What happened to 2.2.2

Oktay Akbal oktay.akbal at s-tec.de
Sat Oct 13 04:20:02 GMT 2001


Well, it seems to work now. I can't see why you say it is only a problem
with a third server storing the profiles, but it now works with my setup.

Does anyone have a hint on how to remove the old directories (.00x etc.)?
Users that once failed to log in with the "old" 2.2.2 now can't
log in on that workstation, with the same error as earlier. New
users on that workstation can. How do I correct the old entries on the
W2K SP2 workstation?

Thanks

Oktay



On Fri, 12 Oct 2001, Jeremy Allison wrote:

> Ok, I have a work-around for the problems with profiles in
> W2K SP2 and Samba 2.2.2 CVS. I'm checking it in now. It
> means a change to a parameter, but seems to fix the problem.
>
> Gerry - we'll need to change the profile docs to reflect this.
>
> To recap - the problem is that when W2K SP2 creates a local
> copy of a roving profile, it copies the security descriptors
> from the remote system. This is ok when the profile is stored
> on the Samba PDC (as the PDC SID is the same as the sid returned
> as the owner of the files). It fails when the profile is stored
> on a third Samba server, as the owner of the files is returned as a
> SID that is local to the profile Samba server.
>
> ie. PDC called JEREMY1 for domain JEREMYNET, profile server called JEREMY3
> user logging in is JEREMYNET\jeremy, the security set on the cached profile
> directory is :
>
> Administrator: Full access
> SYSTEM: Full access
> JEREMY3\jeremy: Full access
>
> As you can see, the PDC sid for jeremy (JEREMYNET\jeremy) has no access
> to the cached profile directory - leading to access denied on modification.
>
> If winbindd were running on the profile server then the file owner would be
> returned as JEREMYNET\jeremy rather than JEREMY3\jeremy, and everything
> would be fine. Unfortunately winbindd won't run against a Samba PDC
> (this is nasty, and will be my #2 priority - after the memory leaks - once
> 2.2.2 ships) so we can't use this solution. Also it requires winbindd
> running on the profile server, which you might not want.
>
> Enter my workaround :-).
>
> I modified the "nt acl support" parameter to be a per-share parameter,
> not a global parameter. Then I changed the semantics slightly so that
> it just returned "success" on ACL set, not changing the filesystem, and
> returned a null ACL consisting of "Owner:World, Group:World, no DACL"
> on get.
>
> With the PDC (JEREMY1) set to be :
>
>         logon home = \\jeremy3\%U
>         logon path = \\jeremy3\profiles\%U\profile
>
> and the profile server (JEREMY3) having a share :
>
> [profiles]
>         comment = user profiles
>         writable = yes
>         path = /export/home/profiles
>         nt acl support = no
>
> then everything now works as it did with W2K no service pack.
> The permissions on the profile created are acceptable (rw-r--r--
> for jeremy) and so I think this will work for the 2.2.2 release
> (which I really would like to be a good PDC for W2KSP2).
>
> I realise we need to fix this better using winbindd so I'll
> put lots more effort into this once we've got 2.2.2 out the door.
>
> If the people who were complaining about this could check out
> the SAMBA_2_2 release and try this workaround with their environments
> I'd be very grateful.
>
> Jeremy.
>
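
An added example, not part of either message and not Samba code: a small Python check that reads the PDC's `logon path`, works out which server and share it points at, and confirms that share sets `nt acl support = no` as the workaround above requires. The two sample configs are constructed from the names used in the message, and the function names are hypothetical.

```python
import re

# Constructed sample configs, using the host and share names from the message above.
PDC_CONF = r"""
[global]
        logon home = \\jeremy3\%U
        logon path = \\jeremy3\profiles\%U\profile
"""
PROFILE_SERVER_CONF = """
[profiles]
        comment = user profiles
        writable = yes
        path = /export/home/profiles
        nt acl support = no
"""

def parse_smb_conf(text):
    """Return {section: {param: value}}; names are lowercased with whitespace removed."""
    norm = lambda s: re.sub(r"\s+", "", s).lower()
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = norm(line[1:-1])
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)   # only the first '=' is significant
            conf[section][norm(key)] = value.strip()
    return conf

def profile_share(pdc_conf):
    """Split the PDC's 'logon path' UNC into (server, share), both lowercased."""
    unc = pdc_conf.get("global", {}).get("logonpath", "")
    m = re.match(r"\\\\([^\\]+)\\([^\\]+)", unc)
    return (m.group(1).lower(), m.group(2).lower()) if m else None

def check_workaround(pdc_text, server_text):
    """Return (server, share, ok); ok is True only if the share sets nt acl support = no."""
    target = profile_share(parse_smb_conf(pdc_text))
    if target is None:
        return (None, None, False)
    server, share = target
    params = parse_smb_conf(server_text).get(share, {})
    # An unset parameter is reported as not applied rather than assuming a default.
    ok = params.get("ntaclsupport", "").lower() in ("no", "false", "0")
    return (server, share, ok)
```

Calling `check_workaround(PDC_CONF, PROFILE_SERVER_CONF)` returns `("jeremy3", "profiles", True)` for the configuration shown in the message.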




