Friday, April 13, 2007

OS X: Creating a "parents only" shared folder

It began innocently enough.

I needed to move the family share off an old XP box and onto our iMac. We needed a Parents-only folder that would be shared on the network and accessible for each Parental-unit on the iMac. Print services are via a networked Brother MFC and the 802.11b/g Airport Extreme; they would not change.

The journey passed through dark places. Along the way I learned:
  • Mac Classic, and Windows 95, 98, ME, NT and 2K, were all better designed for small network file sharing than OS X. I'm not sure even XP Pro isn't better designed than OS X for this particular task. The Users and Groups functionality of Mac Classic is only available in OS X server. (Same thing happened to that function between Windows 98 and XP.)

  • You can't share the Shared Folder. (!) (Unless you use SharePoints, see below.)

  • The NetInfo Manager is largely undocumented and the user interface is broken (are you sure you know what you're deleting? Do you know when there's a confirmation dialog and when there isn't?). (The only documentation I could find was Apple's PDF. [1])

  • The 10.2 edition of David Pogue's Mac OS X The Missing Manual has dangerously incorrect advice for using NetInfo Manager.

  • SharePoints is a bit crude and it's dangerous, but it works well for adding a Parent group. When I donate I'll suggest some UI tweaks. The author's web site has an Amazon donation box.

  • If you want to do this the authorized way you either need to buy OS X server (!) or, maybe, you can buy the new Airport Extreme and a USB share (slow, slow, slow).

This is what I thought I'd do:
  • Create a Group called "parents" and add the two parental users to it using NetInfo Manager per Pogue's explanations
  • Create a folder in the Shared Folder called "Parents" and change the Group access to Parents with read/write privileges.

This is the next best thing I came up with:
  • Created a folder called "Parents" in the Public folder associated with my wife's account on the iMac
  • Used SharePoints to create a Group called "parents" with two user members.
  • Used Get Info to give the group "parents" read/write access to the folder "Parents"

To access Parents I need to authenticate with the iMac using my wife's username and password. That would be a problem if she wanted control over her own password. In that case I'd have to either use SharePoints to create a new common networked share (point) or I'd have to create a new user with a password we could share and make the Public folder read/write.

Ugly.

BTW, here's the problem with the 10.2 edition of David Pogue's Mac OS X The Missing Manual. In that edition he recommends duplicating the Administrator group as the starting point for a new share. The problem is that the Administrator group has some extra attributes associated with it that, I suspect, are used by AFP file sharing. They aren't part of a standard Group created by SharePoints or OS X server. The result is that any user member of the new, derived, group has occult admin privileges. If they try to access a denied folder, they have the right to authenticate as an admin. This is bad. Of course maybe it did work safely in 10.2; I don't have the 10.4 edition of his book. I'll write and ask him if it's been fixed.
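
One way to check a group made by duplicating a privileged record, as an added example (not from the original post, SharePoints or Apple): compare its properties against a plain-group baseline and against the admin record. It assumes records are dumped as `key: value` lines; the baseline key set, the sample records and the attribute name `example_extra_attr` are constructed placeholders, because the post does not name the extra attributes.

```python
# Added example: audit a group record that may have been cloned from a privileged group.
# Assumption: a plain group needs only these properties (classic NetInfo-style keys).
BASELINE_KEYS = {"name", "passwd", "gid", "users"}

def parse_record(text):
    """Parse 'key: value' lines; indented lines continue the previous key's value."""
    record, key = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and key is not None:
            record[key] = (record[key] + " " + line.strip()).strip()
            continue
        key, _, value = line.partition(":")
        key = key.strip().lower()
        record[key] = value.strip()
    return record

def audit_group(candidate, privileged, baseline=BASELINE_KEYS):
    """Return (property, reason) findings for the candidate group record."""
    findings = []
    for prop in sorted(set(candidate) - set(baseline)):
        if privileged.get(prop) == candidate[prop]:
            findings.append((prop, "same value as privileged group"))
        else:
            findings.append((prop, "not in plain-group baseline"))
    # Extra check beyond the post: a duplicate that still carries the source gid.
    if candidate.get("gid") == privileged.get("gid"):
        findings.append(("gid", "collides with privileged group"))
    return findings

# Constructed sample records (not real output from any machine).
ADMIN = "name: admin\npasswd: *\ngid: 80\nusers: root alice\nexample_extra_attr: example-value\n"
CLONED = "name: parents\npasswd: *\ngid: 600\nusers:\n alice bob\nexample_extra_attr: example-value\n"
PLAIN = "name: parents\npasswd: *\ngid: 600\nusers: alice bob\n"

if __name__ == "__main__":
    admin = parse_record(ADMIN)
    for label, text in (("cloned", CLONED), ("plain", PLAIN)):
        print(label, audit_group(parse_record(text), admin))
```

An empty result means the record carries nothing beyond the baseline; any finding is a reason to rebuild the group from scratch rather than from a copy.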

[1] I've been reading through the PDF. NetInfo Manager is an antique. It uses sequential integers as user IDs rather than GUIDs (globally unique identifiers) and advises strategies like "reserve range". Brrrr. Reminds me of Disco. I've read blasé responses to Apple's 10.5 shipping delay, but I think the reactions are too complacent. OS X still has one foot firmly stuck in the 1970s; it needs some serious upgrades.

Update 4/14/07: It was nasty to set up (thank you SharePoints), but it is sweet. The Mac clients connect pretty seamlessly to the server, with no sleep/wake connection issues. I enabled SMB sharing for my OS X account (only) and that works very well. Interestingly OS X 10.4.9 Sharing specifies an IP address for the iMac, but while I was playing around with browsing the workgroup from my XP box the server appeared as if by magic. I'm not quite sure how that happened. The iMac shows up as \\BIGMAC\jfaughnan, probably because I'd installed Apple's Bonjour on the XP box. (Note I'd previously set the Mac to use my SMB workgroup name, using the obscure setting in the extraordinarily obscure Directory Access utility.)
