10.4.8 Server, AFP and ACLs

Similar Messages

• OS X Server, AFP and Logic 8

  Hi,
  I'm looking to buy OS X Server for our school. We run Logic Studio 8 at the moment and currently have a share on a NAS that the users can save their files to (login accounts local to computers.) The problem I had was that Logic files refused to save to the share when the transfer protocol was AFP, yet it worked perfectly over SMB.
  I know Server will run user accounts and network Home folders over AFP (which we want to do), so will the Logic files not save if we ran Server? This would be a major problem if it's the case.
  The issue with AFP and Logic has always been present, Samba being the only option since as far back as I can remember, yet Apple have done nothing that I know of about this serious limitation.
  Thanks in advance for any help,
  Andy
  PS: If this is better in the Server forum please move the post.

  Hi Andy,
  Our school is running OS X Server with Network Home Directories. We have no problems with students saving Logic 8 to their respective directories. If your doing sequencing with Virtural instruments and the like this will prove a good system for you. We also have the stock EXS samples served up on an automount groups folder. If you have good network infrastructure you will find that an easy way of maintaining your stock sample libraries for all your students.
  We're using OS X 10.4.11 Server with 10.4.11 clients.
  Hope this helps
  Regards,
  James

• 10.6 Server AFP - ACL Permissions Edit Window Shows No Options

  Hello, I'm trying to add a group to the ACL of an AFP share. I can add the group but when I want to edit/modify ACL options the window looks like this:
  That's about as far as I've gotten. The Edit window has nothing to edit.

  I solved use to finder menu connect server to and use complete name server with domain example:
  afp://nameserver.domain.com and connected with kerberos

• Os x serve 4 and windows users

  Hello,
  just migrated one of my servers to Yosemite 10.10.1 and Server 4.0.
  the objective is a share files between mac and windows users within a group (meaning all of them can see, read and write all files within the sharepoint).
  the directory is shared with AFP and SMB, the group of users has read/write access on the directory (users and group are managed in OD).
  I added ACLs on the directory : the group of users is full control on the sharepoint. And I propageted all permissions to subfolders and files.
  Everything works fine for Mac users, but not for Windows users : when they open a file they got a message saying that the file is already opened by an another application. Same issue if the windows user write a new file on the server.
  If i look at the permission on a subfolder, there is the full control for the group. If I look at a file (whatever from a mac or windows), there is a special access.
  I think the problem is there, but how to solve.
  Does somebody knows any magic command line to force propagation of ACL and permissions to files ? or any tips to solve that issue ?
  Thanks for any help
  Regards, Thomas

  Hi
  OK I have tried pritty much all the suggestions so far...the MAC has no problem connecting to the PC (there's no surprise! - it worked straight away but the PC cannot connect to the mac - here's what happens:
  I have the correct IP address and when I enter in the IP address and my short username, the PC prompts me with a username and password box as you would expect...but when I enter in the details, it just throws up another username and password dialog box and has changed the username to PCCOMPUTER/the-username-I-just-entered - so I click ok again, and it just throws the dialog box up again. I feel like I am so close, yet so far to connecting the PC to the Mac - it seems to get stuck in a loop at the last moment. Any ideas what could solve the problem?
  It doesn't seem to be a firewall problem as I turned them all off - and still got the same problem.
  Any other ideas?

• Solutions to Some DNS, OD, AFP, CalDAV, AFP, and Spotlight Issues

  I recently upgraded our aging Xserve (1.3GHz G4, yeah baby!) to Leopard Server from Tiger Server so everything in the office would all be on the same OS. This server hosts all our in-use files via an Xserve RAID, and our dead files are on the internal 3-disk striped array. It's also the Open Directory master and hosts the office's DNS (I wanted to put OD and DNS on the new Xeon Xserve that hosts our FileMaker database, Retrospect backup, and our Squid web proxy, but something in its DNS configuration is broken and I gave up on that since OD and DNS don't really put any additional stress on the G4). Anyway, with all the hoopla of configuring, reconfiguring, and fixing, I've learned some things that may help others.
  *DNS, Open Directory, and AFP*
  I had some trouble with groups and ACL permissions, inability to get CalDAV working, and general strangeness with OD and Workgroup Manager. Demoting the server from an OD master to standalone took care of most of these. Part of the problem was an incorrect LDAP search base, which can only be corrected by blowing away the OD master and making sure DNS is set up properly. We only have about 20 users (we don't host network homes or anything like that), so when I did the demotion I just let it destroy all the accounts, and after promoting the server back to an OD master, I recreated the users and groups from scratch. So with freshly created users and groups, and after resetting the ACL's and propagating permissions on the network shares, that cleared up the permissions problems. The corrected LDAP search base fixed the Directory application too, which wasn't showing any contacts before, and it got Kerberos working as well.
  iCal/CalDAV
  All this work also got CalDAV/iCal calendar sharing running, and when I enable calendaring for a user, it stays enabled in WGM. Before, whenever I'd switch to another user and come back, calendaring would be turned off in WGM, although it was in fact still enabled. I haven't tested calendaring much yet, and adding an account in iCal is still a bit flakey. Our DNS is just internal, so in Server Admin I un-checked "fully-qualified" for our few DNS hostnames. If I mark the server's DNS hostname as fully-qualified, auto-discovery of the address in iCal won't work. iCal rejects my passwords if Kerberos authentication is used in either case, even if I manually point it to the IP address, but it connects fine without Kerberos.
  *Spotlight and AFP*
  Another problem I had after upgrading the server was stale spotlight searches. I used Server Admin to turn spotlight searching on and off for the two shares, and I tried any number of mdutil commands and System Preferences "privacy" settings to turn indexing on and off and to rebuild the indexes. With the old machine and about a terabyte of data, indexing would take all night, so I couldn't really try a lot of things. Every time the index was rebuilt, it would propagate out to the office just fine, but it would never update from then on. The solution to that was changing the permissions on the volumes the shares are on. The shares themselves had the correct permissions and ACL's, but the volumes need their POSIX permissions set to:
  owner: root: read/write/execute
  group: admin: read/write/execute
  everyone: read/execute
  Over the years those permissions had been changed (this server started out with OS X 10.2 Server btw, so there's been plenty of time for things to get b0rked), but Tiger Server apparently didn't care. Another thing I did (although I'm not sure if this was necessary) was to change the "Others" POSIX permission from None to Read Only. Once all that was changed, mdworker started chugging along to keep the spotlight index updated. However, it went nuts after the 10.5.6 Server update, constantly working with no sign of ever finishing. The update notes do make specific mention to Spotlight changes, which says you have to disable spotlight indexing for any shares in Server Admin, then re-enabled it to "take advantage of the new features." That started another night of indexing, but it's now done and updating properly. I noticed that a new inherited ACL for the user "Spotlight" showed up at the root level of each share point. I'm not going to touch that.
  I'll admit that I hate spotlight's interface and lack of control in Leopard (i.e. it always resets your search parameters, you can't change the results window's columns, and you have to already be in the folder you want to search, etc.). That being said, I can search for anything on the server and it finds the results almost instantly. Even a search that returns "more than 10,000" results only takes about 5 seconds. With Tiger or Panther server, ANY search would take several minutes and grind the server to a halt, making anyone else who tried to save a file or navigate the shared volumes get the spinning beach ball.
  Hopefully this will be of help to someone.

  Hi.
  You've not outlined your issues with AFP per se, having any ?
  DNS is critical for OS X Server, it's appropriately finicky about working forward & reverse DNS lookup for its FQDN.
  Certainly, Leopard Server may make assumptions contrary to your intent, if using the non-advanced setups, as it will attempt to use DNS and if not available, this may result in settings other than you desire.
  By default, hostnames entered in the Server Admin DNS settings, will be considered as part of the DNS zone you're editing.
  So:
  server
  would be for: server.yourfqdn.com
  If you mark that as fully qualified, well, then it's looking for: server
  which is not a FQDN
  As well, I believe Apple states it should no longer be necessary, but if you do need to change the hostname for your OD master, it is often possible via the Termina/command-line via:
  (sudo) changeip
  http://developer.apple.com/documentation/Darwin/Reference/Manpages/man8/changeip .8.html

• I tried "Upgrading" 10.6.8 Server to 10.8 Server. And failed.

  No question here, just a report for others to read.
  So far I have always succesfully upgraded OS X Server. I started with 10.3 server and (except the PPC to x86) I always 'upgraded' not 'migrated'. But this time, my simple server (AFP (with PHD), DNS, Firewall (ipfw), Mail with virtual domains, Web with realms) was too much for the upgrade process. Things I ran into:
  The upgrade process found out of date information (e.g. network settings that had been deleted from System Preferences) which it promoted to reality again.
  Mount points (AFP) upgraded properly
  DNS was upgraded properly. Funny thing, DNS even ran after the 10.6.8 Server had been upgraded to 10.8 Client.
  Upgrading postfix did not work. I got a strange mix of settings in /etc/postfix nd /Library/Server/Mail/Config/postfix which I was able to merge. But I never got amavisd and clamav to work. The refused to launch and I could not find the reason.
  I never got around to migrating web, Firewall, testing PHD.
  So I returned to my backup and am now back to 10.6.8 Server. Next attempt: building a clean 10.8 Server, rebuilding DNS and AFP by hand and importing Users, Groups, Machines, Machine Groups via Workspace Manager (which luckily still exists), adding Firewall (ipfw). I dread Web because I have a couple of virtual domains, webdav Realms and such.

  You might give a shout out on the OS X Server forum.

• AFP and Xserve RAID very SLOOOOW

  Recently we have been having problems with AFP pegging the Xserve RAID activity lights. Xserve RAID Disk access is very slow.
  Machine Specs:
  Dual 2.3 GHZ G5 Xserve
  1GB RAM (recently downgraded because of memory problems after a power outage)
  1x80GB Xserve drive module
  3TB Xserve RAID 5
  Xserve RAID has been upgraded to 1.5 FW and has both ethernet connections connected.
  The whole story is we had a power outage last week. The servers all came back up fine. Throughout the day we noticed that the file server was acting strange. We checked server monitor and it said that RAM slot 3&4 had problems. We opened up System Profiler and it reported that modules 2&3 were only 256MB! (These are 512MB modules). We brought the machine down and pulled the modules. The machine is now at 1GB of memory with more coming. The next day the machine was incredibly slow and the RAIDs access lights were pegged. Also something was pulling all free memory into inactive memory. After trial and error I've found that if I turn off AFP the RAID is no longer pegged and the memory goes back to normal. I thought AFP was the problem and did a complete rebuild of the server last night. This morning the same thing is happening. Also the logs show nothing is wrong.
  All of our Macintosh users are Mobile accounts over AFP. We have around 60 Macintosh users. All of our PC users connect using SMB. We have around 20 PC users. All of our network users work off of the file shares.
  Thanks for any and all help,
  -dustin

  Check so that the Xserve RAID diskcache settings are not reset/off.
  I have had to take apart the RAID controllers and putting them back togheter again to alleviate slowness/"malfunction" making a couple of RAIDs operating like normal again.
  I use Helios Lantest http://www.helios.de/ and XRG to measure/stress disks locally and over the network to see if they are working correctly.

• Iplanet web server 6.0 ACL question

  Hi,
  I am using ACLs to protect some of my URLs in iplanet web server 6.0.
  I am getting one problem. Its not a problem actually but would like to know how to avoid authenticating the users 2 times.
  In my ACL file, when ever I create an entry for a path, I am getting the following by default.
  authenticate (user,group) {
  database = "default";
  method = "basic";
  My entry is like this with the above lines.
  acl "path=/www/develop/itsecurity/admin";
  authenticate (user,group) {
  database = "default";
  method = "basic";
  allow absolute (all)
  (user = "modadmin");
  allow absolute (all)
  (user = "itsecadm");
  deny (all)
  (user = "anyone");
  Now if the entry is like this with
  authenticate (user,group) {
  database = "default";
  method = "basic";
  after the first line, then whenever that particulaar user "itsecadm" tries to access the URL, he gets userid and password dialogue box. After entring into the page, if he tries to access or click any other link, it is asking the userid and password again.If he gives this second time, next time onwards it is not asking userid and password.
  But When I remove the lines
  authenticate (user,group) {
  database = "default";
  method = "basic";
  from the file for that particular entry, it is not asking 2nd time userid/password.
  Could you please tel me why this happening. Why this entry is created whenever I am adding a new one into ACL file?
  Is any one facing the similar problem with iplanet web server 6.0 ACL files?
  Thanks & Regards
  Murthy

  Hi,
  Thank you for your suggestion. I have tried with your option also. Still I am getting the second time userid/password dialogue box.
  Is there any other solution to avoid the second time user authentication dialogue box?
  Do you want to see the ACL file?
  Thanks & Regards,
  Murthy

• Constand InDesign Crashing in a Mixed Server Environment and Undeletable Lock File

  Hello All,
  I have been running into a lot of problems with InDesign recently. I have been working on a 14 MB .indd file with approximately 50 MB of linked files with it. ID will crash with other files open, so it doesn't seem to be file specific. Here are some details about our operating environment:
  All files are located on a server running Mavericks with Server 3.0
  I am using ID CC 2014 on Windows 7
  2 other people are using OSX Mavericks and using ID CC 2014
  I will typically have this file open for hours at a time, making occasional changes and updates. Every once in a while I get a windows dialog message that says "The network connection was lost for the file "\\FILEPATH HERE", or the file was modified by another process."
  I have checked with my colleagues and they are nowhere near this directory and yet this error occurs.
  After I click OK on this box, a crash box occurs for InDesign saying that I must close it. The error details are as follows:
  Problem Event Name:                          APPCRASH
    Application Name:                             InDesign.exe
    Application Version:                           10.0.0.70
    Application Timestamp:                     5362b4ea
    Fault Module Name:                          FONT MANAGER.RPLN
    Fault Module Version:                        10.0.0.70
    Fault Module Timestamp:                  5362b876
    Exception Code:                                  c0000005
    Exception Offset:                                000000000006a0f5
    OS Version:                                          6.1.7601.2.1.0.256.48
    Locale ID:                                             1033
    Additional Information 1:                  0998
    Additional Information 2:                  0998b8aed818f5b46fe692b8d296550c
    Additional Information 3:                  8c1d
    Additional Information 4:                  8c1d1fbc0c17035401f6ecee77ab41da
  OR
  Problem Event Name:    BEX64
    Application Name:    InDesign.exe
    Application Version:    10.0.0.70
    Application Timestamp:    5362b4ea
    Fault Module Name:    StackHash_1dc2
    Fault Module Version:    0.0.0.0
    Fault Module Timestamp:    00000000
    Exception Offset:    0000000000000000
    Exception Code:    c0000005
    Exception Data:    0000000000000008
    OS Version:    6.1.7601.2.1.0.256.48
    Locale ID:    1033
    Additional Information 1:    1dc2
    Additional Information 2:    1dc22fb1de37d348f27e54dbb5278e7d
    Additional Information 3:    eae3
    Additional Information 4:    eae36a4b5ffb27c9d33117f4125a75c2
  These errors occur at random intervals, and sometimes when links are updated in AI or PS. Is there a connection there?
  In addition to this, I can no longer reopen the file, as the crash causes the ID lock file to remain there, giving no access to the .indd file. I cannot delete this file unless the administrator of the server deletes the file.
  Does anyone have any insights into these problems? Thank you in advance.

  Set up a new group called "Workers" or something like that and put in the Users into that group. Now go to Server.app and assign the Group to your share ADDITIONALLY (not by changing the group you see in the Posix permissions) by hit the "+" sign. Give READ & WRITE to the group. The go to Server > Hardware > Storage and propagate the permissons to the included files & folders.
  That should clear you problems by setting up and additional read & write permission by ACL, which is not overwritten, when a user saves a document to "The Box".

• Airdisk shows as Server: afp:// How do I change this to smb://?

  Hi.
  My HFS+ formatted Seagate 2 TB hard drive shows as an afp server and not a smb server. I want to change this so I can share files and access them from my WDTV Live streaming media player. The WDTV only has the options of smb/ctif or nfs.
  How can I change this drive to present itself as a smb server and not a afp server. Currently it appears as afp://<airportname>.afpovertcp.local/2TB_NW_drive
  Where 2TB_NW_drive is the name I've called the drive.
  Thanks for any help you can provide.

  Hi William. Yes it's connected to the Airport Extreme base station.
  When I look at the 'Get Info' of the hardrive via the Mac it shows as
  "Server: afp://<airport_name>/.afpovertcp.local/2TB_NW_drive". The folders on this hdd show as folders off this drive ie. afp://<airport_name>/.afpovertcp.local/2TB_NW_drive/<folder_name.
  I'm attempting to access this drive via WiFi from my WD TV Live Streaming Media Player and I'm guessing that the WD does not see this as an SMB server so therefore ignores it. My thinking (which could be wrong) is that if this drive were to appear as smb://<airport_name>... then the WD will see it and the folders within, as an smb server. WD TV supports SMB or NFS only.
  (BTW I can access the HDD from the WD if it's directly connected to my Mac, however the Mac connects Wifi to the AEBS so there are dual Wifi paths. Connecting the HDD to the AEBS direct means there's only one path and potentially better streaming capabilities.)
  Thanks for any advice you can give.

• Auditing for AFP and SMB

  Hello,
  I had post this same question before, but it has been archived. So I bring this back:
  We need to implement Auditing in File Sharing level. H
  Does anyone knows a tool besides the server logs?
  We prefer an opensource one, since Casper costs.
  Regards
  Kostas

  Kostas B wrote:
  Hello,
  I had post this same question before, but it has been archived. So I bring this back:
  We need to implement Auditing in File Sharing level. H
  Does anyone knows a tool besides the server logs?
  We prefer an opensource one, since Casper costs.
  Regards
  Kostas
  The only tools I have seen merely 'analyse' (i.e. don't really) and/or summarise the information in the Apple logs. As the Apple logs are almost completely useless for this purpose they do not help at all.
  For those unaware, the Apple logs for AFP and most other services record activity like this.
  1. User logs in, this is time stamped in the log and lists the user name and the MAC address of the computer logged in from.
  2. User then does activity on the AFP file server, this activity is also time stamped but only lists the MAC address and not the user name. Every single file open command, etc. can be recorded which if your using network home directories results in a vast number of entries.
  The result is that if you want to find who deleted a file, you need to find the log entry listing the file deletion and then laboriously read back through potentially tens of thousands of lines in the log(s) until you find the matching login for that MAC address so you can then determine WHO deleted the file rather than which computer. As these entries can span across more than one actual log file due to the logs being rotated when a size limit is reached this is a nightmare to do.
  In other words, the logs are almost completely useless for auditing.
  I have a law firm also looking for a similar solution.
  The best I can say so far would be to stop using Mac OS X as a file server and switch to something else which offers proper auditing.
  Note: This situation is a result of Apple not addressing the Enterprise market historically - with some justification. It would still be nice to have a solution especially now that Enterprise is taking Apple (a little bit) more seriously.
  PS. To make things worse, I am currently implementing a Mac terminal server, this will have multiple logins running at the same time which will be in turn logging in to a Mac AFP server. As these sessions are all running on the same physical (terminal) server, as far as the AFP server is concerned they will all have the exact same Ethernet MAC address! This will make it literally impossible to tell which user did an operation using Apple's current feeble logging.

• Difference between afp and smb

  I'm running OS X server 10.5.8. unlimited license with only file sharing enabled.
  When a large number of users (more than 7 or 8) try to log on the server at the same time, the server goes AWOL. A few users get on and that's it. When I check the server preferences, file sharing has turned off by itself. When I try to restart it, it just turns off again. After waiting a while, I can turn it on again, or it'll turn on again by itself after a good long while.
  This is in the setting of a computer lab. The users get on via afp. Would smb work better? What's the difference between the two?
  I'll appreciate any help or suggestions on this.
  Hans

  When I check the server preferences, file sharing has turned off by itself. When I try to restart it, it just turns off again
  That's clearly not normal. What do the logs have to say?
  The users get on via afp. Would smb work better? What's the difference between the two?
  AFP was designed by Apple and is the native file sharing protocol in Mac OS X.
  SMB was designed by Microsoft and is the native file sharing protocol in Windows.
  At one time Macs would use AFP, Windows systems would use SMB. That line is now blurred by the fact that Mac OS X can talk both AFP and SMB, and Windows machines can be persuaded to talk AFP.
  There are some under the hood differences and in general your Mac clients should use AFP if possible. Whether SMB is more or less reliable in your case depends on why the server is having these issues in the first place - if it's a resource issue (i.e. not enough memory/cpu/etc.) then enabling SMB is likely to make things worse since the server now has an additional process to keep running.

• New Server Accounts and Home Directories

  Greetings Everyone,
  Hoping someone here has enough patience to help me figure out what I'm sure is a realtively simple problem...
  I'm setting up a Mac Mini Server (10.6.8) in my Unviersity Lab and connecting 6 Mac Mini's (Snow Leopard). We have a bunch of people that need accounts, and obviously using a network account run from the server is the simplest and best option.
  As I'm not THAT familiar with servers and/or Mac's, I've spent quite a bit of time looking through the Workgroup Manager and Server Preferences, and have managed to set up accounts for everyone and tweak them to my desired preferences.
  However, when I try to login to a user network account from another computer, the login screen "shakes" and does not allow me to login. After some sleuthing through various forums, I've come to the conclusion that my "home Directories" are not set up properly.
  This is where I am confused. I understand the idea behind the home directory, but do not know what to type in the dialog box in the following fields:
  Mac OS X Server/Shar Point URL (afp?)
  Path to Home Folder
  Full Path
  I plan to make the home directories on the Mac Mini Server's Secondary Hardrive under a folder called "Lab group".
  Can anyone guide me to a tutorial or perhaps let me know what I should write in that field?
  Also, if anyone has any great resources on setting up servers, that would be fantastic.
  Many thanks (and apologies for such a silly question).
  Cheers.

  The first step is to define an AFP sharepoint in Server Admin, and check the box for "Enable Automount" (under the share point tab) which you then set for user home folders and group folders.
  Then, in WGM, on the Home tab for each of your users, you will see that sharepoint as an option. Simply select it, click "create home now" and then save.

• Iomega 2003 Storage Server AFP Shares not visible since upgrading to 10.5.6

  Iomega suggested that I post here. No AFP shares are visible since I installed the suggested 10.5.6 OSX upgrades. Nothing changed on the Iomega 2003 storage server side and it been running fine with the shares visible for over two years. What has changed in OSX? DO I need to open something up now for security purposes?? PLease advise as I am dying here!!
  Peace,
  DIGJOE

  After working with it some more...  Have figured out that the "lock" screen is a security measure from the server software.  somehow, I have it set [didn't mean to do this] to show that upon each reboot now, and I'm not sure how to disable it.  I'll get into the server manuals and have to research that. 
  It also seems that the server software sees each HD as another computer somehow...  and each partition as well.  Curious...  Anyway, once I got past the "loced" screen, the fresh install of the  server software was in effect, and the primary HD is showing both patitions. 
  All is happy...  [doing little apple happy dance]... 
  I zero'd out both of the new HD's, and am forgoing the install of the newer 10.5.6 on them.  My 10.4.11 server is just fine actually, had no problems with it until I tried to upgrade.  I suspect that the server software either wants only 10.4.11 server on everything, or somehow I must "tell " it to accept the other 10.5.6.  Not real sure how to do that, however will put  my muscles inbetween my ears in gear to think about for awhile.
  Thanks for your assistance.

• Trouble connecting to Lion server AFP shares after changing server's hostname

  Hello everyone,
  I recently changed hostname of my Lion server box (via Server application) and now my clients are having a problem when trying to connect to its AFP shares via aliases. It takes 160 seconds of "resolving alias to <sharename>" before it finally works. Aliases were created by navigating to the server, connecting with "Connect As", providing valid credentials, then navigating one level up and dragging the share icon (blue disk with three white people outlines) to the Desktop with Option-Command.
  What is interesting, if I create a new account on a client machine, create an alias, and click on it - it works without any delay, as it was for the clients that are having problems now; so I'm assuming some details about the previous server name got cached somewhere.
  The clients with long delay problems can access the shares quickly if they click on the server in the Finder window drawer, then "Connect As" and provide their login credentials - it works instantly then.
  I've been digging around quite a bit (deleting Keychain saved Network passwords for any and all references to the server I could find), and also by looking at kerberos logs on the server. What is interesting, the newly created clients I mention above who don't have delay with connecting, don't leave any records in the kerberos log file; but the ones that have 160 second delay do - there's nothing for 160 seconds, and then there is a flurry of activity, as the connection is finally established.
  When a client who has trouble connecting uses the "Connect As" method described above, entries in the Kerberos log are created instantly when client clicks connect.
  Probably also worth noting that renaming of the server was related to me setting up Open Directory on it.
  Any pointers would be greatly apprecited.

  I experienced almost exactly the problems you described. I also found that connecting via command line using mount_afp worked right away... and once the connection is established, mounting via finder was super fast.
  Tried all kinds of craziness on the client, even a full Time Machine restore.
  Tried fixing Open Directory.
  I was absolutely stumped by what was happening, but then thought, Hmm. I'm wondering if it's related to MobileMe going down? I noticed it started to happen after July 31...
  Success! That was it! Signing out of MobileMe in System Preferences made everything work the way it should!
  CDPlayer2: check if the clients are signed in to MobileMe, and if signing out fixes things - I'd appreciate it if you could post your results. Thanks.