Forum Replies Created
March 22, 2011 at 6:38 pm in reply to: Duplicate permissions getting added to folders copied from server! #380562
joelbruner
Participant
Did a big write up and explanation of this bug:
[url]http://www.brunerd.com/blog/2011/03/22/finders-nasty-inherited-acl-bug-aka-error-41/[/url]
It’s all in Finder’s mishandling of inherited ACLs
March 20, 2011 at 6:18 pm in reply to: Duplicate permissions getting added to folders copied from server! #380541
joelbruner
Participant
Cross posting (for maximum viewing and hopefully action from Sys Admins) from the duplicate thread @
[url]http://discussions.apple.com/thread.jspa?messageID=12924897[/url]
Actually it doesn’t even need to be copied to/from the server, just try duplicating with Finder on the server! I’ve filed a bug too since I was getting really nervous that 10.6.7 might not fix this, so I just filed mine #9160099 (an earlier poster referenced his bug #8816661, that’s 343,438 bug reports later!)
I got it down to the bare minimum on a clean OS X Server install, not AD bound or anything extraneous. Just AFP running on a server with an IP with forward reverse lookup. I made a share, added admin (501) to the ACL (as Read only), touched a file and duplicated it in Finder, locally on the server.
10.6-10.6.2 functioned fine. 10.6.3 and 10.6.4 added bizarre behavior where a WRITE ACE was added to the ACL, but the ACEs weren’t “stacking up”. 10.6.5 and 10.6.6 added the redundant ACEs that, when you tried copying/duplicating packages and apps with Finder, would result in insane amounts of duplication. Try Chess.app, you’ll get 18 ACEs deep in one Finder copy!
So get reporting folks, 10.6.7 might be the last Snow Leopard update, and even if it isn’t I’m getting pretty tired of dealing with this bug and don’t want to wait until 10.6.8!
[url]http://bugreporter.apple.com[/url]
joelbruner
Participant
Well at the company I work for the Mac users’ machines are not bound to AD (thank god — they have infinite lockout after 3 attempts!) and they hardly ever log into the MS file servers (using Xinet) — BUT all the intranet web services they use are tied into AD and soon we are going from Notes to Exchange/Entourage — so you can see why I am working on a solution pronto!
So what I’ve come up with is a solution with three parts:
1.) User-run AppleScript that queries an AD bound Mac OS X server via command line curl to a 2.) php file that runs a 3.) shell script that uses dscl to look up the user’s info.
Here’s some of the guts to figure this out on an AD bound Mac:
[code]
# Domain node under /Active Directory; use the FQDN instead if the AD plugin
# does not allow authentication from any domain in the forest.
# The dscl path is quoted below, so the space needs no backslash.
ADdomain="All Domains"
user=`whoami`
userRecord=`dscl localhost -read "/Active Directory/$ADdomain/Users/$user"`
# pwdLastSet is in 100 ns ticks since 1601-01-01
lastpwdMS=`echo "$userRecord" | grep -i pwdLastSet | sed 's/pwdLastSet: //'`
todayUnix=`date "+%s"`
# this formula from http://support.citrix.com/article/CTX109645
lastpwdUnix=`expr $lastpwdMS / 10000000 - 11644473600`
diffUnix=`expr $todayUnix - $lastpwdUnix`
# whole days since the password was last set
diffdays=`expr $diffUnix / 86400`
[/code]
[url=http://www.brunerd.com/software/ADexpire/ADexpire.zip]http://brunerd.com/software/ADexpire/ADexpire.zip[/url]
It’s commented and has readmes for implementation specifics.
[img]http://www.brunerd.com/software/ADexpire/screenshot.gif[/img]
So a brief description of what it does:
The user will be alerted to their password expiration and given three buttons…
Clicking Help takes you to a help page URL
Dismiss will close the window (it times out after 30 seconds also)
Change will take them to the IIS Password Change Page (this is implemented in the ADexpire2 app included)
It still needs some polishing. I’ve seen a way that uses rpcclient (macscripter.net has a script that uses this) to get the exact expiration date, but haven’t tried this method yet. Still, I hope this might provide a workable solution to those in the same boat as me. I saw some cool demos of this concept at WWDC this year, but no one would give up the code readily — so here’s a stab at it for all of us to share and improve… 🙂
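Added example, not part of the original post or the ADexpire download: the same pwdLastSet arithmetic wrapped in functions that a server-side lookup script could call, with the username checked before it is placed in a dscl path and the "no timestamp" case handled. The function names, the username whitelist, the sample record and the 90-day maximum age are assumptions.

```shell
#!/bin/sh
# Added example; function names and the 90-day maximum age are assumptions.
EPOCH_DIFF=11644473600   # seconds from 1601-01-01 to 1970-01-01 (the post's constant)

# Allow only characters expected in a short logon name before it is used in
# a dscl path (assumed whitelist; "/" or spaces would alter the path).
valid_user() {
    case "$1" in
        ""|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Read a dscl-style record on stdin and print the numeric pwdLastSet value.
# Any text in front of the attribute name on that line is tolerated.
extract_pwdlastset() {
    sed -n 's/^.*pwdLastSet: *\([0-9][0-9]*\) *$/\1/p' | head -n 1
}

# FILETIME (100 ns ticks since 1601) -> Unix seconds.
filetime_to_unix() {
    echo $(( $1 / 10000000 - EPOCH_DIFF ))
}

# days_left <pwdLastSet> <now_unix> <max_age_days>
# Prints whole days until expiry (negative means already expired).
# Returns 2 when pwdLastSet is empty, non-numeric or 0, so the caller can
# show a different message instead of a bogus date from the year 1601.
days_left() {
    case "$1" in ""|*[!0-9]*|0) return 2 ;; esac
    set_unix=$(filetime_to_unix "$1")
    age_days=$(( ($2 - set_unix) / 86400 ))
    echo $(( $3 - age_days ))
}

# Constructed sample record, not real directory output.
SAMPLE_RECORD='RecordName: jdoe
pwdLastSet: 129450000000000000'

# Demo: days left for the sample under an assumed 90-day policy.
v=$(printf '%s\n' "$SAMPLE_RECORD" | extract_pwdlastset)
echo "days left: $(days_left "$v" "$(date +%s)" 90)"
```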