
Adding to the fun and excitement of High Sierra...



I have my first 10.13 (17A365) test box in Jamf. My (2) local admin accounts were successfully created during the Casper Imaging process, but I'm unable to authenticate with them.



-Can't log into the Login window.
-Can't SSH with them (SSH is on).
-Can't log in locally from the Terminal from another account ("login xxx").
-Can't authenticate to ARD with them (ARD is active but I can't connect).



Observations:



1) My local accounts are unusable regardless if the Mac is bound to AD or not.



2) Macs upgraded in-place from Sierra 10.12.6 work fine. Only Macs that are imaged "clean" from Casper Imaging 9.99 are affected.



3) The (2) local accounts are valid, and they have the correct UIDs according to DSCL. They are also in the correct local admin group (GID 80).



4) My AD accounts work (i.e. the Mac recognizes AD users/groups and allows me to log in and create a managed mobile account).



5) One of my local admin accounts is my Jamf service account (used for the Jamf client/agent). Casper Remote can't authenticate to run any remote tasks (packages, scripts, etc). However, most login policies appear to work (map printers, mount network SMB drives etc).



6) I'm still on Jamf 9.99 (I can't update to 9.101 for a couple weeks)



If anyone has seen this please chime in. I have searched all over, but haven't found anyone else experiencing this problem on 10.13 High Sierra.

Hi,
We had the same during beta period. Since Beta 9 that problem seemed to be solved.
Mike


Thanks @mbracco What version of Jamf are you running?


Latest version, but the problem was 10.13, not Jamf.


I figured it out:



After playing with the sysadminctl tool I realized I was able to manually create functioning local admin accounts, but the admin account pkg in my Jamf imaging workflow wasn't working.



After more research I realized that 10.13 doesn't support SHA1 passwords any longer.



So it turns out I was using a 3-year old local admin account package in my Casper Imaging workflow that was created with Per's (now deprecated) CreateUserPKG GUI tool (https://github.com/MagerValp/CreateUserPkg).



I switched to Greg's pycreateuserpkg Python CLI tool and all is good now! (https://github.com/gregneagle/pycreateuserpkg/blob/master/createuserpkg)


We noticed this and realized that (somehow) the password is F**ked up.



This was on a newly built machine (10.12.6) that was upgraded to 10.13.



Boot to recovery, open terminal and use 'resetpassword'
After resetting the password you should be able to authenticate normally.



Peter



*forked ;-)


Here's what we did to update our deployable Local Admin pkg - which we also created many moons ago with the CreateUserPKG tool. Couldn't see much difference between the pkg from this tool and the pycreateuserpkg Python CLI tool, hence this quick modification**.




  1. Deploy old pkg

  2. Manually reset password of the account created (we just did this via System Preferences > Users & Groups).

  3. Navigate to /private/var/db/dslocal/nodes/Default/users and copy the user's plist

  4. Open the old pkg in Composer and replace the user plist with the one copied above.

  5. Repackage and deploy where necessary.



You will need to temporarily modify access permissions on the Default folder and contents whilst extracting / replacing the plist.



** We compared both pkg contents with Composer after we found neither were working for us.
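Added example, not part of any post in this thread and not code from CreateUserPkg or pycreateuserpkg: a way to check which password hash types a dslocal user plist (as found under /private/var/db/dslocal/nodes/Default/users, or inside a user-creation pkg) actually carries before repackaging it. It assumes the record stores its hashes in the `ShadowHashData` attribute as an embedded binary plist and treats `SALTED-SHA512-PBKDF2` as the current type; the sample records and function names are constructed for illustration.

```python
import plistlib

MODERN = "SALTED-SHA512-PBKDF2"  # assumed current hash type for local accounts


def shadow_hash_types(user_plist_bytes):
    """Return the sorted hash-type names stored in a dslocal user record."""
    record = plistlib.loads(user_plist_bytes)  # accepts XML or binary plists
    blobs = record.get("ShadowHashData", [])
    if not blobs:
        return []
    # ShadowHashData is an array whose first element is itself a binary plist
    inner = plistlib.loads(bytes(blobs[0]))
    return sorted(inner.keys())


def check_record(user_plist_bytes):
    """Classify a record; only type names are reported, never hash material."""
    types = shadow_hash_types(user_plist_bytes)
    if not types:
        return "no-password-hash", types
    if MODERN in types:
        return "ok", types
    return "legacy-only", types


def build_sample(hash_types):
    """Constructed sample record; the hash contents are zero-filled placeholders."""
    record = {"name": ["ladmin"], "uid": ["501"]}
    if hash_types:
        inner = {t: {"entropy": b"\x00" * 64, "salt": b"\x00" * 32}
                 for t in hash_types}
        record["ShadowHashData"] = [plistlib.dumps(inner, fmt=plistlib.FMT_BINARY)]
    return plistlib.dumps(record, fmt=plistlib.FMT_BINARY)


if __name__ == "__main__":
    for label, sample in [("old pkg (constructed)", build_sample(["SALTED-SHA512"])),
                          ("after reset (constructed)", build_sample([MODERN])),
                          ("no hash (constructed)", build_sample([]))]:
        status, types = check_record(sample)
        print(f"{label}: {status} {types}")
```

To check a real record, pass the bytes of the copied plist to `check_record`; reading the live file under dslocal requires root.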


@dstranathan , I think I'm in the same situation as you (have an old PKG created with the old CreateUserPKG tool, doesn't seem to work in 10.13). You mentioned Greg's version, but as someone who isn't familiar with Python it goes over my head. Is it possible to make this into an app with a GUI, or is this something that has to be run in a terminal-type Python application?



If it's going to be too complicated I can try using @merc_support 's method.



Thanks


Found this https://derflounder.wordpress.com/2017/12/24/creating-local-user-accounts-with-pycreateuserpkg/ which is helpful. Doesn't look like there's a way to create a hidden account (which is what I need it for) so will try focusing on @merc_support 's recommendation.


@el2493



You can create a hidden account in pycreateuserpkg using the --hidden flag


Unfortunately using the pycreateuserpkg creates one issue. The secure token that is required for things like FileVault is not created using this method.



I'm still trying to find a way to get my local admin account working so it won't break any processes, but using pycreateuserpkg will cause issues with any system running 10.13.3 and up.



-Frank J


@ShadowGT Have you found a solution by now? I used the pycreateuserpkg and now logged into the admin account and it says failed to authenticate to sys admin framework, as described by the OP.



Edit: And with which parameters do you create the admin pkg @dstranathan ? Because it can't be that ShadowGT and I have a problem with it and you don't 😃


I tried pycreateuserpkg for the first time to create a local admin account. Everything seemed to work correctly except for a keychain error upon logon. Am I missing something?