I've finally found out how to use roaming profiles at the domain level.
Samba 2.2 and 3.0 always check the owner's ACL for profile directories. But
Samba returns the correct owner ACL in a slightly different format from
Windows. For example:

Samba, as the profiles resource, responds with this owner ACL for the profile directory:
Owner: S-1-5-21-2951980089-3660375505-290094901-1224
Revision: 1
Num Auth: 5
Authority: 5
Sub-authorities: 21-2951980089-3660375505-290094901
RID: 1224

Windows, as the profiles resource, responds with this owner ACL for the profile directory:
Owner: S-1-5-21-2951980089
Revision: 1
Num Auth: 5
Authority: 5
Sub-authorities: 21-2951980089

Even if the profile's owner is a valid domain user with access permissions
on all files/directories in the profile directory, Windows clients would
disallow access to the profiles, and stop sending incoming requests
for loading profiles.

Windows 2K/XP clients have a registry value that controls whether to check
the owner ACL for profile directories. I used it to not check ownership. Go
to Group Policy/Local Computer Configuration/Administrative
Templates/System/Logon for Windows 2K/XP, and enable "Do not Check for
User Ownership of Roaming Profiles Folders". The default value is "Not
configured". This works for me.

Thanks.
-Ying
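
Added example, not part of the original message: a small parser for the SID strings in the dumps above, showing how the string form maps to the binary fields (revision, sub-authority count, authority, sub-authorities, RID) and how two owner SIDs can be compared. The function names are hypothetical; the only sample values are the two SID strings quoted in the message.

```python
import struct

def parse_sid(sid: str) -> dict:
    """Split a string SID (S-R-A-S1-...-Sn) into its numeric fields."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15 or any(s > 0xFFFFFFFF for s in subs):
        raise ValueError("sub-authority count or value out of range")
    return {"revision": int(parts[1]), "authority": int(parts[2]),
            "sub_authorities": subs}

def pack_sid(sid: str) -> bytes:
    """Binary SID: revision(1) count(1) authority(6, big-endian),
    then each sub-authority as a 4-byte little-endian integer."""
    f = parse_sid(sid)
    head = struct.pack("BB", f["revision"], len(f["sub_authorities"]))
    auth = f["authority"].to_bytes(6, "big")
    return head + auth + b"".join(struct.pack("<I", s)
                                  for s in f["sub_authorities"])

def unpack_sid(raw: bytes) -> str:
    """Inverse of pack_sid; rejects buffers whose length disagrees with the count."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("truncated or oversized binary SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{raw[1]}I", raw[8:])
    return "-".join(["S", str(raw[0]), str(authority), *map(str, subs)])

def split_domain_rid(sid: str):
    """For an account SID the last sub-authority is the RID;
    everything before it is the domain SID."""
    parse_sid(sid)  # validate first
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)

def owner_matches(owner_sid: str, user_sid: str) -> bool:
    """Compare two SIDs by their binary encoding, not by string prefix."""
    return pack_sid(owner_sid) == pack_sid(user_sid)

if __name__ == "__main__":
    samba_owner = "S-1-5-21-2951980089-3660375505-290094901-1224"  # from the message
    print(parse_sid(samba_owner))
    print(split_domain_rid(samba_owner))
    print(owner_matches(samba_owner, "S-1-5-21-2951980089"))
```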