
Safeguard Authentication Services 4.2 - Mac OS X/macOS Administration Guide


Group permissions on auto-mounted home directories

For Authentication Services to resolve a Windows SID to a Unix UID or GID, the user or group to whom that SID belongs must have a UID or GID manually assigned. In other words, you must Unix-enable the user or group on the Unix Account tab in Active Directory Users and Computers. If a group or user has not been Unix-enabled, the Mac OS X machine will still assign a UID or GID to the user or group, but the Authentication Services agent software will not be able to resolve that UID or GID.

To log in to a Mac OS X machine, all users must be Unix-enabled, so this normally only causes problems when dealing with group permissions on SMB-mounted home directories. It is not uncommon for the group owner of a network home location to be a group WITHOUT a Unix GID assigned. When a user's ability to access this directory relies on correct group membership, problems can arise. It is, therefore, best practice to Unix-enable all groups that are used for SMB file-level permissions on network-mounted home directories.
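One way to audit this on a client, as an added example that is not part of the One Identity guide: the script lists directories under a home-directory mount whose group owner GID has no name-service entry, and notes whether the group permission bits actually decide access. It assumes that a group which is not Unix-enabled shows up as a failed `getgrgid` lookup; the function names and the mount path argument are hypothetical.

```python
import grp
import os
import stat
import sys


def gid_resolves(gid, lookup=grp.getgrgid):
    """True if the name service maps this GID to a group entry."""
    try:
        lookup(gid)
        return True
    except KeyError:
        return False


def relies_on_group(mode):
    """True if the group bits grant access that the 'other' bits do not."""
    group_bits = (mode >> 3) & 0o7
    other_bits = mode & 0o7
    return bool(group_bits & ~other_bits)


def audit_homes(root, lookup=grp.getgrgid):
    """Return (path, gid, relies_on_group) for every directory directly
    under root whose group owner GID cannot be resolved."""
    findings = []
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        st = os.stat(path)
        if not stat.S_ISDIR(st.st_mode):
            continue  # only home directories are of interest
        if not gid_resolves(st.st_gid, lookup):
            findings.append((path, st.st_gid, relies_on_group(st.st_mode)))
    return findings


if __name__ == "__main__":
    # Assumption: the home-directory mount point is given as the first argument.
    for path, gid, critical in audit_homes(sys.argv[1]):
        note = "access depends on group bits" if critical else "group bits not decisive"
        print(f"{path}: group owner GID {gid} does not resolve ({note})")
```

Directories reported with "access depends on group bits" are the ones where Unix-enabling the owning group matters most.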

Mounting AFP shares

To mount AFP shares, you must have an AFP file server that knows about all your Active Directory users and credentials. You can easily accomplish this using third-party software that shares files from a Windows machine joined to your domain.

Special Mac OS X features

This section details two special Mac OS X features:

  • Local Administrator Rights for Authentication Services Users
  • Active Directory User Password Hint

Local Administrator rights for Authentication Services users

Authentication Services allows you to give local administrator rights to Authentication Services users on individual Mac OS X systems. This gives a user the ability to administer their own system while still using Active Directory for authentication. It also gives Mac OS X system administrators "admin" access on Mac OS X systems without a shared local account.
