Posted on 07-27-2016 05:34 AM
Hi @bentoms or anyone else that can help,
I'm having an issue where users can't reset their password successfully using ADPassMon. The user has a valid Kerberos token and line of sight to Active Directory, and the machine is connected to the network via cable. I've tried resetting all the ADPassMon settings but have had no luck getting this working. I have also tried un-binding and re-binding to the domain and resetting the Mac in between attempts.
I have a script which is making my ADPassMon plist as such:
#!/bin/sh
# Write the ADPassMon preferences for the user logged in at the console.
# Assumption: $loggedInUser is not set in the snippet as posted; here it is
# taken from the owner of /dev/console.
loggedInUser=$(stat -f%Su /dev/console)
defaults write "/Users/$loggedInUser/Library/Preferences/org.pmbuko.ADPassMon" accTest -int 0
defaults write "/Users/$loggedInUser/Library/Preferences/org.pmbuko.ADPassMon" enableKerbMinder -bool true
defaults write "/Users/$loggedInUser/Library/Preferences/org.pmbuko.ADPassMon" enableKeychainLockCheck -bool true
defaults write "/Users/$loggedInUser/Library/Preferences/org.pmbuko.ADPassMon" enableNotifications -bool true
defaults write "/Users/$loggedInUser/Library/Preferences/org.pmbuko.ADPassMon" expireAge -int 90
defaults write "/Users/$loggedInUser/Library/Preferences/org.pmbuko.ADPassMon" selectedMethod -int 1
defaults write "/Users/$loggedInUser/Library/Preferences/org.pmbuko.ADPassMon" warningDays -int 14
defaults write "/Users/$loggedInUser/Library/Preferences/org.pmbuko.ADPassMon" pwPolicy "Our Policy Text"
defaults write "/Users/$loggedInUser/Library/Preferences/org.pmbuko.ADPassMon" pwPolicyButton "I understand"
defaults write "/Users/$loggedInUser/Library/Preferences/org.pmbuko.ADPassMon" selectedBehaviour -int 2
defaults write "/Users/$loggedInUser/Library/Preferences/org.pmbuko.ADPassMon" prefsLocked -bool true
defaults write "/Users/$loggedInUser/Library/Preferences/org.pmbuko.ADPassMon" passwordCheckInterval -int 1
defaults write "/Users/$loggedInUser/Library/Preferences/org.pmbuko.ADPassMon" runIfLocal -bool true
# Make the user the owner of the plist that was just written.
chown "$loggedInUser" "/Users/$loggedInUser/Library/Preferences/org.pmbuko.ADPassMon.plist"
If anyone could shed some light on this, that would be helpful. I've tried using this with a previous version and the latest stable version from here.
Posted on 07-27-2016 06:35 AM
Are there any recorded errors that it is giving you? That could help point us in the correct direction.
Posted on 07-27-2016 06:39 AM
This is what I can see from Console.
Default 14:37:31.182678 +0100 ADPassMon subsystem: com.apple.securityd, category: unixio, enable_level: 0, persist_level: 0, default_ttl: 0, info_ttl: 0, debug_ttl: 0, generate_symptoms: 0, enable_oversize: 0, privacy_setting: 0
Default 14:37:44.562305 +0100 ADPassMon All password fields populated & new & verify match...
Default 14:37:44.567949 +0100 ADPassMon Attempting user password change..
Default 14:37:44.961414 +0100 ADPassMon Password change failed.
Posted on 07-27-2016 06:46 AM
Looking at the bug list in GitHub, this one struck a similar error to the one that you posted:
https://github.com/macmule/ADPassMon/issues/65
You might check to see if those accounts are able to change their passwords in AD. It might also be worth trying to run the same command suggested in the bug thread here:
dscl . -passwd /Users/$USER oldPassword newPassword
Posted on 07-27-2016 07:30 AM
Hi @Sachin_Parmar
Are you getting an error message, or is ADPassMon just not opening System Preferences > Users and Groups?
Have you tried resetting the password directly in System Preferences > Users and Groups as a test?
Posted on 07-27-2016 09:01 AM
Hi @jjones, so I've seen that GitHub page also and have tried it, and I get the following on any account, no matter how complex the password:
passwd: DS error: eDSAuthPasswordQualityCheckFailed
<dscl_cmd> DS Error: -14165 (eDSAuthPasswordQualityCheckFailed)
Posted on 08-07-2016 12:40 AM
@Sachin_Parmar Check your domain's password change policy.
The error is saying that you've failed some criteria, is there maybe a part of the policy that doesn't allow changes within X days?
Posted on 08-08-2016 12:15 AM
@bentoms @Sachin_Parmar We experienced this but the issues disappeared with the 10.11.6 update and in some cases unbinding and re-binding the Mac to our AD Domain.