Control of some protocol elements are in the /Library/Preferences/com.apple.AppleShareClient.plist, which doesn't seem to be created in a default installation of OS X 10.7 Lion. I tried copying the file from a Snow Leopard system at first, but then the configuration is different than what you would create in this process. So I deleted the file, then rebooted, and started from scratch.
To turn on DHCAST128:
- Launch Terminal and enter:# This enables the changes to the .plist files
sudo chmod o+w /Library/Preferences
# This creates the Library/Preferences/com.apple.AppleShareClient.plist file
sudo defaults write /Library/Preferences/com.apple.AppleShareClient afp_host_prefs_version -int 1
Restart the computer for the system to read the plist file.
2. Try to Connect to an AFP server. The system won't connect, so I stopped the attempt, but this will cause the AFP Client to create the preferences file.
3. Launch Terminal again and enter:
#This re-writes the entry for what gets disabled. So by NOT listing DHCAST128, we enable that component for running AFP.
sudo defaults write /Library/Preferences/com.apple.AppleShareClient afp_disabled_uams -array "Cleartxt Passwrd" "MS2.0" "2-Way Randnum exchange"
# This disables changes to the .plist files
sudo chmod o-w /Library/Preferences
Restart your computer again.
I didn't have any success with this modification, until this morning. I found some additional information pertaining to our NAS, which indicated Netgear is using an older version of Netatalk to implement AFP, which uses DHCAST128 as opposed to DHX2. I also found some info on Netatalk, which is now up to 2.2 -beta4.
When I spoke to my associate yesterday, regarding the AFP issue, he said he was able to connect via our fieldtech (managed admin account), but not our workstation (standard) or root accounts. This started me thinking about another issue I see from time to time in the Mac OS. Sometimes after logging into an account, selecting an item on the dock doesn't yield a response, until you open an application directly from the Application folder. Or the menu bar doesn't show, until you click on something, then the system works as it should. This indicates initially something in the GUI doesn't load properly or fully.
After following the com.apple.AppleShareClient.plist modification, I tried to login to our NAS from the workstation and root accounts, with a failure as I had experienced previously. As the workstation and root accounts seem to be able to cover everything I need for testing, many times I forego the fieldtech account until final testing. This time I followed my associate's experience and sure enough, I was able to login (and mount) afp://Lab_NAS/ITS_Lab.
Next I decided to leave the volume mounted and use fast user switching to login to workstation, where I saw the ITS_Lab volume, but with the "no access permission" indicator. I tried to mount the volume as I would normally, giving the correct authorization credentials. It worked! I was able to mount and access the volume. I then dismounted the volume, logged out of the workstation account, and into the root account. I was able to access the volume, without the additional authorization.
I then dismounted the volume and logged back into the fieldtech account. Then from the Apple menu I selected Restart, but the system did not reboot. I then dismounted the volume and again tried to reboot from the menu option. This time the system responded by rebooting. In each account, once the volume was mounted, I put a short-cut in the dock for easy access. After the system rebooted, I went directly to the workstation account, selected the short-cut from the dock, entered my credentials and mounted the volume. I was able to access the folders and files, copy to and from the volume as I would normally expect.
In considering the difference between accounts, the root account has more permissions than any other account, so it didn't seem that permissions would be the issue. The one thing that seemed suspect is when we installed (clean) OS X Lion, the fieldtech account is created by the wizard, hence it is the first account created, through which root must be enabled and is used to create workstation via the System Preferences > Accounts. Next step was to try and access some of our servers via AFP. I was successful with one of our Linux servers. With 2 of our Netware servers (no DHX2), access was only via SMB on one, but not the other.
Hopefully this helps someone and maybe it will yield something more form someone else. I welcome any thoughts on the subject, because there are missing pieces to the puzzle, hence some of this doesn't make sense just yet.
If this is helpful to you