We have a simple filesharing setup, where iMac users connect via AFP. This morning, one user could no longer access the base folder, despite no settings being changed.
There are standard POSIX and ACL permissions applied to the folder, and another user who is in the exact same groups as this one user can access the folder with no trouble.
Server is 10.6.8 (recently upgraded from 10.5; but, in the interim there had been no troubles of note). Using the filesharing pane of the Server admin tool, I verified that the "ok" user has complete Read access in the effective access viewer; while the "bad" user only has a subset of permissions (see attached image).
I also logged in directly to the server, and via su confirmed that an error occurs when trying to access that particular directory (no error when su'd as the "ok" user).
POSIX permissions are set r-xr-x--- where the group is an inherited group of the user's main group. (Same situation for both users). ACL permissions are set to allow an admin full control, and deny writes to everyone else.
Any ideas? Deleting the "deny writes" ACL might change things; but, even if it works, I'd like to understand -why- this didn't work.
Newly added info
Checking the membership via dsmemberutil checkmembership -U USERNAME -G GROUP yields "user is not a member of the group" when it is run on the main OpenDirectory master. On clients, the same command yields "user is a member of the group".
Best Answer
While still not understanding the reason this occurred, I was able to make the problem go away by explicitly adding the user to the inherited group in Workgroup Manager, verifying it with dsmemberutil, reconnecting to the AFP share, disconnecting, and then removing the explicit group assignment. After all that, dsmemberutil still shows that the user is in the group.
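
Added example, not part of the original question or answer: a small script that runs the same dsmemberutil check on several hosts and flags the kind of disagreement described above, where the OpenDirectory master and the clients give different answers for one user and group. It assumes SSH access to every host named on the command line; the function names, the "host|output" line format and the hostnames used when calling it are illustrative.

```shell
#!/bin/sh
# Added example: compare dsmemberutil membership answers across hosts.

# Map one line of dsmemberutil output (the two strings quoted in the
# question) to yes / no / unknown.
classify() {
  case "$1" in
    *"is not a member of the group"*) echo no ;;
    *"is a member of the group"*)     echo yes ;;
    *)                                echo unknown ;;
  esac
}

# Read "host|output" lines on stdin and report whether the hosts agree.
compare_hosts() {
  y= n= u=
  while IFS='|' read -r host out; do
    [ -n "$host" ] || continue
    case "$(classify "$out")" in
      yes) y="${y:+$y }$host" ;;
      no)  n="${n:+$n }$host" ;;
      *)   u="${u:+$u }$host" ;;
    esac
  done
  verdict=CONSISTENT
  if [ -n "$y" ] && [ -n "$n" ]; then verdict=MISMATCH; fi
  printf '%s member_on=[%s] not_member_on=[%s] unknown=[%s]\n' \
    "$verdict" "$y" "$n" "$u"
}

# Assumption: each host is reachable over SSH and has dsmemberutil.
# Usage: collect USER GROUP HOST...
collect() {
  user=$1 group=$2; shift 2
  # The names are re-parsed by the remote shell, so accept only plain ones.
  case "$user$group" in
    *[!A-Za-z0-9._-]*) echo "refusing unsafe user/group name" >&2; return 2 ;;
  esac
  for h in "$@"; do
    out=$(ssh -n "$h" dsmemberutil checkmembership \
            -U "$user" -G "$group" 2>&1 | tail -n 1)
    printf '%s|%s\n' "$h" "$out"
  done
}

# Live use: sh script.sh USER GROUP HOST [HOST...]
if [ "$#" -ge 3 ]; then collect "$@" | compare_hosts; fi
```

A MISMATCH line names which hosts resolved the user as a member and which did not; hosts whose output could not be interpreted are listed under unknown rather than counted either way.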