NU-ITS / LAPSforMac

Local Administrator Password Solution for Mac
MIT License

Random Failure #4

Closed benmartel closed 6 years ago

benmartel commented 7 years ago

I was curious if you have ever seen a failure like this happen occasionally. It seems to fix itself, it just will fail sometimes... Script result:

    simpleit is a local user on the Computer
    A Password was found in LAPS.
    Password stored in LAPS is correct for simpleit.
    Updating password for simpleit.
    Reset password for simpleit
    New password for simpleit is verified.
    <html>
    <head>
     <title>Status page</title>
    </head>
    <body style="font-family: sans-serif;">
    <p style="font-size: 1.2em;font-weight: bold;margin: 1em 0px;">Bad Request</p>
    <p>Error in XML file</p>
    <p>You can get technical details <a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.1">here</a>.<br>
    Please continue your visit at our <a href="/">home page</a>.
    </p>
    </body>
    </html>
    <dscl_cmd> DS Error: -14090 (eDSAuthFailed)
    Error: LAPS password for simpleit is not correct!

This is the part that is really confusing me...

    <html>
    <head>
     <title>Status page</title>
    </head>
    <body style="font-family: sans-serif;">
    <p style="font-size: 1.2em;font-weight: bold;margin: 1em 0px;">Bad Request</p>
    <p>Error in XML file</p>
    <p>You can get technical details <a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.1">here</a>.<br>
    Please continue your visit at our <a href="/">home page</a>.
    </p>
    </body>
    </html>

predfern commented 7 years ago

This appears to be an issue with the XML going through the API to/from the JSS. The fact that it sometimes works and sometimes does not is odd. I wonder if it is some kind of network/DNS issue with the connection. If the API command was malformed it would fail every time. You could try running the API sequence manually on a computer several times in a row to see if you can replicate the random failure. If you do manage to replicate it I would follow up with your network team to see if they see anything odd with their logs.

pauldalewilliams commented 7 years ago

On my fork of this project I added password complexity. I found I got this error if I didn't exclude XML's escaped characters from the generated password: ", ', &, <, and >. I ended up logging the failed password so I could troubleshoot some peculiarities of Apple's password complexity requirements. If you've changed the password generation mechanism from what's used in the project you might try that. But if you're using openssl with the base64 option, you shouldn't get any of those characters.
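As an added illustration of the point above (example code, not from LAPSforMac or any fork of it): generate a password from an alphabet that contains none of the XML metacharacters, check a candidate password for them before it goes anywhere near the API, and escape whatever is embedded in the XML body anyway. The extension-attribute XML layout in `build_xml` is assumed, not copied from the project; the generator uses /dev/urandom rather than openssl base64 to keep the example dependency-free.

```bash
#!/bin/bash
# Added example, not the project's own code.

# Escape a string for use inside an XML element body or attribute value.
xml_escape() {
    local s="$1"
    s="${s//&/&amp;}"   # & must be replaced first so later entities stay intact
    s="${s//</&lt;}"
    s="${s//>/&gt;}"
    s="${s//\"/&quot;}"
    s="${s//\'/&apos;}"
    printf '%s' "$s"
}

# Return 0 if the password contains none of the characters that break the
# JSS XML payload (" ' & < >) or get mangled by the shell (backslash), else 1.
password_is_xml_safe() {
    local bad='&<>"'"'"'\'
    case "$1" in
        *["$bad"]*) return 1 ;;
        *)          return 0 ;;
    esac
}

# Generate a password of the requested length (default 12) from A-Za-z0-9 only.
# That alphabet avoids the XML metacharacters and also / and \, so nothing in
# the result can be misread as an escape sequence.
gen_password() {
    local len="${1:-12}"
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$len"
}

# Build the extension-attribute XML body (assumed layout) with both the
# attribute name and the password escaped, so a stray metacharacter can never
# turn into an "Error in XML file" response from the JSS.
build_xml() {
    printf '<computer><extension_attributes><extension_attribute><name>%s</name><value>%s</value></extension_attribute></extension_attributes></computer>' \
        "$(xml_escape "$1")" "$(xml_escape "$2")"
}
```

Run `password_is_xml_safe` on the candidate before the `dscl` reset; if it fails, draw a new password rather than sending the bad one, so the API error and the mismatched-password state described above cannot occur.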

predfern commented 7 years ago

That would do it! Thanks @pauldalewilliams

pauldalewilliams commented 7 years ago

No problem. Thanks for the great work and for sharing this, @predfern!

benmartel commented 7 years ago

Thanks, all. I got much further on this recently. I was waiting to fully flesh it out. I still get a very random error or two. It is much less frequent. I discovered that the password generator I was using would sometimes use '/' followed by an N or T or something that would make it interpret a new line and such. There still must be some set of characters that are failing but it is very rare and I will keep an eye on it. As for the escaping, I have been doing that and would be happy to share what I changed if anyone was interested.

Also @predfern thanks for making this amazing tool. It is totally awesome.

pauldalewilliams commented 7 years ago

Here's my RandPass function, if it helps: https://github.com/pauldalewilliams/LAPSforMac/blob/master/LAPS.sh#L84-L115

It's designed to mostly match Apple's Passcode complexity requirements, though it's not perfect because I'm ignoring case. (With allowSimple disabled, "aba" is not allowed but "aBa" would be.)

By the way, if anyone knows a better way to code that, please let me know!

benmartel commented 7 years ago

I am using a passphrase generator. I found this tool https://github.com/anders/pwgen.

One of the requests from my boss was that there would be passphrases so it is easier to enter in if we need to.

Here is my forked version: https://github.com/benmartel/LAPSforMac/blob/master/LAPS.sh

pauldalewilliams commented 7 years ago

Interesting! Well, if you want to make troubleshooting easier, just add another logging entry so you can see what the failed password was. I did it here: https://github.com/pauldalewilliams/LAPSforMac/blob/master/LAPS.sh#L235-L239

If you see any of those failures, you'll want to reset immediately, but at least you'll be able to see the offending password.

benmartel commented 7 years ago

I did have a logging feature but have turned it off since. I was uneasy passing all the passwords over the logs.

pauldalewilliams commented 7 years ago

Totally understand. Useful to have when troubleshooting but probably not after that...speaking of which, I'm going to remove that now. :)