
ACLs Seem to be Ignored

Hi,
I have an XServe running 10.5.6 server. We were having sporadic permissions issues so I followed Gerrit's procedure from here:

http://discussions.apple.com/thread.jspa?messageID=8452409&#8452409

to completely reset and rebuild them from scratch for the shares (which are folders, not the vol root) on the data volume.

All seemed OK for a bit but now we are starting to get the same 'cannot save because you don't have permission' errors again - especially with MS Office 2004.

The effective permissions inspector shows correct (looks to me anyway) permissions. The volume supports ACLs as reported by command line.

Files saved report POSIX permissions per Gerrit's summary and the ACL entries are there but it seems like they are being ignored by the AFP client - i.e., the POSIX permissions are the ones being respected and the ACL entries ignored.

Ideas? Thanks!

too many, Mac OS X (10.5.6)

Posted on Feb 23, 2009 8:08 AM

6 replies

Mar 29, 2009 12:35 PM in response to 1Adam12

Try this: On the affected share point, look for a folder called .TemporaryItems (name begins with a dot, so it's hidden). This folder is used by some applications - MS Office for instance - when saving. Unfortunately, that folder probably wasn't there when the share point was empty, so Office created it for you. The catch is that, even with inheritable ACLs, an application can ask Folder Manager to create a new folder with a specific set of permissions. And that's what Office does - it creates the .TemporaryItems folder without any ACLs, even when they're set to be inherited.

You can fix this by manually changing the permissions of .TemporaryItems on the share point on your server. At the server, let's say that the share point is Projects, located at /Volumes/Data/Projects.

Here's what to do, with nobody connected to the share point:

1. Strip any existing ACLs from it: *chmod -R -N /Volumes/Data/Projects/.TemporaryItems*

2. Remove any POSIX special permissions (like sticky bits): *chmod -R 0755 /Volumes/Data/Projects/.TemporaryItems*

3. Add an ACL to the .TemporaryItems folder that grants read/write access to the necessary group. Let's say that group is designers:

*chmod -R +ai "group:designers allow readattr,readextattr,readsecurity,list,search,read,execute,writeattr,writeextattr,delete,delete_child,add_file,add_subdirectory,write,append,file_inherit,directory_inherit" /Volumes/Data/Projects/.TemporaryItems*

--Gerrit

Message was edited by: Gerrit DeWitt
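
One way to check the result of the three steps above, as an added example that is not part of Gerrit's post: the function reads the output of `ls -led` for the .TemporaryItems folder on stdin and reports whether special POSIX bits remain and whether the group has an inheritable allow entry. The function name, return codes and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `ls -led <folder>` output on stdin.
# Prints a verdict; returns 0 ok, 1 no allow ACE for the group,
# 2 special POSIX bits still set, 3 ACE present but not inheritable.
check_tempitems_acl() {
    awk -v want="group:$1" '
        NR == 1 {
            # first line is the POSIX listing; s/S/t/T mark setuid/setgid/sticky
            if ($1 ~ /[sStT]/) special = 1
            next
        }
        {
            # ACE lines look like " 0: group:designers allow list,...,file_inherit"
            sub(/^[ \t]*[0-9]+:[ \t]*/, "")
            sub(/[ \t]+$/, "")
            n = split($0, f, /[ \t]+/)
            if (f[1] != want) next
            # "inherited" may appear between the principal and allow/deny
            kind = (f[2] == "inherited") ? f[3] : f[2]
            if (kind != "allow") next
            found = 1
            if (f[n] ~ /(^|,)file_inherit(,|$)/ &&
                f[n] ~ /(^|,)directory_inherit(,|$)/) inherit = 1
        }
        END {
            if (special)  { print "special-bits";    exit 2 }
            if (!found)   { print "no-acl";          exit 1 }
            if (!inherit) { print "not-inheritable"; exit 3 }
            print "ok"
        }'
}

# Constructed sample: folder as an application created it, with no ACEs
SAMPLE_BAD='drwxr-xr-x  2 anna  staff  68 Mar 29 12:00 /Volumes/Data/Projects/.TemporaryItems'
# Constructed sample: the same folder after steps 1 to 3
SAMPLE_GOOD='drwxr-xr-x+ 2 anna  staff  68 Mar 29 12:00 /Volumes/Data/Projects/.TemporaryItems
 0: group:designers allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit'

printf '%s\n' "$SAMPLE_BAD"  | check_tempitems_acl designers || true
printf '%s\n' "$SAMPLE_GOOD" | check_tempitems_acl designers
```

On the server it would be fed with `ls -led /Volumes/Data/Projects/.TemporaryItems | check_tempitems_acl designers`.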

Apr 8, 2009 4:04 AM in response to Gerrit DeWitt

Thanks, Gerrit. I will try that out this Friday and report back. I'm fairly certain that .TemporaryItems exists as I've checked for its presence but I don't think I examined the ACLs on it.

But, I know that we are still having issues with folder creation that ignores ACLs as well. This just happened last week. A user with 10.5.6 client created a folder on the share that had her as the owner and everyone else was read only. This is where things get really frustrating as it truly seems like the server isn't honoring what the permission model should be.

May 6, 2009 9:02 PM in response to Gerrit DeWitt

Gerrit,
great post, but question for someone to answer:

Mac - connects via SMB with a user for a share called "private". This user has in ACL and in POSIX permission to read and write as well as the group she belongs in for POSIX. When connecting to the share she has no access.

Mac - connects via AFP no issues.

I am guessing the info you provided would solve this issue? This user(s) is not bound to the server, just want to know if Gerrit's response would solve this issue and if this is what people are having issues with.

Thanks

May 19, 2009 12:41 PM in response to Gerrit DeWitt

Gerrit,
I checked and mine already says "no". I am assuming that 10.5.5, which is what I have, by default has this setting. Again this was a Mac user connecting over SMB, not a Windows user connecting. I believe 10.4 and 10.5 Samba are different versions, correct? Which is different than the Windows XP version as well? On a further note this is a 10.4 computer connecting to a 10.5 server. Both use different versions of Samba. Any further ideas?

Thanks
