Applies to: Centrify DirectControl 5.3 (Suite 2016) for Mac OS X
On the Mac OS X client, an AD user without admin rights can unlock the padlock with an incorrect password. Consider this scenario: an AD user has the CN/Name "Alpha" and the samAccountName "Beta". On the Mac, create a local admin account called "Beta" (matching the AD samAccountName). You can then log in with the AD account Alpha and unlock the padlock by simply providing an incorrect password.
Prior to authentication, Centrify DirectControl (CDC) checks whether the AD account conflicts with a local account, which is the case here. Once CDC confirms that the local account is the same as the AD account, authentication is handed to the OS local database and CDC ignores all passwords. The OS, on the other hand, skips authentication altogether because the local account is not found.
Turn off (set to False) the two parameters below in the /etc/centrifydc/centrifydc.conf file:
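To find machines exposed to the conflict described above, the following added example (not Centrify's code) flags local accounts whose short name matches an AD samAccountName and marks the ones in the local admin group. It assumes the two local inputs were captured with `dscl . -list /Users` and `dscl . -read /Groups/admin GroupMembership`, and that AD users are available as a CSV export with `cn` and `samAccountName` columns (a hypothetical format); all sample data is constructed.

```python
import csv
import io

# Constructed sample inputs (not from a real host or directory).
DSCL_USERS = "root\n_www\nBeta\ndelta\n"                   # dscl . -list /Users
DSCL_ADMIN = "GroupMembership: root Beta\n"                # dscl . -read /Groups/admin GroupMembership
AD_EXPORT = "cn,samAccountName\nAlpha,Beta\nGamma,gamma\nDelta,Delta\n"  # hypothetical CSV export


def parse_user_list(text):
    """One local short name per line."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def parse_admin_members(text):
    """Members follow the 'GroupMembership:' key, separated by spaces."""
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "GroupMembership":
            return set(value.split())
    return set()


def find_conflicts(local_users, local_admins, ad_csv_text):
    """Return AD users whose samAccountName equals a local short name.

    Names are compared case-insensitively (an assumption made here, chosen
    so that near-identical names are reported rather than missed).
    """
    local_by_folded = {name.lower(): name for name in local_users}
    admins_folded = {name.lower() for name in local_admins}
    conflicts = []
    for row in csv.DictReader(io.StringIO(ad_csv_text)):
        sam = row["samAccountName"].strip()
        local = local_by_folded.get(sam.lower())
        if local is not None:
            conflicts.append({
                "cn": row["cn"].strip(),
                "samAccountName": sam,
                "local_account": local,
                "local_admin": local.lower() in admins_folded,
            })
    return conflicts


if __name__ == "__main__":
    users = parse_user_list(DSCL_USERS)
    admins = parse_admin_members(DSCL_ADMIN)
    for c in find_conflicts(users, admins, AD_EXPORT):
        risk = "local ADMIN" if c["local_admin"] else "local standard user"
        print(f'{c["cn"]} ({c["samAccountName"]}) collides with {c["local_account"]}: {risk}')
```

A hit with a local admin account is the exact scenario in this article; hits on standard local accounts are still name conflicts worth resolving.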