G.Willi

Q: Lion Server 10.7.3 file sharing permissions

I'm having really strange issues with Lion Server. Since upgrading to 10.7.3 I no longer have permissions to modify files on Share Points that I was once able to in 10.7.2. When I go to modify certain files or folders I get "The operation can’t be completed because you don’t have permission to modify some items."

Mac mini, Mac OS X (10.7.3)

Posted on Feb 9, 2012 2:48 AM

  • by Marco V,

    Marco V Feb 12, 2012 2:21 PM in response to G.Willi
    Level 1 (0 points)

    How do you manage the permissions?

    Are you assigning permissions to groups of which you are a member, or do you assign permissions at the user level?

    If you are assigning them at group level, try to see what happens when you add a user with the proper permissions, to see if the server is misinterpreting the group ACL.

  • by Brian Landy,

    Brian Landy Feb 17, 2012 5:50 AM in response to Marco V
    Level 1 (24 points)
    Servers Enterprise

    I see this as well. I spent a ton of time recreating groups and ACLs last weekend after they suddenly stopped working; it worked for 4 days and then failed at midnight last night. What I see is that an OD group used in an ACL is suddenly ignored. This even applies if I log in a user directly to the server.

    So, for example, let's say I make a directory "testdir" owned by root and with rx permissions for the group testgroup. I add an ACL, the only ACL, to the directory granting that group full permissions. The ACL is ignored—the user cannot create a file in the directory. If I grant write permissions via the POSIX bit to the group, write permissions return. If I create a new OD group and add an ACL using it, or add an ACL using a local group like staff, it works. Again, all of this is being tested locally on the server (of course it fails over shares, too).

  • by gmbinom,

    gmbinom Mar 5, 2012 5:24 AM in response to G.Willi
    Level 1 (0 points)

    I have an equal issue.

    It seems like the server does the ACL inheritance right, but the "File Sharing" service doesn't like them and ignores them.

    Anyone have a guess?

  • by 7winkie,

    7winkie Apr 3, 2012 1:13 AM in response to G.Willi
    Level 1 (0 points)

    same problem here, anybody found a solution?

  • by Brian Landy,

    Brian Landy Apr 3, 2012 4:39 AM in response to 7winkie
    Level 1 (24 points)
    Servers Enterprise

    My workaround is to create local (not OD) groups on the server via Workgroup Manager, and only use the local group in ACEs. Then put the OD group into the local group, and users into the OD group.  This has been working fine for me for over a month now.

  • by 7winkie,

    7winkie Apr 3, 2012 4:47 AM in response to Brian Landy
    Level 1 (0 points)

    ok, that works, thx. a pity nobody found the reason for this behaviour. od users work, only group ACEs are ignored. when creating a new od group and adding a user, the ace is honoured until reboot. kind of odd...

  • by Brian Landy,

    Brian Landy Apr 3, 2012 4:48 AM in response to 7winkie
    Level 1 (24 points)
    Servers Enterprise

    I have a bug report open with Apple on it and they actually followed up a couple of days ago.  So hopefully it gets fixed.

  • by gmbinom,

    gmbinom Apr 3, 2012 5:06 AM in response to Brian Landy
    Level 1 (0 points)

    I fixed my problem.

    I'm using a Promise RAID as an external RAID via Thunderbolt.

    I had all my volumes at the root layer of the drive.

    !!! This did not work !!!!!

    for example:

    /Volumes/promiseraid/share1
    /Volumes/promiseraid/share2
    /Volumes/promiseraid/share3

    !!! This works !!!!!

    /Volumes/promiseraid/data/share1
    /Volumes/promiseraid/data/share2
    /Volumes/promiseraid/data/share3

    Don't ask me why, but with one folder layer in between it worked pretty well!

  • by 7winkie,

    7winkie Apr 20, 2012 1:06 AM in response to Brian Landy
    Level 1 (0 points)

    any news?

  • by Dave Razorsek,

    Dave Razorsek Apr 22, 2012 6:38 AM in response to Brian Landy
    Level 1 (22 points)
    Apple Watch

    Brian, your solution worked for me. From all the rumors, 10.7.4 is due to release soon.

    As I think more about it, this issue might be related to another one I am having with groups. When I select a user in the new Server app I can see the individual groups which each member belongs to. However, when I look at each group, no member is listed underneath it. Brian, if you have some time, can you look to see if you are having the same behavior?

  • by Brian Landy,

    Brian Landy Apr 22, 2012 7:24 PM in response to Dave Razorsek
    Level 1 (24 points)
    Servers Enterprise

    Hi Dave, I'm glad it worked for you too.  However I just checked Server.app and the impacted groups do correctly list their members.

  • by Dave Razorsek,

    Dave Razorsek Apr 24, 2012 11:14 AM in response to Brian Landy
    Level 1 (22 points)
    Apple Watch

    Thanks for checking, Brian. I was hoping there was some pattern or relation to the two problems.


    --Dave

  • by jochen80,

    jochen80 May 10, 2012 4:29 PM in response to Brian Landy
    Level 1 (0 points)

    hi!

    thanks brian for the workaround!

    i had the same problem with 10.7.3 and i hoped 10.7.4 would get this to work. but i updated today and nothing changed. it ignores one od-group; all others work fine. strange.

    jochen

  • by Sam Venning,

    Sam Venning May 14, 2012 9:32 PM in response to gmbinom
    Level 1 (5 points)

    Background

    Access Control Lists (ACLs) are applied to folders and files to define user (and group) access privileges.

    I have set up two Mac mini Servers at our company – one in our Melbourne office and one in our Sydney office. Each file server is made up of the following hardware:

    1x Mac mini Server (with Lion Server).

    2x Promise Pegasus 12TB (6x2TB) R6 RAID System (Thunderbolt) in RAID5 configuration. The two Pegasus units are mirrored (RAID1) using SoftRAID.

    Users and Groups are replicated between the two servers via Open Directory.

    The PeachPit book "OS X Lion Server Essentials" is the best book I've found that explains OS X Server services and configuration. It has a good explanation of POSIX and ACLs.

     

    The Problem

    It seems there is a bug in Lion Server that causes ACLs to be ignored. A couple of times I've managed to fix the problem using these steps:

       1. Remove the share-point.

       2. Set up the share-point. /Volumes/promiseraid/work

       3. Apply an ACL to a folder.

       5. Propagate the ACL to sub-folders.

    When ACLs are not applied to a folder, the older POSIX permissions define access privileges. With the POSIX mechanism, the user, group and other access privileges applied to new files and folders are defined in the 'umask' value. The default 'umask' value sets file/folder group to read-only access. The upshot is that when the POSIX mechanism is used and a member of staff creates a file or folder, it is read-only to colleagues. System Administrators shouldn't need to change the 'umask' value – too technical. Apple documentation encourages System Administrators to use ACLs to define access privileges – use ACLs to overcome the limitations of POSIX.

     

    The workarounds I've been considering

    1. Stick with Lion Server, apply POSIX read & write (group and others) permissions to all folders at regular intervals (daily) and wait for Apple to fix the problem.
    2. Abandon Lion Server (10.7) and revert to Snow Leopard Server (10.6).
    3. Abandon Lion Server (10.7) and setup a Microsoft Windows Server solution.

     

    A solution?

    Scanning the several threads here, I think I discovered a "fix". Mac OS Lion doesn't seem to honour ACLs if

    1. a volume is being shared (AFP and/or SMB), or
    2. a folder at the root level of the volume is being shared (AFP and/or SMB).

    However, if the folder being shared is at least one folder deep, ACLs seem to be honoured!

     

        !!! This did not work – ACLs are not honoured !!!!!

        /Volumes/promiseraid

        /Volumes/promiseraid

        /Volumes/promiseraid

     

        !!! This did not work – ACLs are not honoured !!!!!

        /Volumes/promiseraid/share1

        /Volumes/promiseraid/share2

        /Volumes/promiseraid/share3

     

        !!! This works – ACLs are honoured !!!!!

        /Volumes/promiseraid/shareditems/share1

        /Volumes/promiseraid/shareditems/share2

        /Volumes/promiseraid/shareditems/share3

     

    Acknowledgement

    I should acknowledge gmbinom for his time troubleshooting this and reporting his findings to this thread.

     

    A response from Apple

    It would be good if Apple could address this limitation with either:

    1. A note from Apple acknowledging this limitation ("undocumented feature") with advice to not share a volume or a folder at the root level of a volume. Instead, share a folder at least one level deep; or
    2. Fix Lion Server so that any volume or folder can be shared and ACLs will be honoured.
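
The layout rule reported in the post above, as an added example that is not part of the original thread: a POSIX shell audit that flags share-point paths which are a whole volume or a folder at the volume's root level. The function names and sample list are constructed here; applying the same rule to paths on the boot volume is an assumption, since the thread only reports external volumes.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: non-boot volumes mount at
# /Volumes/<name>; other absolute paths are on the boot volume (same rule).

# Print depth below the volume root: 0 = volume, 1 = root-level folder, 2+ = nested.
share_depth() {
    # Collapse repeated slashes and drop a trailing one (but keep a bare "/").
    p=$(printf '%s\n' "$1" | sed 's|//*|/|g; s|\(.\)/$|\1|')
    case $p in
        /Volumes/*) rel=${p#/Volumes/}      # <name>[/sub/dirs]
                    case $rel in */*) rel=${rel#*/} ;; *) rel= ;; esac ;;
        /*)         rel=${p#/} ;;
        *)          return 2 ;;             # relative path: cannot classify
    esac
    n=0
    while [ -n "$rel" ]; do                 # count remaining path components
        n=$((n + 1))
        case $rel in */*) rel=${rel#*/} ;; *) rel= ;; esac
    done
    echo "$n"
}

# Map a path to the behaviour reported in the thread for 10.7.3 and 10.7.4.
classify_share() {
    d=$(share_depth "$1") || { echo "INVALID"; return 0; }
    case $d in
        0) echo "FLAG volume-shared" ;;
        1) echo "FLAG root-level-folder" ;;
        *) echo "OK nested" ;;
    esac
}

# Read one share path per line on stdin; return 1 if any is not "OK".
audit_shares() {
    rc=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        verdict=$(classify_share "$path")
        printf '%-22s %s\n' "$verdict" "$path"
        case $verdict in OK*) ;; *) rc=1 ;; esac
    done
    return "$rc"
}

# Constructed sample input: the layouts quoted in the thread.
SAMPLE_SHARES='/Volumes/promiseraid
/Volumes/promiseraid/share1
/Volumes/promiseraid/shareditems/share1'
printf '%s\n' "$SAMPLE_SHARES" | audit_shares || echo "review flagged share points"
```

On a server, pipe the real share-point paths into `audit_shares`, one per line; a non-zero exit status means at least one share sits at a depth the thread reports as not honouring ACLs.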