Strange ACL inheritance behaviour

  • #381637
    sparrowhawk
    Participant

    We recently implemented a dual directory environment using OD on 10.6 Server and AD on Windows Server 2008 R2. We have an Xserve running 10.6.8 which is the OD master and also the main fileserver. Files are shared using AFP for the Macs and SMB for the PCs. When we deployed AD we had to recreate all permissions and ACLs on the fileserver, due to the new users and groups.

    However, since doing this, Macs and Windows users can no longer share files effectively. If a Windows user opens a file first, the ACLs become corrupted and they get sole ownership, so no one else can open it. If a Mac user then tries to open the file, they get ‘The application can’t be found’ followed by ‘The operation can’t be completed error -43’.

    If a Mac opens it first, then a Windows user tries to open it, they get ‘access denied contact administrator’, then if they choose not to save the file, the original file is gone leaving a temp file.

    I have some screen shots of the ACLs but can’t see a way of attaching them. The initial ACLs are a restricted group who are allowed r/w and then the rest of the staff who are denied full control.

    However, when the file is saved on a PC, an ACL is inserted for the user and the inherited group is put to the bottom of the canonical list. Therefore, the deny all staff access rule is second, so only the user who modified the file can access it.

    Has anyone seen this behaviour before?
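The ordering effect described in the post above, modelled as an added example that is not part of the original post: ACEs are walked top to bottom and a matching deny ends the walk, so an allow entry that ends up below a deny never takes effect. The user and group names, the membership table, and the reduction of "full control" to read/write are constructed assumptions.

```python
# Constructed model of ordered ACL evaluation; all names are hypothetical.
from typing import NamedTuple

class ACE(NamedTuple):
    principal: str          # user or group the entry applies to
    kind: str               # "allow" or "deny"
    perms: frozenset        # permissions covered by the entry
    inherited: bool = False

RW = frozenset({"read", "write"})   # simplification of the post's r/w and full control

# Constructed membership: the restricted group is a subset of all staff.
MEMBERS = {
    "alice": {"alice", "restricted", "staff"},
    "bob":   {"bob", "restricted", "staff"},
    "carol": {"carol", "staff"},
}

def check_access(acl, user, wanted=RW):
    """Walk ACEs in list order; the first matching deny ends the walk."""
    remaining = set(wanted)
    for ace in acl:
        if ace.principal not in MEMBERS[user]:
            continue
        if ace.kind == "deny" and remaining & ace.perms:
            return False
        if ace.kind == "allow":
            remaining -= ace.perms
            if not remaining:
                return True
    return False    # assumption: nothing outside the ACL grants access

def shadowed_allows(acl):
    """Allow ACEs that sit below a deny ACE with overlapping permissions."""
    return [ace for i, ace in enumerate(acl)
            if ace.kind == "allow"
            and any(d.kind == "deny" and d.perms & ace.perms for d in acl[:i])]

# ACL as first set up: restricted group allowed r/w, rest of staff denied.
INITIAL = [
    ACE("restricted", "allow", RW, inherited=True),
    ACE("staff", "deny", RW, inherited=True),
]
# ACL order as described after alice saves the file from a PC.
AFTER_PC_SAVE = [
    ACE("alice", "allow", RW),
    ACE("staff", "deny", RW, inherited=True),
    ACE("restricted", "allow", RW, inherited=True),
]
```

Running `shadowed_allows` over an ACL dumped from an affected file flags the entries to check first when only the last editor can still open it.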
