macOS Mojave with server 5.7.1file sharing Group permissions problem :-(

Hi

Thanks to everyone for searching. I also tried with 2 shared folders: 1st on the Mac Mini (APFS) and 2nd on external drive (HFS+). Still have permission problems.

I tried both with SMB and AFP and I still have the problem.

Can you help me?

Hey guys I found this related information from high sierra server that helped me and it appears to work for keeping inherited permissions.

Firstly enable ACL permissions for SMB shares with the following command.

Sharing modification via terminal to engage ACLs

sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AclsEnabled -bool YES

Then set up inheritance permissions on the parent holder with the following command. This should recursively go through your share and apply the relevant permissions.

sudo chmod -R +a "group:REPLACE_WITH_YOURGROUP_NAME:allow readattr,writeattr,readextattr,writeextattr,readsecurity,list,search,add_file,add_subdirectory,delete_child,file_inherit,directory_inherit" REPLACE_WITH_PATH_TO_PARENT_SHARED_FOLDER

Hey Mark, run the first terminal command only once, but the second command you need to repeat for each group you want to maintain inherited permissions. So if you have Workgroup and Designgroup, You need to run

sudo chmod -R +a "group:Workgroup:allow readattr,writeattr,readextattr,writeextattr,readsecurity,list,search,add_file,add_subdirectory,delete_child,file_inherit,directory_inherit" REPLACE_WITH_PATH_TO_PARENT_SHARED_FOLDER

then

sudo chmod -R +a "group:Designgroup:allow readattr,writeattr,readextattr,writeextattr,readsecurity,list,search,add_file,add_subdirectory,delete_child,file_inherit,directory_inherit" REPLACE_WITH_PATH_TO_PARENT_SHARED_FOLDER

Then both groups with have read write privileges that will be inherited by any file added or modified within the folder of choice. I recommend having these folders at the root of your share drive, so that the permissions aren't nested inside another folder with its own permissions.

Ok, so I guess this is not going to work if the folders are on an external drive.

I'll try anyway, see what happens. If not I'll move the folders to the internal ssd.

Thanks a lot amigo! If it works you'll have saved me from a very sh... annoying situation.

Has anyone else tried my working solution of using an external HDD/SDD (non-RAID, but not sure yet if RAID makes a difference) and forcing clients to connect via AFP?

I don't think I mentioned that I was not using OD, just local accounts configured as sharing only.

Hi Ryan,

That's my setup right now. All files are on external drive formatted in HFS+ and connecting via AFP. Main drive in Mac Mini is 500Gb SSD formatted in apfs.

Still having permissions problems. Connections work well and are very fast though.

mark

Did you force the AFP connection via the connect to server function? You can't just click on the server in the Finder window sidebar. If you want to make sure the MacOS isn't tricking you into connecting via SMB, disable SMB on the server during testing.

AFP is faster, but less secure I suppose. Man in the middle attacks on a LAN isn't the biggest concern of my clients. A functional network comes first. So I stick with AFP.

What came first, the wheel or the brake? LOL.

Hi jlantrip,

I did the first command, entered correct password, then

sudo chmod -R +a "group:Programme\ ext:allow readattr,writeattr,readextattr,writeextattr,readsecurity,list,search,add_file,

add_subdirectory,delete_child,file_inherit,directory_/Volumes/Shared\ Folders/Programmes\ ext

"Programmes ext" being the shared folder,

and it just hangs on >

Am I doing something wrong?

Mark it’s likely an issue with the group

name. You probably have a short name for that group like programmeext rather than including the space. I noticed an issue a couple times with the command not finding the proper group ID related to the name until I got the short name right.

also so I didn’t see the second quotation mark in your command can you verify that you have it there?

I had problems executing your great suggestion - bash on my install of Mojave didn't seem to like the way you used spaces. So I'm posting a correction for those who must experiment but aren't command line users. You must supply your own MyGroupName and your own /path/to/shared/folder:

sudo chmod -R +a "group:MyGroupName allow readattr,writeattr,readextattr,writeextattr,readsecurity,list,search,add_file,add_subdirectory,delete_child,file_inherit,directory_inherit" /path/to/shared/folder

Hello jlantrip,

This is the result I got today with what seems to be a "lesson" of how to enter the command line correctly... ;-)

serveur-korke:~ korke$ sudo chmod -R +a "group:programmesext allow readattr,writeattr,readextattr,writeextattr,readsecurity,list,search,add_file,add_subdirectory,delete_child,file_inherit,directory_inherit"/Volumes/Shared\ Folders/Programmes\ ext

usage: chmod [-fhv] [-R [-H | -L | -P]] [-a | +a | =a [i][# [ n]]] mode|entry file ...

chmod [-fhv] [-R [-H | -L | -P]] [-E | -C | -N | -i | -I] file ...

serveur-korke:~ korke$

Hey Guys. I think I figured out a problem with this discussion. Apple's comment tool is changing the syntax and dropping part of the end of an argument because I'm not very experienced with it, so everyone is trying to copy and paste but they're missing parts so the command fails. I'm trying to figure out the formatting into showing it correctly. THERE ARE NO CARRIAGE RETURNS IN THIS COMMAND:

sudo chmod -R +a "group:YourGroupHere allow readattr,writeattr,readextattr,writeextattr,readsecurity,list,search,add_file,add_subdirectory,delete_child,file_inherit,directory_inherit" /path/to/shared/folder

I'll dissect the command here:

sudo <- which means to run the chmod as root - this is what makes it prompt you for an admin password

chmod <- this is the main command for changing file permissions in a unix environment

-R <- this is an argument for the chmod command that tells it to effect files recursively through subfolders

+a <- I believe this effectively tells chmod to include ACLs too (this is an oversimplification)

" <- quote marks surround the entire set of "settings" that you want chmod to apply to each file and folder

group:MyGroupName <- is the group you're granting permissions for, formatted properly for chmod

allow <- you want to grant the group the following permissions for each file and folder (as opposed to deny)

readattr through directory_inherit <- these are all the specific permissions you want to grant. No spaces, spelling is important

" <- close the quote, then a space, then

/path/to/shared/folder <- this is the directory you want to apply the settings to.

NOTE that most of the problems I've seen in replies are syntax errors caused by the helpful posters' comments being manipulated. Sorry about that, but it won't let me go back and edit. :( Quote marks are important. Spaces are important. LACK of spaces are important. Unfortunately, this forum doesn't seem to allow me to paste a command as a single line.

There is NOT a carriage return after the word "allow" but there is a space. There is also a space after the last quote mark.

Any spaces in the directory path MUST be represented by a backslash and a space. In unix, spaces separate lots of things like commands and arguments. If you leave the space, the unix command will believe that the path ends at the space. The backslash means "take the next character as a character at face value." So in this example, we humans see the path as

/Volumes/Promise Pegasus/Current Jobs

BUT it must be formatted unix friendly so we use

/Volumes/Promise\ Pegasus/Current\ Jobs

So here's my example with the group called designers and a directory called Current Jobs. This is all one line.

sudo chmod -R +a "group:designers allow readattr,writeattr,readextattr,writeextattr,readsecurity,list,search,add_file,add_subdirectory,delete_child,file_inherit,directory_inherit" /Volumes/Promise\ Pegasus/Current\ Jobs

I hope this helps. And thanks again Benny2g for the real work!

YES! It worked! The formatting was maintained and the example shows up perfectly! Here it is again:

So here's my example with the group called designers and a directory on an external RAID called Current Jobs. This is all one line:

sudo chmod -R +a "group:designers allow readattr,writeattr,readextattr,writeextattr,readsecurity,list,search,add_file,add_subdirectory,delete_child,file_inherit,directory_inherit" /Volumes/Promise\ Pegasus/Current\ Jobs

As a note to those who were trying to help but whose syntax was corrupted, I highlited my command text and clicked the button <> at the bottom of the edit pane. Apparently, that's how you format a Unix command.

Awesome to hear all that detail, its also extremely coincidental that my issues were born from a very similar upgrade, from a 2009 Mac pro, internal RAID to a mac mini 2018 external raid. Glad to see all is holding up and I have also stopped receiving phone calls haha.