[Samba] GPO / Sysvol problems

[Gregory Sloop]

RPvs> On Wed, 23 Jan 2019 09:17:33 -0800
RPvs> Gregory Sloop via samba <samba at lists.samba.org> wrote:

>> So, some updates. 
>> I started that email a couple of hours ago - but suddenly, without
>> changing a thing, the test client/station is suddenly now getting the
>> correct GPO details.

>> Yet, I've not synced the sysvol or done anything to change or update
>> the GPO on either DC.

RPvs> Sometimes strange things happen ;-)

So, lets ignore the super long latency for now.
I have run into this several times and always thought I'd setup the file/directory permissions wrong - but that's not what is happening.

The roaming profiles themselves are stored on a freenas box.
The FreeNAS box is running Samba 4.7.0

It's acting, I believe, as a domain member.
It does user/group lookups from the DC's to determine what "users" get access to which files/folders.
This, as far as I can tell, works as designed.

What's going south is when the user creates their own "home" and "profile" directories.
The create mask appears to be wrong. [I've explicitly set it to 0666 on files and 0777 on directories] 
But, when the Windows system creates the directory on first login, the permissions are kinda wonky.

Here's what the test user's profile directory permissions look like.
drwx------+ 2 AD\sales01     AD\domain admins 2 Jan 23 09:24 sales01.V6

Domain Admins should get the same rights as the user, but they're not.
This looks like a creation mask problem, but perhaps it's something else.

Suggestions on where to look to control the default rights on folder creation?
As noted: I've tweaked folder and files default masks 0666 for files and 0777 for folders and that doesn't seem to have helped.
I've also changed the permissions of the "Domain Users" in the root folder that the above profile gets held in - and changed the rights from the "normal" read/traverse/create-folder to even "full control" without any change.
I'm just not sure where to look now.

-Greg