User group permissions not being applied to new folder with a parent

Sorry for the confusion. "writeextatt" is one word. Everything should be on one line with no spaces in the segment "list,add_file,search,...,directory_inherit" I don't see a way of formatting a code block like this, so I am attaching a screen shot below.

Did you solved this somehow?

Having the same problem - Mac mini Server Late 2012 on High Sierra w. Server 5.4

2 x SSD disks converted to APFS, one for macOS and other for file sharing.

If user creates new files & folders inside File Share folder, other users will have "read only" access.

Permissions to File Share Folder are set: Administrator - Read & Write; User (Me) - Read & Write; Group - Read & Write; Staff - Read Write; Everyone - No Access.

In Server - Storage: Administrator - Full Control; Croup - Read & Write (unchecked Administration and under Write "Delete"; User - Read & Write; Staff - Read Write; Others - None.

Newly created files & folders inside File Share Folder will have: Group - Read & Write; User (who created the file) - Read & Write; Staff - Read Only; Everyone - Read Only.

On server machine you can manually reset the permissions:

In System Preferences - Sharing - Apply Permissions to Enclosed Items - all will be set to newly created files & folders rightfully, in the way it is set up for File Share folder. In Server app - Propagate Permissions have same effect - all will be set to newly created files & folders rightfully.

Does anyone know is it High Sierra or APFS related issue? Also, is there fix for it?

Actually not the final solution I guess.

We have deleted all the sharing in System Preferences, cleaned up, restarted and added sharing again to same (3) folders - just added the Grupp (without Administrator) and it automatically adds User, Staff, Everyone + Apply Permissions + in server app Propagate Permissions ...

The permissions on Server are set for main Shared Folder - System Preferences: User - Read & Write; Group - Read & Write; Staff - Read Write; Everyone - No Access. (On others Shared Folders: User - Read & Write; Group - Read & Write; Everyone - No Access.)

Now the permissions on Server in Finder for new files are: User - Fetching; Group - Read only; Everyone - Read Only.

And now the permissions on all Users laptops in Finder for new files are: User - Read & Write; Staff - Read Only; Everyone - Read Only.

So, seems that users can access the new files w. Read & Write permissions, just have not tested it out finally to confirm this as a workaround. Just feels that something is wrong with ACL and don't have a clue is it High Sierra or APFS related issue.

However, we have other problems on Server app as well w. Profile Manager (randomly not loading) and VPN (needs off / on). Have tried to reset the app by: sudo rm /var/db/.ServerSetupDone (http://krypted.com/mac-os-x-server/reset-unresponsive-macos-server-5-4/) and usually this helped.

You need to change the ACLs on that folder and all of the enclosed folders. Suppose your group is named "myGroup" and you want the group to have access to the folder "/Shared" and everything in it. You need to enter the following one-line command in Terminal:

chmod -R +ai "group:myGroup allow list, add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,wr iteextattr,readsecurity,file_inherit,directory_inherit" /Shared

The two very important pieces of this command are the "i" in "+ai" which makes the setting inheritable and "-R" which performs the setting recursively.

Tried even suggested command with result - chmod: Invalid permission type ' add_files'

By creating new Shared Folders and what ever we tested got same result - originally set permissions do not apply to newly created files!

The permissions on Server are set for Shared Folders:

User - Read & Write; Group - Read & Write; Staff - Read Write; Everyone - No Access.

User - Read & Write; Group - Read & Write; Everyone - No Access.

The permissions on all Users laptops in Finder for NEW FILES in server file share will be:

User - Read & Write; Staff - Read Only; Everyone - Read Only. (Before it was User - Read Only.)

Earlier created files have permissions:

User - Read & Write; Staff - Read & Write; Everyone - No Access.

Only if manually Propagate Permissions in Server app, System Preferences or in Finder will apply original permissions also to newly created files.

Guess it should not be like this.

If the result you obtained was really "chmod: Invalid permission type ' add_files'" (i.e., this isn't a typo in your reply), I think you might have inadvertently typed "add_files" instead of "add_file."

You can double-check that this is an allowed permission type by reading the man page for chmod. (Type "man chmod" in Terminal.) In the section entitled ACL Manipulation options, my man pages say:

The following permissions are applicable to directories:

list List entries.

search Look up files by name.

add_file

Add a file.

blah, blah, blah

Actually tried both "file" & "files" with same result. Any suggestions?

server:~ AL$ chmod -R +ai "group:pmdata allow list, add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,wr iteextattr,readsecurity,file_inherit,directory_inherit" /Volumes/PM\ Server/PM\ Data

chmod: Invalid permission type ' add_file'

I think I found the solution. I tried making a new directory on my laptop and then using the chmod incantation as described previously. Just like you, I got the 'Invalid permission type' error. To make this work, I had to do two things:

1. Get rid of the space between "list," and "add_file."

2. Use sudo.

I have no idea why the space caused a problem on my laptop (and your server), but not my server. Here is the output showing what worked and what didn't:

Shadowfax:/ mah$ cd /
Shadowfax:/ mah$ mkdir myTemp

mkdir: myTemp: Permission denied

Shadowfax:/ mah$ sudo mkdir myTemp

Shadowfax:/ mah$ chmod -R +ai "group:staff allow list, add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,wr iteextattr,readsecurity,file_inherit,directory_inherit" myTemp

chmod: Invalid permission type ' add_file'

Shadowfax:/ mah$ chmod -R +ai "group:staff allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextat tr,writeextattr,readsecurity,file_inherit,directory_inherit" myTemp

chmod: Failed to set ACL on file 'myTemp': Operation not permitted

Shadowfax:/ mah$ sudo chmod -R +ai "group:staff allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextat tr,writeextattr,readsecurity,file_inherit,directory_inherit" myTemp

Does not work for me yet ... tried 'wr iteextattr' & 'wr_iteextattr' w. same result. All your suggestions are welcomed.

server:~ AL$ sudo chmod -R +ai "group:pmdata allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextat tr,wr iteextattr,readsecurity,file_inherit,directory_inherit" /Volumes/PM\ Server/PM\ Data

chmod: Invalid permission type 'wr iteextattr'

Same result - originally set permissions do not apply to newly created files!

Only if manually Propagate Permissions in Server app, System Preferences, in Finder or w. Command line, it will apply originally set permissions also to newly created files. However, this usually leads (depending what method to use) to anomaly result when users can not access to folders even they have Read & Write permission, set tags to files etc.

If User creates in Server Shared Folder new files, the permissions for new files will be set: User - Read & Write; Staff - Read Only; Everyone - Read Only. Other Users can access to files, but can not example set or edit tags.

Tested with newly created Shared Folders on internal SSD (APFS) and on external HDD (Mac OS Extended Journaled).

Any recommendations?

Struggling w/ similar on a client’s server that was just upgraded from Yosemite. One workaround we’ve identified is, in Server > Storage (tab), highlight shared folder, click “gear” icon > Edit Permissions, if you dbl-click the “staff” entry and replace it with the server-side Group name that includes the users you want to have read/write access, permissions and propagation to new items seems to work.

Keep in mind, this is a workaround, the Server is basically letting you use a network group in the POSIX group owner designation.

This did not work for me either. It seems to have run without errors, but I did get a chmod usage display. I went back and created a new folder and it is still read-only for everyone except the person who created it. Was anyone able to find a resolution for this?

The fix is enabling OD on a clean install

And ensuring you do not use local accounts to auth over the network.

Beware! If you try and fix this after propagating local users access it will likely break further.

Back up all server data that is required that exists on the boot volume.

Erase the boot volume.

use Journaled (AFPS is buggy)

Download a clean copy of 10.13.3

Use createinstallmedia command to create installer disk

Install 10.13.3.

Setup Local Admin user.

Download server.app

Set local hostname.

STOP

Open server.app

Click view menu

Select Open Directory

Configure open directory and when prompted configure DNS automatically (modify later)

Configure NETWORK ACCOUNTS in server.app

In system prefs Set Shares (preference AFP and turn off SMB if no Windows devices)

Then add users in system prefs to shares (do not use server app)

No need to re propagate permissions.

Turn on sharing in system preferences.