Group folders write-protected on client — but not on server
November 24, 2002 at 11:39 pm #354799
tomster
Participant
thanks to joel's excellent tip re guest access to enable automounting (and thus group folders) i finally got it set up:
users with networked home folders and groups with group folders in /Groups all in netinfo/root — cool.
users log in and not only can find their desktop patterns and other settings but can also navigate /Network/Servers/… to find the group folder pre-mounted — no more endless ‘apple-k’ sessions every time to get to the server, yippi.
however, the folders are write-protected!
my first response was, of course to check the permissions: but
a) each user in question is in fact a member of the appropriate group
b) each and every file and folder within the group folder is owned by the group and the group has write-access as well as execution rights on the folders
c) doing a su - in the terminal i cd’ed into the directory and all was swell: deleted a few files, created some new ones (touch foo.txt)
one big reason to actually set up group folders was that my users shouldn’t need to manually give group-write-rights to each file they create — and now they don’t even have write-access to their own files…
any hints?
tia,
tom
November 25, 2002 at 12:28 am #354800
waterman
Participant
Tomster,
I think I have a similar problem with my set up too. I’m sharing a few sharepoints under the Shared Items folder in the path:
/Network/Servers/Xserve1/"Shared Items"/
Depending on the user that logs in, s/he should have access to different folders in the Shared Items. But, as it is now, the appropriate permissions are not being given. For example, I have a Producers folder that is set to automount for users in the Producers group, and Support folder for members of the Support group. The owner of these sharepoints is root and the appropriate groups are given rw permission for the folders. But, when I log in as, say, a member of the Producers group, I don’t have access to the Producers folder (ie, it says there are 0 items in that folder). Strangely, I do have access to two other folders that I shouldn’t even have permission to view!
This feature is going to be very much appreciated by the people at work here once I get the bugs worked out.
November 25, 2002 at 1:14 am #354801
tomster
Participant
[quote="waterman"]But, as it is now, the appropriate permissions are not being given. For example, I have a Producers folder that is set to automount for users in the Producers group, and Support folder for members of the Support group. The owner of these sharepoints is root and the appropriate groups are given rw permission for the folders. But, when I log in as, say, a member of the Producers group, I don’t have access to the Producers folder (ie, it says there are 0 items in that folder). Strangely, I do have access to two other folders that I shouldn’t even have permission to view![/quote]
ack. i think we’re experiencing similar symptoms with an identical cause, something i would call user mismatch. apparently, it’s a big issue even on apple’s own developer lists… without knowing yet, what it is exactly in your case (or mine) the principle is this:
user ‘admin’ on system ‘server’ has the id ‘501’, user ‘johndoe’ has id ‘502’.
now: user ‘johndoe’ on system ‘client’ happens to have id ‘501’…
now what happens, when johndoe logs onto the server? the answer (seemingly) is “it depends[tm]”…
in my case, when i’m logged into the server the permissions are as follows:
[code]
> ssh jana@highflyer
jana@highflyer's password:
Welcome to Darwin!
sh-2.05a$ cd /Volumes/Copper/Groups/grafik/
sh-2.05a$ ls -la
total 25112
drwxrwxrwx 13 grafik grafik 442 Nov 25 02:00 .
drwxrwxr-x 9 root staff 306 Nov 25 00:49 ..
drwxrwxrwx 12 grafik grafik 408 Nov 23 15:54 currrent
drwxrwxrwx 32 grafik grafik 1088 Nov 12 12:24 fonts
-rw-rw-r-- 1 grafik grafik 0 Nov 21 16:32 foo.txt
sh-2.05a$ touch jana.txt
sh-2.05a$ ls -la jana.txt
-rw-r--r-- 1 jana grafik 0 Nov 25 02:02 jana.txt
sh-2.05a$ ls -lan jana.txt
-rw-r--r-- 1 1034 1026 0 Nov 25 02:02 jana.txt
sh-2.05a$ exit
logout
Connection to highflyer closed.
[/code]
now, when i log onto a client with the same account (i.e. the user is not defined locally but exists in the same domain — netinfo/root) i get this:
[code]
> ssh jana@mediadesk
jana@mediadesk's password:
Welcome to Darwin!
sh-2.05a$ cd /Network/Servers/Highflyer/Volumes/Copper/Groups/grafik/
sh-2.05a$ ls -la
total 25184
drwxrwxrwx 14 admin unknown 432 Nov 25 02:02 .
dr-xr-xr-x 9 admin unknown 264 Nov 25 00:49 ..
drwxrwxrwx 12 admin unknown 364 Nov 23 15:54 currrent
drwxrwxrwx 32 admin unknown 1044 Nov 12 12:24 fonts
-r--r--r-- 1 admin unknown 0 Nov 21 16:32 foo.txt
-r--r--r-- 1 admin unknown 0 Nov 25 02:02 jana.txt
sh-2.05a$ ls -lan
total 25184
drwxrwxrwx 14 501 99 432 Nov 25 02:02 .
dr-xr-xr-x 9 501 99 264 Nov 25 00:49 ..
drwxrwxrwx 12 501 99 364 Nov 23 15:54 currrent
drwxrwxrwx 32 501 99 1044 Nov 12 12:24 fonts
-r--r--r-- 1 501 99 0 Nov 21 16:32 foo.txt
-r--r--r-- 1 501 99 0 Nov 25 02:02 jana.txt
sh-2.05a$
[/code]
see, not only is the ownership different (i.e. admin/501 instead of jana/1034) but so are the permissions!! (i.e. -r--r--r-- instead of -rw-r--r--)
wtf? i’m totally puzzled, this is not at all, what i expected… and the manual is just no help…
perhaps somebody round here?
still hoping,
tom
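Added example, not part of the thread: a shell function that compares `ls -lan` output taken on the server with the same directory listed through the client's mount and reports every entry whose numeric owner, group or mode differs, as in the two sessions above. The client rows are the ones posted above; the server rows are constructed (only jana.txt's 1034/1026 comes from the thread, uid 1030 is an assumed value), and `compare_listings` and `demo` are hypothetical names.

```shell
#!/bin/sh
# compare_listings SERVER_LS CLIENT_LS: both files hold `ls -lan` output for
# the same directory, once on the server and once through the client mount.
compare_listings() {
    awk '
        # Skip "total" lines and anything that is not a directory entry.
        NF < 9 || length($1) < 10 || $1 !~ /^[-dl]/ { next }
        {   # Rebuild the name so that names containing spaces survive.
            name = $9; for (i = 10; i <= NF; i++) name = name " " $i
        }
        name == "." || name == ".." { next }
        FNR == NR {                      # first file: the server listing
            mode[name] = $1; owner[name] = $3 ":" $4
            if (!(owner[name] in sids)) { sids[owner[name]]; ns++ }
            next
        }
        !(name in mode) { next }         # compare only entries seen on both
        {
            id = $3 ":" $4
            if (!(id in cids)) { cids[id]; nc++; last = id }
            if (id != owner[name] || $1 != mode[name])
                printf "%s: owner %s -> %s, mode %s -> %s\n",
                       name, owner[name], id, mode[name], $1
        }
        END {   # many identities on the server, exactly one on the client
            if (ns > 1 && nc == 1)
                print "COLLAPSED: client shows every entry as " last
        }
    ' "$1" "$2"
}

demo() {
    # Server rows are constructed (uid 1030 assumed); client rows are from the thread.
    d=$(mktemp -d) || return 1
    cat > "$d/server" <<'EOF'
total 25112
drwxrwxrwx 32 1030 1026 1088 Nov 12 12:24 fonts
-rw-rw-r--  1 1030 1026    0 Nov 21 16:32 foo.txt
-rw-r--r--  1 1034 1026    0 Nov 25 02:02 jana.txt
EOF
    cat > "$d/client" <<'EOF'
total 25184
drwxrwxrwx 14 501 99  432 Nov 25 02:02 .
drwxrwxrwx 32 501 99 1044 Nov 12 12:24 fonts
-r--r--r--  1 501 99    0 Nov 21 16:32 foo.txt
-r--r--r--  1 501 99    0 Nov 25 02:02 jana.txt
EOF
    compare_listings "$d/server" "$d/client"
    rm -rf "$d"
}
demo
```

Run against real listings by saving `ls -lan` from each side to a file and passing the server file first; a COLLAPSED line means the client sees a single uid:gid where the server has several.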
November 25, 2002 at 8:53 am #354803
Anonymous
Participant
[quote="MacTroll"]You are getting to the heart of this issue in the last post.[/quote]
yes, it always helps to ask the right question, doesn’t it? and thanks to waterman for showing me that i was asking the wrong one! i just love, the way helping each other even works by asking and not only answering… 😉
[quote="MacTroll"]So the moral of all this is if you want a read/write space for a group, don’t define it yourself but let the server do the work. Otherwise use the automounting sharepoints for read only things, like fonts, or for items that everyone should be able to read/write just set the permissions accordingly.[/quote]
in anticipation of some such answer 😉 i wisely set up a ‘Test Group’ / testgrp yesterday before posting my question to see whether the server will do some ‘overnight creation magic’ and lo and behold, look what happened while i was sleeping:
[code]
[Highflyer:/Volumes/Copper/Groups] admin% ll
total 16
drwxrwxrwx 14 grafik grafik 476 Nov 25 02:02 grafik
drwxrwxrwx 22 0x0A 0x5 redaktio 748 Nov 24 23:13 redaktion
drwxr-xr-x 5 tomholio testgrp 170 Nov 25 03:15 testgrp
[Highflyer:/Volumes/Copper/Groups] admin% ll testgrp/
total 0
drwxr-xr-x 5 tomholio testgrp 170 Nov 25 03:15 .
drwxrwxr-x 10 root staff 340 Nov 25 03:15 ..
drwxr-x--- 2 tomholio testgrp 68 Nov 25 03:15 Documents
drwxr-x--- 2 tomholio testgrp 68 Nov 25 03:15 Library
drwxrwxr-x 3 tomholio testgrp 102 Nov 25 03:15 Public
[Highflyer:/Volumes/Copper/Groups] admin%
[/code]
of course, when i log in from a client, i’m still just a guest. but i’ll try turning off automount and/or guest access on the /Groups folder.
but for now i.e. today when the editors are coming in for work (yes, this is a production system…) i’ll set the folders in question to world-writeable, then they (as guests) should be able to edit their files, i hope…
[quote="MacTroll"]Again, I believe that the wonderful engineers at Apple are currently discussing this issue and coming up with a comprehensive solution. Much like the default umask and the lack of configuration options, but that is another story.[/quote]
i personally can’t help but think, that something so basic as user and group rights should have been thought through to the end before launching a commercial product — this is 10.2 fcol! oh, well: love it or leave it (and no, i won’t leave it…) *eg*
oh, but do tell me more about that ‘default umask’!!! so far i’ve found out (‘man umask’…) that it does what i want (i.e. umask 002 gives me the desired effect) but not where, i.e. a) only in the terminal and b) only for the currently logged in user.
got any wisdom on that?
thanks for your great post and the time you took to write it!
tom