Solved

OS X Lion Users cannot access _some_ Windows File Shares

Posted on 2012-12-20
Last Modified: 2013-07-01
I have 3 users in my environment who run Macs.  Prior to upgrading a few months ago to Lion, they could access our network share drives without (too many) issues.  Now, they are unable to access a few critical file shares.  

The computers are bound to AD.

They need to connect to shares on 2 machines:

1 - the department manager who uses Windows 7 and we have a folder shared on her computer, they can access this share with no problem.

2 - our primary file storage server which is where we are having some issues.  There are three shares that are needed:
     \\myserver\data
     \\myserver\home\additionalpath\username
     \\myserver\advertising


The group in question, and the users of the Macs, all have full control over the advertising share at the NTFS level and via the share permissions.  The Macs can connect to this share without any problems, hassle or difficulty.  

\\myserver\data      Share permissions allow all domain users to have full control over the share; NTFS permissions are significantly different.  They allow domain users to list folders and read files but they cannot open the majority of folders.  We have some “common use” folders on this share which everybody has access to, some are read everything, some are read/write everything, but you only have access to the folders that your department group has been given access to.  In the case of all the users and machines in question, they should be able to (and used to, before upgrading to Lion) see the folders and look in the ones they had access to, and there is an additional “Advertising” folder under data which they have full control over.  Not only can we not use Finder to access \\myserver\data, we cannot use “connect to server” and jump / mount directly to \\myserver\data\advertising.

\\myserver\home\...\username -- this share is even more restricted; users are not allowed to access anything other than their directory and they do not have list permissions.  Our Windows logon scripts (and Active Directory home directory mappings) drill all the way down to the user's home directory.  The … indicates location number, department.  In the case of these users their full path would be \\myserver\home\98\B\adv\username.  The users have full control over their directory but again, we cannot use “connect to server” and open the directory.  I would not expect Finder to allow you to drill up or down since users do not have list permissions.

Again, this stuff worked fine before we switched to Lion.

I’m not sure if there are additional modules I need to install on either the Macs or on my server.  If the user logs into a Windows PC, they have access to everything they need on these shares.  In the past I have had some issues with Macs and non-Windows clients communicating with file shares if the shares were hosted on domain controllers, but that is not the case here and both the Macs and file server are domain members.

If I reset the user’s domain password, that password has to be used on the Macs, so I know that they’re authenticating, and our web proxies and web filters see valid logon events from the Macs hitting the DCs for logon events, which is how they associate traffic to users, so I’m pretty confident that the Macs are getting their authentication tokens properly.

I’m not sure of my next steps to even check.  Apple support is no help.  Granting full control of the share to this group is not a solution.

Any ideas?
Question by:LappiMA
Expert Comment

by:schaps
ID: 38711803
There was a change in the behavior with Mac OS X 10.7 with a change in permissions needed to have the same result when opening an SMB share. I can't explain it any better than this Apple document outlines: http://support.apple.com/kb/HT4829

If that does not help you, I'll try further.

Accepted Solution

by:
Mark_Verhyden earned 500 total points
ID: 38717413
Apple had used their version of Samba up to and including 10.6 for its SMB sharing.  Due to licensing issues with Samba, that changed.  To date I have not had to mess around with this in an AD environment but that will change very shortly.  I've got a customer where we are setting up a 10.8 Server to authenticate against AD and then share the 10.8 and 2008R2 resources with the clients.  Currently they are using 10.6 clients directly to the 2008R2.  This issue, when jumping from 10.6 to 10.7, was a major problem but most people were able to get things running by ensuring all updates were applied and then re-authenticating against the domain.  A couple of articles about the switch:

http://www.tuaw.com/2011/03/24/apple-to-drop-samba-networking-tools-from-lion/

http://appleinsider.com/articles/11/03/23/inside_mac_os_x_10_7_lion_server_apple_replaces_samba_for_windows_networking_services.html

Author Comment

by:LappiMA
ID: 38718955
I've not had a chance to try the terminal command in the KB from schaps, I hope to on Wednesday.  I think that the KB accurately describes the issue that I'm having.

Mark_V... - All updates are installed and their authentication seems to be working fine for the most part except for one other problem which I'll open a separate thread on.  They can use shares on the file server where they have full access to the root level shares, but that is not the way 90% of our network is set up.

--Mark