Having issues with group memberships on mobile accounts?
Read on for one method of solving this. If you're running with Mobile User accounts in your area, you may have noticed that every so often a Mobile User is unable to access a folder on an AFP share that they should have access to.
Basically the bug is that under certain circumstances only the primary group membership is cached, so if you have an area where the user is being granted permission via a non-primary group membership, the Finder thinks that you don’t have access. You’ll notice that if you connect to the same share via SMB or with the command line, the user has the correct access privileges.
Logging out and back in usually resolves the issue if the machine is connected to a wired network, but if your users are on a wireless connection, it often doesn’t.
My fix for this was to have a LoginHook that trashed the local MCX cache. So far this hasn’t had any negative side effects and has resolved this issue for my staff, but as always, YMMV and you should test this with your setup before deploying…
The LoginHook shell script looks like:
<code>
#!/bin/sh
# Destroy the cached MCX (managed client) records so they are rebuilt with fresh group memberships
/usr/bin/niutil -destroy . /config/mcx_cache
</code>
Save this somewhere; I keep mine at /Library/LoginHooks/loginhook.sh.
Make it executable, and then execute:
<code> sudo defaults write com.apple.loginwindow LoginHook /Library/LoginHooks/loginhook.sh </code>
(If you put the script somewhere else, change the path in the above command to reflect this.)
From now on, when a user logs in, the script runs and destroys the local cache, forcing it to be refreshed with the correct group memberships.
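The three steps above (save the script, make it executable, register it with loginwindow) as one installer, written as an added example rather than the post's own script. The hook directory and the path to the `defaults` binary are overridable via the HOOK_DIR and DEFAULTS_CMD variables (an assumption made so the file-handling logic can be exercised on a non-Mac box); on a real machine run it as root with the defaults left alone. Because loginwindow runs a LoginHook as root, the installer also checks that the hook it wrote is executable, starts with a shebang, and is not world-writable.

```shell
#!/bin/sh
# Installer for the MCX-cache-clearing LoginHook (added example, not the post's script).
# HOOK_DIR and DEFAULTS_CMD are overridable so the logic can be tested off a Mac.
HOOK_DIR="${HOOK_DIR:-/Library/LoginHooks}"
HOOK_PATH="$HOOK_DIR/loginhook.sh"
DEFAULTS_CMD="${DEFAULTS_CMD:-/usr/bin/defaults}"

# Step 1 and 2: write the hook script and make it executable (mode 755, never group/world-writable)
write_hook() {
    mkdir -p "$HOOK_DIR" || return 1
    cat > "$HOOK_PATH" <<'EOF'
#!/bin/sh
# Destroy the cached MCX records so group memberships are re-read at login
/usr/bin/niutil -destroy . /config/mcx_cache
EOF
    chmod 755 "$HOOK_PATH"
}

# Step 3: point loginwindow at the hook
register_hook() {
    "$DEFAULTS_CMD" write com.apple.loginwindow LoginHook "$HOOK_PATH"
}

# Sanity check: the hook runs as root at every login, so it must be executable,
# start with a shebang, and not be writable by other users.
check_hook() {
    [ -x "$HOOK_PATH" ] || return 1
    [ "$(head -n 1 "$HOOK_PATH")" = "#!/bin/sh" ] || return 1
    # 9th column of ls -l is the "other" write bit
    case "$(ls -l "$HOOK_PATH" | cut -c9)" in
        w) return 1 ;;
    esac
    return 0
}

install_hook() {
    write_hook && register_hook && check_hook
}

# Usage (as root on the Mac): sh install_loginhook.sh install
if [ "${1:-}" = "install" ]; then
    install_hook
fi
```

If the hook is ever reported as not running, check_hook is the first thing to re-run: a missing execute bit or a stray edit that removed the shebang is enough for loginwindow to skip it silently.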