This is another *BIG* change...

Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem.  In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.

This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime.  The 'passdb backend' paramater
has been created (and documented!) to support this.

As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.

This patch also introduces two new backends:  smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd.  These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.

While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly).  Most of this was
to do with % macro expansion on stored data.  It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them.  tdbsam needs
to use a similar system to pdb_ldap in this regard.

This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these.  I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.

Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.

The non-unix-account support in this patch has been proven!  It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!

Other changes:

Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.

pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend).  Extra checks have been added in
some places.

Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.

pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.

The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly.  This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.

Doco:

I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)

2 files changed, 83 insertions, 72 deletions

diff --git a/docs/docbook/manpages/smb.conf.5.sgml b/docs/docbook/manpages/smb.conf.5.sgml
index 7aa9ea3b9c5..a4646432340 100644
--- a/docs/docbook/manpages/smb.conf.5.sgml
+++ b/docs/docbook/manpages/smb.conf.5.sgml
@@ -594,6 +594,7 @@
 		<listitem><para><link linkend="ALLOWTRUSTEDDOMAINS"><parameter>allow trusted domains</parameter></link></para></listitem>
 		<listitem><para><link linkend="ANNOUNCEAS"><parameter>announce as</parameter></link></para></listitem>
 		<listitem><para><link linkend="ANNOUNCEVERSION"><parameter>announce version</parameter></link></para></listitem>
+		<listitem><para><link linkend="AUTHMETHODS"><parameter>auth methods</parameter></link></para></listitem>
 		<listitem><para><link linkend="AUTOSERVICES"><parameter>auto services</parameter></link></para></listitem>
 		<listitem><para><link linkend="BINDINTERFACESONLY"><parameter>bind interfaces only</parameter></link></para></listitem>
 		<listitem><para><link linkend="BROWSELIST"><parameter>browse list</parameter></link></para></listitem>
@@ -679,8 +680,8 @@
 		<listitem><para><link linkend="NETBIOSNAME"><parameter>netbios name</parameter></link></para></listitem>
 		<listitem><para><link linkend="NETBIOSSCOPE"><parameter>netbios scope</parameter></link></para></listitem>
 		<listitem><para><link linkend="NISHOMEDIR"><parameter>nis homedir</parameter></link></para></listitem>
+		<listitem><para><link linkend="NONUNIXACCOUNTRANGE"><parameter>non unix account range</parameter></link></para></listitem>
 		<listitem><para><link linkend="NTPIPESUPPORT"><parameter>nt pipe support</parameter></link></para></listitem>
-		<listitem><para><link linkend="NTSMBSUPPORT"><parameter>nt smb support</parameter></link></para></listitem>
 		<listitem><para><link linkend="NULLPASSWORDS"><parameter>null passwords</parameter></link></para></listitem>
 		<listitem><para><link linkend="OBEYPAMRESTRICTIONS"><parameter>obey pam restrictions</parameter></link></para></listitem>
 		<listitem><para><link linkend="OPLOCKBREAKWAITTIME"><parameter>oplock break wait time</parameter></link></para></listitem>
@@ -688,6 +689,7 @@
 		<listitem><para><link linkend="OS2DRIVERMAP"><parameter>os2 driver map</parameter></link></para></listitem>
 		<listitem><para><link linkend="PAMPASSWORDCHANGE"><parameter>pam password change</parameter></link></para></listitem>
 		<listitem><para><link linkend="PANICACTION"><parameter>panic action</parameter></link></para></listitem>
+		<listitem><para><link linkend="PASSDBBACKEND"><parameter>passdb backend</parameter></link></para></listitem>
 		<listitem><para><link linkend="PASSWDCHAT"><parameter>passwd chat</parameter></link></para></listitem>
 		<listitem><para><link linkend="PASSWDCHATDEBUG"><parameter>passwd chat debug</parameter></link></para></listitem>
 		<listitem><para><link linkend="PASSWDPROGRAM"><parameter>passwd program</parameter></link></para></listitem>
@@ -1206,6 +1208,24 @@
 
 
 		<varlistentry>
+		<term><anchor id="AUTHMETHODS">auth methods (G)</term>
+		<listitem><para>This option allows the administrator to chose what
+                authentication methods <command>smbd</command> will use when authenticating
+                a user.  This option defaults to sensible values based on <link linkend="SECURITY"><parameter>
+		security</parameter></link>.
+
+                Each entry in the list attempts to authenticate the user in turn, until
+                the user authenticates.  In practice only one method will ever actually 
+                be able to complete the authentication.
+		</para>
+
+		<para>Default: <command>auth methods = &lt;empty string&gt;</command></para>
+		<para>Example: <command>auth methods = guest sam ntdomain</command></para>
+		</listitem>
+		</varlistentry>
+
+
+		<varlistentry>
 		<term><anchor id="AVAILABLE">available (S)</term>
 		<listitem><para>This parameter lets you "turn off" a service. If 
 		<parameter>available = no</parameter>, then <emphasis>ALL</emphasis> 
@@ -2490,7 +2510,7 @@
 		</filename></ulink> file (see the <ulink url="smbpasswd.8.html"><command>
 		smbpasswd(8)</command></ulink> program for information on how to set up 
  		and maintain this file), or set the <link
-		linkend="SECURITY">security = [server|domain]</link> parameter which 
+		linkend="SECURITY">security = [server|domain|ads]</link> parameter which 
 		causes <command>smbd</command> to authenticate against another 
 		server.</para>
 		
@@ -4919,6 +4939,40 @@
 
 
 		<varlistentry>
+		<term><anchor id="NONUNIXACCOUNTRANGE">non unix account range (G)</term>
+		<listitem><para>The non unix account range parameter specifies 
+                the range of 'user ids' that are allocated by the various 'non unix 
+                account' passdb backends.  These backends allow
+                the storage of passwords for users who don't exist in /etc/passwd.  
+                This is most often used for machine account creation. 
+                This range of ids should have no existing local or NIS users within 
+                it as strange conflicts can occur otherwise.</para>
+
+                <para>NOTE: These userids never appear on the system and Samba will never
+                'become' these users. They are used only to ensure that the algorithmic 
+                RID mapping does not conflict with normal users.
+
+		<para>Default: <command>non unix account range = &lt;empty string&gt;
+		</command></para>
+		
+		<para>Example: <command>non unix account range = 10000-20000</command></para>
+		</listitem>
+		</varlistentry>
+
+
+		<listitem><para>This boolean parameter controls whether 
+		<ulink url="smbd.8.html">smbd(8)</ulink> will attempt to map 
+		UNIX permissions into Windows NT access control lists.
+		This parameter was formally a global parameter in releases
+		prior to 2.2.2.</para>
+		
+		<para>Default: <command>nt acl support = yes</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
 		<term><anchor id="NTACLSUPPORT">nt acl support (S)</term>
 		<listitem><para>This boolean parameter controls whether 
 		<ulink url="smbd.8.html">smbd(8)</ulink> will attempt to map 
@@ -4947,27 +5001,6 @@
 
 
 		<varlistentry>
-		<term><anchor id="NTSMBSUPPORT">nt smb support (G)</term>
-		<listitem><para>This boolean parameter controls whether <ulink 
-		url="smbd.8.html">smbd(8)</ulink> will negotiate NT specific SMB 
-		support with Windows NT clients. Although this is a developer 
-		debugging option and should be left alone, benchmarking has discovered 
-		that Windows NT clients give faster performance with this option 
-		set to <constant>no</constant>. This is still being investigated. 
-	 	If this option is set to <constant>no</constant> then Samba offers 
-		exactly the same SMB calls that versions prior to Samba 2.0 offered. 
-		This information may be of use if any users are having problems 
-		with NT SMB support.</para>
-		
-		<para>You should not need to ever disable this parameter.</para>
-
-		<para>Default: <command>nt smb support = yes</command></para>
-		</listitem>
-		</varlistentry>
-	
-
-
-		<varlistentry>
 		<term><anchor id="NULLPASSWORDS">null passwords (G)</term>
 		<listitem><para>Allow or disallow client access to accounts 
 		that have null passwords. </para>
@@ -5192,6 +5225,21 @@
 
 
 		<varlistentry>
+		<term><anchor id="PASSDBBACKEND">passdb backend (G)</term>
+		<listitem><para>This option allows the administrator to chose what
+                backend in which to store passwords.  This allows (for example) both 
+                smbpasswd and tdbsam to be used without a recompile.  Only one can
+                be used at a time however, and experimental backends must still be selected
+                (eg --with-tdbsam) at configure time.
+		</para>
+
+		<para>Default: <command>passdb backend = smbpasswd</command></para>
+		<para>Example: <command>passdb backend = tdbsam</command></para>
+		</listitem>
+		</varlistentry>
+
+
+		<varlistentry>
 		<term><anchor id="PASSWDCHAT">passwd chat (G)</term>
 		<listitem><para>This string controls the <emphasis>"chat"</emphasis> 
 		conversation that takes places between <ulink 
diff --git a/docs/docbook/manpages/smbpasswd.8.sgml b/docs/docbook/manpages/smbpasswd.8.sgml
index 098e874cc85..3c7a6a5150a 100644
--- a/docs/docbook/manpages/smbpasswd.8.sgml
+++ b/docs/docbook/manpages/smbpasswd.8.sgml
@@ -86,9 +86,10 @@
 		new password typed (type &lt;Enter&gt; for the old password). This 
 		option is ignored if the username following already exists in 
 		the smbpasswd file and it is treated like a regular change 
-		password command. Note that the user to be added must already exist 
-		in the system password file (usually <filename>/etc/passwd</filename>)
-		else the request to add the user will fail. </para>
+		password command.  Note that the default passdb backends require 
+                the user to already exist in the system password file (usually 
+                <filename>/etc/passwd</filename>), else the request to add the 
+                user will fail.  </para>
 		
 		<para>This option is only available when running smbpasswd 
 		as root. </para></listitem>
@@ -119,8 +120,7 @@
 		
 		<para>If the smbpasswd file is in the 'old' format (pre-Samba 2.0 
 		format) there is no space in the user's password entry to write
-		this information and so the user is disabled by writing 'X' characters 
-		into the password space in the smbpasswd file. See <command>smbpasswd(5)
+		this information and the command will FAIL. See <command>smbpasswd(5)
 		</command> for details on the 'old' and new password file formats.
 		</para>
 
@@ -138,10 +138,8 @@
 		the user will be able to authenticate via SMB once again. </para>
 		
 		<para>If the smbpasswd file is in the 'old' format, then <command>
-		smbpasswd</command> will prompt for a new password for this user, 
-		otherwise the account will be enabled by removing the <constant>'D'
-		</constant> flag from account control space in the <filename>
-		smbpasswd</filename> file. See <command>smbpasswd (5)</command> for 
+		smbpasswd</command> will FAIL to enable the account.  
+                See <command>smbpasswd (5)</command> for 
 		details on the 'old' and new password file formats. </para>
 
 		<para>This option is only available when running smbpasswd as root. 
@@ -275,45 +273,6 @@
 		
 		
 		<varlistentry>
-		<term>-j DOMAIN</term>
-		<listitem><para>This option is used to add a Samba server 
-		into a Windows NT Domain, as a Domain member capable of authenticating 
-		user accounts to any Domain Controller in the same way as a Windows 
-		NT Server. See the <command>security = domain</command> option in 
-		the <filename>smb.conf(5)</filename> man page. </para>
-		
-		<para>In order to be used in this way, the Administrator for 
-		the Windows NT Domain must have used the program "Server Manager 
-		for Domains" to add the primary NetBIOS name of  the Samba server 
-		as a member of the Domain. </para>
-		
-		<para>After this has been done, to join the Domain invoke <command>
-		smbpasswd</command> with this parameter. smbpasswd will then 
-		look up the Primary Domain Controller for the Domain (found in 
-		the <filename>smb.conf</filename> file in the parameter 
-		<parameter>password server</parameter> and change the machine account 
-		password used to create the secure Domain communication.  This 
-		password is then stored by smbpasswd in a TDB, writeable only by root, 
-		called <filename>secrets.tdb</filename> </para>
-		
-		<para>Once this operation has been performed the <filename>
-		smb.conf</filename> file may be updated to set the <command>
-		security = domain</command> option and all future logins
-		to the Samba server will be authenticated to the Windows NT 
-		PDC. </para>
-		
-		<para>Note that even though the authentication is being 
-		done to the PDC all users accessing the Samba server must still 
-		have a valid UNIX account on that machine. </para>
-
-
-		<para>This option is only available when running smbpasswd as root. 
-		</para></listitem>
-		</varlistentry>
-		
-		
-		
-		<varlistentry>
 		<term>-U username</term>
 		<listitem><para>This option may only be used in conjunction 
 		with the <parameter>-r</parameter> option. When changing
@@ -395,7 +354,7 @@
 <refsect1>
 	<title>VERSION</title>
 
-	<para>This man page is correct for version 2.2 of 
+	<para>This man page is correct for version 3.0 of 
 	the Samba suite.</para>
 </refsect1>
 
@@ -424,3 +383,7 @@
 </refsect1>
 
 </refentry>
+
+
+
+