Office 2008 Files: Read Only, POSIX, ACLs Frustration!

Decker 12

We have a fully patched Leopard server with SMB sharepoints.

I'll create a new folder using my Leopard client, we'll call it PermTest.

I wish to lock down this folder, so I set POSIX permissions to Owner:
Decker12, Read/Write, Group: Sales, Read/Write, Everyone: None.

I'll drop some Word and Excel files in that folder, and propagate the
permissions. I'll use TinkerTool System and "ls -le" to verify that the
permissions are set correctly on the folder and all the documents contained
inside of it.

I verify that from the client, Decker12 and members of the Sales group can
connect to it and see the files. They can move, rename, add files to the
folder. Permissions look great.

However, any file (Word, Excel, ppt, etc) that's in that folder will open up
as Read Only.

I am the only person experimenting with this (ie no other users will lock
the files up or create legitimate Read Only issues).

If I change the POSIX "Everyone" to Read/Write, and propagate, Office 2008
programs will open the files up correctly (ie, not Read-Only). This defeats
my security needs however.

I've been messing with this for hours, and have determined that this is an
Office 2008 specific problem, or some way that Office 2008 is mishandling
parts of Leopard's SMB implementation.

Regular file permission activities work as intended with the exact same
files in the folder as long as I use other programs. For instance, I can
rename the files, move them around, open and write and save to these
supposedly "read-only" files in Text Editor or Open Office. Only Office 2008
is reporting them as "read only". Again, Office 2008 is only happy if I set
the "Everyone" POSIX attribute to "Read/Write".

Some other notes: If I recreate these steps on a Windows 2003 server (ie
create a share, assign some privs to it, copy files to it), everything works
fine without the Read Only problem. Adding ACLs on top of POSIX permissions
does not make a difference - ie. explicitly defining Decker12 as Full Control
in an ACL does not fix the Read Only problem.

Any ideas what I should try next?
 
William Smith [MVP]

Decker said:
I wish to lock down this folder, so I set POSIX permissions to Owner:
Decker12, Read/Write, Group: Sales, Read/Write, Everyone: None.

This is what I do for my server permissions (recreating from memory at
home):

Owner: <a local account on the server>
Group: <a local group on the server>
Everyone: None

ACLs:
Full Control: <same local account on the server>
Read/Write: <any group>
Read/Write: <any group>
Read only: <any group>
Read only: <any group>
Read only: Everyone from directory service, not local (if needed)

ACLs should always override standard permissions.

The reason I have this setup is because no network user or group with
network users in it should *ever* have Full Control (Ownership) of any
files or folders or permissions problems will be prevalent for non-owners.

How are your permissions set? To illustrate your setup you can take a
screen shot and post it on <http://www.imageshack.us/> for free and
without creating an account.


--

bill

Entourage Help Page <http://entourage.mvps.org/>
Entourage Help Blog <http://blog.entourage.mvps.org/>
YouTalk <http://nine.pairlist.net/mailman/listinfo/youtalk>
Twitter: follow <http://twitter.com/meck>
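As an added check (example code written for this thread, not Bill's or Apple's), the following Python script audits `ls -le` output against the layout Bill describes above: the POSIX "Everyone" triplet must be none, and only the POSIX owner may hold ownership rights (chown, writesecurity) through an ACL. The listing, account names and file names are constructed, and the regexes assume the line shape macOS `ls -le` prints.

```python
import re

# Constructed sample of "ls -le" output in the shape macOS prints it: a file line,
# then its ACL entries indented as " N: user|group:name allow|deny perm,perm,...".
# memo.docx is the "Everyone: Read/Write" workaround; plan.doc hands a group ownership.
SAMPLE_LS_LE = """\
drwxrwx---+  5 localadmin  admin  170 Mar 10 09:12 PermTest
 0: user:localadmin allow list,add_file,search,delete,readattr,writeattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 1: group:sales allow list,add_file,search,delete,readattr,writeattr,readsecurity,file_inherit,directory_inherit
-rw-rw----+  1 localadmin  admin  22016 Mar 10 09:13 budget.xls
 0: user:localadmin allow read,write,delete,append,readattr,writeattr,readsecurity,writesecurity,chown
 1: group:sales allow read,write,delete,append,readattr,writeattr,readsecurity
-rw-rw-rw-  1 localadmin  admin  31204 Mar 10 09:13 memo.docx
-rw-rw----+  1 localadmin  admin  31204 Mar 10 09:14 plan.doc
 0: group:sales allow read,write,delete,append,readattr,writeattr,readsecurity,writesecurity,chown
"""

FILE_RE = re.compile(r"^(?P<mode>[-dl][rwxsStT-]{9})[+@]*\s+\d+\s+(?P<owner>\S+)\s+\S+"
                     r"\s+\d+\s+\w+\s+\d+\s+[\d:]+\s+(?P<name>.+)$")
ACL_RE = re.compile(r"^\s*\d+:\s+(?P<who>(?:user|group):\S+)\s+(?P<kind>allow|deny)\s+(?P<perms>\S+)$")
OWNERSHIP_RIGHTS = {"chown", "writesecurity"}  # rights that let a principal rewrite the permissions

def parse_ls_le(text):
    """Return [(name, mode, owner, [(who, kind, {perms}), ...]), ...] from ls -le output."""
    entries = []
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            entries.append((m["name"], m["mode"], m["owner"], []))
        elif entries and (a := ACL_RE.match(line)):
            entries[-1][3].append((a["who"], a["kind"], set(a["perms"].split(","))))
    return entries

def audit(text):
    """Map each file name to the list of deviations from the lockdown layout."""
    findings = {}
    for name, mode, owner, acl in parse_ls_le(text):
        problems = []
        others = mode[7:10]  # the POSIX "Everyone" triplet
        if others != "---":
            problems.append(f"POSIX Everyone has '{others}' instead of none")
        for who, kind, perms in acl:
            granted = perms & OWNERSHIP_RIGHTS
            if kind == "allow" and granted and who != f"user:{owner}":
                problems.append(f"ACL gives ownership rights {sorted(granted)} to {who}")
        findings[name] = problems
    return findings

if __name__ == "__main__":
    for name, problems in audit(SAMPLE_LS_LE).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

Feed it the output of `ls -le` on the share point to spot the two deviations Decker's experiments involve: an "Everyone" triplet that is no longer none, and a non-owner principal holding Full Control.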
 
Decker 12

Thanks Bill for the info. In the morning I'll post the ACL list from the
server. However I do have some questions regarding your setup:

What do you mean by <any group>? A local group? An AD group? Or am I
supposed to fill in that blank with the group that I want to manage, for
example:

Mac HD:Sales Dept

Owner: LocalAdminAcct
Group: admin (ie the local admin group)
Everyone: None

ACLs:
Full Control: LocalAdminAcct (same as what's shown above in POSIX)
Read/Write: MYDOMAIN\Sales
Read/Write: MYDOMAIN\Domain Admins
Read Only: MYDOMAIN\Interns

I know this sounds like a simple question that I am asking you about (ie
setting permissions for a folder), but I have just been going nuts regarding
this Read Only thing that only appears in Office 2008, which is why I'm
trying to dig a bit deeper to find out if the cause isn't simple POSIX and
ACL permissions, but instead something dastardly that Office 2008 is trying
to do.

However your statement that:
The reason I have this setup is because no network user or group with
network users in it should *ever* have Full Control (Ownership) of any
files or folders or permissions problems will be prevalent for non-owners.

DEFINITELY intrigues me because that is not a standard I have been following
with diagnosing this problem, so I'm going to give that a try when I get to
work in the morning. I have been a Full Control kinda tester with network
account access instead of a Read/Write tester so far.
 
Decker 12

Hi Bill,

Unfortunately, after coming in this morning and taking your suggestion, I'm
still at the Read-Only problem. Here's my POSIX and ACL:

Folder is "PermTest" and contains several files of types .docx, .doc, .xls

Owner: LocalAdmin (UID 501), Read/Write
Group: admin (GID 80), Read/Write
Everyone: None

ACL:
LocalAdmin (UID 501):
Allow, Full Control, Inherited No
Decker12 (UID 1351912 [This is me, who is a network Active Directory User]):
Allow, Read and Write, Inherited No

I have applied these permissions and propagated them to all the files in the
folder. All of those documents still open up - remember in Office 2008 only!
- as Read Only. Again, if I open any of the files in Text Editor or another
non Office app, they are *not* Read Only and I can edit them.

It's almost like the Office products need to see some sort of goofy
permissions, maybe something related to how it locks/unlocks files, or
autosaves them, or something similar? Something that is maybe not supported
by the OSX implementation of SMB? If I copy the same files to a shared folder
on my Windows 2003 server (and set the same permissions), the Read Only
problem goes away.
 
William Smith [MVP]

My comments are inline with yours...

Decker said:
Thanks Bill for the info. In the morning I'll post the ACL list from the
server. However I do have some questions regarding your setup:

What do you mean by <any group>? A local group? An AD group? Or am I
supposed to fill in that blank with the group that I want to manage, for
example:

By <any group> I literally mean "any group" because ACLs aren't limited
by the number of groups you add. You might have just one group or you
might have multiple groups, each assigned with different ACLs.

Even on Mac OS X Server I like Microsoft's best practice for assigning
permissions to resources. Put users into Global groups and put Global
groups into local server groups. Then assign permissions to the local
groups.

Mac HD:Sales Dept

Owner: LocalAdminAcct
Group: admin (ie the local admin group)
Everyone: None

ACLs:
Full Control: LocalAdminAcct (same as what's shown above in POSIX)
Read/Write: MYDOMAIN\Sales
Read/Write: MYDOMAIN\Domain Admins
Read Only: MYDOMAIN\Interns

I think you should add the Everyone group here. ACLs will override the
standard Mac permissions. Try setting the standard permissions for
Everyone to Read/Write and then set the ACL for the Everyone group to None.

I know this sounds like a simple question that I am asking you about (ie
setting permissions for a folder), but I have just been going nuts regarding
this Read Only thing that only appears in Office 2008, which is why I'm
trying to dig a bit deeper to find out if the cause isn't simple POSIX and
ACL permissions, but instead something dastardly that Office 2008 is trying
to do.

This may actually be a problem with Office but I always suspect
permissions first. Out of curiosity, what is your reason for using SMB
over AFP for your Macs?

However your statement that:

DEFINITELY intrigues me because that is not a standard I have been following
with diagnosing this problem, so I'm going to give that a try when I get to
work in the morning. I have been a Full Control kinda tester with network
account access instead of a Read/Write tester so far.

Giving any user or group Full Control enables those users to literally
buck all permissions that you've set at the share point and begin
creating their own. That's not to say the users will themselves be
malicious but if an application, like Office, is wonky then it too has
full control over the files. This is just a safety measure to prevent
applications from doing something under the user's account that you
don't want it to do.

That's my philosophy at least...

 
William Smith [MVP]

My comments are inline with yours...

Decker said:
Hi Bill,

Unfortunately, after coming in this morning and taking your suggestion, I'm
still at the Read-Only problem. Here's my POSIX and ACL:

Folder is "PermTest" and contains several files of types .docx, .doc, .xls

Owner: LocalAdmin (UID 501), Read/Write
Group: admin (GID 80), Read/Write
Everyone: None

ACL:
LocalAdmin (UID 501):
Allow, Full Control, Inherited No
Decker12 (UID 1351912 [This is me, who is a network Active Directory User]):
Allow, Read and Write, Inherited No

I mentioned in my reply to your prior message about adding the Everyone
group here to your ACL. Not sure how I've set mine up. Didn't think
about checking while at work yesterday.

I have applied these permissions and propagated them to all the files in the
folder. All of those documents still open up - remember in Office 2008 only!
- as Read Only. Again, if I open any of the files in Text Editor or another
non Office app, they are *not* Read Only and I can edit them.

Hmm... Thinking off the top of my head...

The Office 2008 file format is actually a zipped folder of more files
whereas a TextEdit document is actually a single file. However, you can
create a similar folder/file in TextEdit by adding a picture and saving
as an RTFD file.

Create the RTFD file and see if your permissions are the same as a
regular TextEdit file or an Office document. Likewise, you might try
saving an Office document in the older .doc, .xls or .ppt format, which
should be a single file as well.

It's almost like the Office products need to see some sort of goofy
permissions, maybe something related to how it locks/unlocks files, or
autosaves them, or something similar? Something that is maybe not supported
by the OSX implementation of SMB? If I copy the same files to a shared folder
on my Windows 2003 server (and set the same permissions), the Read Only
problem goes away.

While that's possible I'm surprised no one has seen this before. But
then again I think sharing SMB from a Mac OS X server to a Mac OS X
workstation may be more unusual than I thought.

Curious to see what you find. At this point I'm out of ideas unless you
find more information. If the above tests don't work then post back and
I can ask someone from MacBU to read this thread and try to reproduce
the situation in-house.

Good luck!

 
Decker 12

Unfortunately, we haven't made any progress on this problem. The RTFD files
open and save without a problem. I am pretty confident at this point that it
is not a permissions problem with the server, as the permissions behave
correctly in every other application with every other type of file. As stated
earlier, they even behave if I open these supposedly "read only" files with
Open Office or Text Editor. Basically, every program that I try can open the
files correctly, except for Office 2008 programs.

We are now looking to get away from Leopard server and instead use our
Windows 2003 file server. For whatever the reason, Leopard Server is just not
playing nice with Office 2008. We do not run a complicated network and yet
have had nothing but problems with Leopard Server since we've installed it a
month ago. It's my opinion that the product, while it may work for some,
simply isn't ready for prime time (yet).

I'm going to also setup a linux based test server, enable SMB, and see if I
have similar problems with these Office 2008 files. That should give me a
hint if it's the SMB protocol itself, or if it's something that Apple has
done to the SMB implementation that doesn't play well with Office 2008.

Thanks again for your ideas!
 
William Smith [MVP]

Decker said:
We are now looking to get away from Leopard server and instead use our
Windows 2003 file server. For whatever the reason, Leopard Server is just not
playing nice with Office 2008. We do not run a complicated network and yet
have had nothing but problems with Leopard Server since we've installed it a
month ago. It's my opinion that the product, while it may work for some,
simply isn't ready for prime time (yet).

So, again, why are you using SMB instead of AFP, which is Mac OS X's
native file sharing protocol? Do you have some reason you can't use it?

I doubt that the problem is the server itself but rather the file
sharing protocol. Using SMB for file sharing from a Mac server to a Mac
workstation is really working outside the norm (not that I'm saying you
shouldn't be able to do so).

 
Decker 12

Our corporate network uses both PCs and Macs, and with our old Tiger Xserve,
we've never had any problems running strictly SMB. One example I remember is
we had problems with file names and path lengths when using AFP (for our
Macs) and SMB (for our XP users). I also remember goofy file locking problems
when we were in situations where Mac and PC users are accessing the same
files.

That being said, using only SMB on Tiger Server has served us perfectly fine
in the past, and it was doing okay for the past 5 weeks we've been running
Leopard Server. It's only with this recent fiasco with Office 2008 have we
experienced problems.

We had some writing on the wall when we were basically forced by Apple to
upgrade to Leopard. Basically, we were hiring new people and Apple was only
shipping Leopard computers which you couldn't downgrade to Tiger. Leopard SMB
wasn't playing nicely with our Tiger Xserve SMB - we had to develop some
wacky workarounds in order to make SMB shares work with Leopard until we had
enough time and resources to upgrade the Tiger Server to Leopard Server.

When you add it all up, we must have put 200+ hours into figuring out the
workarounds for Leopard clients to Tiger Server, and then a bunch more
screwing around to deal with the quirks of Leopard server. For instance, when
you change any permissions to SMB shares in Leopard Server, it still silently
disconnects everyone and basically restarts the SMB service, requiring every
tiny bit of permission work to be done after hours. Another fun one: You
can't disable Home Directories in Leopard Server - the checkbox doesn't work.

Also, we must have re-installed Leopard server 5 times in a weekend before
we figured out the correct way to integrate Kerberos with AD and OD (the
AFP548 document proved to be invaluable, but there was definitely a voodoo
magic type of "if you don't do it in this exact order, you won't know it
didn't work until you're already 10 steps past this point").

When you add it all up, that's kind of why we're just "done" with Leopard
Server. We can only throw so many resources and time into something that
should be working out of the box, before we look for another solution. We
gave it a real solid effort and it still can't do what we want it to.

Last weekend, on a whim, I turned on AFP for the shares and found that none
of my clients could authenticate to the shares using AFP. Kerberos is working
fine for the SMB shares on the exact same server, yet when I have a valid
Kerberos ticket, and connect to afp://myserver/accounting, I get username and
password prompts, and it doesn't accept anything that I type in, either
local or network users! So THAT would be yet ANOTHER problem I'd have to dump
after-hour resources into fixing. You'd be amazed at just how simple my setup
(and our file serving needs in general) is with this Leopard Xserve, yet I
seem to struggle with getting even the most basic things to work.

Yes, I know that initial setup and configuration of AD and a Windows based
network would be as daunting as setting up a fresh Leopard server, however we
are fortunate that we already have a fully functional AD environment so we
can just piggy back our Mac file serving needs on top of that.
 
William Smith [MVP]

Decker said:
That being said, using only SMB on Tiger Server has served us perfectly fine
in the past, and it was doing okay for the past 5 weeks we've been running
Leopard Server. It's only with this recent fiasco with Office 2008 have we
experienced problems.

I hear ya on many of your other points from a been-there-done-that
perspective. :)

From all your posts I think you've probably exhausted all reasonable
attempts at getting this to work and fairly well pin-pointed Office as
the problem. I'll ask someone from Microsoft to review this thread.

 