diff options
author | John Terpstra <jht@samba.org> | 2003-07-06 06:56:58 +0000 |
---|---|---|
committer | John Terpstra <jht@samba.org> | 2003-07-06 06:56:58 +0000 |
commit | ee998cde338dacc1c3ef4909d10a2f9883f647b8 (patch) | |
tree | 381df85a0548a2f7ff99b074062300148566c1ea /docs/docbook/smbdotconf | |
parent | cd2c5e1f63ba4c9baad333071e9e21897a415c2a (diff) | |
download | samba-ee998cde338dacc1c3ef4909d10a2f9883f647b8.tar.gz samba-ee998cde338dacc1c3ef4909d10a2f9883f647b8.tar.bz2 samba-ee998cde338dacc1c3ef4909d10a2f9883f647b8.zip |
Adding profile acls man entry for smb.conf.5
(This used to be commit 80709d4304a02ca99853df009c5641e65b0ab12b)
Diffstat (limited to 'docs/docbook/smbdotconf')
-rw-r--r-- | docs/docbook/smbdotconf/protocol/profileacls.xml | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/docs/docbook/smbdotconf/protocol/profileacls.xml b/docs/docbook/smbdotconf/protocol/profileacls.xml new file mode 100644 index 0000000000..6f2b3ec510 --- /dev/null +++ b/docs/docbook/smbdotconf/protocol/profileacls.xml @@ -0,0 +1,33 @@ +<samba:parameter name="profile acls" + context="S" + advanced="1" wizard="1" + xmlns:samba="http://samba.org/common"> +<listitem> + <para>This boolean parameter controls whether <citerefentry><refentrytitle>smbd</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> + This boolean parameter was added to fix the problems that people have been + having with storing user profiles on Samba shares from Windows 2000 or + Windows XP clients. New versions of Windows 2000 or Windows XP service + packs do security ACL checking on the owner and ability to write of the + profile directory stored on a local workstation when copied from a Samba + share. When not in domain mode with winbindd then the security info copied + onto the local workstation has no meaning to the logged in user (SID) on + that workstation so the profile storing fails. Adding this parameter + onto a share used for profile storage changes two things about the + returned Windows ACL. Firstly it changes the owner and group owner + of all reported files and directories to be BUILTIN\\Administrators, + BUILTIN\\Users respectively (SIDs S-1-5-32-544, S-1-5-32-545). Secondly + it adds an ACE entry of "Full Control" to the SID BUILTIN\\Users to + every returned ACL. This will allow any Windows 2000 or XP workstation + user to access the profile. Note that if you have multiple users logging + on to a workstation then in order to prevent them from being able to access + each others profiles you must remove the "Bypass traverse checking" advanced + user right. This will prevent access to other users profile directories as + the top level profile directory (named after the user) is created by the + workstation profile code and has an ACL restricting entry to the directory + tree to the owning user. + </para> + + <para>Default: <command moreinfo="none">profile acls = no</command></para> +</listitem> +</samba:parameter> |