After upgrading a file sharing server to macOS 10.15.3 and Server 5.9, we can mount our shared volumes via AFP but cannot open them because of permissions.
We can access them through SMB but are then having a very old issue (documented somewhere else in this forum I think) where ACLs have to be propagated again up to 10 times a day.
Remote access to the shares with SMB is also complicated due to classic 445 port issues that we don't have with AFP (port 549).
What I have tried:
- Propagated permissions via "view info" screen
- Propagated permissions with TinkerTool
- Removed permissions with TinkerTool
- Again propagated permissions with TinkerTool
- Removed, restarted then reinstated all the shares/users-groups in File Sharing/prefs panel.
- Restarted server several times
To no avail, problem is still there. What other things should I try?
Best Answer
The problem has been solved after investigating the sharing, groups & users and permissions setup with a remote desktop app.
All shared folders resided on an external drive which was an old system drive. Remnants could be found like a /bin, /sbin, /usr the usual symlink suspects and some other files and folders (all invisible). The groups & users were properly set up. Permissions for the disk and file & folders were set (but rather unclear to me).
The basic problem/bug couldn't be found, because time was short (and I was lazy).
My proposal was: building everything from scratch
(sudo) chown ... -R ...
to reset all major folders and their content to adminuser:admin
Create as adminuser a main folder Shared on the drive:
Copy all major subfolders back to /Volumes/ExternalDrive/Shared
Example/Result:
Apply chmod 750 to the main subfolders:
Apply group ACLs (I named the dev group develop and the fin group finance - like the folders)
Examples (the example ACL allows full access to all sub-subfolders - every user of the respective group can really do anything, so be aware/fine tune it):
Result:
Enable (AFP) sharing for the Shared folder or share each main subfolder (i.e. develop, finance etc.)
In the first case all users can access the Shared but have no or restricted access to subfolders. Example (a member of the develop group opens the share - other groups' members have no access at all, except if a user is a member of several groups and develop is one of them)
In the second case (e.g. sharing develop and logging in as member of the develop group)
AFP-Sharing worked again afterwards.
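The command listings of the answer above did not survive on this page, so here is the rebuild procedure as an added example (not the answerer's own commands). The owner `adminuser:admin`, mode 750, the `/Volumes/ExternalDrive/Shared` path and the `develop`/`finance` groups come from the answer; the `rebuild_share` and `run` helpers, the `chmod -R -N` reset step and the exact ACL rights are assumptions, with the rights chosen narrower than "full access" by leaving out `writesecurity` and `chown`.

```shell
#!/bin/sh
# Added example, not the answerer's commands. Intended for the macOS server;
# run as root (sudo) with DRY_RUN=0 once the printed plan looks right.
OWNER="adminuser:admin"   # owner:group named in the answer

# Assumed ACE rights (constructed for this example): group members may list,
# read, create, modify and delete, and new items inherit the entry. On files
# list/add_file/search/add_subdirectory act as read/write/execute/append.
# writesecurity and chown are left out, so members cannot change
# permissions or ownership.
ACE_RIGHTS="list,search,add_file,add_subdirectory,delete_child,delete"
ACE_RIGHTS="$ACE_RIGHTS,readattr,writeattr,readextattr,writeextattr"
ACE_RIGHTS="$ACE_RIGHTS,readsecurity,file_inherit,directory_inherit"

# Print the command as a trace line in dry-run mode (default), else run it.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# rebuild_share ROOT GROUP...  (each GROUP has a subfolder ROOT/GROUP)
rebuild_share() {
    if [ $# -lt 2 ]; then
        echo "usage: rebuild_share ROOT GROUP..." >&2
        return 2
    fi
    root=$1; shift
    run chown -R "$OWNER" "$root" || return 1
    for grp in "$@"; do
        dir="$root/$grp"
        run chmod 750 "$dir" || return 1      # owner rwx, group r-x, others none
        run chmod -R -N "$dir" || return 1    # added step: drop stale ACLs first
        run chmod -R +a "group:$grp allow $ACE_RIGHTS" "$dir" || return 1
        run ls -led "$dir"                    # show mode and ACL of the folder
    done
}

# Stand-alone use: sh rebuild_share.sh /Volumes/ExternalDrive/Shared develop finance
if [ $# -ge 2 ]; then
    rebuild_share "$@"
fi
```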