joshua-d-miller / macOSLAPS

Swift binary that will change a local administrator password to a randomly generated password. Similar behavior to LAPS for Windows
MIT License

Unable to connect to local directory or change password (not using FileVault) #40

Closed agarcia1313 closed 3 years ago

agarcia1313 commented 5 years ago

Before I begin, just want to say thanks for creating this, it's awesome. Anyway, we've pushed out the current release (macOSLAPS 1.1.4 Build 230) via ARD to about 35 machines and on 4 of them when we send the unix command /usr/local/laps/macOSLAPS we're getting the message "Unable to connect to local directory or change password...". Two of them are running macOS 10.14.6 and two of them are running 10.13.6. We're not using FileVault on any of the machines, but on one of the ones having the issue I went ahead and tried the command sudo defaults write /Library/Preferences/edu.psu.macoslaps FirstPass "tempadminpassword" and sudo killall cfprefsd to see if it would make any difference and it did not. I even unbound/re-bound that same Mac from Active Directory but still no dice. Not sure how to proceed. Let me know if there's any additional info I can send you. Any help would be greatly appreciated.

agarcia1313 commented 5 years ago

Ok, I have an update. On three out of the four, when looking again at the error thrown up by macOSLAPS when running the /usr/local/laps/macOSLAPS command, it does display this message: "...has been detected to have a secureToken. Performing secure password change...". Looks like the ms-Mcs-AdmPwd had been updated on those 3 with the same temp password (that I assume macOSLAPS creates temporarily). I fixed those 3 by using the FirstPass key. I guess I thought secureToken was only used when FileVault is being used (which we're not using). I still have the issue with the last one; these steps did not work on the one I was originally trying to fix.

ilikebigruts commented 5 years ago

Hi agarcia1313, I'm no macOSLAPS expert but here's some things I'd try.

  1. Delete the computer object from AD (we have to do this from time to time to get the trust working again).
     1.a Re-bind the computer.

  2. If you're going to try and use the "FirstPass" functionality you have to make sure there is no macOSLAPS keychain in the "System" keychain; if it's there, delete it or macOSLAPS will use it instead of "FirstPass".
     2.a Make sure the local admin account password matches the "FirstPass" password.

  3. Is it on a network that can reach your Domain Controllers? Try to ping it.

Given it's working on all but one of your Macs it's probably safe to say your config is all good and that something's not right with that one Mac. That's all that springs to mind right now, let us know how you go.

eatyourpeas747 commented 4 years ago

Same issue here and have tried the suggestions in this thread. I am running on 10.15.1.

joshua-d-miller commented 4 years ago

Hello @agarcia1313,

Do the machines that are not changing have secureToken enabled on the accounts?

Thanks!

ilikebigruts commented 4 years ago

Hi Joshua, I've been using this app for a couple of years now and it's been great. Today I installed the latest release 1.1.6.274 and am now getting the same error "Unable to connect to local directory or change password". My Mac is not using FileVault and yes it does have a secure token and the current password IS in the keychain. What I noticed is if I try and run it manually with -resetPassword I get a GUI prompt: "macOS wants to make changes. Enter an administrator's name and password to allow this. macOS wants to use the 'System' Keychain." I click cancel and see the same error in the logs. Does that help shed any light on the issue for you? Is there anything I can do to help troubleshoot the issue? I'm still running 10.14.6.

ilikebigruts commented 4 years ago

Looks like the new binary doesn't have permissions to access/modify the macOSLAPS keychain?

joshua-d-miller commented 4 years ago

Hmm. I know there was an issue with a previous version and the certificate. I may need to add some logic into the program to allow access to the keychain item no matter what. That way it doesn't throw this error. I'm assuming after you fixed the keychain issue that it worked?

Thanks!

ilikebigruts commented 4 years ago

Yes, once authenticating to allow the macOSLAPS binary access to the macOSLAPS keychain item it worked as expected.

bcreidie commented 4 years ago

I was having the "Unable to connect to local directory or change password" (WITH FileVault) issue. I found the error would surface when run against the administrator account created when macOS was installed. I created a second administrator account on the same machine using the GUI and then ran macOSLAPS against that second account, and macOSLAPS ran successfully. I am not entirely sure what is different between the local accounts.

Edit to include: macOS 10.15.3, macOSLAPS-1.1.6.274

howlerwolf1313 commented 4 years ago

Hello, I'm having a similar issue on 10.15.3. Is macOSLAPS compatible with 10.15?

sh-3.2# /usr/local/laps/macOSLAPS -status
Info|Mon Mar 02, 2020 04:13:45 PM|macOSLAPS|No Preferred Domain Controller Specified. Continuing...
Warning|Mon Mar 02, 2020 04:13:45 PM|macOSLAPS|There has never been a random password generated for this device. Setting a default expiration date of 01/01/2001 in Active Directory to force a password change...
Info|Mon Mar 02, 2020 04:13:45 PM|macOSLAPS|Password Change is required as the LAPS password for admin, has expired
Error|Mon Mar 02, 2020 04:13:45 PM|macOSLAPS|Unable to connect to local directory or change password. Exiting...

sh-3.2# /usr/local/laps/macOSLAPS -version
1.1.6

After running that command my configuration file in /Library/Preferences/edu.psu.macoslaps.plist gets deleted. Could it be my antivirus deleting things or a change in 10.15? Thanks

howlerwolf1313 commented 4 years ago

The issue ended up being the configuration file in /Library/Preferences/edu.psu.macoslaps.plist. This file needs to be created via the defaults command, otherwise it may be deleted when running from the binary - /usr/local/laps/macOSLAPS.

rustymyers commented 4 years ago

I'm also having an issue with this. I wonder if it's an older computer record in EAD, as I rebound without removing that first...

sudo /usr/local/laps/macOSLAPS -v -resetPassword
Info|Wed Jul 29, 2020 02:02:27 PM|macOSLAPS|No Preferred Domain Controller Specified. Continuing...
Info|Wed Jul 29, 2020 02:02:27 PM|macOSLAPS|Password Change is required as the LAPS password for clmadmin, has expired
Info|Wed Jul 29, 2020 02:02:27 PM|macOSLAPS|The local admin: clmadmin has been detected to have a secureToken. Performing secure password change...
Error|Wed Jul 29, 2020 02:02:27 PM|macOSLAPS|Unable to connect to local directory or change password. Exiting...

joshua-d-miller commented 4 years ago

The computer record needs to have write access to itself in order to change the record. I would try expiring the password in AD and then try running it again without resetting the password. Let me know the results.

rustymyers commented 4 years ago

Sooo, I think I caused this myself by resetting the local admin account password to the initial value. I suspect that causes the tool to prevent updating the password?

joshua-d-miller commented 4 years ago

If you have a secureToken user the program will look for the password in two places:

  1. Keychain - This is usually the random password after initial setup
  2. Config Profile - Usually the burner password used when the computer is first built to ensure secureToken transition

The reason for this is secureToken users must supply the old password in order to remain a secureToken user.
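The two password sources described above, together with the checks suggested earlier in the thread (keychain item vs. FirstPass, config plist written with defaults, AD reachability), as an added triage script that is not part of macOSLAPS: the log classifier runs anywhere on the patterns quoted in this thread, while the live checks only run on macOS. The local admin name in ADMIN, the keychain service name "macOSLAPS" and the dscl node path are assumptions.

```shell
#!/bin/sh
# Added triage helper, not part of macOSLAPS. ADMIN and the keychain service name
# "macOSLAPS" are assumptions; set ADMIN to your managed local admin account.
ADMIN="${ADMIN:-admin}"
PLIST="/Library/Preferences/edu.psu.macoslaps"

# Classify macOSLAPS log lines (read from stdin) into the failure patterns seen in
# this thread. Prints a hint; returns 1 when the "Unable to connect" error is present.
triage_laps_log() {
  saw_token=0; saw_first=0; saw_fail=0
  while IFS= read -r line; do
    case "$line" in
      *"has been detected to have a secureToken"*) saw_token=1 ;;
      *"There has never been a random password generated"*) saw_first=1 ;;
      *"Unable to connect to local directory or change password"*) saw_fail=1 ;;
    esac
  done
  if [ "$saw_fail" -eq 0 ]; then echo "ok"; return 0; fi
  if [ "$saw_token" -eq 1 ]; then
    echo "secure-token-path: verify the macOSLAPS keychain item or the FirstPass value matches the current password"
  elif [ "$saw_first" -eq 1 ]; then
    echo "first-run: verify the config plist was written with defaults and the computer record can write to itself"
  else
    echo "directory: verify the AD bind, DC reachability and the local admin account name"
  fi
  return 1
}

# Live pre-flight checks; only meaningful on macOS, so they are skipped elsewhere.
preflight_checks() {
  [ "$(uname -s)" = "Darwin" ] || { echo "not macOS; skipping live checks"; return 0; }
  rc=0
  # 1. Config must be a valid plist (the thread notes a hand-made file got deleted)
  plutil -lint "$PLIST.plist" >/dev/null 2>&1 && echo "plist: ok" || { echo "plist: missing or invalid"; rc=1; }
  # 2. secureToken holders must have their current password available to the tool
  sysadminctl -secureTokenStatus "$ADMIN" 2>&1 | grep -q ENABLED && echo "secureToken: enabled for $ADMIN" || echo "secureToken: disabled for $ADMIN"
  # 3. Password source: System keychain item first, FirstPass from the config second
  if security find-generic-password -s macOSLAPS /Library/Keychains/System.keychain >/dev/null 2>&1; then
    echo "keychain: macOSLAPS item present (FirstPass will be ignored)"
  elif defaults read "$PLIST" FirstPass >/dev/null 2>&1; then
    echo "keychain: no item; FirstPass configured"
  else
    echo "keychain: no item and no FirstPass"; rc=1
  fi
  # 4. The Active Directory node must be visible to the local directory service
  dscl localhost -list "/Active Directory" >/dev/null 2>&1 && echo "ad: node visible" || { echo "ad: node not visible"; rc=1; }
  return $rc
}
```

Pipe the output of `sudo /usr/local/laps/macOSLAPS -v -status` into `triage_laps_log`, then run `preflight_checks` as root on the affected Mac.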

joshua-d-miller commented 3 years ago

I'm going to go ahead and close this issue as there doesn't appear to be any further issues.