brycesteiner

Q: Are ACL's working correctly with 10.11.3?

I upgraded a few weeks ago to 10.11.3 on my Server and I noticed that new folders created from client computers (shares) are now owned by the creator instead of the group. The user isn't even listed in the ACL; only the group is. Makes it so other users can't delete folders that need to be removed.

I'm using Server to change the permissions using ACL's and this worked great before, but after the upgrade it's just like using Finder to change permissions (POSIX) when I used to have all the problems.

Is there something I'm doing wrong? or something that needs cleared?

 

thanks for any help.

Mac mini, OS X El Capitan (10.11.2), 2011 Mac Mini Server

Posted on Feb 9, 2016 6:24 AM


  • by UptimeJeff,

    UptimeJeff, Level 4 (3,477 points)
    Feb 9, 2016 6:41 AM in response to brycesteiner

    "I noticed that new folders created from client computers (shares) are now owned by the creator instead of the group."

     

    A folder can never be owned by a group.

    The owner of any file/folder is always a 'user'.

     

    Are clients using AFP or SMB ?

    If SMB: Turn on ACLs for the SMB shared folders; execute these commands on the server:

        sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AclsEnabled -bool YES
        sudo serveradmin stop smb
        sudo serveradmin start smb

     

    If you still have the problem, please create a folder then check/post the permissions of the new folder and its parent.

       ls -lde /Path/Parent/NewFolder

       ls -lde /Path/Parent

     

    Jeff

  • by brycesteiner,

    brycesteiner, Level 1 (25 points), Mac OS X
    Feb 9, 2016 7:14 AM in response to UptimeJeff

    Thanks Jeff for the response. I've noticed now it's also doing this with files after the Windows computers save. We didn't have problems until the last update. Is this something I should report to bugreport?

    We are using both AFP and SMB. We are trying to make sure all clients use SMB since Apple is phasing it out. Sometimes the aliases switch back on their own.

    As for ownership, you are right. I was meaning "read & write" instead of ownership.

    When the computer saves the edited PDF it changes the read & write to none for the group instead of keeping what the ACL says. It also seems to happen from Windows 7 clients. It then won't allow files or folders to be modified in that subfolder by any other.

    Anyway, I've run the commands and I'll let you know what's going on.

     

    thanks,

    bryce

  • by UptimeJeff,

    UptimeJeff, Level 4 (3,477 points)
    Feb 9, 2016 8:12 AM in response to brycesteiner

    I know it used to work... that's how the computer biz goes:

    Everything that failed worked before it failed

    Apple should provide this setting as a default, but they don't.

    This setting addresses your exact issue and if it's not enabled then you certainly should enable it.

    Open Terminal and paste this command (it changes nothing)

    sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AclsEnabled -bool YES

     

    If the command does NOT return a '1' or true, then you need to change the setting

    sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AclsEnabled -bool YES

    sudo serveradmin stop smb

    sudo serveradmin start smb

     

    Try it... let me know if this works.

     

    Jeff

     

    Only if the setting above does not fix the issue, I need a little more info:

     

    Using an SMB client connection, create a new folder then a file inside that folder.

    I need to see the permissions of the folder and test file, here's the best way (in Terminal of course)

     

    Open Terminal and type:

    sudo ls -ale

    # put a space after the "-ale", but don't hit return yet.

     

    # now drag the test folder into the Terminal window and you should end up with

    sudo ls -ale /Path/toYour/Folder

     

    The output will look something like this

     

    $ sudo ls -ale /Path/ToFolder
    total 0
    drwxr-xr-x@  7 root        staff   238 Feb  8 09:11 .
    0: user:_spotlight inherited allow list,search,file_inherit,directory_inherit
    1: group:staff allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
    drwx------@ 68 uptimejeff  staff  2312 Feb  8 08:56 ..
    0: group:com.apple.sharepoint.group.5 allow search
    -rw-r--r--@  1 uptimejeff  staff     0 Feb  8 09:11 file-1.txt
    0: user:_spotlight inherited allow read,execute
    1: group:staff inherited allow read,write,execute,delete,append,readattr,writeattr,readextattr,writeextattr,readsecurity

     

     

    That's what I need to see to assist more.

     

    Jeff
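
The by-eye check of `ls -ale` output described in the reply above can be scripted. This is an added example, not part of the original thread: `audit_acl` and `sample_listing` are hypothetical names, the listing is constructed from the post's sample output plus one made-up file (`edited.pdf`) with no ACEs, and treating "write plus delete" as the pass criterion is an assumption of the example.

```shell
# Constructed listing: the sample output from the post plus one made-up
# file (edited.pdf) that carries no ACL entries at all.
sample_listing() {
    cat <<'EOF'
total 0
drwxr-xr-x@  7 root        staff   238 Feb  8 09:11 .
 0: user:_spotlight inherited allow list,search,file_inherit,directory_inherit
 1: group:staff allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
drwx------@ 68 uptimejeff  staff  2312 Feb  8 08:56 ..
 0: group:com.apple.sharepoint.group.5 allow search
-rw-r--r--@  1 uptimejeff  staff     0 Feb  8 09:11 file-1.txt
 0: user:_spotlight inherited allow read,execute
 1: group:staff inherited allow read,write,execute,delete,append,readattr,writeattr,readextattr,writeextattr,readsecurity
-rw-------   1 winuser     staff  1024 Feb  8 09:15 edited.pdf
EOF
}

# audit_acl GROUP: read `ls -ale` output on stdin and print "OK name" when an
# allow ACE for GROUP grants both write and delete, "MISSING name" otherwise.
# Real use (macOS): sudo ls -ale /Path/toYour/Folder | audit_acl staff
audit_acl() {
    awk -v want="group:$1" '
    function report(   s) {
        if (name == "" || name == "..") return
        s = granted ? "OK" : "MISSING"; print s, name
    }
    # Entry line: mode, links, owner, group, size, month, day, time, name...
    $1 ~ /^[-dl][-rwxsStT]+[@+]?$/ && NF >= 9 {
        report()
        name = $9
        for (i = 10; i <= NF; i++) name = name " " $i
        granted = 0
        next
    }
    # ACE line: "N: group:NAME [inherited] allow perm,perm,..."
    $1 ~ /^[0-9]+:$/ && $2 == want {
        for (i = 3; i < NF; i++) if ($i == "allow") break
        if (i >= NF) next                 # deny ACE or no permission list
        n = split($(i + 1), perm, ",")    # exact tokens: "write" != "writeattr"
        w = 0; d = 0
        for (j = 1; j <= n; j++) {
            if (perm[j] == "write" || perm[j] == "add_file") w = 1
            if (perm[j] == "delete" || perm[j] == "delete_child") d = 1
        }
        if (w && d) granted = 1
    }
    END { report() }'
}
sample_listing | audit_acl staff
```

Any entry reported as `MISSING` is one that other members of the group cannot modify or delete through the ACL, which is the symptom described in this thread.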

  • by UptimeJeff,

    UptimeJeff, Level 4 (3,477 points)
    Feb 9, 2016 8:22 AM in response to brycesteiner

    Correction to previous response:

     

    Check the SMB/ACL Setting with:

    sudo defaults read /Library/Preferences/SystemConfiguration/com.apple.smb.server AclsEnabled 

     

    If above does not return a 1, true or yes -  then set ACLsEnabled with:

    sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AclsEnabled -bool YES

    sudo serveradmin stop smb

    sudo serveradmin start smb

     

    Here is the Apple KB article on this topic:

    OS X Server: When saving files on SMB shares, the permissions might be changed so that only the owner can read or write …

  • by brycesteiner,

    brycesteiner, Level 1 (25 points), Mac OS X
    Feb 9, 2016 12:05 PM in response to UptimeJeff

    Here is the response from the first command

     

    Password:

    2016-02-09 15:01:10.702 defaults[9607:5271968]

    The domain/default pair of (/Library/Preferences/SystemConfiguration/com.apple.smb.server, AclsEnabled) does not exist

     

    Strangely enough it only seems to be Windows computers. The files they created can only be opened by that computer. The Macs are affected because they cannot open them but they don't seem to be making it so other computers cannot open the files.

  • by brycesteiner,

    brycesteiner, Level 1 (25 points), Mac OS X
    Feb 9, 2016 12:14 PM in response to brycesteiner

    I removed the space that I think I must have copied and now I'm returned with a "1"

     

    So that's good, but I'm still having the same issue. I can go into Server and propagate settings again, but I have to do that each time so others can access files.

  • by brycesteiner,

    brycesteiner, Level 1 (25 points), Mac OS X
    Feb 9, 2016 3:53 PM in response to brycesteiner

    I went back and uninstalled Server then deleted its preferences and /Library/Server folder and restarted. Then reinstalled and I still had the exact same issues. I'm not sure where it's all stored but the sharing and all of that was still intact after reinstalling.

     

    I enabled "ignore ownership" on the volume just to get me through the day. That works fine, but the group access is still not right but at least it lets everyone get their job done.

  • by Jeff at K2,

    Jeff at K2, Level 1 (14 points), Mac OS X
    Apr 25, 2016 7:51 AM in response to brycesteiner

    Hi,

    I know this is a few months old but I'm having a similar issue with 10.11.4.  I'm getting the same "does not exist" error when trying to read the setting.  But I'm also not sure I would need to do this.  The Server app reports that ACLs are working on my SMB shares.  And when users log in they see only the shares they are allowed to, based on the ACLs.  But when I make a new folder in one of the shares, it makes me the owner, not the owner of the enclosing folder.  But the ACLs of the newly made folder seem correct.

     

    Would applying the above "write" command risk breaking any currently working connections/ACLs?  I'll try it to see if it fixes my problem, but I don't want to boot anyone out.

     

    Thanks,

     

    Jeff

  • by brycesteiner,

    brycesteiner, Level 1 (25 points), Mac OS X
    Apr 25, 2016 9:44 AM in response to Jeff at K2

    Hi Jeff,

     

    I finally did get my problems solved. After doing a lot of research, testing and reinstalling I figured it out (for now). Here are my notes:

     

    REINSTALLING SERVER SHARES

    After reinstalling and setting up shares it was still having the same issues even with the new drives. The problem: Computers that save new files to Data (or any other share) take ownership and don’t allow other users or computers to edit files. Backups also fail.

    Several things that I did to make it work:

    1. Create folders to become shares WITHIN server >> "storage" section AFTER setting up permissions for ACL’s in the gear icon >> edit permissions. Make sure that the administrator is in the user group too.
    2. File sharing >> then add the new folder created in server/storage area. The user group that was added to the share ACL will now be added along with any admins. Everyone is disabled.
    3. Be sure that the guest account is disabled for security.

    This should be what it takes to make the server work without users taking over and locking files.