ACL and Groups/Volume issue
February 1, 2006 at 10:22 am #365073
richserve
This is a post I’ve mailed to Apple’s macos-x-server list; it doesn’t appear to be posting there for some reason:
I’m running a modest Xserve setup for art staff and students. I recently enabled ACLs on two server volumes. I wanted to employ them for one shared directory only. In so doing I have a problem I want to solve and several questions raised so far.
In brief: Xserve G5 running 10.4.4 (updated yesterday), 3 volumes: Server HD (system), ART (network home folders), ART2 (network home folders). Last summer, the server was 10.3.9. I made an ASR image of Server HD, installed it on an iMac G5, tested an update of 10.4 Server. This worked OK so I Archived and Exported the LDAP database from the iMac 10.4 updated server.
Clean installed 10.4 onto the Xserve, set up Open Directory (Master) and AFP. DNS/DHCP comes from our Windows PDC. There is a reverse FQDN entry for the Xserve. Finally I imported the LDAP database, set up the sharepoint back to the ART volume for home folders (ART/homes) and everything was OK for the users generated previously under 10.3.9.
I then installed the second volume ART2 and set up a share for home folders for new users (ART2/intake2005). New users since Sept 2005 have home folders here.
There is an ArtStaff group, a Technicians group and several groups based on courses i.e. NDMedia, NDGraphics, NDDesign etc. All staff are either ArtStaff or Technicians, all students are in a course group. No one is a member of more than one group, so all group membership is primary.
I’ve decided to employ ACLs to control access to a shared directory which lives in ART/homes alongside the home folders: ART/homes/art&design.
The problem I’m hitting seems to be that new users whose home is on ART2/intake2005 do not have ACL permissions enforced, but users whose home is on the ART/homes volume (i.e. users originally created under 10.3.9) do have ACL permissions enforced.
The ACLs are for the art&design folder and its subfolders. Simply: ArtStaff and Technicians Full Control (inherited across all). All student groups have no ACE for the art&design shared folder itself which means POSIX Everybody only allows Read. Good. Within the art&design folder are folders for each course (hence for each group, but they’re not system ‘Group Folders’) i.e. NDMedia has an NDMEDIA folder. There is an ACE for each course folder for the relevant course to Read/Write. This works for every group member whose home is stored on ART/homes but not for group members of the same group with a home in the newer ART2/intake2005.
I’m stuck now. The Effective Permissions Inspector shows working ACE permissions for everyone, regardless of home folder location, but the user experience is different as outlined above. I’ve added two new test users to a group, one with a home in ART/homes and one in ART2/intake2005. The issue prevails.
One thing I noticed in the WGM/Inspector for Users is that the users created under 10.3.9 who were upgraded to 10.4 then exported/imported to the clean server install of 10.4 have no FirstName attribute and their LastName attribute entry is 99. Users created directly under 10.4 (homes on ART2/intake2005) have a correct FirstName / LastName entry.
Thanks for any comments/support