Directory Services Problems:

Posted in Genius Bar, edited January 2014
I have a frustrating problem regarding OS X Directory Services.

Basic background info:

I have 200 Macs running OS X 10.3.7. They are bound to AD (running on Win2003 Server). All users are bound to AD (no local user accounts on the Macs, except for root and a local admin). I have 2 AFP servers running OS X Server 10.3.4. I do NOT use Macintosh Manager. Users have local home folders and do not have auto-mounted AFP home folders. The Directory Access AD plug-in is configured with pretty generic settings ("Authenticate in any domain" is on, "local caching" is on (for laptop users, etc.), a specific AD controller is specified, etc.). No AD schema modifications have been made.

Problems:

Sometimes my Mac users will complain that when they log on to one of my AFP servers, the share point(s) will sometimes display one of 2 problems:

1) The Finder will incorrectly display "0 items" on certain AFP share points, or

2) Incorrectly tell the user that they "Don't Have Write Permissions" on certain share points.

The breakdown:

1) "0 Items" bug:

When looking at the problematic share point via the Finder, the share lists the contents with "0 items", but the "ls -l" command from the Terminal DOES display the proper files and folders as expected.



As a test, I can log in to the share from the same Mac as the problematic user, and the share points display perfectly. Likewise, I can log in with the credentials of the user who is having the problem from a different Mac, and the share point displays its contents fine! Thus, it MUST be a localized problem specific to the user's profile on the Mac itself. Binding and rebinding to AD (and trashing the edu.mit.kerberos.plist file, etc.) rarely works. I know for a fact that the problem is NOT on the AD side, or on the AFP server either. I have tested this issue 20 times now, and I can say without a doubt that this anomaly is specific to the user's local profile account. I have tried killing NetInfo caches, trashing Finder prefs, and even deleting users' entire ~/Library folders! That's pretty drastic! And yes, the problem will return a few days later.

It's not always the same share points that appear to have "0 items". Sometimes it's multiple shares on different servers, other times it's a single share. Very random. None of my users have long or illegal user names, and none of my users are in more than 16 AD groups (I have researched these limitations already). Sometimes running the "id" or "groups" command via Terminal shows an interesting result: sometimes only "staff" shows up as the user's only group membership, which is wrong according to AD, WGM and other Macs that run the same "id" and "groups" commands.

I have tried running various "lookupd" commands to try and troubleshoot, but I'm still not comfortable with the "lookupd" command yet. The "lookupd -flushcache" command doesn't seem to do anything. My hunch is that it is related to some kind of local cache corruption. I still suspect the Keychain to be a culprit for some reason. So I delete the user's Keychain files and preferences too. Sometimes it works and sometimes it doesn't. This bug is a mystery.

2) "You Don't Have Write Permissions" bug:

This is weird! When this happens, the Finder never shows the "no pencil" icon like one would expect. The server share permissions are correct. Active Directory also reflects the proper group info. So does OS X Server's WGM. The user has the proper user/group ownership permissions of the share point in question. I have been troubleshooting it just like problem 1) above. It is very similar. Sometimes I get a user who has both problems at the same time. They can see all the folders, and they can read files, but they just can't write or delete (even though they have explicit full rwx permissions on the server).



Has anyone ever seen these bugs? I have heard that the "0 items" bug is common with SMB servers. I have both OS X and Windows SMB servers, and I have NEVER seen the problem. Just my luck. LOL

Any feedback on how to solve this problem or even how to troubleshoot it better would be appreciated. I have spent 3 months on this problem and it is really a tough nut to crack. I can't call Apple for this problem. They consider it an "Enterprise" issue and I don't have a beefy Apple Care plan right now, thus it's too expensive to fix.
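The post's most concrete diagnostic is that "id" or "groups" sometimes returns only "staff" for an affected user, while AD, WGM and other Macs return the full group list. The script below is an added example, not code from the poster, that turns that observation into a repeatable check: it compares the group list a Mac resolves for a user against the list the administrator expects from AD, and flags the "staff-only" symptom separately from a partial loss of groups. The expected list is an assumption supplied by the caller (taken from whatever AD or WGM view the admin already trusts); nothing here reads the directory itself.

```shell
#!/bin/sh
# Added example (not from the original post). Compares the group list that
# this machine resolves for a user with the list AD is expected to return,
# so the "only staff comes back" symptom can be detected and logged instead
# of noticed by chance.

# group_mismatch_status RESOLVED EXPECTED
#   RESOLVED: space-separated groups as resolved locally (e.g. from `id -Gn`).
#   EXPECTED: space-separated groups the directory should return (assumed input).
#   Prints one of: ok | staff-only | missing:<group,...>
#   Returns 0 when every expected group is present, 1 otherwise.
group_mismatch_status() {
    resolved="$1"
    expected="$2"

    # The symptom from the post: the AD groups are gone and only the
    # local default group "staff" remains.
    if [ "$resolved" = "staff" ]; then
        echo "staff-only"
        return 1
    fi

    # Otherwise report which expected groups failed to resolve.
    missing=""
    for g in $expected; do
        case " $resolved " in
            *" $g "*) ;;                         # group present
            *) missing="${missing:+$missing,}$g" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    echo "ok"
    return 0
}

# check_user USER EXPECTED
#   Live check on the current machine: resolves USER's groups with `id -Gn`
#   and compares them with EXPECTED. Prints "unresolvable" if the account
#   itself cannot be looked up (the directory plug-in is not answering).
check_user() {
    user="$1"
    expected="$2"
    if ! resolved=$(id -Gn "$user" 2>/dev/null); then
        echo "unresolvable"
        return 1
    fi
    group_mismatch_status "$resolved" "$expected"
}

# Constructed sample runs (no directory server needed). The group names are
# made up for illustration.
demo() {
    echo "case 1: $(group_mismatch_status 'staff' 'staff mac-users finance')"
    echo "case 2: $(group_mismatch_status 'staff mac-users' 'staff mac-users finance')"
    echo "case 3: $(group_mismatch_status 'staff mac-users finance' 'staff mac-users finance')"
}

demo
```

In use, `check_user "$USER" "staff mac-users finance"` run from the affected user's login session gives a yes/no answer that can be recorded alongside the share-point symptom, which makes it possible to tell whether the "0 items" and "no write permission" reports line up with the group list having collapsed to "staff" on that machine.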