10.4 AFP Group Permissions

I just got off the phone with Apple and they are aware that some setups have issues with "inherit permision behaviour" not working as it should.

I was asked to send in my system.log file of client and server.

I suggest that other people do the same thing as this helps Apple to find out why some setups are having this problem.

So I guess the 10.4.1 Server update is not ready for prime time...I've gone back to my 10.2.8 setup until this gets resolved. I have a Peachtree database on our Xserve and when it posts it take forever on 10.4. Something is not right...

I'm still running 10.3.9. Don't really want to be a 10.4 Guinea pig.

We do have some problems with permissions under 10.3.9. I have found these things help somewhat...

1: Don't use the built-in unix groups like 'staff'. I've never been able to get those to work. Instead I have a custom group 'designers' and added everyone to that.

2: I have a cron job that runs every 15 minutes that fixes any stragglers with permissions with chown like this..
chown -R admin:designers artFolder

3: If anything gets restored off backup, I usually need to use chown and chmod since files on backup still have old permissions.

4: Sometimes I need to run chflags for some of the folders to make sure none of them are locked. Permissions won't change for locked folders!

Hope this helps a bit.

Have the same problem here on my new G5 xServe! (10.4 Server)

Last nigth i installed the 10.4.1 update and hoped that solved the problem but
.......arghhhhh...... still the same permision problems!

I have got the same problem
on one xserve the problem solved itself, after i unchecked apple talk in the ethernet preferences, restarted the system and it was gone
I was not able to fix it on any other machine

- Harald

I think I may have found out what it is all about. My setup is Active Directory integrated and it works fine except I also saw the problems with permissions.
I cannot choose between Default permissions on the Protocols/Apple File tab.
But what solved it here is that one has to forget about Posix permissions and rely solely on the new ACLs.

Sorry. I still have the problem. When a user creates a file it assumes rw-r--r-- regardless of the enclosing folder.
Still cannot set options on Protocols/Apple File tab.

It seems to me that this has been a problem at every .x release!

I can substantiate your problem.

First off, for those new to this topic, Mac OS X 10.4 Server (Tiger Server) offers two access control models for file services: Access Control Lists (ACLs) and POSIX permissions (owner, group, and everyone else or world).

For share points that reside on volumes where ACLs are disabled (which is the default), the POSIX access control model has two permissions models for new file creation: standard POSIX behavior (or standard UNIX behavior) and Inherit Permissions from Parent. With standard POSIX behavior, the client's umask is consulted. For Mac OS X, the umask is 0022, which is subtracted from 0777, yielding 0755, which corresponds to the following: owner - read, write, and execute; group and everyone else - read and execute. (The initial bit is for set UID or sticky bits, which are off-topic here. See man chmod for more about these.) Inherit Permissions applies to the AFP server by setting the afp use_parentpermissions property to value 1 to the share point record in the server's local directory domain. When this is the case (and it was in Mac OS X 10.3.x) the umask is not to be consulted for new file creation; instead, privilege information should be copied from the enclosing folder, whatever that information may be.

New file creation includes duplicating existing files on the share point, copying files to the share point, or saving files to the share point.

One good example implementation of the POSIX access control model with the Inherit Permissions permission model is the creation of a share point to which everyone can read and write. In this case, you want new files created to inherit the 777 permissions from their parent, allowing one user to create a file and another user to delete, rename, or append data to it. With standard POSIX behavior, the umask for the new file would give it 755 permissions where other users (besides the owner) could read the file or copy it elsewhere.

However, I have noticed two bugs in the Mac OS X 10.4 Finder which make diagnosing and applying the Inherit Permissions model very frustrating.

1. First of all, try this: as per the example above, create a share point whose container privileges are 777 with Inherit Permissions enabled, and ACLs turned off. Set the owner and group of the share point to root and admin respectively, although it doesn't matter since we want everyone to read and write to this example share point. Then, mount the share point (ex. this_share) as one user (user A) and copy a test file to it. This should complete successfully. Check the permissions via the Finder's Get Info window, and you'll see that the privileges are correct, although the owner and group listed may be wrong. Check the permissions via "ls -l" in Terminal on the mounted directory (/Volumes/this_share).

Now, duplicate this file via Finder. (Terminal duplication via "cp" or similar will work without error.) Tiger clients will show one of the following errors (wording similar to the following):

a. Sorry, the operation could not be completed because an unexpected error occured (error -50).

b. The operation could not be completed because you do not have sufficient privileges (for item whatever).

c. You may need to enter a name and password before you can copy (this item)...

Dismiss the error and look at the privileges for the original file via the Get Info window. They've changed to show 755, but "ls -l" still shows that the original file has privileges 777! If the Finder duplication operation did create a duplicate file (case a), the duplicate will have privileges 755, which clearly violates the Inherit Permissions model.

continued...

This tells me two things: 1. The Finder is not correctly reading the Inherit Permissions model since it reflects 755 privileges instead of 777 privileges for the original duplicate file, despite the Terminal showing the correct 777 ones. 2. The Finder is not correctly respecting the Inherit Permissions model since the new duplicate file, if it's created has permissions 755. This is a Finder problem as the Terminal can correctly perform the duplication.

2. Second, even for share points that just use standard POSIX access and standard POSIX permissions (such as user home directories), the same is true!

Do this: Log in from a Tiger client as a user whose home directory resides on an AFP share on your Open Directory master. Make a new file on the user's desktop (privileges will be 755, correctly respecting the umask). Duplicate the file. You'll see the "error -50" again.

Clearly the Finder has some serious problem reading POSIX permissions and correctly representing them in Info windows.

Does anyone else have thoughts to add?

Thank you for your crontab suggestion. That solution certainly is valid, but, respectfully, this is a problem that is new in Mac OS X Server 10.4 and 10.4.1.

The Inherit Permissions model via POSIX access did work in Mac OS X Server 10.3.x, regardless of what the group or owner were. This means that new files created (via duplicate, copy, or save) on or to the share point obtain the permission bits of their enclosing folders. Inherit Permissions does not (is not supposed to, never did) automatically apply privileges to files already copied to the share point before Inherit Permissions was turned on. In other words, Inherit Permissions does not apply permissions like chown; rather it supersedes the umask for creating new files.

Choosing the Inherit Permissions from Parent in the AFP access or protocols section of Workgroup Manager sets an afp use_parentprivs record with value 1 (true) for the share point's record in the server's local directory domain. This worked in Mac OS X Server 10.3.x, but:

1. Mac OS X 10.4 and 10.4.1 clients' Finders appear to be always using umask and not respecting Inherit Permissions (even when accessing files on 10.3.x servers), and
2. Mac OS X Server versions 10.4 and 10.4.1 may not be correctly implementing them (as new files created revert to umask on certain clients).

--Gerrit DeWitt
Apple Certified System Administrator

yep same problems here... so add me (and my servers 🙂 to the list 😟

I switched a small workgroup (10 people) over the weekend from 10.3 to 10.4 server.

I made a fresh install to stay as clean as possible and luckily I partitioned the "old" startupdrive in two equals.

Today - monday morning - my phone didn't stop ringing, customers where complaining that no files can be edited, saved, moved or deleted if they are not the owners or creators of the original files...

grrr... I had to reorganize my whole day to troubleshoot, then found there is no fix for this Apple-fault and went back and installed a fresh 10.3.9 Server on the second startup partition.

3 hours later up and running smoothly, with correct permissions.

thanks Apple for having me as a betatester

my two cents
Rocket Rob

We're happily running a mixed Macintosh office: one OSX10.3.9 Server, a half-dozen OSX10.3.x clients, and 20 OS9.2.2 clients.

Under OSX10.3.9 Server, we've had rare occasions (maybe 5 times in the last year) where a new file saved to a share point has permissions of rw-r--r--, with the user as owner (instead of rw-rw----, with admin as owner). This was a simple fix with CHOP.

Just started testing a clean install of Tiger on a new G5. We created a new list of users, made a copy of our data files, created the share points and set the permissions. In all instances, admin is the owner, and each share point has a unique group associated with it (ie. for share point called Ad Work, owner is admin, group is Ads)

I'm having the same problem with permissions everyone else is having; the only difference seems to be that I'm testing from a Panther client. I haven't tried connecting to the server from an OS9 client yet, because we want to upgrade those users to OSX when we implement Tiger.

As per Gerritt's suggestion, I've tried copying files from my client to the server's share point using Terminal, but that doesn't seem to work either. Get Info and ls -l show the same thing: permissions on the file are rw-r--r--. I get the same result from both the client and the server.

Thankfully we're in no rush to move to Tiger.

- Andrew

Thank you, Rob and Andrew!

Please keep working to make Apple fix this:

Rate posts by clicking the plus button (not the plus button on the bookmark). This brings this tread to the top of the discussions list here.

If you have time, please send your posting or a more detailed note over to MacFixit: late-breakers@macfixit.com I'm doing that, too.

Thanks for your help!

--Gerrit DeWitt
Apple Certified System Administrator

This might be off topic...
just in case you guys are interesed (another reason not to switch to tiger server).

But if you are housing a Leonardo Card SP or XP in your tiger server be aware these cards are not supported anymore from the german developer Hermstedt.

This is a major bummer because they were supported and running fine unter panther server.

You have to buy a brand new card Leonardos X4 or USB to get Leonardo Internet Express or Grand Central to work again with Tiger...

Woho, what a way to live on hardware money... 😟

Rob

Just a quick update:

Okay, so User_1 saves a file to share point Ad Work. Get Info and ls -l both show that file permissions are rw-r--r--, with User_1 as the owner.

Now User_2, also a member of the Ads group, connects to share point Ad Work, and even though he only has read permission, deletes the file.

Alternatively, User_2 connects to share point Ad Work, opens the read-only file, makes changes, hits save, and is given the option to overwrite the file. Overwriting the file retains the changes, and changes the owner to User_2, with everyone else having read-only access.

User_3 then connects, opens the read-only file, makes changes, and overwrites the file, becoming the new owner.

So what the **** are the permissions, really?

- Andrew