Mac Share Permissions Help!

Discussion in 'Mac OS X Server, Xserve, and Networking' started by 2fs2ns, Jul 9, 2009.

  1. macrumors newbie

    Joined:
    Oct 16, 2007
    #1
    We've got an XServe setup for our mac file shares. The security is integrated with our Active Directory (windows) servers. We created a security group in Active Directory for all of the users that need access to those file shares.

    In the workgroup manager on the server, the security group is setup on that file share with Read/Write permissions, and Everyone is setup with Read/Write permissions.

    However when we save a file into that share from a PC, the Everyone permission is set to None, so some of the mac's over there cannot access the files she saves.

    Is there a way in the workgroup manager to reset that Everyone permission setting to Read/Write instead of None?
     
  2. Moderator emeritus

    yellow

    Joined:
    Oct 21, 2003
    Location:
    Portland, OR
    #2
    Which version of Mac OS X Server are you running? Must be 10.4.x, since Sharing was moved to Server Admin in 10.5.

    In WorkGroup manager you can propagate permissions to children from the gear menu at the bottom right.

    So, can I assume that this AD group is in the ACL for the share? You might want to consider "Full Control" for the group's permissions, rather than R/W and leave the Everyone POSIX permissions are None. If you've bothered to create a security group in AD with specified users for the share, setting Everyone to R/W pretty much throws your security out the window.
     
  3. thread starter macrumors newbie

    Joined:
    Oct 16, 2007
    #3
    Max OS X Server
    10.4.11

    Just a little background...I'm a Windows/PC guy, the Mac guru got let go and this was all dropped in my lap. Doing my best to figure it out...

    In the Workgroup manager, when I click the share point, I can see the Access permissions on the right side of the screen.

    The first box is Owner - currently that is set to admin, with permissions of Read/Write.
    The second box is Group, that is set to domain\serveraccessgroup, with permissions of Read/Write.
    The third item is Everyone, with permissions of Read/Write.

    The Access Control List below is empty.

    Also, when I propagate permissions on the folders, it fixes the Everyone permission from None to Read/Write, allowing the mac users to see her files.
    They are all members of that security group though. Does the Everyone permission group override the group permission level?

    [​IMG]
     
  4. Moderator emeritus

    yellow

    Joined:
    Oct 21, 2003
    Location:
    Portland, OR
    #4
    Yeah, that's all POSIX stuff and really not helpful to you.
    I suggest creating a local user & group, just to fill in those fields and have a static user/group for read/write.
    Add your AD group to the POSIX group and it'll make your life easier.

    Set Everyone to no access for safety.

    Now in the Access Control List field, click the Users & Groups button, at the top of the slide window, there's a little world symbol that shows you what type of Directory it's attached to, probably the local default. Clicking on that should show your AD directory (if configured correctly). Switch to that and then find your "Security Group" in the AD groups (the tab with multiple people on it).
    Drag & Drop that to the ACL field. Change the Permission field to "Full Control".
    hit the Save button at the bottom of the Window.
    Now hit the Gear icon at the bottom and choose "Propagate Permissions.."

    Now the corrected POSIX ugo permissions, and ACL will be applied to the share and it's contents. Now all you have to manage is the users in the AD group and it'll always be correct on the Mac share without you constantly having to fiddle with permissions on the share.
     
  5. macrumors 68030

    Les Kern

    Joined:
    Apr 26, 2002
    Location:
    Alabama
    #5
    PERFECTLY stated. I would merely add that it's really a good rule to always use ACL's and leave POSIX behind.
     
  6. thread starter macrumors newbie

    Joined:
    Oct 16, 2007
    #6
    I tried to drag/drop the AD security group into the ACL window, and it doesn't go.

    Here are some of the other security settings...maybe they have something to do with that?

    [​IMG]

    [​IMG]

    PS: Thanks for the help!
     
  7. Moderator emeritus

    yellow

    Joined:
    Oct 21, 2003
    Location:
    Portland, OR
    #7
    No, the protocols don't matter for the moment and don't have any bearing on the permissions.

    You need to make sure you're authenticated as a admin in WorkGroup Manager. And you're dragging and dropping from the Users & Groups window connected to the AD domain, right?

    If you click on the General tab, "Share this item and it's contents" is checked, as is "Enable Access Control Lists on the Volume" (which is likely grayed out), right?
     

    Attached Files:

  8. thread starter macrumors newbie

    Joined:
    Oct 16, 2007
    #8
    Yeah, I'm logging into the workgroup manager as the admin. And yes, I'm dragging the group out of the AD list of groups. I even tried some user accounts, and they won't drop in either.
     
  9. Moderator emeritus

    yellow

    Joined:
    Oct 21, 2003
    Location:
    Portland, OR
    #9
    Sorry I added this late to the last post.

     

Share This Page