How to Remove Centrify from OS X
Centrify is a solution for quickly and easily integrating UNIX, Linux and Mac systems with Active Directory.
In today’s guide I am going to show you how to remove Centrify from a Mac and restore the UID and permissions of the AD account(s) on that Mac.
To remove Centrify from the command line, which is the way to go for most administrators, you need to be on the latest version available through their Customer Support Portal.
First a couple of things:
ADacct = A generic Active Directory account: either the one on the Mac you are going to remove Centrify from, or your AD admin account.
MacTest = The name of my test machine; substitute whatever name your Mac has.
- Install Centrify on the Mac you wish to remove it from.
- Log in with your “ADacct”.
- From a Windows computer, SSH via PuTTY (or SSH from another Mac) into MacTest as a Local Admin (this is to prove everything can be done via the command line).
- Looking in the /Users/ folder shows ADacct’s home and UID (Note the -l and -ln parameters used):
- Go to the Mac and log out your “ADacct”.
- Go back to Putty and uninstall Centrify: sudo sh /usr/share/centrifydc/bin/uninstall.sh
- Rejoin using the Apple plugin:
sudo dsconfigad -add ADacct.local -user DomainAdmin -password DomainPass -computer MacTest -force
- At this point, checking the /Users/ folder again shows the UID for my user’s local home is no longer recognized (Notice here I am only using -l but the username is no longer resolving like it was in Step 4):
- Trying to log in now as “ADacct” would fail, as the permissions between the user profile and its home folder would conflict.
- This is easily fixed by re-owning the folder back to the user. There is no need to look up the UID manually: sudo chown -R ADacct /Users/ADacct
- Checking the /Users/ folder now shows that the user resolves again, and that the UID has changed to the Apple format:
- Logging in as “ADacct” now succeeds with no permission errors.
In summary, you should be able to do this with just three commands (assuming one local AD home folder per Mac) and the only variable that changes is the AD username:
- sudo sh /usr/share/centrifydc/bin/uninstall.sh
- sudo dsconfigad -add MyUserADacct.local -user DomainAdmin -password DomainPass -computer MacTest -force
- sudo chown -R ADacct /Users/ADacct
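A dry-run check for the ownership step, added here as an example (not part of the original guide, nor Centrify's or Apple's tooling): it reads `ls -l /Users` output, flags home folders whose owner shows as a bare UID, and prints the chown only when the folder name resolves to an account. The function names, the RESOLVE variable and the sample listing are constructed for illustration; it assumes, as the guide does, that the folder name matches the AD username, and that names contain no spaces.

```shell
#!/bin/sh
# Added example, not from the original guide. It only prints commands;
# nothing is changed on disk.

# Constructed sample of `ls -l /Users` after the rejoin: the owner of ADacct
# is a bare number because the old Centrify UID no longer resolves.
SAMPLE_LS='total 0
drwxr-xr-x+ 15 1234567890  staff  510 Jan 10 09:12 ADacct
drwxrwxrwt   5 root        wheel  170 Jan  9 18:40 Shared
drwxr-xr-x+ 13 localadmin  staff  442 Jan  9 18:41 localadmin'

# Print "uid<TAB>folder" for each directory whose owner column is numeric,
# i.e. whose owning UID could not be mapped back to a user name.
orphaned_homes() {
    awk '$1 ~ /^d/ && $3 ~ /^[0-9]+$/ { print $3 "\t" $9 }'
}

# Command used to confirm the account exists before re-owning (hypothetical
# knob for this example). Default asks the directory service via id -u.
: "${RESOLVE:=id -u}"

# Read `ls -l` output on stdin and print one chown per orphaned home folder,
# skipping any folder whose name does not resolve to an account.
plan_chown() {
    users_dir=${1:-/Users}
    orphaned_homes | while IFS="$(printf '\t')" read -r uid name; do
        if new_uid=$($RESOLVE "$name" 2>/dev/null); then
            echo "sudo chown -R $name $users_dir/$name  # $uid -> $new_uid"
        else
            echo "# skip $users_dir/$name: account '$name' does not resolve"
        fi
    done
}

# On the Mac itself: ls -l /Users | plan_chown
```

A skipped folder means the rejoin did not make that account resolvable, so running chown by name there would fail.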