From e4840f0db911eaf3aee1195030c6efca70d78f14 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 6 Dec 2001 07:37:58 +0000 Subject: merge from 2.2 (This used to be commit c5ee06b7c8fc9f1fec679acc7d7f47f333707456) --- docs/README.Win2kSP2 | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) create mode 100644 docs/README.Win2kSP2 (limited to 'docs/README.Win2kSP2') diff --git a/docs/README.Win2kSP2 b/docs/README.Win2kSP2 new file mode 100644 index 0000000000..49a8fbf4ae --- /dev/null +++ b/docs/README.Win2kSP2 
@@ -0,0 +1,56 @@ +!== +!== README.Win2kSP2 +!== + +Author: Gerald (Jerry) Carter + +================================================================== + +There are several annoyances with Windows 2000 SP2. One of which +only appears when using a Samba server to host user profiles +to Windows 2000 SP2 clients in a Windows domain. This assumes +that Samba is a member of the domain, but the problem will +likely occur if it is not. + +In order to server profiles successfully to Windows 2000 SP2 +clients (when not operating as a PDC), Samba must have + + nt acl support = no + +added to the file share which houses the roaming profiles. +If this is not done, then the Windows 2000 SP2 client will +complain about not being able to access the profile (Access +Denied) and create multiple copies of it on disk (DOMAIN.user.001, +DOMAIN.user.002, etc...). See the smb.conf(5) man page +for more details on this option. Also note that the "nt acl support" +parameter was formally a global parameter in releases prior +to Samba 2.2.2. + +The following is a minimal profile share + + [profile] + path = /export/profile + create mask = 0600 + directory mask = 0700 + nt acl support = no + read only = no + +The reason for this bug is that the Win2k SP2 client copies +the security descriptor for the profile which contains +the Samba server's SID, and not the domain SID. The client +compares the SID for SAMBA\user and realizes it is +different that the one assigned to DOMAIN\user. Hence the reason +for the "access denied" message. + +By disabling the "nt acl support" parameter, Samba will send +the Win2k client a response to the QuerySecurityDescriptor +trans2 call which causes the client to set a default ACL +for the profile. This default ACL includes + + DOMAIN\user "Full Control" + + +NOTE : This bug does not occur when using winbind to +create accounts on the Samba host for Domain users. + + -- cgit
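Review bot: Three wording errors in the added README text blur its meaning, and the scope of the workaround on older releases is left implicit. In the paragraph that introduces "nt acl support = no", "In order to server profiles" should read "serve"; in the sentence about releases prior to Samba 2.2.2, "formally a global parameter" should be "formerly"; and in the SID explanation, "different that the one assigned to DOMAIN\user" should be "different than". Because the text says the parameter was global before 2.2.2, it should also state that on those releases the workaround disables NT ACL support for every share rather than only [profile], and that from 2.2.2 onward it belongs only in the profile share, as the example shows. The closing NOTE about winbind gives no reason; one sentence tying it back to the Samba-server-SID versus domain-SID mismatch described earlier would let a reader judge whether their setup is affected.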