joshua-d-miller / macOSLAPS

Swift binary that will change a local administrator password to a random generated password. Similar behavior to LAPS for Windows
MIT License

fresh install doesn't work #45

Closed DBLClick closed 3 years ago

DBLClick commented 3 years ago

Attempted to install on OS X Mojave 10.14.6. It installed with no issues, and I manually copied the .plist to the Preferences folder. The application doesn't run.

joshua-d-miller commented 3 years ago

Can you provide what your log file says when macOSLAPS runs? This file is located in /Library/Logs and is called macOSLAPS.log

DBLClick commented 3 years ago

Sorry that would have to wait until Monday. I'm trying to get it to work in the office.

DBLClick commented 3 years ago

Logs attached (macOSLAPS.log).

joshua-d-miller commented 3 years ago

Hi there @DBLClick,

It appears that your macOSLAPS is running as it continues due to there not being a domain controller selected. I would go ahead and check the following:

  1. The admin specified in the PLIST is the admin you want to change
  2. If the admin has secureToken, make sure either the password for the admin is the one configured in the PLIST under FirstPass or there is an entry in the keychain (I don't believe there would be a keychain entry since this is a fresh install).
  3. The machine is bound to Active Directory and it is able to write to itself as macOSLAPS uses the computer account to write to itself and read its expiration date.

Thanks!

DBLClick commented 3 years ago

I am the admin. The error for a non-specified domain controller happened when I checked with nothing specified in the Plist; I then gave it the name of the domain controller and the error never changed. I do believe this is a secure token issue, but I gave the preferred domain controller both the short name and the FQDN and it still says it is not specified.

DBLClick commented 3 years ago

Well, I found that after a reboot the domain controller issue was resolved. I assume the daemon needs to be stopped and started; there is no info on this.

Logs now show:

Info|Fri Nov 27, 2020 11:08:02 AM|macOSLAPS|Using Preferred Domain Controller adcc01.occ.treas.gov...
Info|Fri Nov 27, 2020 11:09:28 AM|macOSLAPS|Using Preferred Domain Controller adcc01.occ.treas.gov...

But there is no info in the domain for the account. When trying to run macOSLAPS -resetPassword, it gives:

$ sudo /usr/local/laps/macOSLAPS resetPassword
Info|Fri Nov 27, 2020 11:09:28 AM|macOSLAPS|Using Preferred Domain Controller adcc01.occ.treas.gov...
Illegal instruction: 4

Unable to find what "Illegal instruction: 4" is.
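A small triage script for the situation in this thread, added here as an example (it is not part of macOSLAPS). It runs the maintainer's three checks (admin account exists, secureToken status, OpenDirectory AD bind) on macOS, and classifies macOSLAPS.log lines using the `Level|Date|macOSLAPS|Message` format quoted above; the log path and the `dscl`, `sysadminctl -secureTokenStatus` and `dsconfigad -show` commands are macOS built-ins, and the sample log lines and hostname are constructed.

```shell
#!/bin/sh
# Added example, not macOSLAPS's own code. Assumes the log format shown in
# this thread: Level|Date|macOSLAPS|Message, one record per line.

LAPS_LOG=/Library/Logs/macOSLAPS.log   # path given by the maintainer above

# Read log lines from stdin and print the last state seen:
#   NOT_BOUND      macOSLAPS reported the Mac is not bound to Active Directory
#   DC:<hostname>  a preferred domain controller was selected
#   UNKNOWN        neither message appeared
laps_log_status() {
    awk -F'|' '
        $4 ~ /does not appear to be bound to Active Directory/ { st = "NOT_BOUND" }
        $4 ~ /Using Preferred Domain Controller/ {
            dc = $4
            sub(/.*Using Preferred Domain Controller /, "", dc)
            sub(/\.\.\.$/, "", dc)            # strip the trailing "..."
            st = "DC:" dc
        }
        END { print (st == "" ? "UNKNOWN" : st) }'
}

# The three preconditions from the maintainer's checklist. macOS only:
# a secureToken admin needs its current password in FirstPass or the keychain,
# and only an OpenDirectory AD bind lets macOSLAPS write to its computer object
# (a Centrify bind is not seen by dsconfigad).
laps_preflight() {
    admin="$1"
    [ "$(uname)" = Darwin ] || { echo "run this on macOS"; return 2; }
    if dscl . -read "/Users/$admin" RecordName >/dev/null 2>&1; then
        echo "OK   local account $admin exists"
    else
        echo "FAIL no local account named $admin"; return 1
    fi
    if sysadminctl -secureTokenStatus "$admin" 2>&1 | grep -q ENABLED; then
        echo "NOTE $admin has secureToken: FirstPass or a keychain entry must hold its current password"
    else
        echo "OK   $admin has no secureToken"
    fi
    if dsconfigad -show 2>/dev/null | grep -q 'Active Directory Domain'; then
        echo "OK   bound to AD via OpenDirectory"
    else
        echo "FAIL not bound via OpenDirectory; macOSLAPS cannot read/write the computer object"
    fi
}

# Constructed sample in the thread's log format (hostname is a placeholder).
SAMPLE_LOG='Info|Fri Nov 27, 2020 11:09:28 AM|macOSLAPS|Using Preferred Domain Controller dc01.example.com...
Debug|Mon Dec 07, 2020 01:28:49 PM|macOSLAPS|This machine does not appear to be bound to Active Directory'

[ "${1:-}" = "--demo" ] && printf '%s\n' "$SAMPLE_LOG" | laps_log_status
```

On a real Mac, `laps_preflight <adminname>` followed by `laps_log_status < "$LAPS_LOG"` gives the same two answers the maintainer asked for in this thread.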

joshua-d-miller commented 3 years ago

That error is most likely because it is trying to change the password, but there is no password set under FirstPass or in the keychain; because the user is a secureToken user, it is unable to change the password and fails.

DBLClick commented 3 years ago

Okay, I rebuilt the workstation with the standard build. The management account is not the first account; I am using Centrify DC to bind to the domain.

Blank info in AD; the logs show:

Debug|Mon Dec 07, 2020 01:28:49 PM|macOSLAPS|This machine does not appear to be bound to Active Directory

Assuming now that Centrify isn't compatible with macOSLAPS.

Running the latest version of Centrify.

joshua-d-miller commented 3 years ago

@DBLClick you are correct that it is unfortunately not compatible with Centrify as I believe Centrify uses a different binding method vs the OpenDirectory method that macOS uses built-in. I reuse the functions that OpenDirectory uses which are most likely not compatible with Centrify. I'd be willing to look into it but unfortunately, I don't have access to Centrify.

DBLClick commented 3 years ago

https://www.centrify.com/trial-center/centrify-free-tier-vault/

Free tier for up to 50 machines.

joshua-d-miller commented 3 years ago

@DBLClick I'm currently developing a local method to pull the password that might be able to accommodate Centrify. Would this be something you might want to try?

DBLClick commented 3 years ago

I'm willing to try, just to check if it does. I'm currently working on our Big Sur image. Does macOSLAPS work with the secure token root account?

joshua-d-miller commented 3 years ago

@DBLClick I have never tried it with the root account, and I wouldn't recommend using it with the root account, as someone can just disable it, re-enable it and set a new password. I usually create an admin account that is granted secureToken. I'm still working through some bugs but will hopefully have a build you can try soon. Are you on the MacAdmins Slack?

DBLClick commented 3 years ago

Just happened today: I successfully tested it on a fresh-build Big Sur workstation. Deployed using Jamf and tested the root account; it worked fantastically. Thank you. MacAdmins Slack? Is that a podcast?

joshua-d-miller commented 3 years ago

@DBLClick Thank you for the update. I will go ahead and close this ticket. The MacAdmins Slack is a Slack team of Mac admins from all around the world and is a great resource for managing macOS devices. You can join by requesting an account here: https://www.macadmins.org