[Samba] GPO / Sysvol problems

Rowland Penny rpenny at samba.org
Wed Jan 23 17:57:53 UTC 2019 

On Wed, 23 Jan 2019 09:51:02 -0800
Gregory Sloop via samba <samba at lists.samba.org> wrote:

> 
> RPvs> On Wed, 23 Jan 2019 09:17:33 -0800
> RPvs> Gregory Sloop via samba <samba at lists.samba.org> wrote:
> 
> >> So, some updates. 
> >> I started that email a couple of hours ago - but suddenly, without
> >> changing a thing, the test client/station is suddenly now getting
> >> the correct GPO details.
> 
> >> Yet, I've not synced the sysvol or done anything to change or
> >> update the GPO on either DC.
> 
> RPvs> Sometimes strange things happen ;-)
> 
> So, lets ignore the super long latency for now.
> I have run into this several times and always thought I'd setup the
> file/directory permissions wrong - but that's not what is happening.
> 
> The roaming profiles themselves are stored on a freenas box.
> The FreeNAS box is running Samba 4.7.0
> 
> It's acting, I believe, as a domain member.
> It does user/group lookups from the DC's to determine what "users"
> get access to which files/folders. This, as far as I can tell, works
> as designed.
> 
> What's going south is when the user creates their own "home" and
> "profile" directories. The create mask appears to be wrong. [I've
> explicitly set it to 0666 on files and 0777 on directories] But, when
> the Windows system creates the directory on first login, the
> permissions are kinda wonky.
> 
> Here's what the test user's profile directory permissions look like.
> drwx------+ 2 AD\sales01     AD\domain admins 2 Jan 23 09:24
> sales01.V6
> 
> Domain Admins should get the same rights as the user, but they're not.
> This looks like a creation mask problem, but perhaps it's something
> else.
> 
> Suggestions on where to look to control the default rights on folder
> creation? As noted: I've tweaked folder and files default masks 0666
> for files and 0777 for folders and that doesn't seem to have helped.
> I've also changed the permissions of the "Domain Users" in the root
> folder that the above profile gets held in - and changed the rights
> from the "normal" read/traverse/create-folder to even "full control"
> without any change. I'm just not sure where to look now.
> 
> -Greg

Have you read this:

https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles

and possibly, this:

https://wiki.samba.org/index.php/Configuring_Windows_Profile_Folder_Redirections

Rowland

More information about the samba mailing list