Mobile account losing admin rights off network

Participant III
Posts: 5
Registered: ‎06-02-2014
#1 of 7 6,995

Mobile account losing admin rights off network

I converted my account to be a mobile account. However, when I'm offline from our network, it seems to lose the admin rights. Then when I come back into the office, it comes back. Is this normal, or a setting I need to modify?

Posts: 532
Kudos: 210
Blog Posts: 24
Solutions: 25
Registered: ‎04-19-2012
#2 of 7 6,987

Re: Mobile account losing admin rights off network

Hi Nick,

What versions of OS X and Centrify is your Mac on? (You can find the Centrify version by running adinfo -v at the Terminal)

Also - approximately how many AD groups is your AD account a member of?

It's possible you may have run into a Mavericks bug we recently discovered...

Kind regards,

Brian

Participant III
Posts: 5
Registered: ‎06-02-2014
#3 of 7 6,974

Re: Mobile account losing admin rights off network

OS X 10.9.3 and CentrifyDC 5.1.3-482

I checked and my account is a member of about 75 groups and distributions.

Posts: 532
Kudos: 210
Blog Posts: 24
Solutions: 25
Registered: ‎04-19-2012
#4 of 7 6,972

Re: Mobile account losing admin rights off network

Hi Nick,

It's very likely that you've run into the Mavericks bug:

When a user is a member of more than ~15 AD groups, it takes longer for a user to obtain the admin right:

In OS X Mavericks, it appears the "time to live" interval of the System Cache has been shortened, which in turn causes the cache to expire more frequently. When the cache expires and needs to be refreshed, it can take between a few seconds and several minutes for the AD group list to be restored.

If it does not get the AD group list in time, then it may not see the group that you're mapping into the Local Admin group on the Mac. Since your machine is off the network, it may not be able to refresh its AD group memberships fully and so never restores that local admin group mapping fully while offline.

Please note that this is an Apple bug - they have been made aware and acknowledged the bug into their system - the same issue can also be reproduced on Apple's own default AD plugin.

A possible workaround to this is to add the user directly into the Local Admin group - login as a true Local Admin, open the Terminal and run:

  sudo dseditgroup -o edit -a [username] -t user admin

For example, if the AD username was "bob", then the command would be:

  sudo dseditgroup -o edit -a bob -t user admin

This should allow your AD user to retain their admin status even when offline.

Kind regards,

Brian

Participant III
Posts: 5
Registered: ‎06-02-2014
#5 of 7 6,955

Re: Mobile account losing admin rights off network

Thanks. Is it possible to use dseditgroup to add an AD group to the local admin group? Has Apple responded to the bug?

Posts: 532
Kudos: 210
Blog Posts: 24
Solutions: 25
Registered: ‎04-19-2012
#6 of 7 6,953

Re: Mobile account losing admin rights off network

Hi Nick,

The problem is that if the Mac cannot see the AD group in the first place, then it won't be able to add it into the local admin group.

So while it is possible using this command sequence:

dseditgroup -o edit -f n admin

dseditgroup -o edit -a macadmin -t group admin

(Where "macadmin" is the UNIX group name of the AD group)

...it's not an effective workaround for this bug.

The latest information I have is that Apple are aware and are working on this, but we don't have any other information beyond that.

Kind regards,

Brian
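An added check script for the situation described in posts #4 and #6 (it is not part of this thread and not a Centrify or Apple tool): it gathers the facts Brian asks about (how many groups the account is in, whether the account currently resolves as a local admin, and whether the AD group mapped onto "admin" can be resolved right now) and reports which case from the thread applies. It assumes a Mac with dseditgroup and dscl; the username "bob" and the UNIX group name "macadmin" are hypothetical, the sample checkmember replies are constructed from the tool's usual one-line "yes ..."/"no ..." format, and using `dscl /Search -read /Groups/<name>` as the visibility test is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the thread or from Centrify/Apple: collect the facts
# Brian asks for (group count, current admin status, whether the AD group that
# is mapped onto local "admin" can be resolved right now) and say which case
# from the thread applies. User "bob" and group "macadmin" are hypothetical.

# Count the groups in the output of `id -G <user>` (space-separated GIDs).
group_count() {
  # word splitting of $1 is intentional here
  set -- $1
  echo "$#"
}

# Interpret the one-line reply of `dseditgroup -o checkmember -m <user> admin`,
# which starts with "yes" when the user is a member and "no" otherwise
# (constructed sample replies are used in the checks). Prints "yes" or "no".
member_from_checkmember() {
  case "$1" in
    yes\ *|yes) echo yes ;;
    *)          echo no ;;
  esac
}

# Classify the situation:
#   $1  admin status now ("yes"/"no") from member_from_checkmember
#   $2  number of groups the account belongs to
#   $3  "yes"/"no": could the mapped AD group be read through Directory Services?
# Prints one of: ok, group-unresolved, cache-bug-likely, other
diagnose() {
  if [ "$1" = yes ]; then
    echo ok
  elif [ "$3" = no ]; then
    echo group-unresolved        # post #6: a group the Mac cannot see cannot be added
  elif [ "$2" -gt 15 ]; then
    echo cache-bug-likely        # post #4: more than ~15 groups, admin right not restored
  else
    echo other
  fi
}

# Live run, macOS only (arguments: <user> [unix-group-name-of-AD-admin-group]).
# Assumption: `dscl /Search -read /Groups/<name>` fails when the AD group is
# not resolvable at the moment, which is how "visible" is decided here.
if command -v dseditgroup >/dev/null 2>&1 && [ -n "${1:-}" ]; then
  user=$1
  adgroup=${2:-macadmin}
  status=$(member_from_checkmember "$(dseditgroup -o checkmember -m "$user" admin 2>&1)")
  count=$(group_count "$(id -G "$user")")
  if dscl /Search -read "/Groups/$adgroup" >/dev/null 2>&1; then seen=yes; else seen=no; fi
  verdict=$(diagnose "$status" "$count" "$seen")
  echo "user=$user groups=$count admin=$status adgroup_visible=$seen verdict=$verdict"
  case "$verdict" in
    group-unresolved|cache-bug-likely)
      echo "Workaround from post #4: sudo dseditgroup -o edit -a $user -t user admin" ;;
  esac
fi
```

Run it as `sh check_admin.sh bob macadmin` while the Mac is off the network and again when it is back on the office network; if the verdict flips between "ok" and "cache-bug-likely" with the same group count, the behaviour matches the cache-expiry explanation above, and "group-unresolved" is the case where the group-based dseditgroup sequence from this post cannot help.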

 

Posts: 952
Topics: 3
Kudos: 262
Blog Posts: 6
Ideas: 0
Solutions: 125
Registered: ‎07-06-2010
#7 of 7 6,951

Re: Mobile account losing admin rights off network

Another possible option is to use the Centrify "auto.schema.groups" option to reduce the number of AD groups that are UNIX enabled on the Mac. By reducing the number of groups, you're likely to work around the Apple bug.

Full explanation can be found in the /etc/centrifydc/centrifydc.conf. Here's a snippet.

#
# This parameter specifies the Active Directory groups to be included in Auto
# Zone.
#
# By default all Active Directory groups are included. When you specify one or
# more groups in this parameter, the groups specified are assigned a group ID
# on this computer.
#
# Note: If an Active Directory user specified in "auto.schema.allow.users" is a
# member of a group and that group is NOT specified in "auto.schema.groups",
# that group is ignored.
#
# Any groups listed under "auto.schema.groups" can be domain local, global or
# universal groups. They must be security groups; however, distribution groups
# are not supported.
#
# You specify groups by name or you can list the group names in a file. The
# group name can be specified in any of the following formats:
# - SAM account name: sAMAccountName@domain.com
#   (specify the domain if the group is not in the current domain)
# - User Principal Name: name@domain.com
# - NTLM: DOMAIN+sAMAccountName
# - Full DN: CN=commonName,...,DC=domain_component,DC=domain_component
# - Canonical Name: domain.com/container/cn
#
# If a name contains space characters, you can put the name in double quotes or
# escape the space characters using backslashes:
# e.g. "Domain Admins", Domain\ Users
#
# adclient writes any name that is not recognized to the Centrify DirectControl
# log file.
#
# You can enter the list of groups separated by comma, for example:
# auto.schema.groups: centrify_groups, "Domain Admins", Domain\ Users, group1, group2@domain.com, DOMAIN+group3, CN=group4\,CN=Users\,DC=domain\,DC=com, domain.com/Users/group5
#
# You can also use a file to specify groups, for example:
# auto.schema.groups: file:/etc/centrifydc/auto_groups.allow
#
# In the file, enter each name line by line. You can mix name formats, for
# example:
# centrify_groups
# "Domain Admins"
# Domain Users
# group1
# group2@domain.com
# DOMAIN+group3
# CN=group4,CN=Users,DC=domain,DC=com
# domain.com/Users/group5
#
# Default is empty, i.e. all AD groups are included in Auto Zone.
#
# Controlled by group policy under the setting
#      "Computer Configuration"
#      -> "Centrify Settings"
#         -> "DirectControl Settings"
#            -> "Adclient Settings"
#               -> "Specify AD groups allowed in Auto Zone"
#
# auto.schema.groups:

With Centrify's Standard Edition, these parameters can be managed via GPO, along with 200+ other settings.

Regards,

Felderi Santiago
VP of Enterprise Solutions
Centrify Corporation