I recently upgraded a 10.4 Server install to 10.5. This is mainly a fileserver for about 20 people, including a few Windows XP boxes and the rest on 10.4 or 10.5. The upgrade went quite smoothly, and I like the new Admin tools, but I've been fighting with permissions issues since doing the upgrade.
Specifically, I always had the option under previous versions of OSXServer set to create new files with permissions inherited from the parent. The file structure is one large shared volume with a couple of folders with permissions restricted to a specific Group, and the rest R/W-able for the main staff group. I have no need nor desire for users to be able to override their own permissions granularly--I just want to inherit appropriately from the parent folder. Under 10.3 and 10.4, files/folders created or copied by users always had the correct permissions, and I had no complaints from anybody.
Now, however, Apple seems to have removed that override for AFP from the admin tools (I still have the SMB "inherit" box checked, and it seems to work correctly).
The documentation I found searching indicated that I should be using ACLs to deal with this, but despite creating top-level ACLs with the appropriate settings and set to apply to all decedents, then stripping ACLs off of all sub-folders and setting the POSIX permissions to what I want, some of the time newly created files/folders will end up with the wrong POSIX permissions and the parent ACL will not override this.
So basically some one will create a folder that is, for whatever reason, set as R/W for their POSIX user, and R-only (or no-access) for POSIX group and everyone. Since the parent ACL isn't overriding this, nobody else can modify this file until I go in via the admin tools and fix the permissions.
Am I doing something wrong here? What settings should I be using to replicate the (simpler) functionality I had under 10.3/10.4?
Specifically, I always had the option under previous versions of OSXServer set to create new files with permissions inherited from the parent. The file structure is one large shared volume with a couple of folders with permissions restricted to a specific Group, and the rest R/W-able for the main staff group. I have no need nor desire for users to be able to override their own permissions granularly--I just want to inherit appropriately from the parent folder. Under 10.3 and 10.4, files/folders created or copied by users always had the correct permissions, and I had no complaints from anybody.
Now, however, Apple seems to have removed that override for AFP from the admin tools (I still have the SMB "inherit" box checked, and it seems to work correctly).
The documentation I found searching indicated that I should be using ACLs to deal with this, but despite creating top-level ACLs with the appropriate settings and set to apply to all decedents, then stripping ACLs off of all sub-folders and setting the POSIX permissions to what I want, some of the time newly created files/folders will end up with the wrong POSIX permissions and the parent ACL will not override this.
So basically some one will create a folder that is, for whatever reason, set as R/W for their POSIX user, and R-only (or no-access) for POSIX group and everyone. Since the parent ACL isn't overriding this, nobody else can modify this file until I go in via the admin tools and fix the permissions.
Am I doing something wrong here? What settings should I be using to replicate the (simpler) functionality I had under 10.3/10.4?