Sonoma File Sharing anomalies

I’m in the process of replacing an old macOS Server machine with a Mac Mini running Sonoma and File Sharing via the System Settings (a really horrible experience).

I created a few users and proceeded to Share several folders - some on the local drives and some on a thunderbolt attached OWC Express 4M2 RAID enclosure (RAID 1 using Softraid).

I hop onto another machine on the network and test what’s visible and, much to my surprise, all the folders on the RAID drives are visible to all users - despite them not having been added to the list of authorised sharers. Worse still, they all have universal read/write access.

Strangely, the shared folders residing on the internal drive work as expected, respecting the permissions allocated. I should add Guest Access is OFF for all Shares.

Is anyone aware of an issue where sharing on external drives is broken? Alternatively, could this be an issue with SoftRaid drives where they somehow don’t respect Sharing permissions (I’ll be writing to SoftRaid also)?

OSX Server allowed wonderful, granular permissions - the Sharing control panel is simply rubbish and only suitable for the most basic of basic tasks. In fact right now I can’t even get it doing the basics at all.

It sounds like you’ve got ownership checks disabled on your external volumes (default). So in Terminal you do sudo diskutil EnableOwnership /Volumes/SomeVolume to switch them on. Reboot, and see if it worked.

Other things to spot check: that the client users are not admins, which always have all access to all volumes; that the permissions of your share points and their contents are correct for their respective users; and that full disk access is on for the SMB server, smbd.

Good luck …

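To make the ownership check above concrete, here is an added shell example (not code from this thread or from Apple) that reads the Owners: field that diskutil info prints for a volume and enables ownership when it is off. The mount point and the diskutil output lines embedded below are constructed for illustration so the parsing can be exercised offline; on the server, run it as ./check-owners.sh /Volumes/YourRAID to test a real volume.

```sh
#!/bin/sh
# Added example (not from the thread): check whether macOS honours ownership
# on a volume, and enable it if not. Relies on the "Owners:" line that
# `diskutil info` prints on macOS; the SAMPLE_* text is constructed, not real.

# owners_state: read diskutil info text on stdin and print the Owners: value
# ("Enabled" or "Disabled"); prints "Unknown" when the line is absent.
owners_state() {
    state=$(sed -n 's/^[[:space:]]*Owners:[[:space:]]*\([A-Za-z]*\).*/\1/p' | head -n 1)
    [ -n "$state" ] && printf '%s\n' "$state" || printf 'Unknown\n'
}

# owners_enabled: succeed (status 0) only when the text on stdin says Enabled.
owners_enabled() {
    [ "$(owners_state)" = "Enabled" ]
}

# Constructed samples of the relevant diskutil info lines (assumed layout).
SAMPLE_DISABLED='   Volume Name:               RAID1
   Mounted:                   Yes
   Mount Point:               /Volumes/RAID1
   Owners:                    Disabled'

SAMPLE_ENABLED='   Volume Name:               Macintosh HD
   Owners:                    Enabled'

# check_volume <mount point>: query the live volume and switch ownership on
# when it is being ignored. Needs an admin password for the sudo step.
check_volume() {
    vol=$1
    if diskutil info "$vol" | owners_enabled; then
        echo "ownership already enabled on $vol"
    else
        echo "ownership ignored on $vol: enabling"
        sudo diskutil enableOwnership "$vol"
    fi
}

if [ $# -eq 1 ]; then
    check_volume "$1"
else
    printf 'sample (disabled): %s\n' "$(printf '%s\n' "$SAMPLE_DISABLED" | owners_state)"
    printf 'sample (enabled):  %s\n' "$(printf '%s\n' "$SAMPLE_ENABLED" | owners_state)"
fi
```

The same Owners: value is what the Get Info window's “Ignore ownership on this volume” checkbox toggles; after enabling it, re-check the owner and group shown by ls -l on the share point, since files that previously appeared to belong to everyone will now show their real owners and the share's permissions start to matter.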

Doh, thanks - that sounds an obvious answer but I never considered it as I’m not looking at the Get Info window - just going through the sharing. Hopefully it’s that simple, won’t know till I get back in and test it.


As a further note, the Get Info windows allow all the granular permissions control that the Server app used to. While the Sharing preference pane is limited compared to Server’s settings, they were just a front end to the same thing you can do in Get Info (or the command line if you know what you’re doing!).


Is this right? I do recall thinking so at some point, but I just looked now and AFAICS there’s no way to build an ACL in the Get Info window. It’s not a biggie but there was definitely a time when the client macOS really couldn’t be used as the file server because all those flags couldn’t (easily) be done graphically. I’d love to be wrong about this but, frustratingly, Apple’s documentation since the great castration of macOS Server has been basically nonexistent and for a while I was essentially reliant on third-hand information about which plist files to tweak and which command tools to use. For example, right now I see no way to turn off the virtual admin shares except by tweaking the relevant smbd plist. This seems like it would be easy for Apple to add to the Sharing pref pane but they haven’t.

All being said, it’s how I’ve been rolling for a while now and there’s much to recommend it, especially with a Silicon Mini and fast Thunderbolt storage. Gimme that over a NAS for power and flexibility any day of the week.

Problem solved with turning off the default “Ignore permissions”. I don’t recall that ever being a default so I’m genuinely surprised. Why that’s not an option in the Sharing panel is also a mystery.

Everything is working now but trying to do permissions through the Get Info is horrid. Why don’t Apple allow the window to be resized so you can see more than 5 entries?


I’m pretty sure that the permissions you set in Get Info are ACLs. You can also set the standard Unix user/group permissions by selecting one of the entries and choosing Make “Name” the owner, but by default any user or group you add there is an ACL. But it obviously doesn’t provide a way to configure more complex ACLs.

It would be great if there were a 3rd-party app that could edit and manage ACLs with a graphical interface, but I’m not aware of one. There used to be an app called ‘Sandbox’, but it seems to be long gone. I wonder if anyone (@randy2?) knows of a current alternative?

https://web.archive.org/web/20150201081136/http://mikey-san.net/sandbox/


“It would be great if there were a 3rd-party app that could edit and manage ACLs with a graphical interface”

TinkerTool System can do this plus much more, $17. You still need to understand ACLs, but the manual has a summary.


I’ve had Tinker Tool for years but didn’t know about TT System. Will definitely take a look at it.


Yes, you’re right. If you add additional entries they will be in an ACL. I’m really thinking of cases where that alone won’t be enough, as you say more options where each discrete permission (not just rwx) is controlled, and inheritance for new objects so you can e.g. implement a group-writable folder that operates automatically even when file ownership isn’t changed or where files are updated atomically instead of overwriting as is the norm on desktop macOS. I think the Server app, when we had it, took care of all this nonsense for you, and that’s why people are missing it for setting up credible file shares.


GUI? We don’ need no steenkin’ GUI…

If you don’t mind getting your hands dirty with some good ol’ command line voodoo, there’s always

ls -ale [ -d ] file

to list out any available ACLs for a file/folder and

chmod [ -a | +a | =a ] ACE file

to remove/add/set ACLs for a file

man ls and man chmod are also your friends to help you figure out how to build ACLs…

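Building on the chmod +a syntax above, and on the earlier wish for group-writable folders whose new files inherit access even when ownership changes, here is an added example (not code posted in the thread) that assembles Finder-style read/write and read-only ACEs with the file_inherit and directory_inherit flags and applies them to a share point. The group names and the share path are assumptions; the rights keywords are the ones documented in the macOS chmod man page.

```sh
#!/bin/sh
# Added example, not from the thread: build macOS ACL entries (ACEs) for a
# group-writable share point and apply them with chmod so that new files and
# subfolders inherit the same access regardless of who creates them.
# The groups (designers, reviewers) and the share path are assumptions.

# Rights roughly matching Finder's "Read & Write" and "Read only" on a folder,
# plus inheritance flags so every new item inside picks up the same entry.
RW_RIGHTS='list,add_file,search,add_subdirectory,delete_child,delete,readattr,writeattr,readextattr,writeextattr,readsecurity'
RO_RIGHTS='list,search,readattr,readextattr,readsecurity'
INHERIT='file_inherit,directory_inherit'

# rw_ace <group>: print an allow ACE giving <group> read/write with inheritance.
rw_ace() {
    printf 'group:%s allow %s,%s\n' "$1" "$RW_RIGHTS" "$INHERIT"
}

# ro_ace <group>: print an allow ACE giving <group> read-only with inheritance.
ro_ace() {
    printf 'group:%s allow %s,%s\n' "$1" "$RO_RIGHTS" "$INHERIT"
}

# apply_acl <dir> <rw-group> [ro-group]: replace the ACL on <dir> and all of
# its contents with the entries above, then show the result with ls -le.
# chmod on Linux does not understand +a, so this refuses to run off macOS.
apply_acl() {
    dir=$1; rw=$2; ro=$3
    [ "$(uname)" = "Darwin" ] || { echo "apply_acl: macOS only" >&2; return 2; }
    chmod -R -N "$dir"                              # strip every existing ACE
    chmod -R +a "$(rw_ace "$rw")" "$dir"            # group allowed to edit
    [ -n "$ro" ] && chmod -R +a "$(ro_ace "$ro")" "$dir"   # optional read-only group
    ls -led "$dir"                                  # display the resulting ACL
}

# Hypothetical invocation on the server:
#   apply_acl /Volumes/RAID1/Design designers reviewers
if [ $# -ge 2 ]; then
    apply_acl "$@"
else
    echo "would apply: $(rw_ace designers)"
fi
```

chmod -N wipes every existing ACE on the tree, including any added through Get Info, so check ls -le first if some entries should survive. chmod +a inserts entries in canonical order (deny entries ahead of allow entries), so the order you add them in does not matter; what does matter is the inheritance flags, since without them a file created by someone else's safe-save (new file, then rename over the old) carries only that user's ownership and the group loses access.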

After years of programming on IBM mainframes, never had much exposure to Unix. Now the brain is too slow to become competent with Unix commands. Last year when I stuffed up the permissions on a folder containing hundreds of sub folders and thousands of files (duplicate permissions for everyone and custom access) Tinker Tool System’s GUI fixed the problems in minutes! For those who don’t like the command line I would recommend it.


I’ve just taken a look at Tinker Tool System and the ACL options.

Encouragingly, it has virtually all the settings available in Mac OS Server so I’ve just bought a couple of copies. Seems easy to use despite not having looked at the manual.

I’m happy to support this type of developer producing this sort of software. Thank you @gastropod for the suggestion.


We went live with the new ‘server’ a couple of weeks ago. Last week I was in the office to do a few things and the number of crazy things is killing me.

  1. permissions seeming to have a mind of their own. A (Windows) machine is happily sharing files then suddenly can’t - from the same directory. I check permissions and everything looks right. I delete the share, recreate it and it works again - with no change to permissions.

  2. I can’t assign a tag to any file on the server. Finder asks for permission, I grant it, then it refuses saying no permission to edit file - despite having admin privileges and Everyone having Read/Write. If I propagate permissions on the folder to which the tag was refused, it suddenly has a tag.

  3. Some files and folders aren’t inheriting permissions from the parent folder correctly.

  4. There is terrible lag across the network. Folders of files appear empty, then suddenly full. Files disappear then re-appear when saving.

I’m not sure whether the issue is Sonoma, SMB or some other culprit but I can say the experience has been miserable. We ran for close to 20 years on OS X Server/AFP. We had virtually no issues with reliability, lagging, permissions or anything else - it was rock solid. This new system - supposedly a replacement for Server app - is a horrible disaster.


I really hate complaining about this but it’s beyond horrible.
Users spontaneously can’t save a file they have opened seconds earlier.
A single user this morning couldn’t log in with her credentials; nor could I log her in with my admin credentials despite using them to log in from other machines (saying User Denied Access). The only way we could get her connected was to allow Guest access.
InDesign intermittently loses links despite the volumes being mounted correctly and the images available.
I couldn’t log in with my laptop then 3 minutes later had no issue.
If a user logs in with a domain name and then again using the IP address they get the same volume mounted as two volumes - with the same name (not even Volume, Volume-1).
Folders regularly open with zero items regardless of the number of files.

The sharing on Sonoma is incredibly poor. Right now the only way we can effectively share documents is to make the entire system insecure and vulnerable. For Apple to suggest this is any sort of alternative to macOS X Server is nothing short of shameful.

If this keeps up I can see no option but to move this over to Linux. Sadly this will necessitate a move away from the Softraid we’re using.


Yes, I’d been meaning to follow up on this. Guess things haven’t been going well for you so far. Sorry to hear that! Here are a few off-the-cuff suggestions for things you might try:

You say you’re getting flaky connectivity and interruptions. Is there any pattern to this? What type of connections and what are their speeds? I think that’s the first order of business to solve. If you could stick to Ethernet for everything, 1 Gbps or better for preference, at least whilst you’re troubleshooting, you might be able to identify a root cause more easily if you can determine exactly when your connection goes awry.

Then there’s the question of access privileges and seemingly disappearing objects. Before you look at applications and the Finder, can you use Terminal to reproduce the access issues you’re having? This is significant because Finder, especially in column view, makes a large number of requests to enumerate directory contents, and it would be easy to mistake such slowness for a permissions problem, especially if you miss the progress spinner in the status bar. So use Terminal to see if you can list, read and write files in a directory, create and delete files and directories, etc. Commands like touch, cat, cd, ls, rm, echo, mkdir, rmdir, and a bit of shell redirection should help you establish whether what you’re looking at is actually a permissions problem, or a problem of SMB more generally and inefficient Finder accesses through SMB in particular (which, FTR, really shouldn’t be exacting the sort of toll you’re paying on a Mac-to-Mac setup).

Finally the authentication failures. Especially with various versions of Windows in the mix, it is unfortunately the case that SMB is a bit of a hairy beast because various dialects/versions of the protocol support varying degrees of authentication and signing/encryption. Can you confirm that every Windows user who has an account has had their NTLMv2 credential stored? You do this by pressing the “Options …” button in the File Sharing details panel in Sharing settings, ticking the box for the user concerned, and typing in their password again. You only have to do this once. Then if you right-click each shared folder, open the advanced settings, and make sure mandatory signing and encryption are off. Does your situation now improve? Regrettably, ever since Apple moved to their own SMB implementation (from Samba, which Linux-based NAS boxes use), things have never been truly great for Windows, but they should at least be possible to configure to connect and expose the file share, with each user attaining his/her respective permissions.

Let us know what happens, and good luck. And sure, if it doesn’t go well, there are lots and lots of vendors selling boxes to make your life easier, all running real server operating system kernels. :grinning:
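
The Terminal checks suggested above, as an added script that was not posted in the thread: it runs the list/create/write/read/rename/delete/mkdir/rmdir steps against a directory, reports PASS or FAIL for each, and ends with the number of failures so it can be scripted. Run it on a client against the share as mounted there (the /Volumes path in the comment is an assumption) while a user is seeing the problem; a run that fails only on the create/write/delete steps points at ownership or ACLs, one that fails on list points at the mount itself, and a clean run while Finder still shows empty folders points at SMB or Finder rather than permissions.

```sh
#!/bin/sh
# Added example, not from the thread: exercise a mounted share point from
# Terminal so a real permissions problem can be told apart from Finder/SMB
# slowness. Every step is a plain filesystem operation with no Finder involved.
# Hypothetical use on a client:  ./probe-share.sh /Volumes/Design

# step <name> <command...>: run one check quietly, report it, return its status.
step() {
    name=$1; shift
    if "$@" >/dev/null 2>&1; then
        printf '  PASS %s\n' "$name"; return 0
    else
        printf '  FAIL %s\n' "$name"; return 1
    fi
}

# write_to <file>: overwrite <file> with a line of text (fails if not writable).
write_to() {
    echo probe > "$1"
}

# probe_dir <dir>: run the eight checks in <dir> using a uniquely named scratch
# file, print each result, and print the number of failed steps on the last
# line (0 means full read/write access for the current user).
probe_dir() {
    d=$1
    f="$d/.probe.$$"
    fails=0
    echo "probing $d as $(id -un) (uid $(id -u))"
    step "list directory"   ls -a "$d"             || fails=$((fails+1))
    step "create file"      touch "$f"             || fails=$((fails+1))
    step "write file"       write_to "$f"          || fails=$((fails+1))
    step "read file"        cat "$f"               || fails=$((fails+1))
    step "rename file"      mv "$f" "$f.renamed"   || fails=$((fails+1))
    step "delete file"      rm "$f.renamed"        || fails=$((fails+1))
    step "create subfolder" mkdir "$f.dir"         || fails=$((fails+1))
    step "remove subfolder" rmdir "$f.dir"         || fails=$((fails+1))
    rm -rf "$f" "$f.renamed" "$f.dir" 2>/dev/null  # tidy up after partial runs
    echo "$fails"
}

# fail_count <dir>: only the number of failed steps, for use in other scripts.
fail_count() {
    probe_dir "$1" | tail -n 1
}

# Probe the directory given on the command line, or a throwaway local one.
if [ $# -ge 1 ]; then
    probe_dir "$1"
else
    scratch=$(mktemp -d)
    probe_dir "$scratch"
    rmdir "$scratch"
fi
```

Run it once as the affected user and once as an admin from the same client; if the admin run passes and the user run fails on the same steps at the same moment, the share's ownership or ACLs are the problem, whereas intermittent failures that come and go for both accounts point at the connection or the SMB session rather than permissions.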

It’s all cat 6 wired ethernet in a building less than 2 years old. It’s been very stable.

It’s very inconsistent and hard to pin down. I’m only working one day a week so it makes it very hard to isolate the issues. Next time I’m in I might try Forklift or Pathfinder to see if they suffer similar issues.

Yes we did that although it took a little while to work it out as the Apple docs aren’t great. We only have one Windows machine and the issue is it just stops working. It can be working fine then later in the day it will stop responding and the only solution seems to be deleting the connection and recreating it.

I have a couple of spare machines so I’m going to look at a dual boot option with either Linux Mint, ElementaryOS (although in reading yesterday it sounds like EOS might not be as polished as some other distros) or Asahi Linux (which runs natively on Apple Silicon). I’m not a Linux geek so it’s a voyage into the unknown.


Concerning the last point, I appreciate that it’s a learning curve, but learning Linux really will prove to be of use to you, not only in having another OS to run your server on, but also on macOS itself with its *NIX-ish underpinnings. It’s a shame Server is gone, but even if you can run a Linux VM on an Apple Silicon Mac to use Linux for certain work, it’ll expand the available software you can run and make it a lot easier to install and maintain, to boot. Microsoft absolutely was onto something when it brought Linux workflows into the Windows ecosystem with WSL, and although the experience isn’t quite the same as using Terminal on macOS, it’s close enough in many respects to be a serious contender for many devops workflows.