From ee998cde338dacc1c3ef4909d10a2f9883f647b8 Mon Sep 17 00:00:00 2001
From: John Terpstra <jht@samba.org>
Date: Sun, 6 Jul 2003 06:56:58 +0000
Subject: Adding profile acls man entry for smb.conf.5 (This used to be commit
 80709d4304a02ca99853df009c5641e65b0ab12b)

---
 docs/docbook/smbdotconf/protocol/profileacls.xml | 33 ++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 docs/docbook/smbdotconf/protocol/profileacls.xml

(limited to 'docs')

diff --git a/docs/docbook/smbdotconf/protocol/profileacls.xml b/docs/docbook/smbdotconf/protocol/profileacls.xml
new file mode 100644
index 0000000000..6f2b3ec510
--- /dev/null
+++ b/docs/docbook/smbdotconf/protocol/profileacls.xml
@@ -0,0 +1,33 @@
+<samba:parameter name="profile acls"
+                 context="S"
+                 advanced="1" wizard="1"
+                 xmlns:samba="http://samba.org/common">
+<listitem>
+    <para>This boolean parameter controls whether <citerefentry><refentrytitle>smbd</refentrytitle>                                       
+    <manvolnum>8</manvolnum></citerefentry> 
+	This boolean parameter was added to fix the problems that people have been
+	having with storing user profiles on Samba shares from Windows 2000 or
+	Windows XP clients. New versions of Windows 2000 or Windows XP service
+	packs do security ACL checking on the owner and ability to write of the
+	profile directory stored on a local workstation when copied from a Samba
+	share. When not in domain mode with winbindd then the security info copied
+	onto the local workstation has no meaning to the logged in user (SID) on
+	that workstation so the profile storing fails. Adding this parameter
+	onto a share used for profile storage changes two things about the
+	returned Windows ACL. Firstly it changes the owner and group owner
+	of all reported files and directories to be BUILTIN\\Administrators,
+	BUILTIN\\Users respectively (SIDs S-1-5-32-544, S-1-5-32-545). Secondly
+	it adds an ACE entry of "Full Control" to the SID BUILTIN\\Users to
+	every returned ACL. This will allow any Windows 2000 or XP workstation
+	user to access the profile. Note that if you have multiple users logging
+	on to a workstation then in order to prevent them from being able to access
+	each others profiles you must remove the "Bypass traverse checking" advanced
+	user right. This will prevent access to other users profile directories as
+	the top level profile directory (named after the user) is created by the
+	workstation profile code and has an ACL restricting entry to the directory
+	tree to the owning user.
+    </para>
+		
+    <para>Default: <command moreinfo="none">profile acls = no</command></para>
+</listitem>
+</samba:parameter>
-- 
cgit