Trying to configure a SharePoint on a Lion Server machine.
The directory is created by the local server admin (serveradmin) and has rwxr-x--- given to it.
The serveradmin user belongs to the local staff group, so:
  serveradmin  readwrite
  staff group  read
  Others       none
We have an OD group for all the employees (Workers). Using the Server tool we've given Full Control to the SharePoint:
  Workers      Full Control
  serveradmin  readwrite
  staff group  read
  Others       none
We would assume that Workers could then do what they want on the share, but that doesn't seem to be the case. It appears the POSIX permissions take over the ACL permissions for Workers.
If I change the staff permission to readwrite, then the Workers can create a file or folder in the SharePoint.
I would think the ACL should take over, but it doesn't; POSIX always wins, rendering the ACL useless.
Furthermore, if I leave the readwrite permission for staff and take Write permission away from the Workers group, then the POSIX group still wins. Essentially the Workers ACL does absolutely nothing.
There are reports of similar problems in this Apple forum thread: https://discussions.apple.com/thread/3722901
The directory nesting fix suggested there doesn't work for us.
Has anyone had similar issues and know how to fix this?
Edit: in Workgroup Manager the employee users are set to primary group staff and given the additional OD group Workers. Changing their primary group doesn't help; it only shifts the problem onto Others taking over rights (logically).
Edit 2: OK, this is interesting: adding OD Users to the share's ACL works totally fine.
I'm going to post this as an answer because this workaround fixes all access issues for us.
We've basically stopped trying OD Groups for permissions altogether.
It works perfectly if we add OD Users to the share and propagate down (after resetting all ACL to clean up the previous mess).
When we give permissions based on Users, everything works fine as expected and the ACL takes over the POSIX permissions.
Really not sure why the group doesn't work. We thought it might be because the OD group doesn't match a local group on the respective client machine, but creating an explicit local group doesn't seem to fix it (though we only tried matching the group name, not the gid).
Anyway, hope this helps someone.
A side note: it used to work perfectly fine on Snow Leopard Server; this is just on Lion Server.
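Added example (not part of the question or the answer above): a small diagnostic that models how macOS decides a single access right, ACEs in order first and POSIX mode bits only when no ACE decides, and checks whether a group ACE actually applies to a user as the client resolves that user's groups. The `ls -le` listing and the two `id` outputs are constructed samples, and the share name, user name and gids are assumptions; the "unresolved" case reproduces the symptom described above, where the Workers ACE never matches and the staff r-x bits decide.

```python
import re

# Constructed sample of `ls -le` output for the share point (not taken from the post).
LS_LE = """\
drwxr-x---+ 3 serveradmin  staff  102 Mar  1 10:00 Share
 0: group:Workers allow list,add_file,search,add_subdirectory,delete_child,file_inherit,directory_inherit
"""
# Constructed `id` output for one employee: once with the OD group resolved on the
# client, once without it (the group never appears, so a group ACE can never match).
ID_RESOLVED = "uid=1001(alice) gid=20(staff) groups=20(staff),1025(Workers)"
ID_UNRESOLVED = "uid=1001(alice) gid=20(staff) groups=20(staff)"

def parse_ls_le(text):
    """Return (mode, owner, group, aces) from one `ls -le` entry; each ACE is
    (kind, name, verdict, set-of-rights), in listing order."""
    lines = text.strip().splitlines()
    head = lines[0].split()
    mode, owner, group = head[0].rstrip("+@"), head[2], head[3]
    aces = []
    for line in lines[1:]:
        m = re.match(r"\s*\d+:\s+(user|group):(\S+)\s+(allow|deny)\s+(\S+)", line)
        if m:
            aces.append((m.group(1), m.group(2), m.group(3), set(m.group(4).split(","))))
    return mode, owner, group, aces

def parse_id(text):
    """Return (username, set of group names the client resolved for that user)."""
    user = re.search(r"uid=\d+\((\w+)\)", text).group(1)
    groups = set(re.findall(r"\d+\((\w+)\)", text.split("groups=")[1]))
    return user, groups

def can(right, posix_bit, ls_le, id_out):
    """Decide one right (e.g. add_file / 'w') the way macOS does: the first ACE that
    applies to the user and names the right wins; otherwise the POSIX class decides."""
    mode, owner, fgroup, aces = parse_ls_le(ls_le)
    user, groups = parse_id(id_out)
    for kind, name, verdict, rights in aces:
        applies = (kind == "user" and name == user) or (kind == "group" and name in groups)
        if applies and right in rights:
            return verdict == "allow"
    # No ACE decided it: fall back to owner / group / other mode bits.
    if user == owner:
        cls = mode[1:4]
    elif fgroup in groups:
        cls = mode[4:7]
    else:
        cls = mode[7:10]
    return posix_bit in cls

if __name__ == "__main__":
    print("Workers resolved, add_file:", can("add_file", "w", LS_LE, ID_RESOLVED))
    print("Workers unresolved, add_file:", can("add_file", "w", LS_LE, ID_UNRESOLVED))
```

Running it on the constructed samples shows the write allowed only when the Workers group is present in the user's resolved group list; with the group missing, the staff class's r-x bits decide, which is exactly what "POSIX wins" looks like from the client.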