PezzaD84 / macLAPS

LAPS solution for macOS managed with Jamf

Inventory item not found #21

Closed teezyyoxo closed 1 month ago

teezyyoxo commented 6 months ago

Hi all, I'm fairly certain that I'm doing something wrong here. I've done everything per the documentation (or so I think) and am able to get the UI to appear. I submit either a serial or valid FQDN/hostname of a Mac in Jamf and make sure the dropdown at the bottom is correct, and get the following message in return.

(Screenshot 2024-04-15 at 3:09:39 PM showing the returned message)

What should I check?

EDIT: Doing more research and it looks like this won't work on Macs that "don't know" they are being LAPS-managed. Our local admin account is provisioned through prestage, and I'm getting the feeling that a prestage local admin and LAPS cannot coexist. Or maybe I have this completely misunderstood.

PezzaD84 commented 6 months ago

Hi @teezyyoxo

This error message is usually an indication that the device name or serial is incorrect. Can you share the logs please and I can have a look to see what's going wrong? If you go to /Library/.LAPS/Logs/ and share the contents I will look over it and see if we can figure out what's going wrong.

teezyyoxo commented 6 months ago

Hi @PezzaD84 Thanks for your help!

=================================================================
=========== LAPS Account creation 15/04/2024 15:34:57 ===========

Password length has been set to characters
does not exist. Creating local admin now
Device serial is FX4X24KCXC
JAMF ID is
LAPS Configuration has failed
Cryptkey has not been successfully configured
SecretKey has not been successfully configured
No Teams Webhook configured
LAPS Launch Daemon not found

Derp. I guess that answers that – I'll go through the configuration from the ground up again and report back.

PezzaD84 commented 6 months ago

@teezyyoxo I would look at your API account and check the permissions. I sometimes find if the account is new it needs to log into jamf as a user.

aanklewicz commented 2 months ago

Was having the same issue. I noticed that the check box in Jamf Users for the API user to require password change after login was checked.

Now I'm getting a different error where it's seeing the devices, but it doesn't provide the password. When I run:

cryptkey="mycryptkey"
secretkey="mysecretkey"

# quote the expansions so keys containing shell-special characters survive intact
passwd=$(echo "$cryptkey" | openssl enc -aes-256-cbc -md sha512 -a -d -salt -pass pass:"$secretkey")

echo "$passwd"

I get the following:

*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
bad decrypt
40EC26F401000000:error:1C800064:Provider routines:ossl_cipher_unpadblock:bad decrypt:providers/implementations/ciphers/ciphercommon_block.c:107:
wx�г>@����g

aanklewicz commented 1 month ago

@TramsGuardian I don't see the error when I run it from the policy, but it doesn't work. I just get SwiftDialog saying "Here's the password" and there's nothing there.

PezzaD84 commented 1 month ago

@aanklewicz Can you please share the local logs from /Library/.LAPS/logs. Also, what OS version are you running?

aanklewicz commented 1 month ago

LAPS.log LAPS-FAILURE.log

I'm running macOS 15.1 beta

This started because an end user running macOS 14.6.1 had issues decoding.

aanklewicz commented 1 month ago

On 14.4.1 I'm getting this error

bad decrypt
8319892160:error:06FFF064:digital envelope routines:CRYPTO_internal:bad decrypt:/AppleInternal/Library/BuildRoots/ce725a5f-c761-11ee-a4ec-b6ef2fd8d87b/Library/Caches/com.apple.xbs/Sources/libressl/libressl-3.3/crypto/evp/evp_enc.c:549:

PezzaD84 commented 1 month ago

Hmm, I wonder if this is an OS 15 issue? I can see in the logs the password validation failed, so possibly the passwords became out of sync and that's breaking the decoder app. Have you tried running the creation/cycle script on that device to see if the remediation steps in the script fix the issue?

aanklewicz commented 1 month ago

I ran the creation and cycle script just now, then using the new values in Jamf, I ran:

cryptkey="mycryptkey"
secretkey="mysecretkey"

# quote the expansions so keys containing shell-special characters survive intact
passwd=$(echo "$cryptkey" | openssl enc -aes-256-cbc -md sha512 -a -d -salt -pass pass:"$secretkey")

echo "$passwd"

and got the error above.

bad decrypt
8319892160:error:06FFF064:digital envelope routines:CRYPTO_internal:bad decrypt:/AppleInternal/Library/BuildRoots/ce725a5f-c761-11ee-a4ec-b6ef2fd8d87b/Library/Caches/com.apple.xbs/Sources/libressl/libressl-3.3/crypto/evp/evp_enc.c:549:

I think there is one issue for macOS 14 and then I think macOS 15 broke something in the openssl command you're using in the script.

PezzaD84 commented 1 month ago

@aanklewicz I can't seem to replicate the issue and only get bad decrypt errors when the secret or crypt key are incorrect. Can you try the below and see if you get a password echoed out?

cryptkey="U2FsdGVkX195xzR1qpC648k+pyy4IZySeaFBIzdh0Wb7+cKKPQ712wYPFoZwW08y"
secretkey="++V4UxvSwciBlY"

aanklewicz commented 1 month ago

That worked as expected on 14.6.1 and outputs 9CZgGYlk3+wgOeSbE33#

aanklewicz commented 1 month ago

In 15.1 I get the following output

*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
9CZgGYlk3+wgOeSbE33#

aanklewicz commented 1 month ago

I've noticed when I run the creation/cycle script, it doesn't change the secret key, should it?

PezzaD84 commented 1 month ago

@aanklewicz It should definitely be changing the secret key, otherwise the new unique password will not be able to be decoded. It should be failing if the key is not being uploaded correctly, so I'm wondering if the API account you are using has the right permissions to write to Extension attributes or computer inventory? It wouldn't make sense that one fails and the other doesn't, but might be worth checking. Possibly it uploaded the secret once and now the check to see if it's populated is seeing the old one but it's not being updated. Can you run the create & cycle script but add on the verbose switch and share this with me please. Should be something like sudo jamf policy -event createLAPS -verbose

PezzaD84 commented 1 month ago

@aanklewicz I've just released v2.3.1 which includes a small debug mode which might highlight some of the issues you are seeing. Hopefully this will help us figure out what's going on.

aanklewicz commented 1 month ago

 verbose: Parsing Policy LAPS | Create Admin and Cycle Password (454)...
 verbose: The Management Framework Settings are up to date.
 verbose: Found 1 matching policies.
Executing Policy LAPS | Create Admin and Cycle Password
 verbose: Copying script to temp directory...
 verbose: Determining script type...
Running script LAPS | Create and Cycle Password...
Script exit code: 0
Script result: Error checking any previous configuration.....
Log found. Checking for previous failures.....
Previous Failures found. Please investigate existing log files to avoid any future failures.
Cleaning up previous failed deployment.....
Resetting Encoded LAPS Password.....
<?xml version="1.0" encoding="UTF-8"?><computer><id>4277</id></computer>Resetting LAPS Secret key.....
<html>
<head>
   <title>Status page</title>
</head>
<body style="font-family: sans-serif;">
<p style="font-size: 1.2em;font-weight: bold;margin: 1em 0px;">Conflict</p>
<p>Error: Problem with extension attribute</p>
<p>You can get technical details <a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.10">here</a>.<br>
Please continue your visit at our <a href="/">home page</a>.
</p>
</body>
</html>
thumbtacklaps
LAPS Account found. Removing account and associated files and folders now.....
Removing thumbtacklaps from admin users group.....
Removing thumbtacklaps from the local device.....
Removing thumbtacklaps files and folders.....
Success - LAPS Account has been removed and reset.
Creating new Log file and moving existing log file to failures folder.
Checking for existing local admin account thumbtacklaps....
Log does not exist. Creating Log file now.....
LAPS Log created. Continuing setup.....
=================================================================
=========== LAPS Account creation 22/08/2024 09:43:09 ===========
=================================================================
Password length has been set to 16 characters
A Special character has been set in the password
thumbtacklaps does not exist. Creating local admin now
2024-08-22 09:43:09.613 sysadminctl[66371:1617106] ----------------------------
2024-08-22 09:43:09.614 sysadminctl[66371:1617106] No clear text password or interactive option was specified (adduser, change/reset password will not allow user to use FDE) !
2024-08-22 09:43:09.614 sysadminctl[66371:1617106] ----------------------------
2024-08-22 09:43:09.732 sysadminctl[66371:1617106] Creating user record…
2024-08-22 09:43:10.272 sysadminctl[66371:1617106] Assigning UID: 501 GID: 20
2024-08-22 09:43:11.023 sysadminctl[66371:1617106] Creating home directory at /Users/thumbtacklaps
 thumbtacklaps
LAPS Account created Successfully
<?xml version="1.0" encoding="UTF-8"?><computer><id>4277</id></computer><html>
<head>
   <title>Status page</title>
</head>
<body style="font-family: sans-serif;">
<p style="font-size: 1.2em;font-weight: bold;margin: 1em 0px;">Conflict</p>
<p>Error: Problem with extension attribute</p>
<p>You can get technical details <a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.10">here</a>.<br>
Please continue your visit at our <a href="/">home page</a>.
</p>
</body>
</html>
CryptKey and SecretKey Escrowed to Jamf successfully
Device serial is PC7KR92FM2
JAMF ID is 4277
LAPS Configuration was successful
No slack URL configured
No Teams Webhook configured
LAPS Launch Daemon found. Removing old Launch Daemon.
Launch Daemon removed.

 verbose: Removing local copy...
Running Recon...

This was with the older version. I'll update the script to 2.3.1 and run it again.

PezzaD84 commented 1 month ago

@aanklewicz thanks for this. I can see a curl error with the extension attribute. I'm not entirely sure what the error is but if the secret key is not being written to the extension attribute then this would be your problem. If you go into the computer inventory and then edit the extension attributes to be blank can you try the creation again and see what happens?

PezzaD84 commented 1 month ago

Looks like it's trying to remediate itself but when trying to reset the Secret Key it's failing to find or edit the secret key extension attribute. If this reset fails then it will hold an old secret key and would explain the bad decrypt error we have been seeing.
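The following is an added example, not macLAPS code and not anything posted in this thread. It pairs the decode one-liner used above with the matching encode step, then reproduces the two ways a correct cryptkey still ends in "bad decrypt": the decoder is handed a stale secret key (the case described in the comment above, where the secret-key extension attribute reset failed), and the decoder is switched to -pbkdf2 while the encoder still uses the legacy key derivation that the deprecation warning refers to. The password and secret-key values are constructed; the function names are mine.

```shell
# Added example (not macLAPS code): encode/decode pairing behind the thread's
# openssl one-liner, plus the two "bad decrypt" failure modes discussed above.
# Requires only the openssl CLI; all key material below is constructed.

laps_encode() {
  # $1 = plaintext password, $2 = secret key -> base64 "Salted__" blob on stdout.
  # Legacy EVP_BytesToKey derivation (-md sha512, no -pbkdf2), as in the thread.
  printf '%s' "$1" | openssl enc -aes-256-cbc -md sha512 -a -salt -pass pass:"$2" 2>/dev/null
}

laps_decode() {
  # $1 = cryptkey (base64), $2 = secret key, $3 = optional extra openssl flag
  # (left unquoted on purpose so "-pbkdf2" is passed through as a flag).
  # Exit status is openssl's: non-zero means "bad decrypt".
  printf '%s\n' "$1" | openssl enc -aes-256-cbc -md sha512 -a -d -salt $3 -pass pass:"$2" 2>/dev/null
}

decodes_to() {
  # 0 when cryptkey $1 decoded with secret $2 (extra flag $4) yields exactly $3.
  out=$(laps_decode "$1" "$2" "$4") || return 1
  [ "$out" = "$3" ]
}

demo() {
  password='Example-Passw0rd#'    # constructed
  secret='++constructedSecret'    # constructed; stands in for the escrowed SecretKey
  stale_secret='++oldSecretKey'   # constructed; models an EA that was never updated

  cryptkey=$(laps_encode "$password" "$secret")
  echo "cryptkey: $cryptkey"

  # 1. Matching pair: the plaintext comes back.
  decodes_to "$cryptkey" "$secret" "$password" && echo "current secret  -> ok"

  # 2. Stale secret: the secret-key EA was never updated, so the decoder fetches
  #    the old value. Bad decrypt even though the cryptkey itself is fine.
  decodes_to "$cryptkey" "$stale_secret" "$password" || echo "stale secret    -> bad decrypt"

  # 3. Decoder moved to -pbkdf2 while the encoder still uses the legacy KDF:
  #    also bad decrypt. The deprecation warning is advisory; changing the KDF
  #    on one side only breaks every value already escrowed.
  decodes_to "$cryptkey" "$secret" "$password" -pbkdf2 || echo "pbkdf2 mismatch -> bad decrypt"
}

demo
```

Case 2 is what the log excerpt above points at: if the extension attribute reset is rejected, the device keeps cycling the password and cryptkey while Jamf still holds the previous secret key, and every decode attempt with the escrowed pair fails the same way as a wrong password would.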

aanklewicz commented 1 month ago

I updated to 2.3.1 and am now getting another error. So I'm prepping my test machine to have macOS 14 on it, so I can test there.

aanklewicz commented 1 month ago

I ran it on a machine with 14.3, it had nothing stored in Jamf, as it was a fresh install. I got the following.

 verbose: JAMF binary already symlinked
 verbose: Checking for an existing instance of this application...
Checking for policies triggered by "createLAPS" for user "aanklewicz"...
 verbose: Checking for active ethernet connection...
 verbose: No active ethernet connection found...
 verbose: Removing any cached policies for this trigger.
 verbose: Parsing servers...
 verbose: Parsing Policy LAPS | Create Admin and Cycle Password (454)...
 verbose: The Management Framework Settings are up to date.
 verbose: Found 1 matching policies.
Executing Policy LAPS | Create Admin and Cycle Password
 verbose: Copying script to temp directory...
 verbose: Determining script type...
Running script LAPS | Create and Cycle Password...
Script exit code: 0
Script result: Error checking any previous configuration.....
No previous log found. Starting initial setup.....
Checking for existing local admin account thumbtacklaps....
Log does not exist. Creating Log file now.....
LAPS Log created. Continuing setup.....
=================================================================
=========== LAPS Account creation 22/08/2024 10:58:23 ===========
=================================================================
Password length has been set to 16 characters
A Special character has been set in the password
thumbtacklaps does not exist. Creating local admin now
2024-08-22 10:58:24.089 sysadminctl[7199:48623] ----------------------------
2024-08-22 10:58:24.089 sysadminctl[7199:48623] No clear text password or interactive option was specified (adduser, change/reset password will not allow user to use FDE) !
2024-08-22 10:58:24.089 sysadminctl[7199:48623] ----------------------------
2024-08-22 10:58:24.213 sysadminctl[7199:48623] Creating user record…
2024-08-22 10:58:24.795 sysadminctl[7199:48623] Assigning UID: 502 GID: 20
2024-08-22 10:58:27.523 sysadminctl[7199:48623] Creating home directory at /Users/thumbtacklaps
GroupMembership: root aanklewicz thumbtacklaps
LAPS Account created Successfully
<?xml version="1.0" encoding="UTF-8"?><computer><id>4554</id></computer><html>
<head>
   <title>Status page</title>
</head>
<body style="font-family: sans-serif;">
<p style="font-size: 1.2em;font-weight: bold;margin: 1em 0px;">Conflict</p>
<p>Error: Problem with extension attribute</p>
<p>You can get technical details <a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.10">here</a>.<br>
Please continue your visit at our <a href="/">home page</a>.
</p>
</body>
</html>
Device serial is QG50CWYHNJ
JAMF ID is 4554
LAPS Configuration has failed
SecretKey has not been successfully configured
No slack URL configured
No Teams Webhook configured
LAPS Launch Daemon not found

 verbose: Removing local copy...
Running Recon...

aanklewicz commented 1 month ago

Still not running, we're troubleshooting further. With help from @gingerscripting, we found that the conflict was another EA that has the word "secret" in it.

Just cleared out and we're not getting the <?xml version="1.0" encoding="UTF-8"?><computer><id>4554</id></computer><html> error any more... but it's not getting the Jamf ID. We are continuing to troubleshoot. Just thought I'd document it here.

aanklewicz commented 1 month ago

Okay, we reverted our API user back to the original one, and now everything is working as expected.

Thank you so much for your help @PezzaD84

A feature request might be to search for more than just "secret" when grepping EAs, so that we can use "secret" in other EA titles.

PezzaD84 commented 1 month ago

@aanklewicz great spot I will edit the greps for a more accurate search. I did think there might be an extension attribute conflict as it was odd that the secret key EA was playing up. Thanks for the feedback I will work on this tomorrow to rectify the issue.
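As an added illustration of the extension-attribute collision found above (this is not macLAPS code and not the fix the author is describing), the block below contrasts a substring grep for "secret" against an exact-name lookup that refuses to continue unless exactly one extension attribute matches. The id/name list is constructed to stand in for what an API call would return; the EA names, ids and function names are all assumptions.

```shell
# Added example, not macLAPS code: resolve an extension attribute id by exact
# name instead of a substring grep, and refuse to proceed when the match is not
# unique. The EA list is constructed; real names and ids are site-specific.

# Constructed stand-in for the id/name pairs pulled from the Jamf EA listing
# (one "id<TAB>name" per line). Two names contain the word "secret".
EA_LIST=$(printf '%s\t%s\n' \
  7  'LAPS Secret Key' \
  12 'LAPS Crypt Key' \
  19 'Secret Server Agent Version' \
  23 'Battery Cycle Count')

# Substring search as described in the thread: case-insensitive "secret".
# Returns every colliding id, which is how the wrong EA gets written to.
ea_ids_by_substring() {
  printf '%s\n' "$EA_LIST" | grep -i "$1" | cut -f1
}

# Exact, case-sensitive match on the whole name. Prints the id only when
# exactly one EA carries that name; otherwise prints nothing and returns 1.
ea_id_by_name() {
  ids=$(printf '%s\n' "$EA_LIST" | awk -F'\t' -v want="$1" '$2 == want { print $1 }')
  n=$(printf '%s' "$ids" | grep -c .)
  [ "$n" -eq 1 ] || return 1
  printf '%s\n' "$ids"
}

demo() {
  echo "substring 'secret' matches ids: $(ea_ids_by_substring secret | tr '\n' ' ')"
  echo "exact 'LAPS Secret Key' -> id $(ea_id_by_name 'LAPS Secret Key')"
  if ! ea_id_by_name 'Secret'; then
    echo "exact 'Secret' -> no unique EA; refuse rather than guess"
  fi
}

demo
```

Failing closed on zero or multiple matches turns the silent "Conflict / Problem with extension attribute" seen in the logs into an immediate, explicit error on the device, before a password is cycled against a secret key that will never be escrowed.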