AFP548

AD Group Permissions Ignored

My Setup -

- XServe G5 w/4GB RAM
- Mac OS X Server 10.4.8
- XServe RAID - all shares here, only boot disk in XServe
- Bound to AD Qualified Domain Name
- Time Synced from Cisco NTP router
- Kerberized principals (AFP, SMB, Web, et al.)
- Using POSIX permissions, not ACLs
- 55 users on 10.3.9 and 10.4.8, all bound to AD using local homes.
- Using AD Groups and AD UIDs
- Use a PC to configure AD Groups and Users in my OU
- On AFP, I've got permissions set to inherit from enclosing folder.
- No AFP or SMB guest access

My Problem -

First I read the AFP 548 white paper on AD-OD integration. It's nice, but does not really address what's going on with me. I'm totally dependent on AD and am not using OD at all.

Over time since I first bound this Xserve this Sept., I've noticed that AD groups are partially starting to get ignored. Owner and everyone rights are recognized. Where I restrict access to specific folders using different groups from the parent folder is where I'm seeing trouble. There is this one user who calls me daily saying he can get/see the contents of a share point from AFP, but under that the contents of nested folders look blank - like nothing is there.

I've tried several things to remedy this.

In WGM -

- propagated permission over affected folders
- checked with Effective Permissions Inspector

From Terminal -

- done the 'sudo managed -r' command to clear the server group cache (this worked under an ODM server, but on AD, ?)
- checked using the id command -- this showed weird results in that the server does not see the user's group from which I am assigning the folders. But if I go to a 10.3.9 Mac which is bound to AD and use the id command, I can see that that user is assigned to that group! Also WGM and the AD tool I use on a PC show that that user is assigned to that group.

I read about something that when a user is assigned to 16 or more AD groups, Mac OS X Server goes ga ga. I'm going to count the groups this user has and report that here.

This is a common problem with Mac OS X Server. I've read about it on afp548, but steps to fix are hard to find.