After Catalina upgrade and server to 5.9, AFP ACL access locked, SMB access ok

The problem has been solved after investigating the sharing, groups & users and permissions setup with a remote desktop app.


All shared folders resided on an external drive which was an old system drive. Remnants could be found like a /bin, /sbin, /usr the usual symlink suspects and some other files and folders (all invisible). The groups & users were properly set up. Permissions for the disk and file & folders were set (but rather unclear to me).

The basic problem/bug could't be found, because time was short (and I was lazy).


My proposal was: building everything from scratch

  1. Add an admin to each sharing group (if not done already)
  2. Disable sharing for the drive (or the shared folders)
  3. Copy all shared folders to a second external drive, remove all ACLs and use (sudo) chown ... -R ... to reset all major folders and their content to adminuser:admin
  4. Format the external drive to JHFS+
  5. Create as adminuser a main folder Shared on the drive:

    mkdir /Volumes/ExternalDrive/Shared
    ls -ale /Volumes/ExternalDrive/Shared
    total 0
    drwxr-xr-x   2 adminuser  admin   68 Feb 11 18:55 .
    drwxrwxr-x  10 root       admin  408 Feb 11 18:55 ..
    
  6. Copy all major subfolders back to /Volumes/ExternalDrive/Shared

    Example/Result:

    ls -ale /Volumes/ExternalDrive/Shared    
    total 0
    drwxr-xr-x   4 adminuser  admin  136 Feb 11 19:10 .
    drwxrwxr-x  10 root       admin  408 Feb 11 18:55 ..
    drwxr-xr-x   2 adminuser  admin   68 Feb 11 19:10 develop
    drwxr-xr-x   2 adminuser  admin   68 Feb 11 19:10 finance
    
  7. Apply chmod 750 to the main subfolders:

    chmod 750 /Volumes/ExternalDrive/Shared/develop
    chmod 750 /Volumes/ExternalDrive/Shared/finance
    
  8. Apply group ACLs (I named the dev group develop and the fin group finance - like the folders)

    Examples (the example ACL allows full access to all sub-subfolders - every user of the respective group can really do anything, so be aware/fine tune it):

    chmod -R +a "group:develop allow readattr,writeattr,readextattr,writeextattr,readsecurity,list,search,add_file,add_subdirectory,delete_child,file_inherit,directory_inherit" /Volumes/ExternalDrive/Shared/develop
    chmod -R +a "group:finance allow readattr,writeattr,readextattr,writeextattr,readsecurity,list,search,add_file,add_subdirectory,delete_child,file_inherit,directory_inherit" /Volumes/ExternalDrive/Shared/finance
    

    Result:

    ls -ale /Volumes/ExternalDrive/Shared
    total 0
    drwxr-xr-x   4 adminuser  admin  136 Feb 11 19:10 .
    drwxrwxr-x  10 root       admin  408 Feb 11 18:55 ..
    drwxr-x---+  2 adminuser  admin   68 Feb 11 19:10 develop
     0: group:develop allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
    drwxr-x---+  2 adminuser  admin   68 Feb 11 19:10 finance
     0: group:finance allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
    
  9. Enable (AFP) sharing for the Shared folder or share each main subfolder (i.e. develop, finance etc.)

    In the first case all users can access the Shared but have no or restricted access to subfolders. Example (member of the develop group opens the share - other groups' members have no access at all, except if a user is member of several groups and develop is one of it)

    Shared/develop

    In the second case (e.g. sharing develop and logging in as member of the develop group)

    develop

  10. If you need to have personalized sub-subfolders (access for one user of the group only), you have to stop the "global" group ACL and add a new user ACL.

AFP-Sharing worked again afterwards.