Permissions not propagating on share




Karatehero
Apr 1, 2010, 05:09 PM
Greetings all!

I'm sure this is some stupid noob issue - and regretfully I am mostly a Windows guy so maybe I'm just not getting the big picture here.

I am running server 10.6.2 - I have this machine set up as an OD Master and a Windows PDC with AFP, DNS, iChat, OD, and SMB all turned on. This is the only server on the network.

I have a folder I'll call 'Public'. I have a group called 'Users' and I have several users one of which is me, 'karatehero'. When I look at my user entry, I see that I am a member of the 'Users' group, and only the users group.

I went into Server Admin and shared my 'Public' directory to 'Users' and gave that group full control. When I look at the share in Server Admin now, I see

ACL
Workgroup - Permissions: Custom - Applies to: This folder, Child folders, Child files, All Descendants
Users - Permissions: Full Control - Applies to: This folder, Child folders, Child files, All Descendants
Spotlight - Permissions: Custom - Applies to: Child folders, Child files, All Descendants
POSIX
Root - Read & Write - Applies to: This folder
wheel - Read & Write - Applies to: This folder
others - Read & Write - Applies to: This folder

My goal was to have all the users in the 'Users' group have full control of all the items and subfolders in that file.

This worked initially, but now I see that when I map that drive as myself via SMB, most but not all of the folders have the red '-' next to them. When I look at that folder from the server, I see the following permissions:
workgroup - custom
users - custom
_spotlight - custom
admin (me) - Read & write
admin - Read & write
everyone - no access

I would imagine that is set up correctly, and I should be able to get into the folder, but I can't. If this were the Windows world, I would scratch my head and reformat. I'm not sure why this happened to all these files. Why my permissions are set up on the share as 'Full Control' and the subfolders are 'custom' is strange to me.

I notice there is a 'propagate permissions' option when I highlight my share and click the gear. Should I do that? Why would I need to?

Thanks in advance all! I'm kinda stuck here!



talmy
Apr 2, 2010, 09:18 AM
I found that the order of the ACL permissions is important. The first group ACL permission a user is in determines their permission. So since you have Workgroup above Users, the Workgroup permission prevails. (Note that unless you do otherwise, everyone is a member of "Workgroup").

Since you aren't using Workgroup, you should just delete the Workgroup permission and then propagate the permissions to update your existing subfolders.

Karatehero
Apr 4, 2010, 09:03 PM
I'm just curious, where did that come from? I never added it, how did something like that get there?

I will try that and update.

Thanks!

talmy
Apr 5, 2010, 10:22 AM
"Workgroup" is created by default at installation. You probably didn't need to add the group "Users" as "Workgroup" would have done the same thing.

Karatehero
Apr 5, 2010, 05:05 PM
OK. Although, how does the 'Users' group get added if the Workgroup group is there? I mean, Users could have been named 'CoalMiners' or something - I never associated it.

Either way - I reordered the groups to make "users" at the top of the list, and made sure it was set to full control - and I still can't get into certain folders and items. No change.

I guess what I'm wondering is if I propagate my ACLs to all subfolders - shouldn't all permissions be the same for all children if set that way?

BTW - I've also noticed that the groups that are giving me issues when I look at their get info has a group at the top of the access list. The group is above 'users' and is named 704224ee-fdff-....... and has a custom level of control. This wasn't there before I propagated things, but nothing has changed.

Am I missing something?

Thanks!

Karatehero
Apr 5, 2010, 07:33 PM
Am I propagating the wrong thing? I'm only propagating ACLs. Should I propagate more than that? Groups, owners?

calderone
Apr 5, 2010, 09:09 PM
To the OP:

1. Get a book on permissions or OS X Server
2. There are two very important tools you are not using: Effective Permissions Inspector and Sort Access Control Lists Canonically
3. I don't see much of a point to controlling the share via ACL when you have Read and Write for others.

To get you started here is the precedence for POSIX and ACL:
1. No ACL? POSIX applies
2. If there is an ACL, ACE order applies. Use "Sort Access Control Lists Canonically" to sort the ACEs in the way they would be applied.
3. ACL evaluation: The first ACE is evaluated, if there is no entry that applies, it moves on until it finds one for the requested action, allow or deny.

***THIS IS IMPORTANT****
It does not matter if you have allowed a user via a group ACE if there is a deny ACE preceding it. That is why you should use: "Sort Access Control Lists Canonically"

4. A POSIX deny does not override an ACE allow
5. If there is no ACE that applies, POSIX rules

It does not matter if you reorder the list, it needs to be sorted canonically.

I am not at your server, so I can only point you to the tools you need to use to figure it out. This should get you going in the right direction.

> "Workgroup" is created by default at installation. You probably didn't need to add the group "Users" as "Workgroup" would have done the same thing.

Workgroup is not created on installation (see below), it is created when a user is added via Server Preferences.

This may depend on the options you choose during installation, for example choosing "Create Users and Groups" (a novice install) may create the "Workgroup" group, but it is not created on a manual install.
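The precedence rules listed in the post above, as an added example (not code from any poster in this thread and not Apple's implementation). It is a simplified first-match model of those five rules; the canonical order used is the one documented for macOS ACLs (explicit deny, explicit allow, inherited deny, inherited allow), and the ACL entries, rights and the `check`/`sort_canonically` names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ACE:
    principal: str            # user or group the entry names
    kind: str                 # "allow" or "deny"
    rights: frozenset         # actions the entry covers
    inherited: bool = False   # True if copied down from a parent folder

def sort_canonically(acl):
    # Explicit deny, explicit allow, inherited deny, inherited allow.
    # sorted() is stable, so entries keep their relative order within a class.
    return sorted(acl, key=lambda a: (a.inherited, a.kind != "deny"))

def check(user, groups, action, acl, posix_allows):
    """Return (allowed, reason) for one requested action."""
    identities = {user, *groups}
    for ace in acl:                       # rules 2 and 3: walk ACEs in order
        if ace.principal in identities and action in ace.rights:
            return ace.kind == "allow", f"{ace.kind} ACE for {ace.principal}"
    return posix_allows, "POSIX"          # rules 1 and 5: no ACE applied

# Constructed sample: the user belongs to both groups; the deny entry is
# hypothetical and only there to show the effect of ordering.
USER, GROUPS = "karatehero", {"Users", "Workgroup"}
HAND_ORDERED = [
    ACE("Users", "allow", frozenset({"read", "write", "delete"})),
    ACE("Workgroup", "deny", frozenset({"write"})),
    ACE("_spotlight", "allow", frozenset({"read"}), inherited=True),
]

def demo():
    canonical = sort_canonically(HAND_ORDERED)
    return {
        "hand_write": check(USER, GROUPS, "write", HAND_ORDERED, False),
        "canon_write": check(USER, GROUPS, "write", canonical, False),
        "canon_read": check(USER, GROUPS, "read", canonical, False),   # rule 4
        "no_acl": check(USER, GROUPS, "read", [], True),               # rule 1
        "no_match": check(USER, GROUPS, "chown", canonical, False),    # rule 5
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The hand-ordered list appears to grant write through the Users entry, while the same entries in canonical order deny it through the Workgroup entry, which is why the inspector result is only meaningful on a canonically sorted ACL.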

Karatehero
Apr 5, 2010, 09:28 PM
Thanks so much for the reply!

I had a feeling that's how it worked - I wasn't sure how the ACL and POSIX fought it out, so thanks for detailing that for me!

Thing I'm confused on is this - I picked a sub folder in that share. Right now when I connect to it via go -> connect to server -> smb://server/share and I put in my creds, the sub folder says I have no permissions. When I look at it in the Effective permission inspector and put myself in, it says I have full control of the sub folder.

Is there some magic with the SMB share that I'm not aware of?

calderone
Apr 5, 2010, 09:32 PM
What are the permissions on the containing folder or volume? You may have permission on the sub folder, but if you don't have at least read on the container it doesn't matter.

Karatehero
Apr 5, 2010, 10:09 PM
On the root share I have all permissions but delete. That share is listed as Shared Items/Public

On the drive, I have read only permissions via the inspector.

For the subfolder I have full permissions. That would be Shared Items/Public/folder

talmy
Apr 6, 2010, 02:33 PM
> To the OP:
> Workgroup is not created on installation (see below), it is created when a user is added via Server Preferences.
>
> This may depend on the options you choose during installation, for example choosing "Create Users and Groups" (a novice install) may create the "Workgroup" group, but it is not created on a manual install.

Ah. I did the "novice install" first, found out that nothing was right, and then basically overrode everything, but I kept the Workgroup group as it was convenient.

Karatehero
Apr 6, 2010, 06:23 PM
Well, I'm guessing then that my share and/or server is fubar'd. That really stinks being as I just built it and got them moved to it only a few months ago.

I mean, if the permission inspector says I should have full access to a folder, and when I go to it, it says I have none - I would think something is wrong there.

Any last ditch thoughts?

calderone
Apr 6, 2010, 06:54 PM
Get a book and learn permissions?

There is no way for it to be "fubar'd." You are doing something wrong and you need to figure it out.

Karatehero
Apr 6, 2010, 09:20 PM
Well, I got one book already and read everything it said about ACEs, ACLs and POSIX stuff. I read all about inheritance, and went all through the demos they gave you. That's exactly what I have now - and it doesn't match up.

For some reason my permission inspector and the actual permissions I'm getting don't match up. I've gone to Apple already, and their suggestion is the same as always, reformat and start over. Obviously, for a company that has billions in reserve, that's a great idea, but for the rest of the world.

As I said, it appears to be fubar'd. I wouldn't be here if I didn't need help. If that's it, I honestly thank you for all your time. I just don't know where else to go.

No sarcasm intended, but honestly, thanks for helping! I just might trash all my shares and start over. I don't know what else to do!

Karatehero
Apr 6, 2010, 09:44 PM
I got it.

OSX doesn't connect to an SMB share the same way that a Windows machine does. When I connect with my Windows machine, it works fine. When I connect with my Mac machine, it's all screwed up.

I'm going to share those files via AFP also, so my Mac users can get into them and all should be good!

Thanks for the help, I really do appreciate it! I never would have thought that was the problem. Apple didn't even know!

Thanks again!

calderone
Apr 6, 2010, 11:52 PM
There are some issues in 10.6 client when connecting to SMB shares. Although I personally haven't had issues.