+++ /dev/null
-<samba:parameter name="profile acls"
- context="S"
- type="boolean"
- deprecated="1"
- xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
-<description>
- <para>
- As most system support support posix acls and extended attributes
- today. The "acl_xattr" vfs module should be used instead of
- using <smbconfoption name="profile acls">yes</smbconfoption>.
- Using an vfs module that provides nfs4 acls may also work.
- </para>
-
- <para>
- With modern clients (as of 2017) it's not possible to
- use <smbconfoption name="profile acls">yes</smbconfoption> anymore.
- </para>
-
- <para>
- This boolean parameter was added to fix the problems that people have been
- having with storing user profiles on Samba shares from Windows 2000 or
- Windows XP clients. New versions of Windows 2000 or Windows XP service
- packs do security ACL checking on the owner and ability to write of the
- profile directory stored on a local workstation when copied from a Samba
- share.
- </para>
-
- <para>
- When not in domain mode with winbindd then the security info copied
- onto the local workstation has no meaning to the logged in user (SID) on
- that workstation so the profile storing fails. Adding this parameter
- onto a share used for profile storage changes two things about the
- returned Windows ACL. Firstly it changes the owner and group owner
- of all reported files and directories to be BUILTIN\\Administrators,
- BUILTIN\\Users respectively (SIDs S-1-5-32-544, S-1-5-32-545). Secondly
- it adds an ACE entry of "Full Control" to the SID BUILTIN\\Users to
- every returned ACL. This will allow any Windows 2000 or XP workstation
- user to access the profile.
- </para>
-
- <para>
- Note that if you have multiple users logging
- on to a workstation then in order to prevent them from being able to access
- each others profiles you must remove the "Bypass traverse checking" advanced
- user right. This will prevent access to other users profile directories as
- the top level profile directory (named after the user) is created by the
- workstation profile code and has an ACL restricting entry to the directory
- tree to the owning user.
- </para>
-
- <para>
- Note that this parameter should be set to yes on dedicated profile shares only.
- On other shares, it might cause incorrect file ownerships.
- </para>
-
- <para>
- This parameter is deprecated with Samba 4.7 and will be removed in future versions.
- </para>
-</description>
-
-<value type="default">no</value>
-</samba:parameter>