diff options
author | Stefan Metzmacher <metze@samba.org> | 2017-08-07 17:31:13 +0200 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2017-12-13 20:34:24 +0100 |
commit | 19ba1b7503b9d554b63f613b3c78bdc3b21e189f (patch) | |
tree | 5b90084b4c2782e9f8ed16e5b9f0c1859ac54ea8 /docs-xml | |
parent | 5dd307928a1e20b3fb7fcf550546de70a9149e4c (diff) | |
download | samba-19ba1b7503b9d554b63f613b3c78bdc3b21e189f.tar.gz |
docs-xml: remove deprecated 'profile acls' option
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Diffstat (limited to 'docs-xml')
-rw-r--r-- | docs-xml/smbdotconf/protocol/profileacls.xml | 62 |
1 files changed, 0 insertions, 62 deletions
diff --git a/docs-xml/smbdotconf/protocol/profileacls.xml b/docs-xml/smbdotconf/protocol/profileacls.xml deleted file mode 100644 index a660c528a69..00000000000 --- a/docs-xml/smbdotconf/protocol/profileacls.xml +++ /dev/null @@ -1,62 +0,0 @@ -<samba:parameter name="profile acls" - context="S" - type="boolean" - deprecated="1" - xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> -<description> - <para> - As most system support support posix acls and extended attributes - today. The "acl_xattr" vfs module should be used instead of - using <smbconfoption name="profile acls">yes</smbconfoption>. - Using an vfs module that provides nfs4 acls may also work. - </para> - - <para> - With modern clients (as of 2017) it's not possible to - use <smbconfoption name="profile acls">yes</smbconfoption> anymore. - </para> - - <para> - This boolean parameter was added to fix the problems that people have been - having with storing user profiles on Samba shares from Windows 2000 or - Windows XP clients. New versions of Windows 2000 or Windows XP service - packs do security ACL checking on the owner and ability to write of the - profile directory stored on a local workstation when copied from a Samba - share. - </para> - - <para> - When not in domain mode with winbindd then the security info copied - onto the local workstation has no meaning to the logged in user (SID) on - that workstation so the profile storing fails. Adding this parameter - onto a share used for profile storage changes two things about the - returned Windows ACL. Firstly it changes the owner and group owner - of all reported files and directories to be BUILTIN\\Administrators, - BUILTIN\\Users respectively (SIDs S-1-5-32-544, S-1-5-32-545). Secondly - it adds an ACE entry of "Full Control" to the SID BUILTIN\\Users to - every returned ACL. This will allow any Windows 2000 or XP workstation - user to access the profile. - </para> - - <para> - Note that if you have multiple users logging - on to a workstation then in order to prevent them from being able to access - each others profiles you must remove the "Bypass traverse checking" advanced - user right. This will prevent access to other users profile directories as - the top level profile directory (named after the user) is created by the - workstation profile code and has an ACL restricting entry to the directory - tree to the owning user. - </para> - - <para> - Note that this parameter should be set to yes on dedicated profile shares only. - On other shares, it might cause incorrect file ownerships. - </para> - - <para> - This parameter is deprecated with Samba 4.7 and will be removed in future versions. - </para> -</description> - -<value type="default">no</value> -</samba:parameter> |