Chat now with support
Chat with Support

Safeguard Authentication Services 4.2 - Mac OS X/macOS Administration Guide

One Identity Privileged Access Suite for Unix Installation The Authentication Services Mac OS X components Configuring the Authentication Services client Special Mac OS X features Authentication Services limitations on Mac OS X Authentication Services Group Policy for Mac OS X Certificate Autoenrollment

Grant Authentication Services accounts administrator rights

To grant Authentication Services accounts administrator rights

  1. Modify the /etc/opt/quest/vas/vas.conf file and add the following section to the Authentication Services configuration using a text editor:
    admin-users =

    For example, with the pico text editor, enter:

    $ sudo pico /etc/opt/quest/vas/vas.conf

    Note: If there is already a [vas_macos] section in the vas.conf file, just add or modify the admin-users key following the existing section. You can also manage this option through Group Policy.

    For the value of the admin-users key, use a comma-separated list of Active Directory User Principal Names (UPN) for Authentication Services users with administrator rights. The Domain Users option also supports groups of users.

  2. Specify the group in the form, Domain\groupname.

    Either step ensures that Authentication Services processes the new configuration.

  3. Verify that the configured users have administrator rights by checking their group memberships using the following command line (the example is for a user called jdoe):
    $ groups jdoe

    If jdoe was correctly configured to have local administrator rights, you see the local admin, appserveradm, and appserverusr groups listed in the output. The jdoe user is then able to use his user credentials for authorizing administrative tasks started from the System Preferences application.

Active Directory user password hint

The password hint is displayed for all Active Directory users when you have Mac OS X configured to provide password hints. The password hint is used to notify a user of a website where they can reset their password, or to remind a user that the account they are using requires a domain password. The default value for the authentication-hint is "Windows Domain Password".

Before Mac OS X will display authentication hints, you must enable the Show password hints option through the log in options.

After enabling password hints, after several incorrect login attempts, the password hint displays.

You can manage this hint centrally on the domain controller through Group Policy.

Note: For security reasons, if a mapped user changes his password hint, it is intentionally reset to the generic Windows domain password hint the next time he logs in.

Configuring Apple FileVault disk encryption

Authentication Services is compatible with Apple’s FileVault disk encryption, introduced in Mac OS X 10.7. In order to use FileVault with an Active Directory user, you must first create a mobile account for that user on the Mac OS X client. A Mac OS X mobile account has a local home directory that can automatically sync with the user’s network home directory.

To encrypt your disk

  1. As an Active Directory user, open System Preferences and navigate to Users & Groups.
  2. Click the Lock icon and enter administrator credentials to enable preference changes.
  3. Click the Create button next to Mobile account.

  4. Select your preferred syncing and home folder location preferences in the pop-up menu and click Create.

    A popup message displays explaining that you must log out and log back in to create the local home folder.

  5. Click Create and enter your password at the prompt.
  6. Log back in and configure FileVault encryption.

  7. From System Preferences, navigate to Security & Privacy and open the FileVault tab.
  8. Click Turn on FileVault to begin the encryption process.

  9. Select users (local users and mobile accounts) to enable them to unlock the encrypted disk at system startup.

    Note: Once you enable FileVault unlock for a user account, if you subsequently delete the account from Active Directory, you must also delete the local user account to disable FileVault unlock for that user.

  10. Enter a password for each user you enable.

  11. Take note of the recovery key on the following screen; store it somewhere yourself, and store it with Apple Support.

  12. Restart your system to begin encrypting the drive.

    The encryption can take several hours, depending on the size of your disk, during which time you can continue using your computer. You can monitor the encryption process by returning to the FileVault tab in Security & Privacy preferences.

    After you enable FileVault, your Mac OS X will initially boot to an unencrypted disk partition and ask for your password to unlock the encrypted partition. Because this separate partition does not have access to Authentication Services and Active Directory, you must use your most recent locally cached password. Before the local cache is updated, if you need to unlock the encrypted disk after a password change, either use your old password or click the Recover Key to unlock the drive. Once the drive is unlocked, although it says you must reset your password, you can ignore the prompt and log in with your recently changed account password.

    You can find more information about FileVault in this article by Apple Support: Use FileVault to encrypt the startup disk on your Mac

Authentication Services limitations on Mac OS X

There is some Authentication Services functionality that is limited by the Mac OS X system.

Limitations lists

  • When using the command line su utility to become a Authentication Services user, the Authentication Services PAM module will not create a ticket cache for the new session because Authentication Services uses the CCacheServer process for Kerberos ticket cache management. Creating this ticket cache would inadvertently destroy any existing Kerberos tickets.
  • If Authentication Services users who have custom home directory paths log into the system through the system login window and the parent directories for their home directory do not exist, the system home directory creation code incorrectly sets the ownership mode of all the home directory parent directories. This causes subsequent Authentication Services user logins to fail if they share the same home directory path. Their home directory will be created but it will be inaccessible to the user.

    Administrators should ensure that if they are using custom home directory paths, the parent directories are pre-created with a valid ownership and mode that allows all Authentication Services users to access those paths.

  • The automatic ticket feature of Authentication Services does not currently work with non-file-based ccaches. Because Mac OS X uses API based ccaches, the ticket renewal utility will not work.

    Note: You can manually renew tickets with any utility that supports renewing tickets, such as Apple's Ticket Viewer.

  • When using the Authentication Services mapped user feature, if a local user is mapped to a Authentication Services user and, at some point the user is unmapped (returned to a local account) you must reset the user’s password.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating