NTFS Permissions with a Macintosh

lager100 · Mar 7, 2007

Hi,

I currently have folders shared on a windows server with Share permissions set to "Full control" to "everyone", however the NTFS permissions restrict access down to individual users.

I have noticed when a mac user (logging in with a local user account on the mac) uses the "connect to server" option and connects to this server, they are assigned the "full control" permissions to the share points and totally ignore the NTFS permissions.

How can I force these permissions to Apply? Will creating accounts in Active Directory for the Mac users fix this? Currently they log on with local accounts on the mac.

If I can block the "connect to server" option for certain IP addresses this will resolve the problem too. But how?

Cheers

cwa107 · Mar 7, 2007

lager100 said:
Hi,

I currently have folders shared on a windows server with Share permissions set to "Full control" to "everyone", however the NTFS permissions restrict access down to individual users.

I have noticed when a mac user (logging in with a local user account on the mac) uses the "connect to server" option and connects to this server, they are assigned the "full control" permissions to the share points and totally ignore the NTFS permissions.

How can I force these permissions to Apply? Will creating accounts in Active Directory for the Mac users fix this? Currently they log on with local accounts on the mac.

If I can block the "connect to server" option for certain IP addresses this will resolve the problem too. But how?

Cheers

Interesting. NTFS/File level permissions should always override share level permissions on any version of NT server. Check that ACL and make sure there are no entries for local groups. Also check to see what credentials the Mac users are entering when they connect to the share.

I administer an Active Directory/Microsoft network, all of our shares are built in the manner you describe (all users have full access at the share level, we set NTFS permissions at the folder level) - I'm home from work at the moment, but the next time I have my MacBook Pro in the office, I'll try to duplicate the behavior and see if I can replicate it.

lager100 · Mar 7, 2007

Hi,

*should* is the operative word there

after a bit of researching, it seems that the Mac doesnt actually *ignore* the NTFS ACL, but rather uses the least restrictive permission set for that account.. i.e. if you have a full control on the share and a read only on the ntfs, the full control will apply on a mac, where as the read only will apply on a windows machine.

its a bit of a worry really since all my home users folders are shared up with full control to everyone and then refined down to individual users on the specific folders.. however i was able to use a mac to delete these folders with an account that has no access to that folder (even though the contents would not be displayed).

cwa107 · Mar 7, 2007

lager100 said:
Hi,

*should* is the operative word there

after a bit of researching, it seems that the Mac doesnt actually *ignore* the NTFS ACL, but rather uses the least restrictive permission set for that account.. i.e. if you have a full control on the share and a read only on the ntfs, the full control will apply on a mac, where as the read only will apply on a windows machine.

its a bit of a worry really since all my home users folders are shared up with full control to everyone and then refined down to individual users on the specific folders.. however i was able to use a mac to delete these folders with an account that has no access to that folder (even though the contents would not be displayed).

Interesting - and a definite security risk. Where did you find that info?

lager100 · Mar 7, 2007

Permission Translation
The set of permissions that are available for Windows 2000 users differs from the set of permissions that are available for the Macintosh. Services for Macintosh automatically translates permissions so that permissions are enforced for both Windows 2000 and Macintosh users.

The Windows 2000 Server administrator account always has Modify permissions on Services for Macintosh volumes.

Permissions that are set in Macintosh networks behave differently from those that are set in Windows 2000 Server networks, including Macintosh-style permissions. From the Macintosh computer, a right that is assigned to everyone overrides more restrictive rights that are set on the owner or a group. From Windows 2000, permissions that are assigned to everyone do not override permissions that are set on the owner or group.

The built-in Everyone group on a Macintosh client only understands limited permissions. If you want to deny the Everyone group from a Macintosh client share, you must set the permissions on Windows 2000 by not explicitly setting deny but matching the no-access setting that Macintosh uses. To do this, set the Advanced Security properties to allow Read Attributes and Read Permissions for the Everyone group. On the Macintosh side you see a belt around the folder for those users who do not have explicit rights. If you do not do this, the Everyone group receives Read and Execute, List Folders and Read, plus any additional settings that you have checked for the Everyone group.

http://support.microsoft.com/kb/320215

cwa107 · Mar 7, 2007

lager100 said:
Permission Translation
The set of permissions that are available for Windows 2000 users differs from the set of permissions that are available for the Macintosh. Services for Macintosh automatically translates permissions so that permissions are enforced for both Windows 2000 and Macintosh users.

The Windows 2000 Server administrator account always has Modify permissions on Services for Macintosh volumes.

Permissions that are set in Macintosh networks behave differently from those that are set in Windows 2000 Server networks, including Macintosh-style permissions. From the Macintosh computer, a right that is assigned to everyone overrides more restrictive rights that are set on the owner or a group. From Windows 2000, permissions that are assigned to everyone do not override permissions that are set on the owner or group.

The built-in Everyone group on a Macintosh client only understands limited permissions. If you want to deny the Everyone group from a Macintosh client share, you must set the permissions on Windows 2000 by not explicitly setting deny but matching the no-access setting that Macintosh uses. To do this, set the Advanced Security properties to allow Read Attributes and Read Permissions for the Everyone group. On the Macintosh side you see a belt around the folder for those users who do not have explicit rights. If you do not do this, the Everyone group receives Read and Execute, List Folders and Read, plus any additional settings that you have checked for the Everyone group.

http://support.microsoft.com/kb/320215

OK, so you guys are running Services for Macintosh. I assumed you were just using SMB.

lager100 · Mar 7, 2007

cwa107 said:
OK, so you guys are running Services for Macintosh. I assumed you were just using SMB.

SMB only

cwa107 · Mar 7, 2007

lager100 said:
SMB only

Interesting. Thanks for bringing this to my attention. What's weird is that the practice of setting Full Control for all users for the share permission and then setting the actual permissions at the folder level is a Microsoft "best practice". If the security is that lax as to allow another client OS to default to the less restrictive security setting, that is very concerning.

I'll have to play with this tomorrow at work and bring it up with IT management. We don't employ Macs anywhere in our infrastructure, but Linux machines also use SAMBA for SMB connectivity, so the same should apply there.

Again, great thread and thanks for posting your findings.

lager100 · Mar 8, 2007

Did you get a chance to test it at work?

cwa107 · Mar 8, 2007

lager100 said:
Did you get a chance to test it at work?

I did, but I didn't have the same results. Just to give you a little background - we have a single domain Active Directory. There are about 600 servers and 9000 clients. Most of the servers are 2003, some are still 2000. All of the clients are XP.

On one of my local F&P servers, I have about 30 shares. Each is shared in the way you describe, being Everyone has Full Control share permission. Then, the NTFS permissions are defined as Local Administrators have Full Control (Domain Admins are a member of local Administrators group), then there are individual AD Global groups that have more granular permissions.

My MacBook Pro is not a member of the AD domain, I connect using SMB in the standard way. I'm prompted for credentials and I use a domain account that is a test account. It is literally a member of no groups aside from Domain Users. It does not have any NTFS permissions whatsoever. When I attempt to connect, the share comes up but there are no contents viewable. On an XP machine, I would have gotten an access denied, but rather than do that, it just showed no available folders.

I tried various other servers that have shares configured in the same way, with identical results. I did not attempt to use any local credentials, although thinking back on it, I probably should have tried.

When you were prompted to authenticate, did you use a local account?

lager100 · Mar 8, 2007

600 servers! That should be fun

I have a pitiful 28 for 2000 users.

I think I can see where the difference in our setup is and where I messed up.

In the root folder, say i.e. called "Share 1" I have full control on the share and the NTFS for Everyone. Then inside the Share 1 folder the user folders are located that are all hidden shares themselves with Share permission of Full control everyone, but NTFS permission of the User full control, Administrator Full and Management group Read.

Once connected through SMB to the Share 1 folder, I can see all users home folders since they are shared too - however I can not see any contents inside those folders - BUT I can still delete the folder. The account used to connect through SMB is a test account that belongs no group listed in the ACL for the users own folder.

Im wondering if I change Full control of Everyone on the Share 1 NTFS permission if this will fix it.

Make sense?

cwa107 · Mar 8, 2007

I should have mentioned that about 1/3 of those clients are thinclients. Roughly a 1/4 of those are Citrix/Terminal Servers. Many (about 100) are virtualized.

Your proposal absolutely makes sense. I think our folder structures are just a bit different. I wonder if that's what it is (not that NT should allow any client to do that - my understanding is that the most restrictive permission wins, always).

Let me know what happens when you make that change.

lager100 · Mar 12, 2007

got it working properly now.

the root folder has a share permission of full to everyone, and ntfs of administrator full and nothing else. inside that folder, the shared folders have permissions of share full to everyone, and ntfs to full administrator and full to the user. this setup allows for the user to write to the home folder, but denies write or even read permission to anyone but the owner/administrator on the home folders.

previously, 'everyone' was listed on full control ntfs on the root folder which seems to propogate through to the users folder, even though 'everyone' was not listed on the ntfs for the users folder. with this setup, using smb connecting to the root folder share, they could see all user folders, but nothing inside them. however they were able to delete the folder.

cwa107 · Mar 12, 2007

Cool beans, glad to hear you've got it squared away - and thanks for the tip-off.