macOS 10.14 Mojave Unable to connect to local directory or change password #22
Comments
Hi, this may have something to do with TCC. Are you receiving any kind of error message? Thanks!
I am seeing the same issue on Mojave. It writes the new password to AD but doesn't change it locally. From the macOSLAPS logs:
Info|Tue Oct 30, 2018 01:51:11 PM|macOSLAPS|Password Change is required as the LAPS password for admin has expired
From the system logs:
2018-10-30 13:51:11.281293-0700 localhost sudo[17557]: username : TTY=ttys000 ; PWD=/Users/username ; USER=root ; COMMAND=/usr/local/laps/macOSLAPS -resetPassword
I am seeing the same issue when the user is created with sysadminctl. I have a policy in Jamf that creates the user and installs the client; that user works fine. Both are on 10.14.
Just curious, has there been any resolution that has worked for the local password change with Mojave clients? I am seeing the same thing in our logs.
Info|Mon Oct 15, 2018 04:18:18 PM|macOSLAPS|Password Change is required as the LAPS password for localadmin has expired
Just an update, and apologies if this is incorrect, but I modified the PWChange file to print out the unexpected error and received the following:
Unexpected error: Error Domain=com.apple.OpenDirectory Code=4001 "Operation was denied because the current credentials do not have the appropriate privileges." UserInfo={NSLocalizedDescription=Operation was denied because the current credentials do not have the appropriate privileges., NSLocalizedFailureReason=Operation was denied because the current credentials do not have the appropriate privileges.}
@Sbacon2 Are you running macOSLAPS as the root user or as an admin user that can make changes to the local directory?
I have the same issue and I'm logged in as the root user.
Just an FYI: there is an issue that has been submitted to Apple related to this (it applies to changes in 10.14). If you disable the secure token for the user, the password change works locally. With the secure token enabled, it fails to reset the password due to "not having appropriate privileges". There is a PI with Jamf and an issue submitted with Apple, as this is most likely not expected behavior on Apple's side.
@joshua-d-miller I have tested running it as both root and an admin user with the same results.
@jkeller13 Do you have any more information on this submission? Perhaps a link?
@Sbacon2 I don't have a link because I did not file the bug in Apple's Radar system.
Ah, that would make a lot of sense. Our local admin user doesn't have a secure token, and that would be why I can't replicate this issue. So it sounds like this will be addressed in a later version of macOS, I'm assuming, and it is not expected behavior (at least not at this time). I'll leave this open and have you test when the next version of 10.14 comes out; hopefully the radar was fulfilled.
One thing @bartreardon and I kind of figured out was that an account created via MDM through DEP could not change the password; however, if the account was created via something like pycreateuserpkg or just on the system, it worked fine. Please see if this is the issue for you and let me know. Thanks!
I'm not using macOSLAPS yet, so I can't give you any log output from your code. To be able to continuously change an admin password with SecureToken you probably need to find a way to store the password locally (which I totally understand that you want to avoid as long as possible). I hope this helps.
Hi, is there any update? Or do you have any information on when we can expect a solution for that problem?
Hi, the way I see it is that we are going to have to figure out a way to store the current LAPS password on the system, as we will not be able to read it from Active Directory. We will need to figure out how to store it securely, as this is a security vulnerability, and if the password was found it could be used in a bad way. Since secureToken accounts (admin accounts created with DEP) require us to know the old password, we will need to perform this. I'm currently evaluating the best possible way to do this and will update everyone if I find a way that is best. Thanks for your patience!
Thanks for persisting with this @joshua-d-miller. I really want to use this on our systems, but unfortunately we FileVault-encrypt all our devices, so this SecureToken issue is annoying to say the least! Looking forward to any developments you make.
Hello everyone, please try the latest build and let me know if it resolves the issues. Thanks!
Hi @joshua-d-miller, I did some quick testing today, and it worked very well. Thanks for the fix; I'll report back if I see any issues in further tests.
Same here! It is working in both 10.14.2 and 10.14.3. On the first password attempt I get the message: "Nothing was retrieved from the keychain. Status code -25300". But it works as expected, and subsequent password changes work as well! Also, if run from a local user account that doesn't have the permissions to write to the specified log file, the password gets changed locally but is not saved in the keychain or reported to AD, and the command hangs.
I'm glad things are working. I also took care of that status message when loading the keychain entry. It should no longer display. Please try the latest build and let me know.
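The mechanism the maintainer describes above (keep the current LAPS password on the machine so that a secureToken account's password can be changed by presenting the old one, rather than by an admin-style reset that 10.14 refuses with OD error 4001) and the -25300 status seen on the first run, as an added example in Swift. This is not macOSLAPS's code: the keychain service name, the function names and the choice of the OpenDirectory changePassword call with and without an old password are assumptions made here; only the -25300 status (errSecItemNotFound) and the com.apple.OpenDirectory / 4001 error come from the comments in this thread.

```swift
import Foundation
import OpenDirectory
import Security

// Constructed label for this example; macOSLAPS's own keychain labels are not known here.
let keychainService = "example-laps-password"

enum LAPSChangeError: Error {
    case keychain(OSStatus)
}

/// Reads the password stored at the previous rotation.
/// On the very first run there is no item yet and SecItemCopyMatching returns
/// errSecItemNotFound (-25300, the status quoted in the thread); that is not
/// a failure, so it is reported as nil rather than thrown.
func storedPassword(for account: String) throws -> String? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: keychainService,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    switch status {
    case errSecSuccess:
        guard let data = item as? Data else { return nil }
        return String(data: data, encoding: .utf8)
    case errSecItemNotFound:
        return nil
    default:
        throw LAPSChangeError.keychain(status)
    }
}

/// Stores (or replaces) the password that the next rotation will need as the "old" one.
func store(password: String, for account: String) throws {
    let data = Data(password.utf8)
    let attrs: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: keychainService,
        kSecAttrAccount as String: account,
        kSecValueData as String: data,
    ]
    var status = SecItemAdd(attrs as CFDictionary, nil)
    if status == errSecDuplicateItem {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: keychainService,
            kSecAttrAccount as String: account,
        ]
        status = SecItemUpdate(query as CFDictionary,
                               [kSecValueData as String: data] as CFDictionary)
    }
    guard status == errSecSuccess else { throw LAPSChangeError.keychain(status) }
}

/// Changes the password in the local directory node.
/// With an old password this is a user-style change, which is what a
/// secureToken holder needs. With nil it is an admin-style reset, which per
/// this thread fails on 10.14 for secureToken accounts even when run as root.
func changeLocalPassword(account: String, oldPassword: String?, newPassword: String) throws {
    let node = try ODNode(session: ODSession.default(), name: "/Local/Default")
    let record = try node.record(withRecordType: kODRecordTypeUsers,
                                 name: account, attributes: nil)
    try record.changePassword(oldPassword, toPassword: newPassword)
}

/// One rotation: look up the old password, change, then persist the new one.
/// The new password is only written to the keychain after the directory
/// change succeeded, so a failed change never leaves a stale "old" value.
func rotate(account: String, newPassword: String) {
    do {
        let old = try storedPassword(for: account)
        if old == nil {
            print("No stored password for \(account) (first run); attempting admin-style reset")
        }
        try changeLocalPassword(account: account, oldPassword: old, newPassword: newPassword)
        try store(password: newPassword, for: account)
        print("Local password for \(account) rotated")
    } catch let error as NSError
        where error.domain == "com.apple.OpenDirectory" && error.code == 4001 {
        // The exact failure posted above: permission denied by OpenDirectory.
        print("OD refused the change for \(account); a secureToken account needs its old password")
    } catch {
        print("Rotation failed: \(error)")
    }
}
```

Which keychain SecItemAdd writes into depends on the context the binary runs in (root from a LaunchDaemon versus an interactive user), and the account running it also has to be able to write the log file; the report above that a non-privileged user changes the password locally but then hangs before saving to the keychain or reporting to AD is a reminder to check both before deploying.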
I'm going to call this issue closed now, since we determined that DEP accounts with secureToken were the issue and this has since been resolved.
Hi, can your code be implemented using Jamf Pro? I've never worked with .swift files.
There's a script that implements LAPS in Jamf here: https://github.com/ducksrfr/LAPSforMac/blob/master/LAPS.sh. Jamf Pro already does password randomisation for their admin account; there are a couple of FRs out there asking to expose it in the interface (e.g. https://www.jamf.com/jamf-nation/feature-requests/7901/jamf-managment-account-password-retrieval). That said, writing back to Jamf from this version is something I've been interested in looking at as well (if I ever get the time to play with it 😜).
Hi, script result:
XXXXX is a local user on the Computer
JAMF Binary is /usr/local/bin/jamf
No Password is stored in LAPS.
======== Aborting LAPS Update ========
Error running script: return code was 1.
When run with the -resetPassword flag, it updates the pw on the AD but not locally.