!==
!== README.Win2kSP2
!==

Author:		Gerald (Jerry) Carter <jerry@samba.org>

==================================================================

There are several annoyances with Windows 2000 SP2. One of which
only appears when using a Samba server to host user profiles
to Windows 2000 SP2 clients in a Windows domain.  This assumes
that Samba is a member of the domain, but the problem will
likely occur if it is not.

In order to server profiles successfully to Windows 2000 SP2 
clients (when not operating as a PDC), Samba must have 

	nt acl support = no

added to the file share which houses the roaming profiles.
If this is not done, then the Windows 2000 SP2 client will
complain about not being able to access the profile (Access 
Denied) and create multiple copies of it on disk (DOMAIN.user.001,
DOMAIN.user.002, etc...).  See the smb.conf(5) man page
for more details on this option.  Also note that the "nt acl support"
parameter was formally a global parameter in releases prior
to Samba 2.2.2.

The following is a minimal profile share

	[profile]
		path = /export/profile
		create mask = 0600
		directory mask = 0700
		nt acl support = no
		read only = no

The reason for this bug is that the Win2k SP2 client copies
the security descriptor for the profile which contains
the Samba server's SID, and not the domain SID.  The client
compares the SID for SAMBA\user and realizes it is
different that the one assigned to DOMAIN\user.  Hence the reason
for the "access denied" message.

By disabling the "nt acl support" parameter, Samba will send
the Win2k client a response to the QuerySecurityDescriptor
trans2 call which causes the client to set a default ACL
for the profile. This default ACL includes 

	DOMAIN\user 	"Full Control"


NOTE : This bug does not occur when using winbind to
create accounts on the Samba host for Domain users.