Mac OS X 10.5 (Leopard) AFP Issues
- Document Type:
A number of issues have been found with the Mac OS X Leopard AFP client. Unfortunately the majority of the issues are bugs in the Leopard client that affect connections to all AFP servers including Mac OS X Tiger and ExtremeZ-IP. These client side issues have to be resolved by Apple. All ExtremeZ-IP specific issues are resolved in the latest versions of ExtremeZ-IP. The remaining Mac OS X client issues have been filed as bugs with Apple. Group Logic recommends all users moving to Leopard use ExtremeZ-IP 5.1.2. Details about the specific issues we discovered can be found below.
Below is the list of the known issues with the Leopard AFP client starting with those issues that impact the Mac OS X 10.4 Tiger server and followed by those issues that were fixed with ExtremeZ-IP 5.1.x. As Group Logic continues to do more testing and Apple updates Leopard; this article will be updated.
New behavior in Leopard
- Cleartext passwords – Cleartext passwords are no longer enabled by default. This was done deliberately in Leopard because cleartext is insecure and is a huge security hole. Permitting cleartext passwords allows anyone to post a bogus AFP server that only supports cleartext UAM to harvest passwords. Cleartext password support can be re-enabled if someone absolutely has to have it but it is strongly discouraged.
Outstanding Issues found with Leopard client connecting to any AFP server
- Home Directories – Some Active Directory users with AFP home directories hang at the login screen with a Leopard client but those same users have no problems when they use a Tiger client.
- AFP Volume Search – The Leopard client only displays a subset of the files returned by the server. As a result, no search from a Leopard client to an AFP server other than Leopard server can be considered reliable.
- List view – In a Finder window that is set to a list view, the “Kind” column only intermittently displays the Kind of a file. A refresh of the window usually causes the Kind to display properly.
- Leopard Sidebar logins – Connecting to a server using the new Leopard Sidebar authenticates differently than using the Connect to Server menu. With the Connect to Server window, if you mount a volume using an Active Directory account, a Kerberos ticket will be auto created. If you use the Leopard Sidebar, a Kerberos ticket will not be auto created. This means that if the server is set to only allow Kerberos logins, mounting a server will fail. Finally the Sidebar seems to default to using IPv4 addresses whereas the Connect to Server window and Zidget™ default to IPv6 addresses.
- AFP Messages – In Mac OS X 10.5.0–10.5.6, 2 minutes after mounting a volume a Leopard client stops accepting messages sent from the server. This corresponds with the crash of Leopard’s check_afp process. After this process crashes no more broadcast messages are displayed on the client. Apple resolved this problem in Mac OS X 10.5.7, released May 12, 2009.
- Permissions cannot be changed – A Leopard client cannot change permissions on a file that is on an AFP volume using the Get Info window.
- Search failures from 10.5.6 clients – Clients issuing search requests against the root of an AFP volume will fail to find any search results. This problem only affects clients running Mac OS version 10.5.6, and with any AFP server that does not support Network Spotlight searches: ExtremeZ-IP, Mac OS X Server versions 10.4.x and Mac OS X Server versions 10.5.x where Spotlight support has been disabled. More information can be found in “Related Articles” below.
- Other issues – A number of minor UI issues have been observed during our testing which do not affect the use of the server. A number of other issues were only seen once or could not be reliably reproduced. We will report these bugs to Apple or try to resolve them ourselves where possible.
Outstanding Leopard printing issues
- PPD changes – The location of some printing related files have changed on Leopard, which can cause printers that were originally created on Tiger to fail after a Leopard upgrade. For example Hewlett-Packard printers may fail to print because they cannot find the hppostprocessing filter specified in the PPD. A workaround for this issue can be found on the Using HP PPDs with Leopard and Tiger KB article.
- Unicode Printer Names – Leopard doesn’t display the URL of a print queue in GUI if it contains Unicode characters. Nevertheless the queue will work fine.
- Adding Printers in 10.5.2 The custom ExtremeZ-IP Printer Browse Module (PBM) stopped working with the release of Mac OS X 10.5.2. Appletalk, Bonjour, and the Zidget all continue to work. This problem will be resolved in the next release of ExtremeZ-IP.
Leopard issues resolved in ExtremeZ-IP 5.1.3 (Hotfix)
- Kerberos Login – 10.5.2 introduced a change in Kerberos where fully qualified SPNs (Server Principal Names) are now required. You can use the setspn command to re-register fully qualified server principle names or simply hotfix to the latest ExtremeZ-IP version 5.1.3 which was created to address this change by registering the fully qualified server principle name automatically: http://www.grouplogic.com/files/glidownload/verify.asp?version=EZ513×03.
Leopard issues resolved in ExtremeZ-IP 5.1.2
- File / Folder Enumeration – Incorrectly accepted requests caused the Leopard Finder to stop issuing enumeration requests which lead to folders appearing empty.
Leopard issues resolved in ExtremeZ-IP 5.1.1
- Bad password error – If a user enters an invalid password, a server connection error is displayed instead of the more specific bad password error. Other than being slightly misleading there were no repercussions due to this bug.
- Zidget™ PPD issue – Because Apple moved the location of the default PPD on Leopard, adding an ExtremeZ-IP queue that did not have a server side PPD would fail when it is added using Zidget.
- New Printers are shared on the Mac – Queues added by Zidget were re-shared by the Mac. This is due the default behavior of the Apple lpadmin command on Leopard setting up queues as shared. In ExtremeZ-IP 5.1.1 the Zidget will explicitly set the printer as non-shared.
- ExtremeZ-IP Printer Browse Module broken – The Add Printer window did not properly display the custom ExtremeZ-IP Printer Browse Module. The printer browse module now works in Leopard but, because Apple has reduced the size of the custom area in the new Print and Fax pane of System Preference, we don’t suggest using it. Customers are encouraged to use the new ExtremeZ-IP Zidget Dashboard Widget to setup printers instead.
- Print Accounting – In ExtremeZ-IP 5.1, the UI for print accounting code browsing was off-center and the OK button was too small. The user could still validate a print job with the server but it did not send the approved job to the server. These issues were fixed in ExtremeZ-IP 5.1.1. Unfortunately the issue where the user now has to manually select the Print Accounting pane in the print dialog box is a result of a change that Apple made which we cannot workaround.