<samba:parameter name="profile acls"
                 context="S"
                 type="boolean"
                 advanced="1" wizard="1"
                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>
This boolean parameter was added to fix the problems that people have been
having with storing user profiles on Samba shares from Windows 2000 or
Windows XP clients. Newer Windows 2000 and Windows XP service packs
perform security ACL checks on the owner of, and the ability to write to,
the profile directory stored on the local workstation when it is copied
from a Samba share.
</para>

<para>
When not in domain mode with winbindd, the security information copied
onto the local workstation has no meaning for the logged-in user (SID) on
that workstation, so storing the profile fails. Adding this parameter
to a share used for profile storage changes two things about the
returned Windows ACL. Firstly, it changes the owner and group owner
of all reported files and directories to BUILTIN\\Administrators and
BUILTIN\\Users respectively (SIDs S-1-5-32-544 and S-1-5-32-545). Secondly,
it adds a "Full Control" ACE for the SID BUILTIN\\Users to
every returned ACL. This allows any Windows 2000 or XP workstation
user to access the profile.
</para>

<para>
Note that if you have multiple users logging
on to a workstation, then in order to prevent them from being able to access
each other's profiles you must remove the "Bypass traverse checking" advanced
user right. This prevents access to other users' profile directories, because
the top-level profile directory (named after the user) is created by the
workstation profile code and has an ACL restricting entry to the directory
tree to the owning user.
</para>

<para>
Note that this parameter should be set to yes on dedicated profile shares only.
On other shares, it might cause incorrect file ownerships to be reported.
</para>

</description>

<value type="default">no</value>
</samba:parameter>
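<para>
The following smb.conf fragment is an added illustration, not part of the Samba documentation or the Samba project's own configuration: it shows a dedicated profile share with <command>profile acls = yes</command> beside an ordinary data share that keeps the default of <command>no</command>. Share names, paths and the mask values are assumptions. Note that the parameter only changes the ACL Samba reports to the client; the Unix permissions on disk are unchanged, so the restrictive masks below still govern real access.
</para>

```ini
# Added example (not from the Samba documentation); share names and paths are assumptions.

[profiles]
    comment = Roaming profiles (dedicated profile share)
    path = /srv/samba/profiles
    read only = no
    browseable = no
    ; Report BUILTIN\Administrators / BUILTIN\Users as owner and group owner
    ; and add a Full Control ACE for BUILTIN\Users to every returned ACL,
    ; so the workstation's profile code accepts the copied profile.
    profile acls = yes
    ; Keep the on-disk permissions tight: each user's top-level profile
    ; directory is created by the workstation and stays private to its owner.
    create mask = 0600
    directory mask = 0700

[data]
    comment = Ordinary file share
    path = /srv/samba/data
    read only = no
    ; "profile acls" deliberately left at its default of no: enabling it here
    ; would make Samba report incorrect ownership for ordinary files.
```

After editing, <command>testparm</command> will print the effective value of <command>profile acls</command> for each share, which is a quick way to confirm it is set only on the dedicated profile share.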