Lion Server 10.7.3 file sharing permissions

I'm having really strange issues with Lion Server. Since upgrading to 10.7.3 I no longer have permissions to modify files on Share Points that I was once able to in 10.7.2. When I go to modify certain files or folders I get "The operation can’t be completed because you don’t have permission to modify some items."

Mac mini, Mac OS X (10.7.3)

Posted on Feb 9, 2012 2:48 AM

26 replies

Feb 17, 2012 5:50 AM in response to Marco V

I see this as well. I spent a ton of time recreating groups and ACLs last weekend after they suddenly stopped working; it worked for 4 days and then failed at midnight last night. What I see is that an OD group used in an ACL is suddenly ignored. This even applies if I log in a user directly to the server.


So, for example, let's say I make a directory "testdir" owned by root and with rx permissions for the group testgroup. I add an ACL, the only ACL, to the directory granting that group full permissions. The ACL is ignored: the user cannot create a file in the directory. If I grant write permissions via the POSIX bit to the group, write permissions return. If I create a new OD group and add an ACL using it, or add an ACL using a local group like staff, it works. Again, all of this is being tested locally on the server (of course it fails over shares, too).

Apr 3, 2012 5:06 AM in response to Brian Landy

I fixed my problem.


I'm using a Promise Raid as external Raid via Thunderbolt.


I had all my volumes at the root Layer of the Drive


!!! This did not work !!!!!

for example:

/Volumes/promiseraid/share1

/Volumes/promiseraid/share2

/Volumes/promiseraid/share3


!!! This works !!!!!

/Volumes/promiseraid/data/share1

/Volumes/promiseraid/data/share2

/Volumes/promiseraid/data/share3


Don't ask me why, but with one folder layer in between it worked pretty well!

Apr 22, 2012 6:38 AM in response to Brian Landy

Brian your solution worked for me. From all the rumors 10.7.4 is due to release soon.


As I think more about it, this issue might be related to another one I am having with groups. When I select user in the new Server app I can see the individual groups which each member belongs to. However, when I look at each group, no member is listed underneath it. Brian, if you have some time, can you look to see if you are having the same behavior?

May 14, 2012 9:32 PM in response to gmbinom

Background

Access Control Lists (ACLs) are applied to folders and files to define user (and group) access privileges.


I have setup two Mac mini Servers at our company – one in our Melbourne office and one in our Sydney office. Each file server is made up of the following hardware:

1x Mac mini Server (with Lion Server).

2x Promise Pegasus 12TB (6x2TB) R6 RAID System (Thunderbolt) in RAID5 configuration. The two Pegasus units are mirrored (RAID1) using SoftRAID.


Users and Groups are replicated between the two servers via Open Directory.


The PeachPit book "OS X Lion Server Essentials" is the best book I've found that explains OS X Server services and configuration. It has a good explanation of POSIX and ACLs.


The Problem

It seems there is a bug in Lion Server that causes ACLs to be ignored. A couple of times I've managed to fix the problem using these steps:

1. Remove the share-point.

2. Set up the share-point. /Volumes/promiseraid/work

3. Apply an ACL to a folder.

5. Propagate the ACL to sub-folders.


When ACLs are not applied to a folder the older POSIX permissions define access privileges. With the POSIX mechanism the user, group and other access privileges applied to new files and folders are defined in the 'umask' value. The default 'umask' value sets file/folder group to read-only access. The upshot is when the POSIX mechanism is used and a member of staff creates a file or folder it is read-only to colleagues. System Administrators shouldn't need to change the 'umask' value – too technical. Apple documentation encourages System Administrators to use ACLs to define access privileges – use ACLs to overcome the limitations of POSIX.


The workarounds I've been considering

  1. Stick with Lion Server, apply POSIX read&write (group and others) permissions to all folders at regular intervals (daily) and wait for Mac Apple to fix the problem.
  2. Abandon Lion Server (10.7) and revert to Snow Leopard Server (10.6).
  3. Abandon Lion Server (10.7) and setup a Microsoft Windows Server solution.


A solution?

Scanning the several threads here I think I discovered a "fix". Mac OS Lion doesn't seem to honour ACLs if

  1. a volume is being shared (AFP and/or SMB), or
  2. a folder at the root level of the volume is being shared (AFP and/or SMB).


However, if the folder being shared is at least one folder deep ACLs seem to be honoured!


!!! This did not work – ACLs are not honoured !!!!!

/Volumes/promiseraid

/Volumes/promiseraid

/Volumes/promiseraid


!!! This did not work – ACLs are not honoured !!!!!

/Volumes/promiseraid/share1

/Volumes/promiseraid/share2

/Volumes/promiseraid/share3


!!! This works – ACLs are honoured !!!!!

/Volumes/promiseraid/shareditems/share1

/Volumes/promiseraid/shareditems/share2

/Volumes/promiseraid/shareditems/share3


Acknowledgement

I should acknowledge gmbinom for his time troubleshooting this and reporting his findings to this thread.


A response from Apple

It would be good if Apple could address this limitation with either:

  1. A note from Apple acknowledging this limitation ("undocumented feature") with advice to not share a volume or a folder at the root level of a volume. Instead, share a folder at least one level deep; or
  2. Fix Lion Server so that any volume or folder can be shared and ACLs will be honoured.
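
An added example, not part of any post in this thread: a shell helper that sorts share-point paths into the three layouts reported above (shared volume, folder at the volume root, folder at least one level deep) so the first two can be re-tested for ignored ACLs. The function names and the sample paths fed to it are assumptions for illustration; it only inspects path strings and does not read or change any ACL.

```sh
#!/bin/sh
# Classify a share-point path by its depth below /Volumes/<volume>, using the
# layouts reported in this thread. Hypothetical helper names.
# Prints: volume-root | root-level-folder | nested | not-under-volumes
classify_share_path() {
    # Normalise: collapse repeated slashes and drop one trailing slash.
    p=$(printf '%s\n' "$1" | sed -e 's#//*#/#g' -e 's#\(.\)/$#\1#')
    case "$p" in
        /Volumes/*) rest=${p#/Volumes/} ;;
        *) echo "not-under-volumes"; return 0 ;;
    esac
    # Split the remainder on "/" only, so names with spaces stay intact.
    old_ifs=$IFS; IFS=/
    set -f; set -- $rest; set +f
    IFS=$old_ifs
    case $# in
        1) echo "volume-root" ;;        # the volume itself is shared
        2) echo "root-level-folder" ;;  # folder directly under the volume
        *) echo "nested" ;;             # at least one folder in between
    esac
}

# Read one share-point path per line on stdin and flag the two layouts the
# thread reports as affected. Returns 0 only when nothing was flagged.
audit_share_paths() {
    flagged=0
    while IFS= read -r sp; do
        [ -n "$sp" ] || continue
        kind=$(classify_share_path "$sp")
        case "$kind" in
            volume-root|root-level-folder)
                printf 'CHECK  %-18s %s\n' "$kind" "$sp"
                flagged=$((flagged + 1)) ;;
            *)  printf 'ok     %-18s %s\n' "$kind" "$sp" ;;
        esac
    done
    [ "$flagged" -eq 0 ]
}

# Constructed sample input: the example paths quoted in the thread.
audit_share_paths <<'EOF' || echo "some share points use a reported layout"
/Volumes/promiseraid
/Volumes/promiseraid/share1
/Volumes/promiseraid/shareditems/share1
EOF
```

Lines marked CHECK are the share points to re-test with a user who has access only through the ACL, as in the "testdir" test described earlier in the thread.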

May 18, 2012 5:30 PM in response to Sam Venning

Thanks everyone for your troubleshooting. We are going to upgrade our client systems to Lion.


The Mac Mini server now runs Lion 10.7.4 Server and users reported issues with File shares permissions.

The shares are also stored on a Promise Raid connected with thunderbolt.


Would the Thunderbolt connection have any influence on that issue? I know it doesn't seem to be a hardware issue at all, but I just noticed we were having this issue on Promise Raid systems connected with Thunderbolt.
