Avatar of LappiMA
LappiMA
Flag for United States of America asked on

OS X Lion Users cannot access _some_ Windows File Shares

I have 3 users in my environment who run Mac's.  Prior to upgrading a few months ago to Lion, they could access our network share drives without (to many) issues.  Now, they are unable to access a few critical file shares.  

The computers are bound to AD.

They need to connect to shares on 2 machines:

1 - the department manager who uses Windows 7 and we have a folder shared on her computer, they can access this share with no problem.

2 - our primary file storage server which is where we are having some issues.  There are three shares that are needed:
     \\myserver\data
      \\myserver\home\additionalpath\username
      \\myserver\advertising


The group in question, and the users of the Mac’s, all have full control over the advertising share at the NTFS level and via the share permissions.  The Mac’s can connect to this share without any problems hassle or difficulty.  

\\myserver\data      Share permissions allow all domain users to have full control over the share, NTFS permissions are significantly different.  They allow domain users to list folders and read files but they cannot open the majority of folders.  We have some “common use” folders on this share which everybody has access to, some are read everything, some are read/write everything, but you only have access to the folders that your department group has been given access to.  In the case of all the users and machines in question, they should be able (and used to before upgrading to Lion) see the folders, look in the ones they had access to and there is an additional “Advertising” folder under data which they have full control over.  Not only can we not use finder to access \\myserver\data, we cannot use connect to server and jump / mount directly to \\myserver\data\advertising.

\\myserver\home\...\username -- this share is even more restricted,  users are not allowed to access anything other than their directory and they do not have list permissions.  Our windows logon scripts (and Active directory home directory mappings) drill all the way down to the users home directory.  The … indicates location number, department.  In the case of these users their full path would be \\myserver\home\98\B\adv\username   the users have full control over their direcoty but again, we cannot use “connect to server” and open the directory.  I would not expect finder to allow you to drill up or down since users do not have list permissions.

Again, this stuff worked fine before we switched to Lion.

I’m not sure if there are additional modules I need to install on either the macs or on my server.  If the user logs into a windows PC, they have access to everything they need on these shares.  In the past I have had some issues with Macs and non windows clients communicating with file shares if the shares were hosted on domain controllers but that is not the case here and both the macs and file server are domain members.

If I reset the user’s domain password that password has to be used on the macs so I know that they’re authenticing and our web proxies and web filters see valid logon events from the macs hitting the DC’s for logon events which is how they associate traffic to users so I’m pretty confident that the macs are getting their authentication tokens properly.

I’m not sure of my next steps to even check,  Apple support is no help.  Granting full control of the share to this group is not a solution.

Any ideas?
      .
Windows Server 2008Mac OS XMicrosoft Server OS

Avatar of undefined
Last Comment
LappiMA

8/22/2022 - Mon
schaps

There was a change in the behavior with Mac OS X 10.7 with a change in permissions needed to have the same result when opening an SMB share. I can't explain it any better than this Apple document outlines: http://support.apple.com/kb/HT4829

If that does not help you, I'll try further.
ASKER CERTIFIED SOLUTION
Mark_Verhyden

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
LappiMA

ASKER
I've not had a chance to try the terminal command in the KB from schaps, I hope to on Wednesday.  I think that the KB accurately describes the issue that I'm having.

Mark_V... - All updates are installed and their authentication seems to be working fine for the most part except for one other problem which I'll open a separate thread on.  they can use shares on the file server where they have full access to the root level shares, but that is not the way 90% of our network is setup.

--Mark
Experts Exchange has (a) saved my job multiple times, (b) saved me hours, days, and even weeks of work, and often (c) makes me look like a superhero! This place is MAGIC!
Walt Forbes