macOS Mojave with server 5.7.1 file sharing Group permissions problem :-(

Hi,

I have macOS Mojave with Server 5.7.1 on a Mac Pro (Late 2013).

I'm running an updated server for the latest version.

To my question I did not find an answer through Google ...


I do several tests before moving the server to work.

The test on the server is performed from several computers, mainly from operating system 10.12.


I set up 3 users (A + B + C) and 2 groups (E + F) to check permissions. Unfortunately, permissions do not work properly.

And there seems to be a problem with the ACL and the permissions do not pass automatically.

The entrance was examined in two situations: AFP + SMB.


for example:

When User A logs on to the server and builds a folder / file, checking permissions on the file from the server is saved to User A and not to the Group Name (Group E).

Group: wheel - Permission: read only

All: everyone - permission: read only.


When user B enters the server and builds a folder / file, checking permissions on the file from the server is saved to user name B and not to the group name (group E).

Group: wheel - Permission: read only

All: everyone - permission: read only.



Arrange permissions through: System Preferences / File Sharing and manual permissions changes: Apply Permissions to Enclosed Items.

Everything works out ... until the next user change.


I would be happy for help from an experienced server user.


Best regards

Benny

MacBook Air, macOS Sierra (10.12.6), Macintosh Plus,PB 400Hhz black, PB 867, iMac G3, OSX Server5

Posted on Oct 8, 2018 9:18 AM

Question marked as Top-ranking reply

Posted on Jan 15, 2019 7:35 PM

Hey guys, I found this related information from High Sierra Server that helped me, and it appears to work for keeping inherited permissions.


Firstly enable ACL permissions for SMB shares with the following command.



Sharing modification via terminal to engage ACLs



sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AclsEnabled -bool YES


Then set up inheritance permissions on the parent folder with the following command. This should recursively go through your share and apply the relevant permissions.



sudo chmod -R +a "group:REPLACE_WITH_YOURGROUP_NAME:allow readattr,writeattr,readextattr,writeextattr,readsecurity,list,search,add_file,add_subdirectory,delete_child,file_inherit,directory_inherit" REPLACE_WITH_PATH_TO_PARENT_SHARED_FOLDER

118 replies

Jan 24, 2019 7:58 AM in response to ahawkes

ahawkes, thanks for the nice job you did on this and the very clear explanations.


I've tried your command and am getting the response hereafter, but the issue is still there. Folder "Programe ext" is on an external HFS+ formatted drive directly connected to the Macmini. "pool" is a group composed of 8 users with read/write permissions.


Last login: Thu Jan 24 12:47:06 on ttys000

serveur-korke:~ korke$ sudo chmod -R +a "group:pool allow readattr,writeattr,readextattr,writeextattr,readsecurity,list,search,add_file,add_subdirectory,delete_child,file_inherit,directory_inherit"/Volumes/Shared\ Folders/Programmes\ ext

Password:

usage: chmod [-fhv] [-R [-H | -L | -P]] [-a | +a | =a [i][# [ n]]] mode|entry file ...

chmod [-fhv] [-R [-H | -L | -P]] [-E | -C | -N | -i | -I] file ...

serveur-korke:~ korke$


Jan 24, 2019 12:02 PM in response to Mark Dannau

Mark,


Looks like you may have used the "incorrect" example to build your command, or your command is being altered here too. But either way, it's not working because of incorrect syntax. When working in this forum, don't forget to select any commands in your comment and click the <> button below to format it correctly. Here's your command, though you MUST change the path to the Programmes ext because I can't see its entire path in your post. Note that you can drag the folder itself into terminal and terminal will drop in the full path to the folder. Just don't forget the space between directory_inherit" and the start of the path. I think that's what you missed before.


sudo chmod -R +a "group:pool allow readattr,writeattr,readextattr,writeextattr,readsecurity,list,search,add_file,add_subdirectory,delete_child,file_inherit,directory_inherit" /Volumes/MyExternalDrive/Folders/Programmes\ ext



Mar 26, 2019 10:43 AM in response to dalenorman2005

I don't think that's what we're looking for. That looks more like a replacement for the "propagate permissions" tool in Server. While it's nice to see that, I don't think it solves our problem. However, ddssg1 provided a suggestion that I tested... TinkerTool System ($14) has a section that includes the ability to set up inheritance on shares in 10.14 Mojave.

Mar 30, 2019 11:28 AM in response to Ryan Burkholder

Apple's focus is no longer the server, as everyone is really going to store in the cloud. But if you still want to stay with a local data server and have problems only with legacy ACLs, it is easy to solve: either purchase TinkerTool or apply the command via Terminal, which will definitely solve it.


sudo chmod -R +a "group:stagio allow readattr,writeattr,readextattr,writeextattr,readsecurity,list,search,add_file,add_subdirectory,delete_child,file_inherit,directory_inherit" REPLACE_WITH_PATH_TO_PARENT_SHARED_FOLDER

Apr 21, 2019 1:31 PM in response to ahawkes

I followed these excellent instructions carefully. I am trying to share an external 1TB SSD drive "Myworkdir" formatted as APFS using smb. I am running a 2018 MacMini with Mojave 10.14.4 and I am not using Server 5.71.


  1. created users and group MyWork
  2. Turned on File Sharing by SMB
  3. Used BatChmod to clear out old permissions, set Myadmin as owner with RWX, group MyWork with RWX, everyone else no access. unlock, clear ACLs. Applied— BatChmod claimed it was finished almost immediately.
  4. In sys pref, shared volume MyWorkdir and added group Mywork with RW privileges.


Result:

MyIPAddr:volumes myadmin$ ls -le
total 0
lrwxr-xr-x   1 root  	wheel     1 Apr 21 08:37 Macintosh HD -> /
drwxrwx---+ 32 myadmin  staff  1024 Apr 21 08:46 Myworkdir
 0: group:Mywork allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity


Then Chmod:

MyIPAddr:volumes myadmin$ sudo chmod -R +a "group:Mywork allow readattr,writeattr,readextattr,writeextattr,readsecurity,list,search,add_file,add_subdirectory,delete_child,file_inherit,directory_inherit" /volumes/Myworkdir

chmod: Failed to set ACL on file '.Spotlight-V100': Operation not permitted
chmod: /volumes/Myworkdir/.Spotlight-V100: Operation not permitted
chmod: Failed to set ACL on file '.Spotlight-V100': Operation not permitted


Then set up sharing for group Mywork in sharing settings set to RWX


MyIPAddr:volumes myadmin$ ls -le
total 0
lrwxr-xr-x   1 root  wheel     1 Apr 21 08:37 Macintosh HD -> /
drwxrwx---+ 32 myadmin  staff  1024 Apr 21 08:46 Myworkdir
 0: group:Mywork allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
 1: group:Mywork allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity
MyIPAddr:volumes myadmin$ 


Mounting drive as one of the users in group Mywork by smb, I can work normally, but if I create a new folder or duplicate an existing folder, I am unable to delete the folder. I get "The operation couldn't be completed because an unexpected error occurred (error code -8072)"


Any suggestions? Thanks in advance.


Apr 23, 2019 10:12 AM in response to carlsb

First of all, I'd suggest that you put your data into a folder on that disk instead of sharing the entire volume. That will give you more flexibility in the future and also avoid the .Spotlight-V100 error.


And if I understand correctly, you did the chmod command THEN set up sharing in the Sharing Preference Pane?


I think you should set up the sharing FIRST, then do the chmod -R +a command to modify those sharing settings.


Hopefully it really is that simple...
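A way to check the `ls -le` listings quoted in the post above, as an added example that is not code from any poster in this thread: it reads `ls -le` output and reports, per directory, whether an allow entry for the group carries both file_inherit and directory_inherit, and how many entries name that group. The function name `audit_acl_inherit` and the output format are assumptions of this example; the sample input is the second listing from the post.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the thread).
# Usage: ls -le /path/to/shares | audit_acl_inherit GROUPNAME
# Output per directory: <name>|inherit=yes|no|aces=<entries naming the group>
audit_acl_inherit() {
  awk -v want="group:$1" '
    function report() {
      if (dir != "") printf "%s|inherit=%s|aces=%d\n", dir, (inh ? "yes" : "no"), aces
    }
    # Directory header: mode, links, owner, group, size, month, day, time, name
    /^d/ {
      report()
      dir = $0
      for (i = 1; i <= 8; i++) sub(/^[^ ]+ +/, "", dir)  # keep spaces inside the name
      inh = 0; aces = 0
      next
    }
    # Anything that is not an ACL entry (file, symlink, "total") ends the directory
    !/^ *[0-9]+: / { report(); dir = ""; next }
    # ACL entry: " 0: group:Mywork [inherited] allow perm,perm,..."
    dir != "" {
      rest = $0
      sub(/^ *[0-9]+: /, "", rest)
      if (index(rest, want " ") != 1) next
      aces++
      perms = "," $NF ","
      # New items only pick up the entry when both flags are present on an allow entry
      if ($(NF - 1) == "allow" && index(perms, ",file_inherit,") &&
          index(perms, ",directory_inherit,")) inh = 1
    }
    END { report() }
  '
}

# Sample input: the listing quoted in the post above, taken after the chmod -R +a run
sample='total 0
lrwxr-xr-x   1 root  wheel     1 Apr 21 08:37 Macintosh HD -> /
drwxrwx---+ 32 myadmin  staff  1024 Apr 21 08:46 Myworkdir
 0: group:Mywork allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
 1: group:Mywork allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity'

printf '%s\n' "$sample" | audit_acl_inherit Mywork   # Myworkdir|inherit=yes|aces=2
```

An `aces` count above 1 shows that the group has more than one entry on the same folder, as in the second listing, where the Sharing pane's entry sits alongside the one added with chmod.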


May 17, 2019 12:31 PM in response to Ryan Burkholder

Here's my guess after 10 years of working in and with Apple. I am sure file sharing will continue in the same way that it does with Windows. It will always be part of the OS, but the administration tools are already gone. AFP hasn't been updated in forever, and will eventually disappear. SMB will not receive any real development resources, so it will probably work okay for basic needs. Essentially, relying on a Mac file server for any more than five or so users is a fool's errand.


At this point, we plan to phase out larger deployments of Mac file servers and replace them with Synology NAS's. These devices present their own problems and idiosyncrasies, but the Mac platform is dying (no, it really is), and Mac file sharing has already received some death blows. At least we know Synology will always be committed to local file sharing!


Long live cloud-connected iOS devices for everything! (rolls eyes emoji)


May 30, 2019 1:21 PM in response to Benny2g

OK so I buy TinkerTool and run the ACL Permissions section. About 15 minutes later, about 1/3 of the way done I get an error, "The operating system was unable to change the rights for a file system object via an Access Control List." "The cause of this problem is: The operation couldn't be completed. Operation not permitted."

The file it stopped on was a PDF. Nothing special.


Has anyone run into this?

Yes I know this is an error thrown by TinkerTool. Just wanted to check here before going to TT support.


Thanks in advance.

May 30, 2019 2:10 PM in response to ddssgg

I would also consider turning off SIP while you're solving any problems with permissions. SIP reduces root's ability to make changes to certain system folders and could be interfering, even if your tools are using sudo.


Boot into recovery mode and open terminal. It will ask for an admin password. In the terminal enter

csrutil disable <return>

reboot <return>


You can undo this with

csrutil enable




Jun 10, 2019 7:42 AM in response to ahawkes

hello all,

Ok, so now everything is working fine. Permissions are ok.

But when someone adds a file to a folder with set permissions, it doesn't automatically inherit the permissions from the folder. Even after resetting all the permissions of the folder and files, if I add a file this file just keeps the initial creator's permissions, and doesn't inherit the parent folder's permissions.

Anyone know why that is?

Jun 19, 2019 12:28 AM in response to ahawkes

Ok thanks. The folder is shared correctly from there and oddly it works for 2 users fine. It's a similar issue I found previously when some users had their passwords changed and couldn't see the shares. The fix then was to grant 'everyone' read access to the top level but this is random that it works for 2 users on AFP/SMB but then this one user, she only sees it if she connects via SMB.


Problem is they can't use Spotlight correctly using SMB
