
KB-3125: NFS group permission issues on Mac OS X

Centrify DirectControl, Centrify Identity Service, Mac Edition

12 April,16 at 11:18 AM

Applies to: Centrify DirectControl with Mac OS X and NFS mounted shares
 
Problem:
 
Copying to shared folders mounted via NFS works correctly in OS X 10.8, but fails for some folders in OS X 10.7 under the same user account. 
The issue only seems to occur with NFS shares which are owned by particular groups. 


Cause:
 
This is an Apple bug and can be reproduced using Apple's default AD plugin without Centrify installed.
 
The root cause is exactly as described in: (Link provided as a courtesy)
 
If the user's Auxiliary GIDs list does not contain the NFS share's GID, the user will have no permissions on that mounted share.
On OS X 10.7, when composing the Auxiliary GIDs list, the group with the largest GUID is dropped and replaced with GID 0.
 
To identify the group that has the largest GUID, run the "id" command while logged in as an AD user; the last group listed is the one with the largest GUID.
 
Note: 10.8 has a similar problem with dropping groups, but the logic is different. It is not yet known how to identify which group it drops.
 

Workaround:
 
The AD group GUID is generated automatically at creation and cannot be modified afterwards. Using ADSIEdit to create the group does not work either, as it appears not to accept any value when trying to set a specific objectGUID attribute. The workaround provided in the UIOWA link above can, however, be adapted to work with AD groups as well.
 
Note:
  • This workaround works by creating a dummy "FakeGroup" in AD (where the GUID cannot be set) and also creating a dummy local "FakeGroup" on the Mac (where the GUID can be set).
  • The "Map zone groups to local group" GP can then be used to map the AD group onto the local group when the user logs in, so that FakeGroup is still the one that gets dropped when the 10.7 machine polls the user's group list.
 
To set this up:
  1. Create a group in ADUC called "FakeGroup" and put all the AD Mac users in there.
  2. Depending on how the Mac is connected:
    • If the Mac is connected in Zone Mode, add the FakeGroup into the Centrify Zone and give it a GID that is DIFFERENT to that of the equivalent local FakeGroup on the Mac (which is determined by the dscl command below).
    • If the Mac is connected in Auto Zone, proceed straight to Step 3.
  3. Enable the following Group Policies:
    • Computer Configuration / Centrify Settings / Common UNIX Settings / "Specify commands to run"
      • In the "Run command" box, enter:
        • dscl . create /Groups/FakeGroup GeneratedUID FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF ; dscl . create /Groups/FakeGroup PrimaryGroupID 999999 ; dscl . create /Groups/FakeGroup RealName "FakeGroup"
      • (This will create the group with the high GUID locally on the Mac)
    • Computer Configuration / Centrify Settings / Mac OS X settings / Accounts / "Map zone groups to local group"
      • Local Group: FakeGroup
      • Zone Group: For Zone Mode users, enter the UNIX name of the FakeGroup (by default this should be "fakegroup").
      • Zone Group: For Auto Zone users, use the Browse button to search for the group in AD.
      • (This will map the Zone group onto the local Mac group that was just created with the first GP)
  4. Go to the Mac and run the following commands:
    • adgpupdate
    • sudo adflush
  5. Log in as a member of FakeGroup and run "id". FakeGroup should now be the last entry.
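
A way to script the check in step 5 and the rule from the Cause section, as an added example (not Centrify's or Apple's code): it parses "id" output, reports the last listed group, and classifies an NFS share's owning GID against the list. The function names are hypothetical, and the user, group names and GIDs in the sample output are constructed.

```shell
#!/bin/sh
# Constructed sample `id` output for an AD user, before and after the workaround.
SAMPLE_BEFORE='uid=1001(jdoe) gid=20(staff) groups=20(staff),12(everyone),5001(unix admins),5002(nfs-projects)'
SAMPLE_AFTER='uid=1001(jdoe) gid=20(staff) groups=20(staff),12(everyone),5001(unix admins),5002(nfs-projects),999999(FakeGroup)'

# Print "GID NAME" for the last entry of groups=, which the article identifies
# as the group with the largest GUID (the one OS X 10.7 drops).
last_listed_group() {
    case $1 in *groups=*) ;; *) return 1 ;; esac
    _entry=${1##*groups=}        # keep only the group list
    _entry=${_entry##*,}         # keep only the last entry, e.g. 999999(FakeGroup)
    _gid=${_entry%%'('*}         # text before the opening parenthesis
    _name=${_entry#*'('}         # text after it (names may contain spaces)
    _name=${_name%')'}
    printf '%s %s\n' "$_gid" "$_name"
}

# Classify the GID that owns an NFS share against the `id` output:
#   dropped = it is the last listed group (replaced with GID 0 on 10.7)
#   absent  = not in the auxiliary list at all (no permissions on the share)
#   ok      = listed and not last
share_gid_status() {
    _last=$(last_listed_group "$1") || return 1
    if [ "${_last%% *}" = "$2" ]; then
        echo dropped
        return 0
    fi
    case ",${1##*groups=}" in
        *",$2("*) echo ok ;;
        *)        echo absent ;;
    esac
}

# On a live Mac (the mount point is a placeholder):
#   share_gid_status "$(id)" "$(stat -f %g /Volumes/SHARE)"
```

With the constructed samples, GID 5002 is reported as dropped before the workaround and ok once FakeGroup is the last entry.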
 
Resolution:
 
None. Unfortunately, this is an Apple bug and is not Centrify-related.
