joshua-d-miller / macOSLAPS

Swift binary that will change a local administrator password to a random generated password. Similar behavior to LAPS for Windows
MIT License

Does not work if Active Directory is not in authentication search path #14

Closed briend closed 6 years ago

briend commented 6 years ago

There may be reasons to bind a computer to Active Directory but not use it for user authentication. For instance, you might be using LDAPv3 for user auth (or even just local accounts), but want to use an AD machine account for maintenance tasks that require network resources or credentials to connect to the wifi network. So you've removed AD from the Authentication Search Policy. If you do this, macOSLAPS does not work with error:

|macOSLAPS|Unable to connect to Active Directory

I think this is the related code: https://github.com/joshua-d-miller/macOSLAPS/blob/master/macOSLAPS/ADTools.swift#L26-L36

The fact that it gets this far shows that it knows that it is bound to AD, but just the query is not returning any results. Is there some way to use ODQuery for nodes not in the search path? It's frustrating because I can just run dscl and navigate to Active Directory/MyDomain/All Domains/Computers and see all the computers just fine.

If I add Active Directory to the Authentication Search Policy, bam, everything works fine. But I can't use that as a solution because it interferes with LDAPv3 connections which we use because we're in a multi-forest arrangement and don't want to use Centrify or PowerBroker solutions.

briend commented 6 years ago

Update, the Python legacy version of MacOSLAPS seems to work fine with this configuration. Trying to figure out the differences...

joshua-d-miller commented 6 years ago

So the difference is I'm actually building the search path in the python version, whereas in the Swift version I'm just pulling it from Open Directory. You are correct; in your case that wouldn't work because you have the search path removed. I'll look into this further to see what I can do to make it connect if the search path is not there.
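As an added illustration of the difference described above (example code, not macOSLAPS's own): opening the domain node by its explicit path, the same one dscl shows, instead of querying through the "/Search" node, so the lookup does not depend on the Authentication Search Policy. The domain "EXAMPLE" and computer account "mac001$" are placeholders; a real deployment would take them from `dsconfigad -show`.

```swift
import Foundation
import OpenDirectory

/// Look up this machine's computer record in Active Directory.
/// The node is opened by its explicit path, so it is found even when
/// Active Directory has been removed from the Authentication Search Policy.
func findComputerRecord(domain: String, computerAccount: String) throws -> ODRecord? {
    let session = ODSession.default()
    // Same path that dscl navigates to: /Active Directory/<DOMAIN>/All Domains
    let nodePath = "/Active Directory/\(domain)/All Domains"
    let node = try ODNode(session: session, name: nodePath)

    // Match the computer account (sAMAccountName style, trailing "$") by record name.
    let query = try ODQuery(node: node,
                            forRecordTypes: kODRecordTypeComputers,
                            attribute: kODAttributeTypeRecordName,
                            matchType: ODMatchType(kODMatchEqualTo),
                            queryValues: computerAccount,
                            returnAttributes: kODAttributeTypeAllAttributes,
                            maximumResults: 1)
    let results = try query.resultsAllowingPartial(false)
    return results.first as? ODRecord
}

// Placeholder domain and computer account; substitute values from `dsconfigad -show`.
do {
    if let record = try findComputerRecord(domain: "EXAMPLE", computerAccount: "mac001$") {
        print("Found computer record: \(record.recordName)")
    } else {
        // Node opened (machine is bound), but no record matched the account name.
        print("Active Directory node reachable, but no matching computer record")
    }
} catch {
    // Typically: not bound, domain controller unreachable, or wrong domain name.
    print("Unable to open the Active Directory node: \(error)")
}
```

Opening the node directly only covers the read side; writing the rotated password back to the computer object still requires the machine account's credentials on that node.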

joshua-d-miller commented 6 years ago

Please try the new build of macOSLAPS and see if this resolves your issue as I have engineered the same logic we used in the python version in the Swift version to pull the AD Search path.

joshua-d-miller commented 6 years ago

Have you had any luck with the new build?

briend commented 6 years ago

No, I haven't had a chance, sorry. I think it should be fine; in fact, I think with High Sierra I can include AD in the search path now (Apple must have fixed some bug). Closing issue. Thanks!