10.4 AFP Group Permissions

This issue is dogging me as well...

Same problem here. Come on Apple....

Same problem here...

regards,
Hendrik

I'm experiencing the same problems. Tested thoroughly with 10.3 Server, now not working with 10.4.

Same problems here. tried upgrading a server and on a clean install.

Add me to the list.

I am having similar issues with Quark 3, 4, & 5 files from OS 9 machines. The folders are showing Read/Write access to everyone. When I try to save a Quark document back to the server the users receive a -5000 permission error which corrupts the Quark file. I don't have this problem with Quark 6.1 on a 10.3.9 machine. So far it seems that Quark is the only program with this problem but I need to check illustrator since I have one report from a user which I haven't ruled out a folder permission issue.

I have heard about the Quark permission problem before with others but have not had it myself. The only thing I have changed is upgrading from 10.3.X to 10.4 server. I have to think that there is some issue with my upgrade. I am going to do a clean install of the server as I don't have too many user accounts to transfer or recreate.

I am hoping that a clean install will solve my issues.

After more wasted time today than I care to divulge, here's what fixed it for us: creating new user groups with DIFFERENT names than the ones from our Panther install. For whatever reason, it seemed that the old BSD permission group names from Panther were somehow confusing Tiger.

I recreated the groups when I first noticed the problem (even after choosing 'convert legacy groups'), but it wasn't until I recreated them with entirely different names later in the day that the problem was resolved.

The odd thing is I wasn't even keen on using ACLs at first since Retrospect doesn't honor that particular metadata yet, so when I first started this ordeal I turned them completely off. But, as it turns out, whether I was using ACL or BSD permissions, the outcome was the same - permissions simply would not automatically propagate from the parent directory to new files and folders correctly until I used a renamed group. Incidentally, I haven't tried it yet with the old BSD permissions - it's working now and I'm afraid to touch it!

Here's the kicker... unfortunately, it wouldn't resolve for me until I manually propagated the ACE of the newly-renamed group down from the root share. This was a fairly painless process for us, as our permission scheme is pretty straightforward and simple, but I can see where this might be problematic if you have more complicated scenarios.

If y'all are having the same problem I am, this may work out for you if your permission setup is pretty simple, other than that you may want to wait on a more definitive statement from Apple. All I can say is that this worked for me.

Good luck
Danny

Well, I have to update my post from last night. What fixed out problems seems to have lost its charm. All permissions on new files and folders were working great last night after creating the new accounts. Different users on different workstations could create new files and share them without problem. Everything was as it should be, but... I come in this morning to find that it is broken again.

So, sorry for the misinformation, I'm left to believe that it is just plain buggy, and there may be no way around it for the time being. I am reverting back to our cloned Panther server installation and will wait this one out.

Again, sorry to cry wolf - it was working great... for a while. If anyone has any information, please post it. I would love to hear of any fixes.

Danny

Well, here is what I have found.

It sure would be nice to be able to post screen grabs.

Anyway, using ACL on the share I have the share owner as myself (myname) RW, the group as Art (art) RW and Everyone set to none. I added the group Art (art) ACL with RW.

Get Info on files and folder show the user that created it as (owner) RW, the group as (art) R, Others as R. That said, anyone actually in the (art) group can RW.

ls -l in Terminal shows this:
drwx------ 9 scottsla unknown 264 29 Dec 09:52 25864 Market Street Mortgage

I'm always the owner and the group is always unknown...

Strange indeed...

The issue is the umask which set at 022, it needs to be changed to 002, the easist solution used to be cocktail, under 10.3 you could run cocktail and set the umask to what ever you wanted.
I just donwloaded the 10.4 version and the feature is gone.

I have my permission set to Inherit permission from perent but that not working and that would only work from a connected AFP user.

The directories I'm having issues with are being created by an application running on the server.

Does anyone know where the umask is stored for a user under 10.4

thanks
Dean

Hi All,

I have fix so that your files a written we correct permissions.

This works, I have 10.4 tiger and all folder files created on the server are now
rw rw r

You will need an application from the dev tools disk, its also on the DVD that came with Tiger
"Property List Editor"

the file you need to edit is an xml file but its hidden and its in binary

First things first,
You can make this edit for all user's of the system or only certain user's

to make edit's for all user you need to alter this file, but stop read all first

/Library/Preferences/.GlobalPreferences.plist

tomake edits for a user use this file

/Users/USERNAME/Library/Preferences/.GlobalPreferences.plist

Openup terminal and navgate to the file

CD /Users/USERNAME/Library/Preferences/

ls -al at the top you should see this file
.GlobalPreferences.plist

Now make a backup

sudo cp .GlobalPreferences.plist .GlobalPreferences.plist.**

now we will move the file to the current desktop so we can edit it

sudo cp .GlobalPreferences.plist /User/USERNAME/Desktop/my.plist

open my.plist in Property List Editor

once opened click on the root arrow, we need to add a new child do not add a new sibling

add new child,
change name to: NSUmask
change type: string to number
and enter value 2 (decimal for octal 002) you could enter 0 for rw rw rw

save the file and recopy it back to the preferences

cp /User/USERNAME/Desktop/my.plist .GlobalPreferences.plist

Log out and back in as the user and now any folder file made on the server will allow group read and write.

If it breaks, just replace the .GlobalPreferences.plist with .GlobalPreferences.plist.** and simly logout and in again.

I hope this helps, don't blame me if it doesn't work
Warning, if you worried about doing this don't
backup, backup verify backup and then backup again

Dean

I am seeing this same problem with 10.3.9 as well. It became apparent when we had users sharing the same Microsoft Access database stored on an Xserve file share. The first user to open the database creates a lock file in the folder where the database is stored. All subsequent/concurrent users of the database get an error on open stating that they cannot access the lock file. A look at the lock file from the server reveals that the lock file is read only for all users excepting the one that opened the DB. I have been manually changing the permissions when the file is opened each day.

I tried the fix offered by Dean below, but the issue still persists.

Reyes,

Just out of instrest, if your on the server, not via AFP but on the server itself as the user whom the database access is running. And you create a folder what are the folder permission, name and group and what is the database lock files name and group and permissions

also how did you creat the folder, sitting at your sever, ARD or command line
Dean

You can add me to the list as well.

It dont matter if I have the share set to POSIX or Inheret behaviour, both give me the same result, the permisions of the parent folder are NOT being inherited.

I made a carbon copy of the old server on a spare external drive, when I bout from that it's all fine. The older server was running 10.2.8, the new one is a clean 10.4 install, users and groups re-created from scratch.