Mac Thread: Repair Permissions, in Technical
24th February 2009, 10:32 AM #1
All my Mac users have lost their write access to their home folders on our Mac network!
This means that whilst they can log in, they can't save any work to their home drive.
I have no idea how this happened, but I think I can see where the problem is. Under "Get Info" for each home folder, the permissions don't include the user.
If I create a new user, the permissions DO include that user.
So, somewhere, the permissions for all the folders have had the user removed, thus they only get read access to their own folders.
Is there a 'repair permissions' utility that I can use? Or am I going to have to reset each and every folder's permissions manually?
I understand the permissions should be set to:
System - [username] - (read/write)
Group - staff - read
Everyone - read
...and then I should be able to set this to all folders/files within, but it won't propagate to files/folders contained therein.
Thanks in advance.
24th February 2009, 10:34 AM #2
Disk Utility has the "repair disk permissions" option, try that?
24th February 2009, 10:37 AM #3
All our Home folders are on a Data partition, and Disk Utility won't give me access to the 'repair' facility when Data is highlighted - permission tasks are greyed out.
I can only access Boot volume for these.
Notwithstanding, I ran the repair permissions on boot, and repaired those that it found required repairing, but this has had no effect on the overall problem.
24th February 2009, 10:50 AM #4
Are you not able to restore from a backup from when it was last working? Or have changes been made since then?
24th February 2009, 11:02 AM #5
Possibly, but we are at the bottom of a very steep learning curve here, and our 'solutions' provider has really left us in the lurch - a mess I can't really go into more detail over.
For the purposes of this exercise, we are going to have to assume restoring is not an option at this stage.
24th February 2009, 08:06 PM #6
Assuming this is a 'classic' Open Directory deployment then whatever folder/directory is being shared for User Home Folder creation the default POSIX permissions should be:
Owner: admin or root R/W
Group: admin R/W
Depending on how you created the folder/directory (using the finder or the application) you'll either see root or admin. Either will do.
For individual User's Parent Homes:
Owner: User's name R/W
Group: staff R
When you look at the individual folders themselves they should all belong to the User who should have full Read/Write privileges. The Group should be staff with No Access as should Everyone. All of the folders should have these permissions apart from Public and Sites. These two folders will have the same permissions as the User's Parent directory.
You can't repair permissions on a volume/drive that does not have a valid OS installed.
What I've sometimes seen is an overzealous teacher or IT admin get confused about the permissions models available? They assign ownership at the Parent folder level to a different user and propagate downwards from there using the POSIX model. End result students don't get access to their homes or have read access only. Not good.
It might be best to explain the Permissions Models available so as a greater understanding can be achieved? Essentially there are two - there is a third. Access Control Lists (ACLs) and standard POSIX. ACLs are similar to what is available on the Windows platform and have been available since 10.4. In 10.4 you have to enable ACLs for a given volume followed by a restart. This is for the Server. The Client OS still used POSIX. ACLs supersede or worked in conjunction with standard POSIX. You had to be careful as a deny in both models could lock you out with dire consequences.
Standard POSIX are limited (no support for multiple groups for example) in their scope whereas ACLs are far wider and more 'granular'. You have to be careful with ACLs as things can soon get complicated. However once you begin to understand how they work there is not much you can't achieve. For example ACLs can traverse directories.
With 10.5 ACLs are used by default in both the Server and Client OS. Standard POSIX is deprecated in favour of ACLs. Apart from special users reserved for the system and home folder creation only ACLs are honoured.
However this is not perfect - what a surprise!
On OSX Server you should never 'fiddle' with permissions using the Finder. It's okay to do it with the Client OS although it can go wrong sometimes. Better to use the relevant application on the Server OS or the command line on both. Consult the manual pages for chown and chmod for examples and usage. The above is especially true for 10.5.
For your problem and unless someone comes up with something else - a script with relevant variables included possibly? I think you are really looking at 'resetting' each individual users home parent folder and propagating from there. As mentioned you should only be using standard POSIX to achieve this. It's easier to troubleshoot that way.
If you want to provide access for a teacher or group of teachers or members of the IT staff do so using an overriding ACL. The third permissions model available are SACLs (Service Access Control Lists). These can be set and defined using Server Admin. In practice you generally leave them at their defaults.
Antonio Rocco (ACSA)
Last edited by AntonioRocco; 24th February 2009 at 08:12 PM.
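The per-user reset that post #6 describes (owner set per home, POSIX modes propagated downwards, Public and Sites mirroring the parent), sketched as a shell script. This is an added example, not code from any poster or from a tool named in the thread. It assumes each home folder is named with the user's shortname; the octal modes are this example's translation of the thread's "R/W", "R" and "No Access", and `reset_home`, `reset_all_homes` and `APPLY_OWNER` are names made up here.

```bash
#!/bin/bash
# Added example: reset network homes to the POSIX layout described in post #6.
# Directories carry the execute bit so they can be traversed; execute bits on
# ordinary files are cleared. ACLs are not touched.

# reset_home HOMES_ROOT SHORTNAME   (APPLY_OWNER=0 skips chown for a non-root trial)
reset_home() {
    local root=$1 user=$2 home shared
    # Refuse names that could escape HOMES_ROOT.
    case $user in
        ""|.|..|*/*) echo "bad shortname: '$user'" >&2; return 2 ;;
    esac
    home=$root/$user
    [ -d "$home" ] && [ ! -L "$home" ] || { echo "no home: $home" >&2; return 1; }

    if [ "${APPLY_OWNER:-1}" = 1 ]; then
        # Needs root. -h changes a symlink itself, never the file it points to.
        chown -Rh "$user:staff" "$home" || return 1
    fi

    # Everything below the home: owner R/W, staff and everyone No Access.
    find "$home" -mindepth 1 -type d -exec chmod 700 {} +
    find "$home" -mindepth 1 -type f -exec chmod 600 {} +

    # Public and Sites mirror the parent home: owner R/W, staff and everyone read.
    for shared in Public Sites; do
        [ -d "$home/$shared" ] || continue
        find "$home/$shared" -type d -exec chmod 755 {} +
        find "$home/$shared" -type f -exec chmod 644 {} +
    done

    # Parent home itself: owner R/W, group staff read, everyone read.
    chmod 755 "$home"
}

# Reset every folder directly under HOMES_ROOT; returns the number of failures.
reset_all_homes() {
    local root=$1 dir failed=0
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        reset_home "$root" "$(basename "$dir")" || failed=$((failed + 1))
    done
    return "$failed"
}
```

Try it first with `APPLY_OWNER=0` against a copy of one home and inspect the result with `ls -le` before running it as root over the whole share.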
24th February 2009, 10:25 PM #7
Provided the users' network home folders are named with the user's shortname, Passenger is the tool you require.
The splendid batch permissions facility does not even require registration.
Passenger: The Mac Server Account Creation Utility
12th October 2009, 05:27 PM #8
Thanks for the tip, this worked brilliantly.
We had an issue where it was saying that the users were already logged in when nobody was, and if we turned on simultaneous log on our students could log in, but as soon as we turned it off, nothing.
Used Passenger to reset the permissions on the home folders and then the users could log straight in.
That has saved me a huge headache and a reinstall of OS X Server.
27th January 2010, 04:02 PM #9
They are set as their shortname, but I have looked at this program and can't really fathom it.
Is there ANY chance someone could 'walk' me through this?
I am now at the point of desperation, I really am.