You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

macOS Mojave with server 5.7.1file sharing Group permissions problem :-(

hi

i have macOS Mojave with server 5.7.1 on Mac pro(Late 2013).

I'm running an updated server for the latest version.

To my question I did not find an answer through Google ...


I do several tests before moving the server to work.

The test on the server is performed from several computers, mainly from operating system 10.12.


I set up 3 users (A + B + C) and 2 groups (E + F) to check permissions Unfortunately permissions do not work properly.

And there seems to be a problem with the ACL and the permissions do not pass automatically.

The entrance was examined in two situations: AFP + SMB.


for example:

When User A logs on to the server and builds a folder / file, checking permissions on the file from the server is saved to User A and not to the Group Name (Group E).

Group: wheel - Permission: read only

All: everyone - permission: read only.


When user B enters the server and builds a folder / file, checking permissions on the file from the server is saved to user name B and not to the group name (group E).

Group: wheel - Permission: read only

All: everyone - permission: read only.



Arrange permissions through: System Prepernces / File Sharing and manual permissions changes: Apple Premissions to Enclosed Items.

Everything works out ... until the next user change.


I would be happy for help an experienced server user


Best regards

Benny

MacBook Air, macOS Sierra (10.12.6), Macintosh Plus,PB 400Hhz black, PB 867, iMac G3, OSX Server5

Posted on Oct 8, 2018 9:18 AM

Reply
Question marked as Top-ranking reply

Posted on Oct 9, 2018 6:01 AM

After searching Google I found:

That version 5.4 had a "storage" tab that could be modified to ACL permissions. Unfortunately in version 5.7.1 the tab no longer exists.


version 5.7.1:

User uploaded file


version 5.4(pict from google 5.3.55):

User uploaded file


If there is a "server specialist"?

I would be happy to help


Best regards

Benny

118 replies
Question marked as Top-ranking reply

Oct 9, 2018 6:01 AM in response to Benny2g

After searching Google I found:

That version 5.4 had a "storage" tab that could be modified to ACL permissions. Unfortunately in version 5.7.1 the tab no longer exists.


version 5.7.1:

User uploaded file


version 5.4(pict from google 5.3.55):

User uploaded file


If there is a "server specialist"?

I would be happy to help


Best regards

Benny

Oct 15, 2018 2:36 AM in response to MrHoffman

Hi MrHoffman

The terminal looks like the solution to the problem 🙂


The command line:

sudo chmod -R + a "group: REPLACE_WITH_YOURGROUP_NAME: allow readattr, writeattr, readextattr, writeextattr, readsecurity, list, search, add_file, add_subdirectory, delete_child, file_inherit, directory_inherit" REPLACE_WITH_PATH_TO_PARENT_SHARED_FOLDER



This seems to make it possible to maintain ACL permissions.


Do not understand why but now another problem has been created, the AFP connection is not possible ...😠


Continues to do tests to check that there are no additional problems with 3rd party software


Best regards

Benny

Oct 14, 2018 10:51 AM in response to Benny2g

Most of what Server.app had provided is deprecated and now gone, or has been migrated into the base macOS system and tools.


This particular file-sharing feature migrated into macOS with High Sierra.


Here, migrating to a NAS box might be an option, depending on local requirements and considerations.


Prepare for changes to macOS Server 5.7.1 - Apple Support

https://developer.apple.com/support/macos-server/macOS-Server-Service-Migration- Guide.pdf

Dec 19, 2018 2:11 PM in response to Ryan Burkholder

Yes... Apple loosing the right way. And this way doesnt contains any other solutions for pro users. This time apple is just a phone and tablet maker... if you hear us TIM help and give:

  • macOS Ultimate Server Software
  • mac Server hardware
  • new macpro for pro users

And if you have a little bit more free time please give us your iCloud like a Office365

Thank You!

Jan 22, 2019 9:59 PM in response to ahawkes

I thought I'd tell the whole story on my setup so my success may make more sense:


NOTE: You CANNOT use AFP to share a folder on an APFS formatted drive. My externals are all Mac OS Extended (Journaled) format. I do not share any folders on a startup disk.


I have a client that is a small advertising agency with 8 employees. 5 designers and 3 admins. They all use Apple computers connecting exclusively with AFP, except the accountant who uses a Windows 10 PC. Their old server was a 2009 MacPro running Sierra and Mac OS Server the old fashioned "still works" way. The Mac Pro had two 4TB drives in an Apple RAID inside the machine for storage, and an external USB Archive drive for archives, attached via a USB PCI card. The backup drives are external USB drives as well utilized in a rotating offsite backup. The shares were four folders on the internal raid and one folder on the external Archive drive. The account I use to administer the server is long name Administrator short name administrator.


They just got a new 2018 Mac Mini for a server and an external USB-C Pegasus RAID for main storage. Here's the outline of what I did to set this up as a new server (real names changed to protect the innocent). I didn't migrate any settings from the previous server because setting up 8 users and 5 shares from scratch was easy. I'm going to ignore the backups in this discussion, but don't worry. They're there. :)


  1. I copied all of their main data from the 4TB internal RAID into four folders on the pegasus.
  2. I attached the Archive drive to the mini.
  3. I installed Server 5.7.1
  4. I used Server to create 8 users and two groups: agencystaff and agencyadmin
  5. I added all of the users to the group agencystaff but only the three admins to agencyadmin
  6. I went to System Preferences > Sharing and turned on file sharing.
  7. I clicked Options... and turned on AFP and SMB.
  8. Under Windows File Sharing, I unchecked any user who would never connect using SMB. This required their passwords.
  9. I used the free utility "BatChmod" on each of the respective folders to remove any legacy permissions: On each respective folder, I set Owner to administrator with RWX all checked, Group to agencystaff (or agencyadmin on that share) with RWX checked, then Everyone to RWX all UNchecked. I checked "Change ownership and privs", Unlock, Clear ACLs and Apply to enclosed. I hit apply and waited. This drilled down the entire folder structure changing each file's permissions and cleared out old users and groups from the old server setup.
  10. Back in Sharing, I added each of the 5 folders to the Shared Folders panel in turn.
  11. I gave administrator Read & Write to all shares. I gave Everyone No Access to all shares.
  12. I added the group agencystaff with Read & Write to 4 of the 5 shares
  13. I added the group agencyadmin to the admin share
  14. In my subsequent testing, permissions were not being inherited on new folders. Kristy would create a folder that Ashley could not write to or delete from. And vice versa, etc. This is where all of the cursing and screaming happened. For quite some time. So I researched and eventually arrived at this discussion.
  15. I added what I learned in this forum post to my experience with the Unix command-line to properly use chmod to set up each shared folder with its respective inherited permissions like these examples:
sudo chmod -R +a "group:agencystaff allow readattr,writeattr,readextattr,writeextattr,readsecurity,list,search,add_file,add_subdirectory,delete_child,file_inherit,directory_inherit" /Volumes/Promise\ Pegasus/Design\ Jobs


sudo chmod -R +a "group:agencyadmin allow readattr,writeattr,readextattr,writeextattr,readsecurity,list,search,add_file,add_subdirectory,delete_child,file_inherit,directory_inherit" /Volumes/Promise\ Pegasus/Admin


Each one took a few minutes to complete. After that, all of my testing worked perfectly. I was able to mount the appropriate drives using afp:// on each user's computer. I created multiple folders on the shares with multiple users on multiple computers and they were all able to properly read and write and delete new and old data.


And more importantly, NO ONE called me the next morning. I had successfully replaced the old server at the same IP address with the exact same share names and permissions, and the end-user couldn't tell the difference except it was faster. All of their aliases worked. All of the "recent documents" opened. All of the InDesign files opened without complaining that image links were broken. Success!


/whew

Feb 6, 2019 10:43 AM in response to Mark Dannau

I had this problem myself and opened a ticket with Apple. It was escalated to Enterprise Support. Scenario was SMB Shares with OpenDirectory accounts connecting from non domain-bound Macs. Local accounts could connect to the shares no problem. No OD accounts would connect. After demonstrating the issue forwards and backwards, they had me run the Enterprise Data Collector after elevating debug logging. I replicated the issue and the Data Collector created a dmg of logs that I uploaded.


The issue was that SMB authentication was not available for authentication from OD accounts. Here are the steps:

  1. Open Directory Utility.app.
  2. Unlock.
  3. Select Directory Editor.
  4. From 'in node', select LDAPv3.
  5. From 'Viewing', select Config.
  6. On the left side, select dirserv.
  7. Select the padlock next to 'in node' and authenticate with the Directory Administrator account.
  8. On the right side, expand the attribute, 'dsAttrTypeNative:apple-enabled-auth-mech'
  9. Click the plus next to WEBDAV-DIGEST to add another value.
  10. Make the value 'SMB-NTLMv2'.
  11. Click Save.
  12. Restart.


Confirmed OD accounts could connect via SMB to the server where it could not prior. Apple said the authentication mechanism was removed in the latest version of Mojave (10.14.3). They didn't know if it would be put back in under the next update or not.

Apr 21, 2019 1:31 PM in response to ahawkes

I followed These excellent instructions carefully. I am trying to share an external 1TB SSD drive "Myworkdir" formatted as APFS using smb. I am running a 2018 MacMini with Mojave 10.14.4 and I am not using Server 5.71.


  1. created users and group MyWork
  2. Turned on File Sharing by SMB
  3. Used BatChmod to clear out old permissions, set Myadmin as owner with RWX, group MyWork with RWX, everyone else no access. unlock, clear ACLs. Applied— BatChmod claimed it was finished almost immediately.
  4. In sys pref, shared volume MyWorkdir and added group Mywork with RW privileges.


Result:

MyIPAddr:volumes myadmin$ ls -le
total 0
lrwxr-xr-x   1 root  	wheel     1 Apr 21 08:37 Macintosh HD -> /
drwxrwx---+ 32 myadmin  staff  1024 Apr 21 08:46 Myworkdir
 0: group:Mywork allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity


Then Chmod:

MyIPAddr:volumes myadmin$ sudo chmod -R +a "group:Mywork allow readattr,writeattr,readextattr,writeextattr,readsecurity,list,search,add_file,add_subdirectory,delete_child,file_inherit,directory_inherit" /volumes/Myworkdir

chmod: Failed to set ACL on file '.Spotlight-V100': Operation not permitted
chmod: /volumes/Myworkdir/.Spotlight-V100: Operation not permitted
chmod: Failed to set ACL on file '.Spotlight-V100': Operation not permitted


Then set up sharing for group Mywork in sharing settings set to RWX


MyIPAddr:volumes myadmin$ ls -le
total 0
lrwxr-xr-x   1 root  wheel     1 Apr 21 08:37 Macintosh HD -> /
drwxrwx---+ 32 myadmin  staff  1024 Apr 21 08:46 Myworkdir
 0: group:Mywork allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
 1: group:Mywork allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity
MyIPAddr:volumes myadmin$ 


Mounting drive as one of the users in group Mywork by smb, I can work normally, but if I create a new folder or duplicate and existing folder, I am unable to delete the folder. I get "The operation couldn't be completed because an unexpected error occurred (error code -8072)"


Any suggestions? Thanks in advance.


Mar 26, 2019 7:23 AM in response to hineswhim

Just noticed a rather obscure menu - if you right-click on a share name in the Sharing control panel, you can apply permissions to enclosed items. I don't know if this applies ACL and inheritance or not. does it? could this be the hidden option we've been searching for since 10.14 was released?? or is it the same as get-info a folder and apply to enclosed items (which does not apply inheritance).


Oh, hineswhim, I believe "content caching" = software update caching, plus iTunes media caching.


May 23, 2019 1:18 PM in response to carlsb

Running macOS 10.14.4 (no Server app) on an 11,3 MBP with no OD configured, just sharing accounts. Using the internal SSD (APFS) for the OS and to host FileMaker Pro databases. An external Thunderbolt HFS+ (Journaled) RAID5 consisting of rotational 7200RPM drives hosts the file shares and backup destinations. Another external rotational drive for the security software, also hosted on the server.


This setup is working well enough that I will now start upgrading clients from 10.11/10.12. Mac Pro towers make great servers on the cheap because adding drives is easy, but now, the 6Gbps interface is showing its age. (4) drives, striped, (24 Gpbs max). So the laptop and external RAID is a great setup! Built-in screen and keyboard/trackpad, built-in battery backup/power conditioner, whatever add-on you want and with an external RAID formatted as HFS+ Journaled, you still get lots of sharing power. I'd stay away from Thunderbolt 2 RAIDs and go with USB-3 if possible. Have had issues with Thunderbolt 2 and Macs sleeping when they aren't supposed to (use Amphetamine.app to keep awake), causing drive drop offs. Drives RAID5 crazy, RAID4 is more tolerant in that situation but USB-3 is best.


Connectivity is both AFP and SMB. For clients I tend to lock in AFP because Adobe apps are problematic with SMB and Adobe doesn't officially support working off file shares (unless you are using something like Facilis) so with no support from Adobe I stick with AFP and have no issues. The server has (2) NICs, each with their own VLAN. No issues.


No issues deleting folders/modifying files.


Here's a sample share point set up in the, Sharing, System Preference. Then configured using TinkerTool System.


Permissions for the Admin group.


Permissions for the Staff group.


With all of this, folders within the share can still have custom permissions. Such as having a project folder with staff access but that folder having a nested folder that only allows access to a specific user. Just like the macOS Sierra Server days! 😎

Oct 14, 2018 12:12 PM in response to MrHoffman

Hi MrHoffman

Thanks for the reply.


unfortunately transfer to NAS is not an option.

Since there are Promise storage units, which were purchased with quite a bit of money that were not considered in upgrading the system.

Unfortunately my experience with NAS units from a number of companies was difficult and disappointing.


Question: Is ACL supported in moving the service to their system?

Maybe there are terminal commands for a fix I can run?


Thanks for the pdf file.


More ideas?


Best regards

Benny

Oct 14, 2018 12:54 PM in response to Benny2g

The chmod and chown commands are the usual commands, at the command line. Often sudo chmod -r and sudo chown -r, to override and to propagate the changes.


In the GUI, the Get Info tool can be used to reset ownerships and protections.


Downside: mistakes here that are propagated to multiple files and directories and to unintended targets are difficult to recover from.

Oct 14, 2018 1:16 PM in response to MrHoffman

Hi

Yes, I know the commands They do not help.

They are not saved after the user's change and again the permissions issue is repeated.

If the ACL was correct, the permissions were saved.


In the old OS 9 we would place a command on the kernel according to time in order to change the permissions ...

We went back in time 😟

Oct 14, 2018 3:46 PM in response to Benny2g

man chmod, and search for “inherit”.


Beyond the command line or a tool such as Dash.app, Apple’s man page documentation web pages and doc search engine are seemingly incommunicado, but there are copies elsewhere:

https://ss64.com/osx/chmod.html


Search further afield for examples of the file_inherit and directory_inherit acces control list entries.

https://apple.stackexchange.com/questions/31438/how-do-i-use-chmod-on-a-mac-to-m ake-new-files-inherit-parent-directory-permissio

https://apple.stackexchange.com/questions/117601/use-apples-server-admin-tools-t o-force-inherit-permissions

macOS Mojave with server 5.7.1file sharing Group permissions problem :-(

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.