macOS Server 5.4 - File Sharing Difficulties

Dear Apple,

The new (missing and fundamentally broken) implementation of SMB/AFP file sharing in macOS Server 5.4 is nothing short of catastrophic for anyone who's found themselves in a similar situation to myself over the past several days.

This is the first and only occasion I've deliberately and willingly downgraded from a particular version of Apple's software. Will summarise the situation in more detail below, but the net result of an entire weekend's work has been to go from macOS 10.13.x High Sierra back to macOS 10.12.x Sierra and its corresponding version of the Server app... just to regain what most would consider basic file sharing functionality.

Background

It is worth noting that the recent security update from Apple that 'broke' file sharing didn't necessarily contribute to our difficulties, as a) the update was installed after these problems occurred and b) the problems continued even following a complete reinstall of the system as you'll see below. The basic system configuration is as follows:

• The server in question is managed for a small local business with 5-10 user accounts, 3 groups, and a handful of shared folders.
• It was deployed in late 2016.
• It is a Mac mini running relatively high specifications including an SSD for primary storage.
• Other basic network infrastructure includes a gigabit switch, Time Capsule and dedicated fibre connection via an ISP provided modem and router.

Initial Issues

Cracks started to appear on site within the last several weeks, notably when the server could not be accessed via the known administrator credentials. This resulted in the Mac mini being taken off site for said credentials to be reset as we weren't easily able to connect a display, keyboard and mouse where it was located, nor were we able to access the Mac via screen sharing. At this stage of the job, the status was as follows:

• Following an administrator account reset, the server was updated to macOS 10.13.x High Sierra while it was easily accessed via dedicated peripherals.
• Remote access was restored via the new credentials and assigned to a Team Viewer account as a backup means of access.

No known cause was discovered for the credentials not working, and is most likely user error unrelated to the issues presented later.

Post-Update Difficulties

Immediately following the update to High Sierra, the client began complaining that access was sporadic, some accounts weren't working and file permissions were all over the place. We began investigating the symptoms and quickly realised this was a fairly complex issue and we again needed direct access to the server and client Macs to test the problems and find a solution. The following troubleshooting steps were taken:

• Removal and recreation of all pre-existing accounts and groups.
• Recursive and non-recursive permission adjustments both via Finder and Terminal.
• Disk repartitioned with a dedicated volume for shared data.
• Disk repaired and verified, both via Disk Utility and Single User Mode.

None of these steps resulted in a scenario where the server behaved as expected, even for basic file sharing. A partial list of the issues we ran into is as follows:

• Settings to individual Shared Folders within the Sharing pane of System Preferences (this is the new location for file sharing settings after they were inexplicably removed from the Server app) would not save, and permissions would revert to the default set upon closing and reopening the window.
• Access permissions did not translate to real-world behaviour; a connecting user would either be granted complete access to all shared folders or would fail to authenticate entirely.
• Within a given shared folder, read and write permissions were inconsistent with those set in the Sharing pane.
• Ignore Ownership on a volume seemingly had no effect on access rights.
• The local hostname would frequently fail to save or display an old and conflicting version of itself.

At this stage it was clear that whatever the problem was had deep roots and we opted to restore the boot volume with a clean install of macOS seeing as the data had been safely relocated to another volume on the same disk. Due to the APFS file system's handling of local Time Machine snapshots, we also had to remove chunks of hidden data via Terminal to free up enough space for the aforementioned repartitioning to take place. This left us with:

• A fresh install of macOS on a disk containing two APFS volumes; a 175GB boot volume and a 325GB data volume.
• Default file permissions on all files within the data volume as if they'd been created locally by the administrator.

However, this clean install left us with the same scenario where access privileges were inconsistent. This was the case for all files shared by the system irrespective of location. We tested locally on both volumes both inside and outside of the administrator's Home Folder and with an external drive freshly formatted. At this point I could eliminate the data as the culprit, as even a newly created folder dragged into the Shared Folders section of the Sharing pane in system preferences would behave as expected. Client devices of all types would frequently fail to authenticate, or make data visible to the user logging in that should have been prohibited based on the permissions that had been set.

Solution

Countless hours into what should have been a simple job and I made the decision to fall back to macOS 10.12.x Sierra. Issues restoring the disk back to a non-APFS file system notwithstanding, the reinstall went smoothly and upon a brief configuration of the 'old' version of the Server app, file sharing suddenly started behaving as it should have. Literally, with zero configuration beyond creating a single test user and shared folder the problems appeared to have been solved.

I'll stop short of drawing conclusions here as to why this happened or what motivated Apple to remove the settings specific to AFP/SMB file sharing from the Server app, but it has not been well received based on the considerable amount of reading I did online during this job.

I'd encourage Apple's macOS development team to revisit this decision as it will undoubtably affect many other administrators, perhaps to a lesser degree than it has for me this past week, but enough to erode the confidence in software that was once regarded as sound and reliable.

My suggestions to my client now include plans to augment the server with cloud-based solutions and eventually migrate towards a scenario where the local file server is no longer required.

(Post edited for clarity and ease of reading)