KB-7737: Best practice options for Software vendors to identify Mac computers bound to Active Directory using Centrify

Centrify Identity Service, Mac Edition

28 November,16 at 11:01 PM

Applies to: Centrify Identity Service, Mac Edition
 

 
Problem:
 
Third-party software (referred to as "the software" from here on) requires the Mac to be bound to Active Directory, but the software does not recognize the Mac as bound when the bind was made with Centrify rather than with the Apple native Open Directory bind.
 


Cause:
 
This generally happens because the software looks for the bind information in a way that does not recognize the Centrify node (/CentrifyDC) once the Mac is bound to Active Directory.
 


Workaround:
 
No workaround at this time.
 


Resolution:
 
To solve this issue, the software vendor should follow these best practices for how an API should check whether a Mac is bound to Active Directory.

Note: This is recommended even if Centrify is not installed or used for the Active Directory bind.
 
 
Ensure the software finds the correct AD plugin, regardless of the provider:
 
The API should use the equivalent of the scutil command
show com.apple.opendirectoryd.ActiveDirectory, whose output includes the AD NodeName, DomainNameDns and DomainNameFlat (see below).

 
Bound Using Centrify
 
bash-3.2$ scutil
> show com.apple.opendirectoryd.ActiveDirectory
<dictionary> {
  DomainForestName : centrifylab.test
  DomainGuid : CC60248D-4028-4652-9633-3B8C75905571
  DomainNameDns : centrifylab.test
  DomainNameFlat : CENTRIFYLAB
  MachineRole : 3
  NodeName : /CentrifyDC
  TrustAccount : Mac01$
}

 
Bound using Apple
 
bash-3.2$ scutil
> show com.apple.opendirectoryd.ActiveDirectory
<dictionary> {
  DomainForestName : centrifylab.test
  DomainGuid : CC60248D-4028-4652-9633-3B8C75905571
  DomainNameDns : centrifylab.test
  DomainNameFlat : CENTRIFYLAB
  MachineRole : 3
  NodeName : /Active Directory/CENTRIFYLAB
  TrustAccount : mac02$
}
 
For the API, we recommend using SCDynamicStoreCopyValue() to read the key com.apple.opendirectoryd.ActiveDirectory and take the NodeName, DomainNameDns and DomainNameFlat values from it. Test for the presence of these values rather than for a NodeName that begins with /Active Directory/: as the output above shows, a Centrify bind reports /CentrifyDC while the domain values are the same for both providers.
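The following is an added example, not code from the article or from Centrify. It parses the text that scutil prints for the com.apple.opendirectoryd.ActiveDirectory key (the two outputs above are embedded as constructed samples, together with an assumed "No such key" line for an unbound Mac) and contrasts a node-path check, which misses the Centrify bind, with the provider-agnostic check the article recommends. On macOS the live_ad_bind_status() helper runs scutil itself; a shipping product would call SCDynamicStoreCopyValue() for the same key and apply the same decision logic to the returned dictionary.

```python
"""Provider-agnostic Active Directory bind check for macOS.

Parses the <dictionary> text that `scutil` prints for
`show com.apple.opendirectoryd.ActiveDirectory` and decides "bound" from
the keys the article names (NodeName, DomainNameDns, DomainNameFlat), so a
Centrify bind (/CentrifyDC) and an Apple native bind (/Active Directory/...)
are treated alike.
"""
import platform
import re
import subprocess
from typing import Dict, Optional

# Constructed samples: the two outputs shown in the article, plus the
# (assumed) text scutil prints when the key is absent on an unbound Mac.
SAMPLE_CENTRIFY = """<dictionary> {
  DomainForestName : centrifylab.test
  DomainGuid : CC60248D-4028-4652-9633-3B8C75905571
  DomainNameDns : centrifylab.test
  DomainNameFlat : CENTRIFYLAB
  MachineRole : 3
  NodeName : /CentrifyDC
  TrustAccount : Mac01$
}
"""
SAMPLE_APPLE = SAMPLE_CENTRIFY.replace(
    "NodeName : /CentrifyDC", "NodeName : /Active Directory/CENTRIFYLAB"
).replace("Mac01$", "mac02$")
SAMPLE_UNBOUND = "  No such key\n"

# "  Key : value" lines inside the dictionary; the "<dictionary> {" and "}"
# lines do not match because they do not start with a word character.
_ENTRY = re.compile(r"^\s*(\w+)\s*:\s*(.*?)\s*$")

REQUIRED_KEYS = ("NodeName", "DomainNameDns", "DomainNameFlat")


def parse_scutil_dict(text: str) -> Dict[str, str]:
    """Return the dictionary entries as a dict, or {} if there is none."""
    if "<dictionary>" not in text:
        return {}
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            entries[m.group(1)] = m.group(2)
    return entries


def ad_bind_status(text: str) -> Optional[Dict[str, str]]:
    """Bind information if the Mac is bound to AD by any provider, else None.

    Only the presence of the three keys is tested; NodeName is reported,
    not matched against "/Active Directory/", which is what breaks the
    Centrify case.
    """
    entries = parse_scutil_dict(text)
    if not all(entries.get(key) for key in REQUIRED_KEYS):
        return None
    return {key: entries[key] for key in REQUIRED_KEYS}


def naive_is_bound(text: str) -> bool:
    """The check the article warns against: keyed to the Apple node path.

    Returns False for a Centrify-bound Mac even though the Mac is bound.
    """
    node = parse_scutil_dict(text).get("NodeName", "")
    return node.startswith("/Active Directory/")


def live_ad_bind_status() -> Optional[Dict[str, str]]:
    """Read the real key through scutil on macOS; returns None elsewhere.

    A shipping product would call SCDynamicStoreCopyValue() for the same
    key instead of spawning scutil; the decision logic is identical.
    """
    if platform.system() != "Darwin":
        return None
    proc = subprocess.run(
        ["scutil"],
        input="show com.apple.opendirectoryd.ActiveDirectory\n",
        capture_output=True, text=True, check=False,
    )
    return ad_bind_status(proc.stdout)


if __name__ == "__main__":
    for label, sample in (("Centrify", SAMPLE_CENTRIFY),
                          ("Apple", SAMPLE_APPLE),
                          ("Unbound", SAMPLE_UNBOUND)):
        print(f"{label:9s} naive={naive_is_bound(sample)!s:5s} "
              f"provider-agnostic={ad_bind_status(sample)}")
```

Running the script prints three rows; only the provider-agnostic column reports the Centrify-bound Mac as bound, while both checks agree on the Apple-bound and unbound cases.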
 
 
If network user attributes are needed, the software can use the following method:
 
The API should use the equivalent of
dscl /Search read /Users/username and look for the needed attributes, for example AppleMetaNodeLocation, RealName, AppleMetaRecordName, AuthenticationAuthority and UniqueID (see below).
 
Bound using Centrify
 
bash-3.2$ dscl /Search read /Users/Ryan
AppleMetaNodeLocation: /CentrifyDC/Default
AppleMetaRecordName: CN=Ryan,OU=MacUsers,DC=centrifylab,DC=test
AuthenticationAuthority: CentrifyDC
RealName: Ryan
UniqueID: 2110348419

 
 
Bound using Apple
 
bash-3.2$ dscl /Search read /Users/Ryan
AppleMetaNodeLocation:
 /Active Directory/CENTRIFYLAB/centrifylab.test
AppleMetaRecordName: CN=Ryan,OU=MacUsers,DC=centrifylab,DC=test
AuthenticationAuthority: ;Kerberosv5;;ryan@CENTRIFYLAB.TEST;CENTRIFYLAB.TEST; ;NetLogon;ryan;CENTRIFYLAB
RealName: Ryan
UniqueID: 2110348419
 
 
For the API, we recommend the queryWithNode() Open Directory API, requesting the needed attributes, for example AppleMetaNodeLocation, RealName, AppleMetaRecordName, AuthenticationAuthority and UniqueID. Note that in the output above AppleMetaNodeLocation and AuthenticationAuthority differ between the two providers, while AppleMetaRecordName, RealName and UniqueID are identical; base any provider-independent decision on the latter.
 

 
Collecting user group membership can use the following method:
 
The API should use the equivalent of
dscl /Search read /Users/username and read the dsAttrTypeNative:memberOf attribute (see below).

 
Bound using Centrify
 
bash-3.2$ dscl /Search read /Users/Ryan
dsAttrTypeNative:memberOf:
 CN=MacAdmins,OU=MacUsers,DC=centrifylab,DC=test
 CN=MacUsers,OU=MacUsers,DC=centrifylab,DC=test
 CN=ard_admin,OU=MacUsers,DC=centrifylab,DC=test
 CN=ADSyncAdmins,CN=Users,DC=centrifylab,DC=test
 CN=Domain Admins,CN=Users,DC=centrifylab,DC=test
 CN=Domain Users,CN=Users,DC=centrifylab,DC=test
 CN=Enterprise Admins,CN=Users,DC=centrifylab,DC=test

 
Bound using Apple
 
bash-3.2$ dscl /Search read /Users/Ryan
dsAttrTypeNative:memberOf:
 CN=ADSyncAdmins,CN=Users,DC=centrifylab,DC=test
 CN=ard_admin,OU=MacUsers,DC=centrifylab,DC=test
 CN=MacUsers,OU=MacUsers,DC=centrifylab,DC=test
 CN=MacAdmins,OU=MacUsers,DC=centrifylab,DC=test
 CN=Domain Admins,CN=Users,DC=centrifylab,DC=test
 CN=Enterprise Admins,CN=Users,DC=centrifylab,DC=test
 
 
For the API, we recommend the queryWithNode() Open Directory API, requesting the dsAttrTypeNative:memberOf attribute. The order in which the groups are returned differs between the two providers, as the output above shows, so compare membership as a set rather than by position.
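The following is an added example, not code from the article or from Centrify, serving both the user-attribute section and the group-membership section above. It parses the text format of dscl /Search read /Users/username (single values on the key line, multi-valued attributes and values containing spaces on indented continuation lines) and makes decisions that come out the same under both binds: the user is treated as an AD user because AppleMetaRecordName is an LDAP DN, not because of the AppleMetaNodeLocation prefix or the AuthenticationAuthority format, and group membership is a case-insensitive set test over dsAttrTypeNative:memberOf. The samples are constructed from the article's outputs (attributes and memberOf merged into one record per provider) plus an assumed local account for the negative case; a product would obtain the same attributes through queryWithNode() rather than by running dscl.

```python
"""Parse `dscl /Search read /Users/<name>` output and take attribute and
group-membership decisions that hold for both the Centrify and the Apple
native AD bind.
"""
import re
from typing import Dict, List

# Constructed samples built from the article's dscl output; SAMPLE_LOCAL is
# an assumed local account used only as the negative case.
SAMPLE_CENTRIFY = """\
AppleMetaNodeLocation: /CentrifyDC/Default
AppleMetaRecordName: CN=Ryan,OU=MacUsers,DC=centrifylab,DC=test
AuthenticationAuthority: CentrifyDC
RealName: Ryan
UniqueID: 2110348419
dsAttrTypeNative:memberOf:
 CN=MacAdmins,OU=MacUsers,DC=centrifylab,DC=test
 CN=MacUsers,OU=MacUsers,DC=centrifylab,DC=test
 CN=ard_admin,OU=MacUsers,DC=centrifylab,DC=test
 CN=ADSyncAdmins,CN=Users,DC=centrifylab,DC=test
 CN=Domain Admins,CN=Users,DC=centrifylab,DC=test
 CN=Domain Users,CN=Users,DC=centrifylab,DC=test
 CN=Enterprise Admins,CN=Users,DC=centrifylab,DC=test
"""
SAMPLE_APPLE = """\
AppleMetaNodeLocation:
 /Active Directory/CENTRIFYLAB/centrifylab.test
AppleMetaRecordName: CN=Ryan,OU=MacUsers,DC=centrifylab,DC=test
AuthenticationAuthority: ;Kerberosv5;;ryan@CENTRIFYLAB.TEST;CENTRIFYLAB.TEST; ;NetLogon;ryan;CENTRIFYLAB
RealName: Ryan
UniqueID: 2110348419
dsAttrTypeNative:memberOf:
 CN=ADSyncAdmins,CN=Users,DC=centrifylab,DC=test
 CN=ard_admin,OU=MacUsers,DC=centrifylab,DC=test
 CN=MacUsers,OU=MacUsers,DC=centrifylab,DC=test
 CN=MacAdmins,OU=MacUsers,DC=centrifylab,DC=test
 CN=Domain Admins,CN=Users,DC=centrifylab,DC=test
 CN=Enterprise Admins,CN=Users,DC=centrifylab,DC=test
"""
SAMPLE_LOCAL = """\
AppleMetaNodeLocation: /Local/Default
RealName:
 Local Admin
UniqueID: 501
"""

# A key line starts in column 0 with an attribute name (which may itself
# contain ':' as in dsAttrTypeNative:memberOf) followed by ':' and either
# nothing or a space and the single value. Continuation lines start with a
# space or, like a DN, contain '=' before any ':' and so never match.
_KEY_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9_:-]*?):(?:\s(.*))?$")


def parse_dscl_record(text: str) -> Dict[str, List[str]]:
    """Map each attribute to its list of values."""
    record: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = _KEY_LINE.match(raw)
        if m:
            current = m.group(1)
            record[current] = [m.group(2)] if m.group(2) else []
        elif current is not None:
            record[current].append(raw.strip())
    return record


def is_ad_user(record: Dict[str, List[str]]) -> bool:
    """True when AppleMetaRecordName is an LDAP DN with DC= components.

    AppleMetaNodeLocation and AuthenticationAuthority are deliberately not
    consulted: they differ between Centrify and the Apple plugin.
    """
    dn = (record.get("AppleMetaRecordName") or [""])[0]
    return any(p.strip().lower().startswith("dc=") for p in dn.split(","))


def group_names(record: Dict[str, List[str]]) -> List[str]:
    """CN of every group listed in dsAttrTypeNative:memberOf."""
    names = []
    for dn in record.get("dsAttrTypeNative:memberOf", []):
        first = dn.split(",")[0]
        if first.upper().startswith("CN="):
            names.append(first[3:])
    return names


def is_member_of(record: Dict[str, List[str]], group: str) -> bool:
    """Case-insensitive set test; group order differs by provider."""
    return group.lower() in {n.lower() for n in group_names(record)}


if __name__ == "__main__":
    for label, sample in (("Centrify", SAMPLE_CENTRIFY),
                          ("Apple", SAMPLE_APPLE), ("Local", SAMPLE_LOCAL)):
        rec = parse_dscl_record(sample)
        print(label, "AD user:", is_ad_user(rec),
              "Domain Admins:", is_member_of(rec, "Domain Admins"))
```

Both AD records produce the same UniqueID and DN and the same answer for any group present under both binds, even though the raw memberOf lists are ordered differently; the local account is rejected without any provider-specific string matching.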


For additional information not covered in this guide or troubleshooting assistance, please review Centrify Online Help or visit the Customer Support Portal at https://www.centrify.com/support/customer-support-portal/

 
