Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-3338: Copying files on Windows shares does not retain inherited permissions

Centrify Identity Service, Mac Edition ,  

12 April,16 at 11:11 AM

Applies to: All versions of Centrify DirectControl on Mac OS X

Question:

When working with files over a network share, copying files from one location to another does not retain the security permissions of the original file.

Upon further investigation, the following behaviour is found:
  • Copying a file from a Mac to the network share inherits the correct permissions.
  • Copying or duplicating a file from one part of the share directly to another part of the share does not inherit the permissions.

Why does this happen?

Answer:

This issue may occur to the Mac systems that are joined in either of the following environments:
  • Zone Mode
  • Auto Zone while using the auto.schema.groups parameter
    (A standard set up does not use this. It is also used when the "Specify AD groups allowed in Auto Zone" GP is enabled)

If the Security settings of a shared folder or file contains an AD group or user which cannot be resolved by the Mac - then the copy operation will not include that group or user in the destination file/folder's permissions. This is an OS X issue and is not Centrify-related.

To ensure that the full Security settings are correctly copied over - make sure any groups that are specified in the Security permissions can also be resolved by the Mac:
  • For Zone Mode: Add the AD group into the relevant Centrify Zone
  • For Auto Zone: Make sure the AD group is also included in the auto.schema.groups filter.

After the groups have been added into the Zones, go to the Mac and as a user with Local Admin privileges - run the following Terminal command:

  sudo adflush

When this completes, the Mac will be able to copy files on network shares correctly.



Keywords: SMB security permissions mount read write groups 

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.