Q: Allowing clients to access AFP file share using Active Directory Credentials
Hi,
We've set up Active Directory on our Mac OSX Lion (10.7.4) server using Apple's Directory Utility plugin.
Current state:
- we can successfully id active directory usernames
- we can successfully su to active directory accounts
- clients (all running 10.7.4) are able to authenticate using ssh to access the server when the username is added to the Remote Management section of the Sharing Preferences
We'd like to be able to use AD credentials to access the AFP/SMB file share on our Mac OSX Lion server but authentication attempts have been unsuccessful. As a result, we allow guest access to the file share, which is undesirable.
We tried prepending the domain to the username (DOMAIN\username) at the login window but that didn't work.
The server logs tend to print out the following error when attempting login:
AppleFileServer[67073]: received message with invalid client_id 2427
No errors are logged on the client side.
Could this be related to the static vs dynamic UID mapping issue outlined in this article?
http://www.macworld.com/article/1056791/activedirectory.html
Thanks for your help
Mac OS X (10.7.4)
Posted on Jun 11, 2012 5:06 PM
Well then, you're in luck because I figured it out last night, but was too tired to come back here and update.
By changing a particular plist (for the file sharing daemon, whose name escapes me at the moment) to log accesses via AFP (not just errors), I was able to find that the SACL (Service ACL) for AFP was denying our logins.
So, what you need to do is download the Server Admin Tools for Lion (not the same as Server.app - http://support.apple.com/kb/DL1419), and click your server on the left side. Click Access at the top, and verify that your AD users are permitted to log in. (Mine was set to only allow my local admin account; I changed it to DOMAIN\Domain Users.)
I'm not 100% sure this is your problem, but it fixed it for me.
Posted on Jun 21, 2012 5:12 PM
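The check the answer describes (is the AD account, directly or through a group such as "Domain Users", actually permitted by the AFP service ACL?) can also be scripted on the server itself. The script below is an added example, not code from either poster or from Apple. It assumes the AFP SACL is the local group `com.apple.access_afp` (the name OS X Server uses for the AFP service ACL), that the AD account name is passed exactly as `id` resolves it on the server, and that `dseditgroup -o checkmember` exits 0 when the account is a member (nested group membership included) and non-zero otherwise; confirm those two points against `man dseditgroup` on your own machine.

```shell
#!/bin/sh
# Added example (not the poster's code): audit which accounts the AFP service
# ACL on a Mac OS X Lion server would refuse. A user that authenticates fine
# over ssh but is missing from this group gets an AFP login denial, which is
# the failure mode described in the thread.
#
# Assumptions (label, not fact from the page):
#   - the AFP SACL is the group com.apple.access_afp
#   - `dseditgroup -o checkmember -m USER GROUP` exits 0 on membership,
#     non-zero otherwise, and resolves nested groups such as "Domain Users"

SACL_GROUP="com.apple.access_afp"

# sacl_check USER: 0 if USER may log in over AFP, 1 if the SACL denies it,
# 2 if the check cannot be performed on this host.
sacl_check() {
    name="$1"
    if ! command -v dseditgroup >/dev/null 2>&1; then
        echo "dseditgroup not found; run this on the OS X server itself" >&2
        return 2
    fi
    if dseditgroup -o checkmember -m "$name" "$SACL_GROUP" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# sacl_audit USER...: prints one line per account and a summary; the return
# value is the number of accounts the SACL would refuse (0 = everyone allowed,
# 2 with a message on stderr if dseditgroup is unavailable).
sacl_audit() {
    denied=0
    total=$#
    for u in "$@"; do
        rc=0
        sacl_check "$u" || rc=$?
        case "$rc" in
            0) echo "allowed: $u" ;;
            1) echo "DENIED by $SACL_GROUP: $u"; denied=$((denied + 1)) ;;
            *) echo "cannot check $u" >&2; return 2 ;;
        esac
    done
    echo "$denied of $total account(s) would be refused AFP login by the SACL"
    return "$denied"
}

# Usage on the server: sh afp_sacl_audit.sh alice bob "DOMAIN\\carol"
# (only runs when arguments are given and dseditgroup exists)
if [ $# -gt 0 ] && command -v dseditgroup >/dev/null 2>&1; then
    sacl_audit "$@"
fi
```

Run it with the AD account names that fail at the AFP login window; a `DENIED` line confirms the SACL is the cause before you open Server Admin, and an all-`allowed` result means the problem lies elsewhere (for example in the UID mapping the question asks about).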