
SMB connection ignores ACL permissions

4516 Views 7 Replies Latest reply: Jun 18, 2008 12:03 AM by Eric Guerin
raydawg2000
May 28, 2008 4:15 PM
When I connect to my SMB share, the filesystem is following the chmod permissions and not the ACL permissions.
I have this working on the following:

but 10.5 does not follow the ACLs. These are the ACLs for two files:

This file I CAN access:
drwxrwx---+ 4 jamesl FSUsers 4096 May 27 18:43 Web Updates

# file: Web\040Updates
USER jamesl rwx rwx
GROUP FSUsers --- ---
group FSUsers rwx rwx
group admin rwx rwx
mask rwx rwx
other --- ---

I CANNOT access this file:
drwxrwx---+ 128 root root 4096 May 28 14:59 Web Development
# file: Web\040Development
USER root rwx rwx
GROUP root --- ---
group FSUsers rwx rwx
group admin rwx rwx
mask rwx rwx
other --- ---

As you can see, ACL-wise they are identical. The only difference is the non-ACL (chmod) permission values. Since I am in the FSUsers group I am allowed to access file #1, but since #2 is root.root I cannot, even though FSUsers is listed in the ACL.

Like I mentioned earlier, everything works fine on the OSes listed above; just 10.5 seems to have issues. I came across the suggestion to use
"check acl permissions = no"
and that had no effect.

Is this a bug or am I not seeing something here?
Mac OS X (10.5)
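As an added illustration (not part of the original thread, and not Samba's code), the sketch below evaluates the two listings above twice: once in the POSIX.1e ACL order and once with a plain owner/group/other check. It assumes the rows are tabular getfacl output (tag, name, access, default) and uses a hypothetical user `smbuser` who belongs only to FSUsers.

```python
# Added example; listings retyped from the post, "smbuser" is a hypothetical account.
WEB_UPDATES = """USER jamesl rwx rwx
GROUP FSUsers --- ---
group FSUsers rwx rwx
group admin rwx rwx
mask rwx rwx
other --- ---"""
WEB_DEVELOPMENT = """USER root rwx rwx
GROUP root --- ---
group FSUsers rwx rwx
group admin rwx rwx
mask rwx rwx
other --- ---"""

def parse(listing):
    acl = {"user": {}, "group": {}}
    for f in map(str.split, listing.splitlines()):
        tag, perms = f[0], set(f[-2].replace("-", ""))  # f[-2]: access column
        if tag in ("user", "group"):      # lower case: named entries
            acl[tag][f[1]] = perms
        else:                             # USER/GROUP (owner, owning group), mask, other
            acl[tag] = (f[1] if len(f) == 4 else None, perms)
    return acl

def acl_allows(acl, user, groups, want):
    """POSIX.1e order: owner, named user, any matching group, other."""
    want, mask = set(want), acl["mask"][1]
    if user == acl["USER"][0]:
        return want <= acl["USER"][1]             # owner entry is not masked
    if user in acl["user"]:
        return want <= acl["user"][user] & mask
    entries = [acl["GROUP"], *acl["group"].items()]
    matched = [p & mask for g, p in entries if g in groups]
    if matched:                                   # one matching entry is enough
        return any(want <= p for p in matched)
    return want <= acl["other"][1]

def mode_allows(acl, user, groups, want):
    """Owner/group/other only; with an ACL the group bits show the mask."""
    want = set(want)
    if user == acl["USER"][0]:
        return want <= acl["USER"][1]
    if acl["GROUP"][0] in groups:
        return want <= acl["mask"][1]
    return want <= acl["other"][1]

def compare(listing, user="smbuser", groups=("FSUsers",)):
    acl = parse(listing)
    return acl_allows(acl, user, groups, "rx"), mode_allows(acl, user, groups, "rx")
```

`compare()` returns the pair (ACL result, mode-only result). The two checks agree on Web Updates and differ on Web Development, where only the named `group FSUsers` entry grants access.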
  • mike.habermeier
    May 29, 2008 2:25 AM (in response to raydawg2000)
    It seems that we have the same problem. My problem is discussed here.

    I hope the new Update will fix this issue.
    MacPro, Mac OS X (10.5)
  • Joseph Delaney Level 3 (515 points)
    May 29, 2008 4:18 PM (in response to raydawg2000)
    try "sudo chown jamesl:FSUsers Web\ Development", or substitute a more appropriate user and group if you need to.

    I'm guessing the problem is that you have the owner and group set to "root", which probably is not the best practice, and if you used any other owner or group the ACLs might be picked up. This can be viewed as a bug or a feature, personally I wouldn't want root-owned files or folders to be editable over any kind of file sharing, regardless of whether the ACLs said they could - so in my view the real problem is that any client can edit that file at all.

    Are you sure the 10.5 client is connecting via SMB and not AFP? It could explain the difference.
    iMac, Mac OS X (10.5.3)
  • Gerrit DeWitt Level 4 (3,900 points)
    May 31, 2008 9:48 PM (in response to raydawg2000)
    I've noticed this problem where Windows clients seem to ignore (or partially ignore) Mac OS X Server 10.5 ACLs, and only rely on the POSIX permissions. This problem isn't unique to Mac OS X Server; Mac OS X 10.5 exhibits the same behavior if you use ACLs on shared folders via SMB/CIFS.

    However, I've found that making this adjustment solves the problem:

    1. Stop SMB services using Server Admin.

    2. Use nano or your favorite text editor to add the following text to the /etc/smb.conf file under the [global] section:

    *acl check permissions = no*

    3. Save the changes and start the SMB service again. Windows clients will need to reconnect; XP Home should reboot.

    Here's my answer to a similar question, which you may find helpful:

    Apple Certified System Administrator, License to Apple via Sec. 2.10. of Terms; CC 3.0/Attribution to Everyone Else
  • Eric Guerin
    Jun 18, 2008 12:03 AM (in response to Gerrit DeWitt)
    Thanks for the response, but changing this setting:
    acl check permissions = no
    in the smb.config file did nothing for my situation.

    I have a Mac 10.5.3 running Apache 2, when someone edits a .php, .html etc file on the Mac everything is fine. When someone connects to my machine using SMB File Sharing (Windows File Sharing) and opens up say a text editor like Dreamweaver to edit the file, and they save, the file is no longer readable from the Apache Server.

    I have to use a utility called BatCHmod to clear the Leopard's Extra Permissions (ACLs). Each time I make a change over SMB this has to be done, it does not remember the previous permissions!

    This is incredibly frustrating and did not occur prior to Mac OS X 10.5.3

    Are there any ways to get the permissions permanently attached to the file, regardless of who is editing it and from what machine?
    iMac 20", Mac OS X (10.5.3), Did not occur prior to 10.5.3
