AFP support for DHX2 authentication mechanism on OES

  • 7008683
  • 01-Jun-2011
  • 15-Nov-2012

Environment

Novell Open Enterprise Server 2 (OES 2) Linux Support Pack 3
AFP
Novell NetWare 6.5 SP 8

Situation

Mac OS 10.7 "Lion" and later require DHX2 Authentication
Error: "The version of the server you are trying to connect to is not supported. Please contact your system administrator to resolve the problem".
Unable to mount AFP shares

Resolution

DHX2 support has been added to OES 2 SP 3 and later; simply accept the channel updates for AFP to ensure compatibility (for systems running OES Linux).  To ensure you are running DHX2, look in:

/etc/opt/novell/afptcpd/afptcpd.conf

AUTH_UAM               DHX2

If necessary, change it so it shows DHX2 and restart AFP.  Take care not to end up in a state where DHX2 has been enabled on the server but workstations still have DHX2 disabled from previously following the steps below.


For OES NetWare:

Disable DHX2 authentication on the Mac OS X 10.7 or later workstations.

Steps to disable DHX2 on the Mac workstation:
- Using Terminal, enter:

sudo defaults write /Library/Preferences/com.apple.AppleShareClient afp_disabled_uams -array DHX2


Unless you are logged in as the root user, you will be prompted for a password.

Now Mac OS X Lion (10.7) and later will be able to mount AFP volumes on NetWare 6.5 SP8 just as it did before the Lion update.

Status

Reported to Engineering

Additional Information

Mac OS X 10.7 added a new authentication mechanism (DHX2) that was/is not supported by AFP on NetWare.
By default, Mac OS X 10.7 tries to authenticate with DHX2.

Please note that the workaround for NetWare mentioned above essentially removes the 'typical' disabled UAMs (Cleartext, Two-Way Random Number Exchange) from the client's disabled list and replaces them with DHX2 only. This means that if the administrator has enabled Cleartext on the server side (not the default), it is possible that it will be used.  Special care should be taken to ensure the server-side AFP system is set to allow the most secure method of authentication that is feasible for your environment.
 
Some users have reported that in addition to this TID, the steps outlined in the following Cool Solutions Documentation were also necessary in order to get the client to successfully connect to the NetWare server over AFP: https://www.novell.com/communities/node/13155/afp-changes-osx-lion

If you'd like to roll back these changes, and return to a 'default' setup, execute the following command:

sudo defaults write /Library/Preferences/com.apple.AppleShareClient afp_disabled_uams -array "Cleartxt Passwrd" "MS2.0" "2-Way Randnum exchange" "DHCAST128"
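
A small audit for the caveat above, as an added example that is not part of the original TID: it lists which UAMs from this page's default disabled list are no longer disabled on a client, and reads AUTH_UAM from the server configuration. The function names are hypothetical, and the exact layout of `defaults read` output is an assumption.

```shell
#!/bin/sh
# Added example, not Novell's code. Sample inputs used to test it are constructed.

# UAMs disabled by default, copied from the roll-back command on this page.
DEFAULT_DISABLED='Cleartxt Passwrd
MS2.0
2-Way Randnum exchange
DHCAST128'

# normalize_uams: turn `defaults read` array output on stdin into one UAM
# name per line (drops parentheses, indentation, trailing commas, quotes).
normalize_uams() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/,$//' \
        -e 's/^"\(.*\)"$/\1/' -e '/^[()]*$/d'
}

# reenabled_uams: print each default-disabled UAM that is missing from the
# client's afp_disabled_uams list given on stdin. Returns 2 on empty input
# (key not set), since there is then no list to compare.
reenabled_uams() {
    raw=$(cat)
    [ -n "$raw" ] || return 2
    current=$(printf '%s\n' "$raw" | normalize_uams)
    printf '%s\n' "$DEFAULT_DISABLED" | while IFS= read -r uam; do
        printf '%s\n' "$current" | grep -Fxq -- "$uam" || printf '%s\n' "$uam"
    done
}

# server_uam: print the AUTH_UAM value from an afptcpd.conf-style file.
server_uam() {
    awk '$1 == "AUTH_UAM" { print $2; exit }' "$1"
}

# On a Mac client:
#   defaults read /Library/Preferences/com.apple.AppleShareClient \
#       afp_disabled_uams | reenabled_uams
# On the OES Linux server:
#   server_uam /etc/opt/novell/afptcpd/afptcpd.conf
```

Any name printed by `reenabled_uams` is a UAM the client may now negotiate if the server offers it, so "Cleartxt Passwrd" in the output is the case the note above warns about.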


More information can also be found at:  http://support.apple.com/kb/HT4700