After Catalina upgrade and server to 5.9, AFP ACL access locked, SMB access ok


After upgrading a file sharing server to macOS 10.15.3 and Server 5.9, we can mount our shared volumes via AFP but cannot open them because of permissions.

We can access them through SMB but are then having a very old issue (documented somewhere else in this forum I think) where ACLs have to be propagated again up to 10 times a day.

Remote access to the shares with SMB is also complicated due to classic 445 port issues that we don't have with AFP (port 549).

What I have tried:

  • Propagated permissions via "view info" screen

  • Propagated permissions with TinkerTool

  • Removed permissions with TinkerTool

  • Again propagated permissions with TinkerTool

  • Removed, restarted then reinstated all the shares/users-groups in File Sharing/prefs panel.

  • Restarted server several times

To no avail, problem is still there. What other things should I try?

Best Answer

The problem has been solved after investigating the sharing, groups & users and permissions setup with a remote desktop app.


All shared folders resided on an external drive which was an old system drive. Remnants could be found, like /bin, /sbin, /usr (the usual symlink suspects) and some other files and folders (all invisible). The groups & users were properly set up. Permissions for the disk and files & folders were set (but rather unclear to me).

The basic problem/bug couldn't be found, because time was short (and I was lazy).


My proposal was to build everything from scratch:

  1. Add an admin to each sharing group (if not done already)
  2. Disable sharing for the drive (or the shared folders)
  3. Copy all shared folders to a second external drive, remove all ACLs and use (sudo) chown ... -R ... to reset all major folders and their content to adminuser:admin
  4. Format the external drive to JHFS+
  5. Create as adminuser a main folder Shared on the drive:

    mkdir /Volumes/ExternalDrive/Shared
    ls -ale /Volumes/ExternalDrive/Shared
    total 0
    drwxr-xr-x   2 adminuser  admin   68 Feb 11 18:55 .
    drwxrwxr-x  10 root       admin  408 Feb 11 18:55 ..
    
  6. Copy all major subfolders back to /Volumes/ExternalDrive/Shared

    Example/Result:

    ls -ale /Volumes/ExternalDrive/Shared
    total 0
    drwxr-xr-x   4 adminuser  admin  136 Feb 11 19:10 .
    drwxrwxr-x  10 root       admin  408 Feb 11 18:55 ..
    drwxr-xr-x   2 adminuser  admin   68 Feb 11 19:10 develop
    drwxr-xr-x   2 adminuser  admin   68 Feb 11 19:10 finance
    
  7. Apply chmod 750 to the main subfolders:

    chmod 750 /Volumes/ExternalDrive/Shared/develop
    chmod 750 /Volumes/ExternalDrive/Shared/finance
    
  8. Apply group ACLs (I named the dev group develop and the fin group finance - like the folders)

    Examples (the example ACL allows full access to all sub-subfolders - every user of the respective group can really do anything, so be aware/fine tune it):

    chmod -R +a "group:develop allow readattr,writeattr,readextattr,writeextattr,readsecurity,list,search,add_file,add_subdirectory,delete_child,file_inherit,directory_inherit" /Volumes/ExternalDrive/Shared/develop
    chmod -R +a "group:finance allow readattr,writeattr,readextattr,writeextattr,readsecurity,list,search,add_file,add_subdirectory,delete_child,file_inherit,directory_inherit" /Volumes/ExternalDrive/Shared/finance
    

    Result:

    ls -ale /Volumes/ExternalDrive/Shared
    total 0
    drwxr-xr-x   4 adminuser  admin  136 Feb 11 19:10 .
    drwxrwxr-x  10 root       admin  408 Feb 11 18:55 ..
    drwxr-x---+  2 adminuser  admin   68 Feb 11 19:10 develop
     0: group:develop allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
    drwxr-x---+  2 adminuser  admin   68 Feb 11 19:10 finance
     0: group:finance allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
    
  9. Enable (AFP) sharing for the Shared folder or share each main subfolder (i.e. develop, finance etc.)

    In the first case all users can access the Shared but have no or restricted access to subfolders. Example (member of the develop group opens the share - other groups' members have no access at all, except if a user is member of several groups and develop is one of them)

    Shared/develop

    In the second case (e.g. sharing develop and logging in as member of the develop group)

    develop

  10. If you need to have personalized sub-subfolders (access for one user of the group only), you have to stop the "global" group ACL and add a new user ACL.

AFP sharing worked again afterwards.
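As an added example (not part of the original answer), here is a shell audit of the layout the answer builds: it parses `ls -ale` output in the format shown in the Result of step 8 and flags each top-level subfolder whose mode is not 750 with the ACL marker, whose ACE names a different group than the folder, or whose ACE lacks one of the rights used in step 8. The listing it runs on is constructed; folder and group names follow the answer.

```shell
# Added example, not part of the original answer: audit the Shared layout built
# above by parsing `ls -ale` output (macOS format, as in the Result of step 8).
# For every top-level subfolder it checks that the mode is drwxr-x--- with the
# ACL marker '+', and that an ACE "group:<folder> allow ..." grants each right
# used in step 8. Group names equal folder names, as the answer assumes.

REQUIRED_RIGHTS="list search add_file add_subdirectory delete_child readattr writeattr readextattr writeextattr readsecurity file_inherit directory_inherit"

# ace_string GROUP -> the chmod +a argument from step 8 for that group
ace_string() {
    printf 'group:%s allow %s\n' "$1" "$(printf '%s' "$REQUIRED_RIGHTS" | tr ' ' ',')"
}

# audit_listing < listing -> one line per subfolder: "<name> OK" or "<name> <problem>"
audit_listing() {
    awk -v req="$REQUIRED_RIGHTS" '
    BEGIN { nreq = split(req, want, " ") }
    function emit() { if (cur != "") print cur, status }
    /^d/ {                                     # a directory entry
        emit(); cur = $NF; status = "MISSING-ACE"
        if (cur == "." || cur == "..") { cur = ""; next }
        if ($1 != "drwxr-x---+") status = "BAD-MODE " $1
        next
    }
    /^ *[0-9]+: / {                            # ACE line of the entry above
        if (cur == "" || status != "MISSING-ACE") next
        if ($2 != ("group:" cur)) { status = "WRONG-PRINCIPAL " $2; next }
        if ($3 != "allow")        { status = "NOT-ALLOW " $3; next }
        n = split($4, have, ","); split("", seen)
        for (i = 1; i <= n; i++) seen[have[i]] = 1
        for (i = 1; i <= nreq; i++)
            if (!(want[i] in seen)) { status = "MISSING-RIGHT " want[i]; next }
        status = "OK"
    }
    END { emit() }'
}

# Constructed listing: develop is correct, finance never got the ACL applied,
# and hr carries an ACE that names the wrong group (a cross-group exposure).
SAMPLE_LISTING='total 0
drwxr-xr-x   4 adminuser  admin  136 Feb 11 19:10 .
drwxrwxr-x  10 root       admin  408 Feb 11 18:55 ..
drwxr-x---+  2 adminuser  admin   68 Feb 11 19:10 develop
 0: group:develop allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
drwxr-x---   2 adminuser  admin   68 Feb 11 19:10 finance
drwxr-x---+  2 adminuser  admin   68 Feb 11 19:10 hr
 0: group:develop allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit'

# Stand-alone run; on the server pipe `ls -ale /Volumes/ExternalDrive/Shared` in instead.
printf '%s\n' "$SAMPLE_LISTING" | audit_listing
```

Running it on the constructed listing reports `develop OK`, `finance BAD-MODE drwxr-x---` and `hr WRONG-PRINCIPAL group:develop`, which is the kind of drift to look for when ACLs stop behaving after an upgrade.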