0 Replies Latest reply: Dec 19, 2012 2:42 PM by Marc Marshall
Marc Marshall Level 1 Level 1 (45 points)

I'm having a maddening issue with a Mini server running 10.6.8 (all updates installed, configuration imported from a 10.5 XServe, recently did a full reinstall of the OS due to some odd behavior and Server Admin errors/slowness).

 

It is sharing a few volumes on an external drive via AFP and SMB, with relatively simple permissions configured via ACLs.  For practical purposes, users are in two groups:  Staff and Bookkeepers (I'm simplifying names, but they're not the stock system groups).  All employees are in the Staff group, a few are also in the Bookkeepers one.

 

A couple of folders on one share have "deny : full control" set for the Staff group, and "allow : full control" set for the Bookkeepers group above that.  The intent is to allow bookkeepers access to the folder, and not general staff.

 

This has worked as expected for years.

 

 

Then, for no readily apparent reason, a few days ago some users lost the ability to delete folders they created within the restricted folders (other folders on the share were fine).  I spent a while going around as to why this was, eventually deciding that something was wrong with either the ACLs or the groups themselves.

 

My final solution was to completely remove the ACL from the restricted folder via the command line, then delete both groups, create two new groups, NewStaff and NewBookkeepers (with new GIDs and shortnames), then re-add the correct ACL to the restricted folder, and propagate permissions down (done with Server Admin and Workgroup Manager, latest versions, running on a 10.6.8 workstation).  I also rebooted the server and cycled AFP.

 

 

Now the problem is only slighgtly different:

 

Within those restricted folders, users can create new folders, but cannot rename or move any existing or newly-created folders, although now they CAN delete either. The "Effective Permissions" browser in Server Admin shows my user as having full permissions for the folder in question to do everything, I've logged out and back on to make sure it's not a cache issue, and I've run out of ideas short of an OS reinstall.

 

 

The command line says the Bookkeepers group has the following permissions for one of the folders within a restricted directory, which I cannot rename or move:

 

inherited allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextat tr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit

 

versus this for a folder I CAN edit, outside one of the restricted folders:

 

inherited allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,re adextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_i nherit

 

...the notable difference in there being lack of "delete" permissions on the problem directories. Which is bizarre, because that group is set to "full control", and I CAN delete it--just not move or rename. (Perhaps that's the "delete_child" of the parent directory allowing me to do that?)

 

(Unix permission is: rwxrwx---   admin admin Others)

 

Notably, when directly accessing the server, the Finder also suffers from this problem--if I try to move a folder, I'm prompted to enter an admin password before I'm allowed to, so the issue isn't restricted to just AFP.  I just can't figure out where the weird permission is propagating from, or how to get rid of it.

 

 

What the heck is going on here?  Any suggestions on how I might try to fix it?  I'm about to upgrade to 10.8 Server, and if that doesn't work reformat the external RAID array, which will be a huge pain.