Cache AD group membership in local dscl or other local usable store.
Originator: benjaminrichardtoms
Number: rdar://23438116
Date Originated: 06/11/15
Status: Open
Resolved:
Product: OS X
Product Version: 10.6+
Classification: Feature
Reproducible: Yes
Summary: As per my blog post https://macmule.com/2015/11/06/ad-users-losing-admin-rights-when-off-the-domain/, OS X does not cache group membership for AD accounts when off the network.

Steps to Reproduce:
1. Bind a Mac to AD.
2. Set "Allow Administration By:" to a security group.
3. Log in to the Mac while connected to the domain as a user who is a member of the security group set in step 2.
4. Verify that the user is an admin.
5. Disconnect the Mac from the domain (do not unbind).
6. Run: dsmemberutil flushcache (not always needed, but it speeds up the tests; the cache is not a great place to store this as it is volatile).
7. Log in as the account that was an admin at step 4.
8. The user will not be an admin.

Expected Results: The user should still be an admin.

Actual Results: The user is not an admin.

Version: 10.6+, tested on 10.8.5, 10.9.5, 10.10.5
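One way to implement the caching the title asks for, as an added shell example that is not part of this Radar or of the linked blog post. It assumes it runs as root at login, and the AD security group name "Mac Admins" is a placeholder. The local admin group is only changed when the directory answers definitively; an offline login keeps whatever was cached instead of silently stripping admin rights, and a definite "not a member" answer propagates revocation.

```shell
#!/bin/sh
# Added example: mirror AD security-group membership into the local "admin"
# group in the local DS node so the rights survive being off the domain.
# Assumptions: runs as root (login hook / LaunchDaemon); AD_GROUP is a placeholder.

AD_GROUP="${AD_GROUP:-Mac Admins}"   # placeholder AD security group name
LOCAL_NODE="/Local/Default"

# Interpret the text printed by `dsmemberutil checkmembership -U user -G group`.
# Returns 0 = member, 1 = not a member, 2 = undetermined (offline, unknown user).
classify_membership() {
    case "$1" in
        "user is a member of the group")     return 0 ;;
        "user is not a member of the group") return 1 ;;
        *)                                   return 2 ;;
    esac
}

# $1 = status from classify_membership, $2 = "yes"/"no" for current local admin
# membership. Prints add, remove or keep. Undetermined never removes: that is
# the cache behaviour the report asks for.
decide_action() {
    status="$1"; local_admin="$2"
    if [ "$status" -eq 0 ] && [ "$local_admin" = "no" ]; then echo add
    elif [ "$status" -eq 1 ] && [ "$local_admin" = "yes" ]; then echo remove
    else echo keep
    fi
}

# "yes" if $1 is listed directly in the local admin group's GroupMembership.
local_admin_state() {
    dscl "$LOCAL_NODE" -read /Groups/admin GroupMembership 2>/dev/null \
        | tr ' ' '\n' | grep -qx "$1" && echo yes || echo no
}

# Query AD for $1, then reconcile the local admin group accordingly.
sync_admin_membership() {
    user="$1"
    out=$(dsmemberutil checkmembership -U "$user" -G "$AD_GROUP" 2>/dev/null)
    classify_membership "$out"; status=$?
    action=$(decide_action "$status" "$(local_admin_state "$user")")
    case "$action" in
        add)    dscl "$LOCAL_NODE" -append /Groups/admin GroupMembership "$user" ;;
        remove) dscl "$LOCAL_NODE" -delete /Groups/admin GroupMembership "$user" ;;
    esac
    echo "$user: $action"
}

# Invoke as: sudo ./sync-admin.sh --run "$USER"
if [ "${1:-}" = "--run" ]; then sync_admin_membership "$2"; fi
```

The reconciliation is only as trustworthy as the answer from dsmemberutil, so log the printed action somewhere reviewable to spot accounts that stay "keep" for long stretches.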