author Gerald Carter <jerry@samba.org> 2001-05-21 08:34:49 +0000
committer Gerald Carter <jerry@samba.org> 2001-05-21 08:34:49 +0000
commit 46ed5a6acde3b2b43ee4c32ff4ace950dba79b8c (patch)
tree 33ee571e2f69e56c71111dbc9995220b2024e0b1 /docs/docbook/projdoc/Samba-PDC-HOWTO.sgml
parent 72461f96dd72bb5ba06c11281585e79e94580f48 (diff)
working on updates for the 2.2.1 release
Diffstat (limited to 'docs/docbook/projdoc/Samba-PDC-HOWTO.sgml')
-rw-r--r-- docs/docbook/projdoc/Samba-PDC-HOWTO.sgml 680
1 files changed, 389 insertions, 291 deletions
diff --git a/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml
index ad577524559..4ab4e2247e8 100644
--- a/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml
+++ b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml
@@ -25,6 +25,29 @@ How to Configure Samba 2.2 as a Primary Domain Controller
<!-- **********************************************************
+ Prerequisite Reading
+
+*************************************************************** -->
+<sect1>
+<title>Prerequisite Reading</title>
+
+<para>
+Before you continue readingin this chapter, please make sure
+that you are comfortable with configuring basic files services
+in smb.conf and how to enable and administrate password
+encryption in Samba. Theses two topics are covered in the
+<ulink url="smb.conf.5.html"><filename>smb.conf(5)</filename></ulink>
+manpage and the <ulink url="EMCRYPTION.html">Encryption chapter</ulink>
+of this HOWTO Collection.
+</para>
+
+
+</sect1>
+
+
+
+<!-- **********************************************************
+
Background Information
*************************************************************** -->
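Review bot: The ulink in the new Prerequisite Reading para points at url="EMCRYPTION.html", which looks like a misspelling of the Encryption chapter's file name (presumably ENCRYPTION.html) and would ship as a dead link; please check the target. The same para has "readingin", "basic files services" and "Theses two topics"; suggest "Before you continue reading this chapter", "basic file services" and "These two topics".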
@@ -43,13 +66,21 @@ Both documents are superceeded by this one.
<para>
Version of Samba prior to release 2.2 had marginal capabilities to
-act as a Windows NT 4.0 Primary Domain Controller (PDC). The following
-functionality should work in 2.2:
+act as a Windows NT 4.0 Primary Domain Controller (PDC). Beginning with
+Samba 2.2.0, we are proud to announce official support for Windows NT 4.0
+style domain logons from Windows NT 4.0 (through SP6) and Windows 2000 (through
+SP1) clients. This article outlines the steps necessary for configuring Samba
+as a PDC. It is necessary to have a working Samba server prior to implementing the
+PDC functionality. If you have not followed the steps outlined in
+<ulink url="UNIX_INSTALL.html"> UNIX_INSTALL.html</ulink>, please make sure
+that your server is configured correctly before proceeding. Another good
+resource in the <ulink url="smb.conf.5.html">smb.conf(5) man
+page</ulink>. The following functionality should work in 2.2:
</para>
<itemizedlist>
<listitem><para>
- domain logons for Windows NT 4.0/2000 clients
+ domain logons for Windows NT 4.0/2000 clients.
</para></listitem>
<listitem><para>
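Review bot: In the paragraph moved into Background Information, "Another good resource in the smb.conf(5) man page" is missing its verb ("is") and was carried over unchanged from the removed text, so this is a good moment to fix it. The para now runs the release announcement, the prerequisites and the lead-in "The following functionality should work in 2.2:" together; keeping the lead-in as its own para would leave it next to the list it introduces. Only the first listitem gains a trailing period here, so check that the remaining items match.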
@@ -70,6 +101,15 @@ functionality should work in 2.2:
</para></listitem>
</itemizedlist>
+<warning>
+ <title>Windows 2000 Service Pack 2 Clients</title>
+ <para>
+ Samba 2.2.1 is required for PDC functionality when using Windows 2000
+ SP2 clients.
+ </para>
+</warning>
+
+
<para>
The following pieces of functionality are not included in the 2.2 release:
</para>
@@ -102,18 +142,6 @@ from NT4 domain logons and has been officially supported for some
time.
</para>
-<para>
-Beginning with Samba 2.2.0, we are proud to announce official
-support for Windows NT 4.0 style domain logons from Windows NT
-4.0 and Windows 2000 (including SP1) clients. This article
-outlines the steps necessary for configuring Samba as a PDC.
-It is necessary to have a working Samba server prior to implementing the
-PDC functionality. If you have not followed the steps outlined in
-<ulink url="UNIX_INSTALL.html"> UNIX_INSTALL.html</ulink>, please make sure
-that your server is configured correctly before proceeding. Another good
-resource in the <ulink url="smb.conf.5.html">smb.conf(5) man
-page</ulink>.
-</para>
<para>
Implementing a Samba PDC can basically be divided into 2 broad
@@ -227,7 +255,9 @@ There are a couple of points to emphasize in the above configuration.
<listitem><para>
The server must be the domain master browser in order for Windows
- client to locate the server as a DC.
+ client to locate the server as a DC. Please refer to the various
+ Network Browsing documentation included with this distribution for
+ details.
</para></listitem>
</itemizedlist>
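Review bot: The sentence added to the domain master browser item refers to "the various Network Browsing documentation included with this distribution" without naming a file or using a ulink, unlike the other references in this chapter. Name the specific document and link it, since a server that is not the domain master browser is described here as not being locatable as a DC.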
@@ -248,22 +278,31 @@ style accounts.
to the Domain</title>
<para>
-A machine trust account is a user account owned by a computer.
+A machine trust account is a samba user account owned by a computer.
The account password acts as the shared secret for secure
-communication with the Domain Controller. Hence the reason that
-a Windows 9x host is never a true member of a domain because
-it does not posses a machine trust account and thus has no shared
-secret with the DC.
+communication with the Domain Controller. This is a security feature
+to prevent an unauthorized machine with the same netbios name from
+joining the domain and gaining access to domain user/group accounts.
+Hence a Windows 9x host is never a true member of a domain because it does
+not posses a machine trust account, and thus has no shared secret with the DC.
</para>
<para>
On a Windows NT PDC, these machine trust account passwords are stored
-in the registry. A Samba PDC stores these accounts in he same location
+in the registry. A Samba PDC stores these accounts in the same location
as user LanMan and NT password hashes (currently <filename>smbpasswd</filename>).
However, machine trust accounts only possess and use the NT password hash.
</para>
<para>
+Because Samba requires machine accounts to possess a UNIX uid from
+which an Windows NT SID can be generated, all of these accounts
+must have an entry in <filename>/etc/passwd</filename> and smbpasswd.
+Future releases will alleviate the need to create
+<filename>/etc/passwd</filename> entries.
+</para>
+
+<para>
There are two means of creating machine trust accounts.
</para>
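Review bot: The added sentence "This is a security feature to prevent an unauthorized machine with the same netbios name from joining the domain" reads as an unconditional guarantee, while the warning added later in this patch says the domain is vulnerable from account creation until the client joins and changes the password. Suggest qualifying it, for example by saying the protection holds once the client has changed the trust account password, or by pointing at that warning. The new lines also carry "posses" (possess) and "an Windows NT SID" (a Windows NT SID), and "samba" and "netbios" are capitalised differently from the rest of the chapter.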
@@ -278,18 +317,25 @@ There are two means of creating machine trust accounts.
Creation of the account at the time of joining the domain. In
this case, the session key of the administrative account used to join
the client to the domain acts as an encryption key for setting the
- password to a random value.
+ password to a random value (This is the recommended method).
</para></listitem>
</itemizedlist>
+<sect2>
+<title>Manually creating machine trust accounts</title>
+
<para>
-Because Samba requires machine accounts to possess a UNIX uid from
-which an Windows NT SID can be generated, all of these accounts
-will have an entry in <filename>/etc/passwd</filename> and smbpasswd.
-Future releases will alleviate the need to create
-<filename>/etc/passwd</filename> entries.
+The first step in creating a machine trust account by hand is to
+create an entry for the machine in /etc/passwd. This can be done
+using <command>vipw</command> or any 'add userr' command which is normally
+used to create new UNIX accounts. The following is an example for a Linux
+based Samba server:
</para>
+<para>
+<prompt>root# </prompt>/usr/sbin/useradd -g 100 -d /dev/null -c <replaceable>
+machine_nickname</replaceable> -m -s /bin/false <replaceable>machine_name</replaceable>$
+</para>
<para>
The <filename>/etc/passwd</filename> entry will list the machine name
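Review bot: The useradd example combines -m with -d /dev/null, which asks useradd to create the home directory at /dev/null; the add user script example further down uses -M for the same kind of account, so this should probably be -M as well. The line break inside the first replaceable puts a newline into the -c argument, and a nickname containing spaces would need quoting. Also "'add userr'" should be "'add user'", and the command sits in a plain para where the other examples use programlisting.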
@@ -299,39 +345,60 @@ home directory. For example a machine called 'doppy' would have an
</para>
<para><programlisting>
-doppy$:x:505:501:NTMachine:/dev/null:/bin/false
+doppy$:x:505:501:<replaceable>machine_nickname</replaceable>:/dev/null:/bin/false
</programlisting></para>
<para>
-If you are manually creating the machine accounts, it is necessary
-to add the <filename>/etc/passwd</filename> (or NIS passwd
-map) entry prior to adding the <filename>smbpasswd</filename>
-entry. The following command will create a new machine account
-ready for use.
+Above, <replaceable>machine_nickname</replaceable> can be any descriptive name for the
+pc i.e. BasementComputer. The <replaceable>machine_name</replaceable> absolutely must be
+the netbios name of the pc to be added to the domain. The "$" must append the netbios
+name of the pc or samba will not recognize this as a machine account
</para>
+
<para>
-<prompt>root# </prompt> smbpasswd -a -m <replaceable>machine_name</replaceable>
+Now that the UNIX account has been created, the next step is to create
+the smbpasswd entry for the machine containing the well known initial
+trust account password. This can be done using the <ulink
+url="smbpasswd.6.html"><command>smbpasswd(8)</command></ulink> command
+as shown here:
</para>
<para>
-where <replaceable>machine_name</replaceable> is the machine's netbios
-name.
+<prompt>root# </prompt> smbpasswd -a -m <replaceable>machine_name</replaceable>
</para>
<para>
-<emphasis>If you manually create a machine account, immediately join
-the client to the domain.</emphasis> An open account like this
-can allow intruders to gain access to user account information
-in your domain.
+where <replaceable>machine_name</replaceable> is the machine's netbios
+name.
</para>
+<warning>
+ <title>Join the client to the domain immediately</title>
+
+ <para>
+ Manually creating a machine trust account using this method is the
+ equivalent of creating a machine account on a Windows NT PDC using
+ the "Server Manager". From the time at which the account is created
+ to the time which th client joins the domain and changes the password,
+ your domain is vulnerable to an intruder joining your domain using a
+ a machine with the same netbios name. A PDC inherently trusts
+ members of the domain and will serve out a large degree of user
+ information to such clients. You have been warned!
+ </para>
+</warning>
+</sect2>
+
+
+<sect2>
+<title>Creating machine trust accounts "on the fly"</title>
+
<para>
-The second way of creating machine trust accounts is to add
-them on the fly at the time the client is joined to the domain.
-You will need to include a value for the <ulink
+The second, and most recommended way of creating machine trust accounts
+is to create them as needed at the time the client is joined to
+the domain. You will need to include a value for the <ulink
url="smb.conf.5.html#ADDUSERSCRIPT">add user script</ulink>
-parameter. Below is an example I use on a RedHat 6.2 Linux system.
+parameter. Below is an example from a RedHat 6.2 Linux system.
</para>
<para><programlisting>
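Review bot: The smbpasswd ulink has url="smbpasswd.6.html" but its label is smbpasswd(8); one of the two section numbers is wrong and the link may not resolve. In the new warning, "to the time which th client joins" and "using a a machine" need fixing, and the para before it ends "will not recognize this as a machine account" without a period. The sample entry doppy$:x:505:501 shows gid 501 while the useradd command above uses -g 100, which will confuse anyone comparing the two. Since the warning describes an exposure window for manually created accounts, a pointer from it to the "on the fly" section would tell readers how to avoid it.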
@@ -339,12 +406,13 @@ add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
</programlisting></para>
<para>
-In Samba 2.2, <emphasis>only the root account</emphasis> can be used to create
-machine accounts on the fly like this. Therefore, it is required to create
+In Samba 2.2.1, <emphasis>only the root account</emphasis> can be used to create
+machine accounts like this. Therefore, it is required to create
an entry in smbpasswd for <emphasis>root</emphasis>. The password
<emphasis>SHOULD</emphasis> be set to s different password that the
associated <filename>/etc/passwd</filename> entry for security reasons.
</para>
+</sect2>
</sect1>
<!-- **********************************************************
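Review bot: Changing "In Samba 2.2" to "In Samba 2.2.1" makes the root-only restriction read as specific to 2.2.1; if it also applies to 2.2.0, say so explicitly so that 2.2.0 users do not assume another account works. The unchanged sentence "set to s different password that the associated /etc/passwd entry" is the one security instruction in this para and is garbled; suggest "set to a different password than the associated /etc/passwd entry" in the same commit.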
@@ -358,138 +426,145 @@ associated <filename>/etc/passwd</filename> entry for security reasons.
<para>
</para>
+<itemizedlist>
+<listitem>
+ <para>
+ <emphasis>I cannot include a '$' in a machine name.</emphasis>
+ </para>
+
+ <para>
+ A 'machine name' in (typically) <filename>/etc/passwd</>
+ of the machine name with a '$' appended. FreeBSD (and other BSD
+ systems ?) won't create a user with a '$' in their name.
+ </para>
-<para>
-<emphasis>I cannot include a '$' in a machine name.</emphasis>
-</para>
-
-<para>
-A 'machine name' in (typically) <filename>/etc/passwd</>
-of the machine name with a '$' appended. FreeBSD (and other BSD
-systems ?) won't create a user with a '$' in their name.
-</para>
-
-<para>
-The problem is only in the program used to make the entry, once
-made, it works perfectly. So create a user without the '$' and
-use <command>vipw</> to edit the entry, adding the '$'. Or create
-the whole entry with vipw if you like, make sure you use a
-unique uid !
-</para>
-
-
-<para>
-<emphasis>I get told "You already have a connection to the Domain...."
-or "Cannot join domain, the credentials supplied conflict with an
-existing set.." when creating a machine account.</emphasis>
-</para>
-
-<para>
-This happens if you try to create a machine account from the
-machine itself and already have a connection (e.g. mapped drive)
-to a share (or IPC$) on the Samba PDC. The following command
-will remove all network drive connections:
-</para>
+ <para>
+ The problem is only in the program used to make the entry, once
+ made, it works perfectly. So create a user without the '$' and
+ use <command>vipw</> to edit the entry, adding the '$'. Or create
+ the whole entry with vipw if you like, make sure you use a
+ unique uid !
+ </para>
+</listitem>
+
+<listitem>
+ <para>
+ <emphasis>I get told "You already have a connection to the Domain...."
+ or "Cannot join domain, the credentials supplied conflict with an
+ existing set.." when creating a machine account.</emphasis>
+ </para>
-<para>
-<prompt>C:\WINNT\></prompt> <command>net use * /d</command>
-</para>
+ <para>
+ This happens if you try to create a machine account from the
+ machine itself and already have a connection (e.g. mapped drive)
+ to a share (or IPC$) on the Samba PDC. The following command
+ will remove all network drive connections:
+ </para>
-<para>
-Further, if the machine is a already a 'member of a workgroup' that
-is the same name as the domain you are joining (bad idea) you will
-get this message. Change the workgroup name to something else, it
-does not matter what, reboot, and try again.
-</para>
+ <para>
+ <prompt>C:\WINNT\></prompt> <command>net use * /d</command>
+ </para>
+ <para>
+ Further, if the machine is a already a 'member of a workgroup' that
+ is the same name as the domain you are joining (bad idea) you will
+ get this message. Change the workgroup name to something else, it
+ does not matter what, reboot, and try again.
+ </para>
+</listitem>
-<para>
-<emphasis>
-"The system can not log you on (C000019B)...."</emphasis>
-</para>
+<listitem>
+ <para>
+ <emphasis>The system can not log you on (C000019B)....</emphasis>
+ </para>
-<para>I joined the domain successfully but after upgrading
-to a newer version of the Samba code I get the message, "The system
-can not log you on (C000019B), Please try a gain or consult your
-system administrator" when attempting to logon.
-</para>
+ <para>I joined the domain successfully but after upgrading
+ to a newer version of the Samba code I get the message, "The system
+ can not log you on (C000019B), Please try a gain or consult your
+ system administrator" when attempting to logon.
+ </para>
-<para>
-This occurs when the domain SID stored in
-<filename>private/WORKGROUP.SID</filename> is
-changed. For example, you remove the file and <command>smbd</command> automatically
-creates a new one. Or you are swapping back and forth between
-versions 2.0.7, TNG and the HEAD branch code (not recommended). The
-only way to correct the problem is to restore the original domain
-SID or remove the domain client from the domain and rejoin.
-</para>
+ <para>
+ This occurs when the domain SID stored in
+ <filename>private/WORKGROUP.SID</filename> is
+ changed. For example, you remove the file and <command>smbd</command> automatically
+ creates a new one. Or you are swapping back and forth between
+ versions 2.0.7, TNG and the HEAD branch code (not recommended). The
+ only way to correct the problem is to restore the original domain
+ SID or remove the domain client from the domain and rejoin.
+ </para>
+</listitem>
+<listitem>
+ <para>
+ <emphasis>The machine account for this computer either does not
+ exist or is not accessible.</emphasis>
+ </para>
-<para>
-<emphasis>"The machine account for this computer either does not
-exist or is not accessible."</emphasis>
-</para>
+ <para>
+ When I try to join the domain I get the message "The machine account
+ for this computer either does not exist or is not accessible". Whats
+ wrong?
+ </para>
-<para>
-When I try to join the domain I get the message "The machine account
-for this computer either does not exist or is not accessible". Whats
-wrong ?
-</para>
+ <para>
+ This problem is caused by the PDC not having a suitable machine account.
+ If you are using the <parameter>add user script</parameter> method to create
+ accounts then this would indicate that it has not worked. Ensure the domain
+ admin user system is working.
+ </para>
-<para>
-This problem is caused by the PDC not having a suitable machine account.
-If you are using the <parameter>add user script</parameter> method to create
-accounts then this would indicate that it has not worked. Ensure the domain
-admin user system is working.
-</para>
+ <para>
+ Alternatively if you are creating account entries manually then they
+ have not been created correctly. Make sure that you have the entry
+ correct for the machine account in smbpasswd file on the Samba PDC.
+ If you added the account using an editor rather than using the smbpasswd
+ utility, make sure that the account name is the machine netbios name
+ with a '$' appended to it ( ie. computer_name$ ). There must be an entry
+ in both /etc/passwd and the smbpasswd file. Some people have reported
+ that inconsistent subnet masks between the Samba server and the NT
+ client have caused this problem. Make sure that these are consistent
+ for both client and server.
+ </para>
+</listitem>
-<para>
-Alternatively if you are creating account entries manually then they
-have not been created correctly. Make sure that you have the entry
-correct for the machine account in smbpasswd file on the Samba PDC.
-If you added the account using an editor rather than using the smbpasswd
-utility, make sure that the account name is the machine netbios name
-with a '$' appended to it ( ie. computer_name$ ). There must be an entry
-in both /etc/passwd and the smbpasswd file. Some people have reported
-that inconsistent subnet masks between the Samba server and the NT
-client have caused this problem. Make sure that these are consistent
-for both client and server.
-</para>
+<listitem>
+ <para>
+ <emphasis>When I attempt to login to a Samba Domain from a NT4/W2K workstation,
+ I get a message about my account being disabled.</emphasis>
+ </para>
-<para>
-<emphasis>When I attempt to login to a Samba Domain from a NT4/W2K workstation,
-I get a message about my account being disabled.</emphasis>
-</para>
-
-<para>
-This problem is caused by a PAM related bug in Samba 2.2.0. This bug is
-fixed in 2.2.1. Other symptoms could be unaccessible shares on
-NT/W2K member servers in the domain or the following error in your smbd.log:
-passdb/pampass.c:pam_account(268) PAM: UNKNOWN ERROR for User: %user%
-</para>
+ <para>
+ This problem is caused by a PAM related bug in Samba 2.2.0. This bug is
+ fixed in 2.2.1. Other symptoms could be unaccessible shares on
+ NT/W2K member servers in the domain or the following error in your smbd.log:
+ passdb/pampass.c:pam_account(268) PAM: UNKNOWN ERROR for User: %user%
+ </para>
-<para>
-At first be ensure to enable the useraccounts with <command>smbpasswd -e
-%user%</command>, this is normaly done, when you create an account.
-</para>
+ <para>
+ At first be ensure to enable the useraccounts with <command>smbpasswd -e
+ %user%</command>, this is normaly done, when you create an account.
+ </para>
-<para>
-In order to work around this problem in 2.2.0, configure the
-<parameter>account</parameter> control flag in
-<filename>/etc/pam.d/samba</filename> file as follows:
-</para>
+ <para>
+ In order to work around this problem in 2.2.0, configure the
+ <parameter>account</parameter> control flag in
+ <filename>/etc/pam.d/samba</filename> file as follows:
+ </para>
-<para><programlisting>
-account required pam_permit.so
-</programlisting></para>
+ <para><programlisting>
+ account required pam_permit.so
+ </programlisting></para>
-<para>
-If you want to remain backward compatibility to samba 2.0.x use
-<filename>pam_permit.so</filename>, it's also possible to use
-<filename>pam_pwdb.so</filename>. There are some bugs if you try to
-use <filename>pam_unix.so</filename>, if you need this, be ensure to use
-the most recent version of this file.
-</para>
+ <para>
+ If you want to remain backward compatibility to samba 2.0.x use
+ <filename>pam_permit.so</filename>, it's also possible to use
+ <filename>pam_pwdb.so</filename>. There are some bugs if you try to
+ use <filename>pam_unix.so</filename>, if you need this, be ensure to use
+ the most recent version of this file.
+ </para>
+</listitem>
+</itemizedlist>
</sect1>
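Review bot: The PAM item presents "account required pam_permit.so" as the workaround without saying it should be reverted; pam_permit always returns success, so with this line the account phase no longer rejects anything for the samba service. The text already states the bug is fixed in 2.2.1, so add a sentence telling readers to restore their normal account module after upgrading. Smaller points in this hunk: the first listitem's sentence "A 'machine name' in (typically) /etc/passwd of the machine name with a '$' appended" has no verb, the empty <para></para> before the new itemizedlist is still there, "try a gain", "Whats", "be ensure" and "normaly" are carried over by the re-indent, and the quotation marks were dropped from two of the emphasised error messages but kept on the others.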
@@ -518,89 +593,98 @@ Profiles and Policies in Windows NT 4.0</ulink> available from Microsoft.
Here are some additional details:
</para>
-<para>
-<emphasis>What about Windows NT Policy Editor ?</emphasis>
-</para>
+<itemizedlist>
-<para>
-To create or edit <filename>ntconfig.pol</filename> you must use
-the NT Server Policy Editor, <command>poledit.exe</command> which
-is included with NT Server but <emphasis>not NT Workstation</emphasis>.
-There is a Policy Editor on a NTws
-but it is not suitable for creating <emphasis>Domain Policies</emphasis>.
-Further, although the Windows 95
-Policy Editor can be installed on an NT Workstation/Server, it will not
-work with NT policies because the registry key that are set by the policy templates.
-However, the files from the NT Server will run happily enough on an NTws.
-You need <filename>poledit.exe, common.adm</> and <filename>winnt.adm</>. It is convenient
-to put the two *.adm files in <filename>c:\winnt\inf</> which is where
-the binary will look for them unless told otherwise. Note also that that
-directory is 'hidden'.
-</para>
+<listitem>
+ <para>
+ <emphasis>What about Windows NT Policy Editor ?</emphasis>
+ </para>
-<para>The Windows NT policy editor is also included with the
-Service Pack 3 (and later) for Windows NT 4.0. Extract the files using
-<command>servicepackname /x</command>, ie thats <command>Nt4sp6ai.exe
-/x</command> for service pack 6a. The policy editor, <command>poledit.exe</command> and the
-associated template files (*.adm) should
-be extracted as well. It is also possible to downloaded the policy template
-files for Office97 and get a copy of the policy editor. Another possible
-location is with the Zero Administration Kit available for download from Microsoft.
-</para>
+ <para>
+ To create or edit <filename>ntconfig.pol</filename> you must use
+ the NT Server Policy Editor, <command>poledit.exe</command> which
+ is included with NT Server but <emphasis>not NT Workstation</emphasis>.
+ There is a Policy Editor on a NTws
+ but it is not suitable for creating <emphasis>Domain Policies</emphasis>.
+ Further, although the Windows 95
+ Policy Editor can be installed on an NT Workstation/Server, it will not
+ work with NT policies because the registry key that are set by the policy templates.
+ However, the files from the NT Server will run happily enough on an NTws.
+ You need <filename>poledit.exe, common.adm</> and <filename>winnt.adm</>. It is convenient
+ to put the two *.adm files in <filename>c:\winnt\inf</> which is where
+ the binary will look for them unless told otherwise. Note also that that
+ directory is 'hidden'.
+ </para>
+ <para>
+ The Windows NT policy editor is also included with the Service Pack 3 (and
+ later) for Windows NT 4.0. Extract the files using <command>servicepackname /x</command>,
+ ie thats <command>Nt4sp6ai.exe /x</command> for service pack 6a. The policy editor,
+ <command>poledit.exe</command> and the associated template files (*.adm) should
+ be extracted as well. It is also possible to downloaded the policy template
+ files for Office97 and get a copy of the policy editor. Another possible
+ location is with the Zero Administration Kit available for download from Microsoft.
+ </para>
+</listitem>
-<para>
-<emphasis>Can Win95 do Policies ?</emphasis>
-</para>
-<para>
-Install the group policy handler for Win9x to pick up group
-policies. Look on the Win98 CD in <filename>\tools\reskit\netadmin\poledit</filename>.
-Install group policies on a Win9x client by double-clicking
-<filename>grouppol.inf</filename>. Log off and on again a couple of
-times and see if Win98 picks up group policies. Unfortunately this needs
-to be done on every Win9x machine that uses group policies....
-</para>
+<listitem>
+ <para>
+ <emphasis>Can Win95 do Policies ?</emphasis>
+ </para>
-<para>
-If group policies don't work one reports suggests getting the updated
-(read: working) grouppol.dll for Windows 9x. The group list is grabbed
-from /etc/group.
-</para>
+ <para>
+ Install the group policy handler for Win9x to pick up group
+ policies. Look on the Win98 CD in <filename>\tools\reskit\netadmin\poledit</filename>.
+ Install group policies on a Win9x client by double-clicking
+ <filename>grouppol.inf</filename>. Log off and on again a couple of
+ times and see if Win98 picks up group policies. Unfortunately this needs
+ to be done on every Win9x machine that uses group policies....
+ </para>
-<para>
-<emphasis>How do I get 'User Manager' and 'Server Manager'</emphasis>
-</para>
+ <para>
+ If group policies don't work one reports suggests getting the updated
+ (read: working) grouppol.dll for Windows 9x. The group list is grabbed
+ from /etc/group.
+ </para>
+</listitem>
-<para>
-Since I don't need to buy an NT Server CD now, how do I get
-the 'User Manager for Domains', the 'Server Manager' ?
-</para>
-<para>
-Microsoft distributes a version of
-these tools called nexus for installation on Windows 95 systems. The
-tools set includes
-</para>
+<listitem>
+ <para>
+ <emphasis>How do I get 'User Manager' and 'Server Manager'</emphasis>
+ </para>
+
+ <para>
+ Since I don't need to buy an NT Server CD now, how do I get
+ the 'User Manager for Domains', the 'Server Manager' ?
+ </para>
+
+ <para>
+ Microsoft distributes a version of these tools called nexus for
+ installation on Windows 95 systems. The tools set includes
+ </para>
-<itemizedlist>
- <listitem><para>Server Manager</para></listitem>
+ <itemizedlist>
+ <listitem><para>Server Manager</para></listitem>
- <listitem><para>User Manager for Domains</para></listitem>
+ <listitem><para>User Manager for Domains</para></listitem>
- <listitem><para>Event Viewer</para></listitem>
-</itemizedlist>
+ <listitem><para>Event Viewer</para></listitem>
+ </itemizedlist>
-<para>
-Click here to download the archived file <ulink
-url="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE">ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE</ulink>
-</para>
+ <para>
+ Click here to download the archived file <ulink
+ url="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE">ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE</ulink>
+ </para>
-<para>
-The Windows NT 4.0 version of the 'User Manager for
-Domains' and 'Server Manager' are available from Microsoft via ftp
-from <ulink url="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE">ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE</ulink>
-</para>
+ <para>
+ The Windows NT 4.0 version of the 'User Manager for
+ Domains' and 'Server Manager' are available from Microsoft via ftp
+ from <ulink url="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE">ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE</ulink>
+ </para>
+</listitem>
+</itemizedlist>
</sect1>
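Review bot: In the Policy Editor listitem, "it will not work with NT policies because the registry key that are set by the policy templates" is an incomplete sentence that the re-indent carries over unchanged; it needs its ending (what about the registry keys prevents it from working). The same item has "ie thats" and "possible to downloaded", the Win95 item has "one reports suggests", and the title "How do I get 'User Manager' and 'Server Manager'" lacks the question mark the other titles have.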
@@ -622,12 +706,14 @@ of mailing lists, RFC's and documentation. The docs that come
with the samba distribution contain very good explanations of
general SMB topics such as browsing.</para>
-<para>
-<emphasis>What are some diagnostics tools I can use to debug the domain logon
-process and where can I find them?</emphasis>
-</para>
+<itemizedlist>
+<listitem>
+ <para>
+ <emphasis>What are some diagnostics tools I can use to debug the domain logon
+ process and where can I find them?</emphasis>
+ </para>
- <para>
+ <para>
One of the best diagnostic tools for debugging problems is Samba itself.
You can use the -d option for both smbd and nmbd to specifiy what
'debug level' at which to run. See the man pages on smbd, nmbd and
@@ -659,9 +745,9 @@ process and where can I find them?</emphasis>
<listitem><para>smbclient -L //{netbios name of server}</para></listitem>
</itemizedlist>
- <para>
+ <para>
An SMB enabled version of tcpdump is available from
- <ulink url="http://www.tcpdump.org/">http://www.tcpdup.org/</ulink>.
+ <ulink url="http://www.tcpdump.org/">http://www.tcpdup.org/</ulink>.
Ethereal, another good packet sniffer for UNIX and Win32
hosts, can be downloaded from <ulink
url="http://www.ethereal.com/">http://www.ethereal.com</ulink>.
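Review bot: The re-indented tcpdump ulink line still shows the link text "http://www.tcpdup.org/" while the url attribute is http://www.tcpdump.org/. Since the line is being touched anyway, correct the visible text so readers who copy it from a printed or text rendering get the right host.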
@@ -678,11 +764,15 @@ process and where can I find them?</emphasis>
local subnet. Be aware that Ethereal can read and write netmon
formatted files.
</para>
+</listitem>
+
+
+<listitem>
+ <para>
+ <emphasis>How do I install 'Network Monitor' on an NT Workstation
+ or a Windows 9x box?</emphasis>
+ </para>
-<para>
-<emphasis>How do I install 'Network Monitor' on an NT Workstation
-or a Windows 9x box?</emphasis>
-</para>
<para>
Installing netmon on an NT workstation requires a couple
of steps. The following are for installing Netmon V4.00.349, which comes
@@ -754,12 +844,17 @@ or a Windows 9x box?</emphasis>
information on how to do this. Copy the files from a working
Netmon installation.
</para>
+</listitem>
-<sect2>
-<title>URLs and similar</title>
-<itemizedlist>
+
+<listitem>
+ <para>
+ The following is a list if helpful URLs and other links:
+ </para>
+
+ <itemizedlist>
<listitem><para>Home of Samba site <ulink url="http://samba.org">
http://samba.org</ulink>. We have a mirror near you !</para></listitem>
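Review bot: Replacing the "URLs and similar" sect2 with a listitem drops the section title, and with it any table-of-contents entry or link target, and the new item has no emphasised question like its siblings, only "The following is a list if helpful URLs and other links:". Suggest keeping a title for this block, or giving the item an emphasised heading line, and changing "list if" to "list of".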
@@ -786,36 +881,35 @@ or a Windows 9x box?</emphasis>
<ulink url="ftp://ftp.microsoft.com/developr/drg/CIFS/">
ftp://ftp.microsoft.com/developr/drg/CIFS/</ulink></para></listitem>
+ </itemizedlist>
+</listitem>
</itemizedlist>
-</sect2>
-
-<sect2>
-<title>Mailing Lists</title>
-
-<para>
-<emphasis>How do I get help from the mailing lists ?</emphasis>
-</para>
+<itemizedlist>
+<listitem>
+ <para>
+ <emphasis>How do I get help from the mailing lists ?</emphasis>
+ </para>
-<para>
-There are a number of Samba related mailing lists. Go to <ulink
-url="http://samba.org">http://samba.org</ulink>, click on your nearest mirror
-and then click on <command>Support</> and then click on <command>
-Samba related mailing lists</>.
-</para>
+ <para>
+ There are a number of Samba related mailing lists. Go to <ulink
+ url="http://samba.org">http://samba.org</ulink>, click on your nearest mirror
+ and then click on <command>Support</> and then click on <command>
+ Samba related mailing lists</>.
+ </para>
-<para>
-For questions relating to Samba TNG go to
-<ulink url="http://www.samba-tng.org/">http://www.samba-tng.org/</ulink>
-It has been requested that you don't post questions about Samba-TNG to the
-main stream Samba lists.</para>
+ <para>
+ For questions relating to Samba TNG go to
+ <ulink url="http://www.samba-tng.org/">http://www.samba-tng.org/</ulink>
+ It has been requested that you don't post questions about Samba-TNG to the
+ main stream Samba lists.</para>
-<para>
-If you post a message to one of the lists please observe the following guide lines :
-</para>
+ <para>
+ If you post a message to one of the lists please observe the following guide lines :
+ </para>
-<itemizedlist>
+ <itemizedlist>
<listitem><para> Always remember that the developers are volunteers, they are
not paid and they never guarantee to produce a particular feature at
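Review bot: The added </itemizedlist> and </listitem> close the URL list, and a new <itemizedlist> for the mailing-list questions opens right after the outer list closes, so the output has two adjacent lists with nothing between them now that the "Mailing Lists" sect2 title is removed. Either continue in the same outer list or keep a heading to separate them. The Samba TNG para also lacks a period after the samba-tng.org ulink, so it runs into "It has been requested".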
@@ -859,25 +953,30 @@ If you post a message to one of the lists please observe the following guide lin
mailing lists go to a huge number of people, do they all need a copy of your
smb.conf in their attach directory ?</para></listitem>
-</itemizedlist>
+ </itemizedlist>
+</listitem>
-<para>
-<emphasis>How do I get off the mailing lists ?</emphasis>
-</para>
+<listitem>
+ <para>
+ <emphasis>How do I get off the mailing lists ?</emphasis>
+ </para>
- <para>To have your name removed from a samba mailing list, go to the
- same place you went to to get on it. Go to <ulink url=
- "http://lists.samba.org/">http://lists.samba.org</ulink>, click
- on your nearest mirror and then click on <command>Support</> and
- then click on <command> Samba related mailing lists</>. Or perhaps see
- <ulink url="http://lists.samba.org/mailman/roster/samba-ntdom">here</ulink></para>
+ <para>To have your name removed from a samba mailing list, go to the
+ same place you went to to get on it. Go to <ulink
+ url="http://lists.samba.org/">http://lists.samba.org</ulink>,
+ click on your nearest mirror and then click on <command>Support</> and
+ then click on <command> Samba related mailing lists</>. Or perhaps see
+ <ulink url="http://lists.samba.org/mailman/roster/samba-ntdom">here</ulink>
+ </para>
- <para>
+ <para>
Please don't post messages to the list asking to be removed, you will just
- be referred to the above address (unless that process failed in some way...)
- </para>
-</sect2>
+ be referred to the above address (unless that process failed in some way...)
+ </para>
+</listitem>
+</itemizedlist>
+
</sect1>
@@ -894,10 +993,14 @@ If you post a message to one of the lists please observe the following guide lin
DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba
</title>
-<para>
-This appendix was originally authored by John H Terpstra of the Samba Team
-and is included here for posterity.
-</para>
+<warning>
+ <title>Possibly Outdated Material</title>
+
+ <para>
+ This appendix was originally authored by John H Terpstra of
+ the Samba Team and is included here for posterity.
+ </para>
+</warning>
<para>
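Review bot: The new warning is titled "Possibly Outdated Material" but its para still only says who wrote the appendix and that it is included for posterity, so the reader is not told what may be outdated or which text to trust instead. Add a sentence saying that the main chapter takes precedence where the two differ, or name the parts of the appendix known to be stale.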
@@ -916,13 +1019,8 @@ Windows NT SAM.
Windows NT Server can be installed as either a plain file and print server
(WORKGROUP workstation or server) or as a server that participates in Domain
Control (DOMAIN member, Primary Domain controller or Backup Domain controller).
-</para>
-
-<para>
The same is true for OS/2 Warp Server, Digital Pathworks and other similar
products, all of which can participate in Domain Control along with Windows NT.
-However only those servers which have licensed Windows NT code in them can be
-a primary Domain Controller (eg Windows NT Server, Advanced Server for Unix.)
</para>
<para>