Admin no longer has access to all volumes on the Mac

Before OSX Server I used the filesharing in El Capitan to share one folder for some users. As it is written, only listed users have access to this folder. But ADMINS have access to ALL volumes on this computer, as well as to the folders which are not entered in the filesharing dialog.

This worked as it was described.


Now I installed OSX Server (I'm in testing mode 😉). I only use the filesharing option. But I deleted/changed some entries in "Server / My Mac mini / access".

Now I (admin) have only access to the one shared folder when connecting from a different device and to my user folder. But there is a volume (external USB drive with enabled rights management) to which I have no access after installing the Server and changing something I did not really understand at this point.

Mac mini, OS X Server

Posted on Jan 25, 2016 1:03 PM

12 replies

Jan 31, 2016 1:33 PM in response to FamilyJens

Servers by nature require much higher security than client stations. Just think about it, if compromised, the data of a complete community or group could be compromised and exploited to their detriment. In OS X Server, your highest authority is with the original administrator, but actually it is also not! ..... Since the introduction of SID as a further protection layer, and even before, we have seen that the admin user is only allowed to make changes within a specific framework. Best is to read a bit and more about the subject. There are lots available : The blogs of Jesus Vigo with TechRepublic, Rich Trouton from DerFlounder and of course it will help to read the books from Reid Bondonis and use them as a practical tool whilst setting up and learning. Also worth watching are the videos from Todd Olthoff on Server.


In short, when more access is required, consider it carefully, plan for what, when, where and the duration. And Backups, plenty thereof. You might make more than one mistake, with the subsequent restores. Also have a look at this discussion: How do I set privileges on shared folders so complete workgroups has r/w access to all folders?


Leo

Feb 5, 2016 1:51 PM in response to Leopardus

I read something about SIP and your posted link. Thank you for it.

I understand the reason to make a system safer also for the admin user.

But my main problem may not be SIP.


I had standard OS X El Capitan. I enabled file sharing. So with this, when logged in as admin, I could access all drives on my Mac. This is written in the filesharing menu too.

Standard users can access shared drives and admin users can access ALL drives.

So my problem is not that I can't access system files which are prevented by SIP. My problem is that I can't access the drives which are not prevented by SIP.


On my Mac

Macintosh HD (internal) contains MAC OS X

Harddisk "Pictures" (external USB)

Harddisk "Documents" (external USB)


When logged in as admin I can't access the external USB drives unless they are marked as shares in the filesharing dialog. But as I wrote in the quote, and as it was functional before, when logged in as admin I should get access to these drives without setting them up in the filesharing menu.

So I want to get this function back. It was the standard function before I played with OS X Server. 😉


Or is it a function of OSX Server that this does not work any more and everything works right?

Feb 6, 2016 11:23 PM in response to FamilyJens

You can enable the option with:

sudo serveradmin afp:admin31GetsSp=yes


Then restart AFP to activate the change

sudo serveradmin stop afp

sudo serveradmin start afp


Note: this works for AFP only, not for SMB.

OS X client defaults to SMB, so you either need to force AFP on the client or disable SMB on the server.


If SMB isn't required, I'd take the 'Disable SMB' route:

sudo serveradmin stop smb


If you prefer to keep SMB running, the client should connect with an afp URL

ex: afp://10.0.0.2



hope that helps


jeff

Feb 8, 2016 11:06 AM in response to UptimeJeff

Thank you very much for your help Jeff,

I know before I installed the Server it was working with afp and smb. I just installed the Server and deleted many entries in the Server GUI. Maybe there was something that brings it to work.


I need the connection with smb because I use Apps like "Filebrowser" or "Fileexplorer" on iPhone/iPad. They can not handle afp.

Sep 6, 2016 3:10 PM in response to UptimeJeff

Thank you for pointing us in the right direction!


I wanted admin shares over AFP ONLY, with SMB disabled, but the solution above did not work so I did some digging.


The correct (TWO) settings are:


afp:SpecialAdminPrivs=yes

afp:admin31GetsSP=no


SpecialAdminPrivs - Grant administrator users root user read/write privileges. Default =no


admin31GetsSP - Set to yes to force administrator users on Mac OS X to see sharepoints instead of all volumes. Default =yes


Also I had to append 'settings' after 'sudo serveradmin'


so:


sudo serveradmin settings afp:SpecialAdminPrivs=yes
sudo serveradmin settings afp:admin31GetsSp=no
sudo serveradmin stop afp
sudo serveradmin start afp


http://www.manualslib.com/manual/8664/Apple-Mac-Os-X-Server.html?page=137#manual

http://www.manualslib.com/manual/8664/Apple-Mac-Os-X-Server.html?page=140#manual

Sep 6, 2016 3:30 PM in response to hunterdg

oops, forgot


afp:adminGetsSP=no


adminGetsSP - Set to yes to force administrator users on Mac OS 9 to see sharepoints instead of all volumes. Default =no


so:


sudo serveradmin settings afp:SpecialAdminPrivs=yes
sudo serveradmin settings afp:admin31GetsSp=no
sudo serveradmin settings afp:adminGetsSp=no
sudo serveradmin stop afp
sudo serveradmin start afp
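
An added example, not part of any post in this thread: a shell check that reads AFP settings text and reports what the keys discussed above leave admin users able to reach, so the wider access can be reviewed after it is switched on. The sample settings are constructed, the `afp:key = value` line format is an assumption about how `serveradmin settings afp` prints, and keys are matched case-insensitively because the posts capitalise them differently.

```shell
#!/bin/sh
# Added example: audit the AFP admin-access keys from this thread.
# Input is settings text, assumed to be one "afp:key = value" per line.

# Print the lower-cased value of one afp: key read from stdin (empty if absent).
afp_value() {
    awk -v want="afp:$1" '
        BEGIN { want = tolower(want) }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/[ \t"]/, "", key)      # drop padding and quotes
            gsub(/[ \t"]/, "", val)
            if (tolower(key) == want) { print tolower(val); exit }
        }'
}

# Echo "scope=<all-volumes|sharepoints> root_privs=<yes|no>" for admin users.
afp_admin_exposure() {
    settings=$1
    special=$(printf '%s\n' "$settings" | afp_value SpecialAdminPrivs)
    sp31=$(printf '%s\n' "$settings" | afp_value admin31GetsSp)
    # Defaults as quoted in the thread when a key is not listed.
    [ -n "$special" ] || special=no
    [ -n "$sp31" ] || sp31=yes
    if [ "$sp31" = yes ]; then scope=sharepoints; else scope=all-volumes; fi
    echo "scope=$scope root_privs=$special"
}

# Constructed sample: the state after the commands in the post above.
SAMPLE='afp:guestAccess = no
afp:SpecialAdminPrivs = yes
afp:admin31GetsSp = no
afp:adminGetsSp = no'

afp_admin_exposure "$SAMPLE"
```

On a live server the same function can be fed the real output with `afp_admin_exposure "$(sudo serveradmin settings afp)"`.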
