Applies to: All versions of Centrify DirectControl on Mac OS X
A Mac was previously joined to the AD domain with the built-in Apple AD plugin and AD accounts could login with no problems.
When re-binding the Mac onto the domain using Centrify, AD accounts which used to be able to login may experience variations of the following issues:
- The system hangs at the login screen with a spinning icon,
- Users are able to login, but they have no permissions on anything within their own home folders.
How can the logins be restored on the Mac systems?
If the AD accounts are configured to login with local home directories, then there could be a UID mismatch between when the Mac was joined under the Apple AD plugin, and when the Mac is joined with Centrify.
To determine if this is the case, bind the Mac to the domain with Centrify and run the following Terminal commands:
ls -ln /Users/
This will return a list of the home folders within the /Users/ directory next to their registered UIDs:
macbookpro:~ macadmin$ ls -ln /Users/
drwxrwxrwt 3 0 0 102 Jul 22 2011 Shared
drwxr-xr-x 11 789654 20 374 Apr 16 03:22 ad_user1
drwxr-xr-x 11 789655 20 374 Apr 16 03:22 ad_user2
drwxr-xr-x+ 14 501 20 476 Apr 16 03:14 macadmin
In the above example, the AD accounts ad_user1 and ad_user2 had previously logged into this Mac before with the UIDs 789654 and 7889655 respectively.
Checking the current UIDs of these two accounts while bound under Centrify will give different values, depending on whether they are explicitly defined (if joined in Zone Mode), or calculated (if joined in Auto Zone mode). The adquery command can be used to check the current UID of an AD account:
macbookpro:~ macadmin$ adquery user -u ad_user1
macbookpro:~ macadmin$ adquery user -u ad_user2
To sync the UIDs of the home folders back to their AD accounts, there are three options:
Option 1: (Recommended)
- If using Auto Zone, enable the following Group Policy:
Computer Configuration / Centrify Settings / DirectControl Settings / Adclient Settings / "Generate new uid/gid using Apple scheme in Auto Zone"
(See the Explain tab of this GP for more information on this setting)
- If using Zone Mode, open the DirectManage Access Manager and open the Zone properties where the user accounts have been added.
Under the "User Defaults" tab, set the UID to "Use Apple UID scheme".
If necessary, do the same for the "Group Defaults" tab and the GID value.
Remove and re-add the users' UNIX Profile in that Zone
- Once the above settings have been activated (for their respective Zone environment), go to the target Mac and login as Local Admin
- Open the Terminal and run the following commands to verify the setting is now active:
adquery user -u ad_username
ls -ln /Users/
- The UID from the adquery output should now match the user's home folder UID as shown in the ls -ln command
- See also:
- Use the following command to force the ownership of the home folders back to the rightful AD account:
sudo chown -R ad_user1 /Users/ad_user1/
- Use Account Migration to link the home folder back to the AD account. This approach will preserve the UID of the original home folder, but will mask the true UID of the AD account while that user is logged in.
- For Centrify for Mac versions 5.1.0 and above, Account Migration can be performed under:
System Preferences > Centrify > Account Migration.
See the following KB for more information on Account Migration: