37.5 Windows 2000 Service Pack 2


There are several annoyances with Windows 2000 SP2. One of which only appears when using a Samba server to host user profiles to Windows 2000 SP2 clients in a Windows domain. This assumes that Samba is a member of the domain, but the problem will most likely occur if it is not.

In order to serve profiles successfully to Windows 2000 SP2 clients (when not operating as a PDC), Samba must have nt acl support = no added to the file share which houses the roaming profiles. If this is not done, then the Windows 2000 SP2 client will complain about not being able to access the profile (Access Denied ) and create multiple copies of it on disk (DOMAIN.user.001, DOMAIN.user.002, and so on). See the smb.conf man page for more details on this option. Also note that the nt acl support parameter was formally a global parameter in releases prior to Samba 2.2.2.

Example 37.1 provides a minimal profile share.

Example 37.1 Minimal profile share
  [profile]   path = /export/profile   create mask = 0600   directory mask = 0700   nt acl support = no   read only = no  

The reason for this bug is that the Windows 200x SP2 client copies the security descriptor for the profile that contains the Samba server's SID, and not the domain SID. The client compares the SID for SAMBA\user and realizes it is different from the one assigned to DOMAIN\user. Hence, the reason for the access denied message.

By disabling the nt acl support parameter, Samba will send the Windows 200x client a response to the QuerySecurityDescriptor trans2 call, which causes the client to set a default ACL for the profile. This default ACL includes:

DOMAIN\user "Full Control">

N OTE

graphics/round_pencil.gif

This bug does not occur when using Winbind to create accounts on the Samba host for Domain users.




Official Samba-3 HOWTO and Reference Guide
The Official Samba-3 HOWTO and Reference Guide, 2nd Edition
ISBN: 0131882228
EAN: 2147483647
Year: 2005
Pages: 297

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net