Centrify DirectControl version 5.1.3 to 5.2.1 on Mac OS X

Question:
The following group policy has been enabled so that AD users logging into Mac systems can get their UIDs generated using the Apple AD plugin method instead of the traditional Centrify UID method.
- Computer Configuration / Centrify Settings / DirectControl Settings / Adclient Settings / "Generate new uid/gid using Apple scheme in Auto Zone"
This setting makes migration easier for Mac systems that were previously joined with the Apple AD plugin, because AD users keep the same UIDs after switching to Centrify. It also removes the need to run the Account Migration tool for previously Apple-bound AD users.
However, it was found that the AD cache needs to be flushed (sudo adflush) before the new UID algorithm takes effect, even if no AD users have logged in and been cached yet.
Why does this happen?

Answer:

Note:
- As of Centrify Suite 2015, a new option has been added to adjoin that lets the agent use the Apple UID scheme immediately, without first flushing the AD cache.
- This means the notes below apply only to Centrify Suite 2014.1 / Mac agent versions 5.1.3 - 5.2.1.
When a Mac first joins the domain under Centrify, the agent immediately starts building the AD cache using the default UID scheme plus any additional options already set in centrifydc.conf.
If the Apple UID configuration is pushed via Group Policy, the parameter is applied only after the AD cache has already been initialised:
- Mac system joins domain
- AD cache starts building (using the default Centrify UID scheme)
- Group Policy mappers run and download the config change to the Apple UID scheme
- AD cache must be flushed (adflush); it is then rebuilt using the Apple UID scheme
To make the Mac agent use the Apple UID scheme immediately after joining, the parameter needs to be set BEFORE the join:
- Install the Centrify for Mac agent
- Open /etc/centrifydc/centrifydc.conf for editing
- Uncomment the following line and change its value from false to true:
# auto.schema.apple_scheme: false
- The line should now read:
auto.schema.apple_scheme: true
- Join domain
- AD cache will now be built using the Apple UID scheme
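The pre-join edit above as a shell script (an added example, not Centrify's own tooling): it sets auto.schema.apple_scheme to true in centrifydc.conf, whether the key is present commented out, present with another value, or missing, and then checks that the active value is true before you run adjoin. The path /etc/centrifydc/centrifydc.conf and the parameter name come from the article; the function names, the constructed sample config and the temp-directory dry run are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Centrify's own tooling. Sets auto.schema.apple_scheme: true
# in centrifydc.conf so that the AD cache is built with the Apple UID scheme
# from the first join, avoiding the adflush described in the article.
# Assumption: on a real host the file is /etc/centrifydc/centrifydc.conf (as in
# the article) and the edit is done as root before adjoin; the dry run below
# works on a constructed copy instead.

# set_apple_scheme CONF
# Replaces any "auto.schema.apple_scheme: ..." line, commented or not, with the
# active "true" setting, or appends it if the key is missing. Idempotent.
# Writes back through the original file so its ownership and mode are kept.
set_apple_scheme() {
    conf="$1"
    tmp="$conf.tmp.$$"
    if grep -Eq '^[[:space:]]*#?[[:space:]]*auto\.schema\.apple_scheme[[:space:]]*:' "$conf"; then
        sed -E 's/^[[:space:]]*#?[[:space:]]*auto\.schema\.apple_scheme[[:space:]]*:.*$/auto.schema.apple_scheme: true/' \
            "$conf" > "$tmp"
    else
        cat "$conf" > "$tmp"
        printf 'auto.schema.apple_scheme: true\n' >> "$tmp"
    fi
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# apple_scheme_enabled CONF
# Succeeds only if an uncommented "auto.schema.apple_scheme: true" is present,
# i.e. the agent will use the Apple scheme when the cache is next built.
apple_scheme_enabled() {
    grep -Eq '^[[:space:]]*auto\.schema\.apple_scheme[[:space:]]*:[[:space:]]*true[[:space:]]*$' "$1"
}

# Dry run against a constructed config fragment in a temp dir (not a real host).
demo() {
    dir=$(mktemp -d)
    conf="$dir/centrifydc.conf"
    printf '%s\n' \
        '# constructed centrifydc.conf fragment for this example' \
        '# auto.schema.apple_scheme: false' \
        '# (other settings omitted)' > "$conf"

    if apple_scheme_enabled "$conf"; then
        echo "before: Apple UID scheme already active"
    else
        echo "before: Apple UID scheme not active; a join now would build the cache with the Centrify scheme"
    fi

    set_apple_scheme "$conf"

    if apple_scheme_enabled "$conf"; then
        echo "after:  Apple UID scheme active; safe to run adjoin"
    else
        echo "after:  edit failed" >&2
        rm -rf "$dir"
        return 1
    fi
    grep -n 'auto.schema.apple_scheme' "$conf"
    rm -rf "$dir"
}

demo
```

On a host that is already joined, editing the file is not enough: the cache was built with the Centrify scheme at join time, so the article's adflush is still required before the new scheme is used.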
This only affects machines joined to the domain in Auto Zone mode. Users logging into machines joined under Zone Mode can have their UNIX Profiles configured to use the Apple UID scheme via the Zone properties in DirectManage Access Manager. This means when the AD cache is initialised on the Mac side, it will immediately use the Apple UID scheme.