Configuring Share Point ACLs...




Boarder981
Mar 14, 2008, 06:19 PM
Ok, please tell me if I'm crazy, or perhaps even stupid ... :(

So I've been supporting Macs in a large enterprise environment for some time. I'm ACHDS certified (10.4) and just recently got my ACTC certification (10.4). I got a copy of Tiger server, set up a small internal network with a few Macs, read the entire Mac OS X Server Essentials book by Peachpit Press and did all the activities, so at least I know all this stuff *in theory*.

Anyway, I'm setting up a basic file sharing server (AFP & SMB) at work using OS X Server 10.4.11 and seem to be having some problems with ACLs. For the groups I have set up with read/write permissions, they seem to be fine. They can download files from the server and modify/delete the files without any problems once on the local machine.

However, groups with read-only access can download files from the server, but get an admin authentication prompt when trying to modify or delete the files. Isn't there a way to configure it so that when a user downloads the file, the ownership changes to them?

Anyway, I know this may not be a very detailed description (not at work right now, don't have the server in front of me), but wondering if there are any quick tips to look out for when configuring ACLs in OS X Server. I have already propagated permissions and inheritance is enabled, so I'm not sure what's happening.

Any input would be appreciated.



Les Kern
Mar 16, 2008, 12:11 AM
You may not have ACL set up. Make sure at the server admin you have enabled ACL's, then make it "look" like the attached pic. Be sure to propagate afterwards to change what's already there. From then on all items will be able to be modded by all users in the group regardless of what an individual file is set at. ACL's are GOD.
Good luck

Boarder981
Mar 16, 2008, 03:03 PM
Thanks for the image, looks the same on my server. I even went back and re-read parts of my OS X Server Essentials book because I thought I was going nuts.

Like I said, the groups with read&write permissions don't have any trouble, but the groups with read-only permissions need to authenticate as admin when trying to delete files/folders that were downloaded from the server. I'll have to test some more this week at work, then post some more details.

Les Kern
Mar 16, 2008, 09:34 PM
<<Thanks for the image, looks the same on my server. I even went back and re-read parts of my OS X Server Essentials book because I thought I was going nuts.

Like I said, the groups with read&write permissions don't have any trouble, but the groups with read-only permissions need to authenticate as admin when trying to delete files/folders that were downloaded from the server. I'll have to test some more this week at work, then post some more details.>>

But that sounds right to me??

pezza
Mar 17, 2008, 05:23 AM
<<But that sounds right to me??>>

It does sound right, but I'm guessing that the OP wants the connected read-only users to be able to delete the files from their desktop after reading them without administrator involvement?

Can ACLs be set this granular? I haven't got a system handy to test. If not, perhaps if ACLs aren't set and the regular permissions are enforced, this error/feature will be resolved. I haven't come across this before so it must be something to do with setup.

regards

Les Kern
Mar 17, 2008, 07:40 AM
<<It does sound right, but I'm guessing that the OP wants the connected read-only users to be able to delete the files from their desktop after reading them without administrator involvement?

Can ACLs be set this granular? I haven't got a system handy to test. If not, perhaps if ACLs aren't set and the regular permissions are enforced, this error/feature will be resolved. I haven't come across this before so it must be something to do with setup.

regards>>

Indeed. I haven't been able to replicate but I will try again today. Kind of a nice diversion from my regular duties, and it might come in handy. :)

Boarder981
Mar 17, 2008, 09:00 AM
<<It does sound right, but I'm guessing that the OP wants the connected read only users to be able to delete the files from their desktop after reading them without administrator involvement?>>

Yes, that's exactly right, sorry I should have specified. I would like users with read-only access to be able to download files from the server and not require admin authentication to delete the files. Basically I want the user to become the owner of the copy of the file they download. Not sure if this is possible ... ?

By the way, thanks for your help guys ... I really appreciate it!

wrldwzrd89
Mar 17, 2008, 09:19 AM
Actually, UNIX permissions support this feature with the sticky bit. I'm not sure if you can set something equivalent to the sticky bit on an ACL entry, though.

Boarder981
Mar 21, 2008, 07:08 AM
Well, the server seems to be working as intended now. Users in the read-only group can download files to their HD and then delete them without authenticating as admin. Folders, on the other hand, still require admin rights to trash, but this is to be expected.

I'm not even sure what I did to fix it, to be honest. In fact, the server was rebooted so I think this may have been it :o

Anyway, thanks for all the help!