[OpenAFS] Mac 10.7 Finder issue with lookup-only access

Jeffrey Altman jaltman@secure-endpoints.com
Wed, 02 May 2012 19:21:56 -0400


This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enigDCDB1D07E858FE9DBB658B19
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

This behavior is referred to as Access Based Enumeration.  This is a
feature of Microsoft Dfs which is controllable by a group policy in
Active Directory.    This is a feature which is frequently requested be
added to the Windows OpenAFS client as it ensures that applications
do not attempt to access files for which the user has no permissions.
This reduces the overhead cost of remote file systems and ensures that
a client cannot cause access denied storms by attempting to walk
directory trees that cannot

When Lion shipped one of the new features was Microsoft DFS support.
There were many blog postings about how it didn't work properly in
1.7.0.  Perhaps they have "fixed" things in later updates.

On Wednesday, May 02, 2012 6:45:19 PM, Richard Brittain wrote:
> We just figured out that what manifests as an OpenAFS problem is
> almost certainly a Mac Finder issue in 10.7 (testing with OpenAFS
> 1.6.1, but probably was true for earlier)
>
> It seems that the 10.7 Finder now wants 'r' ACL as well as 'l' ACL
> before it will show anything.  Browsing through a directory with 'l'
> only gives a blank screen (no permission error message), and you can't
> get any further. We had this situation on the top levels of volumes
> holding shared data.
>
> Apparently this Finder change also broke access to CIFS shares with
> the same permission layout - apparently there are equivalent ACLs in
> the CIFS world, and our Windows admins were muttering about the same
> problem.
>
> This might be old news, but I don't see it mentioned anywhere.
>
> Richard


--------------enigDCDB1D07E858FE9DBB658B19
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iQEcBAEBAgAGBQJPocGWAAoJENxm1CNJffh49QgH/0f7omC1j/Z4qUFKXDj0WW0S
yTj3FhhBfRCFEtPvp3De9pu2HvO3We7mfOT3cB7qP2cWZZHLRnHObU711J9IjoHn
o7tri4OBCg2oO9RLJRAN0iegeaA1AIcT5+JvYUfsjrCizU2kZJKPWmEiqNJQy1f2
CFHLD7y+gGa7hRRHXGdjWbSpbUtrpZPS5z0Iv7mT61n5QwD/kD4qsvZ1MDq1YoqJ
KaL540Qs6HuBr6MhyJeOVR0DHsCYDQWUZ7JZnq2u2Q6j1mVNXsE9wdH6BQrwrq0V
oHgCnbsg1h6OTR4M9qNdjoBUa+aoZpj9C15Bx4yS87XUShLKbFLj3rSL4OEXRx0=
=cEQc
-----END PGP SIGNATURE-----

--------------enigDCDB1D07E858FE9DBB658B19--