I've been learning about NoMAD and NoLoAD and decided to try it out today. I installed both on a MacBook running Mojave (10.14), currently bound to AD. I downloaded from:
https://files.nomad.menu/NoMAD.pkg
https://files.nomad.menu/NoMAD-Login-AD.zip
and both installed via pkg (double-click).
sudo authchanger -print output:
mechanisms:
builtin:policy-banner
NoMADLoginAD:CheckAD
NoMADLoginAD:PowerControl,privileged
NoMADLoginAD:EULA
NoMADLoginAD:CreateUser,privileged
NoMADLoginAD:DeMobilize,privileged
builtin:login-begin
builtin:reset-password,privileged
builtin:forward-login,privileged
builtin:auto-login,privileged
builtin:authenticate,privileged
PKINITMechanism:auth,privileged
builtin:login-success
loginwindow:success
loginwindow:FDESupport,privileged
HomeDirMechanism:login,privileged
HomeDirMechanism:status
MCXMechanism:login
CryptoTokenKit:login
loginwindow:done
NoMADLoginAD:EnableFDE,privileged
NoMADLoginAD:SierraFixes,privileged
NoMADLoginAD:KeychainAdd,privileged
defaults read /Library/Preferences/menu.nomad.login.ad.plist output:
{
ADDomain = "MYORG.LOCAL";
KeychainAddNoMAD = 1;
KeychainCreate = 1;
}
(replaced part of domain with MYORG, for anonymity)
I can sign on to a local admin account with no trouble and run NoMAD and authenticate against AD. So far, I've not been able to sign on as a mobile (AD) user from the NoLoAD prompt. It acts like the username or password is bad. However, from a terminal, I can do su -l <MobileUser> and it accepts the password I enter. My goal is to demobilize the mobile user account and unbind from AD. I don't know if this is related, but I don't have network connectivity (at least not to a network where AD is reachable) at the NoLoAD prompt. The user authenticates on a wireless network (with AD credentials) after signing on. The MacBook only connects wirelessly.
You can see some anonymized NoLoAD log entries on PasteBin, representing a failed attempt to use fast user switching (while signed on as local admin) to sign on as a mobile user, and subsequent sign back on as local admin. I'm not sure if the logs are helpful.
One log entry stands out, indicating the username or password is invalid. I'm not sure what I'm doing incorrectly, since I can authenticate with those very credentials at a Terminal prompt. I also noted the no plugin at path...NoMADLoginAD.bundle log entry. I'm not sure that's important, since according to the README, the NoLoAD package should automatically drop all the required bits in the appropriate locations. I think.
I would appreciate any suggestions or a (gentle) kick in the right direction. :-)
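As an added diagnostic for the configuration pasted above (example code written here, not NoMAD's, NoLoAD's or the poster's), this Python script parses the `authchanger -print` and `defaults read` output quoted in the post and reports anything that deviates from it: NoLoAD mechanisms missing from the login right, placed on the wrong side of Apple's `builtin:login-begin` / `loginwindow:done`, lacking the `privileged` flag, an empty `ADDomain`, or the plugin bundle not being where the SecurityAgent loads it. Assumptions: the ordering in the post is treated as the expected layout, the bundle name `NoMADLoginAD.bundle` comes from the truncated log line, and `/Library/Security/SecurityAgentPlugins` is the assumed plugin directory; both command outputs are embedded as constructed copies so the script runs offline.

```python
import os
import re

# Constructed copy of the `sudo authchanger -print` output shown in the post.
AUTHCHANGER_OUTPUT = """\
mechanisms:
builtin:policy-banner
NoMADLoginAD:CheckAD
NoMADLoginAD:PowerControl,privileged
NoMADLoginAD:EULA
NoMADLoginAD:CreateUser,privileged
NoMADLoginAD:DeMobilize,privileged
builtin:login-begin
builtin:reset-password,privileged
builtin:forward-login,privileged
builtin:auto-login,privileged
builtin:authenticate,privileged
PKINITMechanism:auth,privileged
builtin:login-success
loginwindow:success
loginwindow:FDESupport,privileged
HomeDirMechanism:login,privileged
HomeDirMechanism:status
MCXMechanism:login
CryptoTokenKit:login
loginwindow:done
NoMADLoginAD:EnableFDE,privileged
NoMADLoginAD:SierraFixes,privileged
NoMADLoginAD:KeychainAdd,privileged
"""
# Constructed copy of the `defaults read` output for menu.nomad.login.ad.plist shown in the post.
PLIST_OUTPUT = """\
{
    ADDomain = "MYORG.LOCAL";
    KeychainAddNoMAD = 1;
    KeychainCreate = 1;
}
"""
# Assumed: SecurityAgent loads plugins from here; the bundle name is from the post's log line.
PLUGINS_DIR = "/Library/Security/SecurityAgentPlugins"
BUNDLE_NAME = "NoMADLoginAD.bundle"
# Expected placement, taken from the post's ordering (an assumption, not from NoLoAD docs):
# these run before Apple's builtin:login-begin, the others after loginwindow:done.
PRE_LOGIN = ["NoMADLoginAD:CheckAD", "NoMADLoginAD:PowerControl", "NoMADLoginAD:EULA",
             "NoMADLoginAD:CreateUser", "NoMADLoginAD:DeMobilize"]
POST_LOGIN = ["NoMADLoginAD:EnableFDE", "NoMADLoginAD:SierraFixes", "NoMADLoginAD:KeychainAdd"]
# Mechanisms the post shows with the privileged flag (they run as root, so a missing flag matters).
MUST_BE_PRIVILEGED = ["NoMADLoginAD:PowerControl", "NoMADLoginAD:CreateUser", "NoMADLoginAD:DeMobilize",
                      "NoMADLoginAD:EnableFDE", "NoMADLoginAD:SierraFixes", "NoMADLoginAD:KeychainAdd"]

def parse_mechanisms(text):
    # Returns [(name, privileged)] in evaluation order, skipping the "mechanisms:" header.
    mechs = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line and not line.endswith(":"):
            name, _, flag = line.partition(",")
            mechs.append((name, flag.strip() == "privileged"))
    return mechs

def parse_defaults(text):
    # Parses the flat `key = value;` lines that `defaults read` prints.
    return {k: v.strip() for k, v in re.findall(r'^\s*(\w+)\s*=\s*"?([^";]*)"?\s*;', text, re.M)}

def check_mechanisms(mechs):
    # Returns a list of problems; an empty list means the NoLoAD entries sit where the post shows them.
    pos = {name: i for i, (name, _) in enumerate(mechs)}
    priv = dict(mechs)
    problems = [f"missing mechanism {n}" for n in PRE_LOGIN + POST_LOGIN if n not in pos]
    if "builtin:login-begin" not in pos or "loginwindow:done" not in pos:
        return problems + ["Apple's login-begin/done anchors are missing from the right"]
    for n in PRE_LOGIN:
        if n in pos and pos[n] > pos["builtin:login-begin"]:
            problems.append(f"{n} runs after builtin:login-begin")
    for n in POST_LOGIN:
        if n in pos and pos[n] < pos["loginwindow:done"]:
            problems.append(f"{n} runs before loginwindow:done")
    problems += [f"{n} is not marked privileged" for n in MUST_BE_PRIVILEGED if n in priv and not priv[n]]
    return problems

def check_plugin_bundle(plugins_dir=PLUGINS_DIR):
    # True when the bundle exists where SecurityAgent looks; False matches the "no plugin at path" log line.
    return os.path.isdir(os.path.join(plugins_dir, BUNDLE_NAME))

def run_checks(auth_text=AUTHCHANGER_OUTPUT, plist_text=PLIST_OUTPUT, plugins_dir=PLUGINS_DIR):
    problems = check_mechanisms(parse_mechanisms(auth_text))
    if not parse_defaults(plist_text).get("ADDomain"):
        problems.append("ADDomain is not set, so CheckAD has no domain to look up")
    if not check_plugin_bundle(plugins_dir):
        problems.append(f"no plugin at {os.path.join(plugins_dir, BUNDLE_NAME)}")
    return problems

if __name__ == "__main__":
    # On the Mac itself, replace the constants with live `sudo authchanger -print` and `defaults read` output.
    for p in run_checks() or ["mechanism list and preferences match the expected layout"]:
        print(p)
```

Run as root on the affected Mac with the live command output substituted for the embedded copies; the only line it will print for the configuration in the post is the "no plugin at" one if the bundle is really absent from the plugin directory, which is the first thing worth confirming given the log entry mentioned above. It cannot tell you whether AD is reachable at the login window, which the post identifies as the other open question.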