joshua-d-miller / macOSLAPS

Swift binary that will change a local administrator password to a random generated password. Similar behavior to LAPS for Windows
MIT License
383 stars 57 forks

Connecting to local directory issue #30

Closed majluk closed 5 years ago

majluk commented 5 years ago

Hello

First things first, I would like to thank you for this tool. I have encountered an issue. I am trying to run it with Xcode with sudo privileges. The settings in ConfigSettings.swift seem to be OK (at least the same as the AD policies). The HDD is encrypted with FileVault. macOS: 10.14.4. The admin account is created manually via the GUI. Password expiry is set to 17.04.2019. When I build and run, I am receiving: Unable to connect to local directory or change password. Before that there is: The local admin: has been detected to have a secureToken. Preforming secure password change...

However, once I was successful and it almost worked. The password changed at AD but not in macOS. What's more, when I was running it for the first time, I was able to change the password in AD via the part of the ad_tools function in ADTools.swift which sends the test password Th1sIsN0tth3P@ssword, but now it's not possible.

majluk commented 5 years ago

Update:

When I build and run, I am receiving: Unable to connect to local directory or change password. Before that there is: The local admin: has been detected to have a secureToken. Preforming secure password change... However, once I was successful and it almost worked. The password changed at AD but not in macOS.

I partially figured it out. It seems that the first time, the password was changed locally after all (it wasn't accepted in the macOS GUI). When I typed the password AD received in the FirstPass variable, it went through. The password was changed locally and in AD. I am still receiving some errors, but it works. Now I am trying to make it run in the background.

joshua-d-miller commented 5 years ago

@majluk Have you tried downloading the pkg install under releases and then using a configuration profile to run the app instead of building it in Xcode?

majluk commented 5 years ago

Hello @joshua-d-miller, thanks for the reply.

I wasn't using a configuration profile. What I did was:

edu.psu.macoslaps.plist is getting deleted after I run sudo macOSLAPS

VertigoRay commented 5 years ago

We're seeing the same issue on one particular computer. The computer is using the same image as the rest of our systems. It would be nice if there were more debug logging in this particular section to know exactly where the break is occurring. Will be putting Xcode on this one and editing and debugging the code to get more verbose logging out of the executable. For now, this is the only logging we're getting, which is a bit vague:

Info|Thu May 02, 2019 09:13:39 AM|macOSLAPS|No Preferred Domain Controller Specified. Continuing...

Warning|Thu May 02, 2019 09:13:39 AM|macOSLAPS|There has never been a random password generated for this device. Setting a default expiration date of 01/01/2001 in Active Directory to force a password change...

Info|Thu May 02, 2019 09:13:39 AM|macOSLAPS|Password Change is required as the LAPS password for %admin%, has expired

Info|Thu May 02, 2019 09:13:39 AM|macOSLAPS|The local admin: %admin% has been detected to have a secureToken. Performing secure password change...

Error|Thu May 02, 2019 09:13:39 AM|macOSLAPS|Unable to connect to local directory or change password. Exiting...

I would like to see debug or verbose logging available.

VertigoRay commented 5 years ago

Fixed it on our end. After adding a ton of debug logs to the code, I realized the changes to the PList file were not getting read. I was convinced there was a second PList file somewhere, but it turns out PList caching was getting in our way. Here's what fixed it for us:

sudo killall cfprefsd

Doing that fixed the issue and all the debugging messages started reporting information from the updated PList; a reboot should also fix it.

Maybe there's a more elegant way to force the process to refresh the PList file ... ?

Refs:

joshua-d-miller commented 5 years ago

So the best thing to do in this situation is to use the defaults command when writing values to a PLIST. That way you do not have to kill cfprefsd in order for your changes to take effect. The other thing to do, which would be most efficient, would be to make a configuration profile, either by using an MDM or Tim Sutton's project mcxToProfile. Hopefully, this will fix your issue as well, @majluk, as you stated you were editing a PLIST file and then placing it in /Library/Preferences.
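
The approach from the comment above, as an added example that is not part of the thread or of the macOSLAPS project: write each preference with `defaults`, read it back, and compare the on-disk plist with the value cfprefsd serves to spot the stale cache described earlier. The key names, the `ladmin` value and the script name are assumptions; the domain path comes from the plist name mentioned in this issue.

```shell
#!/bin/sh
# Added example (not macOSLAPS project code).
# Domain path is derived from the plist name in this thread.
LAPS_DOMAIN="${LAPS_DOMAIN:-/Library/Preferences/edu.psu.macoslaps}"
PLISTBUDDY="${PLISTBUDDY:-/usr/libexec/PlistBuddy}"

# set_pref TYPE KEY VALUE: write through cfprefsd, then read back to verify.
# TYPE is a `defaults write` type flag without the dash (string, int, ...).
set_pref() {
    defaults write "$LAPS_DOMAIN" "$2" "-$1" "$3" || return 1
    _seen=$(defaults read "$LAPS_DOMAIN" "$2" 2>/dev/null) || return 1
    if [ "$_seen" != "$3" ]; then
        echo "MISMATCH $2: wrote '$3', read back '$_seen'" >&2
        return 2
    fi
    echo "OK $2=$_seen"
}

# check_stale KEY: compare the on-disk plist with what cfprefsd serves.
# Returns 0 when they agree, 3 when the cache is stale, 1 on read errors.
# Meant for string/integer keys; booleans print differently in each tool.
check_stale() {
    _disk=$("$PLISTBUDDY" -c "Print :$1" "$LAPS_DOMAIN.plist" 2>/dev/null) || return 1
    _live=$(defaults read "$LAPS_DOMAIN" "$1" 2>/dev/null) || return 1
    if [ "$_disk" != "$_live" ]; then
        echo "STALE $1: disk='$_disk' cfprefsd='$_live'" >&2
        return 3
    fi
    echo "FRESH $1=$_live"
}

# Runs only on macOS when invoked as: sudo sh laps_prefs.sh apply
# Key names are assumptions; use the ones your macOSLAPS version documents.
if [ "$(uname)" = "Darwin" ] && [ "${1:-}" = "apply" ]; then
    set_pref string LocalAdminAccount "ladmin"
    set_pref int DaysTillExpiration 60
    check_stale DaysTillExpiration
fi
```

A `STALE` result after hand-editing the plist is the condition that `sudo killall cfprefsd` cleared in the earlier comment.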

majluk commented 5 years ago

Thank you for the information. I will try to fix it when I find some time.

majluk commented 5 years ago

Worked for me. I edited the settings file one more time, pasted it to its location, and loaded edu.psu.macoslaps-check.plist as a Launch Daemon, but on a different laptop, and it's changing. Maybe there was something wrong with the previous machine? Thanks for the help.

joshua-d-miller commented 5 years ago

@majluk Sure thing. I'll go ahead and resolve this issue.