Mac OS X Mavericks causing problems with Windows 2012 R2 server shares

mlmslex
Have new Microsoft Server 2012 network with about 45 pre-existing Mac OS X Mavericks machines.

Macs are connecting via SMB 1 (we had to turn off SMB 2 on the Windows servers)

Macs are NOT bound to Active Directory

"Employees" group has Full Control access to network share "Projects" - propagated from the top level down through inheritance.  Domain "administrators" group has ownership of all files / folders in the share.

When a Mac user edits/renames a file, then saves it, the following happens:

The file "thinks" it's still inheriting, yet permissions change to: user logged in from Mac gets "full control", "users" gets read-only ("users" wasn't even in the previous permissions list), "administrators" maintain full control.

Ownership of the file is changed to the user name logged in from the Mac.

Other users (obviously) are unable to make changes to the file.

We can "repair" the permissions but the very next edit breaks them again.

We've thought of just removing "Full Control" from the "Employees" group (we know it's bad practice anyway but have allowed lately in other environments due to some apps not working right without full control)
nappy_d

Commented:
I would definitely say that you should remove Full Control from your NTFS permissions for non-administrators.  Simply giving the users Modify permissions is really all they should need to change/create/delete/read files and directories.

As you have experienced, giving full control gives them permission to modify NTFS security.

Also, to help your Macs with respecting the security you have set, you should have your users log on with their AD credentials.

Author

Commented:
Thanks, nappy_d.  We've removed "Full Control" from the file permissions and changed the share permissions to "Change" from Full Control.

We'll see in the next couple of days whether these changes resolve the problem while still allowing them to work.

Author

Commented:
OK - so changed file/share permissions so that these AD Users do not have rights to change permissions / ownership.

From a Windows box, these restrictions are obeyed.

From a Mac running OS X 10.9.2, connected via SMB or CIFS, it makes NO difference.  Creating/modifying a file gives ownership to that AD user (logged in from the Mac).

A TEMP fix for this has been to add the Employees group to the domain ADMINISTRATORS group - allows folks to work but is obviously an unsafe fix.

nappy_d

Commented:
Can you post a screenshot of what your permissions on a directory look like?

Author

Commented:
I've uploaded 3 screen shots...BEFORE (Parent folder and file rights), AFTER (file rights).

As you can see, "Administrators" remains able to read/modify docs so temporarily (so they can work), I've added the entire CSIEmployees group to the Administrators group (I haven't TOLD them that)...this obviously is not a long term solution.

I've tried tools that prevent the Mac from adding the .DS_Store files - No Difference

I've turned OFF SMB1 and re-enabled SMB2/3 - No Difference
ParentFolder-BeforeAccess.JPG
FileRights-BeforeAccess.JPG
FileRights-AfterAccess.JPG
nappy_d

Commented:
The .DS_Store files are a different issue but I will help you fix that one after.

Let's do this:
- create new share
- on the Share permissions tab give everyone full control (See Pic1)
- Now use the NTFS tab to set the permission (See Pic2)
- Do not make any of your test users have access to full control permissions on the test share, they should only have modify.
- Test and let me know if the same issue occurs

 Pic1
Pic2
Commented:
So, we were able to resolve this ourselves, after much frustration...

In the root of a Windows file share, Macs create a ".TemporaryItems" hidden folder.  When any Macs accessing this file share save/modify/create a file, it gets the permissions which are assigned to THIS folder, instead of inheriting file permissions as it should.

In our scenario, due to some restrictions in place by other server software, we had read-only permissions assigned to the folder which was shared...rights were assigned to the TOP LEVEL folders which existed in the root (this again had to do with the client's specific data structure).  As the .TemporaryItems folder was IN that same folder, rather than UNDER any folders with the appropriate permissions, the files the Macs touched were getting READ-ONLY permissions.

I view this as a SERIOUS breach in protocol by the Macs and is just further evidence they have no place in a business environment.
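An audit for the symptoms reported in this thread (changed owner, a "Users" entry that the parent folder does not have, explicit or blocked ACLs) plus a dump of the ACL on `.TemporaryItems`. This is an added example, not something posted by the participants; the share path and expected owner are placeholders, and it assumes PowerShell 3.0 or later run on the file server.

```powershell
# Added example: report files on a share that drifted from the inherited baseline.
# $ShareRoot and $ExpectedOwner are hypothetical values; set them for your share.
param(
    [string]$ShareRoot     = 'D:\Shares\Projects',
    [string]$ExpectedOwner = 'BUILTIN\Administrators'
)

# 1. Show what the Mac-created .TemporaryItems folder in the share root would hand out.
$tmp = Join-Path $ShareRoot '.TemporaryItems'
if (Test-Path -LiteralPath $tmp) {
    $tmpAcl = Get-Acl -LiteralPath $tmp
    Write-Host "ACL on $tmp (owner: $($tmpAcl.Owner))"
    $tmpAcl.Access |
        Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize |
        Out-Host
}

# 2. Walk every file (hidden ones included) and compare it with its parent folder.
$findings = Get-ChildItem -LiteralPath $ShareRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $acl       = Get-Acl -LiteralPath $_.FullName
        $parentIds = (Get-Acl -LiteralPath $_.DirectoryName).Access |
                         ForEach-Object { $_.IdentityReference.Value }
        # ACEs set directly on the file rather than inherited
        $explicit  = @($acl.Access | Where-Object { -not $_.IsInherited })
        # Identities on the file that the parent folder does not list at all
        $foreign   = @($acl.Access | ForEach-Object { $_.IdentityReference.Value } |
                         Where-Object { $parentIds -notcontains $_ } | Select-Object -Unique)

        if ($acl.Owner -ne $ExpectedOwner -or $acl.AreAccessRulesProtected -or
            $explicit.Count -gt 0 -or $foreign.Count -gt 0) {
            [pscustomobject]@{
                Path               = $_.FullName
                Owner              = $acl.Owner
                InheritanceBlocked = $acl.AreAccessRulesProtected
                ExplicitAces       = $explicit.Count
                NotOnParent        = $foreign -join '; '
            }
        }
    }

$findings | Sort-Object Owner, Path | Format-Table -AutoSize -Wrap | Out-Host
Write-Host ("{0} file(s) deviate from the parent folder's ACL" -f @($findings).Count)
```

Running it before and after a Mac client saves a file shows whether the file picked up the ACL of `.TemporaryItems` rather than that of the folder it ended up in.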

Author

Commented:
This was tremendously frustrating and took a great deal of research to answer, specifically because our scenario was a "perfect storm" of circumstances...we could only find a few others out there with similar problems and even fewer with workable solutions.

Commented:
This issue is occurring again.. regardless of subfolder permissions.. inheritance is not being preserved..
