OS X Active Directory Group Limits

  • #357780
    benfeea1
    Participant

    The following information has been tested in and is applicable to Open Directory, NetInfo and Active Directory (AD).

    I am presenting it as it relates to AD and OS X 10.3.x.

    OS X Clients logged into a directory system such as Active Directory are only aware of 15 domain groups.

    To recreate the problem:
    Log into an OS X client that is bound to an Active Directory domain.
    Open terminal and type the ‘id’ command. This will show your UID and GID for any groups you are a member of.
    The list will only include 15 groups. If you are a member of more than 15 Active Directory Domain groups they will not be displayed or recognized.

    The OS X client will acknowledge the group memberships of the groups listed in ‘id,’ but not any other groups you may be a member of.

    The biggest impact this has is on OS X Servers that are joined to an Active Directory domain. If the user’s short-name and UID match on the client and on the server (meaning the username/UID the user connects to the AFP server with), the AFP server assumes that the client shares the same directory services as the server, and hands off enforcement of user/group/other permissions to the client. However if you are a member of more than 15 AD groups it might or might not work.

    The Active Directory schema here was modified two weeks ago to include information for Exchange 2003. Now Active Directory sees all the email distribution lists as Membership groups. When you include the AD Security groups with the newly-added Membership groups, most of my OS X clients exceed the 15 group limit. This has broken our OS X server group permissions for AFP shares.

    And it took two weeks to figure it out.

    Any Thoughts?

    Eric Benfer
    ITSD – IDS
    Johns Hopkins University Applied Physics Laboratory
    11100 Johns Hopkins Rd
    Laurel, MD 20723
    [email protected]
    443-778-4248 Balto.
    240-228-4248 DC

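The reproduction steps above boil down to "run `id` and count the groups." As an added example (not part of the original post or of any Apple tooling), the shell snippet below parses `id -G`-style output and flags a user whose visible group count has reached the 15-group ceiling the post describes, since at that point further memberships may be silently missing. The sample GID lists are constructed, not captured from a real client; the cap value and the function names are this example's own.

```shell
# Added example: check whether a user's visible group list has hit the
# 15-group ceiling described in the thread (assumption: the limit is a
# hard cap, so a count of exactly 15 means memberships may be truncated).

GROUP_CAP=15   # limit reported in the thread for OS X 10.3 clients

# count_groups: takes one line in the format printed by `id -G`
# (space-separated numeric GIDs) and prints how many groups it contains.
count_groups() {
    set -- $1
    echo "$#"
}

# at_group_cap: returns 0 (true) when the count is at or above the cap,
# meaning memberships beyond it may be missing; returns 1 otherwise.
at_group_cap() {
    n=$(count_groups "$1")
    [ "$n" -ge "$GROUP_CAP" ]
}

# report_user: prints a one-line verdict for a user name and its `id -G` output.
report_user() {
    user=$1
    gids=$2
    n=$(count_groups "$gids")
    if at_group_cap "$gids"; then
        echo "$user: $n groups visible - at the $GROUP_CAP-group ceiling, memberships beyond it may be missing"
    else
        echo "$user: $n groups visible - below the ceiling"
    fi
}

# Constructed sample output (not captured from a real client).
SAMPLE_FEW="20 12 61 79 80"
SAMPLE_CAPPED="20 12 61 79 80 81 98 702 33 100 204 250 395 398 399"

# On a live client you would call: report_user "$(id -un)" "$(id -G)"
report_user alice "$SAMPLE_FEW"
report_user bob "$SAMPLE_CAPPED"
```

Because the client only ever reports up to 15 groups, a count of exactly 15 cannot distinguish "member of 15 groups" from "member of 40 groups"; the check therefore treats reaching the cap as the warning condition, and the authoritative membership list has to come from the directory itself.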
    #357784
    benfeea1
    Participant

    Supposedly there is a way to configure AFP to NOT hand off enforcement of user/group/other permissions to the client.

    Does anyone know how to configure this option?

    #357806
    benfeea1
    Participant

    I tried mapping UID to uSNCreated on the server and it did not seem to make a difference. Well it did break single sign on SMB for the PCs.

    I tried mapping UID to uSNCreated on the client and it seemed to help. Now Mac clients who are joined to the domain can access all the areas on the OS X server they have privileges to. However, now their network drives don’t mount.

    Fix one, break another.

    If I could just get AFP not to pass group auth down to the client that would do it.
