Jolts and Joys of 10.14 (mac oS Mojave) "Server" (Server.app 5.7.x)
With the most recent version of mac OS (10.14, aka "mac OS Mojave"), and Apple's server offerings, there have been a great many changes, most of which result in the loss of many long-known, available, and/or even beloved services.
In case you somehow missed it, please see Apple's article, Prepare for changes to macOS Server 5.7.1
I made an interesting discovery with mac OS 10.14.3 and Server 5.7.1, when using the still-available Open Directory service: There are two service ACLs (managed via system groups) that are of interest but that are not created by default:
It appears that the _afp ACL actually has no bearing on Open Directory users' access to a share that is available via AFP. Keep in mind of course that shares cannot be made available/offered via AFP from a 10.14-native formatted filesystem, meaning APFS (recommended reading about APFS: https://arstechnica.com/gadgets/2016/06/digging-into-the-dev-documentation-for-apfs-apples-new-file-system )
So, if you have ensured that you've preserved or created a drive or volume specifically formatted HFSJ+ (HFS+ with Journaling), you/one can provide shares from the same via AFP. This works nicely and OD users (on a bound mac OS client computer), are not prompted for credentials.
If you setup shares intended for use via SMB, and connecting as an OD user appears to fail, you'll want to ensure that the desired user(s) are added to the local system group, com.apple.access_smb
OD users - as of this writing - do not appear to be automatically added to said service ACL.
However, if you take an existing OD user, and add them to said ACL (uname & GUID to GroupMembership & GroupMembers, respectively), and then make a template out of said user, and make a new user based on said template, then the new user IS automagically added to the service ACL. Nice to know and somewhat helpful.
Published Feb. 20, 2019 by David Haines,