phospholipid77

Q: Server 5.0.15, Windows 7, permissions problem

Thanks in advance for any help.

 

I have a problem we're trying to figure out with an Apple Server. We had a problem where when files/folders were created from the Windows machine, everybody else was locked out. That was with a Lion server. So, as of today...

 

...I have a BRAND NEW server installation on a brand new installation of Yosemite (10.10.5--I find Finder to be more stable).

 

Our current problem is kind of minor, but it bothers me and I don't want to risk future complications. If a directory is created from a Mac client, all is well. But if a directory is created from the Windows 7 client, the Server Admin is prohibited from entry.

 

Here's how that panned out.

 

1) I created a ShareUser on the server for just services.

2) I created a folder called FolderB on an external directory.

3) I added that folder via File Sharing in the server, and I added the ShareUser to the permissions.

4) I walked over to the Windows 7 machine and connected to FolderB with that ShareUser's credentials.

 

So far so good.

 

6) Inside of FolderB I created a new folder called FolderX and dropped a bunch of crap in there.

7) I walked over to a Mac client and connected to FolderB with the same ShareUser credentials.

8) The new FolderX popped up and I could get into it. Great!

 

But...

 

9) When trying to add things, I got Finder error -36. Adding and deleting things behaved very strangely.

 

And

 

10) When I went over to the server, FolderX had a prohibitory sign. But when I checked the permissions the Server Admin was listed as the owner. So, Server Admin was the owner, but was somehow locked out. What???

 

So then I read about turning on ACLs for SMB shares. This article seemed to specifically address my issue: OS X Server: When saving files on SMB shares, the permissions might be changed so that only the owner can read or write …

 

So, I did that. Then I repeated steps 2 through 8, and when I got to step 9, everything was great. I could add, delete, make new folders... everything appears to be lovely across the CLIENT machines. AWESOME!!

 

However, I still have one odd quirk.

 

When I am on the server and I navigate to shared FolderB, I can see in there, but FolderX will have a prohibitory sign if it is created from the Windows client. If FolderX is made from a Mac client, all is well.

 

Any thoughts?

Posted on Jan 3, 2016 4:49 PM
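
Added example, not part of the original post: the symptom described above (a folder created over SMB that one account cannot enter even though it is listed as owner) can be checked from the server side by auditing the share's POSIX mode bits and the auditing account's actual access. The `audit_share` function, the sample tree and the name FolderY are constructed for illustration; the script reads only POSIX modes, not ACL entries.

```python
import os
import stat
import tempfile


def audit_share(root):
    """List directories under root that are owner-only or unreachable."""
    findings = []
    # onerror swallows unreadable directories so the walk keeps going
    for dirpath, dirnames, _files in os.walk(root, onerror=lambda err: None):
        for name in sorted(dirnames):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISDIR(st.st_mode):
                continue  # skip symlinks that point at directories
            mode = stat.S_IMODE(st.st_mode)
            owner_only = (mode & 0o077) == 0  # no group/other bits at all
            # Access check for the account running the audit (real uid/gid)
            reachable = os.access(path, os.R_OK | os.X_OK)
            if owner_only or not reachable:
                findings.append({
                    "name": name,
                    "path": path,
                    "mode": format(mode, "03o"),
                    "uid": st.st_uid,
                    "owner_only": owner_only,
                    "reachable": reachable,
                })
    return findings


def build_sample_tree():
    """Constructed sample: FolderB holding one locked and one open folder."""
    root = tempfile.mkdtemp(prefix="share-audit-")
    share = os.path.join(root, "FolderB")
    os.mkdir(share)
    os.chmod(share, 0o755)
    for name, mode in (("FolderX", 0o700), ("FolderY", 0o775)):
        os.mkdir(os.path.join(share, name))
        os.chmod(os.path.join(share, name), mode)
    return root


if __name__ == "__main__":
    for f in audit_share(build_sample_tree()):
        print(f"{f['path']}  mode={f['mode']}  uid={f['uid']}  "
              f"owner_only={f['owner_only']}  reachable={f['reachable']}")
```

On the server, point `audit_share` at the shared folder's path while logged in as the account that sees the prohibitory sign; `ls -le` on OS X shows the ACL entries this script does not read.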

  • by phospholipid77, Jan 18, 2016 11:23 AM in response to phospholipid77

    Sooo...

     

    Things were going decently with this setup. Save the weird fact that the Server Admin sees a prohibitory sign on folders created with the common share user from the Windows terminal, everything was functional. However, something odd has been happening. If the folder is created on the Windows machine, and the share user on a Mac terminal empties the contents, the folder then throws up a prohibitory sign and only the person working at the Windows terminal can delete the folder. Very strange to me.

     

    I was talking to a colleague and he offered this advice:

    "I would check that the Windows client is a Standard user and does may have admin access on the server. Also, is the user a Local or OD user? Where you usually see a server admin losing access to a folder, it's when another local user creates or modifies a folder because they are modifying the POSIX permissions. OD users don't normally cause such issues since they only work in the ACE domain. I recommend going OD if you can. The only weird thing is recognizing that you have to authenticate in the Users pane to get the right access. Confusing for people used to WGM."

    What does anyone think of this advice? I was a little apprehensive to go ahead with it since this article suggests I could run into problems in a mixed environment. Specifically the article warns:

     

    "Another missing feature (one that has been missing since Snow Leopard) is the
    ability to bind Windows computers to an Open Directory server. For mixed
    networks of Windows and OS X computers, Apple now tells server admins
    to bind Macs to both an Active Directory server and an Open
    Directory server, a configuration it calls a "magic triangle"—the Active
    Directory server handles authentication and settings for the Windows
    computers and authentication for the Macs, while the Open Directory
    server controls settings for Macs. It's a pretty big feature to lose,
    though in practice most businesses aren't going to notice. Active
    Directory is more or less ubiquitous in the enterprise, so it's usually
    enough for OS X Server to be able to integrate with those existing
    directories rather than trying to supplant them."

     

    At this point, I'm a little bit lost. I haven't touched this kind of thing since 2010 on 10.6 and I have *completely* forgotten everything I knew. So, what is the best way to make this mixed environment work with a 5.0.15?

     

    Thanks so much.