
macOS Mojave with server 5.7.1 file sharing Group permissions problem :-(

hi

I have macOS Mojave with Server 5.7.1 on a Mac Pro (Late 2013).

I'm running an updated server for the latest version.

To my question I did not find an answer through Google ...


I do several tests before moving the server to work.

The test on the server is performed from several computers, mainly from operating system 10.12.


I set up 3 users (A + B + C) and 2 groups (E + F) to check permissions. Unfortunately permissions do not work properly.

And there seems to be a problem with the ACL and the permissions do not pass automatically.

The entrance was examined in two situations: AFP + SMB.


for example:

When User A logs on to the server and builds a folder / file, checking permissions on the file from the server is saved to User A and not to the Group Name (Group E).

Group: wheel - Permission: read only

All: everyone - permission: read only.


When user B enters the server and builds a folder / file, checking permissions on the file from the server is saved to user name B and not to the group name (group E).

Group: wheel - Permission: read only

All: everyone - permission: read only.



Arrange permissions through: System Preferences / File Sharing and manual permissions changes: Apply Permissions to Enclosed Items.

Everything works out ... until the next user change.


I would be happy for help from an experienced server user.


Best regards

Benny

MacBook Air, macOS Sierra (10.12.6), Macintosh Plus,PB 400Hhz black, PB 867, iMac G3, OSX Server5

Posted on Oct 8, 2018 9:18 AM


Oct 9, 2018 6:01 AM in response to Benny2g

After searching Google I found:

That version 5.4 had a "storage" tab that could be modified to ACL permissions. Unfortunately in version 5.7.1 the tab no longer exists.


version 5.7.1:

User uploaded file


version 5.4(pict from google 5.3.55):

User uploaded file


If there is a "server specialist"?

I would be happy to help


Best regards

Benny

Oct 15, 2018 2:36 AM in response to MrHoffman

Hi MrHoffman

The terminal looks like the solution to the problem 🙂


The command line:

sudo chmod -R +a "group:REPLACE_WITH_YOURGROUP_NAME allow readattr,writeattr,readextattr,writeextattr,readsecurity,list,search,add_file,add_subdirectory,delete_child,file_inherit,directory_inherit" REPLACE_WITH_PATH_TO_PARENT_SHARED_FOLDER



This seems to make it possible to maintain ACL permissions.


Do not understand why but now another problem has been created, the AFP connection is not possible ...😠


Continues to do tests to check that there are no additional problems with 3rd party software


Best regards

Benny

Oct 14, 2018 10:51 AM in response to Benny2g

Most of what Server.app had provided is deprecated and now gone, or has been migrated into the base macOS system and tools.


This particular file-sharing feature migrated into macOS with High Sierra.


Here, migrating to a NAS box might be an option, depending on local requirements and considerations.


Prepare for changes to macOS Server 5.7.1 - Apple Support

https://developer.apple.com/support/macos-server/macOS-Server-Service-Migration-Guide.pdf

Dec 19, 2018 2:11 PM in response to Ryan Burkholder

Yes... Apple is losing the right way. And this way doesn't contain any other solutions for pro users. This time Apple is just a phone and tablet maker... if you hear us TIM help and give:

  • macOS Ultimate Server Software
  • mac Server hardware
  • new macpro for pro users

And if you have a little bit more free time please give us your iCloud like a Office365

Thank You!

Jan 22, 2019 9:59 PM in response to ahawkes

I thought I'd tell the whole story on my setup so my success may make more sense:


NOTE: You CANNOT use AFP to share a folder on an APFS formatted drive. My externals are all Mac OS Extended (Journaled) format. I do not share any folders on a startup disk.


I have a client that is a small advertising agency with 8 employees. 5 designers and 3 admins. They all use Apple computers connecting exclusively with AFP, except the accountant who uses a Windows 10 PC. Their old server was a 2009 MacPro running Sierra and Mac OS Server the old fashioned "still works" way. The Mac Pro had two 4TB drives in an Apple RAID inside the machine for storage, and an external USB Archive drive for archives, attached via a USB PCI card. The backup drives are external USB drives as well utilized in a rotating offsite backup. The shares were four folders on the internal raid and one folder on the external Archive drive. The account I use to administer the server is long name Administrator short name administrator.


They just got a new 2018 Mac Mini for a server and an external USB-C Pegasus RAID for main storage. Here's the outline of what I did to set this up as a new server (real names changed to protect the innocent). I didn't migrate any settings from the previous server because setting up 8 users and 5 shares from scratch was easy. I'm going to ignore the backups in this discussion, but don't worry. They're there. :)


  1. I copied all of their main data from the 4TB internal RAID into four folders on the pegasus.
  2. I attached the Archive drive to the mini.
  3. I installed Server 5.7.1
  4. I used Server to create 8 users and two groups: agencystaff and agencyadmin
  5. I added all of the users to the group agencystaff but only the three admins to agencyadmin
  6. I went to System Preferences > Sharing and turned on file sharing.
  7. I clicked Options... and turned on AFP and SMB.
  8. Under Windows File Sharing, I unchecked any user who would never connect using SMB. This required their passwords.
  9. I used the free utility "BatChmod" on each of the respective folders to remove any legacy permissions: On each respective folder, I set Owner to administrator with RWX all checked, Group to agencystaff (or agencyadmin on that share) with RWX checked, then Everyone to RWX all UNchecked. I checked "Change ownership and privs", Unlock, Clear ACLs and Apply to enclosed. I hit apply and waited. This drilled down the entire folder structure changing each file's permissions and cleared out old users and groups from the old server setup.
  10. Back in Sharing, I added each of the 5 folders to the Shared Folders panel in turn.
  11. I gave administrator Read & Write to all shares. I gave Everyone No Access to all shares.
  12. I added the group agencystaff with Read & Write to 4 of the 5 shares
  13. I added the group agencyadmin to the admin share
  14. In my subsequent testing, permissions were not being inherited on new folders. Kristy would create a folder that Ashley could not write to or delete from. And vice versa, etc. This is where all of the cursing and screaming happened. For quite some time. So I researched and eventually arrived at this discussion.
  15. I added what I learned in this forum post to my experience with the Unix command-line to properly use chmod to set up each shared folder with its respective inherited permissions like these examples:
sudo chmod -R +a "group:agencystaff allow readattr,writeattr,readextattr,writeextattr,readsecurity,list,search,add_file,add_subdirectory,delete_child,file_inherit,directory_inherit" /Volumes/Promise\ Pegasus/Design\ Jobs


sudo chmod -R +a "group:agencyadmin allow readattr,writeattr,readextattr,writeextattr,readsecurity,list,search,add_file,add_subdirectory,delete_child,file_inherit,directory_inherit" /Volumes/Promise\ Pegasus/Admin


Each one took a few minutes to complete. After that, all of my testing worked perfectly. I was able to mount the appropriate drives using afp:// on each user's computer. I created multiple folders on the shares with multiple users on multiple computers and they were all able to properly read and write and delete new and old data.


And more importantly, NO ONE called me the next morning. I had successfully replaced the old server at the same IP address with the exact same share names and permissions, and the end-user couldn't tell the difference except it was faster. All of their aliases worked. All of the "recent documents" opened. All of the InDesign files opened without complaining that image links were broken. Success!


/whew

Feb 6, 2019 10:43 AM in response to Mark Dannau

I had this problem myself and opened a ticket with Apple. It was escalated to Enterprise Support. Scenario was SMB Shares with OpenDirectory accounts connecting from non domain-bound Macs. Local accounts could connect to the shares no problem. No OD accounts would connect. After demonstrating the issue forwards and backwards, they had me run the Enterprise Data Collector after elevating debug logging. I replicated the issue and the Data Collector created a dmg of logs that I uploaded.


The issue was that SMB authentication was not available for authentication from OD accounts. Here are the steps:

  1. Open Directory Utility.app.
  2. Unlock.
  3. Select Directory Editor.
  4. From 'in node', select LDAPv3.
  5. From 'Viewing', select Config.
  6. On the left side, select dirserv.
  7. Select the padlock next to 'in node' and authenticate with the Directory Administrator account.
  8. On the right side, expand the attribute, 'dsAttrTypeNative:apple-enabled-auth-mech'
  9. Click the plus next to WEBDAV-DIGEST to add another value.
  10. Make the value 'SMB-NTLMv2'.
  11. Click Save.
  12. Restart.


Confirmed OD accounts could connect via SMB to the server where it could not prior. Apple said the authentication mechanism was removed in the latest version of Mojave (10.14.3). They didn't know if it would be put back in under the next update or not.

Apr 21, 2019 1:31 PM in response to ahawkes

I followed these excellent instructions carefully. I am trying to share an external 1TB SSD drive "Myworkdir" formatted as APFS using smb. I am running a 2018 MacMini with Mojave 10.14.4 and I am not using Server 5.71.


  1. created users and group MyWork
  2. Turned on File Sharing by SMB
  3. Used BatChmod to clear out old permissions, set Myadmin as owner with RWX, group MyWork with RWX, everyone else no access. unlock, clear ACLs. Applied— BatChmod claimed it was finished almost immediately.
  4. In sys pref, shared volume MyWorkdir and added group Mywork with RW privileges.


Result:

MyIPAddr:volumes myadmin$ ls -le
total 0
lrwxr-xr-x   1 root  	wheel     1 Apr 21 08:37 Macintosh HD -> /
drwxrwx---+ 32 myadmin  staff  1024 Apr 21 08:46 Myworkdir
 0: group:Mywork allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity


Then Chmod:

MyIPAddr:volumes myadmin$ sudo chmod -R +a "group:Mywork allow readattr,writeattr,readextattr,writeextattr,readsecurity,list,search,add_file,add_subdirectory,delete_child,file_inherit,directory_inherit" /volumes/Myworkdir

chmod: Failed to set ACL on file '.Spotlight-V100': Operation not permitted
chmod: /volumes/Myworkdir/.Spotlight-V100: Operation not permitted
chmod: Failed to set ACL on file '.Spotlight-V100': Operation not permitted


Then set up sharing for group Mywork in sharing settings set to RWX


MyIPAddr:volumes myadmin$ ls -le
total 0
lrwxr-xr-x   1 root  wheel     1 Apr 21 08:37 Macintosh HD -> /
drwxrwx---+ 32 myadmin  staff  1024 Apr 21 08:46 Myworkdir
 0: group:Mywork allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
 1: group:Mywork allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity
MyIPAddr:volumes myadmin$ 


Mounting the drive as one of the users in group Mywork by smb, I can work normally, but if I create a new folder or duplicate an existing folder, I am unable to delete the folder. I get "The operation couldn't be completed because an unexpected error occurred (error code -8072)"


Any suggestions? Thanks in advance.
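
Added example, not part of either post and not Apple's tooling: the Jan 22 and Apr 21 posts above both depend on shared directories carrying a group ACE that includes file_inherit and directory_inherit, so this sketch reads `ls -le` output and flags directory ACEs for a group that lack those flags. The function names `audit_acl` and `sample_listing` are illustrative, and the embedded listing is the second one quoted in the Apr 21 post.

```shell
#!/bin/sh
# Added example (not from the thread): flag directory ACEs for one group that
# lack file_inherit/directory_inherit in `ls -le` output.

# audit_acl GROUP: reads `ls -le` text on stdin, prints one finding per line.
audit_acl() {
    awk -v grp="$1" '
    function report_missing() {
        # Directory seen with no allow ACE at all for the group.
        if (isdir && !seen) print name ": no ACE for group:" grp
    }
    /^[-dlbcps][-r]/ {                      # entry line: mode, links, owner, ...
        report_missing()
        isdir = (substr($1, 1, 1) == "d"); seen = 0
        name = $9                           # name may contain spaces
        for (i = 10; i <= NF; i++) name = name " " $i
        next
    }
    /^ *[0-9]+: / && isdir && $2 == "group:" grp && $(NF-1) == "allow" {
        seen = 1; fi = 0; di = 0
        n = split($NF, p, ",")
        for (i = 1; i <= n; i++) {
            if (p[i] == "file_inherit") fi = 1
            if (p[i] == "directory_inherit") di = 1
        }
        miss = ""
        if (!fi) miss = "file_inherit"
        if (!di) miss = miss (miss == "" ? "" : ",") "directory_inherit"
        idx = $1; sub(/:$/, "", idx)
        if (miss != "") print name ": ACE " idx " lacks " miss
    }
    END { report_missing() }
    '
}

# Sample input: the second `ls -le` listing quoted in the Apr 21 post.
sample_listing() {
    cat <<'EOF'
total 0
lrwxr-xr-x   1 root  wheel     1 Apr 21 08:37 Macintosh HD -> /
drwxrwx---+ 32 myadmin  staff  1024 Apr 21 08:46 Myworkdir
 0: group:Mywork allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
 1: group:Mywork allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity
EOF
}

sample_listing | audit_acl Mywork
```

On a server, pipe the output of `ls -le` run in the folder that contains the share into `audit_acl` with the share's group name. Only directory entries are checked, since the two inherit flags are set on directories.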


Mar 26, 2019 7:23 AM in response to hineswhim

Just noticed a rather obscure menu - if you right-click on a share name in the Sharing control panel, you can apply permissions to enclosed items. I don't know if this applies ACL and inheritance or not. Does it? Could this be the hidden option we've been searching for since 10.14 was released?? Or is it the same as get-info a folder and apply to enclosed items (which does not apply inheritance).


Oh, hineswhim, I believe "content caching" = software update caching, plus iTunes media caching.


May 23, 2019 1:18 PM in response to carlsb

Running macOS 10.14.4 (no Server app) on an 11,3 MBP with no OD configured, just sharing accounts. Using the internal SSD (APFS) for the OS and to host FileMaker Pro databases. An external Thunderbolt HFS+ (Journaled) RAID5 consisting of rotational 7200RPM drives hosts the file shares and backup destinations. Another external rotational drive for the security software, also hosted on the server.


This setup is working well enough that I will now start upgrading clients from 10.11/10.12. Mac Pro towers make great servers on the cheap because adding drives is easy, but now, the 6Gbps interface is showing its age. (4) drives, striped, (24 Gbps max). So the laptop and external RAID is a great setup! Built-in screen and keyboard/trackpad, built-in battery backup/power conditioner, whatever add-on you want and with an external RAID formatted as HFS+ Journaled, you still get lots of sharing power. I'd stay away from Thunderbolt 2 RAIDs and go with USB-3 if possible. Have had issues with Thunderbolt 2 and Macs sleeping when they aren't supposed to (use Amphetamine.app to keep awake), causing drive drop offs. Drives RAID5 crazy, RAID4 is more tolerant in that situation but USB-3 is best.


Connectivity is both AFP and SMB. For clients I tend to lock in AFP because Adobe apps are problematic with SMB and Adobe doesn't officially support working off file shares (unless you are using something like Facilis) so with no support from Adobe I stick with AFP and have no issues. The server has (2) NICs, each with their own VLAN. No issues.


No issues deleting folders/modifying files.


Here's a sample share point set up in the, Sharing, System Preference. Then configured using TinkerTool System.


Permissions for the Admin group.


Permissions for the Staff group.


With all of this, folders within the share can still have custom permissions. Such as having a project folder with staff access but that folder having a nested folder that only allows access to a specific user. Just like the macOS Sierra Server days! 😎

Oct 14, 2018 12:12 PM in response to MrHoffman

Hi MrHoffman

Thanks for the reply.


unfortunately transfer to NAS is not an option.

Since there are Promise storage units, which were purchased with quite a bit of money that were not considered in upgrading the system.

Unfortunately my experience with NAS units from a number of companies was difficult and disappointing.


Question: Is ACL supported in moving the service to their system?

Maybe there are terminal commands for a fix I can run?


Thanks for the pdf file.


More ideas?


Best regards

Benny

Oct 14, 2018 12:54 PM in response to Benny2g

The chmod and chown commands are the usual commands, at the command line. Often sudo chmod -R and sudo chown -R, to override and to propagate the changes.


In the GUI, the Get Info tool can be used to reset ownerships and protections.


Downside: mistakes here that are propagated to multiple files and directories and to unintended targets are difficult to recover from.

Oct 14, 2018 1:16 PM in response to MrHoffman

Hi

Yes, I know the commands. They do not help.

They are not saved after the user's change and again the permissions issue is repeated.

If the ACL was correct, the permissions were saved.


In the old OS 9 we would place a command on the kernel according to time in order to change the permissions ...

We went back in time 😟

Oct 14, 2018 3:46 PM in response to Benny2g

man chmod, and search for “inherit”.


Beyond the command line or a tool such as Dash.app, Apple’s man page documentation web pages and doc search engine are seemingly incommunicado, but there are copies elsewhere:

https://ss64.com/osx/chmod.html


Search further afield for examples of the file_inherit and directory_inherit access control list entries.

https://apple.stackexchange.com/questions/31438/how-do-i-use-chmod-on-a-mac-to-make-new-files-inherit-parent-directory-permissio

https://apple.stackexchange.com/questions/117601/use-apples-server-admin-tools-to-force-inherit-permissions
