
Propagating permissions not working properly

I am trying to clean up the permissions on my server; our last migration messed them up a bit. However, I am running into the following problem:


When modifying the permissions in the Server.app I modify the permissions of a folder and try to propagate the new permissions. However, it only propagates new entries to the ACL down the folder tree. For example:


Root

Education (Marketing Department has Read/Write Access)

- Sub Folder 1 (Marketing Department has Read/Write Access)

- Sub Folder 2 (Marketing Department has Read/Write Access)


Now a new dept. (Education) has been created, so they should be the only ones to have read/write access to this folder. After modifying the permissions of the Education folder to allow only the Education department Read/Write access, this is what the permissions look like:


Root

Education (Education Department has Read/Write Access)

- Sub Folder 1 (BOTH Education Department AND Marketing Department have Read/Write Access)

- Sub Folder 2 (BOTH Education Department AND Marketing Department have Read/Write Access)


I can't seem to figure out how to properly configure the propagation of these permissions. Am I missing something here? Some help would be greatly appreciated.

Mac mini, OS X Server

Posted on Jul 31, 2013 6:47 AM

13 replies

Mar 8, 2017 12:50 PM in response to ABI-Admin

Actually yes.


Here are my notes:


If the server has to be set up again and the sharing is causing problems because the creator becomes the owner, it's because ACLs are not being used and POSIX is.

SUMMARY: Finder should never set up the POSIX permissions (Get Info). It is screwy and doesn't work right. This is why I was having problems and could not figure out whether to assign in Server or at the Volume level and which overrides the other. ACLs should always override POSIX. Turn off file sharing. Set them up in Server in the First Tab and then make sure they propagate by having all 6 boxes checked from owner to group.


The summary above is what needs to happen. The rest is an explanation.

Excellent explanation:

DETAILS: http://www.edugeek.net/forums/mac/37563-acl-posix-permissions.html

Prior to 10.4 Server you only ever had Standard UNIX (or POSIX-style) Permissions. This was a permissions model that, although effective, was limited in its scope.

Apple changed this with 10.4 Server. Access Control Lists were introduced and they worked in conjunction with the default standard POSIX model. To utilize ACLs you had to enable them on the volume first followed by a restart. ACLs take precedence over standard POSIX. A deny in both models blocks access to the specified directory/file. A deny in POSIX but an allow in ACL means users can access the directory/file once the correct authentication details are entered.

On the client side all directory/files carry with them standard POSIX permissions and these are honored. In other words locally applied permissions 'follows' the file/folder.

For example user Johnny creates a TextEdit Document on his 10.4 Client Mac. Locally on his Mac the OS will apply the standard POSIX Model. He automatically becomes the owner with full access. Anyone in the local admin group is assigned read only access as well as the local everyone group being assigned the same permission. Johnny copies the file over to a designated share on his 10.4 Server which has not had ACLs enabled. However this share has been configured to allow Everyone full access using the standard POSIX model. The file once copied 'acquires' the share's given permissions. Suzy comes along and accesses the share point and has full access to the file created by Johnny. Full access on the standard POSIX model means read, write, delete.

Now apply ACLs to the volume on the 10.4 Server. This time you define an ACL to the same share denying the ability to delete any files/folders. When Suzy or Johnny access the share they can still read and write but can't now delete. As you can see both models are in effect but the ACL has superseded standard POSIX.

Mar 17, 2017 6:45 AM in response to brycesteiner

Thanks for the info @brycesteiner. It's good to know someone found a solution to this issue. I'm unfamiliar with POSIX, though I think I have a little better understanding of it given your notes. That link had a great description as well.


I'm just trying to wrap my head around this practically. We have a production file server (OSX 10.12 // Server 5.2) where, when new files are created, the creator becomes owner. I'm chewing on how to remedy this with as little down time as possible. So, tell me if this process sounds right:


All steps performed in Server App GUI...

1. Disable File Sharing
2. Set/reset ACLs in File Server > Storage > [Folder]
3. Propagate permissions
4. RESTART
5. Enable File Sharing
6. Cross fingers and hope permissions propagate correctly for new files


One of the issues I pulled from the reading was that the permissions could have been set at the storage level (via Get Info) and not via the Server App. This (as I understand it) sets POSIX permissions on the share and not ACLs. ACLs can only be set if using the Server app (or CLI). Am I close?

Mar 17, 2017 6:22 PM in response to ABI-Admin

That sounds right. I know that when you set permissions via Get Info it's a problem. Why it doesn't change ACLs rather than POSIX, which is a problem, I don't know.

I haven't had any issues since doing this.

I think this should solve your problems too.

In your 6 steps to resolving this you may need to make sure that ACLs are turned on. I'm assuming they are on automatically.

Nov 24, 2013 6:05 AM in response to Brother Numsey

How are you trying to set the permissions? The simplest way is to use Server.app > select server hardware > Storage > select directory you wish to manage > Edit Permissions…. First get your permissions right at the top level folder you want to change like this…


User uploaded file

… and then use "Propagate Permissions…" to propagate them. Be sure that you only propagate EITHER the POSIX permissions or the ACLs at any one time. Do not try to propagate both as it won't do it right. If you wish to propagate both do it twice, once for each permission type.

Jan 23, 2014 6:38 AM in response to infinite vortex

I've tried 3 ways.


- Through the Server.app only setting ACLs, just as you're showing. However, when propagating (only ACLs), as described, it doesn't remove permissions from the subfolders when they are deleted in the tree above. It only adds the new permissions.


- I tried the POSIX route, both via the Server.app and through the Terminal. It messed up my permissions for Windows users, so then I went forward with ACLs only.

Jan 23, 2014 7:42 AM in response to Brother Numsey

Then in Terminal, at the top level of the folder do this…


sudo chmod -R -N [directory path]


Be aware that doing this will remove ALL ACLs from the defined directory downwards, including on the directory itself. You will need to replace all ACLs as required from scratch. Doing this is indiscriminate so use a lot of caution with it. Maybe try it on an unimportant directory first before messing with live data.

Feb 10, 2014 9:05 AM in response to infinite vortex

I don't know if my question is related to this one or not. I have a folder that is shared to both Windows and Mac users. We all can copy stuff to it, and we can open the files on it. Our problem is that every time we create a new file, or MS Word / Excel re-creates a new file, only the person creating it has access to it. So several times a day I log into the server, select the folder and "Get Info" and choose to "apply to all enclosed folders", and it makes all the files in all the folders usable again for everyone. I know that there is a way to fix this. I went in and turned on ACLs using the Terminal, I have gone into Server/Storage/Folder and propagated the permissions, but still... every new file added has to be redone. Is there a way to have a folder such that if something is put into it, everyone can open it? If this is the wrong topic to post this in, could someone point me to the one I need? I have searched the forums and I just cannot find the solution. (running 10.7.5 Server on a Mac mini)

Feb 10, 2014 10:05 AM in response to Raymond Shaw

Check your inheritance ACLs at the top level. More than likely it's an issue where the inherited properties aren't set right. While you may not use permissions as loose as I've got mine for the Workgroup group, all inheritance options should be enabled. NB - The Workgroup and Spotlight permissions are ACLs, whereas the 3 at the bottom are POSIX permissions, and this should be applied from the root of the shared folder (not necessarily from the actual Share Point - this example is for a "workgroup" directory within my Groups Share Point)…


User uploaded file
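The two behaviours discussed in this thread, propagation that only adds entries (the Jan 23, 2014 exchange, including the `chmod -R -N` strip) and inheritance flags deciding what a newly created file receives (the reply just above), are easier to reason about with a small model. The following is an added example and is not code from any poster, from Apple's Server.app or from macOS; the group names, users and paths are constructed, the ACL model is deliberately simplified (allow entries only, just the `file_inherit` and `directory_inherit` flags), and the `chmod +a` rendering uses the entry syntax documented in macOS chmod(1).

```python
# Added example, not code from the thread or from Apple's Server.app: a small
# model of macOS-style ACL propagation and inheritance. Groups, users and
# paths are constructed; the ACL model is simplified (allow entries only).
from dataclasses import dataclass, field

@dataclass(frozen=True)
class ACE:
    who: str                         # principal, e.g. "group:marketing"
    perms: frozenset                 # e.g. {"read", "write"}
    file_inherit: bool = False       # new files below receive this entry
    directory_inherit: bool = False  # new folders below receive this entry

@dataclass
class Node:
    name: str
    is_dir: bool
    owner: str                       # POSIX owner, consulted when the ACL is silent
    acl: list = field(default_factory=list)
    children: dict = field(default_factory=dict)

def inherited_entries(parent_acl, for_dir):
    """Entries a new child receives from its parent, by inheritance flag."""
    return [a for a in parent_acl if (a.directory_inherit if for_dir else a.file_inherit)]

def propagate_merge(node):
    """Propagate as the thread describes Server.app: adds inheritable entries, removes nothing."""
    for child in node.children.values():
        for ace in inherited_entries(node.acl, child.is_dir):
            if ace not in child.acl:
                child.acl.append(ace)
        propagate_merge(child)

def strip_acls(node):
    """Model of `chmod -R -N <dir>`: drop every ACL entry in the subtree, top dir included."""
    node.acl = []
    for child in node.children.values():
        strip_acls(child)

def strip_then_reapply(node, top_acl):
    """Clean-up sequence from the thread: strip, set the top entries, propagate."""
    strip_acls(node)
    node.acl = list(top_acl)
    propagate_merge(node)

def create_file(parent, name, creator):
    """A new file is POSIX-owned by its creator and gets only file_inherit entries."""
    child = Node(name, False, creator, inherited_entries(parent.acl, False))
    parent.children[name] = child
    return child

def can_access(node, user, groups):
    """ACL first; with no matching entry, POSIX lets only the owner in."""
    if any(a.who == f"user:{user}" or a.who in groups for a in node.acl):
        return True
    return node.owner == user

def chmod_command(ace, path):
    """Render an entry in the ACL syntax that macOS chmod(1) accepts after +a."""
    bits = sorted(ace.perms)
    bits += ["file_inherit"] if ace.file_inherit else []
    bits += ["directory_inherit"] if ace.directory_inherit else []
    return f'chmod +a "{ace.who} allow {",".join(bits)}" {path}'

MARKETING = ACE("group:marketing", frozenset({"read", "write"}), True, True)
EDUCATION = ACE("group:education", frozenset({"read", "write", "delete"}), True, True)

def build_tree():
    """Constructed tree from the question: Education and two subfolders, all with Marketing."""
    edu = Node("Education", True, "admin", [MARKETING])
    for sub in ("Sub Folder 1", "Sub Folder 2"):
        edu.children[sub] = Node(sub, True, "admin", [MARKETING])
    return edu

def subfolder_principals(edu):
    return {n: sorted(a.who for a in c.acl) for n, c in edu.children.items()}

def merge_only_result():
    """Swap the top entry and propagate: Marketing survives on the subfolders."""
    edu = build_tree()
    edu.acl = [EDUCATION]
    propagate_merge(edu)
    return subfolder_principals(edu)

def strip_then_reapply_result():
    """Strip first, then propagate: only Education remains."""
    edu = build_tree()
    strip_then_reapply(edu, [EDUCATION])
    return subfolder_principals(edu)

def new_file_access(file_inherit):
    """(another group member can open, creator can open) for a file johnny creates."""
    users = ACE("group:users", frozenset({"read", "write"}), file_inherit, True)
    shared = Node("Shared", True, "admin", [users])
    f = create_file(shared, "report.docx", "johnny")
    return can_access(f, "suzy", {"group:users"}), can_access(f, "johnny", {"group:users"})

if __name__ == "__main__":
    print("propagate only:", merge_only_result())
    print("strip, then propagate:", strip_then_reapply_result())
    print("file_inherit on:", new_file_access(True), "off:", new_file_access(False))
    print(chmod_command(EDUCATION, "/Shared/Education"))
```

Running it shows Marketing still listed on both subfolders after a plain propagate, only Education after the strip-then-propagate sequence, and a newly created file that nobody but its creator can open once the parent's entry lacks `file_inherit`, which is the POSIX-owner fallback the later posts describe. `chmod_command` is only a convenience for seeing what an entry with both inheritance flags looks like on the command line; the actual entries on a live server should still be set and checked (`ls -le`) on the server itself.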

Apr 4, 2016 11:51 AM in response to infinite vortex

I have the exact same problem. I am running 10.11.4 and 5.1 on server.

I have the permissions I set:

User uploaded file

My intention is that All who are in the Users group can

1. create and edit each others files with no problem

2. delete files and folders without restrictions

3. copy or paste files whether windows or Mac

4. People who are not in the Users group have no access

5. ownership/permissions are the same as specified in the parent folder.


There are no problems when people edit and save files.

Good:

User uploaded file

The problems arise when people create new files. That user takes over ownership even though they are not an admin:

Bad:

User uploaded file

When POSIX takes over with these permissions, even the backups don't work right until it's all changed.

I don't understand the point of inheritance if a newly created file doesn't inherit permissions. Is there a setting that needs to be changed in the first picture, under "write" or "inheritance"?


I ask in the server forums but I get no response there. Since this has the exact same issue I deal with everyday, I thought I would ask here.


Thanks for any help.
