Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

OS X Lion Users cannot access _some_ Windows File Shares

Posted on 2012-12-20
3
Medium Priority
?
428 Views
Last Modified: 2013-07-01
I have 3 users in my environment who run Mac's.  Prior to upgrading a few months ago to Lion, they could access our network share drives without (to many) issues.  Now, they are unable to access a few critical file shares.  

The computers are bound to AD.

They need to connect to shares on 2 machines:

1 - the department manager who uses Windows 7 and we have a folder shared on her computer, they can access this share with no problem.

2 - our primary file storage server which is where we are having some issues.  There are three shares that are needed:
     \\myserver\data
      \\myserver\home\additionalpath\username
      \\myserver\advertising


The group in question, and the users of the Mac’s, all have full control over the advertising share at the NTFS level and via the share permissions.  The Mac’s can connect to this share without any problems hassle or difficulty.  

\\myserver\data      Share permissions allow all domain users to have full control over the share, NTFS permissions are significantly different.  They allow domain users to list folders and read files but they cannot open the majority of folders.  We have some “common use” folders on this share which everybody has access to, some are read everything, some are read/write everything, but you only have access to the folders that your department group has been given access to.  In the case of all the users and machines in question, they should be able (and used to before upgrading to Lion) see the folders, look in the ones they had access to and there is an additional “Advertising” folder under data which they have full control over.  Not only can we not use finder to access \\myserver\data, we cannot use connect to server and jump / mount directly to \\myserver\data\advertising.

\\myserver\home\...\username -- this share is even more restricted,  users are not allowed to access anything other than their directory and they do not have list permissions.  Our windows logon scripts (and Active directory home directory mappings) drill all the way down to the users home directory.  The … indicates location number, department.  In the case of these users their full path would be \\myserver\home\98\B\adv\username   the users have full control over their direcoty but again, we cannot use “connect to server” and open the directory.  I would not expect finder to allow you to drill up or down since users do not have list permissions.

Again, this stuff worked fine before we switched to Lion.

I’m not sure if there are additional modules I need to install on either the macs or on my server.  If the user logs into a windows PC, they have access to everything they need on these shares.  In the past I have had some issues with Macs and non windows clients communicating with file shares if the shares were hosted on domain controllers but that is not the case here and both the macs and file server are domain members.

If I reset the user’s domain password that password has to be used on the macs so I know that they’re authenticing and our web proxies and web filters see valid logon events from the macs hitting the DC’s for logon events which is how they associate traffic to users so I’m pretty confident that the macs are getting their authentication tokens properly.

I’m not sure of my next steps to even check,  Apple support is no help.  Granting full control of the share to this group is not a solution.

Any ideas?
      .
0
Comment
Question by:LappiMA
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 10

Expert Comment

by:schaps
ID: 38711803
There was a change in the behavior with Mac OS X 10.7 with a change in permissions needed to have the same result when opening an SMB share. I can't explain it any better than this Apple document outlines: http://support.apple.com/kb/HT4829

If that does not help you, I'll try further.
0
 

Accepted Solution

by:
Mark_Verhyden earned 1500 total points
ID: 38717413
Apple had used their version Samba up to and including 10.6 for it's smb sharing.  Due to licensing issues with the Samba that changed.  To date I have not had to mess around with this in an AD environment but that will change very shortly.  I've got a customer where we are setting up a 10.8 Server to authenticate against AD and then share the 10.8 and 2008R2 resources with the clients.  Currently they are using 10.6 clients directly to the 2008R2.  This issue, when jumping from 10.6 to 10.7, was a major problem but most people were able to get things running by insuring all updates were applied and then re-authenticating against the domain.  A couple of articles about the switch.

http://www.tuaw.com/2011/03/24/apple-to-drop-samba-networking-tools-from-lion/

http://appleinsider.com/articles/11/03/23/inside_mac_os_x_10_7_lion_server_apple_replaces_samba_for_windows_networking_services.html
0
 

Author Comment

by:LappiMA
ID: 38718955
I've not had a chance to try the terminal command in the KB from schaps, I hope to on Wednesday.  I think that the KB accurately describes the issue that I'm having.

Mark_V... - All updates are installed and their authentication seems to be working fine for the most part except for one other problem which I'll open a separate thread on.  they can use shares on the file server where they have full access to the root level shares, but that is not the way 90% of our network is setup.

--Mark
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Background Information Recently I have fixed file server permission issues for one of my client. The client has 1800 users and one Windows Server 2008 R2 domain joined file server with 12 TB of data, 250+ shared folders and the folder structure i…
The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question