From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 7 Aug 2017 15:31:13 +0000 (+0200)
Subject: docs-xml: remove deprecated 'profile acls' option
X-Git-Tag: talloc-2.1.11~212
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=19ba1b7503b9d554b63f613b3c78bdc3b21e189f;p=thirdparty%2Fsamba.git

docs-xml: remove deprecated 'profile acls' option

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---

diff --git a/docs-xml/smbdotconf/protocol/profileacls.xml b/docs-xml/smbdotconf/protocol/profileacls.xml
deleted file mode 100644
index a660c528a69..00000000000
--- a/docs-xml/smbdotconf/protocol/profileacls.xml
+++ /dev/null
@@ -1,62 +0,0 @@
-<samba:parameter name="profile acls"
-                 context="S"
-                 type="boolean"
-                 deprecated="1"
-                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
-<description>
-	<para>
-	As most system support support posix acls and extended attributes
-	today. The "acl_xattr" vfs module should be used instead of
-	using <smbconfoption name="profile acls">yes</smbconfoption>.
-	Using an vfs module that provides nfs4 acls may also work.
-	</para>
-
-	<para>
-	With modern clients (as of 2017) it's not possible to
-	use <smbconfoption name="profile acls">yes</smbconfoption> anymore.
-	</para>
-
-	<para>
-	This boolean parameter was added to fix the problems that people have been
-	having with storing user profiles on Samba shares from Windows 2000 or
-	Windows XP clients. New versions of Windows 2000 or Windows XP service
-	packs do security ACL checking on the owner and ability to write of the
-	profile directory stored on a local workstation when copied from a Samba
-	share.
-	</para>
-
-	<para>
-	When not in domain mode with winbindd then the security info copied
-	onto the local workstation has no meaning to the logged in user (SID) on
-	that workstation so the profile storing fails. Adding this parameter
-	onto a share used for profile storage changes two things about the
-	returned Windows ACL. Firstly it changes the owner and group owner
-	of all reported files and directories to be BUILTIN\\Administrators,
-	BUILTIN\\Users respectively (SIDs S-1-5-32-544, S-1-5-32-545). Secondly
-	it adds an ACE entry of "Full Control" to the SID BUILTIN\\Users to
-	every returned ACL. This will allow any Windows 2000 or XP workstation
-	user to access the profile.
-	</para>
-
-	<para>
-	Note that if you have multiple users logging
-	on to a workstation then in order to prevent them from being able to access
-	each others profiles you must remove the "Bypass traverse checking" advanced
-	user right. This will prevent access to other users profile directories as
-	the top level profile directory (named after the user) is created by the
-	workstation profile code and has an ACL restricting entry to the directory
-	tree to the owning user.
-	</para>
-
-	<para>
-	Note that this parameter should be set to yes on dedicated profile shares only.
-	On other shares, it might cause incorrect file ownerships.
-	</para>
-
-	<para>
-	This parameter is deprecated with Samba 4.7 and will be removed in future versions.
-	</para>
-</description>
-
-<value type="default">no</value>
-</samba:parameter>
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 5853c8f70c0..a2fcc4246c9 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -229,7 +229,6 @@ static const struct loadparm_service _sDefault =
 	.nt_acl_support = true,
 	.force_unknown_acl_user = false,
 	._use_sendfile = false,
-	.profile_acls = false,
 	.map_acl_inherit = false,
 	.afs_share = false,
 	.ea_support = false,