summaryrefslogtreecommitdiff
path: root/docs/README.Win2kSP2
diff options
context:
space:
mode:
Diffstat (limited to 'docs/README.Win2kSP2')
-rw-r--r--docs/README.Win2kSP256
1 files changed, 56 insertions, 0 deletions
diff --git a/docs/README.Win2kSP2 b/docs/README.Win2kSP2
new file mode 100644
index 0000000000..49a8fbf4ae
--- /dev/null
+++ b/docs/README.Win2kSP2
@@ -0,0 +1,56 @@
+!==
+!== README.Win2kSP2
+!==
+
+Author: Gerald (Jerry) Carter <jerry@samba.org>
+
+==================================================================
+
+There are several annoyances with Windows 2000 SP2. One of which
+only appears when using a Samba server to host user profiles
+to Windows 2000 SP2 clients in a Windows domain. This assumes
+that Samba is a member of the domain, but the problem will
+likely occur if it is not.
+
+In order to server profiles successfully to Windows 2000 SP2
+clients (when not operating as a PDC), Samba must have
+
+ nt acl support = no
+
+added to the file share which houses the roaming profiles.
+If this is not done, then the Windows 2000 SP2 client will
+complain about not being able to access the profile (Access
+Denied) and create multiple copies of it on disk (DOMAIN.user.001,
+DOMAIN.user.002, etc...). See the smb.conf(5) man page
+for more details on this option. Also note that the "nt acl support"
+parameter was formally a global parameter in releases prior
+to Samba 2.2.2.
+
+The following is a minimal profile share
+
+ [profile]
+ path = /export/profile
+ create mask = 0600
+ directory mask = 0700
+ nt acl support = no
+ read only = no
+
+The reason for this bug is that the Win2k SP2 client copies
+the security descriptor for the profile which contains
+the Samba server's SID, and not the domain SID. The client
+compares the SID for SAMBA\user and realizes it is
+different that the one assigned to DOMAIN\user. Hence the reason
+for the "access denied" message.
+
+By disabling the "nt acl support" parameter, Samba will send
+the Win2k client a response to the QuerySecurityDescriptor
+trans2 call which causes the client to set a default ACL
+for the profile. This default ACL includes
+
+ DOMAIN\user "Full Control"
+
+
+NOTE : This bug does not occur when using winbind to
+create accounts on the Samba host for Domain users.
+
+