Q: Admin no longer has access to all volumes on the Mac
-
Jan 31, 2016 1:33 PMby Leopardus,Servers by nature require much higher security than client stations. Just think about it, if compromised, the data of a complete community or group could be compromised and exploited to their detriment. In OS X Server, your highest authority is with the original administrator, but actually it is also not! ..... Since the introduction of SID as a further protection layer, and even before, we have seen that the admin user is only allowed to make changes within a specific framework. Best is to read a bit and more about the subject. There are lots available : The blogs of Jesus Vigo with TechRepublic, Rich Trouton from DerFlounder and of course it will help to read the books from Reid Bondonis and use them as a practical tool whilst setting up and learning. Also worth watching are the videos from Todd Olthoff on Server.
In short, when more access is required, consider it carefully, plan for what, when, where and the duration. And Backups, plenty thereof. You might make more than one mistake, with the subsequent restores. Also have a look at this discussion:
Leo
-
Feb 5, 2016 1:51 PMby FamilyJens,I read something about SIP and your posted link. Thank you for it.
I understand the reason to make a system more safer also for the admin user.
But my main problem maybe not SIP.
I had standard OS X El Capitan. I enabled file sharing. So with this when loged in as admin I could access all drives on my Mac. This is written in the filesharing menu too.
Standard users can access shared drives and admin users can access ALL drives.
So my problem is not that I can't access system files which are prevented by SIP. My problem is that I can't access the drives whichs are not prevented by SIP.
On my Mac
Macintosh HD (internal) contains MAC OS X
Harddisk "Pictures" (external USB)
Harddisk "Documents" (external USB)
When logged in as admin I can't access the external USB drives unless they are marked as shares in the filesharing dialog. But as I wrote in the quote and as it was functional before when logged in as admin I should get access to this drives without setting them up in the filesharing menu.
So I want to get this function back. It was the standard function before I played with OS X Server.
Or is it a fuction of OSX Server that this does not wor any more and everything works right?
-
Feb 6, 2016 11:23 PMby UptimeJeff,You can enable the option with:
sudo serveradmin afp:admin31GetsSp=yes
Then restart AFP to activate the change
sudo serveradmin stop afp
sudo serveradmin start afp
Note: this works for AFP only, not for SMB.
OS X client defaults to SMB, so you either need to force AFP on the client or disable SMB on the server.
If SMB isn't required, I'd take the 'DIsable SMB' route:
sudo serveradmin stop smb
If you prefer to keep SMB running, the client should connect with and afp URL
ex: afp://10.0.0.2
hope that helps
jeff
-
Feb 8, 2016 11:06 AMby FamilyJens,Thank you very much for your help Jeff,
I know before I installed the Server it was working with afp and smb. I just installed the Server and deleted many entries in the Server GUI. Maybe there was something that brings it to work.
I need the connection with smb because I use Apps like "Filebrowser" or "Fileexplorer" on iPhone/iPad. They can not handle afp.
-
Feb 9, 2016 8:32 AMby UptimeJeff,For SMB, enable administrators to see all volumes and shared folders with:
sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server VirtualAdminShares -bool YES
restart SMB
sudo serveradmin stop smb sudo serveradmin start smb
Hopefully that does the trick :-)
Jeff
-
Feb 9, 2016 1:57 PMby FamilyJens,Hello Jeff,
now it works. But I'm wondering why it keeps working when I use
sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server VirtualAdminShares -bool NO sudo serveradmin stop smb sudo serveradmin start smb
I thought this should disable this function. I did it only to understand the problem.
-
Sep 6, 2016 3:10 PMby hunterdg,Thank you for pointing us in the right direction!
I wanted admin shares over AFP ONLY, with SMB disabled, but the solution above did not work so i did some digging.
The correct (TWO) settings are:
afp:SpecialAdminPrivs=yes
afp:admin31GetsSP=no
SpecialAdminPrivs - Grant administrator users root user read/write privileges. Default =no
admin31GetsSP - Set to yes to force administrator users on Mac OS X to see sharepoints instead of all volumes. Default =yes
also i had to append 'settings' after 'sudo serveradmin'
so:
sudo serveradmin settings afp:SpecialAdminPrivs=yes sudo serveradmin settings afp:admin31GetsSp=no sudo serveradmin stop afp sudo serveradmin start afp
http://www.manualslib.com/manual/8664/Apple-Mac-Os-X-Server.html?page=137#manual
http://www.manualslib.com/manual/8664/Apple-Mac-Os-X-Server.html?page=140#manual
-
Sep 6, 2016 3:30 PMby hunterdg,oops, forgot
afp:adminGetsSP=no
adminGetsSP - Set to yes to force administrator users on Mac OS 9 to see sharepoints instead of all volumes.Default =no
so:
sudo serveradmin settings afp:SpecialAdminPrivs=yes sudo serveradmin settings afp:admin31GetsSp=no sudo serveradmin settings afp:adminGetsSp=no sudo serveradmin stop afp sudo serveradmin start afp
