After Catalina upgrade and server to 5.9, AFP ACL access locked, SMB access ok
The problem has been solved after investigating the sharing, groups & users and permissions setup with a remote desktop app.
All shared folders resided on an external drive which was an old system drive. Remnants could be found, like /bin, /sbin, /usr (the usual symlink suspects) and some other files and folders (all invisible). The groups & users were properly set up. Permissions for the disk and the files & folders were set (but rather unclear to me).
The basic problem/bug couldn't be found, because time was short (and I was lazy).
My proposal was to build everything from scratch:
- Add an admin to each sharing group (if not done already)
- Disable sharing for the drive (or the shared folders)
- Copy all shared folders to a second external drive, remove all ACLs and use

      (sudo) chown ... -R ...

  to reset all major folders and their content to adminuser:admin
- Format the external drive to JHFS+
- Create, as adminuser, a main folder Shared on the drive:

      mkdir /Volumes/ExternalDrive/Shared
      ls -ale /Volumes/ExternalDrive/Shared
      total 0
      drwxr-xr-x   2 adminuser  admin   68 Feb 11 18:55 .
      drwxrwxr-x  10 root       admin  408 Feb 11 18:55 ..
- Copy all major subfolders back to /Volumes/ExternalDrive/Shared

  Example/Result:

      ls -ale /Volumes/ExternalDrive/Shared
      total 0
      drwxr-xr-x   4 adminuser  admin  136 Feb 11 19:10 .
      drwxrwxr-x  10 root       admin  408 Feb 11 18:55 ..
      drwxr-xr-x   2 adminuser  admin   68 Feb 11 19:10 develop
      drwxr-xr-x   2 adminuser  admin   68 Feb 11 19:10 finance
- Apply chmod 750 to the main subfolders:

      chmod 750 /Volumes/ExternalDrive/Shared/develop
      chmod 750 /Volumes/ExternalDrive/Shared/finance
- Apply group ACLs (I named the dev group develop and the fin group finance, like the folders)

  Examples (the example ACL allows full access to all sub-subfolders; every user of the respective group can really do anything, so be aware/fine-tune it):

      chmod -R +a "group:develop allow readattr,writeattr,readextattr,writeextattr,readsecurity,list,search,add_file,add_subdirectory,delete_child,file_inherit,directory_inherit" /Volumes/ExternalDrive/Shared/develop
      chmod -R +a "group:finance allow readattr,writeattr,readextattr,writeextattr,readsecurity,list,search,add_file,add_subdirectory,delete_child,file_inherit,directory_inherit" /Volumes/ExternalDrive/Shared/finance
  Result:

      ls -ale /Volumes/ExternalDrive/Shared
      total 0
      drwxr-xr-x   4 adminuser  admin  136 Feb 11 19:10 .
      drwxrwxr-x  10 root       admin  408 Feb 11 18:55 ..
      drwxr-x---+  2 adminuser  admin   68 Feb 11 19:10 develop
       0: group:develop allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
      drwxr-x---+  2 adminuser  admin   68 Feb 11 19:10 finance
       0: group:finance allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
- Enable (AFP) sharing for the Shared folder or share each main subfolder (e.g. develop, finance etc.)

  In the first case all users can access Shared but have no or restricted access to the subfolders. Example (a member of the develop group opens the share; other groups' members have no access at all, except if a user is a member of several groups and develop is one of them)

  In the second case (e.g. sharing develop and logging in as a member of the develop group)
- If you need to have personalized sub-subfolders (access for one user of the group only), you have to stop the "global" group ACL and add a new user ACL.
AFP-Sharing worked again afterwards.
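The ACL part of the rebuild above, scripted, as an added example that is not part of the original answer: the chmod 750 plus inheritable group entry per share folder, a read-only variant of the entry for the "fine-tune it" case, and the personalized sub-subfolder from the last step (inherited group entry cleared, user entry added). The paths, the group names develop/finance and the user alice are assumptions for illustration; chmod +a and chmod -N are macOS-only, so on any other system the script only echoes the commands it would run (DRY_RUN=1) and changes nothing.

```shell
#!/bin/sh
# Added example, not code from the original answer. Assumptions: SHARE_ROOT,
# the groups develop/finance and the user "alice" are illustrative; chmod +a
# and chmod -N exist only on macOS, so elsewhere commands are only echoed.
set -eu

SHARE_ROOT="${SHARE_ROOT:-/Volumes/ExternalDrive/Shared}"
[ "$(uname -s 2>/dev/null || echo unknown)" = Darwin ] || DRY_RUN=1
DRY_RUN="${DRY_RUN:-0}"

run() {                                   # execute, or just print when dry-running
  if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# ace_spec PRINCIPAL MODE [KIND] -> one chmod +a entry string.
# PRINCIPAL is "group:NAME" or "user:NAME"; MODE is rw or ro; KIND is dir
# (default) or file. Directory entries carry the inheritance flags so newly
# created children copy them; file entries use the file vocabulary
# (read/write/append instead of list/add_file/add_subdirectory).
ace_spec() {
  principal=$1; mode=$2; kind=${3:-dir}
  case "$kind:$mode" in
    dir:ro)  rights="list,search,readattr,readextattr,readsecurity" ;;
    dir:rw)  rights="list,search,add_file,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity" ;;
    file:ro) rights="read,readattr,readextattr,readsecurity" ;;
    file:rw) rights="read,write,append,readattr,writeattr,readextattr,writeextattr,readsecurity" ;;
    *) echo "ace_spec: MODE must be ro|rw and KIND dir|file (got $mode/$kind)" >&2; return 1 ;;
  esac
  if [ "$kind" = dir ]; then rights="$rights,file_inherit,directory_inherit"; fi
  printf '%s allow %s\n' "$principal" "$rights"
}

# apply_group_acl DIR GROUP MODE: POSIX bits 750 (owner rwx, group admin r-x,
# others nothing), then the group entry on every directory and existing file.
apply_group_acl() {
  dir=$1; group=$2; mode=$3
  run chmod 750 "$dir"
  dir_ace=$(ace_spec "group:$group" "$mode" dir)
  file_ace=$(ace_spec "group:$group" "$mode" file)
  find "$dir" -type d | while IFS= read -r d; do run chmod +a "$dir_ace" "$d"; done
  find "$dir" -type f | while IFS= read -r f; do run chmod +a "$file_ace" "$f"; done
}

# personal_subfolder DIR USER: a sub-subfolder only USER may use. The new
# directory inherits the group entry from its parent, so its ACL is cleared
# (chmod -N) before the user entry is added.
personal_subfolder() {
  dir=$1; user=$2
  run mkdir -p "$dir"
  run chmod -N "$dir"
  run chmod 700 "$dir"
  run chmod +a "$(ace_spec "user:$user" rw dir)" "$dir"
}

if [ ! -d "$SHARE_ROOT" ]; then
  if [ "$DRY_RUN" = 1 ]; then
    # Not on the server: build a throwaway tree so the dry run still lists every command.
    SHARE_ROOT="$(mktemp -d)/Shared"
    mkdir -p "$SHARE_ROOT/develop" "$SHARE_ROOT/finance"
  else
    echo "no such directory: $SHARE_ROOT" >&2; exit 1
  fi
fi

apply_group_acl "$SHARE_ROOT/develop" develop rw
apply_group_acl "$SHARE_ROOT/finance" finance rw
personal_subfolder "$SHARE_ROOT/develop/alice" alice
```

Two points worth knowing before relying on the personal folder: other members of develop can still see the folder name, because they hold list on develop, and they can still delete the folder itself (not its contents), because delete_child on the parent directory is enough for that on macOS; drop delete_child from the group entry if that matters. The read-only variant (`ace_spec group:finance ro`) is what to hand to a group that should only browse a share.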