Brother Numsey

Q: Propagating permissions not working properly

I am trying to clean up the permissions on my server; our last migration messed them up a bit. However, I am running into the following problem:

 

When modifying the permissions in the server.app I modify the permissions of a folder and try to propagate the new permissions. However it only propagates new entries to the ACL down the folder tree. For example:

 

Root
     Education                     (Marketing Department has Read/Write Access)
          - Sub Folder 1         (Marketing Department has Read/Write Access)
          - Sub Folder 2         (Marketing Department has Read/Write Access)

 

Now a new dept. (education) has been created so they should be the only ones to have read/write access to this folder. After modifying the permissions of the education folder to allow only the education department Read/Write access this is what the permissions look like:

 

Root
     Education                     (Education Department has Read/Write Access)
          - Sub Folder 1         (BOTH Education Department AND Marketing Department have Read/Write Access)
          - Sub Folder 2         (BOTH Education Department AND Marketing Department have Read/Write Access)

 

I can't seem to figure out how to properly configure the propagation of these permissions. Am I missing something here? Some help would be greatly appreciated.

Mac mini, OS X Server

Posted on Jul 31, 2013 6:47 AM


  • by Brother Numsey,

    Nov 21, 2013 4:48 AM in response to Brother Numsey
    Level 1 (125 points)

    I know this is an old topic. The issue is still unresolved however. I managed to wing it by having the top folders set up right. So lower down the permissions matter less. However, still haven't found a fix. Anyone got any ideas?

  • by infinite vortex,

    Nov 24, 2013 6:05 AM in response to Brother Numsey
    Level 7 (21,405 points)

    How are you trying to set the permissions? The simplest way is to use Server.app > select server hardware > Storage > select directory you wish to manage > Edit Permissions…. First get your permissions right at the top level folder you want to change like this…

     

    Screen Shot 2013-11-24 at 15.02.13.png

    … and then use "Propagate Permissions…" to propagate them. Be sure that you only propagate EITHER the POSIX permissions or the ACLs at any one time. Do not try to propagate both as it won't do it right. If you wish to propagate both do it twice, once for each permission type.

  • by Brother Numsey,

    Jan 23, 2014 6:38 AM in response to infinite vortex
    Level 1 (125 points)

    I've tried 3 ways.

     

    - Through the Server.app, only setting ACLs. Just as you're showing. However, when propagating (only ACLs), as described, it doesn't remove permissions from subfolders when deleted in the tree above. It only adds the new permissions.

     

    - I tried the POSIX route, both via the server.app and through the terminal. It messed up my permissions for Windows users so then I went forward with ACLs only.

  • by infinite vortex,

    Jan 23, 2014 7:42 AM in response to Brother Numsey
    Level 7 (21,405 points)

    Then in Terminal, at the top level of the folder do this…

     

    sudo chmod -R -N [directory path]

     

    Be aware that doing this will remove ALL ACLs from the defined directory downwards, including on the directory itself. You will need to replace all ACLs as required from scratch. Doing this is indiscriminate so use a lot of caution with it. Maybe try it on an unimportant directory first before messing with live data.
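
    Added example, not part of the thread: before stripping every ACL as described above, the leftover entries that propagation failed to remove can be listed from `ls -le` output. The function names, the `/Shares/Education` path, the `group:marketing` and `group:education` principals and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: list ACEs that still name a principal after a propagate run.
# Real input on the server (macOS `ls -e` prints ACL entries under each item):
#   find "/Shares/Education" -exec ls -led {} + | stale_aces group:marketing
# The path and group names are assumptions, not values from the thread.

# stale_aces PRINCIPAL: read an `ls -led` listing on stdin and print
# path<TAB>ACE index<TAB>ACE text for every entry naming PRINCIPAL.
stale_aces() {
    awk -v who="$1" '
        /^ *[0-9]+: / {                       # ACE line under the current item
            if ($2 == who) {
                idx = $1; sub(/:$/, "", idx)
                ace = $0; sub(/^ *[0-9]+: /, "", ace)
                printf "%s\t%s\t%s\n", path, idx, ace
            }
            next
        }
        /^[-dlbcps]/ && match($0, / \/.*/) {  # item line: keep the absolute path
            path = substr($0, RSTART + 1)
        }
    '
}

# Constructed sample listing modelled on the folder tree in the question.
sample_listing() {
    cat <<'EOF'
drwxrwx---+ 4 admin  staff  136 Jul 31 06:40 /Shares/Education
 0: group:education allow list,add_file,search,file_inherit,directory_inherit
drwxrwx---+ 2 admin  staff   68 Jul 31 06:41 /Shares/Education/Sub Folder 1
 0: group:education inherited allow list,add_file,search,file_inherit,directory_inherit
 1: group:marketing allow list,add_file,search,file_inherit,directory_inherit
drwxrwx---+ 2 admin  staff   68 Jul 31 06:41 /Shares/Education/Sub Folder 2
 0: group:education inherited allow list,add_file,search,file_inherit,directory_inherit
 1: group:marketing inherited allow list,add_file,search,file_inherit,directory_inherit
EOF
}

sample_listing | stale_aces group:marketing
```

    Each reported row identifies one entry by path and index, which is the form macOS `chmod -a# <index> <path>` takes to delete a single ACE while leaving the rest of the ACL in place.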

  • by Raymond Shaw,

    Feb 10, 2014 9:05 AM in response to infinite vortex
    Level 1 (5 points)

    I don't know if my question is related to this one or not. I have a folder that is shared to both Windows and Mac users. We all can copy stuff to it, and we can open the files on it. Our problem is that every time we create a new file, or MS Word / Excel re-creates a new file, only the person creating it has access to it. So several times a day I log into the server, select the folder and "get info" and choose to "apply to all enclosed folders" and it makes all the files in all the folders usable again for everyone. I know that there is a way to fix this. I went in and turned on ACLs using the terminal, I have gone into server/storage/folder and propagated the permissions, but still... every new file added has to be redone. Is there a way to have a folder that if something is put into it... everyone can open it? If this is the wrong topic to post this in, could someone point me to the one I need? I have searched the forums and I just cannot find the solution. (running 10.7.5 server on a MacMini)

  • by infinite vortex,

    Feb 10, 2014 10:05 AM in response to Raymond Shaw
    Level 7 (21,405 points)

    Check your inheritance ACLs at the top level. More than likely it's an issue where the inherited properties aren't set right. While you may not use permissions as loose as I've got mine for the Workgroup group, all inheritance options should be enabled. NB - The Workgroup and Spotlight permissions are ACLs where the 3 at the bottom are POSIX permissions and this should be applied from the root of the shared folder (not necessarily from the actual Share Point - this example is for a "workgroup" directory within my Groups Share Point)…

     

    acl.png

  • by brycesteiner,

    Apr 4, 2016 11:51 AM in response to infinite vortex
    Level 1 (25 points)
    Mac OS X

    I have the exact same problem. I am running 10.11.4 and 5.1 on server.

    I have the permissions I set:

    Screen Shot 2016-04-04 at 2.32.14 PM.png

    My intention is that all who are in the Users group can

    1. create and edit each other's files with no problem
    2. delete files and folders without restrictions
    3. copy or paste files whether Windows or Mac
    4. People who are not in the Users group have no access
    5. ownership/permissions is the same as specified in the parent folder.

     

    There are no problems when people edit and save files.

    Good:

    Screen Shot 2016-04-04 at 2.45.14 PM.png

    The problems arise when people create new files. That user takes over ownership even though they are not an admin:

    Bad:

    Screen Shot 2016-04-04 at 2.44.35 PM.png

    When POSIX takes over with these permissions, even the backups don't work right until it's all changed.

    I don't understand the point of inheritance if a newly created file doesn't inherit permissions. Is there a setting that needs changed in the first picture of "write" or "inheritance"?

     

    I ask in the server forums but I get no response there. Since this has the exact same issue I deal with every day, I thought I would ask here.

     

    Thanks for any help.