Parallels Desktop 9 for Mac lets you seamlessly run Windows and Mac applications side-by-sid

Mavericks breaks ACLs in Active Directory, 10.9.2 made it worse

Jared Hendrickson reports that OS X 10.9.2 made file sharing worse on his Active Directory network. Mavericks bound to Active Directory broke ACL permissions when the permissions are viewed from the Mac. (Apple acknowledges this in a tech article.) Hendrickson found a workaround, but it stopped working with 10.9.2. The update also prevented Windows users from accessing folders that had permissions altered. His only workaround now is to unbind the Macs from Active Directory. Here is Hendrickson 's report:

SMB2 is better and worse on 10.9.2. On our enterprise network, we watched as AD-bound OS X 10.9 machines burned down the permissions on any folder on which the permissions were viewed -- even if the user didn't have permission to ALTER permissions. The SMB2 implementation somehow managed to corrupt the entire directory's permissions from that point down. Permissions would corrupt by doing a Get Info in the Finder, clicking on a user in the permissions section, and looking at the permissions applied to that user. You didn't have to try and change them, but you did have to click and view them for a specific user or group.

Apple apparently negotiates SMB2 by default. The way to avoid this permissions mutilation WAS to connect via SMB1 by specifying "CIFS://server/share" in the Finder.

The global way to fix this was to place a new file on the Mac in /etc/ called "nsmb.conf". The contents of this nsmb.conf file should read only: smb_neg=smb1_only

Reboot, and this effectively forced all SMB connections to be the same as CIFS (SMB1), meaning you could use SMB:// and still only negotiate an SMB1 connection.

10.9.2 has now broken this solution also. Whether it has altered the way SMB1 connects, I donÕt know, but even connecting explicitly using the CIFS protocol does not protect the share from permissions problems. However, simply viewing permissions no longer appears to alter them, but actually attempting to change a permissions did some damage using CIFS, where it hadnÕt in 10.9 and 10.9.1.

Now, connecting via SMB:// still botches a bunch of visible permissions on the Mac side. Connecting via CIFS:// does not appear to from the Mac side Š however Š we found that Windows users could no longer get into shares that we attempted to alter permissions on using CIFS, even though the Macs maintained access! So, this is better, in that permissions are not being altered by simply viewing them, and altered permissions can be reset from a Windows machine without a call to storage services to do any command line work on the server side... however, the reliability of CIFS or SMB1 has decreased, which is bad news for thousands in our context.

At this point, on 10.9.2, the only safe way we can interact with the file server is to UNBIND from AD. In an unbound state, the Macs cannot parse AD groups/user permissions, and donÕt attempt to.

As for Apple's statement on what has been changed in 10.9.2 with regards to SMB2, it would be limited to this:

Finder

Available for: OS X Mavericks 10.9 and 10.9.1

Impact: Accessing a file's ACL via Finder may lead to other users gaining unauthorized access to files

Description: Accessing a file's ACL via Finder may corrupt the ACLs on the file. This issue was addressed through improved handling of ACLs.

CVE-ID

CVE-2014-1264

If you've seen this problem or have a suggestion .

For more on OS X 10.9 file sharing, see Mavericks File Sharing Tips and Reports.

TIP: Workaround for Mavericks ACL permission bug

Jared Hendrickson followed up his report from yesterday about Mavericks breaking ACL permissions of shared folders in Active Directory. Unbinding the Macs from Active Directory was the only way to prevent corruptions of permission. Today, he reports a new workaround that allows the Macs remain bound… (Read entire story.)