SMB and ACLs still not fixed with Yosemite
Hello!
I hoped that the buggy smbd from 10.7 to 10.9 would be fixed with 10.10, but I just stumbled over a new bug. It looks like smbd still ignores ACLs or is doing something I do not understand with ACLs and Windows clients.
This is what I found out a few minutes ago - a customer has had trouble accessing files on a share from the Windows computers for weeks now.
The server is a 10.10.1 with a share configured with ACLs and POSIX rights, but when a Windows program that has its data files on that share is started, it throws lots of errors with "can not access file XYZ". The program has a button to retry and this never worked - until today.
Today my customer called again and I looked at the troubled file named "AUFNAHME.DBT". This is what was set up:
ls -le AUFNAHME.DBT
-rwxrwxrwx+ 1 root mitarbeiterderpraxis 46018816 10 Dez 14:08 AUFNAHME.DBT
0: user:_spotlight inherited allow read,execute
1: group:kfomitarbeiter inherited allow read,write,execute,delete,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
2: user:kfogruppe inherited allow read,write,execute,delete,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
3: user:kforaum inherited allow read,write,execute,delete,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
The Windows clients log in with the name "kforaum" (ACL item 3) - as everyone can see, you cannot get more access rights!
Out of curiosity I removed the ACL from the file and clicked retry in the Windows program - it worked immediately!
So to me this still looks like a bug within smbd. I had a horrible time with Mavericks server and Windows file sharing over the last year. Because of this I set up a test server with Yosemite and tested smb with a different Windows program - with Mavericks server the program crashed after about 20 minutes of idle time. This bug was fixed with Yosemite.
I set up smb with ACLs enabled.
sudo serveradmin settings smb
Password:
smb:ServerDescription = "Server2"
smb:VirtualAdminShares = no
smb:EnabledServices = _empty_array
smb:NetBIOSName = "server2"
smb:AclsEnabled = yes
smb:AllowGuestAccess = yes
smb:LocalKerberosRealm = "LKDC:SHA1.246365D8C9CAB4635A83105F48BAF65CA14FF831"
smb:wins server:_array_index:0 = _empty_dictionary
smb:DOSCodePage = "437"
If anyone has the same problem, write a bug report for Apple.
If you have a solution or workaround - post it here.
Bye, thanks,
Christoph
Mac mini, OS X Server
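Added example, not part of the original post: a Python parser for the `ls -le` listing quoted above that reports which ACE allows or denies each permission for a given account, so the ACL can be checked on the server side before the fault is attributed to smbd. It assumes ACEs are evaluated top to bottom with the first matching entry deciding each permission, ignores the POSIX mode bits, and treats kforaum's group memberships as unknown (empty); the function names are hypothetical.

```python
import re

# Listing from the post (ACE 1-3 permission lists as printed by `ls -le`).
FULL = ("read,write,execute,delete,append,readattr,writeattr,"
        "readextattr,writeextattr,readsecurity,writesecurity,chown")
LISTING = f"""-rwxrwxrwx+ 1 root mitarbeiterderpraxis 46018816 10 Dez 14:08 AUFNAHME.DBT
0: user:_spotlight inherited allow read,execute
1: group:kfomitarbeiter inherited allow {FULL}
2: user:kfogruppe inherited allow {FULL}
3: user:kforaum inherited allow {FULL}
"""

# One ACE line: "<index>: user|group:<name> [inherited] allow|deny <perm,perm,...>"
ACE_RE = re.compile(
    r"^\s*(\d+):\s+(user|group):(\S+)\s+(?:(inherited)\s+)?(allow|deny)\s+(\S+)\s*$")

def parse_aces(listing):
    """Return the ACEs found in an `ls -le` listing, sorted by index."""
    aces = []
    for line in listing.splitlines():
        m = ACE_RE.match(line)
        if m:  # the mode line and any other non-ACE line are skipped
            idx, kind, name, inherited, verdict, perms = m.groups()
            aces.append({"index": int(idx), "kind": kind, "name": name,
                         "inherited": inherited is not None,
                         "verdict": verdict, "perms": perms.split(",")})
    return sorted(aces, key=lambda a: a["index"])

def effective_acl(listing, user, groups=()):
    """Map each permission to the index of the first ACE that decides it.

    Returns (allowed, denied). Model assumption: in-order, first-match wins.
    """
    allowed, denied = {}, {}
    for ace in parse_aces(listing):
        applies = (ace["name"] == user if ace["kind"] == "user"
                   else ace["name"] in groups)
        if not applies:
            continue
        target = allowed if ace["verdict"] == "allow" else denied
        for perm in ace["perms"]:
            if perm not in allowed and perm not in denied:
                target[perm] = ace["index"]
    return allowed, denied

if __name__ == "__main__":
    allowed, denied = effective_acl(LISTING, "kforaum")
    print("allowed:", allowed)
    print("denied:", denied)
```

For the listing in the post, every permission for kforaum is granted by ACE 3 and nothing is denied, which matches the author's reading that the ACL itself is not what blocks access.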