Mobile account losing admin rights off network
06-09-2014 05:12 PM
I converted my account to be a mobile account. However, when I'm offline from our network, it seems to lose the admin rights. Then when I come back into the office, it comes back. Is this normal, or a setting I need to modify?
06-10-2014 06:27 AM
What versions of OS X and Centrify is your Mac on? (You can find the Centrify version by running adinfo -v at the Terminal)
Also - approximately how many AD groups is your AD account a member of?
It's possible you may have run into a Mavericks bug we recently discovered...
06-10-2014 10:51 AM
It's very likely that you've run into the Mavericks bug:
When a user is a member of more than ~15 AD groups, it takes longer for a user to obtain the admin right:
In OS X Mavericks, it appears the "time to live" interval of the System Cache has been shortened, which in turn causes the cache to expire more frequently. When the cache expires and needs to be refreshed, it can take between a few seconds and several minutes for the AD group list to be restored.
If it does not get the AD group list in time, then it may not see the group that you're mapping into the Local Admin group on the Mac. Since your machine is off the network, it may not be able to refresh its AD group memberships fully, and so it never restores that local admin group mapping fully while offline.
Please note that this is an Apple bug - they have been made aware and acknowledged the bug into their system - the same issue can also be reproduced on Apple's own default AD plugin.
A possible workaround to this is to add the user directly into the Local Admin group - login as a true Local Admin, open the Terminal and run:
sudo dseditgroup -o edit -a [username] -t user admin
06-10-2014 04:25 PM
The problem is that if the Mac cannot see the AD group in the first place, then it won't be able to add it into the local admin group.
So while it is possible using this command sequence..:
dseditgroup -o edit -f n admin
dseditgroup -o edit -a macadmin -t group admin
(Where "macadmin" is the UNIX group name of the AD group)
...it's not an effective workaround for this bug.
The latest information I have is that Apple are aware and are working on this, but we don't have any other information beyond that.
06-10-2014 04:37 PM
Another possible option is to use the Centrify "auto.schema.groups" option to reduce the number of AD groups that are UNIX enabled on the Mac. By reducing the number of groups, you're likely to work around the Apple bug.
Full explanation can be found in the /etc/centrifydc/centrifydc.conf. Here's a snippet.
#
# This parameter specifies the Active Directory groups to be included in Auto
# Zone.
#
# By default all Active Directory groups are included. When you specify one or
# more groups in this parameter, the groups specified are assigned a group ID
# on this computer.
#
# Note: If an Active Directory user specified in "auto.schema.allow.users" is a
# member of a group and that group is NOT specified in "auto.schema.groups",
# that group is ignored.
#
# Any groups listed under "auto.schema.groups" can be domain local, global or
# universal groups. They must be security groups; however, distribution groups
# are not supported.
#
# You specify groups by name or you can list the group names in a file. The
# group name can be specified in any of the following formats:
# - SAM account name: sAMAccountName@domain.com
#   (specify the domain if the group is not in the current domain)
# - User Principal Name: email@example.com
# - NTLM: DOMAIN+sAMAccountName
# - Full DN: CN=commonName,...,DC=domain_component,DC=domain_component
# - Canonical Name: domain.com/container/cn
#
# If a name contains space characters, you can put the name in double quotes or
# escape the space characters using backslashes:
# e.g. "Domain Admins", Domain\ Users
#
# adclient writes any name that is not recognized to the Centrify DirectControl
# log file.
#
# You can enter the list of groups separated by comma, for example:
# auto.schema.groups: centrify_groups, "Domain Admins", Domain\ Users, group1, firstname.lastname@example.org, DOMAIN+group3, CN=group4\,CN=Users\,DC=domain\,DC=com, domain.com/Users/group5
#
# You can also use a file to specify groups, for example:
# auto.schema.groups: file:/etc/centrifydc/auto_groups.allow
#
# In the file, enter each name line by line. You can mix name formats, for
# example:
# centrify_groups
# "Domain Admins"
# Domain Users
# group1
# email@example.com
# DOMAIN+group3
# CN=group4,CN=Users,DC=domain,DC=com
# domain.com/Users/group5
#
# Default is empty, i.e. all AD groups are included in Auto Zone.
#
# Controlled by group policy under the setting
# "Computer Configuration"
#   -> "Centrify Settings"
#     -> "DirectControl Settings"
#       -> "Adclient Settings"
#         -> "Specify AD groups allowed in Auto Zone"
#
# auto.schema.groups:
With Centrify's Standard Edition, these parameters can be managed via GPO, along with 200+ other settings.
VP of Enterprise Solutions
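The following script is an added example, not part of this thread and not Centrify's or Apple's code. It turns the diagnosis discussed above into something a Mac admin can run: count how many AD groups resolve for the user, check whether the group mapped into the local admin group is among them, and write the groups that are actually needed into the `file:` format that `auto.schema.groups` accepts. Assumptions: `adquery user -G <user>` prints one UNIX group name per line; it and `dseditgroup -o checkmember` are only invoked when installed, so the functions can also be exercised against constructed sample data on any POSIX system; the ~15 group threshold is the approximate figure reported in the thread, not a documented limit; the mapped group name `macadmin` is borrowed from the example above and can be overridden with the `MAPPED_GROUP` environment variable.

```shell
#!/bin/sh
# Added example (not from the thread or Centrify): diagnostics for a Centrify-
# joined Mac that loses admin rights offline. The functions read their input
# from stdin so they can be tested with constructed data; the live commands
# at the bottom run only when they exist on this machine.

GROUP_THRESHOLD=15   # approximate trigger point reported in the thread (assumption)

# count_unix_groups: stdin is one group name per line (the assumed shape of
# `adquery user -G <user>` output); prints the number of non-empty lines.
count_unix_groups() {
    grep -c '.' || true      # grep exits 1 on zero matches but still prints 0
}

# group_visible NAME: succeed if NAME is one of the lines on stdin.
# Whole-line, case-insensitive match, since AD names are case-insensitive.
group_visible() {
    grep -qix -- "$1"
}

# over_threshold COUNT: succeed if COUNT exceeds GROUP_THRESHOLD.
over_threshold() {
    [ "$1" -gt "$GROUP_THRESHOLD" ]
}

# assess MAPPED_GROUP < group-list: print a verdict and return
#   0  mapped group visible and group count within threshold
#   1  mapped group not among the resolved groups (admin mapping cannot apply)
#   2  mapped group visible but count above threshold (may drop when the
#      cache expires offline)
assess() {
    mapped=$1
    list=$(cat)
    n=$(printf '%s\n' "$list" | count_unix_groups)
    if ! printf '%s\n' "$list" | group_visible "$mapped"; then
        echo "FAIL: '$mapped' is not among the $n resolved AD groups"
        return 1
    fi
    if over_threshold "$n"; then
        echo "WARN: '$mapped' visible, but $n groups exceed ~$GROUP_THRESHOLD"
        return 2
    fi
    echo "OK: '$mapped' visible and $n groups are within the threshold"
    return 0
}

# write_allow_file OUTFILE NAME...: write the one-name-per-line file that
# `auto.schema.groups: file:/etc/centrifydc/auto_groups.allow` reads.
# Only the groups the Mac really needs should be listed here.
write_allow_file() {
    out=$1
    shift
    : > "$out"
    for g in "$@"; do
        printf '%s\n' "$g" >> "$out"
    done
}

# Live run: only on a Mac with Centrify's adquery and Apple's dseditgroup.
if command -v adquery >/dev/null 2>&1 && command -v dseditgroup >/dev/null 2>&1; then
    user=${1:-$(id -un)}
    adquery user -G "$user" | assess "${MAPPED_GROUP:-macadmin}"
    # Apple's own view of whether the user is currently a local admin.
    dseditgroup -o checkmember -m "$user" admin
fi
```

Run it while on the network and again while offline; a verdict that flips from OK to FAIL between the two runs is the cache-expiry behaviour described in the thread, and a WARN is the cue to trim the group list with `auto.schema.groups` before the problem shows up.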