docs-xml: remove deprecated 'profile acls' option

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

diff --git a/docs-xml/smbdotconf/protocol/profileacls.xml b/docs-xml/smbdotconf/protocol/profileacls.xml
deleted file mode 100644 (file)
index a660c52..0000000
--- a/docs-xml/smbdotconf/protocol/profileacls.xml
+++ /dev/null
@@ -1,62 +0,0 @@
-<samba:parameter name="profile acls"
-                 context="S"
-                 type="boolean"
-                 deprecated="1"
-                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
-<description>
-       <para>
-       As most system support support posix acls and extended attributes
-       today. The "acl_xattr" vfs module should be used instead of
-       using <smbconfoption name="profile acls">yes</smbconfoption>.
-       Using an vfs module that provides nfs4 acls may also work.
-       </para>
-
-       <para>
-       With modern clients (as of 2017) it's not possible to
-       use <smbconfoption name="profile acls">yes</smbconfoption> anymore.
-       </para>
-
-       <para>
-       This boolean parameter was added to fix the problems that people have been
-       having with storing user profiles on Samba shares from Windows 2000 or
-       Windows XP clients. New versions of Windows 2000 or Windows XP service
-       packs do security ACL checking on the owner and ability to write of the
-       profile directory stored on a local workstation when copied from a Samba
-       share.
-       </para>
-
-       <para>
-       When not in domain mode with winbindd then the security info copied
-       onto the local workstation has no meaning to the logged in user (SID) on
-       that workstation so the profile storing fails. Adding this parameter
-       onto a share used for profile storage changes two things about the
-       returned Windows ACL. Firstly it changes the owner and group owner
-       of all reported files and directories to be BUILTIN\\Administrators,
-       BUILTIN\\Users respectively (SIDs S-1-5-32-544, S-1-5-32-545). Secondly
-       it adds an ACE entry of "Full Control" to the SID BUILTIN\\Users to
-       every returned ACL. This will allow any Windows 2000 or XP workstation
-       user to access the profile.
-       </para>
-
-       <para>
-       Note that if you have multiple users logging
-       on to a workstation then in order to prevent them from being able to access
-       each others profiles you must remove the "Bypass traverse checking" advanced
-       user right. This will prevent access to other users profile directories as
-       the top level profile directory (named after the user) is created by the
-       workstation profile code and has an ACL restricting entry to the directory
-       tree to the owning user.
-       </para>
-
-       <para>
-       Note that this parameter should be set to yes on dedicated profile shares only.
-       On other shares, it might cause incorrect file ownerships.
-       </para>
-
-       <para>
-       This parameter is deprecated with Samba 4.7 and will be removed in future versions.
-       </para>
-</description>
-
-<value type="default">no</value>
-</samba:parameter>

diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 5853c8f70c0393242959a46a2ed7ed9468c2d93b..a2fcc4246c96260d4fc580a57936553051b79169 100644 (file)
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -229,7 +229,6 @@ static const struct loadparm_service _sDefault =
        .nt_acl_support = true,
        .force_unknown_acl_user = false,
        ._use_sendfile = false,
-       .profile_acls = false,
        .map_acl_inherit = false,
        .afs_share = false,
        .ea_support = false,