So, some updates.
I started that email a couple of hours ago - but suddenly, without changing a thing, the test client/station is suddenly now getting the correct GPO details.

Yet, I've not synced the sysvol or done anything to change or update the GPO on either DC.

See inline...

RPvs> On Wed, 23 Jan 2019 08:40:55 -0800
RPvs> Gregory Sloop via samba <samba at lists.samba.org> wrote:

>> So, I'm seeing some very odd behavior.
>> I may have multiple issues - so I'm simply starting holding the
>> thread of the problem and working my way back.

>> So, the root symptom I'm having is that a GPO isn't applying
>> correctly. [Roaming profiles namely.] I have two DC's. I change the
>> GPO on one DC and rsync the update to the other DC. I can see that
>> the files get updated.

RPvs> How are you setting the GPO ? by computer or user ?
RPvs> Are you modifying either of the two default policies, or creating a new
RPvs> policy ?

I've got some policies that are computer based and some user based. [Roaming profiles is a computer policy.] I'm creating new policies/GPO's.

>> Yet when I login to the domain from a test Windows workstation, it's
>> not seeing the updated GPO data. [I'm changing the directory where
>> the roaming profiles are to be stored.]

RPvs> Where are the roaming policies stored /

The GPO is stored on the Samba DC's. [Your terminology is super vague, IMO. I'm not sure if you're asking where the GPO (the actual "policy") is, or if you're asking where the roaming profile for the computer/user is stored. I'm not at all sure what a "roaming policy" is supposed to be.

---
I'll follow this up with a new message - because while this latency in GPO/policy application/availability is a problem, I've now run into a problem that's been cropping up and I'm lost as to how to deal with it.

RPvs> Rowland

--
Gregory Sloop, Principal: Sloop Network & Computer Consulting
Voice: 503.251.0452 x82
EMail: gregs at sloop.net
http://www.sloop.net
---
On Wed, 23 Jan 2019 09:17:33 -0800
Gregory Sloop via samba <samba at lists.samba.org> wrote:

> So, some updates.
> I started that email a couple of hours ago - but suddenly, without
> changing a thing, the test client/station is suddenly now getting the
> correct GPO details.
>
> Yet, I've not synced the sysvol or done anything to change or update
> the GPO on either DC.

Sometimes strange things happen ;-)

>
> See inline...
>
> RPvs> On Wed, 23 Jan 2019 08:40:55 -0800
> RPvs> Gregory Sloop via samba <samba at lists.samba.org> wrote:
>
> >> So, I'm seeing some very odd behavior.
> >> I may have multiple issues - so I'm simply starting holding the
> >> thread of the problem and working my way back.
>
> >> So, the root symptom I'm having is that a GPO isn't applying
> >> correctly. [Roaming profiles namely.] I have two DC's. I change the
> >> GPO on one DC and rsync the update to the other DC. I can see that
> >> the files get updated.
>
> RPvs> How are you setting the GPO ? by computer or user ?
> RPvs> Are you modifying either of the two default policies, or
> RPvs> creating a new policy ?
>
> I've got some policies that are computer based and some user based.
> [Roaming profiles is a computer policy.] I'm creating new
> policies/GPO's.

Good, sometimes people start by modifying the default policies, this
isn't allowed.

>
>
> >> Yet when I login to the domain from a test Windows workstation,
> >> it's not seeing the updated GPO data. [I'm changing the directory
> >> where the roaming profiles are to be stored.]
>
>
> RPvs> Where are the roaming policies stored /
>
> The GPO is stored on the Samba DC's. [Your terminology is super
> vague,

That's because my fingers got away from my brain ;-)
It should have been 'profiles' not 'policies'

> IMO. I'm not sure if you're asking where the GPO (the actual
> "policy") is, or if you're asking where the roaming profile for the
> computer/user is stored. I'm not at all sure what a "roaming policy"
> is supposed to be.

No, I don't either LOL

Rowland

RPvs> On Wed, 23 Jan 2019 09:17:33 -0800
RPvs> Gregory Sloop via samba <samba at lists.samba.org> wrote:

>> So, some updates.
>> I started that email a couple of hours ago - but suddenly, without
>> changing a thing, the test client/station is suddenly now getting the
>> correct GPO details.

>> Yet, I've not synced the sysvol or done anything to change or update
>> the GPO on either DC.

RPvs> Sometimes strange things happen ;-)

So, let's ignore the super long latency for now.

I have run into this several times and always thought I'd set up the file/directory permissions wrong - but that's not what is happening.

The roaming profiles themselves are stored on a FreeNAS box.
The FreeNAS box is running Samba 4.7.0.
It's acting, I believe, as a domain member. It does user/group lookups from the DC's to determine what "users" get access to which files/folders. This, as far as I can tell, works as designed.

What's going south is when the user creates their own "home" and "profile" directories.
The create mask appears to be wrong. [I've explicitly set it to 0666 on files and 0777 on directories]
But, when the Windows system creates the directory on first login, the permissions are kinda wonky.

Here's what the test user's profile directory permissions look like.

drwx------+ 2 AD\sales01 AD\domain admins 2 Jan 23 09:24 sales01.V6

Domain Admins should get the same rights as the user, but they're not.
This looks like a creation mask problem, but perhaps it's something else.

Suggestions on where to look to control the default rights on folder creation?

As noted: I've tweaked folder and files default masks 0666 for files and 0777 for folders and that doesn't seem to have helped.
I've also changed the permissions of the "Domain Users" in the root folder that the above profile gets held in - and changed the rights from the "normal" read/traverse/create-folder to even "full control" without any change.

I'm just not sure where to look now.

-Greg