AD Server with OS X Server for Home Directories?

I am using Active Directory. At one of my schools, I bound a Snow Leopard server as a home directory server. It works well, however, any user can see what's inside everyone else's home directories if they mount the share point. How do I set permissions so this doesn't happen?

17" MacBook Pro 5,2, Mac OS X (10.5.6), 4 GB RAM, anti glare

Posted on Jul 5, 2012 6:56 PM

Jul 6, 2012 9:01 AM in response to rkovelman

The main folder share point POSIX are admin r+w, group read, everyone read. No accidental propagate permission. If I leave it with just those permissions, the AD-bound OS X Server will not allow a user to sign on. It comes up with, "You are unable to log in to the user account at this time. Logging in to the account failed because an error occurred." Instead if I create the user folder in the share & assign it an ACL of the user, it works. Meanwhile if I add domain admins to the ACL with r+w, the user can log in but again they can see all of the data inside the user folder.

Jul 6, 2012 9:11 AM in response to David Hagan

If the group is the same as the users and it is set to read, then it will create tons of issues. You should never create the folder for the user, it should auto populate when the user logs in for the first time. I am not sure of your setup entirely, but the Mac Server should just use AD for authentication usage. On the Mac server you should use Server Admin to set the permissions on the folder to be shared out. The group folder that all users are in should have R/W access to the main folder. It's either a permission issue or something is incorrect on the mobile account setup.

Jul 6, 2012 9:39 AM in response to rkovelman

I figured it out!!! Boy do I feel dumb though! When I bound the server with the terminal, I copied it from a text file I had used for our teacher laptops. I had allowed admin by domain admins, enterprise admins, and a group I made in AD called faculty. Sure enough as soon as I deleted faculty from the allowed admins, the home folder permissions were correct & no one can see into each other's folders now. D'oh!
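The root cause found above (an extra AD group in the binding's allowed admins) can be audited on any bound Mac. The script below is an added example, not part of the original thread. It compares the allowed admin groups reported by `dsconfigad -show` against an approved list; the approved list, the sample text and the exact output layout are assumptions.

```shell
#!/bin/sh
# Groups expected to have admin rights on the bound server (assumption; set
# this to site policy). Names are compared case-insensitively.
APPROVED="domain admins,enterprise admins"

# Constructed sample of `dsconfigad -show` output so the script runs offline.
# The "Allowed admin groups = a,b,c" layout is assumed; check it on your OS version.
SAMPLE_SHOW='Active Directory Domain          = school.example
Advanced Options - Administrative
  Allowed admin groups           = domain admins,enterprise admins,faculty'

# Print one line per allowed-admin group that is not on the approved list.
# $1 = text of `dsconfigad -show`, $2 = comma-separated approved groups
unexpected_admin_groups() {
    printf '%s\n' "$1" | APPROVED_LIST="$2" awk '
        BEGIN {
            n = split(tolower(ENVIRON["APPROVED_LIST"]), a, ",")
            for (i = 1; i <= n; i++) {
                g = a[i]; gsub(/^[ \t]+|[ \t]+$/, "", g)
                ok[g] = 1
            }
        }
        tolower($0) ~ /allowed admin groups/ {
            line = $0
            sub(/^[^=:]*[=:]/, "", line)      # drop the label and its separator
            m = split(line, b, ",")
            for (i = 1; i <= m; i++) {
                g = b[i]; gsub(/^[ \t]+|[ \t]+$/, "", g)
                # Skip empty entries and parenthesised "no value" markers (assumed).
                if (g == "" || g ~ /^\(/) continue
                if (!(tolower(g) in ok)) print g
            }
        }'
}

# On the bound server, pass "$(dsconfigad -show)" instead of "$SAMPLE_SHOW".
extra=$(unexpected_admin_groups "$SAMPLE_SHOW" "$APPROVED")
if [ -n "$extra" ]; then
    printf '%s\n' "$extra" | sed 's/^/unexpected admin group: /'
fi
```

Any group it reports grants admin rights to every member on that machine, which is how the `faculty` group ended up able to look inside other users' home folders here.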
