AD Group membership when authenticating using cached credentials

tuke
New Contributor II

Hi all,

When authenticating with cached credentials on an AD-bound Mac (10.10.x, 10.11.x, 10.12.x), the group memberships are not cached, it seems...
I was expecting that AD group memberships should also be cached. Seems not the case. Anyone else seeing this behaviour?

The case:
I use several groups in the form of laptop_admins which all live in AD. The users in those groups should receive admin privileges when logging in to the system (configured in the bind script using dsconfigad -groups). It all works fine except when disconnected from the network during login. Everyone has two users, usern and admin_usern. Only admin_usern users can be members of a laptop_admins group; usern accounts are standard accounts.

When authenticating with network connected, the terminal command

id admin_usern

gives the expected results

(... ,331206878(XXXXXlaptop_admins), ...)

When authenticating with the network disconnected,

id admin_usern

doesn't give that group, but refreshes/updates once communication with AD is possible (GlobalProtect always-on VPN).
So...
When no network connection is available (a datacenter environment, for example) and logging in using the cached credentials of admin_usern (to change the network settings to a fixed IP address), admin_usern doesn't receive admin privileges, since the system thinks admin_usern is not a member of laptop_admins...

To be complete, the issue can easily be solved by "hard" adding the admin_usern user to the admin group in /Local/Default with:

sudo dseditgroup -o edit -n /Local/Default -a admin_usern -t user admin

Just wondering if anyone else sees this behaviour...

1 ACCEPTED SOLUTION

thoule
Valued Contributor II

Yes, this is true and normal. AD Group membership (and permissions from them) are not carried over when a cached account is used.

If you are looking to give a user admin privs, you need to define that locally on the computer. The command below will add the user 'adusername' to the local admin group so that adusername is always recognized as an admin.

/usr/sbin/dseditgroup -o edit -a adusername -t user admin

-T-

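The accepted answer grants the admin right by hard-adding the user to the local admin group, which is exactly what survives an offline login; the catch is that nothing ever takes it away again when the user is removed from laptop_admins in AD. The script below is an added example, not code from this thread, that ties the two together: it reads `id` output for the AD group, checks local admin membership with `dseditgroup -o checkmember`, and adds or removes the local membership, but it never revokes while the domain is unreachable, because offline the missing group only means the membership is not cached. It assumes macOS with dseditgroup, dsconfigad, host and nc on PATH; the reachability probe (parsing "Active Directory Domain = ..." from `dsconfigad -show`, resolving the `_ldap._tcp` SRV record and opening 389/tcp) is an assumption of this example, as is the sample `id` output used to exercise the parser.

```shell
#!/bin/sh
# Added example, not code from this thread. Keeps a user's membership in the local
# admin group in sync with an AD group (laptop_admins in the thread), so that the
# admin right survives offline logins from cached credentials but is still revoked
# once the user has been removed from the AD group.
#
# Assumptions: macOS with dseditgroup, dsconfigad, host and nc on PATH;
# `dsconfigad -show` prints a line "Active Directory Domain = corp.example.com";
# a DC can be found via the _ldap._tcp SRV record and probed on 389/tcp; and, as
# reported in the thread, `id` shows the AD group as soon as a DC is reachable.
set -u

# Pure text check: does the output of `id <user>` list a group named $2?
# AD groups show up as DOMAIN\name, so accept either "name" or "anything\name".
# This never talks to the directory, so it can be exercised on sample output.
id_has_group() {
    local id_output=$1 group=$2 groups_field old_ifs entry name
    groups_field=${id_output##*groups=}
    old_ifs=$IFS
    IFS=','
    for entry in $groups_field; do          # entries look like 331206878(CORP\laptop_admins)
        IFS=$old_ifs
        name=${entry#*(}                    # drop the numeric gid and "("
        name=${name%)}                      # drop the trailing ")"
        case "$name" in
            "$group"|*\\"$group") return 0 ;;
        esac
    done
    IFS=$old_ifs
    return 1
}

# Policy. Never revoke while the DC is unreachable: offline, a missing AD group
# in `id` output only means the membership is not cached, not that it is gone.
decide_action() {
    local reachable=$1 in_group=$2 is_local_admin=$3
    if [ "$in_group" = yes ] && [ "$is_local_admin" = no ]; then
        echo add
    elif [ "$reachable" = yes ] && [ "$in_group" = no ] && [ "$is_local_admin" = yes ]; then
        echo remove
    else
        echo noop
    fi
}

# Assumed reachability probe: resolve the domain's LDAP SRV record and open 389/tcp.
ad_reachable() {
    local domain dc
    domain=$(dsconfigad -show 2>/dev/null | awk -F' = ' '/Active Directory Domain/ { print $2 }')
    [ -n "$domain" ] || return 1
    dc=$(host -t SRV "_ldap._tcp.$domain" 2>/dev/null | awk '/has SRV record/ { print $NF; exit }')
    dc=${dc%.}                              # strip the trailing dot from the FQDN
    [ -n "$dc" ] || return 1
    nc -z -w 3 "$dc" 389 >/dev/null 2>&1
}

# Observe the three facts and apply the policy with dseditgroup (run as root).
sync_admin() {
    local user=$1 group=$2 id_out reachable=no in_group=no is_admin=no action
    id_out=$(id "$user" 2>/dev/null) || { echo "unknown user: $user" >&2; return 1; }
    ad_reachable && reachable=yes
    id_has_group "$id_out" "$group" && in_group=yes
    dseditgroup -o checkmember -m "$user" admin >/dev/null 2>&1 && is_admin=yes
    action=$(decide_action "$reachable" "$in_group" "$is_admin")
    echo "$user: reachable=$reachable in_group=$in_group local_admin=$is_admin -> $action"
    case "$action" in
        add)    dseditgroup -o edit -n /Local/Default -a "$user" -t user admin ;;
        remove) dseditgroup -o edit -n /Local/Default -d "$user" -t user admin ;;
    esac
}

# Usage, e.g. from a LaunchDaemon or login script: sudo ./sync_admin.sh admin_usern laptop_admins
if [ -n "${1-}" ] && [ -n "${2-}" ]; then
    sync_admin "$1" "$2"
fi
```

Run it at login and again whenever the VPN comes up; the "add" branch fires as soon as `id` shows the AD group, and the "remove" branch only once a DC answers and the group is really gone, so an offline login with cached credentials keeps whatever was last synced.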

3 REPLIES

tuke
New Contributor II

Thanks! Just crossed my edit of the original post where I added more or less the same comment :-)

bentoms
Release Candidate Programs Tester

@thoule & @tuke, I have a post on this here