Solved

Permissions on a W2K server

Posted on 2004-09-03
Last Modified: 2013-11-17
We have a Win2K server that has Macintosh file shares. We have a share set up called Hand-In, and this share is used for students to connect and hand in assignments. Because we have many students attaching to this share, we want students to be able to write to the folder but not be able to read anything. We have the share set so that students have r/w rights, and security set up for list folder and write. We have the same thing set up for PC shares and this works like a champ. The problem comes when a Macintosh workstation connects. We connect using smb://servername and then use the student's AD login name and password. They then click on the share Hand-In. When they try to write a file up to the server they get an error message stating that they do not have sufficient privileges. We have tried special privileges to allow this, but it will not work until we give them the read right. However, we cannot do this because they can then read all other documents up there. I have seen many links on this issue but have never seen a resolution. We are desperate, as we do not want to set up a Macintosh file server and recreate all of our student accounts.
Question by:lbogus
15 Comments
 
LVL 7

Expert Comment

by:njxbean
So you have Mac shares and PC shares from this Win2K server? If you are connecting via SMB, why do you need a Mac (AppleTalk) share? What if they connect to the PC share using SMB? Does it work? On the other side of the coin, what if they connect to the Mac share using AppleTalk? Does it work then?
 

Author Comment

by:lbogus
You are right, we don't need the AppleTalk share when connecting via SMB. I have done some testing on the PC share and I still get the same results: access privilege errors. I have even gotten to the point now where I have given a user full control and they are still getting access privilege errors. Can a Mac do some type of caching wherein it remembers what was set up previously and is holding that information?
 
LVL 7

Expert Comment

by:njxbean
Are you connecting to this share from the same user? Does this happen from any Mac? I'm not quite sure what you mean by your caching question.
 

Author Comment

by:lbogus
Yes, I am always trying as the same user on my test mac.  My caching question was in regard to the mac that I'm on, is it possible that since I keep using this one mac and this same user that it is holding something in cache?
 

Author Comment

by:lbogus
I guess I should ask this very simple question....given the scenario of what we want to accomplish....mac and pc users only being able to write files to this share and not being able to read any files...should my permissions be set to list folder contents and write as the security?
 
LVL 7

Expert Comment

by:njxbean
To answer the first question: I don't think it is holding any user info in cache. You can, however, trash the TCP/IP preferences to make sure. I would let it list the folder contents and see if that works.
 

Author Comment

by:lbogus
We have tried the list folder contents and that will not work. When I create the share and have list and write rights, the PCs function perfectly. The Macs cannot write to the shared folder until we give them everything but full control. This is not even a possibility, as the PCs then also have all access as well as the Macs. Have we missed something completely?

 
LVL 7

Expert Comment

by:njxbean
Hmm, I can't test this right now because I am not at work, but on Tuesday I will be able to test and hopefully figure this out.
 

Author Comment

by:lbogus
I appreciate any help you can provide...this is so frustrating!
 
LVL 7

Expert Comment

by:njxbean
Been there, buddy! Been there! And it always ends up being something simply overlooked. Hey, have you tried setting up a new share and trying this? What version of Mac OS are you using to connect?
 

Author Comment

by:lbogus
I have tried many different shares and different security options to no avail. We are using Mac OS 10.3.3. I finally got mad enough to call good old Microsoft and fork over the $245 to find a fix. Should have known that would get me nowhere. I first spoke with the Macintosh services group. They had me test a share and give everyone full control, which then does allow a Mac user to write a file up to that server, but then they can also look at all the other files up there. Not an option, as we cannot have students looking at each other's assignments. So the Mac guy got the Windows NTFS permission people on the phone. I told them the deal: that I have both Windows and Mac users that get to the same share and I want them to only be able to write files to the share. He said we should use just list and write rights, which works just fine for the Windows users but not the Macs. That's when the Mac guy piped in and said that Macs have to have the read & execute, read, list and write rights in order to have enough access to write a file to a share. Imagine my thoughts at that time. That is not a workable solution at all, since that would in effect give everyone the ability to see everything on that share....hmmm...students might really like this option! So, unless you have something else up your sleeve, I think I'm in a world of hurt over here! I would love it if you actually had some magic to work in order to make this a doable option, but I feel that glimmer of hope has just faded. I at least wanted to update you on what Microsoft has told me.
 
LVL 7

Expert Comment

by:njxbean
Thanks. That is very interesting and good to know. I can't think of any tricks. The only thing I can think of is to use a Mac to serve that particular share, and it should work. Other than that I can't think of anything. You may want to try the Mac networking area or Win2K server area. Maybe they will know some tricks. If you ever do figure out a workaround, definitely let me know. Good luck!
 
LVL 23

Accepted Solution

by:
brettmjohnson earned 500 total points
I would set up a Mac to act as a "Turn-In" server for Macintosh clients.
Mac OS X can authenticate its users against an Active Directory domain,
so you won't have to duplicate all the accounts.

I would also configure the Mac with a FolderAction, or rsync, to automatically
synchronize its "Turn-In" folder with the one on the Windows server.

Or you could set up the Mac to be the Turn-In server for both Macs and PCs.

 
LVL 8

Expert Comment

by:Andrew Duffy
Alternatively, if you have access to any web programmers you could set up a simple web page allowing students to browse files on their computer, select their document(s) and then 'submit' them to a dedicated area on the server. You would effectively be providing a 'front end' for the traditional file-copying routine. Considering your main issue here is a lack of platform compatibility, use a platform both Macs and PCs are compatible with and bingo, it works.

It also means you get to store all the files in one location - PC users could continue to use the traditional method or they could use the web system too. I hope this is workable.
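
A sketch of the server-side storage step for the web hand-in front end suggested above, as an added example that is not part of the original post: each submission lands in a per-student folder under a fresh name, nothing is overwritten, and nothing is ever read back to the submitter. The names `safe_name` and `store_submission` and the folder layout are hypothetical, and the student name is assumed to be the login the web server has already authenticated.

```python
import os
import re
import time

# Anything outside this set is replaced, so the result is one plain path component.
UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def safe_name(client_value):
    """Reduce a client-supplied name to a single safe path component."""
    # Drop any directory part, whether the client used / or \ as separator.
    base = client_value.replace("\\", "/").rsplit("/", 1)[-1]
    # Replace unusual characters and strip leading dots ('..', hidden files).
    base = UNSAFE_CHARS.sub("_", base).lstrip(".")
    if not base:
        raise ValueError("name is empty after sanitising")
    return base[:100]


def store_submission(root, student, filename, data):
    """Store one hand-in under root/<student>/ and return its relative path.

    Write-only semantics: an existing file is never opened, replaced or
    returned, so one student cannot read or clobber another's work.
    """
    student_dir = os.path.join(root, safe_name(student))
    os.makedirs(student_dir, mode=0o700, exist_ok=True)
    stamp = time.strftime("%Y%m%dT%H%M%S")
    name = safe_name(filename)
    for attempt in range(100):
        suffix = "" if attempt == 0 else "-%d" % attempt
        path = os.path.join(student_dir, "%s%s_%s" % (stamp, suffix, name))
        try:
            # O_EXCL makes creation fail if the name exists: no overwrite.
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        except FileExistsError:
            continue
        with os.fdopen(fd, "wb") as handle:
            handle.write(data)
        return os.path.relpath(path, root)
    raise RuntimeError("too many submissions with the same name")
```

The account that runs the web application is the only one that needs NTFS write access to the storage folder; students need no rights on it at all.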
 

Author Comment

by:lbogus
It looks like our only solution will be to use the Mac server for the hand-in/hand-out. It was something we wanted to avoid, as it is just another piece in the puzzle and we thought we could do it all with Microsoft, but not to be. Thanks to everyone for the suggestions and help. I will note that Apple does have a WebDAV solution for all of this called Universal Locker. We are in pilot testing currently and it will become our overall solution; we needed a short-term solution in the meantime, but Microsoft couldn't come through. I'm sure if anyone is interested in seeing more about Universal Locker you could look on Apple's website....I think this will really become an effective solution for many schools.