We've discovered a bug/vulnerability in the current AFP when interacting
with Macintosh OS X version 10.4.6, not earilier versions. This has been
reported to Novell through their bug website, but I wanted to hear if
anyone else discovered this issue and how they resolved it.

Users who updated their Tiger OS to version 10.4.6 (through Software
Updates, so we can't control users in this aspect) reported not being able
to create folders or make modifications. Looking at the folders through
ConsoleOne, we verified that users had full rights and should not have a
problem, thus we deemed it a workstation issue.

On the workstation, we looked at the properties of the parent folder.
There, we saw the folder was "locked." In previous versions, "locked" was
greyed out.

Then we made some interesting discoveries...

"Locked" was generated when you added the delete inhibit and rename inhibit
attributes to the folder via ConsoleOne. If a user had supervisor rights,
they could uncheck the "locked" option on their Macintosh 10.4.6 machine
and it would remove the delete inhibit and rename inhibit attributes.

Fortunately, you can only do this if you have Supervisor rights, and no
one, other than administrators and help desk personnel have supervisor rights.

However, we cannot impede users from working, and so we have to remove
these attributes. At that moment, our data becomes vulnerable because
users can now delete entire parent directories. Loss of data will be
catastrophic. And no, don't say that's what backup tapes are for. Backup
restores take a long time and don't restore files created since the last
backup the night before.

So, has anyone else encountered this and if so, how did you resolve this?
Seems that Apple released a new version of AFP with 10.4.6 and other
vendors have yet to catch up with this new version. I'm using the latest
and greatest Novell AFPTCP from NSS5a.