You're a genius. That's the answer. The "primary group" must remain as "Administrators" with "Read Only" access.
At first, I couldn't figure out how to set it back correctly so I unshared a folder, renamed it, created a new one with old name, moved the files, and shared the new folder. The primary group comes up as "Administrators" with "Read Only".
But instead of doing this with about 10 shares, I figured it out. Under "View" in the Server app, select "Show System Accounts". Now you can restore the primary group to "Administrators" and set "Read Only". Make sure to add in the group you had as primary.
Inheritance problems are over for me. Thanks so much.
There are a few options that you can try.
1) Use the built-in options Apple provides in the Sharing panel of System Preferences.
2) Use a free utility like BatChmod to help manage privs.
3) Learn a few Terminal commands and tinker around that way.
4) Open the purse strings and purchase Mountain Lion 10.8 upgrade for $19.99, plus the Server application for $19.99, as well.
This issue has been driving me bananas but the reason I am working on it at 2:00 am is because I need my file server running correctly tomorrow.
Darryl C's solution didn't quite work for me, but the issue is I am running LDAP on 2 different servers than this particular file server. One LDAP server is 10.6.8 and the other 10.7.1.
Inherited permissions were not working for network users and groups, but by serendipity I created a local user and permissions were inherited correctly for local users and groups.
This fixed it for me:
I created a local group and set inherited ACL permissions for that group in the server pane. Add your network group to this and the permissions propagate.
So how do I fix this on 10.6.8?
It does not appear to have the Server app.
I am so tired of constantly having to "propagate permission" I am about to throw that useless MAC server out of the window and migrate the data onto a Microsoft Windows 2008 server and have the MAC users map to a Windows machine, a solution that I am pretty sure will work way better than using a MAC server.
Sorry but that MAC server does not impress me one little bit!!!
One of the companies that I support purchased a brand new top of the line MAC server and I was tasked with getting it set up on their mostly Windows domain.
This is EXACTLY the same issue that I ran into and I spent hours and hours setting and resetting all of the settings on the MAC server EXACTLY as recommended by APPLE....but nothing worked.
It appears that even Apple is not aware of this flaw.
- Anyway...here is a link to a solution that worked PERFECTLY and has now been working for the whole domain for over a year:
To make a long story short....
You simply turn OFF Macintosh's "AFP (Apple File Protocol)" and use Microsoft's "SMB" (a Microsoft sharing protocol going back over twenty years), which is a MUCH better protocol.
And I know all you DIE HARD Mac people out there are going to hate this solution but I guarantee you it works PERFECTLY.
Unfortunately, that solution works fine for PCs, but it fails miserably on Macs. There are serious issues and ramifications by having Macs use the SMB protocol. I'll list a couple of problems that I personally ran into by doing this...
• Directory listings don't get pushed out properly and Mac clients are left with incomplete file listings. At times, folders would appear incomplete or empty, when in actuality they were loaded with files.
• Microsoft Office freaks out by using SMB. Word and Excel files continually open as "Read Only" and it becomes a nightmare to save files back to the server.
• Side bar links in the Finder just break. They'll work for a while, but if you restart or log out, they will generally stop working.
These are just a few of the problems I ran into, but it's enough to say, NEVER AGAIN.
BUT, the issues that I ran into with SMB were with 10.7.5 Server. I have not tried it in 10.8.2 Server. Hopefully Apple fixed all the SMB issues in 10.8. All I can say is, good luck!
OS X 10.8.3 Server
Same symptoms: Wrong inheritance … sometimes … somewhere …
I don't like the idea of disabling AFP. That's not a solution. (You could call it a temporary workaround.)
I like the solution of kalmicka: creating new folder and new shares of these folders without touching the initial rights. Seems to solve things, but …
new folders have these rights:
Finder info (10.8.3):
same folder in Server.app (2.2.1) / Storage
a freshly created share point under file sharing looks like this (system accounts viewable):
So – following the advice of kalmicka – "Staff" (which is the primary group) is the group to be untouched by you. (Only member of group "Staff" is "System Administrator" aka root.)
The problem with this solution is that as long as there is "staff: read only", this volume/share point is viewable by any user on the network:
Though this user has no rights, he can see everything on this volume/sharepoint.
What must be done to keep their eyes away from this sharepoint/volume – without changing the primary group "Staff" to "no access"?
Thanks in advance!