Re: [Samba] GPO / Sysvol problems
- Date: Wed, 23 Jan 2019 17:57:53 +0000
- From: Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
On Wed, 23 Jan 2019 09:51:02 -0800
Gregory Sloop via samba <samba@xxxxxxxxxxxxxxx> wrote:
> RPvs> On Wed, 23 Jan 2019 09:17:33 -0800
> RPvs> Gregory Sloop via samba <samba@xxxxxxxxxxxxxxx> wrote:
> >> So, some updates.
> >> I started that email a couple of hours ago - but suddenly, without
> >> changing a thing, the test client/station is suddenly now getting
> >> the correct GPO details.
> >> Yet, I've not synced the sysvol or done anything to change or
> >> update the GPO on either DC.
> RPvs> Sometimes strange things happen ;-)
> So, let's ignore the super long latency for now.
> I have run into this several times and always thought I'd set up the
> file/directory permissions wrong - but that's not what is happening.
> The roaming profiles themselves are stored on a FreeNAS box.
> The FreeNAS box is running Samba 4.7.0
> It's acting, I believe, as a domain member.
> It does user/group lookups from the DCs to determine what "users"
> get access to which files/folders. This, as far as I can tell, works
> as designed.
> What's going south is when the user creates their own "home" and
> "profile" directories. The create mask appears to be wrong. [I've
> explicitly set it to 0666 on files and 0777 on directories] But, when
> the Windows system creates the directory on first login, the
> permissions are kinda wonky.
> Here's what the test user's profile directory permissions look like.
> drwx------+ 2 AD\sales01 AD\domain admins 2 Jan 23 09:24
> Domain Admins should get the same rights as the user, but they're not.
> This looks like a creation mask problem, but perhaps it's something
> Suggestions on where to look to control the default rights on folder
> creation? As noted: I've tweaked folder and files default masks 0666
> for files and 0777 for folders and that doesn't seem to have helped.
> I've also changed the permissions of the "Domain Users" in the root
> folder that the above profile gets held in - and changed the rights
> from the "normal" read/traverse/create-folder to even "full control"
> without any change. I'm just not sure where to look now.
Have you read this:
and possibly, this: