- Jamf Nation Community
- Products
- Jamf Pro
- Re: Centrify Express
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Centrify Express
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-08-2011 05:16 PM
Any Centrify Express users here? Its free and its a complete re-write of the Apple AD bind it seems. I wonder if it would be worth it to ditch Apples own tool and move to this seeing as Centrify had AD working before Apple did :D
28 REPLIES 28
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-09-2011 12:00 AM
Seems to be something that I did to make it not work. I've got it going now. So, this is great and everything, but is there any way to define what AD groups will automatically have Admin access when logging in or is that a function of their paid product?
j
---
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436
Not applicable
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-09-2011 12:29 AM
paid product i think.
in fact, i'm a little stumped how you got a mobile account working too. that is also supposed to be a part of the paid product from what i understand.
but i've just started looking into this. not a centrify guru by any stretch
Jeffrey Compton
Lead I.S. Engineer | Mac Security | The MITRE Corporation | Office: 703-983-3163
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-09-2011 12:40 AM
I manually converted it.
--
Matt Lee, CCA/ACMT/ACPT/ACDT
Senior IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-09-2011 05:27 AM
Holy crap. How long has this been out there??? I'll be testing this with Lion TO-DAY.
j
---
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-09-2011 06:49 AM
I just noticed it today. I tested it out and it seemed to have worked! Having SMB issues but hey this is a start!
--
Matt Lee, CCA/ACMT/ACPT/ACDT
Senior IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-09-2011 07:14 AM
Yeah I just bound a 10.7 GM install to the domain with it. Works! Now to test the offline/caching that I really need.
j
---
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-09-2011 07:40 AM
centrify express has been around awhile. if it works for you over the built in stuff, go for it.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-09-2011 08:12 AM
Out of interest, did your AD pass the ad check?
Regards,
Ben.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-09-2011 08:19 AM
It did. I only had one error with SSH.
--
Matt Lee, CCA/ACMT/ACPT/ACDT
Senior IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-09-2011 08:56 AM
WOOOO OFFLINE LOGINS, KERBEROS TICKETS.... whole shootin' match.
j
---
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-09-2011 09:01 AM
I had weird SMB issues hows SMB working?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-09-2011 09:21 AM
Actually, I can't connect to anything SMB now. Neither hostname or IP work. AFP is ok though.
j
---
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-09-2011 09:24 AM
Scratch that... it's just extremely slow.
---
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-09-2011 09:33 AM
I have everything working perfectly now. I did a clean install of 10.7, installed the Centrify Plugin, Bound to AD, restarted and BAM! Kerberized deliciousness!!!
Looks like we have a winner winner!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-09-2011 09:49 AM
Any connectivity with SMB issues? I'm dead slow over here.
j
---
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-09-2011 09:58 AM
Nope just transferred a few gigs of files setting up my profile and had no issues at all.
The one thing I did notice was that it defaulted me to a Network Account and not a Mobile Account. I had to go and concert the account manually.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-09-2011 10:20 AM
Yeah I did notice it said "network" however offline logins worked ok for me. Wonder if the network vs. mobile account has anything to do with the smb issue.
j
---
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-09-2011 10:22 AM
It might, try converting the account to a mobile account.
Not applicable
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-09-2011 01:12 PM
Using Centrify's account migration tool, I assume?
Jeffrey Compton
Lead I.S. Engineer | Mac Security | The MITRE Corporation | Office: 703-983-3163
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-09-2011 01:21 PM
No I went into System Preferences and Click Mobile Account.
--
Matt Lee, CCA/ACMT/ACPT/ACDT
Senior IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-10-2011 12:26 AM
I found that Centrify Express is missing something we need: determining Admin rights for specific AD groups. That's something left to their paid products called "zones" apparently. So close, yet so far :)
j
---
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-10-2011 12:34 AM
Why not script this via Casper anyways? As the groups in AD only work when online & not offline.
Regards,
Ben.
Not applicable
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-10-2011 11:06 AM
OK - a lot of confusion on this, mostly because built-in AD plugin and Centrify Express handle things very differently.
First off, the out-of-the-box Centrify Express install does indeed work for offline logins. I don't know what happened with my first install, but it probably was related to the fact that I was trying all kinds of crazy things with built-in AD plugin before trying CE. I re-imaged 10.7, installed CE, and all was OK. I could login off-line, on-line, kerberos kosher, etc. Overall, works much better than the 10.7.0 AD plugin, although the initial network login is quite slow. But we are testing 10.7.2 developer seed right now. Will report on that later.
A "mobile account" is actually an account copied from the AD to local directory services.
With CE, somehow they are caching network credentials without actually creating that mobile account. Like you posted, Mathew, you can indeed go to Sys Prefs, authenticate as a local admin, and then create the mobile account manually. But with the built-in AD plugin, you can set that globally to create the mobile account at login. Would love to know if you could do that with CE.
Jeffrey Compton
Lead I.S. Engineer | Mac Security | The MITRE Corporation | Office: 703-983-3163
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-10-2011 11:18 AM
I need to play with it more. All I know is I am finally able to bind to AD! I do get a yellow dot though.
--
Matt Lee, CCA/ACMT/ACPT/ACDT
Senior IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-11-2011 06:55 AM
The issue with that is that you'd have to enumerate the groups to see what individual accounts are in the AD group and then add those individual accounts to the admin group. That's not a game I want to be in. I want to add an AD group to the Admin group and be done with it. It's how it's supposed to work anyway.
j
---
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436
Not applicable
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-11-2011 08:52 AM
Is your goal to just give local admin rights to a domain account ?
Jeffrey Compton
Lead I.S. Engineer | Mac Security | The MITRE Corporation | Office: 703-983-3163
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-11-2011 09:00 AM
No, to an AD group.
---
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-26-2011 05:03 AM
Does Centrify Express allow you to map uid and gid?
I tried using it with 10.7, but same problem we have with Apple's built-in AD plug-in, incorrect user id and group ids unless you map them. Unfortunately, Apple's AD plug-in can't find the unix groups if you map the user and group correctly. I don't see any mapping option within Centrify Express eg. Map UID to attribute uidNumber.
Sean
