I guess I wasn't clear above. If they are using Ganesha, they cannot set auth.reject or auth.allow options. This means they must not do Playbook 1 Step 2, Playbook 2 Step 1, or Playbook 2 Step 2.