Posted on 01-06-2017 07:25 AM
Hi all,
When authenticating with cached credentials on an AD-bound Mac (10.10.x, 10.11.x, 10.12.x) the group memberships are not cached, it seems...
I was expecting that AD group memberships should also be cached. Seems not the case. Anyone else seeing this behaviour?
The case:
I use several groups in the form of laptop_admins which all live in AD. The users in those groups should receive admin privileges when logging in to the system (configured in the bind script using dsconfigad -groups). It all works fine except when disconnected from the network during login. Everyone has 2 users, usern and admin_usern. Only admin_usern users can be members of a laptop_admins group; usern are standard accounts.
When authenticating with network connected, the terminal command
id admin_usern
gives the expected results (... ,331206878(XXXXXlaptop_admins), ...). When authenticating with network disconnected,
id admin_usern
doesn't give that group, but refreshes/updates once communication with AD is possible (GlobalProtect always on VPN)
so...
When no network connection is available (datacenter environment for example) and logging in using the cached credentials of admin_usern (to change the network settings to a fixed IP address), admin_usern doesn't receive admin privileges since the system thinks admin_usern is not a member of laptop_admins...
For being complete, the issue can easily be solved by "hard" adding the admin_usern user to the admin group in /Local/Default by:
sudo dseditgroup -o edit -n /Local/Default -a admin_usern -t user admin
Just wondering if anyone else sees this behaviour...
Posted on 01-06-2017 07:47 AM
Yes, this is true and normal. AD Group membership (and permissions from them) are not carried over when a cached account is used.
If you are looking to give a user admin privs, you need to define that locally on the computer. The command below will add the user 'adusername' to the local admin group so that adusername is always recognized as an admin.
/usr/sbin/dseditgroup -o edit -a adusername -t user admin
-T-
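The thread's conclusion, both in the edited original post and in the answer above, is that the local admin entry has to be written with dseditgroup because the AD group does not survive an offline login. The script below is an added example, not code from either poster: it reads the id(1) output the way the original post does, adds the account to the local admin group only while the AD group is actually visible (i.e. AD is reachable), and never removes it, because offline the group is invisible whether or not the user is still a member. The group name laptop_admins is taken from the thread; the two id(1) output samples are constructed, with the domain prefix redacted as in the post. dseditgroup -o checkmember is a real option that exits 0 when the account is already a member.

```shell
#!/bin/sh
# Added example (not from the thread): keep a local admin-group entry in sync
# with AD membership while the Mac is online, so the privilege survives an
# offline login with cached credentials.
# Assumptions: the AD group is named laptop_admins (as in the thread); the
# id(1) samples below are constructed, with the domain prefix redacted.

AD_ADMIN_GROUP="laptop_admins"

# Constructed id(1) output for a user logged in with the network connected
# (AD group resolved) and disconnected (cached record, group missing).
SAMPLE_ONLINE='uid=1054322(admin_usern) gid=20(staff) groups=20(staff),12(everyone),331206878(XXXXXlaptop_admins)'
SAMPLE_OFFLINE='uid=1054322(admin_usern) gid=20(staff) groups=20(staff),12(everyone)'

# is_ad_admin_from_id ID_OUTPUT
# Returns 0 when the id(1) output lists a group whose name ends in
# $AD_ADMIN_GROUP, e.g. 331206878(DOMAIN\laptop_admins). Matching on the
# name suffix tolerates the DOMAIN\ prefix macOS puts in front of AD groups.
is_ad_admin_from_id() {
    printf '%s\n' "$1" | grep -Eq '[0-9]+\([^)]*'"$AD_ADMIN_GROUP"'\)'
}

# ensure_local_admin USER
# Adds USER to the local admin group in /Local/Default unless already a
# member; this is the same dseditgroup edit the thread arrives at.
ensure_local_admin() {
    user="$1"
    if dseditgroup -o checkmember -m "$user" admin >/dev/null 2>&1; then
        echo "$user is already in the local admin group"
        return 0
    fi
    dseditgroup -o edit -n /Local/Default -a "$user" -t user admin
}

# sync_local_admin USER
# Only acts when the AD group is currently visible in id(1) output, which
# is the case only while AD is reachable. Never removes the local entry:
# offline, the group is invisible regardless of real membership.
sync_local_admin() {
    user="$1"
    if is_ad_admin_from_id "$(id "$user")"; then
        ensure_local_admin "$user"
    else
        echo "$user not in $AD_ADMIN_GROUP (or AD unreachable); leaving local admin group unchanged"
    fi
}

# Demo on the constructed samples; dseditgroup is only invoked on macOS
# when a user name is passed as the first argument (run as root).
if is_ad_admin_from_id "$SAMPLE_ONLINE"; then echo "online sample: admin group visible"; fi
if ! is_ad_admin_from_id "$SAMPLE_OFFLINE"; then echo "offline sample: admin group not visible"; fi
if [ "$(uname)" = "Darwin" ] && [ -n "${1:-}" ]; then
    sync_local_admin "$1"
fi
```

Run it from a login-time policy with the logging-in account as the argument. Because the local admin entry persists after the user leaves the AD group, revocation has to be handled separately, and only at a moment when AD is confirmed reachable, otherwise an offline login would look exactly like a removed membership.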
Posted on 01-06-2017 07:51 AM
Thanks! Just crossed my edit of the original post where I added more or less the same comment :-)
Posted on 01-08-2017 12:44 AM