Using Apple’s scheme to generate UIDs and GIDs for Mac users

By default, Centrify uses a different scheme than the Apple Active Directory plugin to generate numeric user (UID) and group (GID) identifiers for Mac users added to Active Directory. If you use the default Centrify scheme to generate identifiers, you must resolve UID and GID conflicts after migrating users. For example, after migrating you can change ownership on the existing files (see Modifying the Mac UID and GID to match AD) otherwise users have Centrify-generated UIDs whereas their files belong to Apple-generated UIDs so users will be unable to access files and folders in their home directories.

On the other hand, Centrify allows you to use the Apple scheme, rather than the default Centrify scheme, to create UIDs and GIDs for migrated users. This method ensures compatibility with Mac tools, such as ExtremeZ-IP, that require UIDs and GIDs generated with the Apple scheme, not the Centrify scheme.

This section explains how to create Apple-generated UIDs and GIDs for Mac users who you are adding to Active Directory with Centrify Management Services for Mac when a computer is connected to Centrify Active Directory through Auto Zone.

Note:   If your computer is joined to a zone, however you are adding users to the zone, you can choose to use the Apple scheme to generate UID and GID values. For example, you can specify the Apple scheme with adedit, with the Zone Provisioning Agent, and in the Access Manager Console.

Centrify provides the auto.schema.apple_scheme parameter to enable use of the Apple schema for generating UIDs for new users. The recommended way to set this parameter is by way of group policy so that you can set it for a group of computers. You may also set the parameter on individual computers by editing the Centrify configuration file.

To use group policy to enable the Apple scheme for generating UIDs and GIDs:

  1. If you are generating new UIDs and GIDs for files that reside remotely in AFP or NFS mounted shares, back up the UIDs and GIDs on the computer where the share resides by executing a command similar to the following:
    adquery user > olduid

    Note:   You do not need to perform this step for Samba shares.

  2. On a Windows computer, open the Group Policy Management Editor and edit a group policy object that applies to Mac computers.

  3. Expand Computer Configuration > Policies > User Configuration > Policies > Centrify Settings > Direct Control Settings > Adclient Settings, and double-click Generate New uid/gid using Apple scheme in Auto Zone.

  4. Select Enabled and click OK to set the policy.

To edit the configuration file and enable the Apple scheme for generating UIDs and GIDs on a single computer:

  1. If you are generating new UIDs and GIDs for files that reside remotely in AFP or NFS mounted shares, back up the UIDs and GIDs on the server where the computer resides by executing a command similar to the following:
    adquery user > olduid

    Note:   You do not need to perform this step for Samba shares.

  2. Log in to a Mac computer.

  3. Edit the Centrify configuration file: /etc/centrifydc/centrifydc.conf.

  4. Find the following parameter, remove the comment and set its value to true:

    auto.schema.apple_scheme: true

You may also enable the Apple scheme to set the primary GID for users if you wish.

Note:   You may set the primary GID in this way only if the parameter auto.schema.private.group is set to false. Otherwise, the primary GID is set to the value of the user’s UID.

To enable the Apple scheme for generating the primary GID:

  1. If you are generating new UIDs and GIDs for files that reside remotely in AFP or NFS mounted shares, back up the UIDs and GIDs on the computer where the share resides by executing a command similar to the following:
    adquery user > olduid

    Note:   You do not need to perform this step for Samba shares.

  2. In the Group Policy Management Editor, edit a group policy object that applies to Mac computers, expand Computer Configuration > Policies > User Configuration > Policies > Centrify Settings > Direct Control Settings > Adclient Settings, and double-click Set user’s primary gid in Auto Zone.

  3. Select Enabled.

  4. In Set user’s primary gid in Auto Zone, type -1.

    The primary GID for each user will be generated by the Apple scheme, as specified with the “Generate New uid/gid using Apple scheme in Auto Zone” group policy, which you enabled in the previous procedure.

  5. Click OK to save the setting.

After setting these policies, run adgpupdate to update the group policies you just set, and flush the cache on each joined computer to update the UID and GID values for any existing users.

To flush the cache on each Mac computer:

  1. Log in to a Mac computer and open the Terminal application.
  2. Execute the following command as root:
    adflush

New users who you migrate to Active Directory from the Apple Active Directory plug-in will automatically keep the same UID, GID, and primary GID values that they had before migration, and their home ownership will work properly.

After you flush the cache, any existing users and groups will have their UID, GID, and primary GID values changed from the Centrify scheme to the Apple scheme. However, ownership of files and folders in home directories will still belong to the Centrify UID and GID. To change ownership to the new UID and GID generated by the Apple scheme, run the fixhome.pl script as explained in the following procedure.

To correct file ownership by running fixhome.pl:

Note:   If you generated new UIDs and GIDs for files that reside remotely in AFP or NFS mounted shares, the fixhome.pl script does not have permission to change UIDs and GIDs in the share, and you must manually update the UIDs and GIDs on the server where the share folders reside. In this scenario, go to Workaround for AFP and NFS mounted shares and continue from there.

For Samba shares and local UIDs and GIDs:

  1. Log in on a Mac computer for which you have changed UID and GID values to the Apple scheme.
  2. Execute the following command as root:
    /usr/local/share/centrifydc/sbin/fixhome.pl

The script changes ownership of files and folders in the home directory of all Centrify Active Directory users from the Centrify-generated UID or GID to the Apple-generated UID or GID.

The script uses /Users as the root for all home directories. You may specify a different home root if necessary by using the --dir option. Use the --help option to see a list of options that you can specify with this command:

/usr/local/share/centrifydc/sbin/fixhome.pl --help

For example, you can run the command in test mode to see the changes that will be made, but without committing the changes:

[root]#/usr/local/share/centrifydc/sbin/fixhome.pl --test
User      Home            UID Map                GID Map
user1     /Users/user1    796918879=>558948313   20=>5287576209

Or you could update specific users rather than all users:

[root]#/usr/local/share/centrifydc/sbin/fixhome.pl --include user2

Workaround for AFP and NFS mounted shares

For AFP and NFS mounted share folders (or remote file systems), fixhome.pl does not have permission to change the UID/GID of files in the folder. Perform the following steps to work around this issue:

  1. On the server where the share folders reside, open the UID/GID backup file to have access to the old UID/GID strings.
  2. On the server where the share folders reside, change the old UIDs and GIDs to the new UIDs and GIDs one at a time by executing commands similar to the following:
    find ShareFolder -user previous_uid -group previous_gid -exec chown new_uid:new_gid {} \;

To enable the Apple scheme for mobile users:

Additional steps are required to enable the Apple scheme for mobile users. After enabling the Apple scheme as described in the preceding sections, you must ensure that the UID and PGID for the mobile user’s local user record match the UID and PGID used by the DirectControl agent.

  1. Change the UID and PGID in the local user record so that they match the IDs used by the agent:
    1. Open Users and Groups.

    2. Right-click the mobile user account.

    3. Choose Advanced Options, and change the UID and PGID so that they match the IDs used by the agent.

  2. After changing the UIDs and PGIDs of mobile users, run the fixhome.pl script as described in To correct file ownership by running fixhome.pl:.

To use the Zone Provisioning Agent to enable the Apple scheme for generating UIDs and GIDs:

  1. Ensure that the Zone Provisioning Agent is configured as described in the section “Configure the Zone Provisioning Agent” in the Planning and Deployment Guide.
  2. Ensure that zone provisioning groups are created and configured as described in Chapter 8, “Preparing the environment for migration of existing users and groups” in the Planning and Deployment Guide.
  3. Start Access Manager.
  4. In the console tree, expand the Zones node.
  5. Select the top-level parent zone, right-click, then click Properties.
  6. Click the Provisioning tab.
  7. Click Enable auto-provisioning for group profiles.
  8. Click the Find icon to search for and select the primary group (typically the Domain Users group) as the Source Group.
  9. Select Generate using Apple scheme as the method for assigning a new GID to new UNIX group profiles.

    This method generates group GIDs based on the Apple algorithm for generating numeric identifiers from the Active Directory group’s objectGuid. This option is only supported for hierarchical zones.

  10. Select a method for assigning a new group name to new UNIX group profiles:

    • SamAccountName attribute generates the group name for the new UNIX group profile based on the samAccountName value.
    • CN attribute can be used if you verify the common name does not contain spaces or special characters. Otherwise, you should not use this option.

    • RFC 2307 attribute can be used if you have added the RFC 2307 groupName attribute to Active Directory group principals. Otherwise, you should not use this option.

    • Zone default value to use the setting from the Group Defaults tab for the zone. In most cases, the default is a variable that uses the sAMAccountName attribute.

    • By default, all UNIX group names are lowercase and invalid characters are replaced with underscores.

  11. Click OK to save your changes.