Solved

MACs using Windows shares; permissions issues

Posted on 2013-01-03
10
4,945 Views
Last Modified: 2013-02-24
Hello. Have a new location that is a mix of MAC and Windows, but mostly MAC. They have a Windows server (2012) that is hosting file shares. The MAC users need to be able to create, delete, edit, rename, etc. folders and files under these MAC shares. Currently, when using the Command + K to connect to the smb shares via smb://machinenamehere/sharename.  When prompted for credentials, we are entering the users windows network account name, like "deb" for example; and then her windows password. The issuse is that the MAC users are getting blocked from editing files, folders, etc. under the Windows share. Really need help getting this fixed; it is driving the client, and me mad!  Thanks for insight from those who have MAC/Win mixed environment experience.
0
Comment
Question by:StewartTechnologies
  • 6
  • 3
10 Comments
 
LVL 8

Expert Comment

by:s3e3
Comment Utility
Hi
You will need to modify the NTFS permissions on the Windows 2012 server. In your example make sure user Deb has MODIFY permission to the files/folders.

Other than editing the NTFS/Active Directory account it's not different from windows file share admin.

Hope that helps.
0
 

Author Comment

by:StewartTechnologies
Comment Utility
Hello. Thank you for the comment.  The user/users do have full access to the shares via the windows file sharing security /rights.  I agree that it should be no different than NTFS/AD shares and security, and yet, I am having these access issues.
0
 
LVL 8

Assisted Solution

by:s3e3
s3e3 earned 200 total points
Comment Utility
Check the Windows Server Event Log. Do you seen any errors you can share ?

I had to do the follow a while back however this was on a Windows 2008 server:

Disable SMB Signing

Microsoft network client: Digitally sign communications (always) set to disabled
Microsoft network server: Digitally sign communications (always) set to disabled

    Goto to the file server

    Start

    Run

    type gpedit.msc and hit OK

    Within GPEDIT go to Computer Configuration

    Windows Settings

    Security Options

    Local Policies

    Find the aforementioned policies in the right hand pane and set them to disabled
0
 

Author Comment

by:StewartTechnologies
Comment Utility
Thank you again for this good info. I have already done this edit as part of my troubleshooting.  Keep those ideas coming!
0
 
LVL 8

Expert Comment

by:s3e3
Comment Utility
Make sure you reboot the windows server after the registry change.
0
Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

 

Author Comment

by:StewartTechnologies
Comment Utility
My thought on this...
The issue appears to be the the Windows users are not passing thru (or vice versa) to the mac finder, connections. When attempting to rename a folder, for example; I am getting error "finder wants to make changes - type your password to allow this"  The prefilled username is not the users windows name but the mac machine name.  Even if I type in the windows name and correct password, I'm still not able to make the changes. Then, I get a "you don't have permission to rename the item <insert folder name here>" error.
0
 
LVL 12

Accepted Solution

by:
Justin Pierce earned 300 total points
Comment Utility
Hi Stewart,

   As I was reading your question I was swiftly taken back to the days of making tons of edits with file permissions and propagating them down from parent to child. Anyways, please read this Microsoft forum:

http://social.technet.microsoft.com/Forums/en/winserverDS/thread/76e50b7d-40b2-4198-a2e2-23cf26f08761

cverrier is the post that you are looking for. It is the second box down.

Your problem is most likely the permissions with the folders that your users are accessing, as well as the permissions with everything inside that folder. In short, it is not your Macs but the MS server that is the problem.

Hope this helps.
0
 

Author Comment

by:StewartTechnologies
Comment Utility
Hi MacGuy47.  Thank you for your comments / input. I have checked and rechecked the folder permissions and security.  I did review the link you sent, and I appreciate that info. I will double-check these details again, just to be sure.

I just want to stress that the errors are only occurring when Mac users are accessing shares. Those same user accounts (and others), when accessing the same shares via Windows PCs are not having any issues.
0
 

Author Comment

by:StewartTechnologies
Comment Utility
** update ** I may have had a break through here. I had always felt like the issue was that the AD permissions were not 'passing thru' to the MACs or vice-versa, and that's why the users were not able to edit/get to what they needed. I just didn't know how to explain that, or ask where those credentials go in a MAC 'mapping' to a windows share.

After getting NO help with Apple Care, I called in some MAC resources.  One of them suggested unbinding and rebinding the machines to the Active Directory. Once I got into this process, I realized that even though the 'bind' was showing a greeen dot, they were not really bound.  Once I unbound and rebound, then I was getting the active directory pass-thru I was expecting.  

See link here for general instructions on the binding. http://www.trainsignal.com/blog/join-mac-to-windows-domain.

Once I did that, it was looking better. Removed entry from keychain for the shared resource. Connected again. Didn't get prompted for credentials because they were coming thru from AD!!!  So, I think these permissions items are 95% resolved now. We could still have some minor issues, but that might be more closely related to MACguy47's posting.

Also, unrelated, but related to this, the weird ownership changes (another layer of an issues) I am seeing may be coming from a backup to a NAS device run from one of the MACs. Note the warning message highlighted towards the bottom of the first image. The second snip is the results / or 'unknown' account an it's permissions meddling.
LaCieDevice.PNG
DenyAccount-Marked.PNG
0
 

Author Closing Comment

by:StewartTechnologies
Comment Utility
Thanks to all that contributed.
So, how did this all shake out?  We ended up getting Microsoft involved after days of not being able to resolve permissions issues. It turns out that Microsoft was also perplexed by our continued permissions issues and they are involved in trying to figure out what is going on. The server was decommisioned (and replaced with a MAC server), and Microsoft will be testing the 'troublesome server'. Right now, they are only saying it is 'unexpected behavior'. Seems to be related to migration from SBS 2003 to Server Essentials 2012. What a nightmare this was!
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

Recently, I was assigned the task of performing a hardware refresh in the datacenter. The previous Windows 2008 systems were connected to the SAN via fiber channel HBA’s and among other thing, had PowerPath installed in order to provide sufficient f…
Do you come here a lot? Are you lazy like me and don't want to go through the "trouble" of having to click your Dock's Safari icon and then having to click your Experts Exchange Favorites bookmark to get here? Well then this article is for you.
In this Micro Tutorial viewers will learn how they can get their files copied out from their unbootable system without need to use recovery services. As an example non-bootable Windows 2012R2 installation is used which has boot problems.
This tutorial will walk an individual through the process of configuring basic necessities in order to use the 2010 version of Data Protection Manager. These include storage, agents, and protection jobs. Launch Data Protection Manager from the deskt…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

6 Experts available now in Live!

Get 1:1 Help Now