Illegal instruction: 4

[paulgab]

I have MacOSLAPS version 1.1.1 installed on MacOS 10.14.4. I have installed via macOSLAPS-1.1.1.223.pkg file and created the attached edu.psu.macoslaps.plist file: edu.psu.macoslaps.txt

When running the command sudo macOSLAPS -resetPassword I receive the following output:

Info|Mon Apr 29, 2019 01:12:46 PM|macOSLAPS|No Preferred Domain Controller Specified. Continuing...
Info|Mon Apr 29, 2019 01:12:46 PM|macOSLAPS|Password Change is required as the LAPS password for itslocaladmin, has expired
Illegal instruction: 4

The ms-Mcs-AdmPwd field in Active Directory is be updated to: Th1sIsN0tth3P@ssword

FileVault is not turned on and checking the log file, it contains the same as what is outputted to screen.

[joshua-d-miller]

So that password is set when a machine is initially bound to AD and has an invalid date. I am not familiar with the Illegal Instruction: 4. I have looked at the code and can see that your run did make it to attempting to change the password for the account. If the account is a secureToken account, you will also need to set the FirstPass key which should be the password that the account has initially when first created. Once this has been changed, then the keychain entry in System.keychain will be used. Are you running the -resetPassword command because this is a rebuild or is it a newly built machine?

[paulgab]

Hi, Does MacOSLAPS only kick in at the time when the Mac is bounded to the domain? The info for FirstPass is "LAPS Admin is a FileVault user", the admin account that I am attempting to change the password for, is not using FileVault. If I need to use the FirstPass key, how should it be formatted? I am using the -resetPassword command because the Mac has been bound to the domain for years, I am was attempting to get MacOSLAPS started. Thanks

[joshua-d-miller]

@paulgab This utility currently only works with bound machines. The FirstPass attribute is only needed if your local admin account will be a secureToken admin. Even if the machine has been bound to the domain for years you would not necessarily need to use the -resetPassword flag as there has never been a password set in AD. The FirstPass key is just a string.

[paulgab]

I have checked if the local admin account "itslocaladmin", which MacOSLAPS is trying to reset the password has the secureToken set and it doesn't:

sysadminctl -secureTokenStatus itslocaladmin
2019-05-08 17:45:55.879 sysadminctl[69874:35967850] Secure token is DISABLED for user itslocaladmin

If I run just sudo macOSLAPS the following is outputted:

Info|Wed May 08, 2019 05:52:06 PM|macOSLAPS|No Preferred Domain Controller Specified. Continuing...
Warning|Wed May 08, 2019 05:52:06 PM|macOSLAPS|There has never been a random password generated for this device. Setting a default expiration date of 01/01/2001 in Active Directory to force a password change...
Info|Wed May 08, 2019 05:52:06 PM|macOSLAPS|Password Change is required as the LAPS password for itslocaladmin, has expired
Illegal instruction: 4

Any ideas, what might be the issue?

Lastly on install, is the Launch Daemon automatically enabled?

Thanks

[joshua-d-miller]

@paulgab Yes, the Launch Daemon is automatically enabled. Which keys do you have specified in your preference PLIST?

[paulgab]

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>DaysTillExpiration</key>
    <integer>30</integer>
    <key>LocalAdminAccount</key>
    <string>itslocaladmin</string>
    <key>PasswordLength</key>
    <integer>14</integer>
    <key>RemoveKeyChain</key>
    <true/>
    <key>ExclusionSets</key>
    <string></string>
    <key>RemovePassChars</key>
    <string>{}[]|</string>
</dict>
</plist>

[joshua-d-miller]

@paulgab try removing the RemovePassChars key and string and see if it works. I wonder if those symbols are not being read correctly.

[paulgab]

@joshua-d-miller I've changed the plist to the below, and MacOSLAPS is behaving the same.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>DaysTillExpiration</key>
    <integer>30</integer>
    <key>LocalAdminAccount</key>
    <string>itslocaladmin</string>
    <key>PasswordLength</key>
    <integer>14</integer>
    <key>RemoveKeyChain</key>
    <true/>
    <key>ExclusionSets</key>
    <string></string>
</dict>
</plist>

[joshua-d-miller]

@paulgab Is this only happening when using the -resetPassword flag?

[paulgab]

@joshua-d-miller It is also occurring for when running sudo macoslaps:

Info|Tue May 14, 2019 12:52:38 PM|macoslaps|No Preferred Domain Controller Specified. Continuing...
Warning|Tue May 14, 2019 12:52:38 PM|macoslaps|There has never been a random password generated for this device. Setting a default expiration date of 01/01/2001 in Active Directory to force a password change...
Info|Tue May 14, 2019 12:52:38 PM|macoslaps|Password Change is required as the LAPS password for itslocaladmin, has expired
Illegal instruction: 4

[joshua-d-miller]

@paulgab Is the password changing locally and maybe just not in Active Directory? I'm trying to pinpoint where your stop is happening. You could also download the source code and run it as root and put in stops to determine where it is breaking.

[paulgab]

@joshua-d-miller Sorry I haven't had time to check if the local password is being changed or not. I'll try to check this during the week.

I am reading through the source to understand how it works, but as I and not a developer I am not sure how to place stops in.

[joshua-d-miller]

@paulgab Are you still having issues with using macOSLAPS? I haven't heard from you in a while.

[paulgab]

@joshua-d-miller I've built a test machine running MacOS 10.14.5 and installed MacOSLAPS version 1.1.1.

For this new computer, the initial account has the Secure token is ENABLED:

sysadminctl interactive -secureTokenStatus itslocaladmin
2019-07-19 13:15:08.543 sysadminctl[614:7773] Secure token is ENABLED for user itslocaladmin

I have added the FirstPass key to the .plist file.

The results are the same as the other computer I was testing on:

sudo macOSLAPS
Password:
Info|Fri Jul 19, 2019 01:20:50 pm|macOSLAPS|No Preferred Domain Controller Specified. Continuing...
Warning|Fri Jul 19, 2019 01:20:50 pm|macOSLAPS|There has never been a random password generated for this device. Setting a default expiration date of 01/01/2001 in Active Directory to force a password change...
Info|Fri Jul 19, 2019 01:20:50 pm|macOSLAPS|Password Change is required as the LAPS password for itslocaladmin, has expired
Illegal instruction: 4

I've checked, the local admin account password and it is not being changed.

The ms-Mcs-AdmPwd field in Active Directory is be updated to: Th1sIsN0tth3P@ssword

Any ideas where we go from here?

Thanks Paul.

[joshua-d-miller]

Paul thanks for the information. It sounds like the password change is when the issue is occurring. It seems are you able to write to Active Directory. Are you adding any exclusion characters?

[paulgab]

No

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>DaysTillExpiration</key>
    <integer>30</integer>
    <key>LocalAdminAccount</key>
    <string>itslocaladmin</string>
    <key>PasswordLength</key>
    <integer>14</integer>
    <key>RemoveKeyChain</key>
    <true/>
    <key>ExclusionSets</key>
    <string></string>
    <key>FirstPass</key>
    <string>**************</string>
</dict>
</plist>

[joshua-d-miller]

@paulgab Thank you for this info. Are you compiling the binary or are you using the package install? Secondly is this just one machine or multiple? What OS are the machines running that are experiencing this issue? Would you be able to talk with me on the MacAdmins Slack?

[paulgab]

I am using the package install.

I’m testing this on two computers, both running 10.14.

I’m not on Slack, but can join if needed. I’m in Australia, so we might have some timezone issues if you want to chat live.

Thanks Paul

On 25 Jul 2019, at 4:52 am, Joshua D. Miller notifications@github.com wrote:

@paulgab Thank you for this info. Are you compiling the binary or are you using the package install? Secondly is this just one machine or multiple? What OS are the machines running that are experiencing this issue? Would you be able to talk with me on the MacAdmins Slack?

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.

[joshua-d-miller]

Paul,

Have you tried the latest build?

Thanks!

[paulgab]

Hi Joshua, Unfortunately version 1.1.3.225 behaves the same.

Regards Paul.

[joshua-d-miller]

@paulgab How was the itslocaladmin account created? Did you use DEP or did you create it with the pycreatureuserpkg? Also, I know it probably won't work but I updated the version to 1.1.4.

[paulgab]

@joshua-d-miller The local admin account is the initially created account during OS install. I have also tested on an additional account created via the User & Groups System Preferences with the same result. I'll try out the new version when I return from holidays next week. Thanks.

[paulgab]

@joshua-d-miller I've installed version 1.1.4, but as expected, it has made no difference.

What is you recommended method of creating the local admin account? Does macOSLAPS have any dependences? What would your MacOS build steps be?

Thanks.

[joshua-d-miller]

@paulgab I create our admin account with jamf but originally created it with createuserpkg before the python one. I'm sure either of these will work could you try running macOSLAPS on a system where your admin account is not a secureToken user?

Thanks!

[joshua-d-miller]

Paul,

Have you tried the latest build to see if you have any luck? I know we haven't chatted in a while but I thought I would check with you.

Thanks!

[paulgab]

Hi Joshua, I’m currently travelling. I’ll test the latest version when I return at the end of the month.

Thanks Paul.

On 11 Jan 2020, at 12:48 am, Joshua D. Miller notifications@github.com wrote:

 Paul,

Have you tried the latest build to see if you have any luck? I know we haven't chatted in a while but I thought I would check with you.

Thanks!

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or unsubscribe.

[paulgab]

Hi Joshua, Still no good, but I've started playing with the source code and found where it is failing. Using some debugging print statements in the file PasswordGen.swift, I found problem line 19: string_passwordCharacters = exclude_character_sets(password_chars: string_passwordCharacters)

If I comment out this line, macOSLAPS works perfectly. Any ideas why this might be the case?

Regards.

[joshua-d-miller]

Paul,

Are you defining any exclusion characters? It sounds like you might be defining something that it doesn't like.

Thanks!

[paulgab]

Hi Joshua, I removed:

ExclusionSets

<string></string>

From the plist file, and it now works.

Thanks for your patience with this issue. Might need some code to sanity check the plist file and/or update to README.md.

Thanks Paul.

[joshua-d-miller]

Thanks for the update @paulgab I'll go ahead and resolve this. Stay safe!

[DorianBorca]

Hi,

in the end what was the solution for this issue? I am running on Big Sur, AD joined via CentrifyDC, local admin account with secureToken disabled, macOSLAPS 2.1.0

<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

DaysTillExpiration 30 LocalAdminAccount user PreferredDC SERVERNAME PasswordLength 20 RemoveKeyChain

Thank you