Mac Share Permissions Help!




2fs2ns
Jul 9, 2009, 09:54 AM
We've got an Xserve set up for our Mac file shares. The security is integrated with our Active Directory (Windows) servers. We created a security group in Active Directory for all of the users that need access to those file shares.

In the workgroup manager on the server, the security group is set up on that file share with Read/Write permissions, and Everyone is set up with Read/Write permissions.

However, when we save a file into that share from a PC, the Everyone permission is set to None, so some of the Macs over there cannot access the files she saves.

Is there a way in the workgroup manager to reset that Everyone permission setting to Read/Write instead of None?



yellow
Jul 9, 2009, 10:06 AM
Which version of Mac OS X Server are you running? Must be 10.4.x, since Sharing was moved to Server Admin in 10.5.

In WorkGroup manager you can propagate permissions to children from the gear menu at the bottom right.

So, can I assume that this AD group is in the ACL for the share? You might want to consider "Full Control" for the group's permissions, rather than R/W, and leave the Everyone POSIX permissions as None. If you've bothered to create a security group in AD with specified users for the share, setting Everyone to R/W pretty much throws your security out the window.

2fs2ns
Jul 9, 2009, 10:18 AM
Mac OS X Server
10.4.11

Just a little background...I'm a Windows/PC guy, the Mac guru got let go and this was all dropped in my lap. Doing my best to figure it out...

In the Workgroup manager, when I click the share point, I can see the Access permissions on the right side of the screen.

The first box is Owner - currently that is set to admin, with permissions of Read/Write.
The second box is Group, that is set to domain\serveraccessgroup, with permissions of Read/Write.
The third item is Everyone, with permissions of Read/Write.

The Access Control List below is empty.

Also, when I propagate permissions on the folders, it fixes the Everyone permission from None to Read/Write, allowing the Mac users to see her files.
They are all members of that security group though. Does the Everyone permission group override the group permission level?

http://www.thehoffmanns.com/pics/sharescreenshot.jpg

yellow
Jul 9, 2009, 10:26 AM
Yeah, that's all POSIX stuff and really not helpful to you.
I suggest creating a local user & group, just to fill in those fields and have a static user/group for read/write.
Add your AD group to the POSIX group and it'll make your life easier.

Set Everyone to no access for safety.

Now in the Access Control List field, click the Users & Groups button. At the top of the slide window, there's a little world symbol that shows you what type of Directory it's attached to, probably the local default. Clicking on that should show your AD directory (if configured correctly). Switch to that and then find your "Security Group" in the AD groups (the tab with multiple people on it).
Drag & drop that to the ACL field. Change the Permission field to "Full Control".
Hit the Save button at the bottom of the window.
Now hit the Gear icon at the bottom and choose "Propagate Permissions..."

Now the corrected POSIX ugo permissions and ACL will be applied to the share and its contents. Now all you have to manage is the users in the AD group and it'll always be correct on the Mac share without you constantly having to fiddle with permissions on the share.
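
Added example (not part of the thread or any poster's code): a small Python audit showing that POSIX applies exactly one of Owner, Group or Everyone to a user, so with an empty ACL a file saved with Everyone set to None is unreachable for anyone outside its owner and group, and showing which items are writable by Everyone. The file names, modes, uid and group sets are constructed for illustration.

```python
import os
import stat
import tempfile

def posix_class(st, uid, gids):
    """Return the single permission class POSIX applies to this user."""
    if st.st_uid == uid:
        return "owner"
    if st.st_gid in gids:
        return "group"      # group bits decide, even if Everyone has more
    return "everyone"

def class_bits(mode, cls):
    """Extract the rwx bits (0-7) for the chosen class."""
    shift = {"owner": 6, "group": 3, "everyone": 0}[cls]
    return (mode >> shift) & 0o7

def audit_share(root, uid, gids):
    """Report items the user cannot read/write and items writable by Everyone."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            mode = stat.S_IMODE(st.st_mode)
            rel = os.path.relpath(path, root)
            cls = posix_class(st, uid, gids)
            if class_bits(mode, cls) & 0o6 != 0o6:
                findings.append((rel, "no-rw", cls))
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable", "everyone"))
    return sorted(findings)

def demo():
    """Constructed sample tree; the uid and group sets are hypothetical."""
    root = tempfile.mkdtemp()
    samples = (("from_mac.txt", 0o666), ("from_pc.txt", 0o660), ("odd.txt", 0o606))
    for name, mode in samples:
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, mode)
    st = os.lstat(path)
    other_uid = st.st_uid + 1           # a user who does not own the files
    member = audit_share(root, other_uid, {st.st_gid})
    outsider = audit_share(root, other_uid, set())
    return member, outsider
```

The check models only the POSIX owner/group/everyone bits; on a volume with ACLs enabled, matching ACL entries are evaluated before those bits.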

Les Kern
Jul 9, 2009, 10:49 AM
> Yeah, that's all POSIX stuff and really not helpful to you.
> I suggest creating a local user & group, just to fill in those fields and have a static user/group for read/write.
> Add your AD group to the POSIX group and it'll make your life easier.
>
> Set Everyone to no access for safety.
>
> Now in the Access Control List field, click the Users & Groups button. At the top of the slide window, there's a little world symbol that shows you what type of Directory it's attached to, probably the local default. Clicking on that should show your AD directory (if configured correctly). Switch to that and then find your "Security Group" in the AD groups (the tab with multiple people on it).
> Drag & drop that to the ACL field. Change the Permission field to "Full Control".
> Hit the Save button at the bottom of the window.
> Now hit the Gear icon at the bottom and choose "Propagate Permissions..."
>
> Now the corrected POSIX ugo permissions and ACL will be applied to the share and its contents. Now all you have to manage is the users in the AD group and it'll always be correct on the Mac share without you constantly having to fiddle with permissions on the share.

PERFECTLY stated. I would merely add that it's really a good rule to always use ACLs and leave POSIX behind.

2fs2ns
Jul 9, 2009, 11:00 AM
I tried to drag/drop the AD security group into the ACL window, and it doesn't go.

Here are some of the other security settings...maybe they have something to do with that?

http://www.thehoffmanns.com/pics/windowsettings.jpg

http://www.thehoffmanns.com/pics/applefilesettings.jpg

PS: Thanks for the help!

yellow
Jul 9, 2009, 11:18 AM
No, the protocols don't matter for the moment and don't have any bearing on the permissions.

You need to make sure you're authenticated as an admin in WorkGroup Manager. And you're dragging and dropping from the Users & Groups window connected to the AD domain, right?

If you click on the General tab, "Share this item and its contents" is checked, as is "Enable Access Control Lists on the Volume" (which is likely grayed out), right?

2fs2ns
Jul 9, 2009, 11:23 AM
Yeah, I'm logging into the workgroup manager as the admin. And yes, I'm dragging the group out of the AD list of groups. I even tried some user accounts, and they won't drop in either.

yellow
Jul 9, 2009, 11:26 AM
> Yeah, I'm logging into the workgroup manager as the admin. And yes, I'm dragging the group out of the AD list of groups. I even tried some user accounts, and they won't drop in either.

Sorry I added this late to the last post.


> If you click on the General tab, "Share this item and its contents" is checked, as is "Enable Access Control Lists on the Volume" (which is likely grayed out), right?