Network user homes have wrong permissions

luke_jaeger
Contributor

This is slightly alarming. Our lab Macs are set up with AD authentication (thru NoMAD) ; network users get a local home created at first login on any given computer. Network user accounts get standard permissions.

Today I noticed that user homes are created with wrong permissions on some (but not all!) of the lab Macs.

I would expect user homes to be owned by [some_user]:staff with default permissions 700. On some machines this is the case; on others I'm seeing 750 or 755. 

Especially weird because I just nuked & paved the whole lab, so configs should be identical.

Am I overlooking something obvious? Where does the umask get set? I don't see anywhere in NoMAD to control it; is it coming from the AD server?

[Intel iMacs running 13.6.7, highest os version they support]

7 REPLIES 7

AJPinto
Honored Contributor III

Well, the first problem I see is you are using NoMad. I would suggest moving off of NoMad as it is fully end of life and support as of 8 months ago and see if the issues persist. 

 

Jamf to Archive NoMAD Open-Source Projects

we're definitely going to migrate away from NoMad, but it's not happening right away. I run one small piece of a campus-wide network so changes can take time. I think we're committed to NoMad until summer of 2025.

AJPinto
Honored Contributor III

I understand the limited budget, but honestly if you cannot migrate to a new solution you need to be discontinuing the use of NoMad immediately. It was retired 8 months ago and is a security risk, a pretty large one considering its brokering AD credentials.  

 

You may want to look into Apples Kerberos SSO extension

 Kerberos_Single_Sign_on_Extension_User_Guide_en-GB (apple.com)

 

You may want to explain it to your leadership like they are 5. Being a bit intentionally facetious as I deal with these people also and know their attention span and comprehension skills are not that good.

"Using Nomad after it was discontinued in December of 2023 is risky because it no longer gets updates to fix security problems, making it easier for bad people to break into our systems. This can lead to stealing important information can causing big problems for our organization. We need to switch to a new, support tool to keep everything save and secure."

Maybe toss in some examples of recent data breaches, and how much it cost the organizations. 

Understood, but it's not my decision, and no way are they rolling out a new sign-on system 6 weeks before the semester starts. I need a good enough solution to this particular problem for now.

easyedc
Valued Contributor II

So Kerberos SSO (formerly Enterprise Connect) is that solution. It handles the functionality similarly to what noMAD performed (read AD, handle ticket requests, sync passwords).  I wonder if the problem is not in your NoMAD set up, but in how macOS is interacting with AD. Apple has "encouraged" moving off of directly binding to AD for years (probably close to a decade at this point).

There used to be a steep entry point ($$$$) into Enterprise Connect and NoMAD, but starting with Kerberos SSO (~2022) it's free.  Kerberos SSO is baked into the OS, so all you should need to do is follow the documentation to create the configuration profiles to point to your domain controller and you should be good. 

 

AJPinto
Honored Contributor III

Exactly this. There is not much NoMad (Free version) can do that Apples Kerberos SSO extension cannot do. This is really the only stop gap solution that is free, and it takes all of 10 minutes to configure and deploy.

 

Long term something like Jamf Connect or macOS's PSSO would be the best solution, but JC costs money and PSSO is still not yet fully realized, and lord only knows if they have the Microsoft or Okta bolt-ons to support.

easyedc
Valued Contributor II

One followup about Jamf Connect - I personally don't see the point in spending money unless you're using fully cloud AD based accounts. If you're relying on an on-prem AD service (even in a hybrid environment) you can still get by with Kerberos SSO for free. And since Apple just recently started throwing it into the OS, I suspect it to be an available solution for a while.