So, I've seen several threads about this, but can't seem to find a way to resolve it. [None of the discussions I saw really discussed what fixed it, if anything.]
I most notice [find it annoying] in profiles.
FreeNAS is joined to a Samba 4 AD domain.
I'm using domain users/groups for ACL control/access.
At the root of the roaming profile directory, the general starting ACLs are as MS recommends. [Inheritance is off.]
Admin, domain admins, system have full control.
Domain users has the rights (in this folder only) to
---
Traverse folder
Read Att
Read Ext Att
Create Folder
Read permissions
[I also set Write att / Write ext att - because of some of my testing. Not sure if I'm granting excessive rights or not.]
---
Creator owner (in sub folder and files)
Has full control
---
Now the problem.
When the user logs in - the GPO has the user's system work to create a folder for their roaming profile [/mnt/some-freenas-path/%USERNAME%]
They have the rights to create a folder and that succeeds.
They then become the owner, and thus have full rights to the folder.
This all works great. The profile gets stored and appears to be held properly and read back to the machine the next time it logs in.
However, a user with Administrator/Domain Admin privs can't see the directory or any of the files created by the user while setting up the profile.
Logged in to the console at the CLI, a "ls -al /mnt/some-freenas-path/" shows it all there.
Is there a known good method for setting the ACLs so the admin equivalent accounts can see these directories/files?
[I'll be perfectly glad to document it all, and write up a how-to, if someone can help me work my way through this.]
-Greg
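The situation Greg describes (user-created profile folders whose only ACE is the owner's, so admin accounts cannot reach them) can be checked from the FreeNAS shell with getfacl(1)/setfacl(1). The script below is an added example, not code from the post or from FreeNAS: it parses getfacl output for a profile folder, reports folders that carry no inheritable "allow" ACE for the admin group, and prints the setfacl line that would add one. It assumes the FreeBSD NFSv4 ACL syntax, that winbind maps the admin group as "DOMAIN\domain admins" (the default "\" separator; the domain name is a placeholder), and reuses the /mnt/some-freenas-path root from the post. The two getfacl dumps are constructed samples so the check runs offline.

```shell
#!/bin/sh
# Added example (not code from the forum post or from FreeNAS): audit the
# roaming-profile root for user-created directories whose NFSv4 ACL carries no
# inheritable "allow" ACE for the admin group, and print the setfacl(1) line
# that would add one.  Assumptions (hypothetical): winbind maps the group as
# "DOMAIN\domain admins"; the profile root is the /mnt/some-freenas-path from
# the post; FreeBSD getfacl/setfacl syntax.

PROFILE_ROOT='/mnt/some-freenas-path'
ADMIN_GROUP='DOMAIN\domain admins'    # constructed placeholder, not a real domain

# Constructed getfacl(1) output for a user-created profile folder: only the
# owner (the user) has any rights, which is the situation described in the post.
SAMPLE_MISSING='# file: /mnt/some-freenas-path/alice
# owner: alice
# group: domain users
            owner@:rwxpDdaARWcCos:fd-----:allow
            group@:------a-R-c---:-------:allow
         everyone@:------a-R-c---:-------:allow'

# The same folder after an inheritable full-control ACE for the admin group
# was added (constructed).
SAMPLE_OK='# file: /mnt/some-freenas-path/alice
# owner: alice
# group: domain users
group:DOMAIN\domain admins:rwxpDdaARWcCos:fd-----:allow
            owner@:rwxpDdaARWcCos:fd-----:allow
            group@:------a-R-c---:-------:allow
         everyone@:------a-R-c---:-------:allow'

# has_admin_ace GROUP ACL_TEXT
# Succeeds when ACL_TEXT (getfacl output) contains an "allow" ACE for GROUP
# that grants read_data and inherits to both files (f) and directories (d).
# The group name travels through the environment rather than awk -v, because
# awk -v interprets backslash escapes and would mangle "DOMAIN\domain admins".
has_admin_ace() {
    printf '%s\n' "$2" | GRP="$1" awk -F: '
        BEGIN { found = 0 }
        {
            sub(/^[[:space:]]+/, "", $1)    # getfacl right-aligns the tag column
            # named-group ACE layout: group:NAME:PERMS:FLAGS:allow
            if ($1 == "group" && $2 == ENVIRON["GRP"] && $5 == "allow" &&
                $3 ~ /^r/ && $4 ~ /f/ && $4 ~ /d/)
                found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# admin_ace_entry GROUP
# The setfacl(1) NFSv4 entry that grants GROUP full control and inherits it to
# everything created below (full_set is the setfacl alias for all permission bits).
admin_ace_entry() {
    printf 'g:%s:full_set:fd:allow\n' "$1"
}

# audit_profiles ROOT GROUP
# For every profile directory under ROOT, report those the admin group cannot
# reach and print the command that would fix each.  Changes nothing itself.
# Returns 1 if any directory needs attention, 0 otherwise.
audit_profiles() {
    root=$1; grp=$2; missing=0
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        acl=$(getfacl "$dir")
        if ! has_admin_ace "$grp" "$acl"; then
            missing=$((missing + 1))
            printf 'no admin ACE: %s\n' "$dir"
            printf "  fix: setfacl -m '%s' '%s'\n" "$(admin_ace_entry "$grp")" "$dir"
        fi
    done
    [ "$missing" -eq 0 ]
}

# Self-check on the constructed samples, then the real audit if the profile
# root exists on this host.
has_admin_ace "$ADMIN_GROUP" "$SAMPLE_OK" && echo 'sample with admin ACE: ok'
has_admin_ace "$ADMIN_GROUP" "$SAMPLE_MISSING" || echo 'sample without admin ACE: flagged'
if [ -d "$PROFILE_ROOT" ]; then
    audit_profiles "$PROFILE_ROOT" "$ADMIN_GROUP"
fi
```

Run it as root on the FreeNAS box; it only prints. The printed setfacl line adds the admin-group ACE to an existing profile folder, and the same entry placed on the profile root with the fd flags is inherited by folders users create afterwards, which matches the "this folder, subfolders and files" inheritance the MS guidance sets for Administrators. The check deliberately requires read_data plus both inherit flags, since an ACE that stops at the top-level folder leaves the files inside it just as invisible.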