GreenITSolutions

Q: OS X Lion Server permissions not inheriting

The problem:

Within the large share, when a user creates a file or folder, only that user is able to make changes. Users are not able to make permission changes to the folder or file either. Our workaround has been to grab the entire share directory (or the folder with the problem) and apply permissions to enclosed items. We do this 4 to 5 times daily, if not more.

Sometimes a user will even copy a file up to a folder and lose access entirely to the folder or file (the little red circle of doom).

In the file share settings we have both AFP and SMB turned on, as there are a large number of PCs that also need access to the share. We have tried turning off AFP and only using SMB, but this only compounds the problem.

Our permissions are as follows on the entire folder:

sysadmin : read & write <-- first account set up on server

backupuser : read & write <-- local user for cloud backup

Fetching... : read & write <---  this is the DOMAIN\Group account that all users who need access to the share are in within active directory.  It always says fetching

_spotlight : read only

_spotlight : custom <-- not sure why there are two

administrator : read & write

everyone : read & write <-- an attempt to solve the problem permanently

Under the share settings (in the Server app), the permissions are the same, but there is one more added, which is:

Domain Users (primary group) : no access <-- not sure why this is here; it was added by default, but we need to limit the PC users so that they don't screw with the folders.

The layout:

OS X Server 10.8.5 with Promise Pegasus attached storage.

Windows Server 2008 R2 running Active Directory.

Both Mac server and all Mac clients joined to AD for log on server.

All Mac clients running latest Mavericks OS release.

1 large share with AD group containing 20 or so users given full rights over single file share on Mac.

It seems as if there should be some sort of "automatically inherit these permissions" setting, but there does not seem to be. We are at a point where we are about to migrate back to a Windows server, as these problems do not arise from a Windows environment. (We have others, mainly encrypted zip files and Adobe saving issues.)

Another option would seem to be to create one generic Mac user that everyone authenticates with.

Another oddity that we have noticed is that Windows users are not able to change permissions (even from the domain administrator account). Also, repair permissions is not available on the Pegasus volume for some reason.

Help?

Mac mini, OS X Mountain Lion (10.8.5), OSX server

Posted on Aug 25, 2014 10:53 AM