
KB-4737: "Generate new uid/gid using Apple scheme" GP requires an adflush to take effect

Centrify Identity Service, Mac Edition

12 April 2016 at 11:14 AM

Applies to: Centrify DirectControl version 5.1.3 to 5.2.1 on Mac OS X

Question:

The following group policy has been enabled so that AD users logging in to Mac systems get their UIDs generated by the Apple AD plugin method instead of the traditional Centrify UID method:
  • Computer Configuration / Centrify Settings / DirectControl Settings / Adclient Settings / "Generate new uid/gid using Apple scheme in Auto Zone"
This setting eases migration of Mac systems that were previously joined with the Apple AD plugin, because AD users do not need their UIDs changed after switching to Centrify. It also removes the need for the Account Migration tool for previously Apple-bound AD users.


However, it was found that the AD cache must be flushed (sudo adflush) before the new UID algorithm takes effect, even when no AD users have logged in and been cached yet.

Why does this happen?


Answer:

Note:
  • As of Centrify Suite 2015, a new option has been added to adjoin that lets the agent use the Apple UID scheme immediately, without first flushing the AD cache.
  • The notes below therefore apply only to Centrify Suite 2014.1, i.e. Mac agent versions 5.1.3 to 5.2.1.

When a Mac first joins the domain under Centrify, the agent will immediately start building the AD cache with the default schema plus any additional options specified in the centrifydc.conf file.

If the Apple UID configuration is pushed via GP, the parameter is applied only after the AD cache has already been initialised:
  1. Mac system joins the domain
  2. AD cache starts building (using the default Centrify UID scheme)
  3. Group policy mappers run and download the config change to the Apple UID scheme
  4. AD cache is flushed and can now be rebuilt using the Apple UID scheme


To make the Mac agent use the Apple UID scheme immediately after joining, the parameter needs to be set BEFORE the join:
  1. Install the Centrify for Mac agent
  2. Open /etc/centrifydc/centrifydc.conf for editing
  3. Uncomment and change the following line:

    # auto.schema.apple_scheme: false

    to:

    auto.schema.apple_scheme: true

  4. Join the domain
  5. The AD cache will now be built using the Apple UID scheme
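The pre-join edit in steps 2 and 3, as an added shell example that is not Centrify's own tooling: it uncomments or rewrites the auto.schema.apple_scheme line in the conf file and verifies the active value before adjoin is run. The default path is the one named above; the sample file contents are constructed for this example.

```shell
#!/bin/sh
# Added example (not Centrify code): make sure auto.schema.apple_scheme is
# active and set to true BEFORE adjoin, so the AD cache is built with the
# Apple UID scheme from the start and no adflush is needed afterwards.

CONF_PATH="${CONF_PATH:-/etc/centrifydc/centrifydc.conf}"

# set_apple_scheme <conf-file>
# Rewrites any commented ("# auto.schema.apple_scheme: false") or active
# occurrence of the parameter to the enabled form; appends it if absent.
set_apple_scheme() {
    conf="$1"
    tmp="$conf.tmp.$$"
    if grep -q '^[[:space:]]*#*[[:space:]]*auto\.schema\.apple_scheme:' "$conf"; then
        sed 's/^[[:space:]]*#*[[:space:]]*auto\.schema\.apple_scheme:.*/auto.schema.apple_scheme: true/' \
            "$conf" > "$tmp"
    else
        cp "$conf" "$tmp"
        printf 'auto.schema.apple_scheme: true\n' >> "$tmp"
    fi
    mv "$tmp" "$conf"
}

# check_apple_scheme <conf-file>
# Returns 0 only when an uncommented line enables the Apple scheme, so the
# state can be verified before the join (a commented line does not count).
check_apple_scheme() {
    grep -q '^[[:space:]]*auto\.schema\.apple_scheme:[[:space:]]*true[[:space:]]*$' "$1"
}

# Constructed sample excerpt standing in for a freshly installed conf file.
demo_conf="$(mktemp)"
cat > "$demo_conf" <<'EOF'
# centrifydc.conf excerpt (constructed for this example)
adclient.cache.expires: 3600
# auto.schema.apple_scheme: false
EOF

set_apple_scheme "$demo_conf"
check_apple_scheme "$demo_conf" && echo "Apple UID scheme enabled in $demo_conf"
rm -f "$demo_conf"
```

Run it against the real file with CONF_PATH set and the two functions called on "$CONF_PATH" after the agent is installed but before adjoin.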


Note:

This only affects machines joined to the domain in Auto Zone mode. Users logging into machines joined under Zone Mode can have their UNIX Profiles configured to use the Apple UID scheme via the Zone properties in DirectManage Access Manager. This means when the AD cache is initialised on the Mac side, it will immediately use the Apple UID scheme.

