What happened to 2.2.2

Jeremy Allison jra at samba.org
Fri Oct 12 14:41:04 GMT 2001


Ok, I have a work-around for the problems with profiles in
W2K SP2 and Samba 2.2.2 CVS. I'm checking it in now. It
means a change to a parameter, but seems to fix the problem.

Gerry - we'll need to change the profile docs to reflect this.

To recap - the problem is that when W2K SP2 creates a local
copy of a roving profile, it copies the security descriptors
from the remote system. This is ok when the profile is stored
on the Samba PDC (as the PDC SID is the same as the sid returned
as the owner of the files). It fails when the profile is stored
on a third Samba server, as the owner of the files is returned as a
SID that is local to the profile Samba server.

i.e. PDC called JEREMY1 for domain JEREMYNET, profile server called JEREMY3,
user logging in is JEREMYNET\jeremy; the security set on the cached profile
directory is:

Administrator: Full access
SYSTEM: Full access
JEREMY3\jeremy: Full access

As you can see, the PDC sid for jeremy (JEREMYNET\jeremy) has no access
to the cached profile directory - leading to access denied on modification.

If winbindd were running on the profile server then the file owner would be
returned as JEREMYNET\jeremy rather than JEREMY3\jeremy, and everything
would be fine. Unfortunately winbindd won't run against a Samba PDC
(this is nasty, and will be my #2 priority - after the memory leaks - once
2.2.2 ships) so we can't use this solution. Also it requires winbindd
running on the profile server, which you might not want.

Enter my workaround :-).

I modified the "nt acl support" parameter to be a per-share parameter,
not a global parameter. Then I changed the semantics slightly so that
it just returned "success" on ACL set, not changing the filesystem, and
returned a null ACL consisting of "Owner:World, Group:World, no DACL"
on get.

With the PDC (JEREMY1) set to be:

        logon home = \\jeremy3\%U
        logon path = \\jeremy3\profiles\%U\profile

and the profile server (JEREMY3) having a share:

[profiles]
        comment = user profiles
        writable = yes
        path = /export/home/profiles
        nt acl support = no

then everything now works as it did with W2K no service pack.
The permissions on the profile created are acceptable (rw-r--r--
for jeremy) and so I think this will work for the 2.2.2 release
(which I really would like to be a good PDC for W2KSP2).
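The following is an added illustration, not Samba's code or Jeremy's, that models the ownership problem and the workaround described above so the effect of "nt acl support = no" can be checked against the two share definitions. The SIDs (domain SID for JEREMYNET, local machine SID for JEREMY3, RID 1001 for jeremy), the simplified security descriptor, and the "no DACL means allowed" access check are all constructed assumptions; the smb.conf excerpts are the post's [profiles] share with and without the new per-share setting.

```python
"""Model of the W2K SP2 roaming-profile ACL problem and the per-share workaround.

Constructed example; the SIDs and the access-check logic are stand-ins for the
JEREMY1 (PDC) / JEREMY3 (profile server) setup in the post, not Samba internals.
"""
import configparser
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed SIDs (assumptions): the JEREMYNET domain SID held by the PDC, and
# the profile server's own local machine SID. Real values would differ.
DOMAIN_SID = "S-1-5-21-1111-2222-3333"                 # JEREMYNET
PROFILE_SERVER_LOCAL_SID = "S-1-5-21-7777-8888-9999"   # JEREMY3's local SID
USER_RID = 1001                                        # jeremy (constructed)
WORLD_SID = "S-1-1-0"                                  # Everyone / World


@dataclass
class SecurityDescriptor:
    owner: str
    group: str
    dacl: Optional[List[Tuple[str, str]]]   # None models "no DACL"


def owner_sid_returned_by_profile_server(winbindd_running: bool) -> str:
    """SID a non-PDC Samba server reports as owner of jeremy's profile files.

    Without winbindd the Unix uid is mapped under the server's own machine SID
    (JEREMY3\\jeremy); with winbindd it is mapped to the domain SID (JEREMYNET\\jeremy).
    """
    base = DOMAIN_SID if winbindd_running else PROFILE_SERVER_LOCAL_SID
    return f"{base}-{USER_RID}"


def get_security_descriptor(nt_acl_support: bool, winbindd_running: bool) -> SecurityDescriptor:
    """Model of the ACL 'get' path under the per-share 'nt acl support' setting.

    nt acl support = no  -> null descriptor: Owner:World, Group:World, no DACL.
    nt acl support = yes -> owner is whatever SID the server maps the uid to.
    """
    if not nt_acl_support:
        return SecurityDescriptor(owner=WORLD_SID, group=WORLD_SID, dacl=None)
    owner = owner_sid_returned_by_profile_server(winbindd_running)
    return SecurityDescriptor(owner=owner, group=owner, dacl=[(owner, "FULL")])


def client_can_modify_cached_profile(sd: SecurityDescriptor, logged_in_user_sid: str) -> bool:
    """W2K SP2 copies the remote descriptor onto the local cache and then checks
    the domain user against it. A missing DACL grants everyone access (assumption
    that mirrors the post's 'no DACL' null ACL)."""
    if sd.dacl is None:
        return True
    return any(sid == logged_in_user_sid for sid, _ in sd.dacl)


def load_share(smb_conf_text: str, share: str) -> Dict[str, str]:
    """Parse one share section out of smb.conf-style text (configparser reads it)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(smb_conf_text)
    return dict(cp[share].items())


def nt_acl_support_enabled(share_settings: Dict[str, str]) -> bool:
    # Samba's default for 'nt acl support' is yes, so an absent key means enabled.
    return share_settings.get("nt acl support", "yes").strip().lower() in ("yes", "true", "1")


def profile_works(smb_conf_text: str, share: str, winbindd_running: bool) -> bool:
    """True if JEREMYNET\\jeremy can modify the cached profile pulled from 'share'."""
    settings = load_share(smb_conf_text, share)
    sd = get_security_descriptor(nt_acl_support_enabled(settings), winbindd_running)
    domain_user_sid = f"{DOMAIN_SID}-{USER_RID}"   # JEREMYNET\jeremy
    return client_can_modify_cached_profile(sd, domain_user_sid)


# Constructed smb.conf excerpts: the [profiles] share before the workaround and
# the same share with the per-share setting from the post.
SMB_CONF_BEFORE = """
[profiles]
        comment = user profiles
        writable = yes
        path = /export/home/profiles
"""
SMB_CONF_WORKAROUND = SMB_CONF_BEFORE + "        nt acl support = no\n"

if __name__ == "__main__":
    for label, text in (("before", SMB_CONF_BEFORE), ("workaround", SMB_CONF_WORKAROUND)):
        for wb in (False, True):
            ok = profile_works(text, "profiles", wb)
            print(f"{label:10} winbindd={str(wb):5} -> domain user can modify: {ok}")
```

Run stand-alone it prints the four combinations: only the "before" share without winbindd fails, which is the JEREMY3\jeremy-owns-the-files case from the post; the workaround share succeeds whether or not winbindd is running.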

I realise we need to fix this better using winbindd so I'll
put lots more effort into this once we've got 2.2.2 out the door.

If the people who were complaining about this could check out
the SAMBA_2_2 release and try this workaround with their environments
I'd be very grateful.

Jeremy.
