-	and is available from the <ulink url="http://www.pdc.kth.se/heimdal/">Royal Institute</ulink> of
-	Technology (KTH), Sweden. It is known as the Heimdal Kerberos project.  In recent times the U.S. government
-	has removed sanctions affecting the global distribution of MIT Kerberos.  It is likely that there will be a
-	significant surge forward in the development of Kerberos-enabled applications and in the general deployment
-	and use of Kerberos across the spectrum of the information technology industry.
-	</para>
-
-	<para>
-	<indexterm><primary>Kerberos</primary><secondary>interoperability</secondary></indexterm>
-	A storm has broken out concerning interoperability between MIT Kerberos and Microsofts' implementation
-	of it. For example, a 2002
-	<ulink url="http://www.idg.com.sg/idgwww.nsf/0/5DDA8D153A7505A748256BAB000D992A?OpenDocument">IDG</ulink>
-	report<footnote><para>Note: This link is no longer active. The same article is still
-			available from <ulink url="http://199.105.191.226/Man/2699/020430msdoj/">ITWorld.com</ulink> (July 5, 2005)</para></footnote> by
-	states:
-	</para>
-
-	<blockquote><para>
-	A Microsoft Corp. executive testified at the software giant's remedy hearing that the company goes to 
-	great lengths to disclose interfaces and protocols that allow third-party software products to interact 
-	with Windows. But a lawyer with the states suing Microsoft pointed out that when it comes to the company's 
-	use of the Kerberos authentication specification, not everyone agrees.
-	</para>
-
-	<para>
-	<indexterm><primary>Kerberos</primary><secondary>unspecified fields</secondary></indexterm>
-	Robert Short, vice president of Windows core technology at Microsoft, wrote in his direct testimony prepared 
-	before his appearance that non-Microsoft operating systems can disregard the portion of the Kerberos version 
-	5 specification that Windows clients use for proprietary purposes and still achieve interoperability with 
-	the Microsoft OS. Microsoft takes advantage of unspecified fields in the Kerberos specification for storing 
-	Windows-specific authorization data, Short wrote. The designers of Kerberos left these fields undefined so 
-	that software developers could add their own authorization information, he said.
-	</para></blockquote>
-
-	<para>
-	<indexterm><primary>DCE</primary></indexterm>
-	<indexterm><primary>RPC</primary></indexterm>
-	It so happens that Microsoft Windows clients depend on and expect the contents of the <emphasis>unspecified
-	fields</emphasis> in the Kerberos 5 communications data stream for their Windows interoperability,
-	particularly when Samba is expected to emulate a Windows Server 200x domain controller. But the interoperability
-	issue goes far deeper than this. In the domain control protocols that are used by MS Windows XP Professional,
-	there is a tight interdependency between the Kerberos protocols and the Microsoft distributed computing environment
-	(DCE) RPCs that themselves are an integral part of the SMB/CIFS protocols as used by
-	Microsoft.
-	</para>
-
-	<para>
-	Microsoft makes the following comment in a reference in a
-	<ulink url="http://www.microsoft.com/technet/itsolutions/interop/mgmt/kerberos.asp">
-	technet</ulink> article:
-	</para>
-
-	  <blockquote><para><indexterm>
-		<primary>Privilege Attribute Certificates</primary>
-		<see>PAC</see>
-	      </indexterm><indexterm>
-		<primary>access control</primary>
-	      </indexterm>
-	The DCE Security Services are also layered on the Kerberos protocol. DCE authentication services use RPC 
-	representation of Kerberos protocol messages. In addition, DCE uses the authorization data field in Kerberos 
-	tickets to convey Privilege Attribute Certificates (PACs) that define user identity and group membership. 
-	The DCE PAC is used in a similar manner as Windows NT Security IDs for user authorization and access control. 
-	Windows NT services will not be able to translate DCE PACs into Windows NT user and group identifiers. This 
-	is not an issue with Kerberos interoperability, but rather an issue of interoperability between DCE and 
-	Windows NT access control information.
-	</para></blockquote>
-
-	</sect3>
-
-	</sect2>
-
-</sect1>
-
-<sect1 id="ch10expl">
-	<title>Implementation</title>
-
-	<para>
-	The following procedures outline the implementation of the security measures discussed so far.
-	</para>
-
-	<sect2>
-	<title>Share Access Controls</title>
-
-	<para><indexterm>
-	    <primary>Share Access Controls</primary>
-	  </indexterm><indexterm>
-	    <primary>filter</primary>
-	  </indexterm><indexterm>
-	    <primary>connection</primary>
-	  </indexterm>
-	Access control entries placed on the share itself act as a filter at the time a when CIFS/SMB client (such as
-	Windows XP Pro) attempts to make a connection to the Samba server.
-	</para>
-
-	<procedure>
-	<title>Create/Edit/Delete Share ACLs</title>
-	  <step><para><indexterm>
-		<primary>Domain Administrator</primary>
-	      </indexterm><indexterm>
-		<primary>account</primary>
-	      </indexterm>
-		From a Windows 200x/XP Professional workstation, log on to the domain using the Domain Administrator 
-		account (on Samba domains, this is usually the account called <constant>root</constant>).
-		</para></step>
-
-		<step><para>
-		Click 
-		<menuchoice>
-			<guimenu>Start</guimenu>
-			<guimenuitem>Settings</guimenuitem>
-			<guimenuitem>Control Panel</guimenuitem>
-			<guimenuitem>Administrative Tools</guimenuitem>
-			<guimenuitem>Computer Management</guimenuitem>
-		</menuchoice>.
-		</para></step>
-
-		<step><para>
-		In the left panel,
-		<menuchoice>
-			<guimenu>[Right mouse menu item] Computer Management (Local)</guimenu>
-			<guimenuitem>Connect to another computer ...</guimenuitem>
-			<guimenuitem>Browse...</guimenuitem>
-			<guimenuitem>Advanced</guimenuitem>
-			<guimenuitem>Find Now</guimenuitem>
-		</menuchoice>. In the lower panel, click on the name of the server you wish to
-		administer. Click <menuchoice>
-				<guimenu>OK</guimenu>
-				<guimenuitem>OK</guimenuitem>
-				<guimenuitem>OK</guimenuitem>
-	      </menuchoice>.<indexterm>
-		<primary>Computer Management</primary>
-	      </indexterm>
-		In the left panel, the entry <guimenu>Computer Management (Local)</guimenu> should now reflect
-		the change made. For example, if the server you are administering is called <constant>FRODO</constant>,
-		the Computer Management entry should now say <guimenu>Computer Management (FRODO)</guimenu>.
-		</para></step>
-
-		<step><para>
-		In the left panel, click <menuchoice>
-			<guimenu>Computer Management (FRODO)</guimenu>
-			<guimenuitem>[+] Shared Folders</guimenuitem>
-			<guimenuitem>Shares</guimenuitem>
-		</menuchoice>.
-		</para></step>
-
-	  <step><para><indexterm>
-		<primary>ACLs</primary>
-	      </indexterm><indexterm>
-		<primary>Share Permissions</primary>
-	      </indexterm>
-		In the right panel, double-click on the share on which you wish to set/edit ACLs. This
-		will bring up the Properties panel. Click the <guimenu>Share Permissions</guimenu> tab.
-		</para></step>
-
-	  <step><para><indexterm>
-		<primary>access control settings</primary>
-	      </indexterm><indexterm>
-		<primary>Everyone</primary>
-	      </indexterm><indexterm>
-		<primary>full control</primary>
-	      </indexterm><indexterm>
-		<primary>over-rule</primary>
-	      </indexterm><indexterm>
-		<primary>permissions</primary>
-	      </indexterm><indexterm>
-		<primary>rejected</primary>
-	      </indexterm>
-		You may now edit/add/remove access control settings. Be very careful. Many problems have been
-		created by people who decided that everyone should be rejected but one particular group should
-		have full control. This is a catch-22 situation because members of that particular group also
-		belong to the group <constant>Everyone</constant>, which therefore overrules any permissions
-		set for the permitted group.
-		</para></step>
-
-		<step><para>
-		When you are done with editing, close all panels by clicking through the <guimenu>OK</guimenu>
-		buttons.
-		</para></step>
-	</procedure>
-
-	</sect2>
-
-	<sect2>
-	<title>Share Definition Controls</title>
-
-	<para><indexterm>
-	    <primary>Share Definition</primary>
-	    <secondary>Controls</secondary>
-	  </indexterm><indexterm>
-	    <primary>check-point</primary>
-	  </indexterm><indexterm>
-	    <primary>pile-driver</primary>
-	  </indexterm><indexterm>
-	    <primary>credential</primary>
-	  </indexterm><indexterm>
-	    <primary>powers</primary>
-	  </indexterm><indexterm>
-	    <primary>privileges</primary>
-	  </indexterm>
-	Share-definition-based access controls can be used like a checkpoint or like a pile-driver. Just as a
-	checkpoint can be used to require someone who wants to get through to meet certain requirements, so
-	it is possible to require the user (or group the user belongs to) to meet specified credential-related 
-	objectives. It can be likened to a pile-driver by overriding default controls in that having met the 
-	credential-related objectives, the user can be granted powers and privileges that would not normally be 
-	available under default settings.
-	</para>
-
-	<para><indexterm>
-	    <primary>access controls</primary>
-	  </indexterm><indexterm>
-	    <primary>ACLs</primary>
-	  </indexterm><indexterm>
-	    <primary>share definition controls</primary>
-	  </indexterm><indexterm>
-	    <primary>hierarchy of control</primary>
-	  </indexterm>
-	It must be emphasized that the controls discussed here can act as a filter or give rights of passage
-	that act as a superstructure over normal directory and file access controls. However, share-level
-	ACLs act at a higher level than do share definition controls because the user must filter through the
-	share-level controls to get to the share-definition controls. The proper hierarchy of controls implemented
-	by Samba and Windows networking consists of:
-	</para>
-
-	<orderedlist>
-		<listitem><para>Share-level ACLs</para></listitem>
-		<listitem><para>Share-definition controls</para></listitem>
-		<listitem><para>Directory and file permissions</para></listitem>
-		<listitem><para>Directory and file POSIX ACLs</para></listitem>
-	</orderedlist>
-
-	<sect3>
-	<title>Checkpoint Controls</title>
-
-	  <para><indexterm>
-	      <primary>Checkpoint Controls</primary>
-	    </indexterm>
-	Consider the following extract from a &smb.conf; file defining the share called <constant>Apps</constant>:
-<screen>
-[Apps]
-	comment = Application Share
-	path = /data/apps
-	read only = Yes
-	valid users = @Employees
-</screen>
-	This definition permits only those who are members of the group called <constant>Employees</constant> to 
-	access the share.
-	</para>
-
-	  <note><para><indexterm>
-		<primary>Domain Member</primary>
-		<secondary>servers</secondary>
-	      </indexterm><indexterm>
-		<primary>winbind use default domain</primary>
-	      </indexterm><indexterm>
-		<primary>fully qualified</primary>
-	      </indexterm><indexterm>
-		<primary>valid users</primary>
-	      </indexterm><indexterm>
-		<primary>delimiter</primary>
-	      </indexterm>
-	On domain member servers and clients, even when the <parameter>winbind use default domain</parameter> has
-	been specified, the use of domain accounts in security controls requires fully qualified domain specification,
-	for example, <smbconfoption name="valid users">@"MEGANET\Northern Engineers"</smbconfoption>. 
-	Note the necessity to use the double quotes to avoid having the space in the Windows group name interpreted as a
-	delimiter. 
-	</para></note>
-
-	  <para><indexterm>
-	      <primary>ACL</primary>
-	    </indexterm><indexterm>
-	      <primary>access</primary>
-	    </indexterm><indexterm>
-	      <primary>validate</primary>
-	    </indexterm>
-	If there is an ACL on the share itself to permit read/write access for all <constant>Employees</constant>
-	as well as read/write for the group <constant>Doctors</constant>, both groups are permitted through
-	to the share. However, at the moment an attempt is made to set up a connection to the share, a member of
-	the group <constant>Doctors</constant>, who is not also a member of the group <constant>Employees</constant>,
-	would immediately fail to validate.
-	</para>
-
-	  <para><indexterm>
-	      <primary>share definition controls</primary>
-	    </indexterm>
-	Consider another example. In this case, you want to permit all members of the group <constant>Employees</constant>
-	except the user <constant>patrickj</constant> to access the <constant>Apps</constant> share. This can be
-	easily achieved by setting a share-level ACL permitting only <constant>Employees</constant> to access the share,
-	and then in the share definition controls excluding just <constant>patrickj</constant>. Here is how that might
-	be done:
-<screen>
-[Apps]
-        comment = Application Share
-        path = /data/apps
-        read only = Yes
-        invalid users = patrickj
-</screen>
-	    <indexterm>
-	      <primary>permissions</primary>
-	    </indexterm>
-	Let us assume that you want to permit the user <constant>gbshaw</constant> to manage any file in the
-	UNIX/Linux file system directory <filename>/data/apps</filename>, but you do not want to grant any write
-	permissions beyond that directory tree. Here is one way this can be done:
-<screen>
-[Apps]
-        comment = Application Share
-        path = /data/apps
-        read only = Yes
-        invalid users = patrickj
-        admin users = gbshaw
-</screen>
-	    <indexterm>
-	      <primary>administrative rights</primary>
-	    </indexterm>
-	Now we have a set of controls that permits only <constant>Employees</constant> who are also members of
-	the group <constant>Doctors</constant>, excluding the user <constant>patrickj</constant>, to have 
-	read-only privilege, but the user <constant>gbshaw</constant> is granted administrative rights.
-	The administrative rights conferred upon the user <constant>gbshaw</constant> permit operation as
-	if that user has logged in as the user <constant>root</constant> on the UNIX/Linux system and thus,
-	for access to the directory tree that has been shared (exported), permit the user to override controls
-	that apply to all other users on that resource.
-	</para>
-
-	<para>
-	There are additional checkpoint controls that may be used. For example, if for the same share we now
-	want to provide the user <constant>peters</constant> with the ability to write to one directory to
-	which he has write privilege in the UNIX file system, you can specifically permit that with the
-	following settings:
-<screen>
-[Apps]
-        comment = Application Share
-        path = /data/apps
-        read only = Yes
-        invalid users = patrickj
-        admin users = gbshaw
-        write list = peters
-</screen>
-	    <indexterm>
-	      <primary>check-point controls</primary>
-	    </indexterm>
-	This is a particularly complex example at this point, but it begins to demonstrate the possibilities.
-	You should refer to the online manual page for the &smb.conf; file for more information regarding
-	the checkpoint controls that Samba implements.
-	</para>
-
-	</sect3>
-
-	<sect3>
-	<title>Override Controls</title>
-
-	  <para><indexterm>
-	      <primary>over-ride controls</primary>
-	    </indexterm>
-	Override controls implemented by Samba permit actions like the adoption of a different identity 
-	during file system operations, the forced overwriting of normal file and directory permissions,
-	and so on. You should refer to the online manual page for the &smb.conf; file for more information regarding
-        the override controls that Samba implements.
-	</para>
-
-	<para>
-	In the following example, you want to create a Windows networking share that any user can access.
-	However, you want all read and write operations to be performed as if the user <constant>billc</constant>
-	and member of the group <constant>Mentors</constant> read/write the files. Here is one way this
-	can be done:
-<screen>
-[someshare]
-	comment = Some Files Everyone May Overwrite
-	path = /data/somestuff
-	read only = No
-	force user = billc
-	force group = Mentors
-</screen>
-	    <indexterm>
-	      <primary>forced settings</primary>
-	    </indexterm><indexterm>
-	      <primary>overheads</primary>
-	    </indexterm>
-	That is all there is to it. Well, it is almost that simple. The downside of this method is that
-	users are logged onto the Windows client as themselves, and then immediately before accessing the
-	file, Samba makes system calls to change the effective user and group to the forced settings
-	specified, completes the file transaction, and then reverts to the actually logged-on identity.
-	This imposes significant overhead on Samba. The alternative way to effectively achieve the same result
-	(but with lower system CPU overheads) is described next.
-	</para>
-
-	  <para><indexterm>
-	      <primary>force user</primary>
-	    </indexterm><indexterm>
-	      <primary>force group</primary>
-	    </indexterm><indexterm>
-	      <primary>opportunistic</primary>
-	      <secondary>locking</secondary>
-	    </indexterm><indexterm>
-	      <primary>oplock break</primary>
-	    </indexterm><indexterm>
-	      <primary>performance degradation</primary>
-	    </indexterm>
-	The use of the <parameter>force user</parameter> or the <parameter>force group</parameter> may
-	also have a severe impact on system (particularly on Windows client) performance. If opportunistic
-	locking is enabled on the share (the default), it causes an <constant>oplock break</constant> to be
-	sent to the client even if the client has not opened the file. On networks that have high traffic
-	density, or on links that are routed to a remote network segment, <constant>oplock breaks</constant>
-	can be lost. This results in possible retransmission of the request, or the client may time-out while
-	waiting for the file system transaction (read or write) to complete. The result can be a profound
-	apparent performance degradation as the client continually attempts to reconnect to overcome the
-	effect of the lost <constant>oplock break</constant>, or time-out.
-	</para>
-	
-	</sect3>
-
-	</sect2>
-
-	<sect2>
-	<title>Share Point Directory and File Permissions</title>
-
-	<para><indexterm>
-	    <primary>security</primary>
-	  </indexterm><indexterm>
-	    <primary>privilege controls</primary>
-	  </indexterm><indexterm>
-	    <primary>permission</primary>
-	  </indexterm><indexterm>
-	    <primary>share definition controls</primary>
-	  </indexterm>
-	Samba has been designed and implemented so that it respects as far as is feasible the security and
-	user privilege controls that are built into the UNIX/Linux operating system. Samba does nothing
-	with respect to file system access that violates file system permission settings, unless it is
-	explicitly instructed to do otherwise through share definition controls. Given that Samba obeys
-	UNIX file system controls, this chapter does not document simple information that can be obtained
-	from a basic UNIX training guide. Instead, one common example of a typical problem is used
-	to demonstrate the most effective solution referred to in the immediately preceding paragraph.
-	</para>
-
-	<para><indexterm>
-	    <primary>Microsoft Office</primary>
-	  </indexterm><indexterm>
-	    <primary>Word</primary>
-	  </indexterm><indexterm>
-	    <primary>Excel</primary>
-	  </indexterm>
-	One of the common issues that repeatedly pops up on the Samba mailing lists involves the saving of
-	Microsoft Office files (Word and Excel) to a network drive. Here is the typical sequence:
-	</para>
-
-	<orderedlist>
-		<listitem><para>
-		A user opens a Word document from a network drive. The file was owned by user <constant>janetp</constant>
-		and <constant>users</constant>, and was set read/write-enabled for everyone.
-		</para></listitem>
-
-		<listitem><para>
-		File changes and edits are made.
-		</para></listitem>
-
-		<listitem><para>
-		The file is saved, and MS Word is closed.
-		</para></listitem>
-
-		<listitem><para>
-		The file is now owned by the user <constant>billc</constant> and group <constant>doctors</constant>,
-		and is set read/write by <constant>billc</constant>, read-only by <constant>doctors</constant>, and
-		no access by everyone.
-		</para></listitem>
-
-		<listitem><para>
-		The original owner cannot now access her own file and is <quote>justifiably</quote> upset.
-		</para></listitem>
-	</orderedlist>
-
-	<para>
-	There have been many postings over the years that report the same basic problem. Frequently Samba users
-	want to know when this <quote>bug</quote> will be fixed. The fact is, this is not a bug in Samba at all.
-	Here is the real sequence of what happens in this case.
-	</para>
-
-	<para><indexterm>
-	    <primary>MS Word</primary>
-	  </indexterm><indexterm>
-	    <primary>ownership</primary>
-	  </indexterm><indexterm>
-	    <primary>permissions</primary>
-	  </indexterm>
-	When the user saves a file, MS Word creates a new (temporary) file. This file is naturally owned
-	by the user who creates the file (<constant>billc</constant>) and has the permissions that follow
-	that user's default settings within the operating system (UNIX/Linux). When MS Word has finished writing
-	the file to disk, it then renames the new (temporary) file to the name of the old one. MS Word does not
-	change the ownership or permissions to what they were on the original file. The file is thus a totally
-	new file, and the old one has been deleted in the process.
-	</para>
-
-	<para>
-	Samba received a request to create a new file, and then to rename the file to a new name. The old file that
-	has the same name is now automatically deleted. Samba has no way of knowing that the new file should
-	perhaps have the same ownership and permissions as the old file. To Samba, these are entirely independent
-	operations.
-	</para>
-
-	<para>
-	The question is, <quote>How can we solve the problem?</quote>
-	</para>
-
-	<para>
-	The solution is simple. Use UNIX file system permissions and controls to your advantage. Follow these
-	simple steps to create a share in which all files will consistently be owned by the same user and the
-	same group:
-	</para>
-
-
-	<procedure>
-	<title>Using Directory Permissions to Force File User and Group Ownership</title>
-		<step><para>
-		Change your share definition so that it matches this pattern:
-<screen>
-[finance]
-        path = /usr/data/finance
-        browseable = Yes
-        read only = No
-</screen>
-		</para></step>
-
-	  <step><para><indexterm>
-		<primary>permissions</primary>
-		<secondary>user</secondary>
-	      </indexterm><indexterm>
-		<primary>permissions</primary>
-		<secondary>group</secondary>
-	      </indexterm>
-		Set consistent user and group permissions recursively down the directory tree as shown here:
-<screen>
-&rootprompt; chown -R janetp.users /usr/data/finance
-</screen>
-		</para></step>
-
-	  <step><para><indexterm>
-		<primary>accessible</primary>
-	      </indexterm>
-		Set the files and directory permissions to be read/write for owner and group, and not accessible
-		to others (everyone), using the following command:
-<screen>
-&rootprompt; chmod ug+rwx,o-rwx /usr/data/finance
-</screen>
-		</para></step>
-
-	  <step><para><indexterm>
-		<primary>SGID</primary>
-	      </indexterm>
-		Set the SGID (supergroup) bit on all directories from the top down. This means all files 
-		can be created with the permissions of the group set on the directory. It means all users 
-		who are members of the group <constant>finance</constant> can read and write all files in 
-		the directory. The directory is not readable or writable by anyone who is not in the 
-		<constant>finance</constant> group. Simply follow this example:
-<screen>
-&rootprompt; find /usr/data/finance -type d -exec chmod ug+s {}\;
-</screen>
-
-		</para></step>
-
-	  <step><para><indexterm>
-		<primary>group membership</primary>
-	      </indexterm><indexterm>
-		<primary>primary group</primary>
-	      </indexterm><indexterm>
-		<primary>/etc/passwd</primary>
-	      </indexterm>
-		Make sure all users that must have read/write access to the directory have 
-		<constant>finance</constant> group membership as their primary group, 
-		for example, the group they belong to in <filename>/etc/passwd</filename>.
-		</para></step>
-	</procedure>
-
-	</sect2>
-
-	<sect2>
-	<title>Managing Windows 200x ACLs</title>
-
-	<para><indexterm>
-	    <primary>translate</primary>
-	  </indexterm><indexterm>
-	    <primary>Windows 2000 ACLs</primary>
-	  </indexterm><indexterm>
-	    <primary>Posix ACLs</primary>
-	  </indexterm><indexterm>
-	    <primary>side effects</primary>
-	  </indexterm>
-	Samba must translate Windows 2000 ACLs to UNIX POSIX ACLs. This has some interesting side effects because
-	there is not a one-to-one equivalence between them. The as-close-as-possible ACLs match means
-	that some transactions are not possible from MS Windows clients. One of these is to reset the ownership
-	of directories and files. If you want to reset ownership, this must be done from a UNIX/Linux login.
-	</para>
-
-	<para>
-	There are two possible ways to set ACLs on UNIX/Linux file systems from a Windows network workstation,
-	either via File Manager or via the Microsoft Management Console (MMC) Computer Management interface.
-	</para>
-
-	<sect3>
-	<title>Using the MMC Computer Management Interface</title>
-
-	<procedure>
-		<step><para>
-		From a Windows 200x/XP Professional workstation, log on to the domain using the Domain Administrator 
-		account (on Samba domains, this is usually the account called <constant>root</constant>).
-		</para></step>
-
-		<step><para>
-		Click 
-		<menuchoice>
-			<guimenu>Start</guimenu>
-			<guimenuitem>Settings</guimenuitem>
-			<guimenuitem>Control Panel</guimenuitem>
-			<guimenuitem>Administrative Tools</guimenuitem>
-			<guimenuitem>Computer Management</guimenuitem>
-		</menuchoice>.
-		</para></step>
-
-		<step><para>
-		In the left panel,
-		<menuchoice>
-			<guimenu>[Right mouse menu item] Computer Management (Local)</guimenu>
-			<guimenuitem>Connect to another computer ...</guimenuitem>
-			<guimenuitem>Browse...</guimenuitem>
-			<guimenuitem>Advanced</guimenuitem>
-			<guimenuitem>Find Now</guimenuitem>
-		</menuchoice>. In the lower panel, click on the name of the server you wish to
-		administer. Click <menuchoice>
-				<guimenu>OK</guimenu>
-				<guimenuitem>OK</guimenuitem>
-				<guimenuitem>OK</guimenuitem>
-		</menuchoice>.
-		In the left panel, the entry <guimenu>Computer Management (Local)</guimenu> should now reflect
-		the change made. For example, if the server you are administering is called <constant>FRODO</constant>,
-		the Computer Management entry should now say: <guimenu>Computer Management (FRODO)</guimenu>.
-		</para></step>
-
-		<step><para>
-		In the left panel, click <menuchoice>
-			<guimenu>Computer Management (FRODO)</guimenu>
-			<guimenuitem>[+] Shared Folders</guimenuitem>
-			<guimenuitem>Shares</guimenuitem>
-		</menuchoice>.
-		</para></step>
-
-	    <step><para><indexterm>
-		  <primary>Security</primary>
-		</indexterm><indexterm>
-		  <primary>Properties</primary>
-		</indexterm><indexterm>
-		  <primary>Permissions</primary>
-		</indexterm><indexterm>
-		  <primary>Samba Domain server</primary>
-		</indexterm>
-		In the right panel, double-click on the share on which you wish to set/edit ACLs. This
-		brings up the Properties panel. Click the <guimenu>Security</guimenu> tab. It is best
-		to edit ACLs using the <constant>Advanced</constant> editing features. Click the 
-		<guimenu>Advanced</guimenu> button. This opens a panel that has four tabs. Only the 
-		functionality under the <constant>Permissions</constant> tab can be utilized with respect 
-		to a Samba domain server.
-		</para></step>
-
-	    <step><para><indexterm>
-		  <primary>access control</primary>
-		</indexterm><indexterm>
-		  <primary>permitted group</primary>
-		</indexterm>
-		You may now edit/add/remove access control settings. Be very careful. Many problems have been
-		created by people who decided that everyone should be rejected but one particular group should
-		have full control. This is a catch-22 situation because members of that particular group also
-		belong to the group <constant>Everyone</constant>, which therefore overrules any permissions
-		set for the permitted group.
-		</para></step>
-
-		<step><para>
-		When you are done with editing, close all panels by clicking through the <guimenu>OK</guimenu>
-		buttons until the last panel closes.
-		</para></step>
-	</procedure>
-	
-	</sect3>
-
-	<sect3>
-	<title>Using MS Windows Explorer (File Manager)</title>
-
-	<para>
-	The following alternative method may be used from a Windows workstation. In this example we work
-	with a domain called <constant>MEGANET</constant>, a server called <constant>MASSIVE</constant>, and a
-	share called <constant>Apps</constant>. The underlying UNIX/Linux share point for this share is
-	<filename>/data/apps</filename>.
-	</para>
-
-	<procedure>
-		<step><para>
-		Click <menuchoice>
-			<guimenu>Start</guimenu>
-			<guimenuitem>[right-click] My Computer</guimenuitem>
-			<guimenuitem>Explore</guimenuitem>
-			<guimenuitem>[left panel] [+] My Network Places</guimenuitem>
-			<guimenuitem>[+] Entire Network</guimenuitem>
-			<guimenuitem>[+] Microsoft Windows Network</guimenuitem>
-			<guimenuitem>[+] Meganet</guimenuitem>
-			<guimenuitem>[+] Massive</guimenuitem>
-			<guimenuitem>[right-click] Apps</guimenuitem>
-			<guimenuitem>Properties</guimenuitem>
-			<guimenuitem>Security</guimenuitem>
-			<guimenuitem>Advanced</guimenuitem>
-		</menuchoice>. This opens a panel that has four tabs. Only the functionality under the 
-		<constant>Permissions</constant> tab can be utilized for a Samba domain server.
-		</para></step>
-
-	    <step><para><indexterm>
-		  <primary>full control</primary>
-		</indexterm><indexterm>
-		  <primary>over-rule</primary>
-		</indexterm>
-                You may now edit/add/remove access control settings. Be very careful. Many problems have been
-                created by people who decided that everyone should be rejected but one particular group should
-                have full control. This is a catch-22 situation because members of that particular group also
-                belong to the group <constant>Everyone</constant>, which therefore overrules any permissions
-                set for the permitted group.
-                </para></step>
-
-                <step><para>
-                When you are done with editing, close all panels by clicking through the <guimenu>OK</guimenu>
-                buttons until the last panel closes.
-                </para></step>
-	</procedure>
-
-	</sect3>
-
-	<sect3>
-	<title>Setting Posix ACLs in UNIX/Linux</title>
-
-	  <para><indexterm>
-	      <primary>desired security setting</primary>
-	    </indexterm><indexterm>
-	      <primary>shared resource</primary>
-	    </indexterm>
-	Yet another alternative method for setting desired security settings on the shared resource files and
-	directories can be achieved by logging into UNIX/Linux and setting POSIX ACLs directly using command-line
-	tools. Here is an example session on the same resource as in the immediately preceding example on a SUSE 9
-	Linux system:
-	</para>
-
-	<procedure>
-		<step><para>
-		Log into the Linux system as the user <constant>root</constant>.
-		</para></step>
-
-		<step><para>
-		Change directory to the location of the exported (shared) Windows file share (Apps), which is in
-		the directory <filename>/data</filename>. Execute the following:
-<screen>
-&rootprompt; cd /data
-</screen>
-		Retrieve the existing POSIX ACLs entry by executing:
-<screen>
-&rootprompt; getfacl apps
-# file: apps
-# owner: root
-# group: root
-user::rwx
-group::rwx
-other::r-x
-</screen>
-		</para></step>
-
-	    <step><para><indexterm>
-		  <primary>recursively</primary>
-		</indexterm>
-		You want to add permission for <constant>AppsMgrs</constant> to enable them to
-		manage the applications (apps) share. It is important to set the ACL recursively
-		so that the AppsMgrs have this capability throughout the directory tree that is 
-		being shared. This is done using the <constant>-R</constant> option as shown.
-		Execute the following:
-<screen>
-&rootprompt; setfacl -m -R group:AppsMgrs:rwx /data/apps
-</screen>
-		Because setting an ACL does not provide a response, you immediately validate the command executed
-		as follows:
-<screen>
-&rootprompt; getfacl /data/apps
-# file: apps
-# owner: root
-# group: root
-user::rwx
-group::rwx
-group:AppsMgrs:rwx
-mask::rwx
-other::r-x
-</screen>
-		This confirms that the change of POSIX ACL permissions has been effective.
-		</para></step>
-
-	    <step><para><indexterm>
-		  <primary>setfacl</primary>
-		</indexterm><indexterm>
-		  <primary>getfacl</primary>
-		</indexterm><indexterm>
-		  <primary>directory tree</primary>
-		</indexterm><indexterm>
-		  <primary>Windows ACLs</primary>
-		</indexterm><indexterm>
-		  <primary>inheritance</primary>
-		</indexterm>
-		It is highly recommended that you read the online manual page for the <command>setfacl</command>
-		and <command>getfacl</command> commands. This provides information regarding how to set/read the default
-		ACLs and how that may be propagated through the directory tree. In Windows ACLs terms, this is the equivalent
-		of setting <constant>inheritance</constant> properties.
-		</para></step>
-	</procedure>
-
-	</sect3>
-
-	</sect2>
-
-	<sect2>
-		<title>Key Points Learned</title>
-
-		<para>
-		The mish-mash of issues were thrown together into one chapter because it seemed like a good idea.
-		Looking back, this chapter could be broken into two, but it's too late now. It has been done.
-		The highlights covered are as follows:
-		</para>
-
-		<itemizedlist>
-	  <listitem><para><indexterm>
-		<primary>Winbind</primary>
-	      </indexterm><indexterm>
-		<primary>Active Directory</primary>
-	      </indexterm><indexterm>
-		<primary>password change</primary>
-	      </indexterm><indexterm>
-		<primary>logon hours</primary>
-	      </indexterm>
-			Winbind honors and does not override account controls set in Active Directory.
-			This means that password change, logon hours, and so on, are (or soon will be) enforced
-			by Samba winbind. At this time, an out-of-hours login is denied and password
-			change is enforced. At this time, if logon hours expire, the user is not forcibly
-			logged off. That may be implemented at some later date.
-			</para></listitem>
-
-	  <listitem><para><indexterm>
-		<primary>Sign'n'seal</primary>
-	      </indexterm><indexterm>
-		<primary>schannel</primary>
-	      </indexterm>
-			Sign'n'seal (plus schannel support) has been implemented in Samba-3. Beware of potential
-			problems acknowledged by Microsoft as having been fixed but reported by some as still
-			possibly an open issue.
-			</para></listitem>
-
-	  <listitem><para><indexterm>
-		<primary>Kerberos</primary>
-	      </indexterm><indexterm>
-		<primary>OpenLDAP</primary>
-	      </indexterm><indexterm>
-		<primary>Active Directory</primary>
-	      </indexterm><indexterm>
-		<primary>inter-operability</primary>
-	      </indexterm>
-			The combination of Kerberos 5, plus OpenLDAP, plus Samba, cannot replace Microsoft
-			Active Directory. The possibility to do this is not planned in the current Samba-3
-			roadmap. Samba-3 does aim to provide further improvements in interoperability so that
-			UNIX/Linux systems may be fully integrated into Active Directory domains.
-			</para></listitem>
-
-			<listitem><para>
-			This chapter reviewed mechanisms by which Samba servers may be kept secure. Each of
-			the four key methodologies was reviewed with specific reference to example deployment
-			techniques.
-			</para></listitem>
-		</itemizedlist>
-
-	</sect2>
-
-</sect1>
-
-<sect1>
-	<title>Questions and Answers</title>
-
-	<para>
-	</para>
-
-	<qandaset defaultlabel="chap10qa" type="number">
-	<qandaentry>
-	<question>
-
-	    <para><indexterm>
-		<primary>Sign'n'seal</primary>
-	      </indexterm><indexterm>
-		<primary>registry hacks</primary>
-	      </indexterm>
-		Does Samba-3 require the <constant>Sign'n'seal</constant> registry hacks needed by Samba-2?
-		</para>
-
-	</question>
-	<answer>
-
-	    <para><indexterm>
-		<primary>schannel</primary>
-	      </indexterm><indexterm>
-		<primary>Sign'n'seal</primary>
-	      </indexterm><indexterm>
-		<primary>registry change</primary>
-	      </indexterm>
-		No. Samba-3 fully supports <constant>Sign'n'seal</constant> as well as <constant>schannel</constant>
-		operation. The registry change should not be applied when Samba-3 is used as a domain controller.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-		<para>
-		Does Samba-3 support Active Directory?
-		</para>
-
-	</question>
-	<answer>
-
-	    <para><indexterm>
-		<primary>Active Directory</primary>
-	      </indexterm>
-		Yes. Samba-3 can be a fully participating native mode Active Directory client. Samba-3 does not
-		provide Active Directory services. It cannot be used to replace a Microsoft Active Directory
-		server implementation. Samba-3 can function as an Active Directory client (workstation) toolkit,
-		and it can function as an Active Directory domain member server.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-	    <para><indexterm>
-		<primary>mixed-mode</primary>
-	      </indexterm>
-		When Samba-3 is used with Active Directory, is it necessary to run mixed-mode operation, as was
-		necessary with Samba-2?
-		</para>
-
-	</question>
-	<answer>
-
-	    <para><indexterm>
-		<primary>native</primary>
-	      </indexterm>
-		No. Samba-3 can be used with NetBIOS over TCP/IP disabled, just as can be done with Windows 200x
-		Server and 200x/XPPro client products. It is no longer necessary to run mixed-mode operation,
-		because Samba-3 can join a native Windows 2003 Server ADS domain.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-	    <para><indexterm>
-		<primary>share level access controls</primary>
-	      </indexterm>
-		Is it safe to set share-level access controls in Samba?
-		</para>
-
-	</question>
-	<answer>
-
-		<para>
-		Yes. Share-level access controls have been supported since early versions of Samba-2. This is
-		very mature technology. Not enough sites make use of this powerful capability, neither on
-		Windows server or with Samba servers.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-	    <para><indexterm>
-		<primary>share ACLs</primary>
-	      </indexterm>
-		Is it mandatory to set share ACLs to get a secure Samba-3 server?
-		</para>
-
-	</question>
-	<answer>
-
-	    <para><indexterm>
-		<primary>file system security</primary>
-	      </indexterm><indexterm>
-		<primary>Windows 200x ACLs</primary>
-	      </indexterm><indexterm>
-		<primary>share definition controls</primary>
-	      </indexterm><indexterm>
-		<primary>share level ACL</primary>
-	      </indexterm><indexterm>
-		<primary>security</primary>
-	      </indexterm>
-		No. Samba-3 honors UNIX/Linux file system security, supports Windows 200x ACLs, and provides 
-		means of securing shares through share definition controls in the &smb.conf; file. The additional
-		support for share-level ACLs is like frosting on the cake. It adds to security but is not essential
-		to it.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-	    <para><indexterm>
-		<primary>valid users</primary>
-	      </indexterm>
-		The <parameter>valid users</parameter> did not work on the <smbconfsection name="[homes]"/>.
-		Has this functionality been restored yet?
-		</para>
-
-	</question>
-	<answer>
-
-	    <para><indexterm>
-		<primary>meta-service</primary>
-	      </indexterm>
-		Yes. This was fixed in Samba-3.0.2. The use of this parameter is strongly recommended as a safeguard
-		on the <smbconfsection name="[homes]"/> meta-service. The correct way to specify this is:
-		<smbconfoption name="valid users">%S</smbconfoption>.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-	    <para><indexterm>
-		<primary>force user</primary>
-	      </indexterm><indexterm>
-		<primary>force group</primary>
-	      </indexterm><indexterm>
-		<primary>bias</primary>
-	      </indexterm>
-		Is the bias against use of the <parameter>force user</parameter> and <parameter>force group</parameter>
-		really warranted?
-		</para>
-
-	</question>
-	<answer>
-
-	    <para><indexterm>
-		<primary>performance</primary>
-	      </indexterm>
-		There is no bias. There is a determination to recommend the right tool for the task at hand.
-		After all, it is better than putting users through performance problems, isn't it?
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-		<para>
-		The example given for file and directory access control forces all files to be owned by one
-		particular user. I do not like that. Is there any way I can see who created the file?
-		</para>
-
-	</question>
-	<answer>
-
-	    <para><indexterm>
-		<primary>SUID</primary>
-	      </indexterm>
-		Sure. You do not have to set the SUID bit on the directory. Simply execute the following command
-		to permit file ownership to be retained by the user who created it:
-<screen>
-&rootprompt; find /usr/data/finance -type d -exec chmod g+s {}\;
-</screen>
-		Note that this required no more than removing the <constant>u</constant> argument so that the
-		SUID bit is not set for the owner.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-	    <para><indexterm>
-		<primary>Computer Management</primary>
-	      </indexterm>
-		In the book, <quote>The Official Samba-3 HOWTO and Reference Guide</quote>, you recommended use
-		of the Windows NT4 Server Manager (part of the <filename>SRVTOOLS.EXE</filename>) utility. Why
-		have you mentioned only the use of the Windows 200x/XP MMC Computer Management utility?
-		</para>
-
-	</question>
-	<answer>
-
-	    <para><indexterm>
-		<primary>MMC</primary>
-	      </indexterm><indexterm>
-		<primary>SRVTOOLS.EXE</primary>
-	      </indexterm>
-		Either tool can be used with equal effect. There is no benefit of one over the other, except that
-		the MMC utility is present on all Windows 200x/XP systems and does not require additional software
-		to be downloaded and installed. Note that if you want to manage user and group accounts in your
-		Samba-controlled domain, the only tool that permits that is the NT4 Domain User Manager, which
-		is provided as part of the <filename>SRVTOOLS.EXE</filename> utility.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-	    <para><indexterm>
-		<primary>valid users</primary>
-	      </indexterm><indexterm>
-		<primary>Active Directory</primary>
-	      </indexterm><indexterm>
-		<primary>Domain Member server</primary>
-	      </indexterm>
-		I tried to set <parameter>valid users = @Engineers</parameter>, but it does not work. My Samba
-		server is an Active Directory domain member server. Has this been fixed now?
-		</para>
-
-	</question>
-	<answer>
-
-		<para>
-		The use of this parameter has always required the full specification of the domain account, for
-		example, <parameter>valid users = @"MEGANET2\Domain Admins"</parameter>.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	</qandaset>
-
-</sect1>
-
-</chapter>
-
diff --git a/docs-xml/Samba3-ByExample/SBE-MakingHappyUsers.xml b/docs-xml/Samba3-ByExample/SBE-MakingHappyUsers.xml
deleted file mode 100644
index 3cacc71..0000000
--- a/docs-xml/Samba3-ByExample/SBE-MakingHappyUsers.xml
+++ /dev/null
@@ -1,4518 +0,0 @@
-<?xml version="1.0" encoding="iso-8859-1"?>
-<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
-<chapter id="happy">
-  <title>Making Happy Users</title>
-
-	<para>
-	It is said that <quote>a day that is without troubles is not fulfilling.  Rather, give 
-	me a day of troubles well handled so that I can be content with my achievements.</quote>
-	</para>
-
-	<para>
-	In the world of computer networks, problems are as varied as the people who create them
-	or experience them. The design of the network implemented in <link linkend="Big500users"/>
-	may create problems for some network users. The following lists some of the problems that
-	may occur:
-	</para>
-
-	<indexterm><primary>PDC</primary></indexterm>
-	<indexterm><primary>network bandwidth</primary><secondary>utilization</secondary></indexterm>
-	<indexterm><primary>BDC</primary></indexterm>
-	<indexterm><primary>user account</primary></indexterm>
-	<indexterm><primary>PDC/BDC ratio</primary></indexterm>
-<caution><para>
-A significant number of network administrators have responded to the guidance given
-here. It should be noted that there are sites that have a single PDC for many hundreds of
-concurrent network clients. Network bandwidth, network bandwidth utilization, and server load
-are among the factors that determine the maximum number of Windows clients that
-can be served by a single domain controller (PDC or BDC) on a network segment. It is possible
-to operate with only a single PDC over a routed network. What is possible is not necessarily
-<emphasis>best practice</emphasis>. When Windows client network logons begin to fail with
-the message that the domain controller cannot be found or that the user account cannot
-be found (when you know it exists), that may be an indication that the domain controller is
-overloaded or network bandwidth is overloaded. The guidance given for PDC/BDC ratio to Windows
-clients is conservative and if followed will minimize problems &smbmdash; but it is not absolute.
-</para></caution>
-
-	<variablelist>
-		<varlistentry>
-		<term>Users experiencing difficulty logging onto the network</term>
-		<listitem><para>
-		<indexterm><primary>network</primary><secondary>logon</secondary></indexterm>
-		<indexterm><primary>multiple domain controllers</primary></indexterm>
-		When a Windows client logs onto the network, many data packets are exchanged
-		between the client and the server that is providing the network logon services.
-		Each request between the client and the server must complete within a specific
-		time limit. This is one of the primary factors that govern the installation of
-		multiple domain controllers (usually called secondary or backup controllers).
-		As a rough rule, there should be one such backup controller for every
-		30 to 150 clients. The actual limits are determined by network operational
-		characteristics. 
-		</para>
-
-		<para>
-		<indexterm><primary>PDC</primary></indexterm>
-		<indexterm><primary>BDC</primary></indexterm>
-		<indexterm><primary>clients per DC</primary></indexterm>
-		If the domain controller provides only network logon services
-		and all file and print activity is handled by domain member servers, one domain	
-		controller per 150 clients on a single network segment may suffice. In any
-		case, it is highly recommended to have a minimum of one domain controller (PDC or BDC)
-		per network segment. It is better to have at least one BDC on the network
-		segment that has a PDC. If the domain controller is also used as a file and
-		print server, the number of clients it can service reliably is reduced,
-		and generally for low powered hardware should not exceed 30 machines (Windows 
-		workstations plus domain member servers) per domain controller. Many sites are
-		able to operate with more clients per domain controller, the number of clients
-		that can be supported is limited by the CPU speed, memory and the workload on
-		the Samba server as well as network bandwidth utilization.
-		</para></listitem>
-		</varlistentry>
-
-		<varlistentry>
-		<term>Slow logons and log-offs</term>
-		<listitem><para>
-		<indexterm><primary>slow logon</primary></indexterm>
-		Slow logons and log-offs may be caused by many factors that include:
-
-			<itemizedlist>
-				<listitem><para>
-				<indexterm><primary>NetBIOS</primary><secondary>name resolution</secondary><tertiary>delays</tertiary></indexterm>
-				<indexterm><primary>WINS</primary><secondary>server</secondary></indexterm>
-				Excessive delays in the resolution of a NetBIOS name to its IP
-				address. This may be observed when an overloaded domain controller 
-				is also the WINS server. Another cause may be the failure to use
-				a WINS server (this assumes that there is a single network segment).
-				</para></listitem>
-
-				<listitem><para>
-				<indexterm><primary>traffic collisions</primary></indexterm>
-				<indexterm><primary>HUB</primary></indexterm>
-				<indexterm><primary>ethernet switch</primary></indexterm>
-				Network traffic collisions due to overloading of the network
-				segment. One short-term workaround to this may be to replace
-				network HUBs with Ethernet switches.
-				</para></listitem>
-
-				<listitem><para>
-				<indexterm><primary>networking hardware</primary><secondary>defective</secondary></indexterm>
-				Defective networking hardware. Over the past few years, we have seen
-				on the Samba mailing list a significant increase in the number of
-				problems that were traced to a defective network interface controller,
-				a defective HUB or Ethernet switch, or defective cabling. In most cases,
-				it was the erratic nature of the problem that ultimately pointed to
-				the cause of the problem.
-				</para></listitem>
-
-				<listitem><para>
-				<indexterm><primary>profile</primary><secondary>roaming</secondary></indexterm>
-				<indexterm><primary>MS Outlook</primary><secondary>PST file</secondary></indexterm>
-				Excessively large roaming profiles. This type of problem is typically
-				the result of poor user education as well as poor network management.
-				It can be avoided by users not storing huge quantities of email in
-				MS Outlook PST files as well as by not storing files on the desktop.
-				These are old bad habits that require much discipline and vigilance
-				on the part of network management.
-				</para></listitem>
-
-				<listitem><para>
-				<indexterm><primary>WebClient</primary></indexterm>
-				You should verify that the Windows XP WebClient service is not running.
-				The use of the WebClient service has been implicated in many Windows
-				networking-related problems.
-				</para></listitem>
-			</itemizedlist>
-			</para></listitem>
-		</varlistentry>
-
-		<varlistentry>
-		<term>Loss of access to network drives and printer resources</term>
-		<listitem><para>
-		Loss of access to network resources during client operation may be caused by a number
-		of factors, including:
-		</para>
-
-			<itemizedlist>
-				<listitem><para>
-				<indexterm><primary>network</primary><secondary>overload</secondary></indexterm>
-				Network overload (typically indicated by a high network collision rate)
-				</para></listitem>
-
-				<listitem><para>
-				Server overload
-				</para></listitem>
-
-				<listitem><para>
-				<indexterm><primary>network</primary><secondary>timeout</secondary></indexterm>
-				Timeout causing the client to close a connection that is in use but has
-				been latent (no traffic) for some time (5 minutes or more)
-				</para></listitem>
-
-				<listitem><para>
-				<indexterm><primary>network hardware</primary><secondary>defective</secondary></indexterm>
-				Defective networking hardware
-				</para></listitem>
-			</itemizedlist>
-
-		<para>
-		<indexterm><primary>data</primary><secondary>corruption</secondary></indexterm>
-		No matter what the cause, a sudden loss of access to network resources can
-		result in BSOD (blue screen of death) situations that necessitate rebooting of the client
-		workstation. In the case of a mild problem, retrying to access the network drive of the printer
-		may restore operations, but in any case this is a serious problem that may lead to the next
-		problem, data corruption.
-		</para></listitem>
-		</varlistentry>
-
-		<varlistentry>
-		<term>Potential data corruption</term>
-		<listitem><para>
-		<indexterm><primary>data</primary><secondary>corruption</secondary></indexterm>
-		Data corruption is one of the most serious problems. It leads to uncertainty, anger, and 
-		frustration, and generally precipitates immediate corrective demands. Management response
-		to this type of problem may be rational, as well as highly irrational. There have been
-		cases where management has fired network staff for permitting this situation to occur without 
-		immediate correction. There have been situations where perfectly functional hardware was thrown 
-		out and replaced, only to find the problem caused by a low-cost network hardware item. There 
-		have been cases where server operating systems were replaced, or where Samba was updated, 
-		only to later isolate the problem due to defective client software.
-		</para></listitem>
-		</varlistentry>
-	</variablelist>
-
-	<para>
-	In this chapter, you can work through a number of measures that significantly arm you to
-	anticipate and combat network performance issues. You can work through complex and thorny
-	methods to improve the reliability of your network environment, but be warned that all such steps
-	demand the price of complexity.
-	</para>
-
-<sect1>
-<title>Regarding LDAP Directories and Windows Computer Accounts</title>
-
-	<para>
-	<indexterm><primary>LDAP</primary><secondary>directory</secondary></indexterm>
-	Computer (machine) accounts can be placed wherever you like in an LDAP directory subject to some 
-	constraints that are described in this section.
-	</para>
-
-	<para>
-	<indexterm><primary>POSIX</primary></indexterm>
-	<indexterm><primary>SambaSAMAccount</primary></indexterm>
-	<indexterm><primary>machine account</primary></indexterm>
-	<indexterm><primary>trust account</primary></indexterm>
-	The POSIX and SambaSAMAccount components of computer (machine) accounts are both used by Samba. 
-	That is, machine  accounts are treated inside Samba in the same way that Windows NT4/200X treats 
-	them. A user account and a machine account are indistinguishable from each other, except that
-	the machine account ends in a $ character, as do trust accounts.
-	</para>
-
-	<para>
-	<indexterm><primary>account</primary></indexterm>
-	<indexterm><primary>UID</primary></indexterm>
-	The need for Windows user, group, machine, trust, and other such accounts to be tied to a valid UNIX UID
-	is a design decision that was made a long way back in the history of Samba development. It is 
-	unlikely that this decision will be reversed or changed during the remaining life of the 
-	Samba-3.x series. 
-	</para>
-
-	<para>
-	<indexterm><primary>SID</primary></indexterm>
-	<indexterm><primary>NSS</primary></indexterm>
-	The resolution of a UID from the Windows SID is achieved within Samba through a mechanism that
-	must refer back to the host operating system on which Samba is running. The name service
-	switch (NSS) is the preferred mechanism that shields applications (like Samba) from the
-	need to know everything about every host OS it runs on.
-	</para>
-
-	<para>
-	Samba asks the host OS to provide a UID via the <quote>passwd</quote>, <quote>shadow</quote>
-	and <quote>group</quote> facilities in the NSS control (configuration) file. The best tool
-	for achieving this is left up to the UNIX administrator to determine. It is not imposed by
-	Samba. Samba provides winbindd together with its support libraries as one method. It is
-	possible to do this via LDAP, and for that Samba provides the appropriate hooks so that
-	all account entities can be located in an LDAP directory.
-	</para>
-
-	<para>
-	<indexterm><primary>nss_ldap</primary></indexterm>
-	For many the weapon of choice is to use the PADL nss_ldap utility. This utility must
-	be configured so that computer accounts can be resolved to a POSIX/UNIX account UID. That
-	is fundamentally an LDAP design question.  The information provided on the Samba list and
-	in the documentation is directed at providing working examples only. The design
-	of an LDAP directory is a complex subject that is beyond the scope of this documentation.
-	</para>
-
-</sect1>
-
-
-<sect1>
-	<title>Introduction</title>
-
-	<para>
-	You just opened an email from Christine that reads:
-	</para>
-
-	<para>
-	Good morning,
-	<blockquote><attribution>Christine</attribution><para>
-	A few months ago we sat down to design the network. We discussed the challenges ahead and we all
-	agreed to compromise our design to keep it simple. We knew there would be problems, but anticipated
-	that we would have some time to resolve any issues that might be encountered.
-	</para>
-
-	<para>
-	As you now know, we started off on the wrong foot. We have a lot of unhappy users. One of them
-	resigned yesterday afternoon because she was under duress to complete some critical projects. She
-	suffered a blue screen of death situation just as she was finishing four hours of intensive work, all
-	of which was lost. She has a unique requirement that involves storing large files on her desktop.
-	Mary's desktop profile is nearly 1 GB in size. As a result of her desktop configuration, it
-	takes her nearly 15 minutes just to log onto her workstation. But that is not enough. Because all
-	network logon traffic passes over the network links between our buildings, logging on may take
-	three or four attempts due to blue screen problems associated with network timeouts.
-	</para>
-
-	<para>
-	A few of us worked to help her out of trouble. We convinced her to stay and promised to fully 
-	resolve the difficulties she is facing. We have no choice. We must implement LDAP and set hard 
-	limits on what our users can do with their desktops. Otherwise, we face staff losses 
-	that can surely do harm to our growth as well as to staff morale. I am sure we can better deal 
-	with the consequences of what we know we must do than we can with the unrest we have now.
-	</para>
-
-	<para>
-	Stan and I have discussed the current situation. We are resolved to help our users and protect
-	the well being of Abmas. Please acknowledge this advice with consent to proceed as required to
-	regain control of our vital IT operations.
-	</para></blockquote>
-	</para>
-
-	<para>
-	<indexterm><primary>compromise</primary></indexterm>	
-	<indexterm><primary>network</primary><secondary>multi-segment</secondary></indexterm>
-	Every compromise has consequences. Having a large routed (i.e., multisegment) network with only a
-	single domain controller is a poor design that has obvious operational effects that may
-	frustrate users. Here is your reply:
-	</para>
-
-	<blockquote><attribution>Bob</attribution><para>
-	Christine, Your diligence and attention to detail are much valued. Stan and I fully support your
-	proposals to resolve the issues. I am confident that your plans fully realized will significantly
-	boost staff morale. Please go ahead with your plans. If you have any problems, please let me know.
-	Please let Stan know what the estimated cost will be so I can approve the expense. Do not wait
-	for approval; I appreciate the urgency.
-	</para></blockquote>
-
-	<sect2>
-		<title>Assignment Tasks</title>
-
-		<para>
-		The priority of assigned tasks in this chapter is:
-		</para>
-
-		<orderedlist>
-			<listitem><para>
-			<indexterm><primary>Backup Domain Controller</primary><see>BDC</see></indexterm>
-			<indexterm><primary>BDC</primary></indexterm>
-			<indexterm><primary>tdbsam</primary></indexterm>
-			<indexterm><primary>LDAP</primary></indexterm><indexterm><primary>migration</primary></indexterm>
-			Implement Backup Domain Controllers (BDCs) in each building. This involves
-			a change from a <emphasis>tdbsam</emphasis> backend that was used in the previous
-			chapter to an LDAP-based backend.
-			</para>
-
-			<para>
-			You can implement a single central LDAP server for this purpose.
-			</para></listitem>
-
-			<listitem><para>
-			<indexterm><primary>logon time</primary></indexterm>
-			<indexterm><primary>network share</primary></indexterm>
-			<indexterm><primary>default profile</primary></indexterm>
-			<indexterm><primary>profile</primary><secondary>default</secondary></indexterm>
-			Rectify the problem of excessive logon times. This involves redirection of
-			folders to network shares as well as modification of all user desktops to
-			exclude the redirected folders from being loaded at login time. You can also
-			create a new default profile that can be used for all new users.
-			</para></listitem>
-		</orderedlist>
-
-		<para>
-		<indexterm><primary>disk image</primary></indexterm>
-		You configure a new MS Windows XP Professional workstation disk image that you roll out
-		to all desktop users. The instructions you have created are followed on a staging machine
-		from which all changes can be carefully tested before inflicting them on your network users.
-		</para>
-
-		<para>
-		<indexterm><primary>CUPS</primary></indexterm>
-		This is the last network example in which specific mention of printing is made. The example
-		again makes use of the CUPS printing system.
-		</para>
-
-	</sect2>
-
-</sect1>
-
-<sect1>
-	<title>Dissection and Discussion</title>
-
-	<para>
-	<indexterm><primary>BDC</primary></indexterm>
-	<indexterm><primary>LDAP</primary></indexterm>
-	<indexterm><primary>OpenLDAP</primary></indexterm>
-	The implementation of Samba BDCs necessitates the installation and configuration of LDAP.
-	For this site, you use OpenLDAP, the open source software LDAP server platform. Commercial
-	LDAP servers in current use with Samba-3 include:
-	</para>
-
-	<itemizedlist>
-		<listitem><para>
-		<indexterm><primary>eDirectory</primary></indexterm>
-		Novell <ulink url="http://www.novell.com/products/edirectory/">eDirectory</ulink>
-		is being successfully used by some sites. Information on how to use eDirectory can be
-		obtained from the Samba mailing lists or from Novell.
-		</para></listitem>
-
-		<listitem><para>
-		<indexterm><primary>Tivoli Directory Server</primary></indexterm>
-		IBM <ulink url="http://www-306.ibm.com/software/tivoli/products/directory-server/">Tivoli 
-		Directory Server</ulink> can be used to provide the Samba LDAP backend. Example schema 
-		files are provided in the Samba source code tarball under the directory 
-		<filename>~samba/example/LDAP.</filename>
-		</para></listitem> 
-
-		<listitem><para>
-		<indexterm><primary>Sun ONE Identity Server</primary></indexterm>
-		Sun <ulink url="http://www.sun.com/software/software/products/identity_srvr/home_identity.xml">ONE Identity 
-		Server product suite</ulink> provides an LDAP server that can be used for Samba.
-		Example schema files are provided in the Samba source code tarball under the directory
-		<filename>~samba/example/LDAP.</filename>
-		</para></listitem>
-	</itemizedlist>
-
-	<para>
-	A word of caution is fully in order. OpenLDAP is purely an LDAP server, and unlike commercial
-	offerings, it requires that you manually edit the server configuration files and manually
-	initialize the LDAP directory database. OpenLDAP itself has only command-line tools to
-	help you to get OpenLDAP and Samba-3 running as required, albeit with some learning curve challenges.
-	</para>
-
-	<para>
-	<indexterm><primary>Active Directory</primary></indexterm>
-	For most sites, the deployment of Microsoft Active Directory from the shrink-wrapped installation is quite
-	adequate. If you are migrating from Microsoft Active Directory, be warned that OpenLDAP does not include
-	GUI-based directory management tools. Even a simple task such as adding users to the OpenLDAP database 
-	requires an understanding of what you are doing, why you are doing it, and the tools that you must use.
-	</para>
-
-	<para>
-	<indexterm><primary>Identity Management</primary></indexterm>
-	<indexterm><primary>high availability</primary></indexterm>
-	<indexterm><primary>directory</primary><secondary>replication</secondary></indexterm>
-	<indexterm><primary>directory</primary><secondary>synchronization</secondary></indexterm>
-	<indexterm><primary>performance</primary></indexterm>
-	<indexterm><primary>directory</primary><secondary>management</secondary></indexterm>
-	<indexterm><primary>directory</primary><secondary>schema</secondary></indexterm>
-	When installed and configured, an OpenLDAP Identity Management backend for Samba functions well. 
-	High availability operation may be obtained through directory replication/synchronization and 
-	master/slave server configurations. OpenLDAP is a mature platform to host the organizational 
-	directory infrastructure that can include all UNIX accounts, directories for electronic mail, and much more. 
-	The price paid through learning how to design an LDAP directory schema in implementation and configuration 
-	of management tools is well rewarded by performance and flexibility and the freedom to manage directory
-	contents with greater ability to back up, restore, and modify the directory than is generally possible
-	with Microsoft Active Directory.
-	</para>
-
-	<para>
-	<indexterm><primary>comparison</primary><secondary>Active Directory & OpenLDAP</secondary></indexterm>
-	<indexterm><primary>ADAM</primary></indexterm>
-	<indexterm><primary>Active Directory</primary></indexterm>
-	<indexterm><primary>OpenLDAP</primary></indexterm>
-	A comparison of OpenLDAP with Microsoft Active Directory does not do justice to either. OpenLDAP is an LDAP directory
-	tool-set. Microsoft Active Directory Server is an implementation of an LDAP server that is largely preconfigured
-	for a specific task orientation. It comes with a set of administrative tools that is entirely customized
-	for the purpose of running MS Windows applications that include file and print services, Microsoft Exchange
-	server, Microsoft SQL server, and more. The complexity of OpenLDAP is highly valued by the UNIX administrator
-	who wants to build a custom directory solution. Microsoft provides an application called 
-	<ulink url="http://www.microsoft.com/windowsserver2003/adam/default.mspx">
-	MS ADAM</ulink> that provides more generic LDAP services, yet it does not have the vanilla-like services
-	of OpenLDAP.
-	</para>
-
-	<para>
-	<indexterm><primary>directory</primary><secondary>schema</secondary></indexterm>
-	<indexterm><primary>passdb backend</primary></indexterm>
-	You may wish to consider outsourcing the development of your OpenLDAP directory to an expert, particularly
-	if you find the challenge of learning about LDAP directories, schemas, configuration, and management
-	tools and the creation of shell and Perl scripts a bit
-	challenging. OpenLDAP can be easily customized, though it includes
-	many ready-to-use schemas. Samba-3 provides an OpenLDAP schema file
-	that is required for use as a passdb backend.
-	</para>
-
-	<para>
-	<indexterm><primary>interoperability</primary></indexterm>
-	For those who are willing to brave the process of installing and configuring LDAP and Samba-3 interoperability,
-	there are a few nice Web-based tools that may help you to manage your users and groups more effectively.
-	The Web-based tools you might like to consider include the
-	<ulink url="http://lam.sourceforge.net/">LDAP Account Manager</ulink> (LAM) and the Webmin-based
-	<ulink url="http://www.webmin.com">Webmin</ulink> Idealx
-	<ulink url="http://webmin.idealx.org/index.en.html">CGI tools</ulink>.
-	</para>
-
-	<para>
-	Some additional LDAP tools should be mentioned. Every so often a Samba user reports using one of 
-	these, so it may be useful to them: 
-	<ulink url="http://biot.com/gq">GQ</ulink>, a GTK-based LDAP browser; 
-	LDAP <ulink url="http://www.iit.edu/~gawojar/ldap/">Browser/Editor</ulink> 
-	<ulink url="http://www.jxplorer.org/">; JXplorer</ulink> (by Computer Associates);
-	and <ulink url="http://phpldapadmin.sourceforge.net/">phpLDAPadmin</ulink>.
-	</para>
-
-	<note><para>
-	The following prescriptive guidance is not an LDAP tutorial. The LDAP implementation expressly uses minimal
-	security controls. No form of secure LDAP communications is attempted. The LDAP configuration information provided
-	is considered to consist of the barest essentials only. You are strongly encouraged to learn more about
-	LDAP before attempting to deploy it in a business-critical environment.
-	</para></note>
-
-	<para>
-	Information to help you get started with OpenLDAP is available from the
-	<ulink url="http://www.openldap.org/pub/">OpenLDAP web site</ulink>. Many people have found the book
-	<ulink url="http://www.oreilly.com/catalog/ldapsa/index.html"><emphasis>LDAP System Administration</emphasis>,</ulink>
-	by Jerry Carter quite useful.
-	</para>
-
-	<para>
-	<indexterm><primary>BDC</primary></indexterm>
-	<indexterm><primary>network</primary><secondary>segment</secondary></indexterm>
-	<indexterm><primary>performance</primary></indexterm>
-	<indexterm><primary>network</primary><secondary>wide-area</secondary></indexterm>
-	Mary's problems are due to two factors. First, the absence of a domain controller on the local network is the
-	main cause of the errors that result in blue screen crashes. Second, Mary has a large profile that must
-	be loaded over the WAN connection. The addition of BDCs on each network segment significantly
-	improves overall network performance for most users, but it is not enough. You must gain control over
-	user desktops, and this must be done in a way that wins their support and does not cause further loss of
-	staff morale. The following procedures solve this problem.
-	</para>
-
-	<para>
-	<indexterm><primary>smart printing</primary></indexterm>
-	There is also an opportunity to implement smart printing features. You add this to the Samba configuration
-	so that future printer changes can be managed without need to change desktop configurations.
-	</para>
-
-	<para>
-	You add the ability to automatically download new printer drivers, even if they are not installed 
-	in the default desktop profile. Only one example of printing configuration is given. It is assumed that
-	you can extrapolate the principles and use them to install all printers that may be needed.
-	</para>
-
-	<sect2>
-	<title>Technical Issues</title>
-
-	<para>
-	<indexterm><primary>identity</primary><secondary>management</secondary></indexterm>
-	<indexterm><primary>directory</primary><secondary>server</secondary></indexterm>
-	<indexterm><primary>Posix</primary></indexterm>
-	The solution provided is a minimal approach to getting OpenLDAP running as an identity management directory
-	server for UNIX system accounts as well as for Samba. From the OpenLDAP perspective, UNIX system
-	accounts are stored POSIX schema extensions. Samba provides its own schema to permit storage of account 
-	attributes Samba needs. Samba-3 can use the LDAP backend to store:
-	</para>
-	
-	<itemizedlist>
-		<listitem><para>Windows Networking User Accounts</para></listitem>
-		<listitem><para>Windows NT Group Accounts</para></listitem>
-		<listitem><para>Mapping Information between UNIX Groups and Windows NT Groups</para></listitem>
-		<listitem><para>ID Mappings for SIDs to UIDs (also for foreign Domain SIDs)</para></listitem>
-	</itemizedlist>
-
-	<para>
-	<indexterm><primary>UNIX accounts</primary></indexterm>
-	<indexterm><primary>Windows accounts</primary></indexterm>
-	<indexterm><primary>PADL LDAP tools</primary></indexterm>
-	<indexterm><primary>/etc/group</primary></indexterm>
-	<indexterm><primary>LDAP</primary></indexterm>
-	<indexterm><primary>name service switch</primary><see>NSS</see></indexterm>
-	<indexterm><primary>NSS</primary></indexterm>
-	<indexterm><primary>UID</primary></indexterm>
-	<indexterm><primary>nss_ldap</primary></indexterm>
-	The use of LDAP with Samba-3 makes it necessary to store UNIX accounts as well as Windows Networking
-	accounts in the LDAP backend. This implies the need to use the 
-	<ulink url="http://www.padl.com/Contents/OpenSourceSoftware.html">PADL LDAP tools</ulink>. The resolution 
-	of the UNIX group name to its GID must be enabled from either the <filename>/etc/group</filename> 
-	or from the LDAP backend. This requires the use of the PADL <filename>nss_ldap</filename> tool-set
-	that integrates with the NSS. The same requirements exist for resolution
-	of the UNIX username to the UID. The relationships are demonstrated in <link linkend="sbehap-LDAPdiag"/>.
-	</para>
-
-	<figure id="sbehap-LDAPdiag">
-		<title>The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts</title>
-		<imagefile scale="50">UNIX-Samba-and-LDAP</imagefile>
-	</figure>
-
-	<para>
-	<indexterm><primary>security</primary></indexterm>
-	<indexterm><primary>LDAP</primary><secondary>secure</secondary></indexterm>
-	You configure OpenLDAP so that it is operational. Before deploying the OpenLDAP, you really
-	ought to learn how to configure secure communications over LDAP so that site security is not
-	at risk. This is not covered in the following guidance.
-	</para>
-
-	<para>
-	<indexterm><primary>PDC</primary></indexterm>
-	<indexterm><primary>LDAP Interchange Format</primary><see>LDIF</see></indexterm>
-	<indexterm><primary>LDIF</primary></indexterm>
-	<indexterm><primary>secrets.tdb</primary></indexterm>
-	When OpenLDAP has been made operative, you configure the PDC called <constant>MASSIVE</constant>.
-	You initialize the Samba <filename>secrets.tdb<subscript></subscript></filename> file. Then you
-	create the LDAP Interchange Format (LDIF) file from which the LDAP database can be initialized.
-	You need to decide how best to create user and group accounts. A few hints are, of course, provided.
-	You can also find on the enclosed CD-ROM, in the <filename>Chap06</filename> directory, a few tools
-	that help to manage user and group configuration.
-	</para>
-
-	<para>
-	<indexterm><primary>folder redirection</primary></indexterm>
-	<indexterm><primary>default profile</primary></indexterm>
-	<indexterm><primary>roaming profile</primary></indexterm>
-	In order to effect folder redirection and to add robustness to the implementation,
-	create a network default profile. All network users workstations are configured to use
-	the new profile. Roaming profiles will automatically be deleted from the workstation
-	when the user logs off.
-	</para>
-
-	<para>
-	<indexterm><primary>mandatory profile</primary></indexterm>
-	The profile is configured so that users cannot change the appearance
-	of their desktop. This is known as a mandatory profile. You make certain that users
-	are able to use their computers efficiently.
-	</para>
-
-	<para>
-	<indexterm><primary>logon script</primary></indexterm>
-	A network logon script is used to deliver flexible but consistent network drive
-	connections.
-	</para>
-
-		<sect3 id="sbehap-ppc">
-		<title>Addition of Machines to the Domain</title>
-
-		<para>
-		<indexterm><primary></primary></indexterm>
-		<indexterm><primary></primary></indexterm>
-		<indexterm><primary></primary></indexterm>
-		<indexterm><primary></primary></indexterm>
-		Samba versions prior to 3.0.11 necessitated the use of a domain administrator account
-		that maps to the UNIX UID=0. The UNIX operating system permits only the <constant>root</constant>
-		user to add user and group accounts. Samba 3.0.11 introduced a new facility known as
-		<constant>Privileges</constant>, which provides five new privileges that
-		can be assigned to users and/or groups; see Table 5.1.
-		</para>
-
-
-		<table id="sbehap-privs">
-			<title>Current Privilege Capabilities</title>
-			<tgroup cols="2">
-				<colspec align="left"/>
-				<colspec align="left"/>
-				<thead>
-					<row>
-						<entry align="left">Privilege</entry>
-						<entry align="left">Description</entry>
-					</row>
-				</thead>
-				<tbody>
-					<row>
-						<entry><para>SeMachineAccountPrivilege</para></entry>
-						<entry><para>Add machines to domain</para></entry>
-					</row>
-					<row>
-						<entry><para>SePrintOperatorPrivilege</para></entry>
-						<entry><para>Manage printers</para></entry>
-					</row>
-					<row>
-						<entry><para>SeAddUsersPrivilege</para></entry>
-						<entry><para>Add users and groups to the domain</para></entry>
-					</row>
-					<row>
-						<entry><para>SeRemoteShutdownPrivilege</para></entry>
-						<entry><para>Force shutdown from a remote system</para></entry>
-					</row>
-					<row>
-						<entry><para>SeDiskOperatorPrivilege</para></entry>
-						<entry><para>Manage disk share</para></entry>
-					</row>
-				</tbody>
-			</tgroup>
-		</table>
-
-		<para>
-		In this network example use is made of one of the supported privileges purely to demonstrate
-		how any user can now be given the ability to add machines to the domain using a normal user account
-		that has been given the appropriate privileges.
-		</para>
-
-		</sect3>
-
-		<sect3>
-		<title>Roaming Profile Background</title>
-
-		<para>
-		As XP roaming profiles grow, so does the amount of time it takes to log in and out.
-		</para>
-
-		<para>
-		<indexterm><primary>roaming profile</primary></indexterm>
-		<indexterm><primary>HKEY_CURRENT_USER</primary></indexterm>
-		<indexterm><primary>NTUSER.DAT</primary></indexterm>
-		<indexterm><primary>%USERNAME%</primary></indexterm>
-		An XP roaming profile consists of the <constant>HKEY_CURRENT_USER</constant> hive file
-		<filename>NTUSER.DAT</filename> and a number of folders (My Documents, Application Data,
-		Desktop, Start Menu, Templates, NetHood, Favorites, and so on).  When a user logs onto the 
-		network with the default configuration of MS Windows NT/200x/XPP, all this data is 
-		copied to the local machine under the <filename>C:\Documents and Settings\%USERNAME%</filename>
-		directory. While the user is logged in, any changes made to any of these folders or to the
-		<constant>HKEY_CURRENT_USER</constant> branch of the registry are made to the local copy
-		of the profile.  At logout the profile data is copied back to the server. This behavior
-		can be changed through appropriate registry changes and/or through changes to the default
-		user profile. In the latter case, it updates the registry with the values that are set in the
-		profile <filename>NTUSER.DAT</filename>
-		file.
-		</para>
-
-		<para>
-		The first challenge is to reduce the amount of data that must be transferred to and 
-		from the profile server as roaming profiles are processed.  This includes removing 
-		all the shortcuts in the Recent directory, making sure the cache used by the Web browser 
-		is not being dumped into the <filename>Application Data</filename> folder, removing the 
-		Java plug-ins cache (the .jpi_cache directory in the profile), as well as training the 
-		user to not place large files on the desktop and to use his or her mapped home directory
-		instead of the <filename>My Documents</filename> folder for saving documents.
-		</para>
-
-		<para>
-		<indexterm><primary>My Documents</primary></indexterm>
-		Using a folder other than <filename>My Documents</filename> is a nuisance for 
-		some users, since many applications use it by default.
-		</para>
-
-		<para>
-		<indexterm><primary>roaming profiles</primary></indexterm>
-		<indexterm><primary>Local Group Policy</primary></indexterm>
-		<indexterm><primary>NTUSER.DAT</primary></indexterm>
-		The secret to rapid loading of roaming profiles is to prevent unnecessary data from 
-		being copied back and forth, without losing any functionality. This is not difficult; 
-		it can be done by making changes to the Local Group Policy on each client as well 
-		as changing some paths in each user's <filename>NTUSER.DAT</filename> hive.
-		</para>
-
-		<para>
-		<indexterm><primary>Network Default Profile</primary></indexterm>
-		<indexterm><primary>redirected folders</primary></indexterm>
-		Every user profile has its own <filename>NTUSER.DAT</filename> file. This means
-		you need to edit every user's profile, unless a better method can be
-		followed. Fortunately, with the right preparations, this is not difficult.
-		It is possible to remove the <filename>NTUSER.DAT</filename> file from each
-		user's profile. Then just create a Network Default Profile. Of course, it is
-		necessary to copy all files from redirected folders to the network share to which
-		they are redirected.
-		</para>
-
-		</sect3>
-
-		<sect3 id="sbehap-locgrppol">
-		<title>The Local Group Policy</title>
-
-		<para>
-		<indexterm><primary>Group Policy Objects</primary></indexterm>
-		<indexterm><primary>Active Directory</primary></indexterm>
-		<indexterm><primary>PDC</primary></indexterm>
-		<indexterm><primary>Group Policy editor</primary></indexterm>
-		Without an Active Directory PDC, you cannot take full advantage of Group Policy 
-		Objects. However, you can still make changes to the Local Group Policy by using 
-		the Group Policy editor (<command>gpedit.msc</command>).
-		</para>
-
-		<para>
-		The <emphasis>Exclude directories in roaming profile</emphasis> settings can 
-		be found under 
-		<menuchoice>
-			<guimenu>User Configuration</guimenu>
-			<guimenuitem>Administrative Templates</guimenuitem>
-			<guimenuitem>System</guimenuitem>
-			<guimenuitem>User Profiles</guimenuitem>
-		</menuchoice>. 
-		By default this setting contains
-		<quote>Local Settings; Temporary Internet Files; History; Temp</quote>.
-		</para>
-
-		<para>
-		Simply add the folders you do not wish to be copied back and forth to this 
-		semicolon-separated list. Note that this change must be made on all clients 
-		that are using roaming profiles.
-		</para>
-
-		</sect3>
-
-		<sect3>
-		<title>Profile Changes</title>
-
-		<para>
-		<indexterm><primary>NTUSER.DAT</primary></indexterm>
-		<indexterm><primary>%USERNAME%</primary></indexterm>
-		There are two changes that should be done to each user's profile. Move each of 
-		the directories that you have excluded from being copied back and forth out of 
-		the usual profile path. Modify each user's <filename>NTUSER.DAT</filename> file 
-		to point to the new paths that are shared over the network instead of to the default
-		path (<filename>C:\Documents and Settings\%USERNAME%</filename>).
-		</para>
-
-		<para>
-		<indexterm><primary>Default User</primary></indexterm>
-		<indexterm><primary>regedt32</primary></indexterm>
-		The above modifies existing user profiles. So that newly created profiles have 
-		these settings, you need to modify the <filename>NTUSER.DAT</filename> in 
-		the <filename>C:\Documents and Settings\Default User</filename> folder on each 
-		client machine, changing the same registry keys.  You could do this by copying 
-		<filename>NTUSER.DAT</filename> to a Linux box and using <command>regedt32</command>.
-		The basic method is described under <link linkend="redirfold"/>.
-		</para>
-
-		</sect3>
-
-		<sect3>
-		<title>Using a Network Default User Profile</title>
-
-		<para>
-		<indexterm><primary>NETLOGON</primary></indexterm>
-		<indexterm><primary>NTUSER.DAT</primary></indexterm>
-		If you are using Samba as your PDC, you should create a file share called 
-		<constant>NETLOGON</constant> and within that create a directory called 
-		<filename>Default User</filename>, which is a copy of the desired default user 
-		configuration (including a copy of <filename>NTUSER.DAT</filename>).
-		If this share exists and the <filename>Default User</filename> folder exists, 
-		the first login from a new account pulls its configuration from it.
-		See also <ulink url="http://isg.ee.ethz.ch/tools/realmen/det/skel.en.html">
-		the Real Men Don't Click</ulink> Web site.
-		</para>
-
-		</sect3>
-
-		<sect3>
-		<title>Installation of Printer Driver Auto-Download</title>
-
-		<para>
-		<indexterm><primary>printing</primary><secondary>dumb</secondary></indexterm>
-		<indexterm><primary>dumb printing</primary></indexterm>
-		<indexterm><primary>Raw Print Through</primary></indexterm>
-		The subject of printing is quite topical. Printing problems run second place to name
-		resolution issues today. So far in this book, you have experienced only what is generally
-		known as <quote>dumb</quote> printing. Dumb printing is the arrangement by which all drivers
-		are manually installed on each client and the printing subsystems perform no filtering
-		or intelligent processing. Dumb printing is easily understood. It usually works without
-		many problems, but it has its limitations also. Dumb printing is better known as
-		<command>Raw-Print-Through</command> printing.
-		</para>
-
-		<para>
-		<indexterm><primary>printing</primary><secondary>drag-and-drop</secondary></indexterm>
-		<indexterm><primary>printing</primary><secondary>point-n-click</secondary></indexterm>
-		Samba permits the configuration of <command>smart</command> printing using the Microsoft
-		Windows point-and-click (also called drag-and-drop) printing. What this provides is
-		essentially the ability to print to any printer. If the local client does not yet have a
-		driver installed, the driver is automatically downloaded from the Samba server and
-		installed on the client. Drag-and-drop printing is neat; it means the user never needs
-		to fuss with driver installation, and that is a <trademark>Good Thing,</trademark>
-		isn't it?
-		</para>
-
-		<para>
-		There is a further layer of print job processing that is known as <command>intelligent</command>
-		printing that automatically senses the file format of data submitted for printing and
-		then invokes a suitable print filter to convert the incoming data stream into a format
-		suited to the printer to which the job is dispatched.
-		</para>
-
-		<para>
-		<indexterm><primary>CUPS</primary></indexterm>
-		<indexterm><primary>Easy Software Products</primary></indexterm>
-		<indexterm><primary>Postscript</primary></indexterm>
-		The CUPS printing subsystem is capable of intelligent printing. It has the capacity to
-		detect the data format and apply a print filter. This means that it is feasible to install
-		on all Windows clients a single printer driver for use with all printers that are routed
-		through CUPS. The most sensible driver to use is one for a PostScript printer. Fortunately,
-		<ulink url="http://www.easysw.com">Easy Software Products</ulink>, the authors of CUPS, have
-		released a PostScript printing driver for Windows. It can be installed into the Samba
-		printing backend so that it automatically downloads to the client when needed. 
-		</para>
-
-		<para>
-		This means that so long as there is a CUPS driver for the printer, all printing from Windows 
-		software can use PostScript, no matter what the actual printer language for the physical 
-		device is. It also means that the administrator can swap out a printer with a totally 
-		different type of device without ever needing to change a client workstation driver.
-		</para>
-
-		<para>
-		This book is about Samba-3, so you can confine the printing style to just the smart
-		style of installation. Those interested in further information regarding intelligent
-		printing should review documentation on the Easy Software Products Web site.
-		</para>
-
-		</sect3>
-
-		<sect3 id="sbeavoid">
-		<title>Avoiding Failures: Solving Problems Before They Happen</title>
-
-		<para>
-		It has often been said that there are three types of people in the world: those who
-		have sharp minds and those who forget things. Please do not ask what the third group
-		is like! Well, it seems that many of us have company in the second group. There must
-		be a good explanation why so many network administrators fail to solve apparently
-		simple problems efficiently and effectively.
-		</para>
-
-		<para>
-		Here are some diagnostic guidelines that can be referred to when things go wrong:
-		</para>
-
-		<sect4>
-		<title>Preliminary Advice: Dangers Can Be Avoided</title>
-
-		<para>
-		The best advice regarding how to mend a broken leg is <quote>Never break a leg!</quote>
-		</para>
-
-		<para>
-		<indexterm><primary>LDAP</primary></indexterm>
-		Newcomers to Samba and LDAP seem to struggle a great deal at first.  If you want advice
-		regarding the best way to remedy LDAP and Samba problems: <quote>Avoid them like the plague!</quote>
-		</para>
-
-		<para>
-		If you are now asking yourself how problems can be avoided, the best advice is to start
-		out your learning experience with a <emphasis>known-good configuration.</emphasis> After
-		you have seen a fully working solution, a good way to learn is to make slow and progressive
-		changes that cause things to break, then observe carefully how and why things ceased to work.
-		</para>
-
-		<para>
-		The examples in this chapter (also in the book as a whole) are known to work. That means
-		that they could serve as the kick-off point for your journey through fields of knowledge.
-		Use this resource carefully; we hope it serves you well.
-		</para>
-
-		<warning><para>
-		Do not be lulled into thinking that you can easily adopt the examples in this
-		book and adapt them without first working through the examples provided. A little
-		thing overlooked can cause untold pain and may permanently tarnish your experience.
-		</para></warning>
-
-		</sect4>
-
-		<sect4>
-		<title>The Name Service Caching Daemon</title>
-
-		<para>
-		The name service caching daemon (nscd) is a primary cause of difficulties with name
-		resolution, particularly where <command>winbind</command> is used. Winbind does its
-		own caching, thus nscd causes double caching which can lead to peculiar problems during
-		debugging. As a rule, it is a good idea to turn off the name service caching daemon.
-		</para>
-
-		<para>
-		Operation of the name service caching daemon is controlled by the 
-		<filename>/etc/nscd.conf</filename> file. Typical contents of this file are as follows:
-<screen>
-# /etc/nscd.conf
-# An example Name Service Cache config file.  This file is needed by nscd.
-# Legal entries are:
-#       logfile                 <file>
-#       debug-level             <level>
-#       threads                 <threads to use>
-#       server-user             <user to run server as instead of root>
-#               server-user is ignored if nscd is started with -S parameters
-#       stat-user               <user who is allowed to request statistics>
-#       reload-count            unlimited|<number>
-#
-#       enable-cache            <service> <yes|no>
-#       positive-time-to-live   <service> <time in seconds>
-#       negative-time-to-live   <service> <time in seconds>
-#       suggested-size          <service> <prime number>
-#       check-files             <service> <yes|no>
-#       persistent              <service> <yes|no>
-#       shared                  <service> <yes|no>
-# Currently supported cache names (services): passwd, group, hosts
-#       logfile                 /var/log/nscd.log
-#       threads                 6
-#       server-user             nobody
-#       stat-user               somebody
-        debug-level             0
-#       reload-count            5
-        enable-cache            passwd          yes
-        positive-time-to-live   passwd          600
-        negative-time-to-live   passwd          20
-        suggested-size          passwd          211
-        check-files             passwd          yes
-        persistent              passwd          yes
-        shared                  passwd          yes
-        enable-cache            group           yes
-        positive-time-to-live   group           3600
-        negative-time-to-live   group           60
-        suggested-size          group           211
-        check-files             group           yes
-        persistent              group           yes
-        shared                  group           yes
-# !!!!!WARNING!!!!! Host cache is insecure!!! The mechanism in nscd to
-# cache hosts will cause your local system to not be able to trust
-# forward/reverse lookup checks. DO NOT USE THIS if your system relies on
-# this sort of security mechanism. Use a caching DNS server instead.
-        enable-cache            hosts           no
-        positive-time-to-live   hosts           3600
-        negative-time-to-live   hosts           20
-        suggested-size          hosts           211
-        check-files             hosts           yes
-        persistent              hosts           yes
-        shared                  hosts           yes
-</screen>
-	It is feasible to comment out the <constant>passwd</constant> and <constant>group</constant>
-	entries so they will not be cached. Alternatively, it is often simpler to just disable the
-	<command>nscd</command> service by executing (on Novell SUSE Linux):
-<screen>
-&rootprompt; chkconfig nscd off
-&rootprompt; rcnscd off
-</screen>
-		</para>
-
-		</sect4>
-
-		<sect4>
-		<title>Debugging LDAP</title>
-
-		<para>
-		<indexterm><primary>/etc/openldap/slapd.conf</primary></indexterm>
-		<indexterm><primary>loglevel</primary></indexterm>
-		<indexterm><primary>slapd</primary></indexterm>
-		In the example <filename>/etc/openldap/slapd.conf</filename> control file
-		(see <link linkend="sbehap-dbconf"/>) there is an entry for <constant>loglevel	256</constant>.
-		To enable logging via the syslog infrastructure, it is necessary to uncomment this parameter
-		and restart <command>slapd</command>.
-		</para>
-
-		<para>
-		<indexterm><primary>/etc/syslog.conf</primary></indexterm>
-		<indexterm><primary>/var/log/ldaplogs</primary></indexterm>
-		LDAP log information can be directed into a file that is separate from the normal system
-		log files by changing the <filename>/etc/syslog.conf</filename> file so it has the following
-		contents:
-<screen>
-# Some foreign boot scripts require local7
-#
-local0,local1.*                 -/var/log/localmessages
-local2,local3.*                 -/var/log/localmessages
-local5.*                        -/var/log/localmessages
-local6,local7.*                 -/var/log/localmessages
-local4.*                        -/var/log/ldaplogs
-</screen>
-		In this case, all LDAP-related logs will be directed to the file
-		<filename>/var/log/ldaplogs</filename>. This makes it easy to track LDAP errors.
-		The snippet provides a simple example of usage that can be modified to suit
-		local site needs. The configuration used later in this chapter reflects such
-		customization with the intent that LDAP log files will be stored at a location
-		that meets local site needs and wishes more fully.
-		</para>
-
-		</sect4>
-
-		<sect4>
-		<title>Debugging NSS_LDAP</title>
-
-		<para>
-		The basic mechanism for diagnosing problems with the nss_ldap utility involves adding to the
-		<filename>/etc/ldap.conf</filename> file the following parameters:
-<screen>
-debug 256
-logdir /data/logs
-</screen>
-		Create the log directory as follows:
-<screen>
-&rootprompt; mkdir /data/logs
-</screen>
-		</para>
-
-<?latex \newpage ?>
-
-		<para>
-		The diagnostic process should follow these steps:
-		</para>
-
-		<procedure>
-		<title>NSS_LDAP Diagnostic Steps</title>
-
-			<step><para>
-			Verify the <constant>nss_base_passwd, nss_base_shadow, nss_base_group</constant> entries
-			in the <filename>/etc/ldap.conf</filename> file and compare them closely with the directory
-			tree location that was chosen when the directory was first created.
-			</para>
-
-			<para>
-			One way this can be done is by executing:
-<screen>
-&rootprompt; slapcat | grep Group | grep dn
-dn: ou=Groups,dc=abmas,dc=biz
-dn: cn=Domain Admins,ou=Groups,dc=abmas,dc=biz
-dn: cn=Domain Users,ou=Groups,dc=abmas,dc=biz
-dn: cn=Domain Guests,ou=Groups,dc=abmas,dc=biz
-dn: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz
-dn: cn=Administrators,ou=Groups,dc=abmas,dc=biz
-dn: cn=Print Operators,ou=Groups,dc=abmas,dc=biz
-dn: cn=Backup Operators,ou=Groups,dc=abmas,dc=biz
-dn: cn=Replicators,ou=Groups,dc=abmas,dc=biz
-</screen>
-			The first line is the DIT entry point for the container for POSIX groups. The correct entry
-			for the <filename>/etc/ldap.conf</filename> for the <constant>nss_base_group</constant>
-			parameter therefore is the distinguished name (dn) as applied here:
-<screen>
-nss_base_group ou=Groups,dc=abmas,dc=biz?one
-</screen>
-			The same process may be followed to determine the appropriate dn for user accounts.
-			If the container for computer accounts is not the same as that for users (see the &smb.conf;
-			file entry for <constant>ldap machine suffix</constant>), it may be necessary to set the 
-			following DIT dn in the <filename>/etc/ldap.conf</filename> file:
-<screen>
-nss_base_passwd dc=abmas,dc=biz?sub
-</screen>
-			This instructs LDAP to search for machine as well as user entries from the top of the DIT
-			down. This is inefficient, but at least should work. Note: It is possible to specify multiple
-			<constant>nss_base_passwd</constant> entries in the <filename>/etc/ldap.conf</filename> file; they
-			will be evaluated sequentially. Let us consider an example of use where the following DIT
-			has been implemented:
-			</para>
-
-			<para>
-			<itemizedlist>
-			<listitem><para>User accounts are stored under the DIT: ou=Users, dc=abmas, dc=biz</para></listitem>
-			<listitem><para>User login accounts are under the DIT: ou=People, ou-Users, dc=abmas, dc=biz</para></listitem>
-			<listitem><para>Computer accounts are under the DIT: ou=Computers, ou=Users, dc=abmas, dc=biz</para></listitem>
-			</itemizedlist>
-			</para>
-
-			<para>
-			The appropriate multiple entry for the <constant>nss_base_passwd</constant> directive
-			in the <filename>/etc/ldap.conf</filename> file may be:
-<screen>
-nss_base_passwd ou=People,ou=Users,dc=abmas,dc=org?one
-nss_base_passwd ou=Computers,ou=Users,dc=abmas,dc=org?one
-</screen>
-			</para></step>
-
-			<step><para>
-			Perform lookups such as:
-<screen>
-&rootprompt; getent passwd
-</screen>
-			Each such lookup will create an entry in the <filename>/data/log</filename> directory
-			for each such process executed. The contents of each file created in this directory
-			may provide a hint as to the cause of the a problem that is under investigation. 
-			</para></step>
-
-			<step><para>
-			For additional diagnostic information, check the contents of the <filename>/var/log/messages</filename>
-			to see what error messages are being generated as a result of the LDAP lookups. Here is an example of
-			a successful lookup:
-<screen>
-slapd[12164]: conn=0 fd=10 ACCEPT from IP=127.0.0.1:33539
-(IP=0.0.0.0:389)
-slapd[12164]: conn=0 op=0 BIND dn="" method=128
-slapd[12164]: conn=0 op=0 RESULT tag=97 err=0 text=
-slapd[12164]: conn=0 op=1 SRCH base="" scope=0 deref=0
-filter="(objectClass=*)"
-slapd[12164]: conn=0 op=1 SEARCH RESULT tag=101 err=0
-nentries=1 text=
-slapd[12164]: conn=0 op=2 UNBIND
-slapd[12164]: conn=0 fd=10 closed
-slapd[12164]: conn=1 fd=10 ACCEPT from
-IP=127.0.0.1:33540 (IP=0.0.0.0:389)
-slapd[12164]: conn=1 op=0 BIND
-dn="cn=Manager,dc=abmas,dc=biz" method=128
-slapd[12164]: conn=1 op=0 BIND
-dn="cn=Manager,dc=abmas,dc=biz" mech=SIMPLE ssf=0
-slapd[12164]: conn=1 op=0 RESULT tag=97 err=0 text=
-slapd[12164]: conn=1 op=1 SRCH
-base="ou=People,dc=abmas,dc=biz" scope=1 deref=0
-filter="(objectClass=posixAccount)"
-slapd[12164]: conn=1 op=1 SRCH attr=uid userPassword
-uidNumber gidNumber cn
-homeDirectory loginShell gecos description objectClass
-slapd[12164]: conn=1 op=1 SEARCH RESULT tag=101 err=0
-nentries=2 text=
-slapd[12164]: conn=1 fd=10 closed
-
-</screen>
-			</para></step>
-
-			<step><para>
-			Check that the bindpw entry in the <filename>/etc/ldap.conf</filename> or in the
-			<filename>/etc/ldap.secrets</filename> file is correct, as specified in the
-			<filename>/etc/openldap/slapd.conf</filename> file.
-			</para></step>
-
-		</procedure>
-
-		</sect4>
-
-		<sect4>
-		<title>Debugging Samba</title>
-
-		<para>
-		The following parameters in the &smb.conf; file can be useful in tracking down Samba-related problems:
-<screen>
-[global]
-	...
-	log level = 5
-	log file = /var/log/samba/%m.log
-	max log size = 0
-	...
-</screen>
-		This will result in the creation of a separate log file for every client from which connections
-		are made. The log file will be quite verbose and will grow continually. Do not forget to
-		change these lines to the following when debugging has been completed:
-<screen>
-[global]
-	...
-	log level = 1
-	log file = /var/log/samba/%m.log
-	max log size = 50
-	...
-</screen>
-		</para>
-
-		<para>
-		The log file can be analyzed by executing:
-<screen>
-&rootprompt; cd /var/log/samba
-&rootprompt; grep -v "^\[200" machine_name.log
-</screen>
-		</para>
-
-		<para>
-		Search for hints of what may have failed by looking for the words <emphasis>fail</emphasis>
-		and <emphasis>error</emphasis>.
-		</para>
-
-		</sect4>
-
-		<sect4>
-		<title>Debugging on the Windows Client</title>
-
-		<para>
-		MS Windows 2000 Professional and Windows  XP Professional clients can be configured
-		to create a netlogon.log file that can be very helpful in diagnosing network logon problems. Search
-		the Microsoft knowledge base for detailed instructions. The techniques vary a little with each
-		version of MS Windows.
-		</para>
-
-		</sect4>
-
-		</sect3>
-
-	</sect2>
-
-
-	<sect2>
-		<title>Political Issues</title>
-
-		<para>
-		MS Windows network users are generally very sensitive to limits that may be imposed when 
-		confronted with locked-down workstation configurations. The challenge you face must 
-		be promoted as a choice between reliable, fast network operation and a constant flux 	
-		of problems that result in user irritation.
-		</para>
-
-	</sect2>
-
-	<sect2>
-		<title>Installation Checklist</title>
-
-	<para>
-	You are starting a complex project. Even though you went through the installation of a complex
-	network in <link linkend="Big500users"/>, this network is a bigger challenge because of the
-	large number of complex applications that must be configured before the first few steps
-	can be validated. Take stock of what you are about to undertake, prepare yourself, and
-	frequently review the steps ahead while making at least a mental note of what has already
-	been completed. The following task list may help you to keep track of the task items
-	that are covered:
-	</para>
-
-
-	<itemizedlist>
-		<listitem><para>Samba-3 PDC Server Configuration</para>
-			<orderedlist>
-				<listitem><para>DHCP and DNS servers</para></listitem>
-				<listitem><para>OpenLDAP server</para></listitem>
-				<listitem><para>PAM and NSS client tools</para></listitem>
-				<listitem><para>Samba-3 PDC</para></listitem>
-				<listitem><para>Idealx smbldap scripts</para></listitem>
-				<listitem><para>LDAP initialization</para></listitem>
-				<listitem><para>Create user and group accounts</para></listitem>
-				<listitem><para>Printers</para></listitem>
-				<listitem><para>Share point directory roots</para></listitem>
-				<listitem><para>Profile directories</para></listitem>
-				<listitem><para>Logon scripts</para></listitem>
-				<listitem><para>Configuration of user rights and privileges</para></listitem>
-			</orderedlist>
-		</listitem>
-		<listitem><para>Samba-3 BDC Server Configuration</para>
-			<orderedlist>
-				<listitem><para>DHCP and DNS servers</para></listitem>
-				<listitem><para>PAM and NSS client tools</para></listitem>
-				<listitem><para>Printers</para></listitem>
-				<listitem><para>Share point directory roots</para></listitem>
-				<listitem><para>Profiles directories</para></listitem>
-			</orderedlist>
-		</listitem>
-		<listitem><para>Windows XP Client Configuration</para>
-			<orderedlist>
-				<listitem><para>Default profile folder redirection</para></listitem>
-				<listitem><para>MS Outlook PST file relocation</para></listitem>
-				<listitem><para>Delete roaming profile on logout</para></listitem>
-				<listitem><para>Upload printer drivers to Samba servers</para></listitem>
-				<listitem><para>Install software</para></listitem>
-				<listitem><para>Creation of roll-out images</para></listitem>
-			</orderedlist>
-		</listitem>
-	</itemizedlist>
-
-
-	</sect2>
-
-</sect1>
-
-<sect1>
-	<title>Samba Server Implementation</title>
-
-	<para>
-	<indexterm><primary>file servers</primary></indexterm>
-	<indexterm><primary>BDC</primary></indexterm>
-	The network design shown in <link linkend="chap6net"/> is not comprehensive. It is assumed
-	that you will install additional file servers and possibly additional BDCs.
-	</para>
-
-	<figure id="chap6net">
-		<title>Network Topology &smbmdash; 500 User Network Using ldapsam passdb backend</title>
-		<imagefile scale="50">chap6-net</imagefile>
-	</figure>
-
-	<para>
-	<indexterm><primary>SUSE Linux</primary></indexterm>
-	<indexterm><primary>Red Hat Linux</primary></indexterm>
-	All configuration files and locations are shown for SUSE Linux 9.2 and are equally valid for SUSE
-	Linux Enterprise Server 9. The file locations for Red Hat Linux are similar. You may need to
-	adjust the locations for your particular Linux system distribution/implementation.
-	</para>
-
-<note><para>
-The following information applies to Samba-3.0.20 when used with the Idealx smbldap-tools
-scripts version 0.9.1. If using a different version of Samba or of the smbldap-tools tarball,
-please verify that the versions you are about to use are matching. The smbldap-tools package
-uses counter-entries in the LDAP directory to avoid duplication of the UIDs and GIDs that are
-issued for POSIX accounts. The LDAP rdn under which this information is stored are called
-<constant>uidNumber</constant> and <constant>gidNumber</constant> respectively. These may be
-located in any convenient part of the directory information tree (DIT). In the examples that
-follow they have been located under <constant>dn=sambaDomainName=MEGANET2,dc=abmas,dc=org</constant>.
-They could just as well be located under the rdn <constant>cn=NextFreeUnixId</constant>.
-</para></note>
-
-	<para>
-	The steps in the process involve changes from the network configuration shown in
-	<link linkend="Big500users"/>.  Before implementing the following steps, you must
-	have completed the network implementation shown in that chapter. If you are starting
-	with newly installed Linux servers, you must complete the steps shown in
-	<link linkend="ch5-dnshcp-setup"/> before commencing at <link linkend="ldapsetup"/>.
-	</para>
-
-	<sect2 id="ldapsetup">
-	<title>OpenLDAP Server Configuration</title>
-
-	<para>
-	<indexterm><primary>nss_ldap</primary></indexterm>
-	<indexterm><primary>pam_ldap</primary></indexterm>
-	<indexterm><primary>openldap</primary></indexterm>
-	Confirm that the packages shown in <link linkend="oldapreq"/> are installed on your system.
-	</para>
-
-	<table id="oldapreq">
-		<title>Required OpenLDAP Linux Packages</title>
-		<tgroup cols="3">
-			<colspec align="left"/>
-			<colspec align="left"/>
-			<colspec align="left"/>
-			<thead>
-				<row>
-					<entry align="center">SUSE Linux 8.x</entry>
-					<entry align="center">SUSE Linux 9.x</entry>
-					<entry align="center">Red Hat Linux</entry>
-				</row>
-			</thead>
-			<tbody>
-				<row>
-					<entry>nss_ldap</entry>
-					<entry>nss_ldap</entry>
-					<entry>nss_ldap</entry>
-				</row>
-				<row>
-					<entry>pam_ldap</entry>
-					<entry>pam_ldap</entry>
-					<entry>pam_ldap</entry>
-				</row>
-				<row>
-					<entry>openldap2</entry>
-					<entry>openldap2</entry>
-					<entry>openldap</entry>
-				</row>
-				<row>
-					<entry>openldap2-client</entry>
-					<entry>openldap2-client</entry>
-					<entry></entry>
-				</row>
-			</tbody>
-		</tgroup>
-	</table>
-
-	<para>
-	Samba-3 and OpenLDAP will have a degree of interdependence that is unavoidable. The method
-	for bootstrapping the LDAP and Samba-3 configuration is relatively straightforward. If you
-	follow these guidelines, the resulting system should work fine.
-	</para>
-
-	<procedure>
-	<title>OpenLDAP Server Configuration Steps</title>
-
-		<step><para>
-		<indexterm><primary>/etc/openldap/slapd.conf</primary></indexterm>
-		Install the file shown in <link linkend="sbehap-slapdconf"/> in the directory
-		<filename>/etc/openldap</filename>.
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>/data/ldap</primary></indexterm>
-		<indexterm><primary>group account</primary></indexterm>
-		<indexterm><primary>user account</primary></indexterm>
-		Remove all files from the directory <filename>/data/ldap</filename>, making certain that
-		the directory exists with permissions:
-<screen>
-&rootprompt; ls -al /data | grep ldap
-drwx------   2 ldap    ldap       48 Dec 15 22:11 ldap
-</screen>
-		This may require you to add a user and a group account for LDAP if they do not exist.
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>DB_CONFIG</primary></indexterm>
-		Install the file shown in <link linkend="sbehap-dbconf"/> in the directory
-		<filename>/data/ldap</filename>. In the event that this file is added after <constant>ldap</constant>
-		has been started, it is possible to cause the new settings to take effect by shutting down
-		the <constant>LDAP</constant> server, executing the <command>db_recover</command> command inside the
-		<filename>/data/ldap</filename> directory, and then restarting the <constant>LDAP</constant> server.
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>syslog</primary></indexterm>
-		Performance logging can be enabled and should preferably be sent to a file on
-		a file system that is large enough to handle significantly sized logs. To enable
-		the logging at a verbose level to permit detailed analysis, uncomment the entry in
-		the <filename>/etc/openldap/slapd.conf</filename> shown as <quote>loglevel 256</quote>.
-		</para>
-
-		<para>
-		Edit the <filename>/etc/syslog.conf</filename> file to add the following at the end
-		of the file:
-<screen>
-local4.*        -/data/ldap/log/openldap.log
-</screen>
-		Note: The path <filename>/data/ldap/log</filename> should be set at a location
-		that is convenient and that can store a large volume of data.
-		</para></step>
-
-	</procedure>
-
-<example id="sbehap-dbconf">
-<title>LDAP DB_CONFIG File</title>
-<screen>
-set_cachesize           0 150000000 1
-set_lg_regionmax        262144
-set_lg_bsize            2097152
-#set_lg_dir             /var/log/bdb
-set_flags               DB_LOG_AUTOREMOVE
-</screen>
-</example>
-
-<example id="sbehap-slapdconf">
-<title>LDAP Master Configuration File &smbmdash; <filename>/etc/openldap/slapd.conf</filename> Part A</title>
-<screen>
-include		/etc/openldap/schema/core.schema
-include		/etc/openldap/schema/cosine.schema
-include		/etc/openldap/schema/inetorgperson.schema
-include		/etc/openldap/schema/nis.schema
-include		/etc/openldap/schema/samba3.schema
-
-pidfile		/var/run/slapd/slapd.pid
-argsfile	/var/run/slapd/slapd.args
-
-access to dn.base=""
-		by self write
-		by * auth
-
-access to attr=userPassword
-		by self write
-		by * auth
-
-access to attr=shadowLastChange
-		by self write
-		by * read
-
-access to *
-                by * read
-                by anonymous auth
-
-#loglevel	256
-
-schemacheck 	on
-idletimeout	30
-backend		bdb
-database	bdb
-checkpoint      1024 5
-cachesize       10000
-
-suffix		"dc=abmas,dc=biz"
-rootdn		"cn=Manager,dc=abmas,dc=biz"
-
-# rootpw = not24get
-rootpw          {SSHA}86kTavd9Dw3FAz6qzWTrCOKX/c0Qe+UV
-
-directory	/data/ldap
-</screen>
-</example>
-
-<example id="sbehap-slapdconf2">
-<title>LDAP Master Configuration File &smbmdash; <filename>/etc/openldap/slapd.conf</filename> Part B</title>
-<screen>
-# Indices to maintain
-index objectClass           eq
-index cn                    pres,sub,eq
-index sn                    pres,sub,eq
-index uid                   pres,sub,eq
-index displayName           pres,sub,eq
-index uidNumber             eq
-index gidNumber             eq
-index memberUID             eq
-index sambaSID              eq
-index sambaPrimaryGroupSID  eq
-index sambaDomainName       eq
-index default               sub
-</screen>
-</example>
-
-	</sect2>
-
-	<sect2 id="sbehap-PAM-NSS">
-	<title>PAM and NSS Client Configuration</title>
-
-	<para>
-	<indexterm><primary>LDAP</primary></indexterm>
-	<indexterm><primary>NSS</primary></indexterm>
-	<indexterm><primary>PAM</primary></indexterm>
-	The steps that follow involve configuration of LDAP, NSS LDAP-based resolution of users and
-	groups. Also, so that LDAP-based accounts can log onto the system, the steps ahead configure
-	the Pluggable Authentication Modules (PAM) to permit LDAP-based authentication.
-	</para>
-
-	<para>
-	<indexterm><primary>Pluggable Authentication Modules</primary><see>PAM</see></indexterm>
-	<indexterm><primary>pam_unix2.so</primary></indexterm>
-	Since you have chosen to put UNIX user and group accounts into the LDAP database, it is likely
-	that you may want to use them for UNIX system (Linux) local machine logons. This necessitates
-	correct configuration of PAM. The <command>pam_ldap</command> open source package provides the
-	PAM modules that most people would use. On SUSE Linux systems, the <command>pam_unix2.so</command>
-	module also has the ability to redirect authentication requests through LDAP.
-	</para>
-
-	<para>
-	<indexterm><primary>YaST</primary></indexterm>
-	<indexterm><primary>SUSE Linux</primary></indexterm>
-	<indexterm><primary>Red Hat Linux</primary></indexterm>
-	<indexterm><primary>authconfig</primary></indexterm>
-	You have chosen to configure these services by directly editing the system files, but of course, you
-	know that this configuration can be done using system tools provided by the Linux system vendor.
-	SUSE Linux has a facility in YaST (the system admin tool) through <menuchoice><guimenu>yast</guimenu>
-	<guimenuitem>system</guimenuitem><guimenuitem>ldap-client</guimenuitem></menuchoice> that permits
-	configuration of SUSE Linux as an LDAP client. Red Hat Linux provides the <command>authconfig</command>
-	tool for this.
-	</para>
-
-	<procedure>
-	<title>PAM and NSS Client Configuration Steps</title>
-
-		<step><para>
-		<indexterm><primary>/lib/libnss_ldap.so.2</primary></indexterm>
-		<indexterm><primary>/etc/ldap.conf</primary></indexterm>
-		<indexterm><primary>nss_ldap</primary></indexterm>
-		Execute the following command to find where the <filename>nss_ldap</filename> module
-		expects to find its control file:
-<screen>
-&rootprompt; strings /lib/libnss_ldap.so.2 | grep conf
-</screen>
-		The preferred and usual location is <filename>/etc/ldap.conf</filename>.
-		</para></step>
-
-		<step><para>
-		On the server <constant>MASSIVE</constant>, install the file shown in 
-		<link linkend="sbehap-nss01"/> into the path that was obtained from the step above.
-		On the servers called <constant>BLDG1</constant> and <constant>BLDG2</constant>, install the file shown in
-		<link linkend="sbehap-nss02"/> into the path that was obtained from the step above.
-		</para></step>
-
-<example id="sbehap-nss01">
-<title>Configuration File for NSS LDAP Support &smbmdash; <filename>/etc/ldap.conf</filename></title>
-<screen>
-host 127.0.0.1
-
-base dc=abmas,dc=biz
-
-binddn cn=Manager,dc=abmas,dc=biz
-bindpw not24get
-
-timelimit 50
-bind_timelimit 50
-bind_policy hard
-
-idle_timelimit 3600
-
-pam_password exop
-
-nss_base_passwd ou=People,dc=abmas,dc=biz?one
-nss_base_shadow ou=People,dc=abmas,dc=biz?one
-nss_base_group  ou=Groups,dc=abmas,dc=biz?one
-
-ssl off
-</screen>
-</example>
-
-<example id="sbehap-nss02">
-<title>Configuration File for NSS LDAP Clients Support &smbmdash; <filename>/etc/ldap.conf</filename></title>
-<screen>
-host 172.16.0.1
-
-base dc=abmas,dc=biz
-
-binddn cn=Manager,dc=abmas,dc=biz
-bindpw not24get
-
-timelimit 50
-bind_timelimit 50
-bind_policy hard
-
-idle_timelimit 3600
-
-pam_password exop
-
-nss_base_passwd ou=People,dc=abmas,dc=biz?one
-nss_base_shadow ou=People,dc=abmas,dc=biz?one
-nss_base_group  ou=Groups,dc=abmas,dc=biz?one
-
-ssl off
-</screen>
-</example>
-
-		<step><para>
-		<indexterm><primary>/etc/nsswitch.conf</primary></indexterm>
-		Edit the NSS control file (<filename>/etc/nsswitch.conf</filename>) so that the lines that
-		control user and group resolution will obtain information from the normal system files as
-		well as from <command>ldap</command>:
-<screen>
-passwd: files ldap
-shadow: files ldap
-group:  files ldap
-hosts:  files dns wins
-</screen>
-		Later, when the LDAP database has been initialized and user and group accounts have been
-		added, you can validate resolution of the LDAP resolver process. The inclusion of 
-		WINS-based hostname resolution is deliberate so that all MS Windows client hostnames can be 
-		resolved to their IP addresses, whether or not they are DHCP clients.
-		</para>
-
-		<note><para>
-		Some Linux systems (Novell SUSE Linux in particular) add entries to the <filename>nsswitch.conf</filename>
-		file that may cause operational problems with the configuration methods adopted in this book. It is
-		advisable to comment out the entries <constant>passwd_compat</constant> and <constant>group_compat</constant>
-		where they are found in this file.
-		</para></note>
-
-		<para>
-		Even at the risk of overstating the issue, incorrect and inappropriate configuration of the
-		<filename>nsswitch.conf</filename> file is a significant cause of operational problems with LDAP.
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>pam_unix2.so</primary><secondary>use_ldap</secondary></indexterm>
-		For PAM LDAP configuration on this SUSE Linux 9.0 system, the simplest solution is to edit the following
-		files in the <filename>/etc/pam.d</filename> directory: <command>login</command>, <command>password</command>,
-		<command>samba</command>, <command>sshd</command>.  In each file, locate every entry that has the
-		<command>pam_unix2.so</command> entry and add to the line the entry <command>use_ldap</command> as shown
-		for the <command>login</command> module in this example:
-<screen>
-#%PAM-1.0
-auth      requisite  pam_unix2.so   nullok use_ldap #set_secrpc
-auth      required   pam_securetty.so
-auth      required   pam_nologin.so
-#auth     required   pam_homecheck.so
-auth      required   pam_env.so
-auth      required   pam_mail.so
-account   required   pam_unix2.so   use_ldap
-password  required   pam_pwcheck.s  nullok
-password  required   pam_unix2.so   nullok use_first_pass \
-                                    use_authtok use_ldap
-session   required   pam_unix2.so   none use_ldap # debug or trace
-session   required   pam_limits.so
-</screen>
-		</para>
-
-		<para>
-		<indexterm><primary>pam_ldap.so</primary></indexterm>
-		On other Linux systems that do not have an LDAP-enabled <command>pam_unix2.so</command> module,
-		you must edit these files by adding the <command>pam_ldap.so</command> modules as shown here:
-<screen>
-#%PAM-1.0
-auth     required    pam_securetty.so
-auth     required    pam_nologin.so
-auth     sufficient  pam_ldap.so
-auth     required    pam_unix2.so   nullok try_first_pass #set_secrpc
-account  sufficient  pam_ldap.so
-account  required    pam_unix2.so
-password required    pam_pwcheck.so nullok
-password required    pam_ldap.so    use_first_pass use_authtok
-password required    pam_unix2.so   nullok use_first_pass use_authtok
-session  required    pam_unix2.so   none # debug or trace
-session  required    pam_limits.so
-session  required    pam_env.so
-session  optional    pam_mail.so
-</screen>
-		This example does have the LDAP-enabled <command>pam_unix2.so</command>, but simply
-		demonstrates the use of the <command>pam_ldap.so</command> module. You can use either
-		implementation, but if the <command>pam_unix2.so</command> on your system supports
-		LDAP, you probably want to use it rather than add an additional module.
-		</para></step>
-
-	</procedure>
-
-	</sect2>
-
-	<sect2 id="sbehap-massive">
-	<title>Samba-3 PDC Configuration</title>
-
-	<para>
-	<indexterm><primary>Samba RPM Packages</primary></indexterm>
-	Verify that the Samba-3.0.20 (or later) packages are installed on each SUSE Linux server 
-	before following the steps below. If Samba-3.0.20 (or later) is not installed, you have the
-	choice to either build your own or obtain the packages from a dependable source.
-	Packages for SUSE Linux 8.x, 9.x, and SUSE Linux Enterprise Server 9, as well as for 
-	Red Hat Fedora Core and Red Hat Enterprise Linux Server 3 and 4, are included on the CD-ROM that
-	is included with this book.
-	</para>
-
-	<procedure>
-	<title>Configuration of PDC Called <constant>MASSIVE</constant></title>
-
-		<step><para>
-		Install the files in <link linkend="sbehap-massive-smbconfa"/>, 
-		<link linkend="sbehap-massive-smbconfb"/>, <link linkend="sbehap-shareconfa"/>, 
-		and <link linkend="sbehap-shareconfb"/> into the <filename>/etc/samba/</filename> 
-		directory. The three files should be added together to form the &smb.conf; 
-		master file. It is a good practice to call this file something like
-		<filename>smb.conf.master</filename> and then to perform all file edits
-		on the master file. The operational &smb.conf; is then generated as shown in
-		the next step.
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>testparm</primary></indexterm>
-		Create and verify the contents of the &smb.conf; file that is generated by:
-<screen>
-&rootprompt; testparm -s smb.conf.master > smb.conf
-</screen>
-		Immediately follow this with the following:
-<screen>
-&rootprompt; testparm
-</screen>
-		The output that is created should be free from errors, as shown here:
-
-<screen>
-Load smb config files from /etc/samba/smb.conf
-Processing section "[accounts]"
-Processing section "[service]"
-Processing section "[pidata]"
-Processing section "[homes]"
-Processing section "[printers]"
-Processing section "[apps]"
-Processing section "[netlogon]"
-Processing section "[profiles]"
-Processing section "[profdata]"
-Processing section "[print$]"
-Loaded services file OK.
-Server role: ROLE_DOMAIN_PDC
-Press enter to see a dump of your service definitions
-</screen>
-		</para></step>
-		
-		<step><para>
-		Delete all runtime files from prior Samba operation by executing (for SUSE
-		Linux):
-<screen>
-&rootprompt; rm /etc/samba/*tdb
-&rootprompt; rm /var/lib/samba/*tdb
-&rootprompt; rm /var/lib/samba/*dat
-&rootprompt; rm /var/log/samba/*
-</screen>
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>secrets.tdb</primary></indexterm>
-		<indexterm><primary>smbpasswd</primary></indexterm>
-		Samba-3 communicates with the LDAP server. The password that it uses to
-		authenticate to the LDAP server must be stored in the <filename>secrets.tdb</filename>
-		file. Execute the following to create the new <filename>secrets.tdb</filename> files
-		and store the password for the LDAP Manager:
-<screen>
-&rootprompt; smbpasswd -w not24get
-</screen>
-		The expected output from this command is:
-<screen>
-Setting stored password for "cn=Manager,dc=abmas,dc=biz" in secrets.tdb
-</screen>
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>smbd</primary></indexterm>
-		<indexterm><primary>net</primary><secondary>getlocalsid</secondary></indexterm>
-		Samba-3 generates a Windows Security Identifier (SID) only when <command>smbd</command>
-		has been started. For this reason, you start Samba. After a few seconds delay,
-		execute:
-<screen>
-&rootprompt; smbclient -L localhost -U%
-&rootprompt; net getlocalsid
-</screen>
-		A report such as the following means that the domain SID has not yet
-		been written to the <filename>secrets.tdb</filename> or to the LDAP backend:
-<screen>
-[2005/03/03 23:19:34, 0] lib/smbldap.c:smbldap_connect_system(852)
-  failed to bind to server ldap://massive.abmas.biz
-with dn="cn=Manager,dc=abmas,dc=biz" Error: Can't contact LDAP server
-        (unknown)
-[2005/03/03 23:19:48, 0] lib/smbldap.c:smbldap_search_suffix(1169)
-  smbldap_search_suffix: Problem during the LDAP search:
-        (unknown) (Timed out)
-</screen>
-		The attempt to read the SID will cause and attempted bind to the LDAP server. Because the LDAP server
-		is not running, this operation will fail by way of a timeout, as shown previously. This is
-		normal output; do not worry about this error message.  When the domain has been created and
-		written to the <filename>secrets.tdb</filename> file, the output should look like this:
-<screen>
-SID for domain MASSIVE is: S-1-5-21-3504140859-1010554828-2431957765
-</screen>
-		If, after a short delay (a few seconds), the domain SID has still not been written to 
-		the <filename>secrets.tdb</filename> file, it is necessary to investigate what 
-		may be misconfigured. In this case, carefully check the &smb.conf; file for typographical 
-		errors (the most common problem).  The use of the <command>testparm</command> is highly 
-		recommended to validate the contents of this file.
-		</para></step>
-
-		<step><para>
-		When a positive domain SID has been reported, stop Samba.
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>NFS server</primary></indexterm>
-		<indexterm><primary>/etc/exports</primary></indexterm>
-		<indexterm><primary>BDC</primary></indexterm>
-		<indexterm><primary>rsync</primary></indexterm>
-		Configure the NFS server for your Linux system. So you can complete the steps that
-		follow, enter into the <filename>/etc/exports</filename> the following entry:
-<screen>
-/home   *(rw,root_squash,sync)
-</screen>
-		This permits the user home directories to be used on the BDC servers for testing
-		purposes. You, of course, decide what is the best way for your site to distribute
-		data drives, and you create suitable backup and restore procedures for Abmas
-		I'd strongly recommend that for normal operation the BDC is completely independent 
-		of the PDC. rsync is a useful tool here, as it resembles the NT replication service quite 
-		closely. If you do use NFS, do not forget to start the NFS server as follows:
-<screen>
-&rootprompt; rcnfsserver start
-</screen>
-		</para></step>
-	</procedure>
-
-	<para>
-	Your Samba-3 PDC is now ready to communicate with the LDAP password backend. Let's get on with
-	configuration of the LDAP server.
-	</para>
-
-<example id="sbehap-massive-smbconfa">
-<title>LDAP Based &smb.conf; File, Server: MASSIVE &smbmdash; global Section: Part A</title>
-<smbconfblock>
-<smbconfcomment>Global parameters</smbconfcomment>
-<smbconfsection name="[global]"/>
-	<smbconfoption name="unix charset">LOCALE</smbconfoption>
-	<smbconfoption name="workgroup">MEGANET2</smbconfoption>
-	<smbconfoption name="netbios name">MASSIVE</smbconfoption>
-	<smbconfoption name="interfaces">eth1, lo</smbconfoption>
-	<smbconfoption name="bind interfaces only">Yes</smbconfoption>
-	<smbconfoption name="passdb backend">ldapsam:ldap://massive.abmas.biz</smbconfoption>
-	<smbconfoption name="enable privileges">Yes</smbconfoption>
-	<smbconfoption name="username map">/etc/samba/smbusers</smbconfoption>
-	<smbconfoption name="log level">1</smbconfoption>
-	<smbconfoption name="syslog">0</smbconfoption>
-	<smbconfoption name="log file">/var/log/samba/%m</smbconfoption>
-	<smbconfoption name="max log size">50</smbconfoption>
-	<smbconfoption name="smb ports">139</smbconfoption>
-	<smbconfoption name="name resolve order">wins bcast hosts</smbconfoption>
-	<smbconfoption name="time server">Yes</smbconfoption>
-	<smbconfoption name="printcap name">CUPS</smbconfoption>
-	<smbconfoption name="show add printer wizard">No</smbconfoption>
-	<smbconfoption name="add user script">/opt/IDEALX/sbin/smbldap-useradd -m "%u"</smbconfoption>
-	<smbconfoption name="delete user script">/opt/IDEALX/sbin/smbldap-userdel "%u"</smbconfoption>
-	<smbconfoption name="add group script">/opt/IDEALX/sbin/smbldap-groupadd -p "%g"</smbconfoption>
-	<smbconfoption name="delete group script">/opt/IDEALX/sbin/smbldap-groupdel "%g"</smbconfoption>
-	<smbconfoption name="add user to group script">/opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"</smbconfoption>
-	<smbconfoption name="delete user from group script">/opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"</smbconfoption>
-	<smbconfoption name="set primary group script">/opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"</smbconfoption>
-	<smbconfoption name="add machine script">/opt/IDEALX/sbin/smbldap-useradd -w "%u"</smbconfoption>
-</smbconfblock>
-</example>
-
-<example id="sbehap-massive-smbconfb">
-<title>LDAP Based &smb.conf; File, Server: MASSIVE &smbmdash; global Section: Part B</title>
-<smbconfblock>
-	<smbconfoption name="logon script">scripts\logon.bat</smbconfoption>
-	<smbconfoption name="logon path">\\%L\profiles\%U</smbconfoption>
-	<smbconfoption name="logon drive">X:</smbconfoption>
-	<smbconfoption name="domain logons">Yes</smbconfoption>
-	<smbconfoption name="preferred master">Yes</smbconfoption>
-	<smbconfoption name="wins support">Yes</smbconfoption>
-	<smbconfoption name="ldap suffix">dc=abmas,dc=biz</smbconfoption>
-	<smbconfoption name="ldap machine suffix">ou=People</smbconfoption>
-	<smbconfoption name="ldap user suffix">ou=People</smbconfoption>
-	<smbconfoption name="ldap group suffix">ou=Groups</smbconfoption>
-	<smbconfoption name="ldap idmap suffix">ou=Idmap</smbconfoption>
-	<smbconfoption name="ldap admin dn">cn=Manager,dc=abmas,dc=biz</smbconfoption>
-	<smbconfoption name="idmap backend">ldap:ldap://massive.abmas.biz</smbconfoption>
-	<smbconfoption name="idmap uid">10000-20000</smbconfoption>
-	<smbconfoption name="idmap gid">10000-20000</smbconfoption>
-	<smbconfoption name="map acl inherit">Yes</smbconfoption>
-	<smbconfoption name="printing">cups</smbconfoption>
-	<smbconfoption name="printer admin">root, chrisr</smbconfoption>
-</smbconfblock>
-</example>
-
-	</sect2>
-
-
-	<sect2 id="sbeidealx">
-	<title>Install and Configure Idealx smbldap-tools Scripts</title>
-
-	<para>
-	<indexterm><primary>Idealx</primary><secondary>smbldap-tools</secondary></indexterm>
-	The Idealx scripts, or equivalent, are necessary to permit Samba-3 to manage accounts
-	on the LDAP server. You have chosen the Idealx scripts because they are the best-known
-	LDAP configuration scripts. The use of these scripts will help avoid the necessity
-	to create custom scripts. It is easy to download them from the Idealx
-	<ulink url="http://samba.idealx.org/index.en.html">Web site</ulink>. The tarball may
-	be directly <ulink url="http://samba.idealx.org/dist/smbldap-tools-0.9.1.tgz">downloaded</ulink>
-	from this site also. Alternatively, you may obtain the 
-	<ulink url="http://samba.idealx.org/dist/smbldap-tools-0.9.1-1.src.rpm">smbldap-tools-0.9.1-1.src.rpm</ulink>
-	file that may be used to build an installable RPM package for your Linux system.
-	</para>
-
-<note><para>
-The smbldap-tools scripts can be installed in any convenient directory of your choice, in which case you must
-change the path to them in your &smb.conf; file on the PDC (<constant>MASSIVE</constant>).
-</para></note>
-
-	<para>
-	The smbldap-tools are located in <filename>/opt/IDEALX/sbin</filename>.
-	The scripts are not needed on BDC machines because all LDAP updates are handled by
-	the PDC alone.
-	</para>
-
-	<sect3>
-	<title>Installation of smbldap-tools from the Tarball</title>
-
-	<para>
-	To perform a manual installation of the smbldap-tools scripts, the following procedure may be used:
-	</para>
-
-	<procedure id="idealxscript">
-	<title>Unpacking and Installation Steps for the <constant>smbldap-tools</constant> Tarball</title>
-
-		<step><para>
-		Create the <filename>/opt/IDEALX/sbin</filename> directory, and set its permissions
-		and ownership as shown here:
-<screen>
-&rootprompt; mkdir -p /opt/IDEALX/sbin
-&rootprompt; chown root:root /opt/IDEALX/sbin
-&rootprompt; chmod 755 /opt/IDEALX/sbin
-&rootprompt; mkdir -p /etc/smbldap-tools
-&rootprompt; chown root:root /etc/smbldap-tools
-&rootprompt; chmod 755 /etc/smbldap-tools
-</screen>
-		</para></step>
-
-		<step><para>
-		If you wish to use the downloaded tarball, unpack the smbldap-tools in a suitable temporary location.
-		Change into either the directory extracted from the tarball or the smbldap-tools
-		directory in your <filename>/usr/share/doc/packages</filename> directory tree.
-		</para></step>
-
-		<step><para>
-		Copy all the <filename>smbldap-*</filename> and the <filename>configure.pl</filename> files into the 
-		<filename>/opt/IDEALX/sbin</filename> directory, as shown here:
-<screen>
-&rootprompt; cd smbldap-tools-0.9.1/
-&rootprompt; cp smbldap-* configure.pl *pm /opt/IDEALX/sbin/
-&rootprompt; cp smbldap*conf /etc/smbldap-tools/
-&rootprompt; chmod 750 /opt/IDEALX/sbin/smbldap-*
-&rootprompt; chmod 750 /opt/IDEALX/sbin/configure.pl
-&rootprompt; chmod 640 /etc/smbldap-tools/smbldap.conf
-&rootprompt; chmod 600 /etc/smbldap-tools/smbldap_bind.conf
-</screen>
-		</para></step>
-
-		<step><para>
-		The smbldap-tools scripts master control file must now be configured.
-		Change to the <filename>/opt/IDEALX/sbin</filename> directory, then edit the
-		<filename>smbldap_tools.pm</filename> to affect the changes
-		shown here:
-<screen>
-...
-# ugly funcs using global variables and spawning openldap clients
-
-my $smbldap_conf="/etc/smbldap-tools/smbldap.conf";
-my $smbldap_bind_conf="/etc/smbldap-tools/smbldap_bind.conf";
-...
-</screen>
-		</para></step>
-
-		<step><para>
-		To complete the configuration of the smbldap-tools, set the permissions and ownership
-		by executing the following commands:
-<screen>
-&rootprompt; chown root:root /opt/IDEALX/sbin/* 
-&rootprompt; chmod 755 /opt/IDEALX/sbin/smbldap-*
-&rootprompt; chmod 640 /opt/IDEALX/sbin/smb*pm 
-</screen>
-		The smbldap-tools scripts are now ready for the configuration step outlined in
-		<link linkend="smbldap-init"/>.
-		</para></step>
-
-	</procedure>
-
-	</sect3>
-
-	<sect3>
-	<title>Installing smbldap-tools from the RPM Package</title>
-
-	<para>
-	In the event that you have elected to use the RPM package provided by Idealx, download the
-	source RPM <filename>smbldap-tools-0.9.1-1.src.rpm</filename>, then follow this procedure:
-	</para>
-
-	<procedure>
-	<title>Installation Steps for <constant>smbldap-tools</constant> RPM's</title>
-
-		<step><para>
-		Install the source RPM that has been downloaded as follows:
-<screen>
-&rootprompt; rpm -i smbldap-tools-0.9.1-1.src.rpm
-</screen>
-		</para></step>
-
-		<step><para>
-		Change into the directory in which the SPEC files are located. On SUSE Linux:
-<screen>
-&rootprompt; cd /usr/src/packages/SPECS
-</screen>
-		On Red Hat Linux systems:
-<screen>
-&rootprompt; cd /usr/src/redhat/SPECS
-</screen>
-		</para></step>
-
-		<step><para>
-		Edit the <filename>smbldap-tools.spec</filename> file to change the value of the
-		<constant>_sysconfig</constant> macro as shown here:
-<screen>
-%define _prefix /opt/IDEALX
-%define _sysconfdir /etc
-</screen>
-		Note: Any suitable directory can be specified.
-		</para></step>
-
-		<step><para>
-		Build the package by executing:
-<screen>
-&rootprompt; rpmbuild -ba -v smbldap-tools.spec
-</screen>
-		A build process that has completed without error will place the installable binary
-		files in the directory <filename>../RPMS/noarch</filename>.
-		</para></step>
-
-		<step><para>
-		Install the binary package by executing:
-<screen>
-&rootprompt; rpm -Uvh ../RPMS/noarch/smbldap-tools-0.9.1-1.noarch.rpm
-</screen>
-		</para></step>
-
-	</procedure>
-
-	<para>
-	The Idealx scripts should now be ready for configuration using the steps outlined in
-	<link linkend="smbldap-init">Configuration of smbldap-tools</link>.
-	</para>
-
-	</sect3>
-
-	<sect3 id="smbldap-init">
-	<title>Configuration of smbldap-tools</title>
-
-	<para>
-	Prior to use, the smbldap-tools must be configured to match the settings in the &smb.conf; file
-	and to match the settings in the <filename>/etc/openldap/slapd.conf</filename> file. The assumption
-	is made that the &smb.conf; file has correct contents. The following procedure ensures that
-	this is completed correctly:
-	</para>
-
-	<para>
-	The smbldap-tools require that the NetBIOS name (machine name) of the Samba server be included
-	in the &smb.conf; file.
-	</para>
-
-	<procedure>
-	<title>Configuration Steps for <constant>smbldap-tools</constant> to Enable Use</title>
-
-		<step><para>
-		Change into the directory that contains the <filename>configure.pl</filename> script.
-<screen>
-&rootprompt; cd /opt/IDEALX/sbin
-</screen>
-		</para></step>
-
-		<step><para>
-		Execute the <filename>configure.pl</filename> script as follows:
-<screen>
-&rootprompt; ./configure.pl
-</screen>
-		The interactive use of this script for the PDC is demonstrated here:
-<screen>
-&rootprompt; /opt/IDEALX/sbin/configure.pl 
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-       smbldap-tools script configuration
-       -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-Before starting, check
- . if your samba controller is up and running.
- . if the domain SID is defined (you can get it with the
-                                                    'net getlocalsid')
-
- . you can leave the configuration using the Crtl-c key combination
- . empty value can be set with the "." character
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-Looking for configuration files...
-
-Samba Config File Location [/etc/samba/smb.conf] > 
-smbldap-tools configuration file Location (global parameters)
-                        [/etc/opt/IDEALX/smbldap-tools/smbldap.conf] > 
-smbldap Config file Location (bind parameters) 
-                   [/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf] > 
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-Let's start configuring the smbldap-tools scripts ...
-
-. workgroup name: name of the domain Samba act as a PDC
-  workgroup name [MEGANET2] > 
-. netbios name: netbios name of the samba controler
-  netbios name [MASSIVE] > 
-. logon drive: local path to which the home directory 
-                    will be connected (for NT Workstations). Ex: 'H:'
-  logon drive [H:] > 
-. logon home: home directory location (for Win95/98 or NT Workstation)
-  (use %U as username) Ex:'\\MASSIVE\%U'
-  logon home (press the "." character if you don't want homeDirectory)
-                                                     [\\MASSIVE\%U] > 
-. logon path: directory where roaming profiles are stored. 
-                                            Ex:'\\MASSIVE\profiles\%U'
-  logon path (press the "." character
-               if you don't want roaming profile) [\\%L\profiles\%U] >
-. home directory prefix (use %U as username)
-                                           [/home/%U] > /data/users/%U
-. default users' homeDirectory mode [700] > 
-. default user netlogon script (use %U as username)
-                                                 [scripts\logon.bat] >
-  default password validation time (time in days) [45] > 900
-. ldap suffix [dc=abmas,dc=biz] > 
-. ldap group suffix [ou=Groups] > 
-. ldap user suffix [ou=People,ou=Users] > 
-. ldap machine suffix [ou=Computers,ou=Users] > 
-. Idmap suffix [ou=Idmap] > 
-. sambaUnixIdPooldn: object where you want to store the next uidNumber
-  and gidNumber available for new users and groups
-  sambaUnixIdPooldn object (relative to ${suffix}) 
-                                          [sambaDomainName=MEGANET2] > 
-. ldap master server: IP adress or DNS name of the master 
-                                                (writable) ldap server
-  ldap master server [massive.abmas.biz] > 
-. ldap master port [389] > 
-. ldap master bind dn [cn=Manager,dc=abmas,dc=biz] > 
-. ldap master bind password [] > 
-. ldap slave server: IP adress or DNS name of the slave ldap server: 
-                                            can also be the master one
-  ldap slave server [massive.abmas.biz] > 
-. ldap slave port [389] > 
-. ldap slave bind dn [cn=Manager,dc=abmas,dc=biz] > 
-. ldap slave bind password [] > 
-. ldap tls support (1/0) [0] > 
-. SID for domain MEGANET2: SID of the domain 
-                      (can be obtained with 'net getlocalsid MASSIVE')
-  SID for domain MEGANET2
-                        [S-1-5-21-3504140859-1010554828-2431957765]] >
-. unix password encryption: encryption used for unix passwords
-  unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA] > MD5
-. default user gidNumber [513] > 
-. default computer gidNumber [515] > 
-. default login shell [/bin/bash] > 
-. default skeleton directory [/etc/skel] > 
-. default domain name to append to mail adress [] > abmas.biz
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-backup old configuration files:
-  /etc/opt/IDEALX/smbldap-tools/smbldap.conf->
-                        /etc/opt/IDEALX/smbldap-tools/smbldap.conf.old
-  /etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf->
-                   /etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf.old
-writing new configuration file:
-  /etc/opt/IDEALX/smbldap-tools/smbldap.conf done.
-  /etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf done.
-</screen>
-		Since a slave LDAP server has not been configured, it is necessary to specify the IP
-		address of the master LDAP server for both the master and the slave configuration
-		prompts.
-		</para></step>
-
-		<step><para>
-		Change to the directory that contains the <filename>smbldap.conf</filename> file,
-		then verify its contents.
-		</para></step>
-
-	</procedure>
-
-	<para>
-	The smbldap-tools are now ready for use.
-	</para>
-
-	</sect3>
-
-	</sect2>
-
-	<sect2>
-	<title>LDAP Initialization and Creation of User and Group Accounts</title>
-
-	<para>
-	The LDAP database must be populated with well-known Windows domain user accounts and domain group 
-	accounts before Samba can be used. The following procedures step you through the process.
-	</para>
-
-	<para>
-	At this time, Samba-3 requires that on a PDC all UNIX (POSIX) group accounts that are
-	mapped (linked) to Windows domain group accounts must be in the LDAP database. It does not
-	hurt to have UNIX user and group accounts in both the system files as well as in the LDAP
-	database. From a UNIX system perspective, the NSS resolver checks system files before
-	referring to LDAP. If the UNIX system can resolve (find) an account in the system file, it
-	does not need to ask LDAP.
-	</para>
-
-	<para>
-	Addition of an account to the LDAP backend can be done in two ways:
-	</para>
-
-	<itemizedlist>
-		<listitem><para>
-		<indexterm><primary>NIS</primary></indexterm>
-		<indexterm><primary>/etc/passwd</primary></indexterm>
-		<indexterm><primary>Posix accounts</primary></indexterm>
-		<indexterm><primary>pdbedit</primary></indexterm>
-		<indexterm><primary>SambaSamAccount</primary></indexterm>
-		<indexterm><primary>PosixAccount</primary></indexterm>
-		If you always have a user account in the <filename>/etc/passwd</filename> on every 
-		server or in a NIS(+) backend, it is not necessary to add POSIX accounts for them in 
-		LDAP. In this case, you can add Windows domain user accounts using the 
-		<command>pdbedit</command> utility. Use of this tool from the command line adds the 
-		SambaSamAccount entry for the user, but does not add the PosixAccount entry for the user.
-		</para>
-
-		<para>
-		This is the least desirable method because when LDAP is used as the passwd backend Samba
-		expects the POSIX account to be in LDAP also. It is possible to use the PADL account
-		migration tool to migrate all system accounts from either the <filename>/etc/passwd</filename>
-		files, or from NIS, to LDAP.
-		</para></listitem>
-
-		<listitem><para>
-		If you decide that it is probably a good idea to add both the PosixAccount attributes
-		as well as the SambaSamAccount attributes for each user, then a suitable script is needed.
-		In the example system you are installing in this exercise, you are making use of the
-		Idealx smbldap-tools scripts. A copy of these tools, preconfigured for this system,
-		is included on the enclosed CD-ROM under <filename>Chap06/Tools.</filename>
-		</para></listitem>
-	</itemizedlist>
-
-	<para>
-	<indexterm><primary>Idealx</primary><secondary>smbldap-tools</secondary></indexterm>
-	If you wish to have more control over how the LDAP database is initialized or 
-	if you don't want to use the Idealx smbldap-tools, you should refer to 
-	<link linkend="appendix"/>, <link linkend="altldapcfg"/>.
-	</para>
-
-	<para>
-	<indexterm><primary>smbldap-populate</primary></indexterm>
-	The following steps initialize the LDAP database, and then you can add user and group
-	accounts that Samba can use. You use the <command>smbldap-populate</command> to
-	seed the LDAP database. You then manually add the accounts shown in <link linkend="sbehap-bigacct"/>. 
-	The list of users does not cover all 500 network users; it provides examples only.
-	</para>
-
-	<note><para>
-	<indexterm><primary>LDAP</primary><secondary>database</secondary></indexterm>
-	<indexterm><primary>directory</primary><secondary>People container</secondary></indexterm>
-	<indexterm><primary>directory</primary><secondary>Computers container</secondary></indexterm>
-	In the following examples, as the LDAP database is initialized, we do create a container
-	for Computer (machine) accounts. In the Samba-3 &smb.conf; files, specific use is made
-	of the People container, not the Computers container, for domain member accounts. This is not a
-	mistake; it is a deliberate action that is necessitated by the fact that the resolution of 
-	a machine (computer) account to a UID is done via NSS. The only way this can be handled is
-	using the NSS (<filename>/etc/nsswitch.conf</filename>) entry for <constant>passwd</constant>,
-	which is resolved using the <filename>nss_ldap</filename> library. The configuration file for
-	the <filename>nss_ldap</filename> library is the file <filename>/etc/ldap.conf</filename> that
-	provides only one possible LDAP search command that is specified by the entry called
-	<constant>nss_base_passwd</constant>. This means that the search path must take into account
-	the directory structure so that the LDAP search will commence at a level that is above
-	both the Computers container and the Users (or People) container. If this is done, it is
-	necessary to use a search that will descend the directory tree so that the machine account
-	can be found. Alternatively, by placing all machine accounts in the People container, we
-	are able to sidestep this limitation. This is the simpler solution that has been adopted
-	in this chapter.
-	</para></note>
-
-
-	<table id="sbehap-bigacct">
-		<title>Abmas Network Users and Groups</title>
-		<tgroup cols="4">
-			<colspec align="left"/>
-			<colspec align="left"/>
-			<colspec align="left"/>
-			<colspec align="left"/>
-			<thead>
-				<row>
-					<entry align="center">Account Name</entry>
-					<entry align="center">Type</entry>
-					<entry align="center">ID</entry>
-					<entry align="center">Password</entry>
-				</row>
-			</thead>
-			<tbody>
-				<row>
-					<entry>Robert Jordan</entry>
-					<entry>User</entry>
-					<entry>bobj</entry>
-					<entry>n3v3r2l8</entry>
-				</row>
-				<row>
-					<entry>Stanley Soroka</entry>
-					<entry>User</entry>
-					<entry>stans</entry>
-					<entry>impl13dst4r</entry>
-				</row>
-				<row>
-					<entry>Christine Roberson</entry>
-					<entry>User</entry>
-					<entry>chrisr</entry>
-					<entry>S9n0nw4ll</entry>
-				</row>
-				<row>
-					<entry>Mary Vortexis</entry>
-					<entry>User</entry>
-					<entry>maryv</entry>
-					<entry>kw13t0n3</entry>
-				</row>
-				<row>
-					<entry>Accounts</entry>
-					<entry>Group</entry>
-					<entry>Accounts</entry>
-					<entry></entry>
-				</row>
-				<row>
-					<entry>Finances</entry>
-					<entry>Group</entry>
-					<entry>Finances</entry>
-					<entry></entry>
-				</row>
-				<row>
-					<entry>Insurance</entry>
-					<entry>Group</entry>
-					<entry>PIOps</entry>
-					<entry></entry>
-				</row>
-			</tbody>
-		</tgroup>
-	</table>
-
-	<procedure id="creatacc">
-	<title>LDAP Directory Initialization Steps</title>
-
-		<step><para>
-		Start the LDAP server by executing:
-<screen>
-&rootprompt; rcldap start
-Starting ldap-server                           done
-</screen>
-		</para></step>
-
-		<step><para>
-		Change to the <filename>/opt/IDEALX/sbin</filename> directory.
-		</para></step>
-
-		<step><para>
-		Execute the script that will populate the LDAP database as shown here:
-<screen>
-&rootprompt; ./smbldap-populate -a root -k 0 -m 0
-</screen>
-		The expected output from this is:
-<screen>
-Using workgroup name from smb.conf: sambaDomainName=MEGANET2
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-=> Warning: you must update smbldap.conf configuration file to :
-=> sambaUnixIdPooldn parameter must be set
-	to "sambaDomainName=MEGANET2,dc=abmas,dc=biz"
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-Using builtin directory structure
-adding new entry: dc=abmas,dc=biz
-adding new entry: ou=People,dc=abmas,dc=biz
-adding new entry: ou=Groups,dc=abmas,dc=biz
-entry ou=People,dc=abmas,dc=biz already exist.
-adding new entry: ou=Idmap,dc=abmas,dc=biz
-adding new entry: sambaDomainName=MEGANET2,dc=abmas,dc=biz
-adding new entry: uid=root,ou=People,dc=abmas,dc=biz
-adding new entry: uid=nobody,ou=People,dc=abmas,dc=biz
-adding new entry: cn=Domain Admins,ou=Groups,dc=abmas,dc=biz
-adding new entry: cn=Domain Users,ou=Groups,dc=abmas,dc=biz
-adding new entry: cn=Domain Guests,ou=Groups,dc=abmas,dc=biz
-adding new entry: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz
-adding new entry: cn=Administrators,ou=Groups,dc=abmas,dc=biz
-adding new entry: cn=Print Operators,ou=Groups,dc=abmas,dc=biz
-adding new entry: cn=Backup Operators,ou=Groups,dc=abmas,dc=biz
-adding new entry: cn=Replicators,ou=Groups,dc=abmas,dc=biz
-</screen>
-		</para></step>
-
-		<step><para>
-		Edit the <filename>/etc/smbldap-tools/smbldap.conf</filename> file so that the following
-		information is changed from:
-<screen>
-# Where to store next uidNumber and gidNumber available
-sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
-</screen>
-		to read, after modification:
-<screen>
-# Where to store next uidNumber and gidNumber available
-#sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
-sambaUnixIdPooldn="sambaDomainName=MEGANET2,dc=abmas,dc=biz"
-</screen>
-		</para></step>
-
-		<step><para>
-		It is necessary to restart the LDAP server as shown here:
-<screen>
-&rootprompt; rcldap restart
-Shutting down ldap-server                            done
-Starting ldap-server                                 done
-</screen>
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>slapcat</primary></indexterm>
-		So that we can use a global IDMAP repository, the LDAP directory must have a container object for IDMAP data. 
-		There are several ways you can check that your LDAP database is able to receive IDMAP information. One of 
-		the simplest is to execute:
-<screen>
-&rootprompt; slapcat | grep -i idmap
-dn: ou=Idmap,dc=abmas,dc=biz
-ou: idmap
-</screen>
-		<indexterm> <primary>ldapadd</primary></indexterm>
-	        If the execution of this command does not return IDMAP entries, you need to create an LDIF
-		template file (see <link linkend="sbehap-ldifadd"/>). You can add the required entries using 
-		the following command:
-<screen>
-&rootprompt; ldapadd -x -D "cn=Manager,dc=abmas,dc=biz" \
-		-w not24get < /etc/openldap/idmap.LDIF
-</screen>
-		Samba automatically populates this LDAP directory container when it needs to.
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>slapcat</primary></indexterm>
-		It looks like all has gone well, as expected. Let's confirm that this is the case
-		by running a few tests. First we check the contents of the database directly
-		by running <command>slapcat</command> as follows (the output has been cut down):
-<screen>
-&rootprompt; slapcat
-dn: dc=abmas,dc=biz
-objectClass: dcObject
-objectClass: organization
-dc: abmas
-o: abmas
-structuralObjectClass: organization
-entryUUID: 5ab02bf6-c536-1027-9d29-b1f32350fb43
-creatorsName: cn=Manager,dc=abmas,dc=biz
-createTimestamp: 20031217234200Z
-entryCSN: 2003121723:42:00Z#0x0001#0#0000
-modifiersName: cn=Manager,dc=abmas,dc=biz
-modifyTimestamp: 20031217234200Z
-...
-dn: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz
-objectClass: posixGroup
-objectClass: sambaGroupMapping
-gidNumber: 553
-cn: Domain Computers
-description: Netbios Domain Computers accounts
-sambaSID: S-1-5-21-3504140859-1010554828-2431957765-553
-sambaGroupType: 2
-displayName: Domain Computers
-structuralObjectClass: posixGroup
-entryUUID: 5e0a41d8-c536-1027-9d3b-b1f32350fb43
-creatorsName: cn=Manager,dc=abmas,dc=biz
-createTimestamp: 20031217234206Z
-entryCSN: 2003121723:42:06Z#0x0002#0#0000
-modifiersName: cn=Manager,dc=abmas,dc=biz
-modifyTimestamp: 20031217234206Z
-</screen>
-		This looks good so far.
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>ldapsearch</primary></indexterm>
-		The next step is to prove that the LDAP server is running and responds to a
-		search request. Execute the following as shown (output has been cut to save space):
-<screen>
-&rootprompt; ldapsearch -x -b "dc=abmas,dc=biz" "(ObjectClass=*)"
-# extended LDIF
-#
-# LDAPv3
-# base <dc=abmas,dc=biz> with scope sub
-# filter: (ObjectClass=*)
-# requesting: ALL
-#
-
-# abmas.biz
-dn: dc=abmas,dc=biz
-objectClass: dcObject
-objectClass: organization
-dc: abmas
-o: abmas
-
-# People, abmas.biz
-dn: ou=People,dc=abmas,dc=biz
-objectClass: organizationalUnit
-ou: People
-...
-# Domain Computers, Groups, abmas.biz
-dn: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz
-objectClass: posixGroup
-objectClass: sambaGroupMapping
-gidNumber: 553
-cn: Domain Computers
-description: Netbios Domain Computers accounts
-sambaSID: S-1-5-21-3504140859-1010554828-2431957765-553
-sambaGroupType: 2
-displayName: Domain Computers
-
-# search result
-search: 2
-result: 0 Success
-
-# numResponses: 20
-# numEntries: 19
-</screen>
-		Good. It is all working just fine.
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>getent</primary></indexterm>
-		You must now make certain that the NSS resolver can interrogate LDAP also.
-		Execute the following commands:
-<screen>
-&rootprompt; getent passwd | grep root
-root:x:998:512:Netbios Domain Administrator:/home:/bin/false
-
-&rootprompt; getent group | grep Domain
-Domain Admins:x:512:root
-Domain Users:x:513:
-Domain Guests:x:514:
-Domain Computers:x:553:
-</screen>
-		<indexterm><primary>nss_ldap</primary></indexterm>
-		This demonstrates that the <command>nss_ldap</command> library is functioning
-		as it should. If these two steps fail to produce this information, refer to
-		<link linkend="sbeavoid"/> for diagnostic procedures that can be followed to
-		isolate the cause of the problem. Proceed to the next step only when the previous steps
-		have been successfully completed.
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>smbldap-useradd</primary></indexterm>
-		<indexterm><primary>smbldap-passwd</primary></indexterm>
-		<indexterm><primary>smbpasswd</primary></indexterm>
-		Our database is now ready for the addition of network users. For each user for
-		whom an account must be created, execute the following:
-<screen>
-&rootprompt; ./smbldap-useradd -m -a <constant>username</constant>
-&rootprompt; ./smbldap-passwd <constant>username</constant>
-Changing password for <constant>username</constant>
-New password : XXXXXXXX
-Retype new password : XXXXXXXX
-
-&rootprompt; smbpasswd <constant>username</constant>
-New SMB password: XXXXXXXX
-Retype new SMB password: XXXXXXXX
-</screen>
-		where <constant>username</constant> is the login ID for each user.
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>getent</primary></indexterm>
-		Now verify that the UNIX (POSIX) accounts can be resolved via NSS by executing the
-		following:
-<screen>
-&rootprompt; getent passwd
-root:x:0:0:root:/root:/bin/bash
-bin:x:1:1:bin:/bin:/bin/bash
-...
-root:x:0:512:Netbios Domain Administrator:/home:/bin/false
-nobody:x:999:514:nobody:/dev/null:/bin/false
-bobj:x:1000:513:System User:/home/bobj:/bin/bash
-stans:x:1001:513:System User:/home/stans:/bin/bash
-chrisr:x:1002:513:System User:/home/chrisr:/bin/bash
-maryv:x:1003:513:System User:/home/maryv:/bin/bash
-</screen>
-		This demonstrates that user account resolution via LDAP is working.
-		</para></step>
-
-		<step><para>
-		This step will determine whether or not identity resolution is working correctly.
-		Do not procede is this step fails, rather find the cause of the failure. The
-		<command>id</command> command may be used to validate your configuration so far,
-		as shown here:
-<screen>
-&rootprompt; id chrisr
-uid=1002(chrisr) gid=513(Domain Users) groups=513(Domain Users)
-</screen>
-		This confirms that the UNIX (POSIX) user account information can be resolved from LDAP
-		by system tools that make a getentpw() system call.
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>smbldap-usermod</primary></indexterm>
-		The root account must have UID=0; if not, this means that operations conducted from
-		a Windows client using tools such as the Domain User Manager fails under UNIX because
-		the management of user and group accounts requires that the UID=0. Additionally, it is
-		a good idea to make certain that no matter how root account credentials are resolved,
-		the home directory and shell are valid. You decide to effect this immediately
-		as demonstrated here:
-<screen>
-&rootprompt; cd /opt/IDEALX/sbin
-&rootprompt; ./smbldap-usermod -u 0 -d /root -s /bin/bash root
-</screen>
-		</para></step>
-
-		<step><para>
-		Verify that the changes just made to the <constant>root</constant> account were
-		accepted by executing:
-<screen>
-&rootprompt; getent passwd | grep root
-root:x:0:0:root:/root:/bin/bash
-root:x:0:512:Netbios Domain Administrator:/root:/bin/bash
-</screen>
-		This demonstrates that the changes were accepted.
-		</para></step>
-
-		<step><para>
-		Make certain that a home directory has been created for every user by listing the
-		directories in <filename>/home</filename> as follows:
-<screen>
-&rootprompt; ls -al /home
-drwxr-xr-x   8 root   root         176 Dec 17 18:50 ./
-drwxr-xr-x  21 root   root         560 Dec 15 22:19 ../
-drwx------   7 bobj   Domain Users     568 Dec 17 01:16 bobj/
-drwx------   7 chrisr Domain Users     568 Dec 17 01:19 chrisr/
-drwx------   7 maryv  Domain Users     568 Dec 17 01:27 maryv/
-drwx------   7 stans  Domain Users     568 Dec 17 01:43 stans/
-</screen>
-		This is precisely what we want to see.
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>ldapsam</primary></indexterm>
-		<indexterm><primary>pdbedit</primary></indexterm>
-		The final validation step involves making certain that Samba-3 can obtain the user
-		accounts from the LDAP ldapsam passwd backend. Execute the following command as shown:
-<screen>
-&rootprompt; pdbedit -Lv chrisr
-Unix username:        chrisr
-NT username:          chrisr
-Account Flags:        [U          ]
-User SID:             S-1-5-21-3504140859-1010554828-2431957765-3004
-Primary Group SID:    S-1-5-21-3504140859-1010554828-2431957765-513
-Full Name:            System User
-Home Directory:       \\MASSIVE\homes
-HomeDir Drive:        H:
-Logon Script:         scripts\login.cmd
-Profile Path:         \\MASSIVE\profiles\chrisr
-Domain:               MEGANET2
-Account desc:         System User
-Workstations:
-Munged dial:
-Logon time:           0
-Logoff time:          Mon, 18 Jan 2038 20:14:07 GMT
-Kickoff time:         Mon, 18 Jan 2038 20:14:07 GMT
-Password last set:    Wed, 17 Dec 2003 17:17:40 GMT
-Password can change:  Wed, 17 Dec 2003 17:17:40 GMT
-Password must change: Mon, 18 Jan 2038 20:14:07 GMT
-Last bad password   : 0
-Bad password count  : 0
-Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
-</screen>
-		This looks good. Of course, you fully expected that it would all work, didn't you?
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>smbldap-groupadd</primary></indexterm>
-		Now you add the group accounts that are used on the Abmas network. Execute
-		the following exactly as shown:
-<screen>
-&rootprompt; ./smbldap-groupadd -a Accounts
-&rootprompt; ./smbldap-groupadd -a Finances
-&rootprompt; ./smbldap-groupadd -a PIOps
-</screen>
-		The addition of groups does not involve keyboard interaction, so the lack of console
-		output is of no concern.
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>getent</primary></indexterm>
-		You really do want to confirm that UNIX group resolution from LDAP is functioning 
-		as it should. Let's do this as shown here:
-<screen>
-&rootprompt; getent group
-...
-Domain Admins:x:512:root
-Domain Users:x:513:bobj,stans,chrisr,maryv
-Domain Guests:x:514:
-...
-Accounts:x:1000:
-Finances:x:1001:
-PIOps:x:1002:
-</screen>
-		The well-known special accounts (Domain Admins, Domain Users, Domain Guests), as well
-		as our own site-specific group accounts, are correctly listed. This is looking good.
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>net</primary><secondary>groupmap</secondary><tertiary>list</tertiary></indexterm>
-		The final step we need to validate is that Samba can see all the Windows domain groups
-		and that they are correctly mapped to the respective UNIX group account. To do this,
-		just execute the following command:
-<screen>
-&rootprompt; net groupmap list
-Domain Admins (S-1-5-21-3504140859-...-2431957765-512) -> Domain Admins
-Domain Users (S-1-5-21-3504140859-...-2431957765-513) -> Domain Users
-Domain Guests (S-1-5-21-3504140859-...-2431957765-514) -> Domain Guests
-...
-Accounts (S-1-5-21-3504140859-1010554828-2431957765-3001) -> Accounts
-Finances (S-1-5-21-3504140859-1010554828-2431957765-3003) -> Finances
-PIOps (S-1-5-21-3504140859-1010554828-2431957765-3005) -> PIOps
-</screen>
-		This is looking good. Congratulations &smbmdash; it works! Note that in the above output
-		the lines were shortened by replacing the middle value (1010554828) of the SID with the 
-		ellipsis (...).
-		</para></step>
-
-		<step><para>
-		The server you have so carefully built is now ready for another important step. You 
-		start the Samba-3 server and validate its operation. Execute the following to render all 
-		the processes needed fully operative so that, on system reboot, they are automatically 
-		started:
-<screen>
-&rootprompt; chkconfig named on
-&rootprompt; chkconfig dhcpd on
-&rootprompt; chkconfig ldap on
-&rootprompt; chkconfig nmb on
-&rootprompt; chkconfig smb on
-&rootprompt; chkconfig winbind on
-&rootprompt; rcnmb start
-&rootprompt; rcsmb start
-&rootprompt; rcwinbind start
-</screen>
-		</para></step>
-
-		<step><para>
-		The next step might seem a little odd at this point, but take note that you are about to
-		start <command>winbindd</command>, which must be able to authenticate to the PDC via the
-		localhost interface with the <command>smbd</command> process. This account can be
-		easily created by joining the PDC to the domain by executing the following command:
-<screen>
-&rootprompt; net rpc join -S MASSIVE -U root%not24get
-</screen>
-		Note: Before executing this command on the PDC, both <command>nmbd</command> and
-		<command>smbd</command> must be started so that the <command>net</command> command
-		can communicate with <command>smbd</command>. The expected output is as follows:
-<screen>
-Joined domain MEGANET2.
-</screen>
-		This indicates that the domain security account for the PDC has been correctly created.
-		</para></step>
-
-		<step><para>
-		At this time it is necessary to restart <command>winbindd</command> so that it can
-		correctly authenticate to the PDC. The following command achieves that:
-<screen>
-&rootprompt; rcwinbind restart
-</screen>
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>smbclient</primary></indexterm>
-		You may now check Samba-3 operation as follows:
-<screen>
-&rootprompt; smbclient -L massive -U%
-
-        Sharename      Type      Comment
-        ---------      ----      -------
-        IPC$           IPC       IPC Service (Samba 3.0.20)
-        accounts       Disk      Accounting Files
-        service        Disk      Financial Services Files
-        pidata         Disk      Property Insurance Files
-        apps           Disk      Application Files
-        netlogon       Disk      Network Logon Service
-        profiles       Disk      Profile Share
-        profdata       Disk      Profile Data Share
-        ADMIN$         IPC       IPC Service (Samba 3.0.20)
-
-        Server               Comment
-        ---------            -------
-        MASSIVE              Samba 3.0.20
-
-        Workgroup            Master
-        ---------            -------
-        MEGANET2             MASSIVE
-</screen>
-	This shows that an anonymous connection is working.
-		</para></step>
-
-		<step><para>
-		For your finale, let's try an authenticated connection:
-<screen>
-&rootprompt; smbclient //massive/bobj -Ubobj%n3v3r2l8
-smb: \> dir
-  .                    D        0  Wed Dec 17 01:16:19 2003
-  ..                   D        0  Wed Dec 17 19:04:42 2003
-  bin                  D        0  Tue Sep  2 04:00:57 2003
-  Documents            D        0  Sun Nov 30 07:28:20 2003
-  public_html          D        0  Sun Nov 30 07:28:20 2003
-  .urlview             H      311  Fri Jul  7 06:55:35 2000
-  .dvipsrc             H      208  Fri Nov 17 11:22:02 1995
-
-          57681 blocks of size 524288. 57128 blocks available
-smb: \> q
-</screen>
-		Well done. All is working fine.
-		</para></step>
-	</procedure>
-
-	<para>
-	The server <constant>MASSIVE</constant> is now configured, and it is time to move onto the next task.
-	</para>
-
-	</sect2>
-
-	<sect2 id="sbehap-ptrcfg">
-	<title>Printer Configuration</title>
-
-	<para>
-	<indexterm><primary>CUPS</primary></indexterm>
-	The configuration for Samba-3 to enable CUPS raw-print-through printing has already been
-	taken care of in the &smb.conf; file. The only preparation needed for <constant>smart</constant>
-	printing to be possible involves creation of the directories in which Samba-3 stores
-	Windows printing driver files.
-	</para>
-
-	<procedure>
-	<title>Printer Configuration Steps</title>
-
-                <step><para>
-                Configure all network-attached printers to have a fixed IP address.
-                </para></step>
-
-                <step><para>
-                Create an entry in the DNS database on the server <constant>MASSIVE</constant>
-                in both the forward lookup database for the zone <constant>abmas.biz.hosts</constant>
-                and in the reverse lookup database for the network segment that the printer is to
-                be located in. Example configuration files for similar zones were presented in <link linkend="secure"/>,
-                <link linkend="abmasbiz"/> and in <link linkend="eth2zone"/>.
-                </para></step>
-
-                <step><para>
-                Follow the instructions in the printer manufacturers' manuals to permit printing
-                to port 9100.  Use any other port the manufacturer specifies for direct mode,
-                raw printing.  This allows the CUPS spooler to print using raw mode protocols.
-                <indexterm><primary>CUPS</primary></indexterm>
-                <indexterm><primary>raw printing</primary></indexterm>
-                </para></step>
-
-		<step><para>
-		<indexterm><primary>lpadmin</primary></indexterm>
-                <indexterm><primary>CUPS</primary><secondary>queue</secondary></indexterm>
-                Only on the server to which the printer is attached, configure the CUPS Print
-                Queues as follows:
-<screen>
-&rootprompt; lpadmin -p <parameter>printque</parameter>
-	 -v socket://<parameter>printer-name</parameter>.abmas.biz:9100 -E
-</screen>
-                <indexterm><primary>print filter</primary></indexterm>
-                This step creates the necessary print queue to use no assigned print filter. This
-                is ideal for raw printing, that is, printing without use of filters.
-                The name <parameter>printque</parameter> is the name you have assigned for
-                the particular printer.
-                </para></step>
-
-                <step><para>
-                Print queues may not be enabled at creation. Make certain that the queues
-                you have just created are enabled by executing the following:
-<screen>
-&rootprompt; /usr/bin/enable <parameter>printque</parameter>
-</screen>
-                </para></step>
-
-                <step><para>
-                Even though your print queue may be enabled, it is still possible that it
-                may not accept print jobs. A print queue will service incoming printing
-                requests only when configured to do so. Ensure that your print queue is
-                set to accept incoming jobs by executing the following commands:
-<screen>
-&rootprompt; /usr/bin/accept <parameter>printque</parameter>
-</screen>
-                </para></step>
-
-		<step><para>
-                <indexterm><primary>mime type</primary></indexterm>
-                <indexterm><primary>/etc/mime.convs</primary></indexterm>
-                <indexterm><primary>application/octet-stream</primary></indexterm>
-                Edit the file <filename>/etc/cups/mime.convs</filename> to uncomment the line:
-<screen>
-application/octet-stream     application/vnd.cups-raw      0     -
-</screen>
-		</para></step>
-
-		 <step><para>
-		 <indexterm><primary>/etc/mime.types</primary></indexterm>
-		 Edit the file <filename>/etc/cups/mime.types</filename> to uncomment the line:
-<screen>
-application/octet-stream
-</screen>
-	        </para></step>
-
-	        <step><para>
-	        Refer to the CUPS printing manual for instructions regarding how to configure
-	        CUPS so that print queues that reside on CUPS servers on remote networks
-	        route print jobs to the print server that owns that queue. The default setting
-	        on your CUPS server may automatically discover remotely installed printers and
-	        may permit this functionality without requiring specific configuration.
-	        </para></step>
-
-		<step><para>
-		The following action creates the necessary directory subsystem. Follow these 
-		steps to printing heaven:
-<screen>
-&rootprompt; mkdir -p /var/lib/samba/drivers/{W32ALPHA,W32MIPS,W32X86,WIN40}
-&rootprompt; chown -R root:root /var/lib/samba/drivers
-&rootprompt; chmod -R ug=rwx,o=rx /var/lib/samba/drivers
-</screen>
-		</para></step>
-
-	</procedure>
-
-	</sect2>
-
-</sect1>
-
-<sect1 id="sbehap-bldg1">
-	<title>Samba-3 BDC Configuration</title>
-
-	<procedure>
-	<title>Configuration of BDC Called: <constant>BLDG1</constant></title>
-
-		<step><para>
-		Install the files in <link linkend="sbehap-bldg1-smbconf"/>,
-		<link linkend="sbehap-shareconfa"/>, and <link linkend="sbehap-shareconfb"/>
-		into the <filename>/etc/samba/</filename> directory. The three files
-		should be added together to form the &smb.conf; file.
-		</para></step>
-
-		<step><para>
-		Verify the &smb.conf; file as in step 2 of <link
-	      linkend="sbehap-massive"/>.
-		</para></step>
-
-		<step><para>
-		Carefully follow the steps outlined in <link linkend="sbehap-PAM-NSS"/>, taking
-		particular note to install the correct <filename>ldap.conf</filename>.
-		</para></step>
-
-		<step><para>
-		Verify that the NSS resolver is working. You may need to cycle the run level
-		to 1 and back to 5 before the NSS LDAP resolver functions. Follow these
-		commands:
-<screen>
-&rootprompt; init 1
-</screen>
-		After the run level has been achieved, you are prompted to provide the
-		<constant>root</constant> password. Log on, and then execute:
-<screen>
-&rootprompt; init 5
-</screen>
-		When the normal logon prompt appears, log into the system as <constant>root</constant>
-		and then execute these commands:
-<screen>
-&rootprompt; getent passwd
-root:x:0:0:root:/root:/bin/bash
-bin:x:1:1:bin:/bin:/bin/bash
-daemon:x:2:2:Daemon:/sbin:/bin/bash
-lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
-mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
-...
-root:x:0:512:Netbios Domain Administrator:/root:/bin/bash
-nobody:x:999:514:nobody:/dev/null:/bin/false
-bobj:x:1000:513:System User:/home/bobj:/bin/bash
-stans:x:1001:513:System User:/home/stans:/bin/bash
-chrisr:x:1002:513:System User:/home/chrisr:/bin/bash
-maryv:x:1003:513:System User:/home/maryv:/bin/bash
-vaioboss$:x:1005:553:vaioboss$:/dev/null:/bin/false
-bldg1$:x:1006:553:bldg1$:/dev/null:/bin/false
-</screen>
-		This is the correct output. If the accounts that have UIDs above 512 are not shown, there is a problem.
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>getent</primary></indexterm>
-		The next step in the verification process involves testing the operation of UNIX group
-		resolution via the NSS LDAP resolver. Execute these commands:
-<screen>
-&rootprompt; getent group
-root:x:0:
-bin:x:1:daemon
-daemon:x:2:
-sys:x:3:
-...
-Domain Admins:x:512:root
-Domain Users:x:513:bobj,stans,chrisr,maryv,jht
-Domain Guests:x:514:
-Administrators:x:544:
-Users:x:545:
-Guests:x:546:nobody
-Power Users:x:547:
-Account Operators:x:548:
-Server Operators:x:549:
-Print Operators:x:550:
-Backup Operators:x:551:
-Replicator:x:552:
-Domain Computers:x:553:
-Accounts:x:1000:
-Finances:x:1001:
-PIOps:x:1002:
-</screen>
-		This is also the correct and desired output, because it demonstrates that the LDAP client
-		is able to communicate correctly with the LDAP server (<constant>MASSIVE</constant>).
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>smbpasswd</primary></indexterm>
-		You must now set the LDAP administrative password into the Samba-3 <filename>secrets.tdb</filename>
-		file by executing this command:
-<screen>
-&rootprompt; smbpasswd -w not24get
-Setting stored password for "cn=Manager,dc=abmas,dc=biz" in secrets.tdb
-</screen>
-		</para></step>
-
-		<step><para>
-		Now you must obtain the domain SID from the PDC and store it into the
-		<filename>secrets.tdb</filename> file also. This step is not necessary with an LDAP
-		passdb backend because Samba-3 obtains the domain SID from the 
-		sambaDomain object it automatically stores in the LDAP backend. It does not hurt to
-		add the SID to the <filename>secrets.tdb</filename>, and if you wish to do so, this 
-		command can achieve that:
-<screen>
-&rootprompt; net rpc getsid MEGANET2
-Storing SID S-1-5-21-3504140859-1010554828-2431957765 \
-                           for Domain MEGANET2 in secrets.tdb
-</screen>
-		When configuring a Samba-3 BDC that has an LDAP backend, there is no need to take
-		any special action to join it to the domain. However, winbind communicates with the
-		domain controller that is running on the localhost and must be able to authenticate,
-		thus requiring that the BDC should be joined to the domain. The process of joining
-		the domain creates the necessary authentication accounts.
-		</para></step>
-
-		<step><para>
-		To join the Samba BDC to the domain, execute the following:
-<screen>
-&rootprompt; net rpc join -U root%not24get
-Joined domain MEGANET2.
-</screen>
-		This indicates that the domain security account for the BDC has been correctly created.
-		</para></step>
-
-		<step><para>
-		<indexterm>
-			<primary>pdbedit</primary>
-		</indexterm>
-		Verify that user and group account resolution works via Samba-3 tools as follows:
-<screen>
-&rootprompt; pdbedit -L
-root:0:root
-nobody:65534:nobody
-bobj:1000:System User
-stans:1001:System User
-chrisr:1002:System User
-maryv:1003:System User
-bldg1$:1006:bldg1$
-
-&rootprompt; net groupmap list
-Domain Admins (S-1-5-21-3504140859-...-2431957765-512) ->
-                                                        Domain Admins
-Domain Users (S-1-5-21-3504140859-...-2431957765-513) -> Domain Users
-Domain Guests (S-1-5-21-3504140859-...-2431957765-514) -> 
-                                                        Domain Guests
-Administrators (S-1-5-21-3504140859-...-2431957765-544) ->
-                                                       Administrators
-...
-Accounts (S-1-5-21-3504140859-1010554828-2431957765-3001) -> Accounts
-Finances (S-1-5-21-3504140859-1010554828-2431957765-3003) -> Finances
-PIOps (S-1-5-21-3504140859-1010554828-2431957765-3005) -> PIOps
-</screen>
-		These results show that all things are in order.
-		</para></step>
-
-                <step><para>
-                The server you have so carefully built is now ready for another important step. Now
-                start the Samba-3 server and validate its operation. Execute the following to render all
-                the processes needed fully operative so that, upon system reboot, they are automatically
-                started:
-<screen>
-&rootprompt; chkconfig named on
-&rootprompt; chkconfig dhcpd on
-&rootprompt; chkconfig nmb on
-&rootprompt; chkconfig smb on
-&rootprompt; chkconfig winbind on
-&rootprompt; rcnmb start
-&rootprompt; rcsmb start
-&rootprompt; rcwinbind start
-</screen>
-		Samba-3 should now be running and is ready for a quick test. But not quite yet!
-                </para></step>
-
-		<step><para>
-		Your new <constant>BLDG1, BLDG2</constant> servers do not have home directories for users.
-		To rectify this using the SUSE yast2 utility or by manually editing the <filename>/etc/fstab</filename>
-		file, add a mount entry to mount the <constant>home</constant> directory that has been exported
-		from the <constant>MASSIVE</constant> server. Mount this resource before proceeding. An alternate
-		approach could be to create local home directories for users who are to use these machines.
-		This is a choice that you, as system administrator, must make. The following entry in the
-		<filename>/etc/fstab</filename> file suffices for now:
-<screen>
-massive.abmas.biz:/home  /home  nfs     rw 0 0
-</screen>
-		To mount this resource, execute:
-<screen>
-&rootprompt; mount -a
-</screen>
-		Verify that the home directory has been mounted as follows:
-<screen>
-&rootprompt; df | grep home
-massive:/home         29532988    283388  29249600   1% /home
-</screen>
-		</para></step>
-
-		<step><para>
-		Implement a quick check using one of the users that is in the LDAP database. Here you go:
-<screen>
-&rootprompt; smbclient //bldg1/bobj -Ubobj%n3v3r2l8
-smb: \> dir
-  .                    D        0  Wed Dec 17 01:16:19 2003
-  ..                   D        0  Wed Dec 17 19:04:42 2003
-  bin                  D        0  Tue Sep  2 04:00:57 2003
-  Documents            D        0  Sun Nov 30 07:28:20 2003
-  public_html          D        0  Sun Nov 30 07:28:20 2003
-  .urlview             H      311  Fri Jul  7 06:55:35 2000
-  .dvipsrc             H      208  Fri Nov 17 11:22:02 1995
-
-          57681 blocks of size 524288. 57128 blocks available
-smb: \> q
-</screen>
-		</para></step>
-
-	</procedure>
-
-	<para>
-	Now that the first BDC (<constant>BDLG1</constant>) has been configured it is time to build 
-	and configure the second BDC server (<constant>BLDG2</constant>) as follows:
-	</para>
-
-	<procedure id="sbehap-bldg2">
-	<title>Configuration of BDC Called <constant>BLDG2</constant></title>
-
-		<step><para>
-		Install the files in <link linkend="sbehap-bldg2-smbconf"/>,
-		<link linkend="sbehap-shareconfa"/>, and <link linkend="sbehap-shareconfb"/>
-		into the <filename>/etc/samba/</filename> directory. The three files
-		should be added together to form the &smb.conf; file.
-		</para></step>
-
-		<step><para>
-		Follow carefully the steps shown in <link linkend="sbehap-bldg1"/>, starting at step 2.
-		</para></step>
-
-	</procedure>
-
-<example id="sbehap-bldg1-smbconf">
-<title>LDAP Based &smb.conf; File, Server: BLDG1</title>
-<smbconfblock>
-<smbconfcomment>Global parameters</smbconfcomment>
-<smbconfsection name="[global]"/>
-	<smbconfoption name="unix charset">LOCALE</smbconfoption>
-	<smbconfoption name="workgroup">MEGANET2</smbconfoption>
-	<smbconfoption name="netbios name">BLDG1</smbconfoption>
-	<smbconfoption name="passdb backend">ldapsam:ldap://massive.abmas.biz</smbconfoption>
-	<smbconfoption name="enable privileges">Yes</smbconfoption>
-	<smbconfoption name="username map">/etc/samba/smbusers</smbconfoption>
-	<smbconfoption name="log level">1</smbconfoption>
-	<smbconfoption name="syslog">0</smbconfoption>
-	<smbconfoption name="log file">/var/log/samba/%m</smbconfoption>
-	<smbconfoption name="max log size">50</smbconfoption>
-	<smbconfoption name="smb ports">139</smbconfoption>
-	<smbconfoption name="name resolve order">wins bcast hosts</smbconfoption>
-	<smbconfoption name="printcap name">CUPS</smbconfoption>
-	<smbconfoption name="show add printer wizard">No</smbconfoption>
-	<smbconfoption name="logon script">scripts\logon.bat</smbconfoption>
-	<smbconfoption name="logon path">\\%L\profiles\%U</smbconfoption>
-	<smbconfoption name="logon drive">X:</smbconfoption>
-	<smbconfoption name="domain logons">Yes</smbconfoption>
-	<smbconfoption name="domain master">No</smbconfoption>
-	<smbconfoption name="wins server">172.16.0.1</smbconfoption>
-	<smbconfoption name="ldap suffix">dc=abmas,dc=biz</smbconfoption>
-	<smbconfoption name="ldap machine suffix">ou=People</smbconfoption>
-	<smbconfoption name="ldap user suffix">ou=People</smbconfoption>
-	<smbconfoption name="ldap group suffix">ou=Groups</smbconfoption>
-	<smbconfoption name="ldap idmap suffix">ou=Idmap</smbconfoption>
-	<smbconfoption name="ldap admin dn">cn=Manager,dc=abmas,dc=biz</smbconfoption>
-	<smbconfoption name="idmap backend">ldap:ldap://massive.abmas.biz</smbconfoption>
-	<smbconfoption name="idmap uid">10000-20000</smbconfoption>
-	<smbconfoption name="idmap gid">10000-20000</smbconfoption>
-	<smbconfoption name="printing">cups</smbconfoption>
-	<smbconfoption name="printer admin">root, chrisr</smbconfoption>
-</smbconfblock>
-</example>
-
-
-<example id="sbehap-bldg2-smbconf">
-<title>LDAP Based &smb.conf; File, Server: BLDG2</title>
-<smbconfblock>
-<smbconfcomment>Global parameters</smbconfcomment>
-<smbconfsection name="[global]"/>
-	<smbconfoption name="unix charset">LOCALE</smbconfoption>
-	<smbconfoption name="workgroup">MEGANET2</smbconfoption>
-	<smbconfoption name="netbios name">BLDG2</smbconfoption>
-	<smbconfoption name="passdb backend">ldapsam:ldap://massive.abmas.biz</smbconfoption>
-	<smbconfoption name="enable privileges">Yes</smbconfoption>
-	<smbconfoption name="username map">/etc/samba/smbusers</smbconfoption>
-	<smbconfoption name="log level">1</smbconfoption>
-	<smbconfoption name="syslog">0</smbconfoption>
-	<smbconfoption name="log file">/var/log/samba/%m</smbconfoption>
-	<smbconfoption name="max log size">50</smbconfoption>
-	<smbconfoption name="smb ports">139</smbconfoption>
-	<smbconfoption name="name resolve order">wins bcast hosts</smbconfoption>
-	<smbconfoption name="printcap name">CUPS</smbconfoption>
-	<smbconfoption name="show add printer wizard">No</smbconfoption>
-	<smbconfoption name="logon script">scripts\logon.bat</smbconfoption>
-	<smbconfoption name="logon path">\\%L\profiles\%U</smbconfoption>
-	<smbconfoption name="logon drive">X:</smbconfoption>
-	<smbconfoption name="domain logons">Yes</smbconfoption>
-	<smbconfoption name="domain master">No</smbconfoption>
-	<smbconfoption name="wins server">172.16.0.1</smbconfoption>
-	<smbconfoption name="ldap suffix">dc=abmas,dc=biz</smbconfoption>
-	<smbconfoption name="ldap machine suffix">ou=People</smbconfoption>
-	<smbconfoption name="ldap user suffix">ou=People</smbconfoption>
-	<smbconfoption name="ldap group suffix">ou=Groups</smbconfoption>
-	<smbconfoption name="ldap idmap suffix">ou=Idmap</smbconfoption>
-	<smbconfoption name="ldap admin dn">cn=Manager,dc=abmas,dc=biz</smbconfoption>
-	<smbconfoption name="idmap backend">ldap:ldap://massive.abmas.biz</smbconfoption>
-	<smbconfoption name="idmap uid">10000-20000</smbconfoption>
-	<smbconfoption name="idmap gid">10000-20000</smbconfoption>
-	<smbconfoption name="printing">cups</smbconfoption>
-	<smbconfoption name="printer admin">root, chrisr</smbconfoption>
-</smbconfblock>
-</example>
-
-
-<example id="sbehap-shareconfa">
-<title>LDAP Based &smb.conf; File, Shares Section &smbmdash; Part A</title>
-<smbconfblock>
-<smbconfsection name="[accounts]"/>
-	<smbconfoption name="comment">Accounting Files</smbconfoption>
-	<smbconfoption name="path">/data/accounts</smbconfoption>
-	<smbconfoption name="read only">No</smbconfoption>
-
-<smbconfsection name="[service]"/>
-	<smbconfoption name="comment">Financial Services Files</smbconfoption>
-	<smbconfoption name="path">/data/service</smbconfoption>
-	<smbconfoption name="read only">No</smbconfoption>
-
-<smbconfsection name="[pidata]"/>
-	<smbconfoption name="comment">Property Insurance Files</smbconfoption>
-	<smbconfoption name="path">/data/pidata</smbconfoption>
-	<smbconfoption name="read only">No</smbconfoption>
-
-<smbconfsection name="[homes]"/>
-	<smbconfoption name="comment">Home Directories</smbconfoption>
-	<smbconfoption name="valid users">%S</smbconfoption>
-	<smbconfoption name="read only">No</smbconfoption>
-	<smbconfoption name="browseable">No</smbconfoption>
-
-<smbconfsection name="[printers]"/>
-	<smbconfoption name="comment">SMB Print Spool</smbconfoption>
-	<smbconfoption name="path">/var/spool/samba</smbconfoption>
-	<smbconfoption name="guest ok">Yes</smbconfoption>
-	<smbconfoption name="printable">Yes</smbconfoption>
-	<smbconfoption name="browseable">No</smbconfoption>
-</smbconfblock>
-</example>
-
-<example id="sbehap-shareconfb">
-<title>LDAP Based &smb.conf; File, Shares Section &smbmdash; Part B</title>
-<smbconfblock>
-<smbconfsection name="[apps]"/>
-	<smbconfoption name="comment">Application Files</smbconfoption>
-	<smbconfoption name="path">/apps</smbconfoption>
-	<smbconfoption name="admin users">bjordan</smbconfoption>
-	<smbconfoption name="read only">No</smbconfoption>
-
-<smbconfsection name="[netlogon]"/>
-	<smbconfoption name="comment">Network Logon Service</smbconfoption>
-	<smbconfoption name="path">/var/lib/samba/netlogon</smbconfoption>
-	<smbconfoption name="guest ok">Yes</smbconfoption>
-	<smbconfoption name="locking">No</smbconfoption>
-
-<smbconfsection name="[profiles]"/>
-	<smbconfoption name="comment">Profile Share</smbconfoption>
-	<smbconfoption name="path">/var/lib/samba/profiles</smbconfoption>
-	<smbconfoption name="read only">No</smbconfoption>
-	<smbconfoption name="profile acls">Yes</smbconfoption>
-
-<smbconfsection name="[profdata]"/>
-	<smbconfoption name="comment">Profile Data Share</smbconfoption>
-	<smbconfoption name="path">/var/lib/samba/profdata</smbconfoption>
-	<smbconfoption name="read only">No</smbconfoption>
-	<smbconfoption name="profile acls">Yes</smbconfoption>
-
-<smbconfsection name="[print$]"/>
-	<smbconfoption name="comment">Printer Drivers</smbconfoption>
-	<smbconfoption name="path">/var/lib/samba/drivers</smbconfoption>
-	<smbconfoption name="browseable">yes</smbconfoption>
-	<smbconfoption name="guest ok">no</smbconfoption>
-	<smbconfoption name="read only">yes</smbconfoption>
-	<smbconfoption name="write list">root, chrisr</smbconfoption>
-</smbconfblock>
-</example>
-
-<example id="sbehap-ldifadd">
-<title>LDIF IDMAP Add-On Load File &smbmdash; File: /etc/openldap/idmap.LDIF</title>
-<screen>
-dn: ou=Idmap,dc=abmas,dc=biz
-objectClass: organizationalUnit
-ou: idmap
-structuralObjectClass: organizationalUnit
-</screen>
-</example>
-
-</sect1>
-
-<sect1>
-	<title>Miscellaneous Server Preparation Tasks</title>
-
-	<para>
-	My father would say, <quote>Dinner is not over until the dishes have been done.</quote>
-	The makings of a great network environment take a lot of effort and attention to detail.
-	So far, you have completed most of the complex (and to many administrators, the interesting
-	part of server configuration) steps, but remember to tie it all together. Here are
-	a few more steps that must be completed so that your network runs like a well-rehearsed
-	orchestra.
-	</para>
-
-	<sect2>
-	<title>Configuring Directory Share Point Roots</title>
-
-	<para>
-	In your &smb.conf; file, you have specified Windows shares. Each has a <parameter>path</parameter>
-	parameter. Even though it is obvious to all, one of the common Samba networking problems is
-	caused by forgetting to verify that every such share root directory actually exists and that it
-	has the necessary permissions and ownership.
-	</para>
-
-	<para>
-	Here is an example, but remember to create the directory needed for every share:
-<screen>
-&rootprompt; mkdir -p /data/{accounts,finsvcs,piops}
-&rootprompt; mkdir -p /apps
-&rootprompt; chown -R root:root /data
-&rootprompt; chown -R root:root /apps
-&rootprompt; chown -R bobj:Accounts /data/accounts
-&rootprompt; chown -R bobj:Finances /data/finsvcs
-&rootprompt; chown -R bobj:PIOps /data/piops
-&rootprompt; chmod -R ug+rwxs,o-rwx /data
-&rootprompt; chmod -R ug+rwx,o+rx-w /apps
-</screen>
-	</para>
-
-	</sect2>
-
-	<sect2>
-	<title>Configuring Profile Directories</title>
-
-	<para>
-	You made a conscious decision to do everything it would take to improve network client
-	performance. One of your decisions was to implement folder redirection. This means that Windows
-	user desktop profiles are now made up of two components: a dynamically loaded part and a set of file
-	network folders.
-	</para>
-
-	<para>
-	For this arrangement to work, every user needs a directory structure for the network folder
-	portion of his or her profile as shown here:
-<screen>
-&rootprompt; mkdir -p /var/lib/samba/profdata
-&rootprompt; chown root:root /var/lib/samba/profdata
-&rootprompt; chmod 755 /var/lib/samba/profdata
-
-# Per user structure
-&rootprompt; cd /var/lib/samba/profdata
-&rootprompt; mkdir -p <emphasis>username</emphasis>
-&rootprompt; for i in InternetFiles Cookies History AppData \
-                      LocalSettings MyPictures MyDocuments Recent
-&rootprompt; do
-&rootprompt; mkdir <emphasis>username</emphasis>/$i
-&rootprompt; done
-&rootprompt; chown -R <emphasis>username</emphasis>:Domain\ Users <emphasis>username</emphasis>
-&rootprompt; chmod -R 750 <emphasis>username</emphasis>
-</screen>
-	</para>
-
-	<para>
-	<indexterm><primary>roaming profile</primary></indexterm>
-	<indexterm><primary>mandatory profile</primary></indexterm>
-	You have three options insofar as the dynamically loaded portion of the roaming profile
-	is concerned: 
-	</para>
-
-	<itemizedlist>
-		<listitem><para>You may permit the user to obtain a default profile.</para></listitem>
-		<listitem><para>You can create a mandatory profile.</para></listitem>
-		<listitem><para>You can create a group profile (which is almost always a mandatory profile).</para></listitem>
-	</itemizedlist>
-
-	<para>
-	Mandatory profiles cannot be overwritten by a user. The change from a user profile to a mandatory
-	profile is effected by renaming the <filename>NTUSER.DAT</filename> to <filename>NTUSER.MAN</filename>,
-	that is, just by changing the filename extension.
-	</para>
-
-	<para>
-	<indexterm><primary>SRVTOOLS.EXE</primary></indexterm>
-	<indexterm><primary>Domain User Manager</primary></indexterm>
-	The location of the profile that a user can obtain is set in the user's account in the LDAP passdb backend.
-	You can manage this using the Idealx smbldap-tools or using the 
-	<ulink url="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE">Windows NT4 Domain User Manager</ulink>.
-	</para>
-
-	<para>
-	It may not be obvious that you must ensure that the root directory for the user's profile exists
-	and has the needed permissions. Use the following commands to create this directory:
-<screen>
-&rootprompt; mkdir -p /var/lib/samba/profiles/<emphasis>username</emphasis>
-&rootprompt; chown <emphasis>username</emphasis>:Domain\ Users
-	    /var/lib/samba/profiles/<emphasis>username</emphasis>
-&rootprompt; chmod 700  /var/lib/samba/profiles/<emphasis>username</emphasis>
-</screen>
-	</para>
-
-	</sect2>
-
-	<sect2>
-	<title>Preparation of Logon Scripts</title>
-
-	<para>
-	<indexterm><primary>logon script</primary></indexterm>
-	The use of a logon script with Windows XP Professional is an option that every site should consider.
-	Unless you have locked down the desktop so the user cannot change anything, there is risk that
-	a vital network drive setting may be broken or that printer connections may be lost. Logon scripts
-	can help to restore persistent network folder (drive) and printer connections in a predictable
-	manner. One situation in which such breakage may occur in particular is when a mobile PC (notebook)
-	user attaches to another company's network that forces environment changes that are alien to your
-	network.
-	</para>
-
-	<para>
-	If you decide to use network logon scripts, by reference to the &smb.conf; files for the domain
-	controllers, you see that the path to the share point for the <constant>NETLOGON</constant>
-	share defined is <filename>/var/lib/samba/netlogon</filename>. The path defined for the logon
-	script inside that share is <filename>scripts\logon.bat</filename>. This means that as a Windows
-	NT/200x/XP client logs onto the network, it tries to obtain the file <filename>logon.bat</filename>
-	from the fully qualified path <filename>/var/lib/samba/netlogon/scripts</filename>. This fully
-	qualified path should therefore exist whether you install the <filename>logon.bat</filename>.
-	</para>
-
-	<para>
-	You can, of course, create the fully qualified path by executing:
-<screen>
-&rootprompt; mkdir -p /var/lib/samba/netlogon/scripts
-</screen>
-	</para>
-
-	<para>
-	You should research the options for logon script implementation by referring to <emphasis>TOSHARG2</emphasis>, Chapter 24,
-	Section 24.4. A quick Web search will bring up a host of options. One of the most popular logon
-	facilities in use today is called <ulink url="http://www.kixtart.org">KiXtart</ulink>.
-	</para>
-
-	</sect2>
-
-	<sect2>
-	<title>Assigning User Rights and Privileges</title>
-
-	<para>
-	The ability to perform tasks such as joining Windows clients to the domain can be assigned to
-	normal user accounts. By default, only the domain administrator account (<constant>root</constant> on UNIX
-	systems because it has UID=0) can add accounts. New to Samba 3.0.11 is the ability to grant
-	this privilege in a very limited fashion to particular accounts.
-	</para>
-
-	<para>
-	By default, even Samba-3.0.11 does not grant any rights even to the <constant>Domain Admins</constant>
-	group. Here we grant this group all privileges.
-	</para>
-
-	<para>
-	Samba limits privileges on a per-server basis. This is a deliberate limitation so that users who
-	are granted rights can be restricted to particular machines. It is left to the network administrator
-	to determine which rights should be provided and to whom.
-	</para>
-
-	<procedure>
-	<title>Steps for Assignment of User Rights and Privileges</title>
-
-		<step><para>
-		Log onto the PDC as the <constant>root</constant> account.
-		</para></step>
-
-		<step><para>
-		Execute the following command to grant the <constant>Domain Admins</constant> group all
-		rights and privileges:
-<screen>
-&rootprompt; net -S MASSIVE  -U root%not24get rpc rights grant \
-        "MEGANET2\Domain Admins" SeMachineAccountPrivilege \
-	SePrintOperatorPrivilege SeAddUsersPrivilege \
-	SeDiskOperatorPrivilege SeRemoteShutdownPrivilege
-Successfully granted rights.
-</screen>
-		Repeat this step on each domain controller, in each case substituting the name of the server
-		(e.g., BLDG1, BLDG2) in place of the PDC called MASSIVE.
-		</para></step>
-
-		<step><para>
-		In this step the privilege will be granted to Bob Jordan (bobj) to add Windows workstations
-		to the domain. Execute the following only on the PDC. It is not necessary to do this on
-		BDCs or on DMS machines because machine accounts are only ever added by the PDC:
-<screen>
-&rootprompt; net -S MASSIVE  -U root%not24get rpc rights grant \
-             "MEGANET2\bobj" SeMachineAccountPrivilege
-Successfully granted rights.
-</screen>
-		</para></step>
-
-		<step><para>
-		Verify that privilege assignments have been correctly applied by executing:
-<screen>
-net rpc rights list accounts -Uroot%not24get
-MEGANET2\bobj
-SeMachineAccountPrivilege
-
-S-0-0
-No privileges assigned
-
-BUILTIN\Print Operators
-No privileges assigned
-
-BUILTIN\Account Operators
-No privileges assigned
-
-BUILTIN\Backup Operators
-No privileges assigned
-
-BUILTIN\Server Operators
-No privileges assigned
-
-BUILTIN\Administrators
-No privileges assigned
-
-Everyone
-No privileges assigned
-
-MEGANET2\Domain Admins
-SeMachineAccountPrivilege
-SePrintOperatorPrivilege
-SeAddUsersPrivilege
-SeRemoteShutdownPrivilege
-SeDiskOperatorPrivilege
-</screen>
-		</para></step>
-
-	</procedure>
-
-	</sect2>
-
-</sect1>
-
-<sect1>
-	<title>Windows Client Configuration</title>
-
-	<para>
-	<indexterm><primary>NETLOGON</primary></indexterm>
-	In the next few sections, you can configure a new Windows XP Professional disk image on a staging
-	machine. You will configure all software, printer settings, profile and policy handling, and desktop
-	default profile settings on this system. When it is complete, you copy the contents of the
-	<filename>C:\Documents and Settings\Default User</filename> directory to a directory with the same
-	name in the <constant>NETLOGON</constant> share on the domain controllers.
-	</para>
-
-	<para>
-	Much can be learned from the Microsoft Support site regarding how best to set up shared profiles.
-	One knowledge-base article in particular stands out:
-	"<ulink url="http://support.microsoft.com/default.aspx?scid=kb;EN-US;168475">How to Create a 
-	Base Profile for All Users."</ulink>
-
-	</para>
-
-	<sect2 id="redirfold">
-	<title>Configuration of Default Profile with Folder Redirection</title>
-
-	<para>
-	<indexterm><primary>folder redirection</primary></indexterm>
-	Log onto the Windows XP Professional workstation as the local <constant>Administrator</constant>.
-	It is necessary to expose folders that are generally hidden to provide access to the
-	<constant>Default User</constant> folder.
-	</para>
-
-	<procedure>
-	<title>Expose Hidden Folders</title>
-
-		<step><para>
-		Launch the Windows Explorer by clicking
-			<menuchoice>
-                                <guimenu>Start</guimenu>
-                                <guimenuitem>My Computer</guimenuitem>
-                                <guimenuitem>Tools</guimenuitem>
-                                <guimenuitem>Folder Options</guimenuitem>
-                                <guimenuitem>View Tab</guimenuitem>
-                        </menuchoice>.
-		Select <guilabel>Show hidden files and folders</guilabel>,
-		and click <guibutton>OK</guibutton>.  Exit Windows Explorer.
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>regedt32</primary></indexterm>
-		Launch the Registry Editor. Click 
-		<menuchoice>
-			<guimenu>Start</guimenu>
-			<guimenuitem>Run</guimenuitem>
-		</menuchoice>. Key in <command>regedt32</command>, and click
-		<guibutton>OK</guibutton>.
-		</para></step>
-
-	</procedure>
-
-	<para>
-	</para>
-
-	<procedure id="sbehap-rdrfldr">
-	<title>Redirect Folders in Default System User Profile</title>
-
-		<step><para>
-		<indexterm><primary>HKEY_LOCAL_MACHINE</primary></indexterm>
-		<indexterm><primary>Default User</primary></indexterm>
-		Give focus to <constant>HKEY_LOCAL_MACHINE</constant> hive entry in the left panel.
-		Click <menuchoice>
-			<guimenu>File</guimenu>
-			<guimenuitem>Load Hive...</guimenuitem>
-			<guimenuitem>Documents and Settings</guimenuitem>
-			<guimenuitem>Default User</guimenuitem>
-			<guimenuitem>NTUSER</guimenuitem>
-			<guimenuitem>Open</guimenuitem>
-		      </menuchoice>. In the dialog box that opens, enter the key name
-		<constant>Default</constant> and click <guibutton>OK</guibutton>.
-		</para></step>
-
-		<step><para>
-		Browse inside the newly loaded Default folder to:
-<screen>
-HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\
-                     CurrentVersion\Explorer\User Shell Folders\
-</screen>
-		The right panel reveals the contents as shown in <link linkend="XP-screen001"/>.
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>%USERPROFILE%</primary></indexterm>
-		<indexterm><primary>%LOGONSERVER%</primary></indexterm>
-		You edit hive keys. Acceptable values to replace the 
-		<constant>%USERPROFILE%</constant> variable includes:
-
-		<itemizedlist>
-			<listitem><para>A drive letter such as <constant>U:</constant></para></listitem>
-			<listitem><para>A direct network path such as
-				<constant>\\MASSIVE\profdata</constant></para></listitem>
-			<listitem><para>A network redirection (UNC name) that contains a macro such as </para>
-				<para><constant>%LOGONSERVER%\profdata\</constant></para></listitem>
-		</itemizedlist>
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>registry keys</primary></indexterm>
-		Set the registry keys as shown in <link linkend="proffold"/>. Your implementation makes the assumption
-		that users have statically located machines. Notebook computers (mobile users) need to be
-		accommodated using local profiles. This is not an uncommon assumption.
-		</para></step>
-
-		<step><para>
-		Click back to the root of the loaded hive <constant>Default</constant>.
-		Click <menuchoice><guimenu>File</guimenu><guimenuitem>Unload Hive...</guimenuitem>
-		<guimenuitem>Yes</guimenuitem></menuchoice>.
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>Registry Editor</primary></indexterm>
-		Click <menuchoice><guimenu>File</guimenu><guimenuitem>Exit</guimenuitem></menuchoice>. This exits the
-		Registry Editor.
-		</para></step>
-
-		<step><para>
-		Now follow the procedure given in <link linkend="sbehap-locgrppol"/>. Make sure that each folder you
-		have redirected is in the exclusion list.
-		</para></step>
-
-		<step><para>
-		You are now ready to copy<footnote><para>
-			There is an alternate method by which a default user profile can be added to the
-			<constant>NETLOGON</constant> share. This facility in the Windows System tool 
-			permits profiles to be exported. The export target may be a particular user or 
-			group profile share point or else the <constant>NETLOGON</constant> share. 
-			In this case, the profile directory must be named <constant>Default User</constant>.
-			</para></footnote> 
-		the Default User profile to the Samba domain controllers. Launch Microsoft Windows Explorer,
-		and use it to copy the full contents of the directory <filename>Default User</filename> that
-		is in the <filename>C:\Documents and Settings</filename> to the root directory of the
-		<constant>NETLOGON</constant> share. If the <constant>NETLOGON</constant> share has the defined
-		UNIX path of <filename>/var/lib/samba/netlogon</filename>, when the copy is complete there must
-		be a directory in there called <filename>Default User</filename>.
-		</para></step>
-
-	</procedure>
-
-	<para>
-	Before punching out new desktop images for the client workstations, it is perhaps a good idea that
-	desktop behavior should be returned to the original Microsoft settings. The following steps achieve
-	that ojective:
-	</para>
-
-	<procedure>
-	<title>Reset Folder Display to Original Behavior</title>
-
-		<step><para>
-		To launch the Windows Explorer, click
-			<menuchoice>
-                                <guimenu>Start</guimenu>
-                                <guimenuitem>My Computer</guimenuitem>
-                                <guimenuitem>Tools</guimenuitem>
-                                <guimenuitem>Folder Options</guimenuitem>
-                                <guimenuitem>View Tab</guimenuitem>
-                        </menuchoice>.
-		Deselect <guilabel>Show hidden files and folders</guilabel>, and click <guibutton>OK</guibutton>.
-		Exit Windows Explorer.
-		</para></step>
-
-	</procedure>
-
-	<figure id="XP-screen001">
-		<title>Windows XP Professional &smbmdash; User Shared Folders</title>
-		<imagefile scale="65">XP-screen001</imagefile>
-	</figure>
-
-<table id="proffold">
-	<title>Default Profile Redirections</title>
-	<tgroup cols="2">
-		<colspec align="left"/>
-		<colspec align="left"/>
-		<thead>
-			<row>
-				<entry>Registry Key</entry>
-				<entry>Redirected Value</entry>
-			</row>
-		</thead>
-		<tbody>
-			<row>
-				<entry>Cache</entry>
-				<entry>%LOGONSERVER%\profdata\%USERNAME%\InternetFiles</entry>
-			</row>
-			<row>
-				<entry>Cookies</entry>
-				<entry>%LOGONSERVER%\profdata\%USERNAME%\Cookies</entry>
-			</row>
-			<row>
-				<entry>History</entry>
-				<entry>%LOGONSERVER%\profdata\%USERNAME%\History</entry>
-			</row>
-			<row>
-				<entry>Local AppData</entry>
-				<entry>%LOGONSERVER%\profdata\%USERNAME%\AppData</entry>
-			</row>
-			<row>
-				<entry>Local Settings</entry>
-				<entry>%LOGONSERVER%\profdata\%USERNAME%\LocalSettings</entry>
-			</row>
-			<row>
-				<entry>My Pictures</entry>
-				<entry>%LOGONSERVER%\profdata\%USERNAME%\MyPictures</entry>
-			</row>
-			<row>
-				<entry>Personal</entry>
-				<entry>%LOGONSERVER%\profdata\%USERNAME%\MyDocuments</entry>
-			</row>
-			<row>
-				<entry>Recent</entry>
-				<entry>%LOGONSERVER%\profdata\%USERNAME%\Recent</entry>
-			</row>
-		</tbody>
-	</tgroup>
-</table>
-
-	</sect2>
-
-	<sect2>
-	<title>Configuration of MS Outlook to Relocate PST File</title>
-
-	<para>
-	<indexterm><primary>Outlook</primary><secondary>PST</secondary></indexterm>
-	<indexterm><primary>MS Outlook</primary><secondary>PST</secondary></indexterm>
-	Microsoft Outlook can store a Personal Storage file, generally known as a PST file.
-	It is the nature of email storage that this file grows, at times quite rapidly.
-	So that users' email is available to them at every workstation they may log onto,
-	it is common practice in well-controlled sites to redirect the PST folder to the
-	users' home directory. Follow these steps for each user who wishes to do this.
-	</para>
-
-	<para>
-	To redirect the Outlook PST file in Outlook 2003 (older versions of Outlook behave
-	slightly differently), follow these steps:
-	</para>
-
-	<procedure>
-	<title>Outlook PST File Relocation</title>
-
-		<step><para>
-		Close Outlook if it is open.
-		</para></step>
-
-		<step><para>
-		From the <guimenu>Control Panel</guimenu>, launch the Mail icon.
-		</para></step>
-
-		<step><para>
-		Click <guimenu>Email Accounts.</guimenu>
-		</para></step>
-
-		<step><para>
-		Make a note of the location of the PST file(s). From this location, move
-		the files to the desired new target location. The most desired new target location 
-		may well be the users' home directory.
-		</para></step>
-
-		<step><para>
-		Add a new data file, selecting the PST file in the new desired target location.
-		Give this entry (not the filename) a new name such as <quote>Personal Mail Folders.</quote>
-		</para>
-
-		<para>
-		Note: If MS Outlook has been configured to use an IMAP account configuration there may be problems
-		following these instructions. Feedback from users suggests that where IMAP is used the PST
-		file is used to store rules and filters. When the PST store is relocated it appears to break
-		MS Outlook's Send/Receive button. If anyone has successfully relocated PST files where IMAP is
-		used please email <literal>jht at samba.org</literal> with useful tips and suggestions so that
-		this warning can be removed or modified.
-		</para></step>
-
-		<step><para>
-		Close the <guimenu>Date Files</guimenu> windows, then click <guimenu>Email Accounts</guimenu>.
-		</para></step>
-
-		<step><para>
-		Select <guimenu>View of Change</guimenu> exiting email accounts, click <guibutton>Next.</guibutton>
-		</para></step>
-
-		<step><para>
-		Change the <guimenu>Mail Delivery Location</guimenu> so as to use the data file in the new
-		target location.
-		</para></step>
-
-		<step><para>
-		Go back to the <guimenu>Data Files</guimenu> window, then delete the old data file entry.
-		</para></step>
-
-	</procedure>
-	
-	<note><para>
-	<indexterm><primary>Outlook Address Book</primary></indexterm>
-	You may have to remove and reinstall the Outlook Address Book (Contacts) entries, otherwise 
-	the user may be not be able to retrieve contacts when addressing a new email message.
-	</para></note>
-
-	<note><para>
-	<indexterm><primary>Outlook Express</primary></indexterm>
-	Outlook Express is not at all like MS OutLook. It stores file very differently also. Outlook
-	Express storage files can not be redirected to network shares. The options panel will not permit
-	this, but they can be moved to folders outside of the user's profile. They can also be excluded
-	from folder synchronization as part of the roaming profile.
-	</para>
-
-	<para>
-	While it is possible to redirect the data stores for Outlook Express data stores by editing the 
-	registry, experience has shown that data corruption and loss of email messages will result.
-	</para>
-
-	<para>
-	<indexterm><primary>Outlook Express</primary></indexterm>
-	<indexterm><primary>MS Outlook</primary></indexterm>
-	In the same vane as MS Outlook, Outlook Express data stores can become very large. When used with
-	roaming profiles this can result in excruciatingly long login and logout behavior will files are
-	synchronized. For this reason, it is highly recommended not to use Outlook Express where roaming
-	profiles are used.
-	</para></note>
-
-	<para>
-	<indexterm><primary>PST file</primary></indexterm>
-	Microsoft does not support storing PST files on network shares, although the practice does appear
-	to be rather popular. Anyone who does relocation the PST file to a network resource should refer
-	the Microsoft <ulink url="http://support.microsoft.com/kb/297019/">reference</ulink> to better
-	understand the issues.
-	</para>
-
-	<para>
-	<indexterm><primary>PST file</primary></indexterm>
-	Apart from manually moving PST files to a network share, it is possible to set the default PST
-	location for new accounts by following the instructions at the WindowsITPro <ulink
-	url="http://www.windowsitpro.com/Windows/Article/ArticleID/48228/48228.html">web</ulink> site.
-	</para>
-
-	<para>
-	<indexterm><primary>PST file</primary></indexterm>
-	User feedback suggests that disabling of oplocks on PST files will significantly improve
-	network performance by reducing locking overheads. One way this can be done is to add to the
-	&smb.conf; file stanza for the share the PST file the following:
-<screen>
-veto oplock files = /*.pdf/*.PST/
-</screen>
-	</para>
-
-	</sect2>
-
-	<sect2>
-	<title>Configure Delete Cached Profiles on Logout</title>
-
-	<para>
-	Configure the Windows XP Professional client to auto-delete roaming profiles on logout:
-	</para>
-
-	<para>
-	<indexterm><primary>MMC</primary></indexterm>
-	Click 
-	<menuchoice>
-		<guimenu>Start</guimenu>
-		<guimenuitem>Run</guimenuitem>
-	</menuchoice>. In the dialog box, enter <command>MMC</command> and click <guibutton>OK</guibutton>.
-	</para>
-
-	<para>
-	Follow these steps to set the default behavior of the staging machine so that all roaming
-	profiles are deleted as network users log out of the system. Click
-	<menuchoice>
-		<guimenu>File</guimenu>
-		<guimenuitem>Add/Remove Snap-in</guimenuitem>
-		<guimenuitem>Add</guimenuitem>
-		<guimenuitem>Group Policy</guimenuitem>
-		<guimenuitem>Add</guimenuitem>
-		<guimenuitem>Finish</guimenuitem>
-		<guimenuitem>Close</guimenuitem>
-		<guimenuitem>OK</guimenuitem>
-	</menuchoice>. 
-	</para>
-
-	<para>
-	<indexterm><primary>Microsoft Management Console</primary><see>MMC</see></indexterm>
-	The Microsoft Management Console now shows the <guimenu>Group Policy</guimenu>
-	utility that enables you to set the policies needed. In the left panel, click
-	<menuchoice>
-		<guimenuitem>Local Computer Policy</guimenuitem>
-		<guimenuitem>Administrative Templates</guimenuitem>
-		<guimenuitem>System</guimenuitem>
-		<guimenuitem>User Profiles</guimenuitem>
-	</menuchoice>. In the right panel, set the properties shown here by double-clicking on each
-	item as shown:
-	</para>
-
-	<itemizedlist>
-		<listitem><para>Do not check for user ownership of Roaming Profile Folders = Enabled</para></listitem>
-		<listitem><para>Delete cached copies of roaming profiles = Enabled</para></listitem>
-	</itemizedlist>
-
-	<para>
-	Close the Microsoft Management Console. The settings take immediate effect and persist onto all image copies
-	made of this system to deploy the new standard desktop system.
-	</para>
-
-	</sect2>
-
-	<sect2>
-	<title>Uploading Printer Drivers to Samba Servers</title>
-
-	<para>
-	<indexterm><primary>printing</primary><secondary>drag-and-drop</secondary></indexterm>
-	Users want to be able to use network printers. You have a vested interest in making
-	it easy for them to print. You have chosen to install the printer drivers onto the Samba
-	servers and to enable point-and-click (drag-and-drop) printing. This process results in
-	Samba being able to automatically provide the Windows client with the driver necessary to
-	print to the printer chosen. The following procedure must be followed for every network
-	printer:
-	</para>
-
-	<procedure>
-	<title>Steps to Install Printer Drivers on the Samba Servers</title>
-
-		<step><para>
-		Join your Windows XP Professional workstation (the staging machine) to the 
-		<constant>MEGANET2</constant> domain. If you are not sure of the procedure, 
-		follow the guidance given in <link linkend="appendix"/>, <link linkend="domjoin"/>.
-		</para></step>
-
-		<step><para>
-		After the machine has rebooted, log onto the workstation as the domain
-		<constant>root</constant> (this is the Administrator account for the 
-		operating system that is the host platform for this implementation of Samba.
-		</para></step>
-
-		<step><para>
-		Launch MS Windows Explorer. Navigate in the left panel. Click
-		<menuchoice>
-			<guimenu>My Network Places</guimenu>
-			<guimenuitem>Entire Network</guimenuitem>
-			<guimenuitem>Microsoft Windows Network</guimenuitem>
-			<guimenuitem>Meganet2</guimenuitem>
-			<guimenuitem>Massive</guimenuitem>
-		</menuchoice>. Click on <guimenu>Massive</guimenu>
-			<guimenu>Printers and Faxes</guimenu>.
-		</para></step>
-
-		<step><para>
-		Identify a printer that is shown in the right panel. Let us assume the printer is called 
-		<constant>ps01-color</constant>. Right-click on the <guimenu>ps01-color</guimenu> icon
-		and select the <guimenu>Properties</guimenu> entry. This opens a dialog box that indicates
-		that <quote>The printer driver is not installed on this computer. Some printer properties
-		will not be accessible unless you install the printer driver. Do you want to install the
-		driver now?</quote> It is important at this point you answer <guimenu>No</guimenu>.
-		</para></step>
-
-		<step><para>
-		The printer properties panel for the <guimenu>ps01-color</guimenu> printer on the server 
-		<constant>MASSIVE</constant> is displayed. Click the <guimenu>Advanced</guimenu> tab.
-		Note that the box labeled <guimenu>Driver</guimenu> is empty. Click the <guimenu>New Driver</guimenu>
-		button that is next to the <guimenu>Driver</guimenu> box. This launches the <quote>Add Printer Wizard</quote>.
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>Add Printer Wizard</primary><secondary>APW</secondary></indexterm>
-		<indexterm><primary>APW</primary></indexterm>
-		The <quote>Add Printer Driver Wizard on <constant>MASSIVE</constant></quote> panel 
-		is now presented. Click <guimenu>Next</guimenu> to continue. From the left panel, select the 
-		printer manufacturer. In your case, you are adding a driver for a printer manufactured by 
-		Lexmark. In the right panel, select the printer (Lexmark Optra Color 40 PS). Click 
-		<guimenu>Next</guimenu>, and then <guimenu>Finish</guimenu> to commence driver upload. A 
-		progress bar appears and instructs you as each file is being uploaded and that it is being 
-		directed at the network server <constant>\\massive\ps01-color</constant>.
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>printers</primary><secondary>Advanced</secondary></indexterm>
-		<indexterm><primary>printers</primary><secondary>Properties</secondary></indexterm>
-		<indexterm><primary>printers</primary><secondary>Sharing</secondary></indexterm>
-		<indexterm><primary>printers</primary><secondary>General</secondary></indexterm>
-		<indexterm><primary>printers</primary><secondary>Security</secondary></indexterm>
-		<indexterm><primary>AD printer publishing</primary></indexterm>
-		The driver upload completes in anywhere from a few seconds to a few minutes. When it completes,
-		you are returned to the <guimenu>Advanced</guimenu> tab in the <guimenu>Properties</guimenu> panel. 
-		You can set the Location (under the <guimenu>General</guimenu> tab) and Security settings (under 
-		the <guimenu>Security</guimenu> tab). Under the <guimenu>Sharing</guimenu> tab it is possible to
-		load additional printer drivers; there is also a check-box in this tab called <quote>List in the
-		directory</quote>. When this box is checked, the printer will be published in Active Directory
-		(Applicable to Active Directory use only.)
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>printers</primary><secondary>Default Settings</secondary></indexterm>
-		Click <guimenu>OK</guimenu>. It will take a minute or so to upload the settings to the server. 
-		You are now returned to the <guimenu>Printers and Faxes on Massive</guimenu> monitor.
-		Right-click on the printer, click <menuchoice><guimenu>Properties</guimenu> 
-		<guimenuitem>Device Settings</guimenuitem> </menuchoice>.  Now change the settings to suit 
-		your requirements. BE CERTAIN TO CHANGE AT LEAST ONE SETTING and apply the changes even if 
-		you need to reverse the changes back to their original settings. 
-		</para></step>
-
-		<step><para>
-		This is necessary so that the printer settings are initialized in the Samba printers
-		database. Click <guimenu>Apply</guimenu> to commit your settings. Revert any settings you changed
-		just to initialize the Samba printers database entry for this printer. If you need to revert a setting,
-		click <guimenu>Apply</guimenu> again.
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>Print Test Page</primary></indexterm>
-		Verify that all printer settings are at the desired configuration. When you are satisfied that they are,
-		click the <guimenu>General</guimenu> tab. Now click the <guimenu>Print Test Page</guimenu> button.
-		A test page should print. Verify that it has printed correctly. Then click <guimenu>OK</guimenu>
-		in the panel that is newly presented. Click <guimenu>OK</guimenu> on the <guimenu>ps01-color on 
-		massive Properties</guimenu> panel.
-		</para></step>
-
-		<step><para>
-		You must repeat this process for all network printers (i.e., for every printer on each server).
-		When you have finished uploading drivers to all printers, close all applications. The next task
-		is to install software your users require to do their work.
-		</para></step>
-
-	</procedure>
-
-	</sect2>
-
-	<sect2>
-	<title>Software Installation</title>
-
-	<para>
-	Your network has both fixed desktop workstations as well as notebook computers. As a general rule, it is
-	a good idea to not tamper with the operating system that is provided by the notebook computer manufacturer.
-	Notebooks require special handling that is beyond the scope of this chapter.
-	</para>
-
-	<para>
-	For desktop systems, the installation of software onto administratively centralized application servers
-	make a lot of sense. This means that you can manage software maintenance from a central
-	perspective and that only minimal application stubware needs to be installed onto the desktop
-	systems. You should proceed with software installation and default configuration as far as is humanly
-	possible and so long as it makes sense to do so. Make certain to thoroughly test and validate every aspect
-	of software operations and configuration.
-	</para>
-
-	<para>
-	When you believe that the overall configuration is complete, be sure to create a shared group profile
-	and migrate that to the Samba server for later reuse when creating custom mandatory profiles, just in
-	case a user may have specific needs you had not anticipated.
-	</para>
-
-	</sect2>
-
-	<sect2>
-	<title>Roll-out Image Creation</title>
-
-	<para>
-	The final steps before preparing the distribution Norton Ghost image file you might follow are:
-	</para>
-
-	<blockquote><para>
-	Unjoin the domain &smbmdash; Each workstation requires a unique name and must be independently
-	joined into domain membership.
-	</para></blockquote>
-
-	<blockquote><para>
-	Defragment the hard disk &smbmdash; While not obvious to the uninitiated, defragmentation results
-	in better performance and often significantly reduces the size of the compressed disk image. That
-	also means it will take less time to deploy the image onto 500 workstations.
-	</para></blockquote>
-
-	</sect2>
-
-</sect1>
-
-<sect1>
-	<title>Key Points Learned</title>
-
-	<para>
-	This chapter introduced many new concepts. Is it a sad fact that the example presented deliberately
-	avoided any consideration of security. Security does not just happen; you must design it into your total
-	network. Security begins with a systems design and implementation that anticipates hostile behavior from
-	users both inside and outside the organization. Hostile and malicious intruders do not respect barriers;
-	they accept them as challenges. For that reason, if not simply from a desire to establish safe networking
-	practices, you must not deploy the design presented in this book in an environment where there is risk
-	of compromise.
-	</para>
-
-	<para>
-	<indexterm><primary>Access Control Lists</primary><see>ACLs</see></indexterm>
-	<indexterm><primary>ACLs</primary></indexterm>
-	As a minimum, the LDAP server must be protected by way of Access Control Lists (ACLs), and it must be
-	configured to use secure protocols for all communications over the network. Of course, secure networking
-	does not result just from systems design and implementation but involves constant user education
-	training and, above all, disciplined attention to detail and constant searching for signs of unfriendly
-	or alien activities. Security is itself a topic for a whole book. Please do consult appropriate sources.
-	Jerry Carter's book <ulink url="http://www.booksense.com/product/info.jsp&isbn=1565924916">
-	<emphasis>LDAP System Administration</emphasis></ulink> is a good place to start reading about OpenLDAP
-	as well as security considerations.
-	</para>
-
-	<para>
-	The substance of this chapter that has been deserving of particular attention includes:
-	</para>
-
-	<itemizedlist>
-		<listitem><para>
-		Implementation of an OpenLDAP-based passwd backend, necessary to support distributed
-		domain control.
-		</para></listitem>
-
-		<listitem><para>
-		Implementation of Samba primary and secondary domain controllers with a common LDAP backend
-		for user and group accounts that is shared with the UNIX system through the PADL nss_ldap and
-		pam_ldap tool-sets.
-		</para></listitem>
-
-		<listitem><para>
-		Use of the Idealx smbldap-tools scripts for UNIX (POSIX) account management as well as
-		to manage Samba Windows user and group accounts.
-		</para></listitem>
-
-		<listitem><para>
-		The basics of implementation of Group Policy controls for Windows network clients.
-		</para></listitem>
-
-		<listitem><para>
-		Control over roaming profiles, with particular focus on folder redirection to network drives.
-		</para></listitem>
-
-		<listitem><para>
-		Use of the CUPS printing system together with Samba-based printer driver auto-download.
-		</para></listitem>
-	</itemizedlist>
-
-</sect1>
-
-
-<sect1>
-	<title>Questions and Answers</title>
-
-	<para>
-	Well, here we are at the end of this chapter and we have only ten questions to help you to
-	remember so much. There are bound to be some sticky issues here.
-	</para>
-
-	<qandaset defaultlabel="chap06qa" type="number">
-	<qandaentry>
-	<question>
-
-		<para>
-		Why did you not cover secure practices? Isn't it rather irresponsible to instruct
-		network administrators to implement insecure solutions?
-		</para>
-
-	</question>
-	<answer>
-
-		<para>
-		Let's get this right. This is a book about Samba, not about OpenLDAP and secure
-		communication protocols for subjects other than Samba. Earlier on, you note,
-		that the dynamic DNS and DHCP solutions also used no protective secure communications
-		protocols. The reason for this is simple: There are so many ways of implementing
-		secure protocols that this book would have been even larger and more complex.
-		</para>
-
-		<para>
-		The solutions presented here all work (at least they did for me). Network administrators
-		have the interest and the need to be better trained and instructed in secure networking
-		practices and ought to implement safe systems. I made the decision, right or wrong,
-		to keep this material as simple as possible. The intent of this book is to demonstrate
-		a working solution and not to discuss too many peripheral issues.
-		</para>
-
-		<para>
-		This book makes little mention of backup techniques. Does that mean that I am recommending
-		that you should implement a network without provision for data recovery and for disaster
-		management? Back to our focus: The deployment of Samba has been clearly demonstrated.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-		<para>
-		You have focused much on SUSE Linux and little on the market leader, Red Hat. Do
-		you have a problem with Red Hat Linux? Doesn't that make your guidance irrelevant
-		to the Linux I might be using?
-		</para>
-
-	</question>
-	<answer>
-
-		<para>
-		Both Red Hat Linux and SUSE Linux comply with the Linux Standards Base specifications
-		for a standard Linux distribution. The differences are marginal. Surely you know
-		your Linux platform, and you do have access to administration manuals for it. This
-		book is not a Linux tutorial; it is a Samba tutorial. Let's keep the focus on
-		the Samba part of the book; all the other bits are peripheral (but important) to
-		creation of a total network solution. 
-		</para>
-
-		<para>
-		What I find interesting is the attention reviewers give to Linux installation and to
-		the look and feel of the desktop, but does that make for a great server? In this book,
-		I have paid particular attention to the details of creating a whole solution framework.
-		I have not tightened every nut and bolt, but I have touched on all the issues you
-		need to be familiar with. Over the years many people have approached me wanting to
-		know the details of exactly how to implement a DHCP and dynamic DNS server with Samba
-		and WINS. In this chapter, it is plain to see what needs to be configured to provide
-		transparent interoperability. Likewise for CUPS and Samba interoperation. These are
-		key stumbling areas for many people.
-		</para>
-
-		<para>
-		At every critical junction, I have provided comparative guidance for both SUSE and
-		Red Hat Linux. Both manufacturers have done a great job in furthering the cause
-		of open source software. I favor neither and respect both. I like particular
-		features of both products (companies also). No bias in presentation is intended.
-		Oh, before I forget, I particularly like Debian Linux; that is my favorite playground.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-		<para>
-		You did not use SWAT to configure Samba. Is there something wrong with it?
-		</para>
-
-	</question>
-	<answer>
-
-		<para>
-		That is a good question. As it is, the &smb.conf; file configurations are presented
-		in as direct a format as possible. Adding SWAT into the equation would have complicated
-		matters. I sought simplicity of implementation. The fact is that I did use SWAT to
-		create the files in the first place.
-		</para>
-
-		<para>
-		There are people in the Linux and open source community who feel that SWAT is dangerous
-		and insecure. Many will not touch it with a barge-pole. By not introducing SWAT, I
-		hope to have brought their interests on board. SWAT is well covered is <emphasis>TOSHARG2</emphasis>.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-		<para>
-		You have exposed a well-used password <emphasis>not24get</emphasis>. Is that
-		not irresponsible? 
-		</para>
-
-	</question>
-	<answer>
-
-		<para>
-		Well, I had to use a password of some sort. At least this one has been consistently
-		used throughout. I guess you can figure out that in a real deployment it would make 
-		sense to use a more secure and original password.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-		<para>
-		The Idealx smbldap-tools create many domain group accounts that are not used. Is that
-		a good thing?
-		</para>
-
-	</question>
-	<answer>
-
-		<para>
-		I took this up with Idealx and found them most willing to change that in the next version.
-		Let's give Idealx some credit for the contribution they have made. I appreciate their work
-		and, besides, it does no harm to create accounts that are not now used &smbmdash; at some time 
-		Samba may well use them.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-		<para>
-		Can I use LDAP just for Samba accounts and not for UNIX system accounts?
-		</para>
-
-	</question>
-	<answer>
-
-		<para>
-		Yes, you can do that for user accounts only. Samba requires there to be a POSIX (UNIX)
-		group account for every Windows domain group account. But if you put your users into
-		the system password account, how do you plan to keep all domain controller system
-		password files in sync? I think that having everything in LDAP makes a lot of sense
-		for the UNIX administrator who is still learning the craft and is migrating from MS Windows.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-		<para>
-		Why are the Windows domain RID portions not the same as the UNIX UID?
-		</para>
-
-	</question>
-	<answer>
-
-		<para>
-		Samba uses a well-known public algorithm for assigning RIDs from UIDs and GIDs.
-		This algorithm ought to ensure that there will be no clashes with well-known RIDs.
-		Well-known RIDs have special significance to MS Windows clients. The automatic
-		assignment used the calculation: RID = UID x 2 + 1000. Of course, Samba does
-		permit you to override that to some extent. See the &smb.conf; man page entry
-		for <parameter>algorithmic rid base</parameter>.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-		<para>
-		Printer configuration examples all show printing to the HP port 9100. Does this
-		mean that I must have HP printers for these solutions to work?
-		</para>
-
-	</question>
-	<answer>
-
-		<para>
-		No. You can use any type of printer and must use the interfacing protocol supported
-		by the printer. Many networks use LPR/LPD print servers to which are attached
-		PCL printers, inkjet printers, plotters, and so on. At home I use a USB-attached
-		inkjet printer. Use the appropriate device URI (Universal Resource Interface)
-		argument to the <constant>lpadmin -v</constant> option that is right for your
-		printer.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-		<para>
-		Is folder redirection dangerous? I've heard that you can lose your data that way.
-		</para>
-
-	</question>
-	<answer>
-
-		<para>
-		The only loss of data I know of that involved folder redirection was caused by
-		manual misuse of the redirection tool. The administrator redirected a folder to
-		a network drive and said he wanted to migrate (move) the data over. Then he 
-		changed his mind, so he moved the folder back to the roaming profile. This time,
-		he declined to move the data because he thought it was still in the local profile
-		folder. That was not the case, so by declining to move the data back, he wiped out
-		the data. You cannot hold the tool responsible for that. Caveat emptor still applies.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-		<para>
-		Is it really necessary to set a local Group Policy to exclude the redirected
-		folders from the roaming profile?
-		</para>
-
-	</question>
-	<answer>
-
-		<para>
-		Yes. If you do not do this, the data will still be copied from the network folder
-		(share) to the local cached copy of the profile.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	</qandaset>
-
-</sect1>
-
-</chapter>
diff --git a/docs-xml/Samba3-ByExample/SBE-MigrateNT4Samba3.xml b/docs-xml/Samba3-ByExample/SBE-MigrateNT4Samba3.xml
deleted file mode 100644
index f7ab1d1..0000000
--- a/docs-xml/Samba3-ByExample/SBE-MigrateNT4Samba3.xml
+++ /dev/null
@@ -1,1787 +0,0 @@
-<?xml version="1.0" encoding="iso-8859-1"?>
-<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
-<chapter id="ntmigration">
-  <title>Migrating NT4 Domain to Samba-3</title>
-
-	<para>
-	Ever since Microsoft announced that it was discontinuing support for Windows
-	NT4, Samba users started to ask for detailed instructions on how to migrate
-	from NT4 to Samba-3. This chapter provides background information that should
-	meet these needs.
-	</para>
-
-	<para>
-	One wonders how many NT4 systems will be left in service by the time you read this
-	book though.
-	</para>
-
-<sect1>
-	<title>Introduction</title>
-
-      <para><indexterm>
-	  <primary>migration</primary>
-	</indexterm>
-	Network administrators who want to migrate off a Windows NT4 environment know
-	one thing with certainty. They feel that NT4 has been abandoned, and they want
-	to update. The desire to get off NT4 and to not adopt Windows 200x and Active
-	Directory is driven by a mixture of concerns over complexity, cost, fear of
-	failure, and much more.
-	</para>
-
-	<para>
-	<indexterm><primary>group policies</primary></indexterm>
-	<indexterm><primary>accounts</primary><secondary>user</secondary></indexterm>
-	<indexterm><primary>accounts</primary><secondary>group</secondary></indexterm>
-	<indexterm><primary>accounts</primary><secondary>machine</secondary></indexterm>
-	The migration from NT4 to Samba-3 can involve a number of factors, including
-	migration of data to another server, migration of network environment controls
-	such as group policies, and migration of the users, groups, and machine
-	accounts.
-	</para>
-
-	<para>
-	<indexterm><primary>accounts</primary><secondary>Domain</secondary></indexterm>
-	It should be pointed out now that it is possible to migrate some systems from
-	a Windows NT4 domain environment to a Samba-3 domain environment. This is certainly
-	not possible in every case. It is possible to just migrate the domain accounts
-	to Samba-3 and then to switch machines, but as a hands-off transition, this is more
-	the exception than the rule. Most systems require some tweaking after
-	migration before an environment that is acceptable for immediate use
-	is obtained.
-	</para>
-
-	<sect2>
-	<title>Assignment Tasks</title>
-
-	<para>
-	<indexterm><primary>LDAP</primary></indexterm>
-	<indexterm><primary>ldapsam</primary></indexterm>
-	<indexterm><primary>passdb backend</primary></indexterm>
-	You are about to migrate an MS Windows NT4 domain accounts database to
-	a Samba-3 server. The Samba-3 server is using a 
-	<parameter>passdb backend</parameter> based on LDAP. The 
-	<constant>ldapsam</constant> is ideal because an LDAP backend can be distributed
-	for use with BDCs &smbmdash; generally essential for larger networks.
-	</para>
-
-	<para>
-	Your objective is to document the process of migrating user and group accounts
-	from several NT4 domains into a single Samba-3 LDAP backend database.
-	</para>
-
-	</sect2>
-</sect1>
-
-<sect1>
-	<title>Dissection and Discussion</title>
-
-	<para>
-	<indexterm><primary>snap-shot</primary></indexterm>
-	<indexterm><primary>NT4 registry</primary></indexterm>
-	<indexterm><primary>registry</primary><secondary>keys</secondary><tertiary>SAM</tertiary></indexterm>
-	<indexterm><primary>registry</primary><secondary>keys</secondary><tertiary>SECURITY</tertiary></indexterm>
-	<indexterm><primary>SAM</primary></indexterm>
-	<indexterm><primary>Security Account Manager</primary><see>SAM</see></indexterm>
-	The migration process takes a snapshot of information that is stored in the
-	Windows NT4 registry-based accounts database. That information resides in
-	the Security Account Manager (SAM) portion of the NT4 registry under keys called
-	<constant>SAM</constant> and <constant>SECURITY</constant>.
-	</para>
-
-	<warning><para>
-	<indexterm><primary>crippled</primary></indexterm>
-	<indexterm><primary>inoperative</primary></indexterm>
-	The Windows NT4 registry keys called <constant>SAM</constant> and <constant>SECURITY</constant>
-	are protected so that you cannot view the contents. If you change the security setting
-	to reveal the contents under these hive keys, your Windows NT4 domain is crippled. Do not
-	do this unless you are willing to render your domain controller inoperative.
-	</para></warning>
-
-	<para>
-	<indexterm><primary>migration</primary><secondary>objectives</secondary></indexterm>
-	<indexterm><primary>disruptive</primary></indexterm>
-	Before commencing an NT4 to Samba-3 migration, you should consider what your objectives are.
-	While in some cases it is possible simply to migrate an NT4 domain to a single Samba-3 server,
-	that may not be a good idea from an administration perspective. Since the process involves going
-	through a certain amount of disruptive activity anyhow, why not take this opportunity to
-	review the structure of the network, how Windows clients are controlled and how they
-	interact with the network environment.
-	</para>
-
-	<para>
-	<indexterm><primary>network</primary><secondary>logon scripts</secondary></indexterm>
-	<indexterm><primary>profiles share</primary></indexterm>
-	<indexterm><primary>security descriptors</primary></indexterm>
-	MS Windows NT4 was introduced some time around 1996. Many environments in which NT4 was deployed
-	have done little to keep the NT4 server environment up to date with more recent Windows releases, 
-	particularly Windows XP Professional. The migration provides opportunity to revise and update 
-	roaming profile deployment as well as folder redirection. Given that you must port the 
-	greater network configuration of this from the old NT4 server to the new Samba-3 server.
-	Do not forget to validate the security descriptors in the profiles share as well as network logon
-	scripts. Feedback from sites that are migrating to Samba-3 suggests that many are using this
-	as a good time to update desktop systems also. In all, the extra effort should constitute no
-	real disruption to users, but rather, with due diligence and care, should make their network experience
-	a much happier one.
-	</para>
-
-	<sect2>
-	<title>Technical Issues</title>
-
-	<para>
-	<indexterm><primary>strategic</primary></indexterm>
-	<indexterm><primary>active directory</primary></indexterm>
-	Migration of an NT4 domain user and group database to Samba-3 involves a certain strategic
-	element. Many sites have asked for instructions regarding merging of multiple NT4
-	domains into one Samba-3 LDAP database. It seems that this is viewed as a significant
-	added value compared with the alternative of migration to Windows Server 200x and Active
-	Directory. The diagram in <link linkend="ch8-migration"/> illustrates the effect of migration
-	from a Windows NT4 domain to a Samba domain.
-	</para>
-
-	<figure id="ch8-migration">
-		<title>Schematic Explaining the <command>net rpc vampire</command> Process</title>
-		<imagefile scale="55">ch8-migration</imagefile>
-	</figure>
-
-	<para>
-	<indexterm><primary>merge</primary></indexterm>
-	<indexterm><primary>passdb.tdb</primary></indexterm>
-	If you want to merge multiple NT4 domain account databases into one Samba domain,
-	you must now dump the contents of the first migration and edit it as appropriate. Now clean
-	out (remove) the tdbsam backend file (<filename>passdb.tdb</filename>) or the LDAP database
-	files. You must start each migration with a new database into which you merge your NT4 
-	domains.
-	</para>
-
-	<para><indexterm>
-	<primary>dump</primary>
-	</indexterm>
-	At this point, you are ready to perform the second migration, following the same steps as
-	for the first. In other words, dump the database, edit it, and then you may merge the
-	dump for the first and second migrations.
-	</para>
-
-	<para><indexterm>
-	<primary>LDAP</primary>
-	</indexterm><indexterm>
-	<primary>migrate</primary>
-	</indexterm><indexterm>
-	<primary>Domain SID</primary>
-	</indexterm>
-	You must be careful. If you choose to migrate to an LDAP backend, your dump file
-	now contains the full account information, including the domain SID. The domain SID for each 
-	of the two NT4 domains will be different. You must choose one and change the domain 
-	portion of the account SIDs so that all are the same.
-	</para>
-
-	<para>
-	<indexterm><primary>passdb.tdb</primary></indexterm>
-	<indexterm><primary>/etc/passwd</primary></indexterm>
-	<indexterm><primary>merged</primary></indexterm>
-	<indexterm><primary>logon script</primary></indexterm>
-	<indexterm><primary>logon hours</primary></indexterm>
-	<indexterm><primary>logon machines</primary></indexterm>
-	<indexterm><primary>profile path</primary></indexterm>
-	<indexterm><primary>smbpasswd</primary></indexterm>
-	<indexterm><primary>tdbsam</primary></indexterm>
-	<indexterm><primary>LDAP backend</primary></indexterm>
-	<indexterm><primary>export</primary></indexterm>
-	<indexterm><primary>import</primary></indexterm>
-	If you choose to use a tdbsam (<filename>passdb.tdb</filename>) backend file, your best choice
-	is to use <command>pdbedit</command> to export the contents of the tdbsam file into an
-	smbpasswd data file. This automatically strips out all domain-specific information,
-	such as logon hours, logon machines, logon script, profile path, as well as the domain SID.
-	The resulting file can be easily merged with other migration attempts (each of which must start
-	with a clean file). It should also be noted that all users who end up in the merged smbpasswd
-	file must have an account in <filename>/etc/passwd</filename>. The resulting smbpasswd file
-	may be exported or imported into either a tdbsam (<filename>passdb.tdb</filename>) or
-	an LDAP backend.
-	</para>
-
-	<figure id="NT4DUM">
-		<title>View of Accounts in NT4 Domain User Manager</title>
-		<imagefile scale="50">UserMgrNT4</imagefile>
-	</figure>
-
-</sect2>
-
-
-<sect2>
-	<title>Political Issues</title>
-
-	<para>
-	The merging of multiple Windows NT4-style domains into a single LDAP-backend-based Samba-3
-	domain may be seen by those who had power over them as a loss of prestige or a loss of
-	power. The imposition of a single domain may even be seen as a threat. So in migrating and
-	merging account databases, be consciously aware of the political fall-out in which you
-	may find yourself entangled when key staff feel a loss of prestige.
-	</para>
-
-	<para>
-	The best advice that can be given to those who set out to merge NT4 domains into a single
-	Samba-3 domain is to promote (sell) the action as one that reduces costs and delivers
-	greater network interoperability and manageability.
-	</para>
-
-	</sect2>
-
-</sect1>
-
-<sect1>
-	<title>Implementation</title>
-
-	<para>
-	From feedback on the Samba mailing lists, it seems that most Windows NT4 migrations
-	to Samba-3 are being performed using a new server or a new installation of a Linux or UNIX
-	server. If you contemplate doing this, please note that the steps that follow in this
-	chapter assume familiarity with the information that has been previously covered in this
-	book. You are particularly encouraged to be familiar with <link linkend="secure"/>,
-	<link linkend="Big500users"/> and <link linkend="happy"/>.
-	</para>
-
-	<para>
-	We present here the steps and example output for two NT4 to Samba-3 domain migrations. The
-	first uses an LDAP-based backend, and the second uses a tdbsam backend. In each case the
-	scripts you specify in the &smb.conf; file for the <parameter>add user script</parameter>
-	collection of parameters are used to effect the addition of accounts into the passdb backend.
-	</para>
-
-	<para>
-	Before proceeding to NT4 migration using either a tdbsam or ldapsam, it is most strongly recommended to
-	review <link linkend="ch5-dnshcp-setup"/> for DNS and DHCP configuration. The importance of correctly
-	functioning name resolution must be recognized. This applies equally for both hostname and NetBIOS names
-	(machine names, computer names, domain names, workgroup names &smbmdash; ALL names!).
-	</para>
-
-	<para>
-	The migration process involves the following steps:
-	</para>
-
-	<itemizedlist>
-		<listitem><para>
-		Prepare the target Samba-3 server. This involves configuring Samba-3 for
-		migration to either a tdbsam or an ldapsam backend.
-		</para></listitem>
-
-		<listitem><para>
-		<indexterm><primary>uppercase</primary></indexterm>
-		<indexterm><primary>Posix</primary></indexterm>
-		<indexterm><primary>lower-case</primary></indexterm>
-		Clean up the source NT4 PDC. Delete all accounts that need not be migrated.
-		Delete all files that should not be migrated. Where possible, change NT group
-		names so there are no spaces or uppercase characters. This is important if
-		the target UNIX host insists on POSIX-compliant all lowercase user and group
-		names.
-		</para></listitem>
-
-		<listitem><para>
-		Step through the migration process.
-		</para></listitem>
-
-		<listitem><para><indexterm><primary>PDC</primary></indexterm>
-		Remove the NT4 PDC from the network.
-		</para></listitem>
-
-		<listitem><para>
-		Upgrade the Samba-3 server from a BDC to a PDC, and validate all account
-		information.
-		</para></listitem>
-	</itemizedlist>
-
-	<para>
-	It may help to use the above outline as a pre-migration checklist.
-	</para>
-
-	<sect2>
-	<title>NT4 Migration Using LDAP Backend</title>
-
-	<para>
-	In this example, the migration is of an NT4 PDC to a Samba-3 PDC with an LDAP backend. The accounts about
-	to be migrated are shown in <link linkend="NT4DUM"/>. In this example use is made of the
-	smbldap-tools scripts to add the accounts that are migrated into the ldapsam passdb backend.
-	Four scripts are essential to the migration process. Other scripts will be required
-	for daily management, but these are not critical to migration. The critical scripts are dependant
-	on which passdb backend is being used. Refer to <link linkend="ch8-vampire"/> to see which scripts
-	must be provided so that the migration process can complete.
-	</para>
-
-	<para>
-	Verify that you have correctly specified in the &smb.conf; file the scripts and arguments 
-	that should be passed to them before attempting to perform the account migration. Note also
-	that the deletion scripts must be commented out during migration. These should be uncommented
-	following successful migration of the NT4 Domain accounts.
-	</para>
-
-	<warning><para>
-	Under absolutely no circumstances should the Samba daemons be started until instructed to do so.
-	Delete the <filename>/etc/samba/secrets.tdb</filename> file and all Samba control tdb files
-	before commencing the following configuration steps.
-	</para></warning>
-
-	<table id="ch8-vampire">
-		<title>Samba &smb.conf; Scripts Essential to Samba Operation</title>
-		<tgroup cols="3">
-			<colspec align="left"/>
-			<colspec align="center"/>
-			<colspec align="center"/>
-			<thead>
-				<row>
-					<entry>Entity</entry>
-					<entry>ldapsam Script</entry>
-					<entry>tdbsam Script</entry>
-				</row>
-			</thead>
-			<tbody>
-				<row>
-					<entry>Add User Accounts</entry>
-					<entry>smbldap-useradd</entry>
-					<entry>useradd</entry>
-				</row>
-				<row>
-					<entry>Delete User Accounts</entry>
-					<entry>smbldap-userdel</entry>
-					<entry>userdel</entry>
-				</row>
-				<row>
-					<entry>Add Group Accounts</entry>
-					<entry>smbldap-groupadd</entry>
-					<entry>groupadd</entry>
-				</row>
-				<row>
-					<entry>Delete Group Accounts</entry>
-					<entry>smbldap-groupdel</entry>
-					<entry>groupdel</entry>
-				</row>
-				<row>
-					<entry>Add User to Group</entry>
-					<entry>smbldap-groupmod</entry>
-					<entry>usermod (See Note)</entry>
-				</row>
-				<row>
-					<entry>Add Machine Accounts</entry>
-					<entry>smbldap-useradd</entry>
-					<entry>useradd</entry>
-				</row>
-			</tbody>
-		</tgroup>
-	</table>
-
-	<note><para>
-	<indexterm><primary>usermod</primary></indexterm>
-	<indexterm><primary>groupmem</primary></indexterm>
-	<indexterm><primary>smbldap-tools</primary></indexterm>
-	The UNIX/Linux <command>usermod</command> utility does not permit simple user addition to (or deletion
-	of users from) groups. This is a feature provided by the smbldap-tools scripts. If you want this
-	capability, you must create your own tool to do this. Alternately, you can search the Web
-	to locate a utility called <command>groupmem</command> (by George Kraft) that provides this functionality.
-	The <command>groupmem</command> utility was contributed to the shadow package but has not surfaced
-	in the formal commands provided by Linux distributions (March 2004).
-	</para></note>
-
-	<note><para>
-	<indexterm><primary>tdbdump</primary></indexterm>
-	The <command>tdbdump</command> utility is a utility that you can build from the Samba source-code tree. Not all Linux binary distributions include this tool. If it is missing from your
-	Linux distribution, you will need to build this yourself or else forgo its use.
-	</para></note>
-
-	<para>
-	<indexterm><primary>User Manager</primary></indexterm>
-	Before starting the migration, all dead accounts were removed from the NT4 domain using the User Manager for Domains.
-	</para>
-
-	<procedure>
-	<title>User Migration Steps</title>
-
-		<step><para>
-		Configure the Samba &smb.conf; file to create a BDC. An example configuration is
-		given in <link linkend="sbent4smb"/>.
-		The delete scripts are commented out so that during the process of migration
-		no account information can be deleted.
-		</para></step>
-
-<example id="sbent4smb">
-<title>NT4 Migration Samba-3 Server <filename>smb.conf</filename> &smbmdash; Part: A</title>
-<smbconfblock>
-<smbconfsection name="[global]"/>
-        <smbconfoption name="workgroup">DAMNATION</smbconfoption>
-        <smbconfoption name="netbios name">MERLIN</smbconfoption>
-        <smbconfoption name="passdb backend">ldapsam:ldap://localhost</smbconfoption>
-        <smbconfoption name="log level">1</smbconfoption>
-        <smbconfoption name="syslog">0</smbconfoption>
-        <smbconfoption name="log file">/var/log/samba/%m</smbconfoption>
-        <smbconfoption name="max log size">0</smbconfoption>
-        <smbconfoption name="smb ports">139 445</smbconfoption>
-        <smbconfoption name="name resolve order">wins bcast hosts</smbconfoption>
-        <smbconfoption name="add user script">/opt/IDEALX/sbin/smbldap-useradd -m '%u'</smbconfoption>
-        <smbconfoption name="#delete user script">/opt/IDEALX/sbin/smbldap-userdel '%u'</smbconfoption>
-        <smbconfoption name="add group script">/opt/IDEALX/sbin/smbldap-groupadd '%g'</smbconfoption>
-        <smbconfoption name="#delete group script">/opt/IDEALX/sbin/smbldap-groupdel '%g'</smbconfoption>
-		<smbconfoption name="add user to group script">/opt/IDEALX/sbin/ smbldap-groupmod -m '%u' '%g'</smbconfoption>
-		<smbconfoption name="#delete user from group script">/opt/IDEALX/sbin/smbldap-groupmod -x '%u' '%g'</smbconfoption>
-		<smbconfoption name="set primary group script">/opt/IDEALX/sbin/smbldap-usermod -g '%g' '%u'</smbconfoption>
-		<smbconfoption name="add machine script">/opt/IDEALX/sbin/smbldap-useradd -w '%u'</smbconfoption>
-        <smbconfoption name="logon script">scripts\logon.cmd</smbconfoption>
-        <smbconfoption name="logon path">\\%L\profiles\%U</smbconfoption>
-        <smbconfoption name="logon home">\\%L\%U</smbconfoption>
-        <smbconfoption name="logon drive">X:</smbconfoption>
-        <smbconfoption name="domain logons">Yes</smbconfoption>
-        <smbconfoption name="domain master">No</smbconfoption>
-        <smbconfoption name="#wins support">Yes</smbconfoption>
-        <smbconfoption name="wins server">192.168.123.124</smbconfoption>
-        <smbconfoption name="ldap admin dn">cn=Manager,dc=terpstra-world,dc=org</smbconfoption>
-        <smbconfoption name="ldap group suffix">ou=Groups</smbconfoption>
-        <smbconfoption name="ldap idmap suffix">ou=Idmap</smbconfoption>
-        <smbconfoption name="ldap machine suffix">ou=People</smbconfoption>
-        <smbconfoption name="ldap passwd sync">Yes</smbconfoption>
-        <smbconfoption name="ldap suffix">dc=terpstra-world,dc=org</smbconfoption>
-        <smbconfoption name="ldap ssl">no</smbconfoption>
-        <smbconfoption name="ldap timeout">20</smbconfoption>
-        <smbconfoption name="ldap user suffix">ou=People</smbconfoption>
-        <smbconfoption name="idmap backend">ldap:ldap://localhost</smbconfoption>
-        <smbconfoption name="idmap uid">15000-20000</smbconfoption>
-        <smbconfoption name="idmap gid">15000-20000</smbconfoption>
-        <smbconfoption name="winbind nested groups">Yes</smbconfoption>
-        <smbconfoption name="ea support">Yes</smbconfoption>
-        <smbconfoption name="map acl inherit">Yes</smbconfoption>
-	</smbconfblock>
-</example>
-
-<example id="sbent4smb2">
-<title>NT4 Migration Samba-3 Server <filename>smb.conf</filename> &smbmdash; Part: B</title>
-<smbconfblock>
-<smbconfsection name="[apps]"/>
-        <smbconfoption name="comment">Application Data</smbconfoption>
-        <smbconfoption name="path">/data/home/apps</smbconfoption>
-		<smbconfoption name="read only">No</smbconfoption>
-
-<smbconfsection name="[homes]"/>
-        <smbconfoption name="comment">Home Directories</smbconfoption>
-        <smbconfoption name="path">/home/users/%U/Documents</smbconfoption>
-        <smbconfoption name="valid users">%S</smbconfoption>
-        <smbconfoption name="read only">No</smbconfoption>
-        <smbconfoption name="browseable">No</smbconfoption>
-
-<smbconfsection name="[printers]"/>
-        <smbconfoption name="comment">SMB Print Spool</smbconfoption>
-        <smbconfoption name="path">/var/spool/samba</smbconfoption>
-        <smbconfoption name="guest ok">Yes</smbconfoption>
-        <smbconfoption name="printable">Yes</smbconfoption>
-        <smbconfoption name="use client driver">No</smbconfoption>
-        <smbconfoption name="browseable">No</smbconfoption>
-
-<smbconfsection name="[netlogon]"/>
-        <smbconfoption name="comment">Network Logon Service</smbconfoption>
-        <smbconfoption name="path">/var/lib/samba/netlogon</smbconfoption>
-        <smbconfoption name="guest ok">Yes</smbconfoption>
-        <smbconfoption name="locking">No</smbconfoption>
-
-<smbconfsection name="[profiles]"/>
-        <smbconfoption name="comment">Profile Share</smbconfoption>
-        <smbconfoption name="path">/var/lib/samba/profiles</smbconfoption>
-        <smbconfoption name="read only">No</smbconfoption>
-        <smbconfoption name="profile acls">Yes</smbconfoption>
-
-<smbconfsection name="[profdata]"/>
-        <smbconfoption name="comment">Profile Data Share</smbconfoption>
-        <smbconfoption name="path">/var/lib/samba/profdata</smbconfoption>
-        <smbconfoption name="read only">No</smbconfoption>
-        <smbconfoption name="profile acls">Yes</smbconfoption>
-
-<smbconfsection name="[print$]"/>
-        <smbconfoption name="comment">Printer Drivers</smbconfoption>
-        <smbconfoption name="path">/var/lib/samba/drivers</smbconfoption>
-	</smbconfblock>
-</example>
-
-		<step><para>
-		<indexterm><primary>slapd.conf</primary></indexterm>
-		Configure OpenLDAP in preparation for the migration. An example
-		<filename>sladp.conf</filename> file is shown in <link linkend="sbentslapd"/>.
-		The <constant>rootpw</constant> value is an encrypted password string that can
-		be obtained by executing the <command>slappasswd</command> command.
-		</para></step>
-
-<example id="sbentslapd">
-<title>NT4 Migration LDAP Server Configuration File: <filename>/etc/openldap/slapd.conf</filename> &smbmdash; Part A</title>
-<screen>
-include         /etc/openldap/schema/core.schema
-include         /etc/openldap/schema/cosine.schema
-include         /etc/openldap/schema/inetorgperson.schema
-include         /etc/openldap/schema/nis.schema
-include         /etc/openldap/schema/samba3.schema
-
-pidfile         /var/run/slapd/slapd.pid
-argsfile        /var/run/slapd/slapd.args
-
-access to dn.base=""
-                by self write
-                by * auth
-
-access to attr=userPassword
-                by self write
-                by * auth
-
-access to attr=shadowLastChange
-                by self write
-                by * read
-
-access to *
-                by * read
-                by anonymous auth
-</screen>
-</example>
-
-<example id="sbentslapd2">
-<title>NT4 Migration LDAP Server Configuration File: <filename>/etc/openldap/slapd.conf</filename> &smbmdash; Part B</title>
-<screen>
-#loglevel       256
-
-#schemacheck     on
-idletimeout     30
-#backend         bdb
-database        bdb
-checkpoint      1024 5
-cachesize       10000
-
-suffix          "dc=terpstra-world,dc=org"
-rootdn          "cn=Manager,dc=terpstra-world,dc=org"
-
-# rootpw = not24get
-rootpw          {SSHA}86kTavd9Dw3FAz6qzWTrCOKX/c0Qe+UV
-
-directory       /var/lib/ldap
-
-# Indices to maintain
-index objectClass           eq
-index cn                    pres,sub,eq
-index sn                    pres,sub,eq
-index uid                   pres,sub,eq
-index displayName           pres,sub,eq
-index uidNumber             eq
-index gidNumber             eq
-index memberUID             eq
-index sambaSID              eq
-index sambaPrimaryGroupSID  eq
-index sambaDomainName       eq
-index default               sub
-</screen>
-</example>
-
-		<step><para>
-		<indexterm><primary>nss_ldap</primary></indexterm>
-		<indexterm><primary>/etc/ldap.conf</primary></indexterm>
-		Install the PADL <command>nss_ldap</command> tool set, then configure the <filename>/etc/ldap.conf</filename>
-		as shown in <link linkend="sbrntldapconf"/>.
-		</para></step>
-
-<example id="sbrntldapconf">
-<title>NT4 Migration NSS LDAP File: <filename>/etc/ldap.conf</filename></title>
-<screen>
-host    127.0.0.1
-
-base    dc=terpstra-world,dc=org
-
-ldap_version    3
-
-binddn cn=Manager,dc=terpstra-world,dc=org
-bindpw not24get
-
-pam_password exop
-
-nss_base_passwd         ou=People,dc=terpstra-world,dc=org?one
-nss_base_shadow         ou=People,dc=terpstra-world,dc=org?one
-nss_base_group          ou=Groups,dc=terpstra-world,dc=org?one
-
-ssl off
-</screen>
-</example>
-
-		<step><para>
-		<indexterm><primary>/etc/nsswitch.conf</primary></indexterm>
-		Edit the <filename>/etc/nsswitch.conf</filename> file so it has the entries shown
-		in <link linkend="sbentnss"/>. Note that the LDAP entries have been commented out.
-		This is deliberate. If these entries are active (not commented out), and the
-		<filename>/etc/ldap.conf</filename> file has been configured, when the LDAP server
-		is started, the process of starting the LDAP server will cause LDAP lookups. This
-		causes the LDAP server <command>slapd</command> to hang because it finds port 389
-		open and therefore cannot gain exclusive control of it. By commenting these entries
-		out, it is possible to avoid this gridlock situation and thus the overall
-		installation and configuration will progress more smoothly.
-		</para></step>
-
-<example id="sbentnss">
-<title>NT4 Migration NSS Control File: <filename>/etc/nsswitch.conf</filename> (Stage:1)</title>
-<screen>
-passwd:         files #ldap
-shadow:         files #ldap
-group:          files #ldap
-
-hosts:          files dns wins
-networks:       files dns
-
-services:       files
-protocols:      files
-rpc:            files
-ethers:         files
-netmasks:       files
-netgroup:       files
-publickey:      files
-
-bootparams:     files
-automount:      files nis
-aliases:        files
-#passwd_compat: ldap       #Not needed.
-#group_compat:  ldap      #Not needed.
-</screen>
-</example>
-
-		<step><para>
-		Validate the the target NT4 PDC name is being correctly resolved to its IP address by
-		executing the following:
-<screen>
-&rootprompt; ping transgression
-PING transgression.terpstra-world.org (192.168.1.5) 56(84) bytes of data.
-64 bytes from (192.168.1.5): icmp_seq=1 ttl=128 time=0.159 ms
-64 bytes from (192.168.1.5): icmp_seq=2 ttl=128 time=0.192 ms
-64 bytes from (192.168.1.5): icmp_seq=3 ttl=128 time=0.141 ms
-
---- transgression.terpstra-world.org ping statistics ---
-3 packets transmitted, 3 received, 0% packet loss, time 2000ms
-rtt min/avg/max/mdev = 0.141/0.164/0.192/0.021 ms
-</screen>
-		Do not proceed to the next step if this step fails. It is imperative that the name of the PDC
-		can be resolved to its IP address. If this is broken, fix it.
-		</para></step>
-
-		<step><para>
-		Pull the domain SID from the NT4 domain that is being migrated as follows:
-<screen>
-&rootprompt; net rpc getsid -S TRANGRESSION -U Administrator%not24get
-Storing SID S-1-5-21-1385457007-882775198-1210191635 \
-                     for Domain DAMNATION in secrets.tdb
-</screen>
-		</para>
-
-		<para>
-		Another way to obtain the domain SID from the target NT4 domain that is being
-		migrated to Samba-3 is by executing the following:
-<screen>
-&rootprompt; net rpc info -S TRANSGRESSION
-</screen>
-		If this method is used, do not forget to store the SID obtained into the
-		<filename>secrets.tdb</filename> file. This can be done by executing:
-<screen>
-&rootprompt; net setlocalsid S-1-5-21-1385457007-882775198-1210191635
-</screen>
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>Idealx</primary></indexterm>
-		<indexterm><primary>configure.pl</primary></indexterm>
-		<indexterm><primary>/opt/IDEALX/sbin</primary></indexterm>
-		<indexterm><primary>smbldap-tools</primary></indexterm>
-		Install the Idealx <command>smbldap-tools</command> software package, following
-		the instructions given in <link linkend="sbeidealx"/>. The resulting perl scripts
-		should be located in the <filename>/opt/IDEALX/sbin</filename> directory.
-		Change into that location, or wherever the scripts have been installed. Execute the
-		<filename>configure.pl</filename> script to configure the Idealx package for use.
-		Note: Use the domain SID obtained from the step above. The following is
-		an example configuration session:
-<screen>
-&rootprompt; ./configure.pl
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-       smbldap-tools script configuration
-       -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-Before starting, check
- . if your samba controller is up and running.
- . if the domain SID is defined
-                           (you can get it with the 'net getlocalsid')
-
- . you can leave the configuration using the Crtl-c key combination
- . empty value can be set with the "." character
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-Looking for configuration files...
-
-Samba Config File Location [/etc/samba/smb.conf] >
-smbldap Config file Location (global parameters)
-           [/etc/smbldap-tools/smbldap.conf] >
-smbldap Config file Location (bind parameters)
-      [/etc/smbldap-tools/smbldap_bind.conf] >
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-Let's start configuring the smbldap-tools scripts ...
-
-. workgroup name: name of the domain Samba act as a PDC
-  workgroup name [DAMNATION] >
-. netbios name: netbios name of the samba controller
-  netbios name [MERLIN] >
-. logon drive: local path to which the home directory
-         will be connected (for NT Workstations). Ex: 'H:'
-  logon drive [X:] > H:
-. logon home: home directory location (for Win95/98 or NT Workstation)
-  (use %U as username) Ex:'\\MERLIN\home\%U'
-  logon home (leave blank if you don't want homeDirectory)
-                                       [\\MERLIN\home\%U] > \\%L\%U
-. logon path: directory where roaming profiles are stored.
-                                     Ex:'\\MERLIN\profiles\%U'
-  logon path (leave blank if you don't want roaming profile)
-                          [\\MERLIN\profiles\%U] > \\%L\profiles\%U
-. home directory prefix (use %U as username) [/home/%U] >
-                                                        /home/users/%U
-. default user netlogon script (use %U as username) 
-                               [%U.cmd] > scripts\logon.cmd
-  default password validation time (time in days) [45] > 180
-. ldap suffix [dc=terpstra-world,dc=org] >
-. ldap group suffix [ou=Groups] >
-. ldap user suffix [ou=People] >
-. ldap machine suffix [ou=People] >
-. Idmap suffix [ou=Idmap] >
-. sambaUnixIdPooldn: object where you want to store the next uidNumber
-  and gidNumber available for new users and groups
-  sambaUnixIdPooldn object (relative to ${suffix}) 
-                                         [sambaDomainName=DAMNATION] >
-. ldap master server: 
-           IP address or DNS name of the master (writable) ldap server
-  ldap master server [] > 127.0.0.1
-. ldap master port [389] >
-. ldap master bind dn [cn=Manager,dc=terpstra-world,dc=org] >
-. ldap master bind password [] >
-. ldap slave server: IP address or DNS name of the slave ldap server:
-                                         can also be the master one
-  ldap slave server [] > 127.0.0.1
-. ldap slave port [389] >
-. ldap slave bind dn [cn=Manager,dc=terpstra-world,dc=org] >
-. ldap slave bind password [] >
-. ldap tls support (1/0) [0] >
-. SID for domain DAMNATION: SID of the domain 
-                       (can be obtained with 'net getlocalsid MERLIN')
-  SID for domain DAMNATION []
-        > S-1-5-21-1385457007-882775198-1210191635
-. unix password encryption: encryption used for unix passwords
-unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA] > MD5
-. default user gidNumber [513] >
-. default computer gidNumber [515] >
-. default login shell [/bin/bash] >
-. default domain name to append to mail address [] >
-                                                    terpstra-world.org
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-backup old configuration files:
-  /etc/smbldap-tools/smbldap.conf->
-                              /etc/smbldap-tools/smbldap.conf.old
-  /etc/smbldap-tools/smbldap_bind.conf->
-                              /etc/smbldap-tools/smbldap_bind.conf.old
-writing new configuration file:
-  /etc/smbldap-tools/smbldap.conf done.
-  /etc/smbldap-tools/smbldap_bind.conf done.
-</screen>
-		<indexterm><primary>sambaDomainName</primary></indexterm>
-		<indexterm><primary>NextFreeUnixId</primary></indexterm>
-		<indexterm><primary>updating smbldap-tools</primary></indexterm>
-		<indexterm><primary>smbldap-tools updating</primary></indexterm>
-		Note that the NT4 domain SID that was previously obtained was entered above. Also,
-		the sambaUnixIdPooldn object was specified as sambaDomainName=DAMNATION. This is
-		the location into which the Idealx smbldap-tools store the next available UID/GID
-		information. It is also where Samba stores domain specific information such as the
-		next RID, the SID, and so on. In older version of the smbldap-tools this information
-		was stored in the sambaUnixIdPooldn DIT location cn=NextFreeUnixId. Where smbldap-tools
-		are being upgraded to version 0.9.1 it is appropriate to update this to the new location
-		only if the directory information is also relocated.
-		</para></step>
-
-		<step><para>
-		Start the LDAP server using the system interface script. On Novell SLES9
-		this is done as shown here:
-<screen>
-&rootprompt; rcldap start
-</screen>
-		</para></step>
-
-		<step><para>
-		Edit the <filename>/etc/nsswitch.conf</filename> file so it has the entries shown in
-		<link linkend="sbentnss2"/>. Note that the LDAP entries have now been uncommented.
-		</para></step>
-
-<example id="sbentnss2">
-<title>NT4 Migration NSS Control File: <filename>/etc/nsswitch.conf</filename> (Stage:2)</title>
-<screen>
-passwd:         files ldap
-shadow:         files ldap
-group:          files ldap
-
-hosts:          files dns wins
-networks:       files dns
-
-services:       files
-protocols:      files
-rpc:            files
-ethers:         files
-netmasks:       files
-netgroup:       files
-publickey:      files
-
-bootparams:     files
-automount:      files nis
-aliases:        files
-#passwd_compat: ldap       #Not needed.
-#group_compat:  ldap      #Not needed.
-</screen>
-</example>
-
-		<step><para>
-		The LDAP management password must be installed into the <filename>secrets.tdb</filename>
-		file as follows:
-<screen>
-&rootprompt; smbpasswd -w not24get
-Setting stored password for 
-            "cn=Manager,dc=terpstra-world,dc=org" in secrets.tdb
-</screen>
-		</para></step>
-
-		<step><para>
-		Populate the LDAP directory as shown here:
-<screen>
-&rootprompt; /opt/IDEALX/sbin/smbldap-populate -a root -k 0 -m 0
-Using workgroup name from sambaUnixIdPooldn (smbldap.conf):
-                          sambaDomainName=DAMNATION
-Using builtin directory structure
-adding new entry: dc=terpstra-world,dc=org
-adding new entry: ou=People,dc=terpstra-world,dc=org
-adding new entry: ou=Groups,dc=terpstra-world,dc=org
-entry ou=People,dc=terpstra-world,dc=org already exist.
-adding new entry: ou=Idmap,dc=terpstra-world,dc=org
-adding new entry: sambaDomainName=DAMNATION,dc=terpstra-world,dc=org
-adding new entry: uid=root,ou=People,dc=terpstra-world,dc=org
-adding new entry: uid=nobody,ou=People,dc=terpstra-world,dc=org
-adding new entry: cn=Domain Admins,ou=Groups,dc=terpstra-world,dc=org
-adding new entry: cn=Domain Users,ou=Groups,dc=terpstra-world,dc=org
-adding new entry: cn=Domain Guests,ou=Groups,dc=terpstra-world,dc=org
-adding new entry: cn=Domain Computers,ou=Groups,dc=terpstra-world,dc=org
-adding new entry: cn=Administrators,ou=Groups,dc=terpstra-world,dc=org
-adding new entry: cn=Print Operators,ou=Groups,dc=terpstra-world,dc=org
-adding new entry: cn=Backup Operators,ou=Groups,dc=terpstra-world,dc=org
-adding new entry: cn=Replicators,ou=Groups,dc=terpstra-world,dc=org
-</screen>
-		The script tries to add the ou=People container twice, hence the error message.
-		This is expected behavior.
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>Novell SUSE SLES 9</primary></indexterm>
-		Restart the LDAP server following initialization of the LDAP directory. Execute the
-		system control script provided on your system. The following steps can be used on
-		Novell SUSE SLES 9:
-<screen>
-&rootprompt; rcldap restart
-&rootprompt; chkconfig ldap on
-</screen>
-		</para></step>
-
-		<step><para>
-		Verify that the new user accounts that have been added to the LDAP directory can be
-		resolved as follows:
-<screen>
-&rootprompt; getent passwd
-...
-nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
-man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
-news:x:9:13:News system:/etc/news:/bin/bash
-uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
-+::0:0:::
-root:x:0:0:Netbios Domain Administrator:/home/users/root:/bin/false
-nobody:x:999:514:nobody:/dev/null:/bin/false
-</screen>
-		Now repeat this for the group accounts as shown here:
-<screen>
-&rootprompt; getent group
-...
-nobody:x:65533:
-nogroup:x:65534:nobody
-users:x:100:
-+::0:
-Domain Admins:x:512:root
-Domain Users:x:513:
-Domain Guests:x:514:
-Domain Computers:x:515:
-Administrators:x:544:
-Print Operators:x:550:
-Backup Operators:x:551:
-Replicators:x:552:
-</screen>
-		In both cases the LDAP accounts follow the <quote>+::0:</quote> entry.
-		</para></step>
-
-		<step><para>
-		Now it is time to join the Samba BDC to the target NT4 domain that is being
-		migrated to Samba-3 by executing the following:
-<screen>
-&rootprompt; net rpc join -S TRANSGRESSION -U Administrator%not24get
-merlin:/opt/IDEALX/sbin # net rpc join -S TRANSGRESSION \
-                         -U Administrator%not24get
-Joined domain DAMNATION.
-</screen>
-		</para></step>
-
-		<step><para>
-		Set the new domain administrator (root) password for both UNIX and Windows as shown here:
-<screen>
-&rootprompt; /opt/IDEALX/sbin/smbldap-passwd root
-Changing password for root
-New password : ********
-Retype new password : ********
-</screen>
-		Note: During account migration, the Windows Administrator account will not be migrated
-		to the Samba server.
-		</para></step>
-
-		<step><para>
-		Now validate that these accounts can be resolved using Samba's tools as
-		shown here for user accounts:
-<screen>
-&rootprompt; pdbedit -Lw
-root:0:84B0D8E14D158FF8417EAF50CFAC29C3:
-        AF6DD3FD4E2EA8BDE1695A3F05EFBF52:[U          ]:LCT-425F6467:
-nobody:65534:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:
-        NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NU         ]:LCT-00000000:
-</screen>
-		Now complete the following step to validate that group account mappings have
-		been correctly set:
-<screen>
-&rootprompt; net groupmap list
-Domain Admins (S-1-5-21-1385457007-882775198-1210191635-512)
-                                            -> Domain Admins
-Domain Users (S-1-5-21-1385457007-882775198-1210191635-513) 
-                                             -> Domain Users
-Domain Guests (S-1-5-21-1385457007-882775198-1210191635-514) 
-                                            -> Domain Guests
-Domain Computers (S-1-5-21-1385457007-882775198-1210191635-515) 
-                                          -> Domain Computers
-Administrators (S-1-5-32-544) -> Administrators
-Print Operators (S-1-5-32-550) -> Print Operators
-Backup Operators (S-1-5-32-551) -> Backup Operators
-Replicators (S-1-5-32-552) -> Replicators
-</screen>
-		These are the expected results for a correctly configured system.
-		</para></step>
-
-		<step><para>
-		Commence migration as shown here:
-<screen>
-&rootprompt; net rpc vampire -S TRANSGRESSION \
-       -U Administrator%not24get > /tmp/vampire.log 2>1
-</screen>
-		Check the vampire log to confirm that only expected errors have been
-		reported. See <link linkend="sbevam1"/>.
-		</para></step>
-
-		<step><para>
-		The migration of user accounts can be quickly validated as follows:
-<screen>
-&rootprompt; pdbedit -Lw
-root:0:84B0D8E14D158FF8417EAF50CFAC29C3:...
-nobody:65534:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:...
-Administrator:0:84B0D8E14D158FF8417EAF50CFAC29C3:...
-Guest:1:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:...
-TRANSGRESSION$:2:CC044B748CEE294CE76B6B0D1B86C1A8:...
-IUSR_TRANSGRESSION:3:64046AC81B056C375F9537FC409085F8:...
-MIDEARTH$:4:E93186E5819706D2AAD3B435B51404EE:...
-atrickhoffer:5:DC08CFE0C12B2867352502E32A407F23:...
-barryf:6:B829BCDE01FF24376E45D5F10408CFBD:...
-fsellerby:7:6A97CBEBE8F9826B417EAF50CFAC29C3:...
-gdaison:8:48F6A8C8A900024351DA8C2061C5F1D3:...
-hrambotham:9:7330D9EA0964465EAAD3B435B51404EE:...
-jrhapsody:10:ACBA7D207E2BA35D9BD41A26B01626BD:...
-maryk:11:293B5A4CA41F6CA1A7D80430B8342B73:...
-jacko:12:8E8982D86BD037C364BBD09A598E07AD:...
-bridge:13:0D2CA7D2BE67FE2193BE3A377C968336:...
-sharpec:14:8841A75CAC19D2855D8B73B1F4D430F8:...
-jimbo:15:6E8BDC904FD9EC5C17306D272A9441BB:...
-dhenwick:16:D1694A03C33584BDAAD3B435B51404EE:...
-dork:17:69E2D19E69A593D5AAD3B435B51404EE:...
-blue:18:E355EBF9559979FEAAD3B435B51404EE:...
-billw:19:EE35C3481CF7F7DB484448BC86A641A5:...
-rfreshmill:20:7EC033B58661B60CAAD3B435B51404EE:...
-MAGGOT$:21:A3B9334765AD30F7AAD3B435B51404EE:...
-TRENTWARE$:22:1D92C8DD5E7F0DDF93BE3A377C968336:...
-MORTON$:23:89342E69DCA9D3F8AAD3B435B51404EE:...
-NARM$:24:2B93E2D1D25448BDAAD3B435B51404EE:...
-LAPDOG$:25:14AA535885120943AAD3B435B51404EE:...
-SCAVENGER$:26:B6288EB6D147B56F8963805A19B0ED49:...
-merlin$:27:820C50523F368C54AB9D85AE603AD09D:...
-</screen>
-		</para></step>
-
-		<step><para>
-		The mapping of UNIX and Windows groups can be validated as show here:
-<screen>
-&rootprompt; net groupmap list
-Domain Admins (S-1-5-21-1385457007-882775198-1210191635-512)
-                                                     -> Domain Admins
-Domain Users (S-1-5-21-1385457007-882775198-1210191635-513)
-                                                      -> Domain Users
-Domain Guests (S-1-5-21-1385457007-882775198-1210191635-514)
-                                                     -> Domain Guests
-Domain Computers (S-1-5-21-1385457007-882775198-1210191635-515)
-                                                   -> Domain Computers
-Administrators (S-1-5-32-544) -> Administrators
-Print Operators (S-1-5-32-550) -> Print Operators
-Backup Operators (S-1-5-32-551) -> Backup Operators
-Replicator (S-1-5-32-552) -> Replicators
-Engineers (S-1-5-21-1385457007-882775198-1210191635-1020) -> Engineers
-Marketoids (S-1-5-21-1385457007-882775198-1210191635-1022) -> Marketoids
-Gnomes (S-1-5-21-1385457007-882775198-1210191635-1023) -> Gnomes
-Catalyst (S-1-5-21-1385457007-882775198-1210191635-1024) -> Catalyst
-Recieving (S-1-5-21-1385457007-882775198-1210191635-1025) -> Recieving
-Rubberboot (S-1-5-21-1385457007-882775198-1210191635-1026) -> Rubberboot
-Sales (S-1-5-21-1385457007-882775198-1210191635-1027) -> Sales
-Accounting (S-1-5-21-1385457007-882775198-1210191635-1028) -> Accounting
-Shipping (S-1-5-21-1385457007-882775198-1210191635-1029) -> Shipping
-Account Operators (S-1-5-32-548) -> Account Operators
-Guests (S-1-5-32-546) -> Guests
-Server Operators (S-1-5-32-549) -> Server Operators
-Users (S-1-5-32-545) -> Users
-</screen>
-		It is of vital importance that the domain SID portions of all group
-		accounts are identical.
-		</para></step>
-
-		<step><para>
-		The final responsibility in the migration process is to create identical
-		shares and printing resources on the new Samba-3 server, copy all data
-		across, set up privileges, and set share and file/directory access controls.
-		</para></step>
-
-		<step><para>
-		<indexterm><primary>domain master</primary></indexterm>
-		<indexterm><primary>PDC</primary></indexterm>
-		Edit the &smb.conf; file to  reset the parameter 
-		<smbconfoption name="domain master">Yes</smbconfoption> so that
-		the Samba server functions as a PDC for the purpose of migration.
-		Also, uncomment the deletion scripts so they will now be fully functional,
-		enable the <parameter>wins support = yes</parameter> parameter and
-		comment out the <parameter>wins server</parameter>. Validate the configuration
-		with the <command>testparm</command> utility as shown here:
-<screen>
-&rootprompt; testparm
-Load smb config files from /etc/samba/smb.conf
-Processing section "[apps]"
-Processing section "[media]"
-Processing section "[homes]"
-Processing section "[printers]"
-Processing section "[netlogon]"
-Processing section "[profiles]"
-Processing section "[profdata]"
-Processing section "[print$]"
-Loaded services file OK.
-Server role: ROLE_DOMAIN_PDC
-Press enter to see a dump of your service definitions
-</screen>
-                </para></step>
-
-		<step><para>
-		Now shut down the old NT4 PDC. Only when the old NT4 PDC and all
-		NT4 BDCs have been shut down can the Samba-3 PDC be started.
-		</para></step>
-
-		<step><para>
-		All workstations should function as they did with the old NT4 PDC. All
-		interdomain trust accounts should remain in place and fully functional.
-		All machine accounts and user logon accounts should also function correctly.
-		</para></step>
-
-		<step><para>
-		The configuration of Samba-3 BDC servers can be accomplished now or at any
-		convenient time in the future. Please refer to the carefully detailed process
-		for doing so is outlined in <link linkend="sbehap-bldg1"/>.
-		</para></step>
-
-	</procedure>
-
-	<sect3 id="sbevam1">
-	<title>Migration Log Validation</title>
-
-	<para>
-	The following <filename>vampire.log</filename> file is typical of a valid migration.
-<screen>
-adding user Administrator to group Domain Admins
-adding user atrickhoffer to group Engineers
-adding user dhenwick to group Engineers
-adding user dork to group Engineers
-adding user rfreshmill to group Marketoids
-adding user jacko to group Gnomes
-adding user jimbo to group Gnomes
-adding user maryk to group Gnomes
-adding user gdaison to group Gnomes
-adding user dhenwick to group Catalyst
-adding user jacko to group Catalyst
-adding user jacko to group Recieving
-adding user blue to group Recieving
-adding user hrambotham to group Rubberboot
-adding user billw to group Sales
-adding user bridge to group Sales
-adding user jrhapsody to group Sales
-adding user maryk to group Sales
-adding user rfreshmill to group Sales
-adding user fsellerby to group Sales
-adding user sharpec to group Sales
-adding user jimbo to group Accounting
-adding user gdaison to group Accounting
-adding user jacko to group Shipping
-adding user blue to group Shipping
-Fetching DOMAIN database
-Creating unix group: 'Engineers'
-Creating unix group: 'Marketoids'
-Creating unix group: 'Gnomes'
-Creating unix group: 'Catalyst'
-Creating unix group: 'Recieving'
-Creating unix group: 'Rubberboot'
-Creating unix group: 'Sales'
-Creating unix group: 'Accounting'
-Creating unix group: 'Shipping'
-Creating account: Administrator
-Creating account: Guest
-Creating account: TRANSGRESSION$
-Creating account: IUSR_TRANSGRESSION
-Creating account: MIDEARTH$
-Creating account: atrickhoffer
-Creating account: barryf
-Creating account: fsellerby
-Creating account: gdaison
-Creating account: hrambotham
-Creating account: jrhapsody
-Creating account: maryk
-Creating account: jacko
-Creating account: bridge
-Creating account: sharpec
-Creating account: jimbo
-Creating account: dhenwick
-Creating account: dork
-Creating account: blue
-Creating account: billw
-Creating account: rfreshmill
-Creating account: MAGGOT$
-Creating account: TRENTWARE$
-Creating account: MORTON$
-Creating account: NARM$
-Creating account: LAPDOG$
-Creating account: SCAVENGER$
-Creating account: merlin$
-Group members of Domain Admins: Administrator,
-Group members of Domain Users: Administrator(primary),
-TRANSGRESSION$(primary),IUSR_TRANSGRESSION(primary),
-MIDEARTH$(primary),atrickhoffer(primary),barryf(primary),
-fsellerby(primary),gdaison(primary),hrambotham(primary),
-jrhapsody(primary),maryk(primary),jacko(primary),bridge(primary),
-sharpec(primary),jimbo(primary),dhenwick(primary),dork(primary),
-blue(primary),billw(primary),rfreshmill(primary),MAGGOT$(primary),
-TRENTWARE$(primary),MORTON$(primary),NARM$(primary),
-LAPDOG$(primary),SCAVENGER$(primary),merlin$(primary),
-Group members of Domain Guests: Guest(primary),
-Group members of Engineers: atrickhoffer,dhenwick,dork,
-Group members of Marketoids: rfreshmill,
-Group members of Gnomes: jacko,jimbo,maryk,gdaison,
-Group members of Catalyst: dhenwick,jacko,
-Group members of Recieving: jacko,blue,
-Group members of Rubberboot: hrambotham,
-Group members of Sales: billw,bridge,jrhapsody,maryk,
-rfreshmill,fsellerby,sharpec,
-Group members of Accounting: jimbo,gdaison,
-Group members of Shipping: jacko,blue,
-Fetching BUILTIN database
-skipping SAM_DOMAIN_INFO delta for 'Builtin' (is not my domain)
-Creating unix group: 'Account Operators'
-Creating unix group: 'Guests'
-Creating unix group: 'Server Operators'
-Creating unix group: 'Users'
-</screen>
-	</para>
-
-	</sect3>
-
-	</sect2>
-
-	<sect2>
-	<title>NT4 Migration Using tdbsam Backend</title>
-
-	<para>
-	In this example, we change the domain name of the NT4 server from
-	<constant>DRUGPREP</constant> to <constant>MEGANET</constant> prior to the use
-	of the vampire (migration) tool. This migration process makes use of Linux system tools
-	(like <command>useradd</command>) to add the accounts that are migrated into the 
-	UNIX/Linux <filename>/etc/passwd</filename> and <filename>/etc/group</filename>
-	databases. These entries must therefore be present, and correct options specified,
-	in your &smb.conf; file, or else the migration does not work as it should.
-	</para>
-
-	<procedure>
-	<title>Migration Steps Using tdbsam</title>
-
-		<step><para>
-		Prepare a Samba-3 server precisely per the instructions shown in <link linkend="Big500users"/>.
-		Set the workgroup name to <constant>MEGANET</constant>.
-		</para></step>
-
-	  <step><para><indexterm>
-		<primary>domain master</primary>
-	      </indexterm><indexterm>
-		<primary>BDC</primary>
-	      </indexterm>
-		Edit the &smb.conf; file to temporarily change the parameter 
-		<smbconfoption name="domain master">No</smbconfoption> so
-		the Samba server functions as a BDC for the purpose of migration.
-                </para></step>
-
-		<step><para>
-		Start Samba as you have done previously.
-		</para></step>
-
-	  <step><para><indexterm>
-		<primary>net</primary>
-		<secondary>rpc</secondary>
-		<tertiary>join</tertiary>
-	      </indexterm>
-		Join the NT4 Domain as a BDC, as shown here:
-<screen>
-&rootprompt; net rpc join -S oldnt4pdc -W MEGANET -UAdministrator%not24get
-Joined domain MEGANET.
-</screen>
-		</para></step>
-
-		<step><para><indexterm>
-		<primary>net</primary>
-		<secondary>rpc</secondary>
-		<tertiary>vampire</tertiary>
-	      </indexterm>
-		You may vampire the accounts from the NT4 PDC by executing the command, as shown here:
-<screen>
-&rootprompt; net rpc vampire -S oldnt4pdc -U Administrator%not24get
-Fetching DOMAIN database
-SAM_DELTA_DOMAIN_INFO not handled
-Creating unix group: 'Domain Admins'
-Creating unix group: 'Domain Users'
-Creating unix group: 'Domain Guests'
-Creating unix group: 'Engineers'
-Creating unix group: 'Marketoids'
-Creating unix group: 'Account Operators'
-Creating unix group: 'Administrators'
-Creating unix group: 'Backup Operators'
-Creating unix group: 'Guests'
-Creating unix group: 'Print Operators'
-Creating unix group: 'Replicator'
-Creating unix group: 'Server Operators'
-Creating unix group: 'Users'
-Creating account: Administrator
-Creating account: Guest
-Creating account: oldnt4pdc$
-Creating account: jacko
-Creating account: maryk
-Creating account: bridge
-Creating account: sharpec
-Creating account: jimbo
-Creating account: dhenwick
-Creating account: dork
-Creating account: blue
-Creating account: billw
-Creating account: massive$
-Group members of Engineers: Administrator,
-                 sharpec(primary),bridge,billw(primary),dhenwick
-Group members of Marketoids: Administrator,jacko(primary),
-                maryk(primary),jimbo,blue(primary),dork(primary)
-Creating unix group: 'Gnomes'
-Fetching BUILTIN database
-SAM_DELTA_DOMAIN_INFO not handled
-</screen>
-		</para></step>
-
-	  <step><para><indexterm>
-		<primary>pdbedit</primary>
-	      </indexterm>
-		At this point, we can validate our migration. Let's look at the accounts
-		in the form in which they are seen in a smbpasswd file. This achieves that:
-<screen>
-&rootprompt; pdbedit -Lw
-Administrator:505:84B0D8E14D158FF8417EAF50CFAC29C3:
-     AF6DD3FD4E2EA8BDE1695A3F05EFBF52:[UX         ]:LCT-3DF7AA9F:
-jimbo:512:6E9A2A51F64A1BD5C187B8085FE1D9DF:
-     CDF7E305E639966E489A0CEFB95EE5E0:[UX         ]:LCT-3E9362BC:
-sharpec:511:E4301A7CD8FDD1EC6BBF9BC19CDF8151:
-     7000255938831D5B948C95C1931534C5:[UX         ]:LCT-3E8B42C4:
-dhenwick:513:DCD8886141E3F892AAD3B435B51404EE:
-     2DB36465949CB938DD98C312EFDC2639:[UX         ]:LCT-3E939F41:
-bridge:510:3FE6873A43101B46417EAF50CFAC29C3:
-     891741F481AF111B4CAA09A94016BD01:[UX         ]:LCT-3E8B4291:
-blue:515:256D41D2559BB3D2AAD3B435B51404EE:
-     9CCADDA4F7D281DD0FAD321478C6F971:[UX         ]:LCT-3E939FDC:
-diamond$:517:6C8E7B64EDCDBC4218B6345447A4454B:
-     3323AC63C666CFAACB60C13F65D54E9A:[S          ]:LCT-00000000:
-oldnt4pdc$:507:3E39430CDCABB5B09ED320D0448AE568:
-     95DBAF885854A919C7C7E671060478B9:[S          ]:LCT-3DF7AA9F:
-Guest:506:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:
-     XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[DUX        ]:LCT-3E93A008:
-billw:516:85380CA7C21B6EBE168C8150662AF11B:
-     5D7478508293709937E55FB5FBA14C17:[UX         ]:LCT-3FED7CA1:
-dork:514:78C70DDEC35A35B5AAD3B435B51404EE:
-     0AD886E015AC595EC0AF40E6C9689E1A:[UX         ]:LCT-3E939F9A:
-jacko:508:BC472F3BF9A0A5F63832C92FC614B7D1:
-     0C6822AAF85E86600A40DC73E40D06D5:[UX         ]:LCT-3E8B4242:
-maryk:509:3636AB7E12EBE79AB79AE2610DD89D4C:
-     CF271B744F7A55AFDA277FF88D80C527:[UX         ]:LCT-3E8B4270:
-</screen>
-		</para></step>
-
-		<step><para><indexterm>
-		<primary>pdbedit</primary>
-	      </indexterm>
-		An expanded view of a user account entry shows more of what was
-		obtained from the NT4 PDC:
-<screen>
-sleeth:~ # pdbedit -Lv maryk
-Unix username:        maryk
-NT username:          maryk
-Account Flags:        [UX         ]
-User SID:             S-1-5-21-1988699175-926296742-1295600288-1003
-Primary Group SID:    S-1-5-21-1988699175-926296742-1295600288-1007
-Full Name:            Mary Kathleen
-Home Directory:       \\diamond\maryk
-HomeDir Drive:        X:
-Logon Script:         scripts\logon.bat
-Profile Path:         \\diamond\profiles\maryk
-Domain:               MEGANET
-Account desc:         Peace Maker
-Workstations:
-Munged dial:
-Logon time:           0
-Logoff time:          Mon, 18 Jan 2038 20:14:07 GMT
-Kickoff time:         Mon, 18 Jan 2038 20:14:07 GMT
-Password last set:    Wed, 02 Apr 2003 13:05:04 GMT
-Password can change:  0
-Password must change: Mon, 18 Jan 2038 20:14:07 GMT
-</screen>
-		</para></step>
-
-	  <step><para><indexterm>
-		<primary>net</primary>
-		<secondary>group</secondary>
-	      </indexterm>
-		The following command lists the long names of the groups that have been
-		imported (vampired) from the NT4 PDC:
-<screen>
-&rootprompt; net group -l -Uroot%not24get -Smassive
-
-Group name            Comment
------------------------------
-Engineers             Snake Oil Engineers
-Marketoids            Untrustworthy Hype Vendors
-Gnomes                Plain Vanilla Garden Gnomes
-Replicator            Supports file replication in a domain
-Guests                Users granted guest access to the computer/domain
-Administrators        Members can fully administer the computer/domain
-Users                 Ordinary users
-</screen>
-		Everything looks well and in order.
-		</para></step>
-
-	  <step><para><indexterm>
-		<primary>domain master</primary>
-	      </indexterm><indexterm>
-		<primary>PDC</primary>
-	      </indexterm>
-		Edit the &smb.conf; file to  reset the parameter 
-		<smbconfoption name="domain master">Yes</smbconfoption> so
-		the Samba server functions as a PDC for the purpose of migration.
-                </para></step>
-	</procedure>
-	</sect2>
-
-	<sect2>
-		<title>Key Points Learned</title>
-
-		<para>
-		Migration of an NT4 PDC database to a Samba-3 PDC is possible.
-		</para>
-
-		<itemizedlist>
-			<listitem><para>
-			An LDAP backend is a suitable vehicle for NT4 migrations.
-			</para></listitem>
-
-			<listitem><para>
-			A tdbsam backend can be used to perform a migration.
-			</para></listitem>
-
-			<listitem><para>
-			Multiple NT4 domains can be merged into a single Samba-3
-			domain.
-			</para></listitem>
-
-			<listitem><para>
-			The net Samba-3 domain most likely requires some
-			administration and updating before going live.
-			</para></listitem>
-		</itemizedlist>
-
-	</sect2>
-
-</sect1>
-
-<sect1>
-	<title>Questions and Answers</title>
-
-	<para>
-	</para>
-
-	<qandaset defaultlabel="chap08qa" type="number">
-	<qandaentry>
-	<question>
-
-	    <para><indexterm>
-		<primary>clean database</primary>
-	      </indexterm>
-		Why must I start each migration with a clean database?
-		</para>
-
-	</question>
-	<answer>
-
-	    <para><indexterm>
-		<primary>merge</primary>
-	      </indexterm>
-		This is a recommendation that permits the data from each NT4 domain to
-		be kept separate until you are ready to merge them. Also, if you do not start with a clean database,
-		you may find errors due to users or groups from multiple domains having the
-		same name but different SIDs. It is better to permit each migration to complete
-		without undue errors and then to handle the merging of vampired data under
-		proper supervision.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-	    <para><indexterm>
-		<primary>Domain SID</primary>
-	      </indexterm>
-		Is it possible to set my domain SID to anything I like?
-		</para>
-
-	</question>
-	<answer>
-
-	    <para><indexterm>
-		<primary>auto-generated SID</primary>
-	      </indexterm><indexterm>
-		<primary>SID</primary>
-	      </indexterm><indexterm>
-		<primary>Domain SID</primary>
-	      </indexterm>
-		Yes, so long as the SID you create has the same structure as an autogenerated SID.
-		The typical SID looks like this: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX, where
-		the XXXXXXXXXX can be any number with from 6 to 10 digits. On the other hand, why
-		would you really want to create your own SID? I cannot think of a good reason.
-		You may want to set the SID to one that is already in use somewhere on your network,
-		but that is a little different from straight out creating your own domain SID.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-	    <para><indexterm>
-		<primary>/etc/passwd</primary>
-	      </indexterm><indexterm>
-		<primary>/etc/group</primary>
-	      </indexterm><indexterm>
-		<primary>tdbsam</primary>
-	      </indexterm><indexterm>
-		<primary>passdb backend</primary>
-	      </indexterm><indexterm>
-		<primary>accounts</primary>
-		<secondary>user</secondary>
-	      </indexterm><indexterm>
-		<primary>accounts</primary>
-		<secondary>group</secondary>
-	      </indexterm><indexterm>
-		<primary>accounts</primary>
-		<secondary>Domain</secondary>
-	      </indexterm>
-		When using a tdbsam passdb backend, why must I have all domain user and group accounts
-		in <filename>/etc/passwd</filename> and <filename>/etc/group</filename>?
-		</para>
-
-	</question>
-	<answer>
-
-	    <para><indexterm>
-		<primary>UID</primary>
-	      </indexterm><indexterm>
-		<primary>GID</primary>
-	      </indexterm><indexterm>
-		<primary>smbpasswd</primary>
-	      </indexterm><indexterm>
-		<primary>/etc/passwd</primary>
-	      </indexterm><indexterm>
-		<primary>Posix</primary>
-	      </indexterm><indexterm>
-		<primary>LDAP database</primary>
-	      </indexterm>
-		Samba-3 must be able to tie all user and group account SIDs to a UNIX UID or GID. Samba
-		does not fabricate the UNIX IDs from thin air, but rather requires them to be located
-		in a suitable place. 
-		</para>
-
-		<para>
-		When migrating a <filename>smbpasswd</filename> file to an LDAP backend, the
-		UID of each account is taken together with the account information in the 
-		<filename>/etc/passwd</filename>, and both sets of data are used to create the account
-		entry in the LDAP database. 
-		</para>
-
-		<para>
-		If you elect to create the POSIX account also, the entire UNIX account is copied to the 
-		LDAP backend. The same occurs with NT groups and UNIX groups. At the conclusion of 
-		migration to the LDAP database, the accounts may be removed from the UNIX database files. 
-		In short then, all UNIX and Windows networking accounts, both in tdbsam as well as in 
-		LDAP, require UIDs/GIDs.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-	    <para><indexterm>
-		<primary>validate</primary>
-	      </indexterm><indexterm>
-		<primary>connectivity</primary>
-	      </indexterm><indexterm>
-		<primary>migration</primary>
-	      </indexterm>
-		Why did you validate connectivity before attempting migration?
-		</para>
-
-	</question>
-	<answer>
-
-		<para>
-		Access validation before attempting to migrate NT4 domain accounts helps to pinpoint
-		potential problems that may otherwise affect or impede account migration. I am always
-		mindful of the 4 P's of migration: Planning Prevents Poor Performance.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-		<para>
-		How would you merge 10 tdbsam-based domains into an LDAP database?
-		</para>
-
-	</question>
-	<answer>
-
-	    <para><indexterm>
-		<primary>risk</primary>
-	      </indexterm><indexterm>
-		<primary>dump</primary>
-	      </indexterm><indexterm>
-		<primary>tdbsam</primary>
-	      </indexterm><indexterm>
-		<primary>Samba Domain</primary>
-	      </indexterm><indexterm>
-		<primary>UID</primary>
-	      </indexterm><indexterm>
-		<primary>GID</primary>
-	      </indexterm><indexterm>
-		<primary>pdbedit</primary>
-	      </indexterm><indexterm>
-		<primary>transfer</primary>
-	      </indexterm><indexterm>
-		<primary>smbpasswd</primary>
-	      </indexterm><indexterm>
-		<primary>LDAP</primary>
-	      </indexterm><indexterm>
-		<primary>tool</primary>
-	      </indexterm>
-		If you have 10 tdbsam Samba domains, there is considerable risk that there are a number of
-		accounts that have the same UNIX identifier (UID/GID). This means that you almost 
-		certainly have to edit a lot of data. It would be easiest to dump each database in smbpasswd
-		file format and then manually edit all records to ensure that each has a unique UID. Each
-		file can then be imported a number of ways. You can use the <command>pdbedit</command> tool
-		to affect a transfer from the smbpasswd file to LDAP, or you can migrate them en masse to
-		tdbsam and then to LDAP. The final choice is yours. Just remember to verify all accounts that
-		you have migrated before handing over access to a user. After all, too many users with a bad
-		migration experience may threaten your career.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-	    <para><indexterm>
-		<primary>machine accounts</primary>
-	      </indexterm><indexterm>
-		<primary>accounts</primary>
-		<secondary>machine</secondary>
-	      </indexterm>
-		I want to change my domain name after I migrate all accounts from an NT4 domain to a 
-		Samba-3 domain. Does it make any sense to migrate the machine accounts in that case?
-		</para>
-
-	</question>
-	<answer>
-
-	    <para><indexterm>
-		<primary>registry</primary>
-	      </indexterm><indexterm>
-		<primary>un-join</primary>
-	      </indexterm><indexterm>
-		<primary>rejoin</primary>
-	      </indexterm><indexterm>
-		<primary>tattooing</primary>
-	      </indexterm>
-		I would recommend not to migrate the machine account. The machine accounts should still work, but there are registry entries
-		on each Windows NT4 and upward client that have a tattoo of the old domain name. If you
-		unjoin the domain and then rejoin the newly renamed Samba-3 domain, you can be certain to avoid
-		this tattooing effect.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-	    <para><indexterm>
-		<primary>multiple group mappings</primary>
-	      </indexterm>
-		After merging multiple NT4 domains into a Samba-3 domain, I lost all multiple group mappings. Why?
-		</para>
-
-	</question>
-	<answer>
-
-	    <para><indexterm>
-		<primary>/etc/passwd</primary>
-	      </indexterm><indexterm>
-		<primary>/etc/group</primary>
-	      </indexterm>
-		Samba-3 currently does not implement multiple group membership internally. If you use the Windows 
-		NT4 Domain User Manager to manage accounts and you have an LDAP backend, the multiple group
-		membership is stored in the POSIX groups area. If you use either tdbsam or smbpasswd backend,
-		then multiple group membership is handled through the UNIX groups file. When you dump the user
-		accounts, no group account information is provided. When you edit (change) UIDs and GIDs in each
-		file to which you migrated the NT4 Domain data, do not forget to edit the UNIX <filename>/etc/passwd</filename>
-		and <filename>/etc/group</filename> information also. That is where the multiple group information
-		is most closely at your fingertips.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-		<para>
-		How can I reset group membership after loading the account information into the LDAP database?
-		</para>
-
-	</question>
-	<answer>
-
-	    <para><indexterm>
-		<primary>SRVTOOLS.EXE</primary>
-	      </indexterm>
-		You can use the NT4 Domain User Manager that can be downloaded from the Microsoft Web site. The
-		installation file is called <filename>SRVTOOLS.EXE</filename>.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-	    <para><indexterm>
-		<primary>group names</primary>
-	      </indexterm>
-		What are the limits or constraints that apply to group names?
-		</para>
-
-	</question>
-	<answer>
-
-	    <para><indexterm>
-		<primary>limit</primary>
-	      </indexterm><indexterm>
-		<primary>shadow-utils</primary>
-	      </indexterm><indexterm>
-		<primary>groupadd</primary>
-	      </indexterm><indexterm>
-		<primary>groupdel</primary>
-	      </indexterm><indexterm>
-		<primary>groupmod</primary>
-	      </indexterm><indexterm>
-		<primary>account names</primary>
-	      </indexterm>
-		A Windows 200x group name can be up to 254 characters long, while in Windows NT4 the group
-		name is limited to 20 characters. Most UNIX systems limit this to 32 characters. Windows 
-		groups can contain upper- and lowercase characters, as well as spaces.
-		Many UNIX system do not permit the use of uppercase characters, and some do not permit the
-		space character either. A number of systems (i.e., Linux) work fine with both uppercase
-		and space characters in group names, but the shadow-utils package that provides the group
-		control functions (<command>groupadd</command>, <command>groupmod</command>, <command>groupdel</command>, and so on) do not permit them.
-		Also, a number of UNIX systems management tools enforce their own particular interpretation
-		of the POSIX standards and likewise do not permit uppercase or space characters in group
-		or user account names. You have to experiment with your system to find what its 
-		peculiarities are.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	<qandaentry>
-	<question>
-
-	    <para><indexterm>
-		<primary>vampire</primary>
-	      </indexterm>
-		My Windows NT4 PDC has 323,000 user accounts. How long will it take to migrate them to a Samba-3
-		LDAP backend system using the vampire process?
-		</para>
-
-	</question>
-	<answer>
-
-		<para>
-		UNIX UIDs and GIDs on most UNIX systems use an unsigned short or an unsigned integer. Recent Linux
-		kernels support at least a much larger number. On systems that have a 16-bit constraint on UID/GIDs,
-		you would not be able to migrate 323,000 accounts because this number cannot fit into a 16-bit unsigned
-		integer. UNIX/Linux systems that have a 32-bit UID/GID can easily handle this number of accounts. 
-		Please check this carefully before you attempt to effect a migration using the vampire process.
-		</para>
-
-	    <para><indexterm>
-		<primary>Migration speed</primary>
-	      </indexterm>
-		Migration speed depends much on the processor speed, the network speed, disk I/O capability, and
-		LDAP update overheads. On a dual processor AMD MP1600+ with 1 GB memory that was mirroring LDAP
-		to a second identical system over 1 Gb Ethernet, I was able to migrate around 180 user accounts
-		per minute. Migration would obviously go much faster if LDAP mirroring were turned off during the migration.
-		</para>
-
-	</answer>
-	</qandaentry>
-
-	</qandaset>
-
-</sect1>
-
-</chapter>
-
diff --git a/docs-xml/Samba3-ByExample/SBE-MigrateNW4Samba3.xml b/docs-xml/Samba3-ByExample/SBE-MigrateNW4Samba3.xml
deleted file mode 100644
index 2664c77..0000000
--- a/docs-xml/Samba3-ByExample/SBE-MigrateNW4Samba3.xml
+++ /dev/null
@@ -1,1798 +0,0 @@
-<?xml version="1.0" encoding="iso-8859-1"?>
-<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
-<chapter id="nw4migration">
-  <title>Migrating NetWare Server to Samba-3</title>
-
-	<para>
-	<indexterm><primary>Novell</primary></indexterm>
-	<indexterm><primary>SUSE</primary></indexterm>
-	Novell is a company any seasoned IT manager has to admire. It has become increasingly
-	Linux-friendly and is emerging out of a deep regression that almost saw the company
-	disappear into obscurity. Novell's SUSE Linux hosts the NetWare server and it is the
-	platform of choice to which many older NetWare servers are being migrated. 
-	It will be interesting to see what becomes of NetWare over time.
-	Meanwhile, there can be no denying that Novell is a Linux company.
-	</para>
-
-	<para>
-	<indexterm><primary>Red Hat</primary></indexterm>
-	<indexterm><primary>Debian</primary></indexterm>
-	<indexterm><primary>Gentoo</primary></indexterm>
-	<indexterm><primary>Mandrake</primary></indexterm>
-	Whatever flavor of Linux is preferred in your environment, whether Red Hat, Debian,
-	Gentoo, Mandrake, or SUSE (Novell), the information in this chapter should be read with
-	the knowledge that file locations may vary a little; even so, the information
-	in this chapter should provide something of value.
-	</para>
-
-	<para>
-	<indexterm><primary>migration</primary></indexterm>
-	Contributions to this chapter were made by Misty Stanley-Jones, a UNIX administrator of many
-	years who surfaced on the Samba mailing list with a barrage of questions and who
-	regularly helps other administrators to solve thorny Samba migration questions.
-	</para>
-
-	<para>
-	<indexterm><primary>NetWare</primary></indexterm>
-	<indexterm><primary>NLM</primary></indexterm>
-	<indexterm><primary>NetWare</primary></indexterm>
-	<indexterm><primary>Mars_NWE</primary></indexterm>
-	One wonders how many NetWare servers remain in active service. Many are being migrated
-	to Samba on Linux. Red Hat Linux, SUSE Linux 9.x, and SUSE Linux Enterprise Server 9 are
-	ideal target platforms to which a NetWare server may be migrated. The migration method
-	of choice is much dependent on the tools that the administrator finds most natural to use.
-	The old-hand NetWare guru will likely want to use tools like the NetWare NLM for
-	<command>rsync</command> to migrate files from the NetWare server to the Samba server.
-	The UNIX administrator might prefer tools that are part of the Mars_NWE (Martin Stovers' NetWare
-	Emulator) open source package. The MS Windows network administrator will likely make use of the
-	NWConv utility that is a part of Windows NT4 Server. Whatever your tool of choice,
-	migration will be filled with joyous and challenging moments &smbmdash; though probably not
-	concurrently.
-	</para>
-
-	<para>
-	The priority that Misty faced was one of migration of the data files off the NetWare 4.11
-	server and onto a Samba-based Windows file and print server. This chapter does not pretend
-	to document all the different methods that could be used to migrate user and group accounts
-	off a NetWare server. Its focus is on migration of data files.
-	</para>
-
-	<para>
-	This chapter tells its own story, so ride along. Maybe the information presented here
-	will help to smooth over a similar migration challenge in your favorite networking environment.
-	</para>
-
-	<para>
-	File paths have been modified to permit use of RPM packages provided by Novell. In the
-	original documentation contributed by Misty, the Courier-IMAP package had been built
-	directly from the original source tarball.
-	</para>
-
-<sect1>
-	<title>Introduction</title>
-
-	<para>
-	<indexterm><primary>Novell</primary></indexterm>
-	Misty Stanley-Jones was recruited by Abmas to administer a network that had
-	not received much attention for some years and was much in need of a makeover.
-	As a brand-new sysadmin to this company, she inherited a very old Novell file server
-	and came with a determination to change things for the better.
-	</para>
-
-	<para>
-	A site survey turned up the following details for the old NetWare server:
-	</para>
-
-	<simplelist>
-		<member>200 MHz MMX processor</member>
-		<member>512K RAM</member>
-		<member>24 GB disk space in RAID1</member>
-		<member>Novell 4.11 patched to service pack 7</member>
-		<member>60+ users</member>
-		<member>7 network-attached printers</member>
-	</simplelist>
-
-	<para>
-	The company had outgrown this server several years before and was dealing with
-	severe growing pains. Some of the problems experienced were:
-	</para>
-		
-	<itemizedlist>
-		<listitem>
-			<para>Very slow performance</para>
-		</listitem>
-		<listitem>
-			<para>Available storage hovering around the 5% range</para>
-			<itemizedlist>
-				<listitem>
-					<para>Extremely slow print spooling.</para>
-				</listitem>
-				<listitem>
-					<para>
-					Users storing information on their local hard
-					drives, causing backup integrity problems
-					</para>
-				</listitem>
-			</itemizedlist>
-		</listitem>
-	  </itemizedlist>
-
-	<para>
-	<indexterm><primary>payroll</primary></indexterm>
-	At one point disk space had filled up to 100 percent, causing the payroll database
-	to become corrupt. This caused the accounting department to be down for over
-	a week and necessitated deployment of another file server. The replacement
-	server was created with very poor security and design considerations from
-	a discarded desktop PC.
-	</para>
-
-	<sect2>
-		<title>Assignment Tasks</title>
-
-	<para>
-	Misty has provided this summary of her migration experience in the hope
-	that it will help someone to avoid the challenges she faced. Perhaps her
-	configuration files and background will accelerate your learning as you
-	grapple with a similar migration challenge. Let there be no confusion,
-	the information presented in this chapter is provided to demonstrate
-	how Misty dealt with a particular NetWare migration requirement, and
-	it provides an overall approach to the implementation of a Samba-3
-	environment that is significantly divergent from that presented in
-	<link linkend="happy"/>.
-	</para>
-
-	<para>
-	The complete removal of all site-specific information in order to produce	
-	a generic migration solution would rob this chapter of its character.
-	It should be recognized, therefore, that the examples given require
-	significant adaptation to suit local needs and thus
-	there are some gaps in the example files. That is not Misty's fault;it
-	is the result of treatment given to her files in an attempt to make
-	the overall information more useful to you.
-	</para>
-
-	<para>
-	<indexterm><primary>cost-benefit</primary></indexterm>
-	After management reviewed a cost-benefit report as well as an estimated
-	time-to-completion, approval was given proceed with the solution proposed.
-	The server was built from purchased components. The total project cost
-	was $3,000. A brief description of the configuration follows:
-	</para>
-
-	<simplelist>
-		<member>
-			3.0 GHz P4 Processor
-		</member>
-		<member>
-			1 GB RAM
-		</member>
-		<member>
-			120 GB SATA operating system drive
-		</member>
-		<member>
-			4 x 80 GB SATA data drives (RAID5 240 GB capacity)
-		</member>
-		<member>
-			2 x 80 GB SATA removable drives for online backup
-		</member>
-		<member>
-			A DLT drive for asynchronous offline backup
-		</member>
-		<member>
-			SUSE Linux Professional 9.1
-		</member>
-	</simplelist>
-
-	<para>
-	The new system has operated for 6 months without problems. Over the past months
-	much attention has been focused on cleaning up desktops and user profiles.
-	</para>
-
-	</sect2>
-</sect1>
-
-<sect1>
-	<title>Dissection and Discussion</title>
-
-	<para>
-	<indexterm><primary>LDAP</primary></indexterm>
-	<indexterm><primary>e-Directory</primary></indexterm>
-	<indexterm><primary>authentication</primary></indexterm>
-	<indexterm><primary>identity management</primary></indexterm>
-	A decision to use LDAP was made even though I knew nothing about LDAP except that
-	I had been reading the book <quote>LDAP System Administration,</quote> by Gerald Carter.
-	LDAP seemed to provide some of the functionality of Novell's e-Directory Services
-	and would provide centralized authentication and identity management.
-	</para>
-
-	<para>
-	<indexterm><primary>database</primary></indexterm>
-	<indexterm><primary>RPM</primary></indexterm>
-	<indexterm><primary>tree</primary></indexterm>
-	Building the LDAP database took a while and a lot of trial and error. Following
-	the guidance I obtained from <quote>LDAP System 
-	Administration,</quote> I installed OpenLDAP (from RPM; later I compiled
-	a more current version from source) and built my initial LDAP tree.
-	</para>
-
-	<sect2>
-	<title>Technical Issues</title>
-
-	<para>
-	<indexterm><primary>white-pages</primary></indexterm>
-	<indexterm><primary>inetOrgPerson</primary></indexterm>
-	<indexterm><primary>OpenLDAP</primary></indexterm>
-	<indexterm><primary>/etc/passwd</primary></indexterm>
-	<indexterm><primary>/etc/shadow</primary></indexterm>
-	<indexterm><primary>LDIF</primary></indexterm>
-	<indexterm><primary>IMAP</primary></indexterm>
-	<indexterm><primary>POP3</primary></indexterm>
-	<indexterm><primary>SMTP</primary></indexterm>
-	The first challenge was to create a company white pages, followed by manually
-	entering everything from the printed company directory. This used only the inetOrgPerson
-	object class from the OpenLDAP schemas. The next step was to write a shell script that
-	would look at the <filename>/etc/passwd</filename> and <filename>/etc/shadow</filename>
-	files on our mail server and create an LDIF file from which the information could be
-	imported into LDAP. This would allow use of LDAP for Linux authentication, IMAP, POP3,
-	and SMTP.
-	</para>
-
-	<para>
-	Because a decision was made to use Courier-IMAP the schema <quote>authldap.schema</quote>
-	from the Courier-IMAP source, tarball is necessary to resolve Courier-specific LDAP directory
-	needs. Where the Courier-IMAP file provided by SUSE is used, this file is named
-	<filename>courier.schema</filename>.
-	</para>
-
-	<para>
-	Looking back, it would have been much easier to populate the LDAP directory using a convenient
-	tool such as <command>phpLDAPAdmin</command> from the outset. An excessive amount of time was
-	spent trying to generate LDIF files that could be parsed using the <command>ldapmodify</command>
-	so that necessary changes could be written to the directory. This was a learning experience!
-	</para>
-
-	<para>
-	An attempt was made to use the PADL POSIX account migration scripts, but I gave up trying to
-	make them work. Instead, even though it is most inelegant, I wrote a simple script that did
-	what I needed. It is enclosed as a simple example to demonstrate that you do not need to be
-	a guru to make light of otherwise painful repetition. This file is listed in <link linkend="sbeamg"/>.
-	</para>
-
-<example id="sbeamg">
-<title>A Rough Tool to Create an LDIF File from the System Account Files</title>
-<screen>
-#!/bin/bash
-
-cat /etc/passwd | while read l; do
-  uid=`echo $l | cut -d : -f 1`
-  uidNumber=`echo $l | cut -d : -f 3`
-  gidNumber=`echo $1 | cut -d : -f 4`
-  gecos=`echo $l | cut -d : -f 5`
-  homeDirectory=`echo $l | cut -d : -f 6`
-  loginShell=`echo $l | cut -d : -f 6`
-  userPassword=`cat /etc/shadow | grep $uid | cut -d : -f 2`
-
-  echo "dn: cn=$gecos,ou=people,dc=mycompany,dc=com"
-  echo "objectClass: account"
-  echo "objectClass: posixAccount"
-  echo "cn: $gecos"
-  echo "uid: $uid"
-  echo "uidNumber: $uidNumber"
-  echo "gidNumber: $gidNumber"
-  echo "homeDirectory: $homeDirectory"
-  echo "loginShell: $loginShell"
-  echo "userPassword: $userPassword"
-done
-</screen>
-</example>
-
-	<note><para>
-	
-	The PADL MigrationTools are recommended for migration of the UNIX account information into
-	the LDAP directory. The tools consist of a set of Perl scripts for migration of users, groups,
-	aliases, hosts, netgroups, networks, protocols, PRCs, and services from the existing ASCII text
-	files (or from a name service such as NIS). This too set can be obtained from the <ulink url=
-	"http://www.padl.com">PADL Web site</ulink>.
-	</para></note>
-
-	</sect2>
-
-</sect1>
-
-<sect1>
-	<title>Implementation</title>
-
-	<para>
-	</para>
-
-	<sect2>
-	<title>NetWare Migration Using LDAP Backend</title>
-
-	<para>
-	The following software must be installed on the SUSE Linux Enterprise Server to perform
-	this migration:
-	</para>
-
-	<simplelist>
-		<member>courier-imap</member>
-		<member>courier-imap-ldap</member>
-		<member>nss_ldap</member>
-		<member>openldap2-client</member>
-		<member>openldap2-devel (only for Samba compilation)</member>
-		<member>openldap2</member>
-		<member>pam_ldap</member>
-		<member>samba-3.0.20 or later</member>
-		<member>samba-client-3.0.20 or later</member>
-		<member>samba-winbind-3.0.20 or later</member>
-		<member>smbldap-tools Version 0.9.1</member>
-	</simplelist>
-
-	<para>
-	Each software application must be carefully configured in preparation for migration.
-	The configuration files used at Abmas are provided as a guide and should be modified
-	to meet needs at your site.
-	</para>
-
-	<sect3>
-	<title>LDAP Server Configuration</title>
-
-	<para>
-	The <filename>/etc/openldap/slapd.conf</filename> file Misty used is shown here:
-<programlisting>
-#/etc/openldap/slapd.conf
-#
-# See slapd.conf(5) for details on configuration options.
-# This file should NOT be world readable.
-#
-include   /etc/openldap/schema/core.schema
-include   /etc/openldap/schema/cosine.schema
-include   /etc/openldap/schema/inetorgperson.schema
-include   /etc/openldap/schema/nis.schema
-include   /etc/openldap/schema/samba3.schema
-include   /etc/openldap/schema/dhcp.schema
-include   /etc/openldap/schema/misc.schema
-include   /etc/openldap/schema/idpool.schema
-include   /etc/openldap/schema/eduperson.schema
-include   /etc/openldap/schema/commURI.schema
-include   /etc/openldap/schema/local.schema
-include   /etc/openldap/schema/courier.schema
-
-pidfile   /var/run/slapd/run/slapd.pid
-argsfile  /var/run/slapd/run/slapd.args
-
-replogfile  /data/ldap/log/slapd.replog
-
-# Load dynamic backend modules:
-modulepath  /usr/lib/openldap/modules
-
-#######################################################################
-# Logging parameters
-#######################################################################
-loglevel 256
-
-#######################################################################
-# SASL and TLS options
-#######################################################################
-sasl-host     ldap.corp.abmas.org
-sasl-realm    DIGEST-MD5
-sasl-secprops   none
-TLSCipherSuite HIGH:MEDIUM:+SSLV2
-TLSCertificateFile    /etc/ssl/certs/private/abmas-cert.pem
-TLSCertificateKeyFile /etc/ssl/certs/private/abmas-key.pem
-password-hash   {SSHA}
-defaultsearchbase "dc=abmas,dc=biz"
-
-#######################################################################
-# bdb database definitions
-#######################################################################
-database          bdb
-suffix            "dc=abmas,dc=biz"
-rootdn            "cn=manager,dc=abmas,dc=biz"
-rootpw            {SSHA}gdo/dUvoT4ZJmULz3rUt6A3H/hBEduJ5
-directory         /data/ldap
-mode    0600
-# The following is for BDB to make it flush its data to disk every
-# 500 seconds or 5kb of data
-checkpoint 500 5
-
-## For running slapindex
-#readonly on
-
-## Indexes for often-requested attributes
-index   objectClass             eq
-index   cn                      eq,sub
-index   sn                      eq,sub
-index   uid                     eq,sub
-index   uidNumber               eq
-index   gidNumber               eq
-index   sambaSID                eq
-index   sambaPrimaryGroupSID    eq
-index   sambaDomainName         eq
-index   default                 sub
-cachesize 2000
-
-replica         host=baa.corp.abmas.org:389
-                suffix="dc=abmas,dc=biz"
-                binddn="cn=replica,dc=abmas,dc=biz"
-                credentials=verysecret
-                bindmethod=simple
-                tls=yes
-replica         host=ns.abmas.org:389
-                suffix="dc=abmas,dc=biz"
-                binddn="cn=replica,dc=abmas,dc=biz"
-                credentials=verysecret
-                bindmethod=simple
-                tls=yes
-
-#######################################################################
-# ACL section
-#######################################################################
-## MOST RESTRICTIVE RULES MUST GO FIRST!
-# Admins get access to everything. This way I do not have to rename.
-access to *
-  by group/groupOfUniqueNames/uniqueMember="cn=LDAP
-Administrators,ou=groups,dc=abmas,dc=biz" write
-  by * break
-
-## Users can change their own passwords. 
-access to 
-attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,
-sambaPwdMustChange,sambaPwdCanChange
-  by self write
-  by * auth
-
-## Home contact info restricted to the logged-in user and the HR dept
-access to attrs=hometelephoneNumber,homePostalAddress,
-mobileTelephoneNumber,pagerTelephoneNumber
-  by group/groupOfUniqueNames/uniqueMember="cn=hr_admin,
-ou=groups,dc=abmas,dc=biz" 
-write
-  by self write
-  by * none
-
-## Everyone can read email aliases
-access to dn.sub="ou=Email Aliases,dc=abmas,dc=biz"
-  by * read
-
-## Only admins can manage email aliases
-## If someone is the role occupant of an alias they can change it -- this
-## is accomplished by the "organizationalRole" objectclass and is
-## pretty cool -- like a groupOfUniqueNames but for individual
-## users.
-access to dn.children="ou=Email Aliases,dc=abmas,dc=biz"
-  by dnattr=roleOccupant write
-  by * read
-
-## Admins and HR can add and delete users
-access to dn.sub="ou=people,dc=abmas,dc=biz"
-  by group/groupOfUniqueNames/uniqueMember="cn=hr_admin,
-ou=groups,dc=abmas,dc=biz" 
-write
-  by * read
-
-## Admins and HR can add and delete bizputers
-access to dn.sub="ou=bizputers,dc=abmas,dc=biz"
-  by group/groupOfUniqueNames/uniqueMember="cn=hr_admin,
-ou=groups,dc=abmas,dc=biz" 
-write
-  by * read
-
-## Admins and HR can add and delete groups
-access to dn.sub="ou=groups,dc=abmas,dc=biz"
-  by group/groupOfUniqueNames/uniqueMember="cn=hr_admin,
-ou=groups,dc=abmas,dc=biz" 
-write
-  by * read
-
-## This is used to quickly deactivate any LDAP object only 
-##  Admins have access.
-access to dn.sub="ou=inactive,dc=abmas,dc=biz"
-  by * none
-
-## This is for programs like Windows Address Book that can 
-## detect the default search base.
-access to attrs=namingcontexts,supportedControl
-  by anonymous =cs
-  by * read
-
-## Default to read-only access
-access to *
-  by dn.base="cn=replica,ou=people,dc=abmas,dc=biz" write
-  by * read
-</programlisting>
-</para>
-
-	<para>
-	<indexterm><primary>/etc/ldap.conf</primary></indexterm>
-	The <filename>/etc/ldap.conf</filename> file used is listed in <link linkend="ch8ldap"/>.
-	</para>
-
-<example id="ch8ldap">
-<title>NSS LDAP Control File &smbmdash; /etc/ldap.conf</title>
-<screen>
-# /etc/ldap.conf
-# This file is present on every *NIX client that authenticates to LDAP.
-# For me, most of the defaults are fine. There is an amazing amount of
-# customization that can be done see the man page for info.
-
-# Your LDAP server. Must be resolvable without using LDAP. The following
-# is for the LDAP server all others use the FQDN of the server
-URI ldap://127.0.0.1
-
-# The distinguished name of the search base.
-base ou=corp,dc=abmas,dc=biz
-
-# The LDAP version to use (defaults to 3 if supported by client library)
-ldap_version 3
-
-# The distinguished name to bind to the server with if the effective
-# user ID is root. Password is stored in /etc/ldap.secret (mode 600)
-rootbinddn cn=Manager,dc=abmas,dc=biz
-
-# Filter to AND with uid=%s
-pam_filter objectclass=posixAccount
-
-# The user ID attribute (defaults to uid)
-pam_login_attribute uid
-
-# Group member attribute
-pam_member_attribute memberUID
-
-# Use the OpenLDAP password change
-# extended operation to update the password.
-pam_password exop
-
-# OpenLDAP SSL mechanism
-# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
-ssl start_tls
-
-tls_cacertfile /etc/ssl/certs/private/abmas-cert.pem
-...
-</screen>
-</example>
-
-	<para>
-	The NSS control file <filename>/etc/nsswitch.conf</filename> has the following contents:
-<screen>
-# /etc/nsswitch.conf
-# This file controls the resolve order for system databases.
-
-# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
-passwd:   compat ldap
-group:    compat ldap
-# The above are all that I store in LDAP at this point. There are 
-# possibilities to store hosts, services, ethers, and lots of other things.
-</screen>
-	</para>
-
-	<para>
-	<indexterm><primary>PAM</primary></indexterm>
-	<indexterm><primary>NSS</primary></indexterm>
-	In my setup, users authenticate via PAM and NSS using LDAP-based accounts.
-	The configuration file that controls the behavior of the PAM <command>pam_unix2</command>
-	module is shown in <link linkend="sbepu2"/> file.
-	This works out of the box with the configuration files in this chapter. It
-	enables you to have no local accounts for users (it is highly advisable 
-	to have a local account for the root user).  Traps for the unwary include the following:
-	</para>
-
-<example id="sbepu2">
-<title>The PAM Control File <filename>/etc/security/pam_unix2.conf</filename></title>
-<screen>
-# pam_unix2 config file
-#
-# This file contains options for the pam_unix2.so module.
-# It contains a list of options for every type of management group,
-# which will be used for authentication, account management and
-# password management. Not all options will be used from all types of
-# management groups.
-#
-# At first, pam_unix2 will read this file and then uses the local
-# options. Not all options can be set her global.
-#
-# Allowed options are:
-#
-# debug                 (account, auth, password, session)
-# nullok                (auth)
-# md5                   (password / overwrites /etc/default/passwd)
-# bigcrypt              (password / overwrites /etc/default/passwd)
-# blowfish              (password / overwrites /etc/default/passwd)
-# crypt_rounds=XX
-# none                  (session)
-# trace                 (session)
-# call_modules=x,y,z    (account, auth, password)
-#
-#  Example:
-#  auth:        nullok
-#  account:
-#  password:    nullok blowfish crypt_rounds=8
-#  session:     none
-#
-auth: use_ldap
-account: use_ldap
-password: use_ldap
-session: none
-</screen>
-</example>
-
-	<indexterm><primary>LDAP</primary></indexterm>
-	<indexterm><primary>authenticate</primary></indexterm>
-	<indexterm><primary>DNS</primary></indexterm>
-	<itemizedlist>
-		<listitem>
-			<para>
-			If your LDAP database goes down, nobody can authenticate except for root.
-			</para>
-		</listitem>
-
-		<listitem>
-			<para>
-			If failover is configured incorrectly, weird behavior can occur. For example, 
-			DNS can fail to resolve.
-			</para>
-		</listitem>
-	</itemizedlist>
-
-	<para>
-	I do have two LDAP slave servers configured. That subject is beyond the scope
-	of this document, and steps for implementing it are well documented.
-	</para>
-
-	<para>
-	The following services authenticate using LDAP:
-	</para>
-	<indexterm><primary>UNIX</primary></indexterm>
-	<indexterm><primary>Postfix</primary></indexterm>
-	<indexterm><primary>Courier-IMAP</primary></indexterm>
-	<simplelist>
-		<member>UNIX login/ssh</member>
-		<member>Postfix (SMTP)</member>
-		<member>Courier-IMAP/IMAPS/POP3/POP3S</member>
-	</simplelist>
-
-	<para>
-	<indexterm><primary>white-pages</primary></indexterm>
-	<indexterm><primary>Windows Address Book</primary></indexterm>
-	Companywide white pages can be searched using an LDAP client
-	such as the one in the Windows Address Book.
-	</para>
-
-	<para>
-	<indexterm><primary>LDAP</primary></indexterm>
-	<indexterm><primary>smbldap-tools</primary></indexterm>
-	Having gained a solid understanding of LDAP and a relatively workable LDAP tree
-	thus far, it was time to configure Samba. I compiled the latest stable Samba and
-	also installed the latest <command>smbldap-tools</command> from 
-	<ulink url="http://idealx.com">Idealx</ulink>.
-	</para>
-
-	<para>
-	The Samba &smb.conf; file was configured as shown in <link linkend="ch8smbconf"/>.
-	</para>
-
-<example id="ch8smbconf">
-<title>Samba Configuration File &smbmdash; smb.conf Part A</title>
-<smbconfblock>
-<smbconfcomment>Global parameters</smbconfcomment>
-<smbconfsection name="[global]"/>
-<smbconfoption name="workgroup">MEGANET2</smbconfoption>
-<smbconfoption name="netbios name">MASSIVE</smbconfoption>
-<smbconfoption name="server string">Corp File Server</smbconfoption>
-<smbconfoption name="passdb backend">ldapsam:ldap://localhost</smbconfoption>
-<smbconfoption name="pam password change">Yes</smbconfoption>
-<smbconfoption name="username map">/etc/samba/smbusers</smbconfoption>
-<smbconfoption name="log level">1</smbconfoption>
-<smbconfoption name="log file">/data/samba/log/%m.log</smbconfoption>
-<smbconfoption name="name resolve order">wins host bcast</smbconfoption>
-<smbconfoption name="time server">Yes</smbconfoption>
-<smbconfoption name="printcap name">cups</smbconfoption>
-<smbconfoption name="show add printer wizard">No</smbconfoption>
-<smbconfoption name="cups options">Raw</smbconfoption>
-<smbconfoption name="add user script">/opt/IDEALX/sbin/smbldap-useradd -m "%u"</smbconfoption>
-<smbconfoption name="add group script">/opt/IDEALX/sbin/smbldap-groupadd -p "%g"</smbconfoption>
-<smbconfoption name="add user to group script">/opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"</smbconfoption>
-<smbconfoption name="delete user from group script">/opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"</smbconfoption>
-<smbconfoption name="set primary group script">/opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"</smbconfoption>
-<smbconfoption name="add machine script">/usr/local/sbin/smbldap-useradd -w "%m"</smbconfoption>
-<smbconfoption name="logon script">logon.bat</smbconfoption>
-<smbconfoption name="logon path">\\%L\profiles\%U\%a</smbconfoption>
-<smbconfoption name="logon drive">H:</smbconfoption>
-<smbconfoption name="logon home">\\%L\%U</smbconfoption>
-<smbconfoption name="domain logons">Yes</smbconfoption>
-<smbconfoption name="wins support">Yes</smbconfoption>
-<smbconfoption name="ldap admin dn">cn=Manager,dc=abmas,dc=biz</smbconfoption>
-<smbconfoption name="ldap group suffix">ou=Groups</smbconfoption>
-<smbconfoption name="ldap idmap suffix">ou=People</smbconfoption>
-<smbconfoption name="ldap machine suffix">ou=People</smbconfoption>
-<smbconfoption name="ldap passwd sync">Yes</smbconfoption>
-<smbconfoption name="ldap suffix">ou=MEGANET2,dc=abmas,dc=biz</smbconfoption>
-<smbconfoption name="ldap ssl">no</smbconfoption>
-<smbconfoption name="ldap user suffix">ou=People</smbconfoption>
-<smbconfoption name="admin users">root, "@Domain Admins"</smbconfoption>
-<smbconfoption name="printer admin">"@Domain Admins"</smbconfoption>
-<smbconfoption name="force printername">Yes</smbconfoption>
-</smbconfblock>
-</example>
-
-<example id="ch8smbconf2">
-<title>Samba Configuration File &smbmdash; smb.conf Part B</title>
-<smbconfblock>
-<smbconfsection name="[netlogon]"/>
-<smbconfoption name="comment">Network logon service</smbconfoption>
-<smbconfoption name="path">/data/samba/netlogon</smbconfoption>
-<smbconfoption name="write list">"@Domain Admins"</smbconfoption>
-<smbconfoption name="guest ok">Yes</smbconfoption>
-
-<smbconfsection name="[profiles]"/>
-<smbconfoption name="comment">Roaming Profile Share</smbconfoption>
-<smbconfoption name="path">/data/samba/profiles/</smbconfoption>
-<smbconfoption name="read only">No</smbconfoption>
-<smbconfoption name="profile acls">Yes</smbconfoption>
-<smbconfoption name="veto files">desktop.ini</smbconfoption>
-<smbconfoption name="browseable">No</smbconfoption>
-
-<smbconfsection name="[homes]"/>
-<smbconfoption name="comment">Home Directories</smbconfoption>
-<smbconfoption name="valid users">%S</smbconfoption>
-<smbconfoption name="read only">No</smbconfoption>
-<smbconfoption name="create mask">0770</smbconfoption>
-<smbconfoption name="veto files">desktop.ini</smbconfoption>
-<smbconfoption name="hide files">desktop.ini</smbconfoption>
-<smbconfoption name="browseable">No</smbconfoption>
-
-<smbconfsection name="[software]"/>
-<smbconfoption name="comment">Software for %a computers</smbconfoption>
-<smbconfoption name="path">/data/samba/shares/software/%a</smbconfoption>
-<smbconfoption name="guest ok">Yes</smbconfoption>
-
-<smbconfsection name="[public]"/>
-<smbconfoption name="comment">Public Files</smbconfoption>
-<smbconfoption name="path">/data/samba/shares/public</smbconfoption>
-<smbconfoption name="read only">No</smbconfoption>
-<smbconfoption name="guest ok">Yes</smbconfoption>
-
-<smbconfsection name="[PDF]"/>
-<smbconfoption name="comment">Location of documents printed to PDFCreator printer</smbconfoption>
-<smbconfoption name="path">/data/samba/shares/pdf</smbconfoption>
-<smbconfoption name="guest ok">Yes</smbconfoption>
-</smbconfblock>
-</example>
-
-<example id="ch8smbconf3">
-<title>Samba Configuration File &smbmdash; smb.conf Part C</title>
-<smbconfblock>
-<smbconfsection name="[EVERYTHING]"/>
-<smbconfoption name="comment">All shares</smbconfoption>
-<smbconfoption name="path">/data/samba</smbconfoption>
-<smbconfoption name="valid users">"@Domain Admins"</smbconfoption>
-<smbconfoption name="read only">No</smbconfoption>
-
-<smbconfsection name="[CDROM]"/>
-<smbconfoption name="comment">CD-ROM on MASSIVE</smbconfoption>
-<smbconfoption name="path">/mnt</smbconfoption>
-<smbconfoption name="guest ok">Yes</smbconfoption>
-
-<smbconfsection name="[print$]"/>
-<smbconfoption name="comment">Printer Drivers Share</smbconfoption>
-<smbconfoption name="path">/data/samba/drivers</smbconfoption>
-<smbconfoption name="write list">root</smbconfoption>
-<smbconfoption name="browseable">No</smbconfoption>
-
-<smbconfsection name="[printers]"/>
-<smbconfoption name="comment">All Printers</smbconfoption>
-<smbconfoption name="path">/data/samba/spool</smbconfoption>
-<smbconfoption name="create mask">0644</smbconfoption>
-<smbconfoption name="printable">Yes</smbconfoption>
-<smbconfoption name="browseable">No</smbconfoption>
-
-<smbconfsection name="[acct_hp8500]"/>
-<smbconfoption name="comment">"Accounting Color Laser Printer"</smbconfoption>
-<smbconfoption name="path">/data/samba/spool/private</smbconfoption>
-<smbconfoption name="valid users">@acct, @acct_admin, @hr, "@Domain Admins", at Receptionist, dwayne, terri, danae, jerry</smbconfoption>
-<smbconfoption name="create mask">0644</smbconfoption>
-<smbconfoption name="printable">Yes</smbconfoption>
-<smbconfoption name="copy">printers</smbconfoption>
-
-<smbconfsection name="[plotter]"/>
-<smbconfoption name="comment">Engineering Plotter</smbconfoption>
-<smbconfoption name="path">/data/samba/spool</smbconfoption>
-<smbconfoption name="create mask">0644</smbconfoption>
-<smbconfoption name="printable">Yes</smbconfoption>
-<smbconfoption name="use client driver">Yes</smbconfoption>
-<smbconfoption name="copy">printers</smbconfoption>
-</smbconfblock>
-</example>
-
-<example id="ch8smbconf4">
-<title>Samba Configuration File &smbmdash; smb.conf Part D</title>
-<smbconfblock>
-<smbconfsection name="[APPS]"/>
-<smbconfoption name="path">/data/samba/shares/Apps</smbconfoption>
-<smbconfoption name="force group">"Domain Users"</smbconfoption>
-<smbconfoption name="read only">No</smbconfoption>
-
-<smbconfsection name="[ACCT]"/>
-<smbconfoption name="path">/data/samba/shares/Accounting</smbconfoption>
-<smbconfoption name="valid users">@acct, "@Domain Admins"</smbconfoption>
-<smbconfoption name="force group">acct</smbconfoption>
-<smbconfoption name="read only">No</smbconfoption>
-<smbconfoption name="create mask">0660</smbconfoption>
-<smbconfoption name="directory mask">0770</smbconfoption>
-
-<smbconfsection name="[ACCT_ADMIN]"/>
-<smbconfoption name="path">/data/samba/shares/Acct_Admin</smbconfoption>
-<smbconfoption name="valid users">@"acct_admin"</smbconfoption>
-<smbconfoption name="force group">acct_admin</smbconfoption>
-
-<smbconfsection name="[HR_PR]"/>
-<smbconfoption name="path">/data/samba/shares/HR_PR</smbconfoption>
-<smbconfoption name="valid users">@hr, @acct_admin</smbconfoption>
-<smbconfoption name="force group">hr</smbconfoption>
-
-<smbconfsection name="[ENGR]"/>
-<smbconfoption name="path">/data/samba/shares/Engr</smbconfoption>
-<smbconfoption name="valid users">@engr, @receptionist, @truss, "@Domain Admins", cheri</smbconfoption>
-<smbconfoption name="force group">engr</smbconfoption>
-<smbconfoption name="read only">No</smbconfoption>
-<smbconfoption name="create mask">0770</smbconfoption>
-
-<smbconfsection name="[DATA]"/>
-<smbconfoption name="path">/data/samba/shares/DATA</smbconfoption>
-<smbconfoption name="valid users">@engr, @receptionist, @truss, "@Domain Admins", cheri</smbconfoption>
-<smbconfoption name="force group">engr</smbconfoption>
-<smbconfoption name="read only">No</smbconfoption>
-<smbconfoption name="create mask">0770</smbconfoption>
-<smbconfoption name="copy">engr</smbconfoption>
-</smbconfblock>
-</example>
-
-<example id="ch8smbconf5">
-<title>Samba Configuration File &smbmdash; smb.conf Part E</title>
-<smbconfblock>
-<smbconfsection name="[X]"/>
-<smbconfoption name="path">/data/samba/shares/X</smbconfoption>
-<smbconfoption name="valid users">@engr, @acct</smbconfoption>
-<smbconfoption name="force group">engr</smbconfoption>
-<smbconfoption name="read only">No</smbconfoption>
-<smbconfoption name="create mask">0770</smbconfoption>
-<smbconfoption name="copy">engr</smbconfoption>
-
-<smbconfsection name="[NETWORK]"/>
-<smbconfoption name="path">/data/samba/shares/network</smbconfoption>
-<smbconfoption name="valid users">"@Domain Users"</smbconfoption>
-<smbconfoption name="read only">No</smbconfoption>
-<smbconfoption name="create mask">0770</smbconfoption>
-<smbconfoption name="guest ok">Yes</smbconfoption>
-
-<smbconfsection name="[UTILS]"/>
-<smbconfoption name="path">/data/samba/shares/Utils</smbconfoption>
-<smbconfoption name="write list">"@Domain Admins"</smbconfoption>
-
-<smbconfsection name="[SYS]"/>
-<smbconfoption name="path">/data/samba/shares/SYS</smbconfoption>
-<smbconfoption name="valid users">chad</smbconfoption>
-<smbconfoption name="read only">No</smbconfoption>
-<smbconfoption name="browseable">No</smbconfoption>
-</smbconfblock>
-</example>
-
-	<para>
-	<indexterm><primary>Qbasic</primary></indexterm>
-	<indexterm><primary>Rbase</primary></indexterm>
-	<indexterm><primary>drive letters</primary></indexterm>
-	Most of these shares are only used by one company group, but they are required
-	because of some ancient Qbasic and Rbase applications were that written expecting
-	their own drive letters.
-	</para>
-
-	<para>
-	<indexterm><primary>rsync</primary></indexterm>
-	<indexterm><primary>rsyncd.conf</primary></indexterm>
-	<indexterm><primary>synchronize</primary></indexterm>
-	Note: During the process of building the new server, I kept data files
-	up to date with the Novell server via use of <command>rsync</command>. 
-	On a separate system (my workstation in fact), which could be rebooted
-	whenever necessary, I set up a mount point to the Novell server via
-	<command>ncpmount</command>. I then created a
-	<filename>rsyncd.conf</filename> to share that mount point out to my
-	new server, and synchronized once an hour. The script I used to synchronize
-	is shown in <link linkend="sbersync"/>. The files exclusion list I used
-	is shown in <link linkend="sbexcld"/>.  The reason I had to have the
-	<command>rsync</command> daemon running on a system that could be
-	rebooted frequently is because <constant>ncpfs</constant>
-	(part of the MARS NetWare Emulation package) has a nasty habit of creating stale
-	mount points that cannot be recovered without a reboot. The reason for hourly
-	synchronization is because some part of the chain was very slow and
-	performance-heavy (whether <command>rsync</command> itself, the network,
-	or the Novell server, I am not sure, but it was probably the Novell server).
-	</para>
-
-<example id="sbersync">
-<title>Rsync Script</title>
-<screen>
-#!/bin/bash
-# Part 1 - rsync the Novell directories to the new server
-echo "#############################################"
-echo "New sync operation starting at `date`"
-if ! pgrep -fl '^rsync\> ; then
-        echo "Good, no rsync is running!"
-  echo "Synchronizing oink to BHPRO"
-        rsync -av --exclude-from=/root/excludes.txt 
-baa.corp:/BHPRO/SYS1/ /data/samba/shares/SYS1
-        retval=$?
-        [ ${retval} = 0 ] && echo "Sync operation completed at `date`"
-        echo "Fixing permissions"
-        # I had a whole lot more permission-fixing stuff here.  It got
-        # pared down as groups got moved over.  The problem
-        # was that the way I was mounting the directory, everything
-        # was owned by the Novell administrator which translated to
-        # Root.  This is also why I could only do one-way sync because
-        # I could not fix the ACLs on the Novell side.
-        find /data/samba/shares/Engr/ -perm +770 -exec chmod 770 {} \;
-        find /data/samba/shares/Engr/ ! -group engr -exec chgrp engr {} \;
-else
-        # This rsync took ages and ages -- I had it set to run every hour but
-        # I needed a way to prevent it running into itself.
-        echo "Oh no, rsync is already running!"
-echo "#############################################"
-fi
-</screen>
-</example>
-
-<example id="sbexcld">
-<title>Rsync Files Exclusion List &smbmdash; <filename>/root/excludes.txt</filename></title>
-<screen>
-/Acct/
-/Apps/
-/DATA/
-/Engr/*.pc3
-/Engr/plotter
-/Engr/APPOLO/
-/Engr/LIBRARY/
-/Home/Accounting/
-/Home/Angie/
-/Home/AngieY/
-/Home/Brandon/
-/Home/Carl/
-</screen>
-</example>
-
-	<para>
-	After Samba was configured, I initialized the LDAP database. The first
-	thing I had to do was store the LDAP password in the Samba configuration by
-	issuing the command (as root):
-<screen>
-&rootprompt; smbpasswd -w verysecret
-</screen>
-	where <quote>verysecret</quote> is replaced by the LDAP bind password.
-	</para>
-
-<note><para>
-The Idealx smbldap-tools package can be configured using a script called 
-<command>configure.pl</command> that is provided as part of the tool. See <link linkend="happy"/>
-for an example of its use. Many administrators, like Misty, choose to do this manually
-so as to maintain greater awareness of how the tool-chain works and possibly to avoid
-undesirable actions from occurring unnoticed.
-</para></note>
-
-	<para>
-	Now Samba was ready for use and it was time to configure the smbldap-tools. There are two
-	relevant files, which are usually put into the directory
-	<filename>/etc/smbldap-tools</filename>. The main file,
-	<filename>smbldap.conf</filename> is shown in <link linkend="ch8ideal"/>.
-	</para>
-
-<example id="ch8ideal">
-<title>Idealx smbldap-tools Control File &smbmdash; Part A</title>
-<screen>
-#########
-#
-# located in /etc/smbldap-tools/smbldap.conf
-#
-######################################################################
-#
-# General Configuration
-#
-######################################################################
-
-# Put your own SID
-# to obtain this number do: net getlocalsid
-SID="S-1-5-21-725326080-1709766072-2910717368"
-
-######################################################################
-#
-# LDAP Configuration
-#
-######################################################################
-
-# Notes: to use to dual ldap servers backend for Samba, you must patch
-# Samba with the dual-head patch from IDEALX. If not using this patch
-# just use the same server for slaveLDAP and masterLDAP.
-# Those two servers declarations can also be used when you have
-# . one master LDAP server where all writing operations must be done
-# . one slave LDAP server where all reading operations must be done
-#   (typically a replication directory)
-
-# Ex: slaveLDAP=127.0.0.1
-slaveLDAP="127.0.0.1"
-slavePort="389"
-
-# Master LDAP : needed for write operations
-# Ex: masterLDAP=127.0.0.1
-masterLDAP="127.0.0.1"
-masterPort="389"
-
-# Use TLS for LDAP
-# If set to 1, this option will use start_tls for connection
-# (you should also used the port 389)
-ldapTLS="0"
-
-# How to verify the server's certificate (none, optional or require)
-# see "man Net::LDAP" in start_tls section for more details
-verify=""
-</screen>
-</example>
-
-<example id="ch8ideal2">
-<title>Idealx smbldap-tools Control File &smbmdash; Part B</title>
-<screen>
-# CA certificate
-# see "man Net::LDAP" in start_tls section for more details
-cafile=""
- certificate to use to connect to the ldap server
-# see "man Net::LDAP" in start_tls section for more details
-clientcert=""
-
-# key certificate to use to connect to the ldap server
-# see "man Net::LDAP" in start_tls section for more details
-clientkey=""
-
-# LDAP Suffix
-# Ex: suffix=dc=IDEALX,dc=ORG
-suffix="ou=MEGANET2,dc=abmas,dc=biz"
-
-# Where are stored Users
-# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
-usersdn="ou=People,${suffix}"
-
-# Where are stored Computers
-# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
-computersdn="ou=People,${suffix}"
-
-# Where are stored Groups
-# Ex groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
-groupsdn="ou=Groups,${suffix}"
-
-# Where are stored Idmap entries
-# (used if samba is a domain member server)
-# Ex groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
-idmapdn="ou=Idmap,${suffix}"
-
-# Where to store next uidNumber and gidNumber available
-sambaUnixIdPooldn="sambaDomainName=MEGANET2,${suffix}"
-
-# Default scope Used
-scope="sub"
-</screen>
-</example>
-
-<example id="ch8ideal3">
-<title>Idealx smbldap-tools Control File &smbmdash; Part C</title>
-<screen>
-# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA)
-hash_encrypt="MD5"
-
-# if hash_encrypt is set to CRYPT, you may set a salt format.
-# default is "%s", but many systems will generate MD5 hashed
-# passwords if you use "$1$%.8s". This parameter is optional!
-crypt_salt_format="%s"
-
-######################################################################
-#
-# Unix Accounts Configuration
-#
-######################################################################
-
-# Login defs
-# Default Login Shell
-# Ex: userLoginShell="/bin/bash"
-userLoginShell="/bin/false"
-
-# Home directory
-# Ex: userHome="/home/%U"
-userHome="/home/%U"
-
-# Gecos
-userGecos="Samba User"
-
-# Default User (POSIX and Samba) GID
-defaultUserGid="513"
-
-# Default Computer (Samba) GID
-defaultComputerGid="515"
-
-# Skel dir
-skeletonDir="/etc/skel"
-
-# Default password validation time (time in days) Comment the next
-# line if you don't want password to be enable for
-# defaultMaxPasswordAge days (be careful to the sambaPwdMustChange
-# attribute's value)
-defaultMaxPasswordAge="45"
-</screen>
-</example>
-
-<example id="ch8ideal4">
-<title>Idealx smbldap-tools Control File &smbmdash; Part D</title>
-<screen>
-######################################################################
-#
-# SAMBA Configuration
-#
-######################################################################
-
-# The UNC path to home drives location (%U username substitution)
-# Ex: \\My-PDC-netbios-name\homes\%U
-# Just set it to a null string if you want to use the smb.conf
-# 'logon home' directive and/or disable roaming profiles
-userSmbHome=""
-
-# The UNC path to profiles locations (%U username substitution)
-# Ex: \\My-PDC-netbios-name\profiles\%U
-# Just set it to a null string if you want to use the smb.conf
-# 'logon path' directive and/or disable roaming profiles
-userProfile=""
-
-# The default Home Drive Letter mapping
-# (will be automatically mapped at logon time if home directory exist)
-# Ex: H: for H:
-userHomeDrive=""
-
-# The default user netlogon script name (%U username substitution)
-# if not used, will be automatically username.cmd
-# make sure script file is edited under DOS
-# Ex: %U.cmd
-# userScript="startup.cmd" # make sure script file is edited under DOS
-userScript=""
-
-# Domain appended to the users "mail"-attribute
-# when smbldap-useradd -M is used
-mailDomain="abmas.org"
-
-######################################################################
-#
-# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
-#
-######################################################################
-# Allows not to use smbpasswd
-# (if with_smbpasswd == 0 in smbldap_conf.pm) but
-# prefer Crypt::SmbHash library
-with_smbpasswd="0"
-smbpasswd="/usr/bin/smbpasswd"
-</screen>
-</example>
-
-	<para>
-	<indexterm><primary>TLS</primary></indexterm>
-	Note: I chose not to take advantage of the TLS capability of this. 
-	Eventually I may go back and tweak it.  Also, I chose not to take advantage
-	of the master/slave configuration as I heard horror stories that it was
-	unstable.  My slave servers are replicas only.
-	</para>
-
-	<para>
-	The <filename>/etc/smbldap-tools/smbldap_bind.conf</filename> file is shown here:
-<screen>
-# smbldap_bind.conf
-#
-# This file simply tells smbldap-tools how to bind to your LDAP server.
-# It has to be a DN with full write access to the Samba portion of
-# the database.
-
-############################
-# Credential Configuration #
-############################
-# Notes: you can specify two different configurations if you use a
-# master ldap for writing access and a slave ldap server for reading access
-# By default, we will use the same DN (so it will work for standard Samba
-# release)
-slaveDN="cn=Manager,dc=abmas,dc=biz"
-slavePw="verysecret"
-masterDN="cn=Manager,dc=abmas,dc=biz"
-masterPw="verysecret"
-</screen>
-	</para>
-
-	<para>
-	The next step was to run the <command>smbldap-populate</command> command, which populates
-	the LDAP tree with the appropriate default users, groups, and UID and GID pools.
-	It creates a user called Administrator with UID=0 and GID=0 matching the
-	Domain Admins group. This is fine because you can still log on as root to a Windows system,
-	but it will break cached credentials if you need to log on as the administrator
-	to a system that is not on the network.
-	</para>
-
-	<para>
-	After the LDAP database has been preloaded, it is prudent to validate that the
-	information needed is in the LDAP directory. This can be done done by restarting
-	the LDAP server, then performing an LDAP search by executing:
-<screen>
-&rootprompt; ldapsearch -W -x -b "dc=abmas,dc=biz"\
-	 -D "cn=Manager,dc=abmas,dc=biz" \
-	"(Objectclass=*)"
-Enter LDAP Password:
-# extended LDIF
-#
-# LDAPv3
-# base <dc=abmas,dc=biz> with scope sub
-# filter: (ObjectClass=*)
-# requesting: ALL
-#
-
-# abmas.biz
-dn: dc=abmas,dc=biz
-objectClass: dcObject
-objectClass: organization
-o: abmas
-dc: abmas
-
-# People, abmas.biz
-dn: ou=People,dc=abmas,dc=biz
-objectClass: organizationalUnit
-ou: People
-
-# Groups, abmas.biz
-dn: ou=Groups,dc=abmas,dc=biz
-objectClass: organizationalUnit
-ou: Groups
-
-# Idmap, abmas.biz
-dn: ou=Idmap,dc=abmas,dc=biz
-objectClass: organizationalUnit
-ou: Idmap
-...
-</screen>
-	</para>
-
-	<para>
-	<indexterm><primary>Windows</primary></indexterm>
-	<indexterm><primary>POSIX</primary></indexterm>
-	<indexterm><primary>smbldap-groupadd</primary></indexterm>
-	<indexterm><primary>RID</primary></indexterm>
-	<indexterm><primary>sambaGroupMapping</primary></indexterm>
-	With the LDAP directory now initialized, it was time to create the Windows and POSIX
-	(UNIX) group accounts as well as the mappings from Windows groups to UNIX groups.
-	The easiest way to do this was to use <command>smbldap-groupadd</command> command.
-	It creates the group with the posixGroup and sambaGroupMapping attributes, a
-	unique GID, and an automatically determined RID. I learned the hard way not to
-	try to do this by hand.
-	</para>
-
-	<para>
-	<indexterm><primary>group mapping</primary></indexterm>
-	<indexterm><primary>smbldap-groupmod</primary></indexterm>
-	<indexterm><primary>memberUID</primary></indexterm>
-	After I had my group mappings in place, I added users to the groups (the users
-	don't really have to exist yet). I used the <command>smbldap-groupmod</command>
-	command to accomplish this. It can also be done manually by adding memberUID
-	attributes to the group entries in LDAP.
-	</para>
-
-	<para>
-	<indexterm><primary>sambaSamAccount</primary></indexterm>
-	<indexterm><primary>posixAccount</primary></indexterm>
-	<indexterm><primary>smbldap-usermod</primary></indexterm>
-	The most monumental task of all was adding the sambaSamAccount information to each
-	already existent posixAccount entry.  I did it one at a time as I moved people onto
-	the new server, by issuing the command:
-<screen>
-&rootprompt; smbldap-usermod -a -P username
-</screen>
-	<indexterm><primary>NetWare</primary></indexterm>
-	<indexterm><primary>LDIF</primary></indexterm>
-	<indexterm><primary>slapcat</primary></indexterm>
-	I completed that step for every user after asking the person what his or her current
-	NetWare password was. The wiser way to have done it would probably have been to dump the
-	entire database to an LDIF file. This can be done by executing:
-<screen>
-&rootprompt; slapcat > somefile.ldif
-</screen>
-	<indexterm><primary>Perl</primary></indexterm>
-	<indexterm><primary>objectClass</primary></indexterm>
-	Then update the LDIF file created by using a Perl script to parse and add the
-	appropriate attributes and objectClasses to each entry, followed by re-importing
-	the entire database into the LDAP directory. 
-	</para>
-
-	<para>
-	Rebuilding of the LDAP directory can be done as follows:
-<screen>
-&rootprompt; rcldap stop
-&rootprompt; cd /data/ldap
-&rootprompt; rm *bdb _* log*
-&rootprompt; su - ldap -c "slapadd -l somefile.ldif"
-&rootprompt; rcldap start
-</screen>
-	This can be done at any time and for any reason, with no harm to the database.
-	</para>
-
-	<para>
-	I first added a test user, of course. The LDIF for this test user looks like
-	this, to give you an idea:
-<screen>
-# Entry 1: cn=Test User,ou=people,ou=corp,dc=abmas,dc=biz
-dn:cn=Test User,ou=people,ou=corp,dc=abmas,dc=biz
-cn: Test User
-gecos: Test User
-gidNumber: 513
-givenName: Test
-homeDirectory: /home/test.user
-homePhone: 555
-l: Somewhere
-l: ST
-mail: test.user
-o: Corp
-objectClass: top
-objectClass: inetOrgPerson
-objectClass: posixAccount
-objectClass: sambaSamAccount
-postalCode: 12345
-sn: User
-street: 10 Some St.
-uid: test.user
-uidNumber: 1074
-sambaLogonTime: 0
-sambaLogoffTime: 2147483647
-sambaKickoffTime: 2147483647
-sambaPwdCanChange: 0
-displayName: Samba User
-sambaSID: S-1-5-21-725326080-1709766072-2910717368-3148
-sambaLMPassword: 9D29C287C58448F9AAD3B435B51404EE
-sambaAcctFlags: [U]
-sambaNTPassword: D062088E99C95E37D7702287BB35E770
-sambaPwdLastSet: 1102537694
-sambaPwdMustChange: 1106425694
-userPassword: {SSHA}UzFZ2VxRGdwUueLnTGtsTBtnsvMO1oj8
-loginShell: /bin/false
-</screen>
-	</para>
-
-	<para>
-	Then I went over to a spare Windows NT machine and joined it to the MEGANET2 domain.
-	It worked, and the machine's account entry under ou=Computers looks like this:
-<screen>
-dn:uid=w2kengrspare$,ou=Computers,ou=MEGANET2,dc=abmas,dc=biz
-objectClass: top
-objectClass: inetOrgPerson
-objectClass: posixAccount
-objectClass: sambaSamAccount
-cn: w2kengrspare$
-sn: w2kengrspare$
-uid: w2kengrspare$
-uidNumber: 1104
-gidNumber: 515
-homeDirectory: /dev/null
-loginShell: /bin/false
-description: Computer
-gecos: Computer
-sambaSID: S-1-5-21-725326080-1709766072-2910717368-3208
-sambaPrimaryGroupSID: S-1-5-21-725326080-1709766072-2910717368-2031
-displayName: W2KENGRSPARE$
-sambaPwdCanChange: 1103149236
-sambaPwdMustChange: 2147483647
-sambaNTPassword: CA199C45CB6737035DB6D9D9F6CD1834
-sambaPwdLastSet: 1103149236
-sambaAcctFlags: [W          ]
-</screen>
-	</para>
-
-	<para>
-	<indexterm><primary>netlogon</primary></indexterm>
-	So now I could log on with a test user from the machine w2kengrspare. It was all well and
-	good, but that user was in no groups yet and so had pretty boring access.  I fixed that
-	by writing the login script! To write the login script, I used
-	<ulink url="http://www.kixtart.org">Kixtart</ulink> because it will work
-	with every architecture of Windows, has an active and helpful user base, and was both
-	easier to learn and more powerful than the standard netlogon scripts I have seen.
-	I also did not have to do a logon script per user or per group.
-	</para>
-
-	<para>
-	<indexterm><primary>Kixtart</primary></indexterm>
-	I downloaded Kixtart and put the following files in my netlogon share:
-<screen>
-KIX32.EXE
-KX32.dll
-KX95.dll  <-- Not needed unless you are running Win9x clients.
-kx16.dll  <-- Probably not needed unless you are running DOS clients.
-kxrpc.exe <-- Probably useless as it has to run on the server and can
-          only be run on NT.  It's for Windows 95 to become group-aware.
-          We can get around the need.
-</screen>
-	</para>
-
-	<para>
-	<indexterm><primary>logon.kix</primary></indexterm>
-	I then wrote the <filename>logon.kix</filename> file that is shown in
-	<link linkend="ch8kix"/>. I chose to keep it all in one file, but it
-	can be split up and linked via include directives.
-	</para>
-
-<example id="ch8kix">
-<title>Kixtart Control File &smbmdash; File: logon.kix</title>
-<screen>
-; This script just calls the other scripts.
-
-; First we want to get things done for everyone.
-
-; Second, we do first-time login stuff.
-
-; Third, we go through the group-oriented scripts one at a time.
-
-
-; We want to check for group membership here to avoid the overhead of running
-; scripts which don't apply.
-call "\\massive\netlogon\scripts\main.kix"
-call "\\massive\netlogon\scripts\setup.kix"
-IF INGROUP("MEGANET2\ACCT")
-  call "scripts\acct.kix"
-ENDIF
-IF INGROUP("MEGANET2\ENGR","MEGANET2\RECEPTIONIST")
-call "\\massive\netlogon\scripts\engr.kix"
-ENDIF
-IF INGROUP("MEGANET2\FURN")
-  call "\\massive\netlogon\scripts\furn.kix"
-ENDIF
-IF INGROUP("MEGANET2\TRUSS")
-  call "\\massive\netlogon\scripts\truss.kix"
-ENDIF
-</screen>
-</example>
-
-<example id="ch8kix2">
-<title>Kixtart Control File &smbmdash; File: main.kix</title>
-<screen>
-break on
-
-; Choose whether to hide the login window or not
-IF INGROUP("MEGANET2\Domain Admins")
-  USE Z: \\massive\everything
-  SETCONSOLE("show")
-ELSE
-  ; Nobody cares about seeing the login script except admins
-  SETCONSOLE("hide")
-ENDIF
-
-; Delete all previously connected shares
-USE * /delete
-
-SETTITLE("Logging on @USERID to @LDOMAIN at @TIME")
-
-; Set the time on the workstation
-$Timeserver = "\\massive"
-Settime $TimeServer
-
-; Map the home directory
-USE H: @HOMESHR ; connect to user's home share
-IF @ERROR = 0
-
-  H:
-  CD @HOMEDIR ; change directory to user's home directory
-ENDIF
-
-; Everyone gets the N drive
-USE N: \\massive\network
-</screen>
-</example>
-
-<example id="ch8kix3">
-<title>Kixtart Control File &smbmdash; File: setup.kix, Part A</title>
-<screen>
-; My setup.kix is where all of the redirection stuff happens.  Note that with 
-; the use of registry keys, this only happens the first time they log in ,or if 
-; I delete the pertinent registry keys which triggers it to happen again:
-
-; Check to see if we have written the abmas sub-key before
-$RETURNCODE = EXISTKEY("HKEY_CURRENT_USER\abmas")
-IF NOT $RETURNCODE = 0
-; Add key for abmas-specific things on the first login
-  ADDKEY("HKEY_CURRENT_USER\abmas")
-  ; The following key gets deleted at the end of the first login
-  ADDKEY("HKEY_CURRENT_USER\abmas\FIRST_LOGIN")
-ENDIF
-
-; People with laptops need My Documents to be in their profile.  People with
-; desktops can have My Documents redirected to their home directory to avoid
-; long delays with logging out and out-of-sync files.
-
-; Check to see if this is the first login -- doesn't make sense to do this
-; at the very first login
-
-$RETURNCODE = EXISTKEY("HKEY_CURRENT_USER\abmas\FIRST_LOGIN")
-IF NOT $RETURNCODE = 0
-
-; We don't want to do this stuff for people with laptops or people in the FURN
-; group.  (They store their profiles in a different server)
-
-  IF NOT INGROUP("MASSIVE\Laptop","MASSIVE\FURN")
-    $RETURNCODE=EXISTKEY("HKEY_CURRENT_USER\abmas\profile_copied")
-
-; A  crude way to tell what OS our profile is for and copy the "My Documents"
-; to the redirected folder on the server.  It works because the profiles
-; are stored as \\server\profiles\user\architecture
-    IF NOT $RETURNCODE = 0
-      IF EXIST("\\massive\profiles\@userID\WinXP")
-        copy "\\massive\profiles\@userID\WinXP\My Documents\*" 
-"\\massive\@userID\"
-      ENDIF
-      IF EXIST("\\massive\profiles\@userID\Win2K")
-        copy "\\massive\profiles\@userID\Win2K\My Documents\*" 
-"\\massive\@userID\"
-      ENDIF
-      IF EXIST("\\massive\profiles\@userID\WinNT")
-        copy "\\massive\profiles\@userID\WinNT\My Documents\*" 
-"\\massive\@userID\"
-      ENDIF
-</screen>
-</example>
-
-<example id="ch8kix3b">
-<title>Kixtart Control File &smbmdash; File: setup.kix, Part B</title>
-<screen>
-; Now we will write the registry values to redirect the locations of "My 
-Documents"
-; and other folders.
-      ADDKEY("HKEY_CURRENT_USER\abmas\profile_copied")
-      WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\
-Windows\CurrentVersion\Explorer\User 
-Shell Folders", "Personal","\\massive\@userID","REG_SZ")
-      WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\
-Windows\CurrentVersion\Explorer\User 
-Shell Folders", "My Pictures", "\\massive\@userID\My Pictures", "REG_SZ")
-      IF @PRODUCTTYPE="Windows 2000 Professional" or @PRODUCTTYPE="Windows XP
-Professional"
-      WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\
-Windows\CurrentVersion\Explorer\User 
-Shell Folders", "My Videos", "\\massive\@userID\My Videos", "REG_SZ")
-      WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\
-Windows\CurrentVersion\Explorer\User 
-Shell Folders", "My Music", "\\massive\@userID\My Music", "REG_SZ")
-      WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\
-Windows\CurrentVersion\Explorer\User 
-Shell Folders", "My eBooks", "\\massive\@userID\My eBooks", "REG_SZ")
-      ENDIF
-    ENDIF
-  ENDIF
-
-; Now we will delete the FIRST_LOGIN sub-key that we made before.
-; Note - to run this script again you will want to delete the HKCU\abmas
-; sub-key, log out, and log back in.
-$RETURNVALUE = EXISTKEY("HKEY_CURRENT_USER\abmas\FIRST_LOGIN")
-IF $RETURNVALUE = 0
-  DELKEY("HKEY_CURRENT_USER\abmas\FIRST_LOGIN")
-ENDIF
-</screen>
-</example>
-
-<example id="ch8kix4">
-<title>Kixtart Control File &smbmdash; File: acct.kix</title>
-<screen>
-; And here is one group-oriented script to show what can be
-; done that way: acct.kix:
-
-IF INGROUP("MASSIVE\Acct_Admin","MASSIVE\HR")
-  USE I: \\MEGANET2\HR_PR
-ENDIF
-
-; Set up printer
-$RETURNVALUE = existkey("HKEY_CURRENT_USER\Printers\,,massive,acct_hp8500")
-IF NOT $RETURNVALUE = 0
-  ADDPRINTERCONNECTION("\\massive\acct_hp8500")
-  SETDEFAULTPRINTER("\\massive\acct_hp8500")
-ENDIF
-; Set up drive mappings
-  USE M: \\massive\ACCT
-  IF INGROUP("MEGANET2\ABRA")
-    USE T: \\trussrv\abra
-  ENDIF
-</screen>
-</example>
-
-	<para>
-	As you can see in the script, I redirected the My Documents to the user's home
-	share if he or she were not in the Laptop group. I also added printers on a
-	group-by-group basis, and if applicable I set the group printer. For this to
-	be effective, the print drivers must be installed on the Samba server in the
-	<filename>[print$]</filename> share. Ample documentation exists about how to
-	do that, so it is not covered here.
-	</para>
-
-	<para>
-	I call this script via the logon.bat script in the [netlogon] directory:
-<screen>
-\\corpsrv\netlogon\kix32 \\corpsrv\netlogon\logon.kix /f
-</screen>
-	I only had to fully qualify the paths for Windows 9x, as Windows NT and
-	greater automatically add [NETLOGON] to the path.
-	</para>
-
-	<para>
-	Also of note for Win9x is that the drive mappings and printer setup will not
-	work because they rely on RPC. You merely have to put the appropriate settings
-	into the <filename>c:\autoexec.bat</filename> file or map the drives manually.
-	One option is to check the OS as part of the Kixtart script, and if it
-	is Win9x and is the first login, copy a premade
-	<filename>autoexec.bat</filename> to the <filename>C:</filename> drive. I
-	have only three such machines, and one is going away in the very near future,
-	so it was easier to do it by hand.
-	</para>
-
-	<para>
-	<indexterm><primary>upgrade</primary></indexterm>
-	At this point I was able to add the users. This is the part that really falls
-	into upgrade. I moved the users over one group at a time, starting with the
-	people who used the least amount of resources on the network. With each group
-	that I moved, I first logged on as a standard user in that group and took
-	careful note of the environment, mainly the printers he or she used, the PATH,
-	and what network resources he or she had access to (most importantly, which ones
-	the user actually needed access to).
-	</para>
-
-	<para>
-	I then added the user's SambaSamAccount information as mentioned earlier,
-	and join the computer to the domain. The very first thing I had to do was to
-	copy the user's profile to the new server. This was very important, and I really
-	struggled with the most effective way to do it.  Here is the method that worked
-	for every one of my users on Windows NT, 2000, and XP:
-	</para>
-
-	<procedure>
-		<step><para>
-			Log in as the user on the domain. This creates the local copy
-			of the user's profile and copies it to the server as he or she logs out.
-		</para></step>
-
-		<step><para>
-			Reboot the computer and log in as the local machine administrator.
-		</para></step>
-
-		<step><para>
-			Right-click My Computer, click Properties, and navigate to the
-			user profiles tab (varies per version of Windows).
-		</para></step>
-
-		<step><para>
-			Select the user's local profile <constant>(COMPUTERNAME\username)</constant>,
-			and click the <command>Copy To</command> button.
-		</para></step>
-
-		<step><para>
-			In the next dialog, copy it directly to the profiles share on the
-			Samba server (in my case \\PDCname\profiles\user\<architecture>.
-			You will have had to make a connection to the share as that
-			user (e.g., Windows Explorer type \\PDCname\profiles\username).
-		</para></step>
-
-		<step><para>
-			When the copy is complete (it can take a while) log out, and log back in
-			as the user. All of his or her settings and all contents of My Documents,
-			Favorites, and the registry should have been copied successfully.
-		</para></step>
-
-		<step><para>
-			If it doesn't look right (the dead giveaway is the desktop background),
-			shut down the computer without logging out (power cycle) and try logging
-			in as the user again. If it still doesn't work, repeat the steps above.
-			I only had to ever repeat it once.
-		</para></step>
-
-	</procedure>
-
-	<para>
-	Words to the Wise:
-	</para>
-
-	<itemizedlist>
-		<listitem><para>
-			If the user was anything other than a standard user on his or her system
-			before, you will save yourself some headaches by giving him or her identical
-			permissions (on the local machine) as his or her domain account <emphasis>before</emphasis>
-			copying the profile over. Do this through the User Administrator
-			in the Control Panel, after joining the computer to the domain and
-			before logging on as that user for the first time. Otherwise the user will
-			have trouble with permissions on his or her registry keys.
-		</para></listitem>
-
-		<listitem><para>
-			If any application was installed for the user only, rather than for
-			the entire system, it will probably not work without being reinstalled.
-		</para></listitem>
-	</itemizedlist>
-
-	<para>
-	After all these steps are accomplished, only cleanup details are left. Make sure user's
-	shortcuts and Network Places point to the appropriate place on the new server, check
-	the important applications to be sure they work as expected and troubleshoot any problems
-	that might arise, and check to be sure the user's printers are present and working. By the
-	way, if there are any network printers installed as system printers (the Novell way),
-	you will need to log in as a local administrator and delete them.
-	</para>
-
-	<para>
-	For my non-laptop systems, I would then log in and out a couple times as the user
-	to be sure that his or her registry settings were modified, and then I was finished.
-	</para>
-
-	<para>
-	Some compatibility issues that cropped up included the following:
-	</para>
-
-	<para>
-	Blackberry client: It did not like having its registry settings moved around
-	and so had to be reinstalled. Also, it needed write permissions to a portion of
-	the hard drive, and I had to give it those manually on the one system where
-	this was an issue.
-	</para>
-
-	<para>
-	CAMedia: Digital camera software for Canon cameras caused all kinds of trouble
-	with the registry. I had to use the Run as service to open the registry of
-	the local user while logged in as the domain user, and give the domain user
-	the appropriate permissions to some registry keys, then export that portion
-	of the registry to a file. Then, as the domain user, I had to import that file
-	into the registry.
-	</para>
-
-	<para>
-	Crystal Reports version 7: More registry problems that were solved by recopying
-	the user's profile.
-	</para>
-
-	<para>
-	Printing from legacy applications: I found out that Novell sends its jobs to
-	the printer in a raw format. CUPS sends them in PostScript by default. I had
-	to make a second printer definition for one printer and tell CUPS specifically
-	to send raw data to the printer, then assign this printer to the LPT port with
-	Kixtart's version of the net use command.
-	</para>
-
-	<para>
-	These were all eventually solved by elbow grease, queries to the Samba mailing
-	list and others, and diligence. The complete migration took about 5 weeks.
-	My userbase is relatively small but includes multiple versions of Windows,
-	multiple Linux member servers, a mechanized saw, a pen plotter, and legacy
-	applications written in Qbasic and R:Base, just to name a few. I actually
-	ended up making some of these applications work better (or work again, as
-	some of them had stopped functioning on the old server) because as part of
-	the process I had to find out how things were supposed to work.
-	</para>
-
-	<para>
-	The one thing I have not been able to get working is a very old database that
-	we had around for reference purposes; it uses Novell's Btrieve engine.
-	</para>
-
-	<para>
-	As the resources compare, I went from 95 percent disk usage to just around 10 percent.
-	I went from a very high load on the server to an average load of between one
-	and two runnable processes on the server. I have improved the security and
-	robustness of the system. I have also implemented
-	<ulink url="http://www.clamav.net">ClamAV</ulink> antivirus software,
-	which scans the entire Samba server for viruses every 2 hours and
-	quarantines them. I have found it much less problematic than our ancient
-	version of Norton Antivirus Corporate Edition, and much more up-to-date.
-	</para>
-
-	<para>
-	In short, my users are much happier now that the new server is running, and that
-	is what is important to me.
-	</para>
-
-	</sect3>
-
-	</sect2>
-
-</sect1>
-
-</chapter>
-
diff --git a/docs-xml/Samba3-ByExample/SBE-SecureOfficeServer.xml b/docs-xml/Samba3-ByExample/SBE-SecureOfficeServer.xml
deleted file mode 100644
index 956bb4d..0000000
--- a/docs-xml/Samba3-ByExample/SBE-SecureOfficeServer.xml
+++ /dev/null
@@ -1,2693 +0,0 @@
-<?xml version="1.0" encoding="iso-8859-1"?>
-<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
-<chapter id="secure">
-  <title>Secure Office Networking</title>
-
-	<para>
-	Congratulations, your Samba networking skills are developing nicely. You started out
-	with three simple networks in <link linkend="simple"/>, and then in <link linkend="small"/>
-	you designed and built a network that provides a high degree of flexibility, integrity,
-	and dependability. It was enough for the basic needs each was designed to fulfill. In
-	this chapter you address a more complex set of needs. The solution you explore 
-	introduces you to basic features that are specific to Samba-3.
-	</para>
-
-	<para>
-	You should note that a working and secure solution could be implemented using Samba-2.2.x. 
-	In the exercises presented here, you are gradually using more Samba-3-specific features,
-	so caution is advised for anyone who tries to use Samba-2.2.x with the guidance here given. 
-	To avoid confusion, this book is all about Samba-3. Let's get the exercises in this 
-	chapter underway.
-	</para>
-
-<sect1>
-	<title>Introduction</title>
-
-	<para>
-	You have made Mr. Meany a very happy man. Recently he paid you a fat bonus for work 
-	well done. It is one year since the last network upgrade. You have been quite busy. 
-	Two months ago Mr. Meany gave approval to hire Christine Roberson, who has taken over 
-	general network management. Soon she will provide primary user support. You have
-	demonstrated that you can delegate responsibility and can plan and execute according
-	to that plan. Above all, you have shown Mr. Meany that you are a responsible person.
-	Today is a big day. Mr. Meany called you to his office at 9 a.m. for news you never 
-	expected: You are going to take charge of business operations. Mr. Meany 
-	is retiring and has entrusted the business to your capable hands. 
-	</para>
-
-	<para>
-	Mr. Meany may be retiring from this company, but not from work. He is taking the
-	opportunity to develop Abmas Accounting into a larger and more substantial company.
-	He says that it took him many years to learn that there is no future in just running
-	a business. He now realizes there is great personal satisfaction in the creation of
-	career opportunities for people in the local community. He wants to do more for others,
-	as he is doing for you. Today he spent a lot of time talking about his grand plan
-	for growth, which you will deal with in the chapters ahead.
-	</para>
-
-	<para>
-	Over the past year, the growth projections were exceeded. The network has grown to
-	meet the needs of 130 users. Along with growth, the demand for improved services
-	and better functionality has also developed. You are about to make an interim
-	improvement and then hand over all Help desk and network maintenance to Christine.
-	Christine has professional certifications in Microsoft Windows as well as in Linux;
-	she is a hard worker and quite likable. Christine does not want to manage the department
-	(although she manages well). She gains job satisfaction when left to sort things out.
-	Occasionally she wants to work with you on a challenging problem. When you told her
-	about your move, she almost resigned, although she was reassured that a new manager would
-	be hired to run Information Technology, and she would be responsible only for operations.
-	</para>
-
-	<sect2>
-		<title>Assignment Tasks</title>
-
-		<para>
-		You promised the staff Internet services including Web browsing, electronic mail, virus
-		protection, and a company Web site.  Christine is eager to help turn the vision into 
-		reality. Let's see how close you can get to the promises made.
-		</para>
-
-		<para>
-		The network you are about to deliver will service 130 users today. Within a year,
-		Abmas will aquire another company. Mr. Meany claims that within 2 years there will be
-		well over 500 users on the network. You have bought into the big picture, so prepare 
-		for growth.  You have purchased a new server and will implement a new network infrastructure. 
-		</para>
-
-		<para>
-		You have decided to not recycle old network components. The only items that will be
-		carried forward are notebook computers. You offered staff new notebooks, but not 
-		one person wanted the disruption for what was perceived as a marginal update. 
-		You decided to give everyone, even the notebook user, a new desktop computer.
-		</para>
-
-		<para>
-		You procured a DSL Internet connection that provides 1.5 Mb/sec (bidirectional)
-		and a 10 Mb/sec ethernet port. You registered the domain
-		<constant>abmas.us</constant>, and the Internet Service Provider (ISP) is supplying
-		secondary DNS. Information furnished by your ISP is shown in <link linkend="chap4netid"/>.
-		</para>
-
-		<para>
-		It is of paramount priority that under no circumstances will Samba offer
-		service access from an Internet connection. You are paying an ISP to
-		give, as part of its value-added services, full firewall protection for your
-		connection to the outside world. The only services allowed in from
-		the Internet side are the following destination ports: <constant>http/https (ports 
-		80 and 443), email (port 25), DNS (port 53)</constant>. All Internet traffic
-		will be allowed out after network address translation (NAT). No internal IP addresses
-		are permitted through the NAT filter because complete privacy of internal network
-		operations must be assured.
-		</para>
-
-		<table id="chap4netid">
-			<title>Abmas.US ISP Information</title>
-			<tgroup cols="2">
-				<colspec align="left"/>
-				<colspec align="center"/>
-				<thead>
-					<row>
-						<entry>Parameter</entry>
-						<entry>Value</entry>
-					</row>
-				</thead>
-				<tbody>
-					<row>
-						<entry>Server IP Address</entry>
-						<entry>123.45.67.66</entry>
-					</row>
-					<row>
-						<entry>DSL Device IP Address</entry>
-						<entry>123.45.67.65</entry>
-					</row>
-					<row>
-						<entry>Network Address</entry>
-						<entry>123.45.67.64/30</entry>
-					</row>
-					<row>
-						<entry>Gateway Address</entry>
-						<entry>123.45.54.65</entry>
-					</row>
-					<row>
-						<entry>Primary DNS Server</entry>
-						<entry>123.45.54.65</entry>
-					</row>
-					<row>
-						<entry>Secondary DNS Server</entry>
-						<entry>123.45.54.32</entry>
-					</row>
-					<row>
-						<entry>Forwarding DNS Server</entry>
-						<entry>123.45.12.23</entry>
-					</row>
-				</tbody>
-			</tgroup>
-		</table>
-
-		<figure id="ch04net">
-			<title>Abmas Network Topology &smbmdash; 130 Users</title>
-			<imagefile scale="65">chap4-net</imagefile>
-		</figure>
-
-		<para>
-		Christine recommended that desktop systems should be installed from a single cloned
-		master system that has a minimum of locally installed software and loads all software
-		off a central application server. The benefit of having the central application server
-		is that it allows single-point maintenance of all business applications, a more
-		efficient way to manage software.  She further recommended installation of antivirus 
-		software on workstations as well as on the Samba server. Christine knows the dangers
-		of potential virus infection and insists on a comprehensive approach to detective
-		as well as corrective action to protect network operations.
-		</para>
-
-		<para>
-		A significant concern is the problem of managing company growth. Recently, a number 
-		of users had to share a PC while waiting for new machines to arrive. This presented 
-		some problems with desktop computers and software installation into the new users' 
-		desktop profiles.
-		</para>
-		
-	</sect2>
-</sect1>
-
-<sect1>
-	<title>Dissection and Discussion</title>
-
-	<para>
-	Many of the conclusions you draw here are obvious. Some requirements are not very clear
-	or may simply be your means of drawing the most out of Samba-3. Much can be done more simply
-	than you will demonstrate here, but keep in mind that the network must scale to at least 500
-	users. This means that some functionality will be overdesigned for the current 130-user
-	environment.
-	</para>
-
-	<sect2>
-		<title>Technical Issues</title>
-
-		<para>
-		In this exercise we use a 24-bit subnet mask for the two local networks. This,
-		of course, limits our network to a maximum of 253 usable IP addresses. The network
-		address range chosen is one assigned by RFC1918 for private networks.
-		When the number of users on the network begins to approach the limit of usable
-		addresses, it is a good idea to switch to a network address specified in RFC1918
-		in the 172.16.0.0/16 range. This is done in subsequent chapters.
-		</para>
-
-		<para>
-		<indexterm><primary>tdbsam</primary></indexterm>
-		<indexterm><primary>smbpasswd</primary></indexterm>
-		The high growth rates projected are a good reason to use the <constant>tdbsam</constant>
-		passdb backend. The use of <constant>smbpasswd</constant> for the backend may result in
-		performance problems. The <constant>tdbsam</constant> passdb backend offers features that
-		are not available with the older, flat ASCII-based <constant>smbpasswd</constant> database.
-		</para>
-
-		<para>
-		<indexterm><primary>risk</primary></indexterm>
-		The proposed network design uses a single server to act as an Internet services host for
-		electronic mail, Web serving, remote administrative access via SSH, 
-		Samba-based file and print services. This design is often chosen by sites that feel 	
-		they cannot afford or justify the cost or overhead of having separate servers. It must 
-		be realized that if security of this type of server should ever be violated (compromised), 
-		the whole network and all data is at risk. Many sites continue to choose this type 
-		of solution; therefore, this chapter provides detailed coverage of key implementation 
-		aspects.
-		</para>
-
-		<para>
-		Samba will be configured to specifically not operate on the Ethernet interface that is
-		directly connected to the Internet.
-		</para>
-
-		<para>
-		<indexterm><primary>iptables</primary></indexterm>
-		<indexterm><primary>NAT</primary></indexterm>
-		<indexterm><primary>Network Address Translation</primary><see>NAT</see></indexterm>
-		<indexterm><primary>firewall</primary></indexterm>
-		You know that your ISP is providing full firewall services, but you cannot rely on that.
-		Always assume that human error will occur, so be prepared by using Linux firewall facilities
-		based on <command>iptables</command> to effect NAT. Block all
-		incoming traffic except to permitted well-known ports. You must also allow incoming packets
-		to establish outgoing connections. You will permit all internal outgoing requests.
-		</para>
-
-		<para>
-		The configuration of Web serving, Web proxy services, electronic mail, and the details of
-		generic antivirus handling are beyond the scope of this book and therefore are not
-		covered except insofar as this affects Samba-3.
-		</para>
-
-		<para>
-		<indexterm><primary>login</primary></indexterm>
-		Notebook computers are configured to use a network login when in the office and a
-		local account to log in while away from the office. Users store all work done in
-		transit (away from the office) by using a local share for work files. Standard procedures
-		dictate that on completion of the work that necessitates mobile file access, all
-		work files are moved back to secure storage on the office server. Staff is instructed
-		to not carry on any company notebook computer any files that are not absolutely required.
-		This is a preventative measure to protect client information as well as private business
-		records.
-		</para>
-
-		<para>
-		<indexterm><primary>application server</primary></indexterm>
-		All applications are served from the central server from a share called <constant>apps</constant>.
-		Microsoft Office XP Professional and OpenOffice 1.1.0 will be installed using a network 
-		(or administrative) installation. Accounting and financial management software can also
-		be run only from the central application server. Notebook users are provided with
-		locally installed applications on a need-to-have basis only.
-		</para>
-
-		<para>
-		<indexterm><primary>roaming profiles</primary></indexterm>
-		The introduction of roaming profiles support means that users can move between
-		desktop computer systems without constraint while retaining full access to their data.
-		The desktop travels with them as they move.
-		</para>
-
-		<para>
-		<indexterm><primary>DNS</primary></indexterm>
-		The DNS server implementation must now address both internal and external
-		needs. You forward DNS lookups to your ISP-provided server as well as the 
-		<constant>abmas.us</constant> external secondary DNS server.
-		</para>
-
-		<para>
-		<indexterm><primary>dynamic DNS</primary></indexterm>
-		<indexterm><primary>DDNS</primary><see>dynamic DNS</see></indexterm>
-		<indexterm><primary>DHCP server</primary></indexterm>
-		Compared with the DHCP server configuration in <link linkend="small"/>, <link linkend="dhcp01"/>, the 
-		configuration used in this example has to deal with the presence of an Internet connection.
-		The scope set for it ensures that no DHCP services will be offered on the external
-		connection. All printers are configured as DHCP clients so that the DHCP server assigns
-		the printer a fixed IP address by way of the Ethernet interface (MAC) address. One additional
-		feature of this DHCP server configuration file is the inclusion of parameters to allow dynamic
-		DNS (DDNS) operation.
-		</para>
-
-		<para>
-		This is the first implementation that depends on a correctly functioning DNS server.
-		Comprehensive steps are included to provide for a fully functioning DNS server that also
-		is enabled for DDNS operation. This means that DHCP clients can be autoregistered
-		with the DNS server.
-		</para>
-
-		<para>
-		You are taking the opportunity to manually set the netbios name of the Samba server to
-		a name other than what will be automatically resolved. You are doing this to ensure that
-		the machine has the same NetBIOS name on both network segments.
-		</para>
-
-		<para>
-		As in the previous network configuration, printing in this network configuration uses
-		direct raw printing (i.e., no smart printing and no print driver autodownload to Windows
-		clients). Printer drivers are installed on the Windows client manually. This is not
-		a problem because Christine is to install and configure one single workstation and
-		then clone that configuration, using Norton Ghost, to all workstations. Each machine is
-		identical, so this should pose no problem.
-		</para>
-
-		<sect3>
-		<title>Hardware Requirements</title>
-
-		<para>
-		<indexterm><primary>memory requirements</primary></indexterm>
-		This server runs a considerable number of services. From similarly configured Linux
-		installations, the approximate calculated memory requirements are as shown in
-		<link linkend="ch4memoryest"/>.
-
-<example id="ch4memoryest">
-<title>Estimation of Memory Requirements</title>
-<screen>
-Application  Memory per User    130 Users      500 Users
-   Name        (MBytes)       Total MBytes   Total MBytes
------------  ---------------  ------------   ------------
-DHCP              2.5               3              3
-DNS              16.0              16             16
-Samba (nmbd)     16.0              16             16
-Samba (winbind)  16.0              16             16
-Samba (smbd)      4.0             520           2000
-Apache           10.0 (20 User)   200            200
-CUPS              3.5              16             32
-Basic OS        256.0             256            256
-                              -------------- --------------
-    Total:                       1043 MBytes    2539 MBytes
-                              -------------- --------------
-</screen>
-</example>
-		You should add a safety margin of at least 50% to these estimates. The minimum 
-		system memory recommended for initial startup 1 GB, but to permit the system
-		to scale to 500 users, it makes sense to provision the machine with 4 GB memory.
-		An initial configuration with only 1 GB memory would lead to early performance complaints
-		as the system load builds up. Given the low cost of memory, it does not make sense to
-		compromise in this area.
-		</para>
-
-		<para>
-		<indexterm><primary>bandwidth calculations</primary></indexterm>
-		Aggregate input/output loads should be considered for sizing network configuration as 
-		well as disk subsystems. For network bandwidth calculations, one would typically use an
-		estimate of 0.1 MB/sec per user. This suggests that 100-Base-T (approx. 10 MB/sec)
-		would deliver below acceptable capacity for the initial user load. It is therefore a good
-		idea to begin with 1 Gb Ethernet cards for the two internal networks, each attached
-		to a 1 Gb Ethernet switch that provides connectivity to an expandable array of 100-Base-T
-		switched ports.
-		</para>
-
-		<para>
-		<indexterm><primary>network segments</primary></indexterm>
-		<indexterm><primary>RAID</primary></indexterm>
-		Considering the choice of 1 Gb Ethernet interfaces for the two local network segments,
-		the aggregate network I/O capacity will be 2100 Mb/sec (about 230 MB/sec), an I/O
-		demand that would require a fast disk storage I/O capability. Peak disk throughput is 
-		limited by the disk subsystem chosen. It is desirable to provide the maximum 
-		I/O bandwidth affordable. If a low-cost solution must be chosen, 
-		3Ware IDE RAID Controllers are a good choice. These controllers can be fitted into a 
-		64-bit, 66 MHz PCI-X slot. They appear to the operating system as a high-speed SCSI 
-		controller that can operate at the peak of the PCI-X bandwidth (approximately 450 MB/sec).
-		Alternative SCSI-based hardware RAID controllers should also be considered. Alternately,
-		it makes sense to purchase well-known, branded hardware that has appropriate performance
-		specifications. As a minimum, one should attempt to provide a disk subsystem that can
-		deliver I/O rates of at least 100 MB/sec. 
-		</para>
-
-		<para>
-		Disk storage requirements may be calculated as shown in <link linkend="ch4diskest"/>.
-
-<example id="ch4diskest">
-<title>Estimation of Disk Storage Requirements</title>
-<screen>
-Corporate Data: 100 MBytes/user per year
-Email Storage:  500 MBytes/user per year
-Applications:   5000 MBytes
-Safety Buffer:  At least 50%
-
-Given 500 Users and 2 years:
------------------------------
-        Corporate Data:  2 x 100 x 500 = 100000 MBytes = 100 GBytes
-        Email Storage:   2 x 500 x 500 = 500000 MBytes = 500 GBytes
-        Applications:                      5000 MBytes =   5 GBytes
-                                       ----------------------------
-                             Total:                      605 GBytes
-             Add 50% buffer                              303 GBytes
-                       Recommended Storage:              908 GBytes
-</screen>
-</example>
-		<indexterm><primary>storage capacity</primary></indexterm>
-		The preferred storage capacity should be approximately 1 Terabyte. Use of RAID level 5
-		with two hot spare drives would require an 8-drive by 200 GB capacity per drive array.
-		</para>
-
-		</sect3>
-
-	</sect2>
-
-
-	<sect2>
-		<title>Political Issues</title>
-
-		<para>
-		Your industry is coming under increasing accountability pressures. Increased paranoia
-		is necessary so you can demonstrate that you have acted with due diligence. You must
-		not trust your Internet connection.
-		</para>
-
-		<para>
-		Apart from permitting more efficient management of business applications through use of
-		an application server, your primary reason for the decision to implement this is that it
-		gives you greater control over software licensing.
-		</para>
-
-		<para>
-		<indexterm><primary>Outlook Express</primary></indexterm>
-		You are well aware that the current configuration results in some performance issues
-		as the size of the desktop profile grows. Given that users use Microsoft Outlook
-		Express, you know that the storage implications of the <constant>.PST</constant> file
-		is something that needs to be addressed later.
-		</para>
-
-	</sect2>
-
-</sect1>
-
-<sect1>
-	<title>Implementation</title>
-
-	<para>
-	<link linkend="ch04net"/> demonstrates the overall design of the network that you will implement.
-	</para>
-
-	<para>
-	The information presented here assumes that you are already familiar with many basic steps.
-	As this stands, the details provided already extend well beyond just the necessities of
-	Samba configuration. This decision is deliberate to ensure that key determinants
-	of a successful installation are not overlooked. This is the last case that documents
-	the finite minutiae of DHCP and DNS server configuration. Beyond the information provided
-	here, there are many other good reference books on these subjects.
-	</para>
-
-	<para>
-	The &smb.conf; file has the following noteworthy features:
-	</para>
-
-	<itemizedlist>
-		<listitem><para>
-		The NetBIOS name of the Samba server is set to <constant>DIAMOND</constant>.
-		</para></listitem>
-
-		<listitem><para>
-		The Domain name is set to <constant>PROMISES</constant>.
-		</para></listitem>
-
-		<listitem><para>
-		<indexterm><primary>broadcast messages</primary></indexterm>
-		<indexterm><primary>interfaces</primary></indexterm>
-		<indexterm><primary>bind interfaces only</primary></indexterm>
-		Ethernet interface <constant>eth0</constant> is attached to the Internet connection
-		and is externally exposed. This interface is explicitly not available for Samba to use.
-		Samba listens on this interface for broadcast messages but does not broadcast any
-		information on <constant>eth0</constant>, nor does it accept any connections from it.
-		This is achieved by way of the <parameter>interfaces</parameter> parameter and the
-		<parameter>bind interfaces only</parameter> entry.
-		</para></listitem>
-
-		<listitem><para>
-		<indexterm><primary>passdb backend</primary></indexterm>
-		<indexterm><primary>tdbsam</primary></indexterm>
-		<indexterm><primary>binary database</primary></indexterm>
-		The <parameter>passdb backend</parameter> parameter specifies the creation and use
-		of the <constant>tdbsam</constant> password backend. This is a binary database that
-		has excellent scalability for a large number of user account entries.
-		</para></listitem>
-
-		<listitem><para>
-		<indexterm><primary>WINS serving</primary></indexterm>
-		<indexterm><primary>wins support</primary></indexterm>
-		<indexterm><primary>name resolve order</primary></indexterm>
-		WINS serving is enabled by the <smbconfoption name="wins support">Yes</smbconfoption>,
-		and name resolution is set to use it by means of the
-		<smbconfoption name="name resolve order">wins bcast hosts</smbconfoption> entry.
-		</para></listitem>
-
-		<listitem><para>
-		<indexterm><primary>time server</primary></indexterm>
-		The Samba server is configured for use by Windows clients as a time server.
-		</para></listitem>
-
-		<listitem><para>
-		<indexterm><primary>CUPS</primary></indexterm>
-		<indexterm><primary>printing</primary></indexterm>
-		<indexterm><primary>printcap name</primary></indexterm>
-		Samba is configured to directly interface with CUPS via the direct internal interface
-		that is provided by CUPS libraries. This is achieved with the 
-		<smbconfoption name="printing">CUPS</smbconfoption> as well as the
-		<smbconfoption name="printcap name">CUPS</smbconfoption> entries.
-		</para></listitem>
-
-		<listitem><para>
-		<indexterm><primary>user management</primary></indexterm>
-		<indexterm><primary>group management</primary></indexterm>
-		<indexterm><primary>SRVTOOLS.EXE</primary></indexterm>
-		External interface scripts are provided to enable Samba to interface smoothly to
-		essential operating system functions for user and group management. This is important
-		to enable workstations to join the Domain and is also important so that you can use
-		the Windows NT4 Domain User Manager as well as the Domain Server Manager. These tools
-		are provided as part of the <filename>SRVTOOLS.EXE</filename> toolkit that can be 
-		downloaded from the Microsoft FTP
-		<ulink url="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE">site</ulink>.
-		</para></listitem>
-
-		<listitem><para>
-		<indexterm><primary>User Mode</primary></indexterm>
-		The &smb.conf; file specifies that the Samba server will operate in (default) <parameter>
-		security = user</parameter> mode<footnote><para>See <emphasis>TOSHARG2</emphasis>, Chapter 3.
-		This is necessary so that Samba can act as a Domain Controller (PDC); see
-		<emphasis>TOSHARG2</emphasis>, Chapter 4, for additional information.</para></footnote>
-		(User Mode).
-		</para></listitem>
-
-		<listitem><para>
-		<indexterm><primary>logon services</primary></indexterm>
-		<indexterm><primary>logon script</primary></indexterm>
-		Domain logon services as well as a Domain logon script are spec