Author: Gerald (Jerry) Carter <jerry@samba.org>
==================================================================

There are several annoyances with Windows 2000 SP2. One of them
appears only when using a Samba server to host user profiles
for Windows 2000 SP2 clients in a Windows domain. This assumes
that Samba is a member of the domain, but the problem will
likely occur if it is not.

In order to serve profiles successfully to Windows 2000 SP2
clients (when not operating as a PDC), Samba must have

	nt acl support = no

added to the file share which houses the roaming profiles.
If this is not done, then the Windows 2000 SP2 client will
complain about not being able to access the profile (Access
Denied) and create multiple copies of it on disk (DOMAIN.user.001,
DOMAIN.user.002, etc...). See the smb.conf(5) man page
for more details on this option. Also note that the "nt acl support"
parameter was formerly a global parameter in releases prior

The following is a minimal profile share:

	path = /export/profile

The reason for this bug is that the Win2k SP2 client copies
the security descriptor for the profile, which contains
the Samba server's SID and not the domain SID. The client
compares the SID for SAMBA\user and realizes it is
different from the one assigned to DOMAIN\user. Hence the
"access denied" message.

By disabling the "nt acl support" parameter, Samba will send
the Win2k client a response to the QuerySecurityDescriptor
trans2 call which causes the client to set a default ACL
for the profile. This default ACL includes

	DOMAIN\user "Full Control"

NOTE: This bug does not occur when using winbind to
create accounts on the Samba host for Domain users.
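
An added example (not part of the original note and not Samba code): a small Python check that reads smb.conf text and lists the profile shares on which "nt acl support" is still in effect, taking the share's own setting first, then [global], then the smb.conf(5) default of yes. The share names and the sample configuration are constructed for illustration.

```python
# Added example (not Samba code): report profile shares where
# "nt acl support" is still in effect.
SAMBA_DEFAULT = True  # smb.conf(5) default when the parameter is unset: yes
BOOLS = {"yes": True, "true": True, "1": True, "no": False, "false": False, "0": False}


def _norm(name):
    """Samba matches parameter names ignoring case and embedded whitespace."""
    return "".join(name.split()).lower()


def parse_smb_conf(text):
    """Return {section (lowercased): {normalised parameter: raw value}}."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # continued on the next line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[_norm(key)] = value.strip()
    return sections


def nt_acl_support(sections, share):
    """Effective value: the share's own setting, else [global], else default."""
    for scope in (share.lower(), "global"):
        value = sections.get(scope, {}).get("ntaclsupport")
        if value is not None:
            if value.lower() not in BOOLS:
                raise ValueError(f"bad boolean {value!r} in [{scope}]")
            return BOOLS[value.lower()]
    return SAMBA_DEFAULT


def shares_needing_fix(text, profile_shares):
    """Profile shares that still have nt acl support in effect."""
    sections = parse_smb_conf(text)
    return [s for s in profile_shares if nt_acl_support(sections, s)]


# Constructed sample; the share names are illustrative.
SAMPLE = "[global]\nworkgroup = DOMAIN\n[profile]\npath = /export/profile\nNT ACL Support = No\n[oldprofile]\n; inherits the default\npath = /export/oldprofile\n"
print(shares_needing_fix(SAMPLE, ["profile", "oldprofile"]))
```

On a live host, the output of testparm is a more reliable input than the raw file, since it reflects what Samba actually parsed.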