!== !== README.Win2kSP2 !== Author: Gerald (Jerry) Carter <jerry@samba.org> ================================================================== There are several annoyances with Windows 2000 SP2. One of which only appears when using a Samba server to host user profiles to Windows 2000 SP2 clients in a Windows domain. This assumes that Samba is a member of the domain, but the problem will likely occur if it is not. In order to server profiles successfully to Windows 2000 SP2 clients (when not operating as a PDC), Samba must have nt acl support = no added to the file share which houses the roaming profiles. If this is not done, then the Windows 2000 SP2 client will complain about not being able to access the profile (Access Denied) and create multiple copies of it on disk (DOMAIN.user.001, DOMAIN.user.002, etc...). See the smb.conf(5) man page for more details on this option. Also note that the "nt acl support" parameter was formally a global parameter in releases prior to Samba 2.2.2. The following is a minimal profile share [profile] path = /export/profile create mask = 0600 directory mask = 0700 nt acl support = no read only = no The reason for this bug is that the Win2k SP2 client copies the security descriptor for the profile which contains the Samba server's SID, and not the domain SID. The client compares the SID for SAMBA\user and realizes it is different that the one assigned to DOMAIN\user. Hence the reason for the "access denied" message. By disabling the "nt acl support" parameter, Samba will send the Win2k client a response to the QuerySecurityDescriptor trans2 call which causes the client to set a default ACL for the profile. This default ACL includes DOMAIN\user "Full Control" NOTE : This bug does not occur when using winbind to create accounts on the Samba host for Domain users.