diff options
Diffstat (limited to 'docs-xml/smbdotconf/protocol/profileacls.xml')
-rw-r--r-- | docs-xml/smbdotconf/protocol/profileacls.xml | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/docs-xml/smbdotconf/protocol/profileacls.xml b/docs-xml/smbdotconf/protocol/profileacls.xml new file mode 100644 index 0000000000..1c6f0c9ebf --- /dev/null +++ b/docs-xml/smbdotconf/protocol/profileacls.xml @@ -0,0 +1,41 @@ +<samba:parameter name="profile acls" + context="S" + type="boolean" + advanced="1" wizard="1" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + This boolean parameter was added to fix the problems that people have been + having with storing user profiles on Samba shares from Windows 2000 or + Windows XP clients. New versions of Windows 2000 or Windows XP service + packs do security ACL checking on the owner and ability to write of the + profile directory stored on a local workstation when copied from a Samba + share. + </para> + + <para> + When not in domain mode with winbindd then the security info copied + onto the local workstation has no meaning to the logged in user (SID) on + that workstation so the profile storing fails. Adding this parameter + onto a share used for profile storage changes two things about the + returned Windows ACL. Firstly it changes the owner and group owner + of all reported files and directories to be BUILTIN\\Administrators, + BUILTIN\\Users respectively (SIDs S-1-5-32-544, S-1-5-32-545). Secondly + it adds an ACE entry of "Full Control" to the SID BUILTIN\\Users to + every returned ACL. This will allow any Windows 2000 or XP workstation + user to access the profile. + </para> + + <para> + Note that if you have multiple users logging + on to a workstation then in order to prevent them from being able to access + each others profiles you must remove the "Bypass traverse checking" advanced + user right. This will prevent access to other users profile directories as + the top level profile directory (named after the user) is created by the + workstation profile code and has an ACL restricting entry to the directory + tree to the owning user. + </para> +</description> + +<value type="default">no</value> +</samba:parameter> |