When you run commands or use applications that look up user information in the directory, the local Mac directory service is always consulted first, before the look-up request is made to Active Directory. If a local user exists with the same name as a UNIX profile name that has been defined for the zone, a lookup request such as id username will return the UID and GID associated with the local user account from the local directory service rather than the information associated with the UNIX profile defined in Active Directory.
For example, suppose you have a UNIX profile in Active Directory for the user mia with the UID 10024, the user's primary group is mia with the GID 10024, and the user is also a member of the Active Directory group users with the GID 10001. Running the id mia command returns the following information from Active Directory:

    uid=10024(mia) gid=10024(mia) groups=10024(mia), 10001(users)
However, if there is also a local user account with the same user name of mia, but with a UID of 502 and a primary group named mia with a GID of 502, running id mia returns the information for the local user retrieved from the Mac directory service, followed by any additional group membership information retrieved from Active Directory. For example:

    uid=502(mia) gid=502(mia) groups=502(mia), 10001(users)
Because the Mac directory service is queried first, the information for the local user mia takes precedence over the information defined in Active Directory. To avoid retrieving the information for a local user instead of the UNIX profile defined in Active Directory, make sure that the UNIX profile user names in Active Directory are different from any local user names, or disable the conflicting local user accounts.
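The following POSIX shell script is an added example, not part of the original documentation or of the directory-service product it describes. It shows how to detect the shadowing described above by comparing the UID that id reports for a user against the UID defined in that user's Active Directory UNIX profile. The two sample id lines are constructed to match the mia example; the function names (reported_uid, is_shadowed, audit_user) and the expected-UID argument are assumptions of this example.

```sh
#!/bin/sh
# Constructed sample output standing in for `id mia` on a Mac joined to Active Directory.
# The first line is what you get when only the AD UNIX profile exists; the second is what
# you get when a local account named mia (UID 502) shadows the AD profile (UID 10024).
AD_ONLY_OUTPUT='uid=10024(mia) gid=10024(mia) groups=10024(mia),10001(users)'
LOCAL_SHADOW_OUTPUT='uid=502(mia) gid=502(mia) groups=502(mia),10001(users)'

# reported_uid ID_OUTPUT
# Prints the numeric uid from one line of `id` output (the number in "uid=NNN(name)").
reported_uid() {
  printf '%s\n' "$1" | sed -n 's/^uid=\([0-9][0-9]*\)(.*/\1/p'
}

# is_shadowed ID_OUTPUT EXPECTED_AD_UID
# Exit 0 when the uid that `id` reports differs from the UID in the AD UNIX profile,
# meaning a local account with the same name was returned instead of the AD profile.
# Exit 1 when the uids match; exit 2 when the output could not be parsed.
is_shadowed() {
  uid=$(reported_uid "$1")
  [ -n "$uid" ] || return 2
  [ "$uid" != "$2" ]
}

# audit_user NAME EXPECTED_AD_UID
# Runs `id NAME` on the local machine and reports whether a local account is shadowing
# the AD UNIX profile whose UID you pass in. Exit codes follow is_shadowed.
audit_user() {
  name=$1
  expected=$2
  out=$(id "$name" 2>/dev/null) || { echo "$name: no account found"; return 2; }
  if is_shadowed "$out" "$expected"; then
    echo "$name: SHADOWED - local uid $(reported_uid "$out") hides AD UNIX profile uid $expected"
    return 0
  fi
  echo "$name: OK - uid $expected comes from the AD UNIX profile"
  return 1
}

# Demonstration on the constructed sample lines (no live directory lookup needed).
if is_shadowed "$LOCAL_SHADOW_OUTPUT" 10024; then
  echo "sample: local uid $(reported_uid "$LOCAL_SHADOW_OUTPUT") shadows AD uid 10024"
fi
if ! is_shadowed "$AD_ONLY_OUTPUT" 10024; then
  echo "sample: uid 10024 is served from the AD UNIX profile"
fi
```

On a joined Mac you would call audit_user once per UNIX profile name defined in the zone, passing the UID from Active Directory; any SHADOWED result points to a local account that needs renaming or disabling. The check deliberately parses id output rather than querying the local directory service directly, so it reflects exactly what applications see after both sources have been consulted.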