6 Replies Latest reply: Aug 27, 2010 10:49 AM by MuddyBulldog
Darren_W Level 1 (0 points)
Hopefully someone will be able to help with this issue.

I am trying to set up a permission structure for folders on an AFP Share on an xServe running 10.6.4.

I would like to Deny access to all folders for the Everyone Group, then allow access to folders to explicit groups. This kind of works, but I am having issues with users that are given explicit read write access, in that they are able to create folders but unable to name or rename them.

Is this a bug or am I going about this the wrong way?

Regards,
Darren

xServe, Mac OS X (10.6.4)
  • Churnd Level 1 (5 points)
    I'm assuming these people are using Windows XP? If so, check this blog post: http://chrishearn.wordpress.com/2010/04/07/os-x-server-smb-problems/

    Specifically, this part:

    ; Fix ACL's for Windows XP Users
    acl check permissions = no
    nt acl support = no
  • Darren_W Level 1 (0 points)
    Thanks for the reply.

    It's a good link but unfortunately only related to SMB shares; I am only sharing and connecting via AFP. This problem is actually not Windows related at all. Clients are connecting to the AFP share via Macs running 10.6.4.
  • Churnd Level 1 (5 points)
    Ah I see. Try removing the deny ACL and restrict the allow ACL to just the people you want. I never use deny ACLs... in my opinion they are more trouble than they're worth. From what I can tell, you would only want to use them if you have an allow ACL inherited that you want to circumvent for a specific directory or file.
  • MuddyBulldog Level 2 (215 points)
    Agreed. Deny ACLs (on any platform) as exceptions to allow rules usually are best left avoided if they can be. Much easier to evaluate "this is what is allowed" than "this is what is allowed, except in this instance, or that one, or this other one".
  • Darren_W Level 1 (0 points)
    Hey Guys, Thanks heaps for your input.

    I guess I am going about this the wrong way; I will have a think about the best way to complete this task.

    Does anyone have any suggestions as to the best way to do this?

    I wish to create a share with several folders inside that I want to be hidden unless the user is in a group with rights to read the folder.

    I have been successful in doing this using POSIX permissions; however, the folders are not hidden, just displayed with the no access symbol.

    Regards,
    Darren
  • MuddyBulldog Level 2 (215 points)
    I've always gone with the philosophy that if you have two folders in one share that need different permissions, what you actually need is two shares.

    As opposed to:

    afp://server/share/folder1
    afp://server/share/folder2
    afp://server/share/folder3

    where all 3 folders are accessed via 'afp://server/share',
    create

    afp://server/share1
    afp://server/share2
    afp://server/share3

    Users that don't have access to a particular share won't see it should they open

    afp://server
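
Added example, not part of the thread: a simplified Python model of ordered ACL evaluation, showing why a deny entry for everyone also blocks members of an allowed group while an allow-only list already keeps other users out. The group names, users and rights sets are constructed; the model assumes deny entries sort before allow entries and treats any right that no entry grants as denied (it ignores the fall-through to POSIX mode bits).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ACE:
    principal: str        # group the entry applies to
    kind: str             # "allow" or "deny"
    rights: frozenset     # rights named by this entry

def canonical(acl):
    """Stable sort that puts deny entries ahead of allow entries."""
    return sorted(acl, key=lambda ace: ace.kind != "deny")

def check(acl, groups, wanted):
    """Return (granted, reason). The first matching entry decides each right."""
    pending = set(wanted)
    for ace in canonical(acl):
        if ace.principal not in groups:
            continue                      # entry does not apply to this user
        hit = pending & ace.rights
        if not hit:
            continue                      # entry says nothing about these rights
        if ace.kind == "deny":
            return False, f"deny {ace.principal}: {sorted(hit)}"
        pending -= hit                    # these rights are now granted
        if not pending:
            return True, f"allow {ace.principal}"
    return False, f"no entry grants {sorted(pending)}"

# Constructed sample data (assumptions, not the poster's actual ACL).
FULL = frozenset({"list", "add_subdirectory", "delete"})
DENY_THEN_ALLOW = [
    ACE("everyone", "deny", frozenset({"list", "delete"})),
    ACE("design", "allow", FULL),
]
ALLOW_ONLY = [ACE("design", "allow", FULL)]

ALICE = {"everyone", "design"}   # member of the allowed group
BOB = {"everyone"}               # not a member

if __name__ == "__main__":
    for name, acl in (("deny+allow", DENY_THEN_ALLOW), ("allow only", ALLOW_ONLY)):
        for user, groups in (("alice", ALICE), ("bob", BOB)):
            for right in sorted(FULL):
                ok, why = check(acl, groups, {right})
                print(f"{name:10} {user:5} {right:16} {'OK' if ok else 'NO':2}  {why}")
```

In the deny+allow layout the group member keeps only the rights the deny entry does not name, so some operations succeed and others fail; the allow-only layout gives the member everything and the non-member nothing.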