
Reader problem with OS X and special ACL permissions

Harry Fahey reports that Macs on an Active Directory network have a problem with shares that carry certain ACL file sharing permissions. The Macs can't write to the shares even though they have write permissions for files. The problem appears only from the Finder -- not from Terminal or when the same user is logged in from a Windows PC.

We don't know if this is related to a previously reported ACL issue with Mavericks (see Tip: Workaround for Mavericks ACL permission bug). Here's Fahey's report:

I have had a frustrating few hours delving into a problem with OS X's (Lion thru Mavericks) interpretation of SMB ACL's from a Windows network share. In our Windows Active Directory network we have a particular staff accessible share that the small number of Mac clients access along with many Windows clients. We have limited staff access essentially read/write permissions MINUS the ability to create folders/append data. With this configuration the Mac clients do not seem to honour ANY write ACL's and thus cannot write to the share.

From a Mac client via Get Info > Permissions it tells me I have read/write access, however I cannot copy/create a document on the share.

I can confirm that Terminal access respects all permissions, it is only the Finder that does not.

The ACL structure seems OK as I can get access as the same user on a Windows domain joined machine, but as the same user I have issues on the Mac domain joined machine on both 10.7.5 and 10.9.2.

Further to that, we have staff accessible folders on the same Windows share that have exactly the same permissions for staff EXCEPT they are allowed to "create folders/append data" which work fine for staff.

We have had no issues with this specifically until recently when we changed our permissions to disallow (removed the Allow - not an explicit Deny) for staff to create folders/append data. I know that this is an option within OS X ACL's so I can't understand why OS X looks to be not mapping the SMB ACL correctly. It seems to be defaulting back to basic read/write/execute permissions and a lowest common denominator of the write permissions is a not allow.

There seem to be plenty of workarounds for Linux file servers (smb.conf edits mostly - "unix extensions = no" etc) but as our file server is Windows I am struggling to find any workarounds at all!

Below is an extract of a Terminal session doing a ls -le on a sample folder with issues. I am a user in the STAFF GROUP. Note that the STAFF GROUP permissions are missing the "append" permission - which is correct when compared to Windows share permissions.


total 1992

-rwx------+ 1 086xxxxx

0: group:*snip ADMIN GROUP 1* inherited allow read,write,execute,delete,append,readattr,writeattr,readextattr,writeextattr,readsecurity

1: user: *snip ADMIN USER 1* inherited allow read,write,execute,delete,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown

2: user: *snip ADMIN USER 2* inherited allow read,write,execute,delete,append,readattr,writeattr,readextattr,writeextattr,readsecurity

3: user: *snip ROOT USER* inherited allow read,write,execute,delete,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown

4: group: *snip STAFF GROUP* inherited allow read,write,execute,delete,readattr,writeattr,readextattr,writeextattr,readsecurity

5: group: *snip ADMIN GROUP 2* inherited allow read,write,execute,delete,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown


If I add the append permissions (via Windows AD/share permissions) to the staff group I am given write access to the folder from the Mac. Remove it and I only have read/execute permissions.
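
A way to find every entry in the state Fahey describes, as an added example that is not part of his report or of the original page: the script below parses `ls -le` output and lists each allow ACE that grants write but not append. The sample listing and its names are constructed, and treating `add_file`/`add_subdirectory` as the directory forms of the same two permissions goes beyond the file listing shown in the report.

```python
import re

# One ACE line of `ls -le` output, e.g.
#  4: group:Staff Group inherited allow read,write,execute
ACE_RE = re.compile(
    r"^\s*(\d+):\s+(user|group):\s*(.*?)\s+(?:inherited\s+)?(allow|deny)\s+(\S+)\s*$"
)
# Mode column that starts an entry line, e.g. "-rwx------+" or "drwxr-xr-x@".
ENTRY_RE = re.compile(r"^[-dlbcps][-rwxsStT]{9}[+@]?\s")

# macOS prints the same permission bit under a file name and a directory name.
WRITE = {"write", "add_file"}
APPEND = {"append", "add_subdirectory"}

# Constructed sample listing (hypothetical owner, group and file names).
SAMPLE = """\
total 16
-rwx------+ 1 jdoe  staff  4096 Mar  3 10:15 report.docx
 0: group:Share Admins inherited allow read,write,execute,delete,append,readattr
 1: group:Staff Group inherited allow read,write,execute,delete,readattr
drwx------+ 2 jdoe  staff    68 Mar  3 10:15 Drafts
 0: group:Staff Group inherited allow list,add_file,search,delete,readattr
"""


def write_without_append(listing):
    """Return (entry, ace_index, kind, principal) for every allow ACE that
    grants write but not append."""
    findings, entry = [], None
    for line in listing.splitlines():
        if ENTRY_RE.match(line):
            fields = line.split(None, 8)
            entry = fields[8] if len(fields) == 9 else line.strip()
            continue
        m = ACE_RE.match(line)
        if not m:
            continue
        index, kind, principal, rule, perms = m.groups()
        granted = set(perms.split(","))
        if rule == "allow" and granted & WRITE and not granted & APPEND:
            findings.append((entry, int(index), kind, principal))
    return findings


if __name__ == "__main__":
    for entry, index, kind, principal in write_without_append(SAMPLE):
        print(f"{entry}: ACE {index} ({kind}:{principal}) allows write without append")
```

To check a real share, pass the text captured from `ls -le` on the mounted folder to `write_without_append()` instead of `SAMPLE`.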
