Network home Folder not working over AFP when AD user is in more than 12 groups

  • #364000
    tdassel
    Participant

    Hello,
    We are on 10.4.3. server and client.
    We are just pulling our hair out, when trying to get network home folders to work with users that log into their Macs using their Active Directory account.
    They have the path to their home in their AD profile.
    Now comes the part where AFP seems to have a bug.
    If a user belongs to more than 12 groups in AD ( Member of … ) he gets the annoying message that the home folder is located on an afp or smb volume that he can’t be logged in at this time.
    Remove any group and it works like a charm if you are below 12 group memberships.
    As 12 is not exactly a natural border ( like 8, 16, 32, 64… ) we simply don’t know what is wrong with AFP.
    If you do the same with the settings in Directory Services changed to SMB, everything works, no matter how many groups you are a member of.
    If you have a Profile Path set ( in AD: Profile -> User Profile ) you will not get far either, as this will result in the same message.
    The problem is nailing down the problem, because the logs are not really helping ( or am I looking in the wrong places ? )

    Anybody who has the same problem ?

    Is there a complete list of causes for the “homeshare on afp / smb share” bug ?

    #364028
    tdassel
    Participant

    Hello,

    some update on this one.
    Despite the fact that being in more than 12 groups prevents the user from logging in using the afp protocol ( smb works ! ) there also seem to be certain groups where the membership prevents the mounting of the network home folder via afp.
    So if you have the same problem, perhaps it helps to remove all AD group memberships ( you can’t remove the default group ) and try to log on then. If this is successful simply add one group after the other to see if the log in still works and try to dig out which group(s) are the “bad” ones.
    We are still trying to figure out what causes the behaviour and will analyse the groups in question next.

    Greetings

    Thomas
