<samba:parameter name="profile acls"
                 context="S"
                 type="boolean"
                 advanced="1" wizard="1"
                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
	<para>
	This boolean parameter was added to fix the problems that people have been
	having with storing user profiles on Samba shares from Windows 2000 or
	Windows XP clients. New versions of Windows 2000 or Windows XP service
	packs perform security ACL checks on the owner and the writability of the
	profile directory stored on a local workstation when it is copied from a
	Samba share.
	</para>

	<para>
	When Samba is not in domain mode with winbindd, the security information
	copied onto the local workstation has no meaning to the logged-in user (SID)
	on that workstation, so storing the profile fails. Adding this parameter
	to a share used for profile storage changes two things about the
	returned Windows ACL. Firstly, it changes the owner and group owner
	of all reported files and directories to be BUILTIN\\Administrators and
	BUILTIN\\Users respectively (SIDs S-1-5-32-544, S-1-5-32-545). Secondly,
	it adds an ACE granting "Full Control" to the SID BUILTIN\\Users to
	every returned ACL. This will allow any Windows 2000 or XP workstation
	user to access the profile.
	</para>

	<para>
	Note that if you have multiple users logging
	on to a workstation, then in order to prevent them from being able to access
	each other's profiles you must remove the "Bypass traverse checking" advanced
	user right. This will prevent access to other users' profile directories, as
	the top-level profile directory (named after the user) is created by the
	workstation profile code and has an ACL restricting entry to the directory
	tree to the owning user.
	</para>
</description>

<value type="default">no</value>
</samba:parameter>