PezzaD84 / macLAPS

LAPS solution for macOS managed with Jamf

What is to do for updating to a newer version? #11

Closed snowwalker1988 closed 1 year ago

snowwalker1988 commented 1 year ago

Hello, can you explain or make a readme "What is to do for updating to a newer version?"? I tried to set the new scripts, but then I get failures. Best regards, snowwalker1988

PezzaD84 commented 1 year ago

Hi,

What failures are you experiencing? Are you able to share the logs from JAMF and the local LAPS log (/Library/.LAPS/Logs/) and I will take a look to see what's going on.

snowwalker1988 commented 1 year ago

Hi, one failure I found myself. I didn't use the new LAPS.pkg

Now the Log in JAMF is the following:

Script result: Error checking any previous configuration.....
Log found. Checking for previous failures.....
No previous failures detected. Continuing LAPS Configuration.....
Log already exists. Continuing setup.....
***** LAPS Account cycled 14/07/2023 13:45:36
Password length has been set to 12 characters
macadmin does not exist. Creating local admin now
2023-07-14 13:45:37.017 sysadminctl[21042:138097] ----------------------------
2023-07-14 13:45:37.017 sysadminctl[21042:138097] No clear text password or interactive option was specified (adduser, change/reset password will not allow user to use FDE) !
2023-07-14 13:45:37.018 sysadminctl[21042:138097] ----------------------------
2023-07-14 13:45:37.198 sysadminctl[21042:138097] Creating user record…
2023-07-14 13:45:37.972 sysadminctl[21042:138097] Assigning UID: 503 GID: 20
2023-07-14 13:45:38.144 sysadminctl[21042:138097] Creating home directory at /Users/macadmin
GroupMembership: root it-support macadmin
LAPS Account created Successfully
<?xml version="1.0" encoding="UTF-8"?><computer><id>2</id></computer><?xml version="1.0" encoding="UTF-8"?><computer><id>2</id></computer>CryptKey and SecretKey Escrowed to Jamf successfully
Device serial is xxx (xxx for privacy)
JAMF ID is 2
LAPS Configuration was successful
No slack URL configured
LAPS Launch Daemon not found

Is "LAPS Launch Daemon not found" a failure, or maybe I have a problem understanding how changing the password now works? Until now we have used the 4th policy.

snowwalker1988 commented 1 year ago

On the client above it was a fresh computer without any macadmin before.

But when I now try it on a machine with a macadmin from an older macOSLAPS version we get this:

Script result: Error checking any previous configuration.....
Log found. Checking for previous failures.....
No previous failures detected. Continuing LAPS Configuration.....
Log already exists. Continuing setup.....
***** LAPS Account cycled 14/07/2023 14:16:00
Password length has been set to 12 characters
GroupMembership: root macadmin it-support
macadmin has already been created and is a local admin. Resetting local admin password....
2023-07-14 14:16:01.574 sysadminctl[2890:18853] ### Error:-14090 File:/AppleInternal/Library/BuildRoots/c2cb9645-dafc-11ed-aa26-6ec1e3b3f7b3/Library/Caches/com.apple.xbs/Sources/Admin_sysadminctl/addremoveuser/main.m Line:378
2023-07-14 14:16:01.574 sysadminctl[2890:18853] Operation is not permitted without secure token unlock.
<dscl_cmd> DS Error: -14090 (eDSAuthFailed)
Authentication for node /Local/Default failed. (-14090, eDSAuthFailed)
Password validation failed.

PezzaD84 commented 1 year ago

Hi,

That's a good point you bring up that the "LAPS Daemon not found" is not clear. It's not a failure and I've amended the text now. Thanks for raising that.

The second issue you have raised is an odd one. The newer scripts use the same API calls so they should still be looking at the same extension attributes to get the password. Again, the "Password validation failed" line is going to go in the troubleshooting section as a new entry. If you see this the next run of the LAPS Policy will clean up any issues and get you back on track. I will also add extra wording to the failure message for users.

Thanks for bringing these issues up. I've amended the wording in the script now and will add the failure message to the wiki.
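As an added example (not part of macLAPS or the maintainer's scripts), the following POSIX sh function sorts a pasted Jamf "Script result" into the outcomes discussed in this thread, treating "LAPS Launch Daemon not found" as informational and the -14090/eDSAuthFailed secure-token messages as a real failure. The sample logs are constructed, abridged from the two pastes above.

```shell
#!/bin/sh
# Added example, not part of macLAPS: classify the "Script result" text that Jamf
# records for the macLAPS policy, using only messages quoted in this thread.
# Prints one of: success | success-no-daemon | secure-token-failure |
#                password-validation-failure | unknown

laps_classify() {
    _log="$1"   # full script result text as pasted from the Jamf policy log
    # sysadminctl error -14090 / eDSAuthFailed: Directory Services refused the
    # password reset because it ran without a secure-token unlock.
    if printf '%s\n' "$_log" | grep -qE 'eDSAuthFailed|Error:-14090|secure token unlock'; then
        echo "secure-token-failure"; return 1
    fi
    if printf '%s\n' "$_log" | grep -q 'Password validation failed'; then
        echo "password-validation-failure"; return 1
    fi
    if printf '%s\n' "$_log" | grep -q 'LAPS Configuration was successful'; then
        # "LAPS Launch Daemon not found" is informational (confirmed by the maintainer above)
        if printf '%s\n' "$_log" | grep -q 'LAPS Launch Daemon not found'; then
            echo "success-no-daemon"
        else
            echo "success"
        fi
        return 0
    fi
    echo "unknown"; return 2
}

# Constructed samples, abridged from the two logs pasted in this thread.
sample_fresh_client() {
    cat <<'EOF'
macadmin does not exist. Creating local admin now
LAPS Account created Successfully
LAPS Configuration was successful
No slack URL configured
LAPS Launch Daemon not found
EOF
}

sample_existing_admin() {
    cat <<'EOF'
macadmin has already been created and is a local admin. Resetting local admin password....
2023-07-14 14:16:01.574 sysadminctl[2890:18853] Operation is not permitted without secure token unlock.
<dscl_cmd> DS Error: -14090 (eDSAuthFailed)
Password validation failed.
EOF
}
```

Feed it the saved policy log, e.g. `laps_classify "$(cat result.txt)"`; the exit status is 0 only for a successful run.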

snowwalker1988 commented 1 year ago

Hi, thanks for updating this.

We have now tested for some days with test clients. On a few clients it works well.

But on some clients we get the following failures (also when trying [Create Local Admin & password] a second time):

Script exit code: 1
Script result: Error checking any previous configuration.....
Log found. Checking for previous failures.....
No previous failures detected. Continuing LAPS Configuration.....
Log already exists. Continuing setup.....
***** LAPS Account cycled 19/07/2023 11:44:00
Password length has been set to 12 characters
GroupMembership: root jamfadmin macadmin
macadmin has already been created and is a local admin. Resetting local admin password....
2023-07-19 11:44:01.062 sysadminctl[25110:2816541] resetting password for macadmin. (Keychain will not be updated!)
2023-07-19 11:44:02.074 sysadminctl[25110:2816541] SystemConfiguration commitChanges failed.
DS Error: -14090 (eDSAuthFailed)
Authentication for node /Local/Default failed. (-14090, eDSAuthFailed)
Password validation failed.
Please re-run the LAPS policy. If the problem persists please raise a ticket.
Error running script: return code was 1.
Running Recon...

Do you have some idea why?

Best regards

PezzaD84 commented 1 year ago

Hi,

This is very odd as the script should find the failure and create a failures folder and log.

If all else is failing then there is the reset LAPS script which you could use to flush the account and settings completely from the device and start from scratch. You can find the reset script on the main GitHub page. There are some short instructions in the wiki and in the script itself.