[OpenAFS] Mac 10.7 Finder issue with lookup-only access

Jeffrey Altman jaltman@secure-endpoints.com
Wed, 02 May 2012 19:21:56 -0400

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

This behavior is referred to as Access Based Enumeration.  This is a
feature of Microsoft Dfs which is controllable by a group policy in
Active Directory.    This is a feature which is frequently requested be
added to the Windows OpenAFS client as it ensures that applications
do not attempt to access files for which the user has no permissions.
This reduces the overhead cost of remote file systems and ensures that
a client cannot cause access denied storms by attempting to walk
directory trees that cannot

When Lion shipped one of the new features was Microsoft DFS support.
There were many blog postings about how it didn't work properly in
1.7.0.  Perhaps they have "fixed" things in later updates.

On Wednesday, May 02, 2012 6:45:19 PM, Richard Brittain wrote:
> We just figured out that what manifests as an OpenAFS problem is
> almost certainly a Mac Finder issue in 10.7 (testing with OpenAFS
> 1.6.1, but probably was true for earlier)
> It seems that the 10.7 Finder now wants 'r' ACL as well as 'l' ACL
> before it will show anything.  Browsing through a directory with 'l'
> only gives a blank screen (no permission error message), and you can't
> get any further. We had this situation on the top levels of volumes
> holding shared data.
> Apparently this Finder change also broke access to CIFS shares with
> the same permission layout - apparently there are equivalent ACLs in
> the CIFS world, and our Windows admins were muttering about the same
> problem.
> This might be old news, but I don't see it mentioned anywhere.
> Richard

Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

Version: GnuPG v1.4.9 (MingW32)