I've finally found out how to use roaming profiles in domain level. Samba2.2 and 3.0 always checks owner's ACL for profile directories. But Samba returns correct owner ACL in a little bit different format with Windows. For example: Samba as profiles resource responses owner ACL for profile directory: Owner: S-1-5-21-2951980089-3660375505-290094901-1224 Revision: 1 Num Auth: 5 Authority: 5 Sub-authorities: 21-2951980089-3660375505-290094901 RID: 1224 Windows as profiles resource responses owner ACL for profile directory: Owner: S-1-5-21-2951980089 Revision: 1 Num Auth: 5 Authority: 5 Sub-authorities: 21-2951980089
Even profile's owner is a valid domain user with accessible permissions on all files/directories in profile directory, Windows clients would disallow to access to profiles, and terminate to send incoming requests for loading profiles. Since Windows 2K/XP clients have a registry value to control if to check owner ACL for profile directories. I used it to not check ownership. Go to Group policy/Local Computer Configuration/Administrative templates/System/Logon for Windows 2K/XP, and enable "Do not Check for User Ownership of Roaming Profiles Folders". The default value is "Not configured". This works to me. Thanks. -Ying -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba