Solve permission issues with MacOS and Samba File Servers

This article fixes permission issues that I experienced when running a Samba 4 file server and a MacOS computer, both joined to an Active Directory server.

Symptoms:

  • Windows devices were able to connect properly to the Samba file server shares and read/write all files and folders correctly.
  • A specific MacOS device was able to connect properly to the Samba file server.
  • MacOS was not able to read all folders from the home drive. They were shown but grayed out.
  • Folders created via Windows or MacOS could be accessed by MacOS (but not some folders that were copied otherwise).
This has been tried with the same user on both Windows and MacOS to rule out permission issues.
 
Other maybe relevant background:
  • I am not sure whether there were issues on normal shared drives.
  • The issues are with folders that were copied via rsync from another host directly onto the Samba file server.
 
So this is what I did to compare folders with issues and without:
  1. Ownership and permission
    1. ls -lAZ # Show the ownership and permissions and compare them to a working folder.
    2. stat -c '%a %n' * # same as 1. above but numeric permissions
    3. chown <x>:<y> <not working folder> # Update ownership. x = owner; y = owner group; not working folder = the now working folder...
    4. chmod # use chmod to update the permissions as in 1. or 2.
  2. Linux ACL
    1. getfacl <working folder> # gets the ACL values for a working folder
    2. setfacl <not working folder> # set the ACL values for the non-working folders. You have to find the correct command line parameters yourself. I didn't go into this.
  3. Extended attributes (xattrs) # you might have to install the package attr (dnf -y install attr)
    1. getfattr <working folder> # gets the attributes for a working folder
    2. getfattr <non-working folder> # compare the output to 1
    3. setfattr -x <name> <non-working folder> # delete the delta attributes between 1. and 2. (put them into <name>)
  4. SELinux
    1. I did not go into SELinux as I have not enabled it. But you might have to also go down this route.

 

I hope these steps were of some use for you and fixed your problem. For me, number 3 was the root cause.
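
The comparison in step 3 can be scripted so the delta between a working and a non-working folder is printed directly. This is an added example, not part of the original post; it assumes getfattr from the attr package, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: list extended attributes that a non-working folder carries
# but a working folder does not (the delta from step 3).
# Assumes getfattr from the "attr" package; function names are hypothetical.

# Reduce getfattr output on stdin to a sorted list of attribute names:
# drop the "# file: ..." header and blank lines, strip any =value part.
xattr_names() {
    sed -e '/^#/d' -e '/^$/d' -e 's/=.*$//' | sort -u
}

# Print names that appear in listing file $2 but not in listing file $1.
names_delta() {
    a=$(mktemp) && b=$(mktemp) || return 1
    xattr_names <"$1" >"$a"
    xattr_names <"$2" >"$b"
    comm -13 "$a" "$b"
    rm -f "$a" "$b"
}

# xattr_delta WORKING NOT_WORKING: query both folders and print the delta.
# "-m -" lists every namespace getfattr is allowed to read, not only user.*
xattr_delta() {
    good=$(mktemp) && bad=$(mktemp) || return 1
    getfattr --absolute-names -m - "$1" >"$good" 2>/dev/null
    getfattr --absolute-names -m - "$2" >"$bad" 2>/dev/null
    names_delta "$good" "$bad"
    rm -f "$good" "$bad"
}

# Run as: sh xattr_delta.sh <working folder> <not working folder>
# Each printed name is a candidate for: setfattr -x <name> <not working folder>
if [ "$#" -eq 2 ]; then
    xattr_delta "$1" "$2"
fi
```

Review each printed name before removing it with setfattr -x, because Samba keeps its own metadata in extended attributes as well.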