failed logins using AD groups on AFP share

[Leander]

Hi,

this week I set up an XServe + XServe RAID. The RAID is to be shared to Mac OS9 clients using AFP over TCP/IP. Authentication is done against Active Directory.

The share /Volumes/data is owned (read/write access) by a local user (arch01). The AD-group afd_dis has read-only rights on it.
The problem is that only some users in the group afd_dis are able to access the share from their OS9 clients. There seems to be no obvious difference between the accounts of users that can and can’t connect.

I see the following in /var/log/system.log on the XServe when a failed mount occurs:

PasswordService: client response doesn't match what we generated

In /Library/Logs/AppleFileServiceAccess.log I see:

IP 10.50.9.123 - - [01/Oct/2004:17:43:17 0100] "Login user1" 0 0 0
<snip>
IP 10.50.9.123 - - [01/Oct/2004:17:43:39 0100] "Login user2" -5023 0 0

Both users are in AD-group afd_dis.
user1 can access the share and, whereas user2 can’t. I’m guessing the -5023 entry in the accesslog is some sort of error code. On the client, it says the password was incorrect, but I’m sure that the password was typed in correctly. Both logins shown above were from the same machine, so the problem is probably not client-side.

I’m quite stuck at the moment. I’ve been staring at this for a couple of days and am running out of ideas

Any suggestions?

[MDhaliwal]

Well, -5023 is a bad password error number…

I’ll see if I can dig anything up in my notes at work from my implementations for you tomorrow.

[a]

bpo

[Author]

Posts