Diffstat (limited to 'docs/README.Win2kSP2')
-rw-r--r-- | docs/README.Win2kSP2 | 56 |
1 files changed, 56 insertions, 0 deletions
diff --git a/docs/README.Win2kSP2 b/docs/README.Win2kSP2 new file mode 100644 index 0000000000..49a8fbf4ae --- /dev/null +++ b/docs/README.Win2kSP2 
@@ -0,0 +1,56 @@ +!== +!== README.Win2kSP2 +!== + +Author: Gerald (Jerry) Carter <jerry@samba.org> + +================================================================== + +There are several annoyances with Windows 2000 SP2. One of which +only appears when using a Samba server to host user profiles +to Windows 2000 SP2 clients in a Windows domain. This assumes +that Samba is a member of the domain, but the problem will +likely occur if it is not. + +In order to server profiles successfully to Windows 2000 SP2 +clients (when not operating as a PDC), Samba must have + + nt acl support = no + +added to the file share which houses the roaming profiles. +If this is not done, then the Windows 2000 SP2 client will +complain about not being able to access the profile (Access +Denied) and create multiple copies of it on disk (DOMAIN.user.001, +DOMAIN.user.002, etc...). See the smb.conf(5) man page +for more details on this option. Also note that the "nt acl support" +parameter was formally a global parameter in releases prior +to Samba 2.2.2. + +The following is a minimal profile share + + [profile] + path = /export/profile + create mask = 0600 + directory mask = 0700 + nt acl support = no + read only = no + +The reason for this bug is that the Win2k SP2 client copies +the security descriptor for the profile which contains +the Samba server's SID, and not the domain SID. The client +compares the SID for SAMBA\user and realizes it is +different that the one assigned to DOMAIN\user. Hence the reason +for the "access denied" message. + +By disabling the "nt acl support" parameter, Samba will send +the Win2k client a response to the QuerySecurityDescriptor +trans2 call which causes the client to set a default ACL +for the profile. This default ACL includes + + DOMAIN\user "Full Control" + + +NOTE : This bug does not occur when using winbind to +create accounts on the Samba host for Domain users. + + |
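Review bot: Three wording slips in the new README blur what it tells an administrator. In the workaround paragraph, "In order to server profiles" should read "serve profiles", and "was formally a global parameter" should read "formerly". In the explanation paragraph, "different that the one assigned to DOMAIN\user" should read "different than". The "formerly" sentence matters most: it is the only hint that releases prior to Samba 2.2.2 treat "nt acl support" as a global parameter, while the example sets it only inside [profile]. Consider stating outright that on those releases the setting has to go in the global section. The closing NOTE, that the bug does not occur when winbind creates the accounts for Domain users, is the alternative to disabling NT ACL support on the share, so it would read better placed directly after the workaround paragraph than at the end of the file. The opening paragraph's "This assumes that Samba is a member of the domain, but the problem will likely occur if it is not" is also ambiguous about which case was actually tested; say which configuration the Access Denied behaviour was observed in.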