Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-4488: Local admin rights randomly disappear on OS X 10.9

Centrify Identity Service, Mac Edition ,  

12 April,16 at 11:07 AM

Applies to: Centrify DirectControl version 5.1.3 and higher on Mac OS X 10.9

Problem:

After making an upgrade to 10.9 OS X, AD users with admin rights mapped to their AD groups seem to lose their admin status at random times.
 
When the sudo command is used while logged in as a user under the group policy "Map zone groups to local admin group", the following error message may appear:
 
>> Sorry, user xxxx is not allowed to execute xxx as root on <hostname>
 
At other times, the same user can run sudo command successfully. AD group used in the group policy does not seem to be the cause as it can be successfully resolved when running adquery user -A.
 
When the id command is used to check the group membership of the affected user, the admin group is sometimes in the list and sometimes not there. This seems to happen at random intervals. 

E.g.
>> id <username>
uid=12312412412(username) gid=20(users) groups=20(staff), 1231241241249(group1), 223423(group2), 80(admin), 12345(group3)

Running the same command after a few minutes:
>> id <username>
uid=12312412412(username) gid=20(users) groups=20(staff), 1231241241249(group1), 223423(group2), 12345(group3)

<<<<< 80(admin) group is now missing >>>>>

Why does this happen?

 
Cause:

This is an Apple bug. The problem can also be reproduced using the default Apple AD plugin.

In OS X Mavericks, it appears the "time to live" interval of the System Cache has been shortened and causes the cache to expire more frequently. The problem occurs when the cache expires and needs to be refreshed – when user tries to use “sudo” for the first time, the admin right may not have been restored. Since it takes between a few seconds to a few minutes in order for the admin right to resume, the user has to try entering sudo several times before it starts working again.


Workaround:

Add the AD user's username directly into the local admin group on the Mac via either the System Preferences, or by using the following command:
 
sudo dscl . append /Groups/admin GroupMembership [username]

See also the KB at:

Resolution:

Apple has accepted and acknowledged this as a bug in OS X and so should be working to fix this on their side. (Apple Bug ID 16284630 / 15284164)

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.