joshua-d-miller / macOSLAPS

Swift binary that will change a local administrator password to a random generated password. Similar behavior to LAPS for Windows
MIT License

macOS 10.14 Mojave Unable to connect to local directory or change password #22

Closed irahodges closed 5 years ago

irahodges commented 5 years ago

When run with the -resetPassword flag, it updates the pw on the AD but not locally.

joshua-d-miller commented 5 years ago

Hi,

This may have something to do with TCC. Are you receiving any kind of error message?

Thanks!

401cf609a3a217ec commented 5 years ago

I am seeing the same issue on Mojave. It writes the new password to AD but doesn't change it locally.

From the macOSLAPS logs:

Info|Tue Oct 30, 2018 01:51:11 PM|macOSLAPS|Password Change is required as the LAPS password for admin has expired
Info|Tue Oct 30, 2018 01:51:11 PM|macOSLAPS|Password change has been completed for local admin admin. New expiration date is Mon Jan 28, 2019 01:51:11 PM
Error|Tue Oct 30, 2018 01:51:11 PM|macOSLAPS|Unable to connect to local directory or change password. Exiting...

From the system logs:

2018-10-30 13:51:11.281293-0700 localhost sudo[17557]: username : TTY=ttys000 ; PWD=/Users/username ; USER=root ; COMMAND=/usr/local/laps/macOSLAPS -resetPassword
2018-10-30 13:51:11.296512-0700 localhost macOSLAPS[17558]: (CFOpenDirectory) Created Activity ID: 0x38080, Description: Open a given node
2018-10-30 13:51:11.298147-0700 localhost macOSLAPS[17558]: (CFOpenDirectory) Created Activity ID: 0x38081, Description: Querying records from directories
2018-10-30 13:51:11.306372-0700 localhost macOSLAPS[17558]: (CFOpenDirectory) Created Activity ID: 0x38082, Description: Open a given node
2018-10-30 13:51:11.306835-0700 localhost macOSLAPS[17558]: (CFOpenDirectory) Created Activity ID: 0x38083, Description: Retrieve record from node
2018-10-30 13:51:11.306836-0700 localhost macOSLAPS[17558]: (CFOpenDirectory) Created Activity ID: 0x38084, Parent ID: 0x8000000000038083, Description: Querying records from directories
2018-10-30 13:51:11.308062-0700 localhost macOSLAPS[17558]: (CFOpenDirectory) Created Activity ID: 0x38085, Description: Set value of an attribute
2018-10-30 13:51:11.312416-0700 localhost macOSLAPS[17558]: (CFOpenDirectory) Created Activity ID: 0x38086, Description: Set value of an attribute
2018-10-30 13:51:11.317303-0700 localhost macOSLAPS[17558]: (CFOpenDirectory) Created Activity ID: 0x38087, Description: Change password for record
2018-10-30 13:51:11.317612-0700 localhost opendirectoryd[99]: Created Activity ID: 0x37fa8, Parent ID: 0x8000000000038087, Description: Internal request
2018-10-30 13:51:11.319480-0700 localhost opendirectoryd[99]: (PlistFile) [com.apple.opendirectoryd:auth] Change password failed with ODErrorRecordPermissionError
2018-10-30 13:51:11.319612-0700 localhost opendirectoryd[99]: [com.apple.opendirectoryd:session] ODRecordChangePassword failed with result ODErrorRecordPermissionError
2018-10-30 13:51:11.321701-0700 localhost macOSLAPS[17558]: (CFOpenDirectory) Created Activity ID: 0x38088, Description: Closing a node reference
2018-10-30 13:51:11.323156-0700 localhost opendirectoryd[99]: Created Activity ID: 0x37fa9, Description: Internal request
2018-10-30 13:51:11.932729-0700 localhost opendirectoryd[99]: Created Activity ID: 0x37faa, Description: Kernel Request
2018-10-30 13:51:11.933300-0700 localhost opendirectoryd[99]: Created Activity ID: 0x37fab, Description: Kernel Request

mpdonovan commented 5 years ago

I am seeing the same issue when the user is created with sysadminctl. I have a policy in Jamf that creates the user and installs the client; that user works fine. Both are on 10.14.

ghost commented 5 years ago

Just curious, has there been any resolution that has worked for the local password change with Mojave clients? I am seeing the same thing in our logs.

Info|Mon Oct 15, 2018 04:18:18 PM|macOSLAPS|Password Change is required as the LAPS password for localadmin has expired
Info|Mon Oct 15, 2018 04:18:18 PM|macOSLAPS|Password change has been completed for local admin localadmin. New expiration date is Wed Nov 14, 2018 04:18:18 PM
Error|Mon Oct 15, 2018 04:18:18 PM|macOSLAPS|Unable to connect to local directory or change password. Exiting...
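The two macOSLAPS logs quoted in this thread (this post and the earlier one from 401cf609a3a217ec) show the same sequence: the "completed for local admin" message is written after the new password is pushed to AD, and the "Unable to connect to local directory" error follows because the local change failed, so AD now holds a password that is not the one on the Mac. The script below is an added example, not part of macOSLAPS, that scans a log in that format and names the accounts left in that state; the log content is constructed for the example and mirrors the lines above.

```shell
#!/bin/sh
# Added example (not macOSLAPS code): find accounts whose run reported the AD write as
# completed and then failed to change the local password, i.e. hosts where the AD
# password no longer matches the local admin password.

# Constructed sample log in the macOSLAPS format quoted in this thread
# (Level|Date|macOSLAPS|message). Not output from any real host.
SAMPLE_LOG='Info|Mon Oct 15, 2018 04:18:18 PM|macOSLAPS|Password Change is required as the LAPS password for localadmin has expired
Info|Mon Oct 15, 2018 04:18:18 PM|macOSLAPS|Password change has been completed for local admin localadmin. New expiration date is Wed Nov 14, 2018 04:18:18 PM
Error|Mon Oct 15, 2018 04:18:18 PM|macOSLAPS|Unable to connect to local directory or change password. Exiting...
Info|Tue Oct 16, 2018 09:00:00 AM|macOSLAPS|Password Change is required as the LAPS password for otheradmin has expired
Info|Tue Oct 16, 2018 09:00:00 AM|macOSLAPS|Password change has been completed for local admin otheradmin. New expiration date is Thu Nov 15, 2018 09:00:00 AM'

# Reads macOSLAPS log lines on stdin and prints "<account><TAB><timestamp>" for each
# "completed for local admin X" message that is immediately followed by the
# "Unable to connect to local directory" error. Prints nothing when every run was consistent.
laps_mismatched_accounts() {
    awk -F'|' '
        $4 ~ /^Password change has been completed for local admin / {
            # Account name sits between "local admin " and ". New expiration".
            name = $4
            sub(/^Password change has been completed for local admin /, "", name)
            sub(/\. New expiration.*$/, "", name)
            pending = name
            when = $2
            next
        }
        pending != "" && $1 == "Error" && $4 ~ /^Unable to connect to local directory or change password/ {
            print pending "\t" when
            pending = ""
            next
        }
        # Any other line means the run moved on without that error: clear the candidate.
        { pending = "" }
    '
}

# Convenience wrapper: returns 0 when the log on stdin shows no AD/local mismatch,
# 1 otherwise, so it can gate an alert in a monitoring job.
laps_log_is_consistent() {
    [ -z "$(laps_mismatched_accounts)" ]
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | laps_mismatched_accounts
```

On the sample it reports only localadmin; otheradmin's run has no error after its "completed" line and is left alone. Pointing it at /var/log or wherever the macOSLAPS log is written on a fleet gives a list of machines where the AD copy of the password should be treated as stale until a successful run is seen.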

ghost commented 5 years ago

Just an update, and apologies if this is incorrect, but I modified the PWChange file to print out the unexpected error and received the following:

Unexpected error: Error Domain=com.apple.OpenDirectory Code=4001 "Operation was denied because the current credentials do not have the appropriate privileges." UserInfo={NSLocalizedDescription=Operation was denied because the current credentials do not have the appropriate privileges., NSLocalizedFailureReason=Operation was denied because the current credentials do not have the appropriate privileges.}.

joshua-d-miller commented 5 years ago

@Sbacon2 Are you running macOSLAPS as the root user or an admin user that can make changes to the local directory?

strydub commented 5 years ago

I have the same issue and I'm logged in as the root user. Plus the file edu.psu.macoslaps.plist doesn't exist in /Library/Preferences/. Do you have any suggestion of what can be done to resolve the issue?

jkeller13 commented 5 years ago

Just an FYI: there is an issue that has been submitted to Apple related to this. (It applies to changes in 10.14.) If you disable the secure token for the user, the password change works locally. With the secure token enabled, it fails to reset the password due to 'not having appropriate privileges'. There is a PI with Jamf and an issue submitted with Apple, as this is most likely not expected behavior on Apple's side.

ghost commented 5 years ago

@joshua-d-miller I have tested running it as both root and an admin user with the same results.

ghost commented 5 years ago

@jkeller13 Do you have any more information on this submission? Perhaps a link?

jkeller13 commented 5 years ago

@Sbacon2 I don't have a link because I did not file the bug in Apple's Radar system

joshua-d-miller commented 5 years ago

Ah, that would make a lot of sense. Our local admin user doesn't have a secure token, and that would be why I can't replicate this issue. So it sounds like this will be addressed in a later version of macOS, I'm assuming, and it's not expected behavior (at least not at this time). I'll leave this open and have you test when the next version of 10.14 comes out, and hopefully the radar will have been fulfilled.

joshua-d-miller commented 5 years ago

One thing @bartreardon and I kind of figured out was that the account created via MDM through DEP could not change the password; however, if the account was created via something like pycreateuserpkg or just on the system, it worked fine. Please see if this is the issue for you and let me know.

Thanks!

pmex commented 5 years ago

I'm not using macOSLAPS yet, so I can't give you any log output from your code. However, if your user has a secure token (typically when created through DEP enrolment) it can't have its password changed with sysadminctl -resetPasswordFor username. A user without a secure token (typically created by scripts/pkg) can have its password reset that way, though.

To be able to continuously change an admin password with SecureToken you probably need to find a way to store the password locally (which I totally understand that you want to avoid as long as possible).

I hope this helps

rg717 commented 5 years ago

Hi, we are running into the same issue "Unable to connect to local directory or change password.". We are using Mojave and DEP.

Is there any update? Or do you have any information when we can expect a solution for that problem?

joshua-d-miller commented 5 years ago

Hi,

The way I see it is we are going to have to figure out a way to store the current LAPS password on the system as we will not be able to read it from Active Directory. We will need to figure out how to store it securely as this is a security vulnerability and if the password was found it could be used in a bad way. Since secureToken accounts (Admin accounts created with DEP) require us to know the old password, we will need to perform this. I'm currently evaluating the best possible way to do this and will update everyone if I find a way that is best.

Thanks for your patience!

Edwinterb commented 5 years ago

Thanks for persisting with this @joshua-d-miller . I really want to use this on our systems, but unfortunately we FileVault encrypt all our devices so this SecureToken issue is annoying to say the least! Looking forward to any developments you make.

joshua-d-miller commented 5 years ago

Hello everyone,

Please try the latest build and let me know if it resolves the issues.

Thanks!

Edwinterb commented 5 years ago

Hi @joshua-d-miller, I did some quick testing today, and it worked very well. Thanks for the fix; I'll report back if I see any issues in further tests.

irahodges commented 5 years ago

Same here! It is working in both 10.14.2 and 10.14.3. On first password attempt I get the message: "Nothing was retrieved from the keychain. Status code -25300". But it works as expected and subsequent password changes work as well!

Also, if run from a local user account that doesn't have the permissions to write to the specified log file, the password gets changed locally but is not saved in the keychain or reported to AD, and the command hangs.

joshua-d-miller commented 5 years ago

I'm glad things are working. I also took care of that status message when loading the keychain entry. It should no longer display. Please try the latest build and let me know.

joshua-d-miller commented 5 years ago

I'm going to call this issue closed now since we determined that DEP accounts with secureToken were the issue and this has since been resolved.

cbruce2 commented 5 years ago

Hi, Can your code be implemented using JAMF Pro? I've never worked with .swift files.

bartreardon commented 5 years ago

> Hi, Can your code be implemented using JAMF Pro? I've never worked with .swift files.

There's a script that implements LAPS in jamf here https://github.com/ducksrfr/LAPSforMac/blob/master/LAPS.sh

jamf pro already does password randomisation for their admin account - there are a couple of FR's out there asking to expose it in the interface (e.g. https://www.jamf.com/jamf-nation/feature-requests/7901/jamf-managment-account-password-retrieval)

that said - writing back to jamf from this version is something I've been interested in looking at as well (if I ever get the time to play with it 😜 )

cbruce2 commented 5 years ago

Hi, I am using the LAPS.sh script that you mentioned above and it works flawlessly if there is a password stored in the JSS already. This is a new build and it errors out as seen below because it does not find a password stored. Is there a method to get past this and store a password in the JSS, so your script can randomize it?

Script result: XXXXX is a local user on the Computer
JAMF Binary is /usr/local/bin/jamf
No Password is stored in LAPS.
======== Aborting LAPS Update ========

Error running script: return code was 1.