What happened to 2.2.2

Toomas Soome tsoome at ut.ee
Fri Oct 12 16:05:02 GMT 2001


it seems better:)

I have found another issue, however.

I removed my profile, logged into my nt4 host and started terminal client
to w2k. w2k complained like 'unable to copy 3 Floppy (A).lnk' or something.

so I have found file '3^Z\ Floppy\ \(A\).lnk' in profile/SendTo dir.

and I guess, it's needless to say, server is doing codepage conversion.

  character set = ISO8859-15
  client code page = 775

I guess it's a bad idea to translate nontranslatable chars to ^Z in file
names....

On Fri, 12 Oct 2001, Jeremy Allison wrote:

> Ok, I have a work-around for the problems with profiles in
> W2K SP2 and Samba 2.2.2 CVS. I'm checking it in now. It
> means a change to a parameter, but seems to fix the problem.
>
> Gerry - we'll need to change the profile docs to reflect this.
>
> To recap - the problem is that when W2K SP2 creates a local
> copy of a roving profile, it copies the security descriptors
> from the remote system. This is ok when the profile is stored
> on the Samba PDC (as the PDC SID is the same as the sid returned
> as the owner of the files). It fails when the profile is stored
> on a third Samba server, as the owner of the files is returned as a
> SID that is local to the profile Samba server.
>
> ie. PDC called JEREMY1 for domain JEREMYNET, profile server called JEREMY3
> user logging in is JEREMYNET\jeremy, the security set on the cached profile
> directory is :
>
> Administrator: Full access
> SYSTEM: Full access
> JEREMY3\jeremy: Full access
>
> As you can see, the PDC sid for jeremy (JEREMYNET\jeremy) has no access
> to the cached profile directory - leading to access denied on modification.
>
> If winbindd were running on the profile server then the file owner would be
> returned as JEREMYNET\jeremy rather than JEREMY3\jeremy, and everything
> would be fine. Unfortunately winbindd won't run against a Samba PDC
> (this is nasty, and will be my #2 priority - after the memory leaks - once
> 2.2.2 ships) so we can't use this solution. Also it requires winbindd
> running on the profile server, which you might not want.
>
> Enter my workaround :-).
>
> I modified the "nt acl support" parameter to be a per-share parameter,
> not a global parameter. Then I changed the semantics slightly so that
> it just returned "success" on ACL set, not changing the filesystem, and
> returned a null ACL consisting of "Owner:World, Group:World, no DACL"
> on get.
>
> With the PDC (JEREMY1) set to be :
>
>         logon home = \\jeremy3\%U
>         logon path = \\jeremy3\profiles\%U\profile
>
> and the profile server (JEREMY3) having a share :
>
> [profiles]
>         comment = user profiles
>         writable = yes
>         path = /export/home/profiles
>         nt acl support = no
>
> then everything now works as it did with W2K no service pack.
> The permissions on the profile created are acceptable (rw-r--r--
> for jeremy) and so I think this will work for the 2.2.2 release
> (which I really would like to be a good PDC for W2KSP2).
>
> I realise we need to fix this better using winbindd so I'll
> put lots more effort into this once we've got 2.2.2 out the door.
>
> If the people who were complaining about this could check out
> the SAMBA_2_2 release and try this workaround with their environments
> I'd be very grateful.
>
> Jeremy.
>

toomas
-- 
It is far better to be deceived than to be undeceived by those we love.
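
The code page mismatch reported in the message above, as an added example that is not part of the original mail and is not Samba's code: it models a conversion from client code page 775 to ISO8859-15 that substitutes ^Z for characters the server charset lacks, and shows that two distinct names can collapse into one. The function names are hypothetical, and the original link name "3½ Floppy (A).lnk" is an assumption about what the client sent.

```python
# Added example: model of a lossy client-code-page -> server-charset name mapping.
SUB = 0x1A  # ^Z, the substitute byte seen in the on-disk name in the message

def untranslatable_bytes(client_cp="cp775", server_cs="iso8859_15"):
    """High client bytes whose character has no server-charset equivalent."""
    missing = []
    for b in range(0x80, 0x100):
        try:
            ch = bytes([b]).decode(client_cp)
            ch.encode(server_cs)
        except UnicodeDecodeError:
            continue  # byte is undefined in the client code page
        except UnicodeEncodeError:
            missing.append((b, ch))
    return missing

def lossy_convert(name, client_cp="cp775", server_cs="iso8859_15"):
    """Hypothetical model of the reported behaviour: unmappable char -> ^Z."""
    out = bytearray()
    for ch in name.decode(client_cp):
        try:
            out += ch.encode(server_cs)
        except UnicodeEncodeError:
            out.append(SUB)
    return bytes(out)

def strict_convert(name, client_cp="cp775", server_cs="iso8859_15"):
    """Alternative policy: refuse the name instead of silently rewriting it."""
    try:
        return name.decode(client_cp).encode(server_cs)
    except UnicodeEncodeError as e:
        raise ValueError(f"no {server_cs} mapping for {e.object[e.start:e.end]!r}")

def collisions(names, **kw):
    """Group distinct client names that end up with the same on-disk name."""
    seen = {}
    for n in names:
        seen.setdefault(lossy_convert(n, **kw), []).append(n)
    return {disk: src for disk, src in seen.items() if len(src) > 1}

if __name__ == "__main__":
    # Constructed sample names (U+00BD is one half, U+00BC is one quarter).
    half = "3\u00bd Floppy (A).lnk".encode("cp775")
    quarter = "3\u00bc Floppy (A).lnk".encode("cp775")
    print(lossy_convert(half))
    print(collisions([half, quarter]))
    print([hex(b) for b, _ in untranslatable_bytes()])
```

A server-side audit for names already damaged this way can simply look for byte 0x1A in directory entries under the profile share.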




