Fixing Windows File Sharing (SMB) Permissions on OS X Server

With Apple hiding a lot of the more useful and fine-grained controls over the services on OS X Server, the SMB Service is one area that has suffered.

There is no longer any control whatsoever over Windows file sharing, other than having a checkbox to turn it on or off on each sharepoint.

As it turns out, there’s a big problem with Windows file sharing on OS X Server: newly created files are given default permissions that ignore all ACL inheritance and the permissions on the containing folder, so each file can only be accessed by its owner. There is no access by other members of the group, or by anyone else.

In previous versions of OS X Server, there were configuration panes for Windows file sharing, so you could accept the default behaviour or explicitly set the permissions to be used for new files and folders.

Now that Apple has ditched Samba in Lion and Mountain Lion, none of the tweaks that have been applied previously are of any use.

In Lion Server and Mountain Lion Server, there’s a command-line option that restores some sanity to SMBX, Apple’s SMB Service. The following command, to be executed from Terminal on the OS X Server, will enable ACL inheritance for files and folders accessed via SMB:

sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AclsEnabled -bool YES

More information is available in Apple Knowledge Base Article TS4149.
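
A follow-up check, added here as an example and not taken from the original post or from Apple: the script reads back the AclsEnabled key and lists items under a sharepoint whose POSIX mode grants nothing to group or others, which is the owner-only symptom described above. The function names and the sample sharepoint path in the comments are hypothetical.

```shell
#!/bin/sh
# Added example. Function names and the sample path are assumptions,
# not part of the original post.

PLIST=/Library/Preferences/SystemConfiguration/com.apple.smb.server

# Print the stored AclsEnabled value (1 or 0), or "unset" when the key
# has never been written or the defaults tool is not available.
acls_enabled() {
    if command -v defaults >/dev/null 2>&1; then
        defaults read "$PLIST" AclsEnabled 2>/dev/null || echo unset
    else
        echo unset
    fi
}

# List files and folders below a sharepoint that carry no group or
# other permission bits at all (for example mode 600 or 700).
# Six single-bit tests are used because they behave the same in the
# BSD find shipped with OS X and in GNU find.
# This looks at the POSIX mode only; on OS X, "ls -le" on a listed
# item shows whether any ACL entries are attached to it.
owner_only_items() {
    find "$1" \( -type f -o -type d \) \
        ! -perm -040 ! -perm -020 ! -perm -010 \
        ! -perm -004 ! -perm -002 ! -perm -001 -print
}

# Number of owner-only items (one per output line, so a name that
# contains a newline is counted more than once).
owner_only_count() {
    owner_only_items "$1" | wc -l | tr -d ' '
}

# Typical use on the server, with a hypothetical sharepoint path:
#   acls_enabled
#   sudo sh -c '. ./smb_audit.sh; owner_only_items "/Shared Items/Projects"'
```

Running the listing before and after a test file is saved from a Windows client shows whether new files still arrive owner-only.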

 
