ADPassMon no longer resetting password via Change Password option

Sachin_Parmar
Contributor

Hi @bentoms or anyone else that can help,

I'm having an issue where users can't reset their password successfully using ADPassMon. The user has a valid Kerberos token and line of sight to Active Directory, and the machine is connected to the network via cable. I've tried resetting all the ADPassMon settings but have had no luck getting this working. I have also tried un-binding and re-binding to the domain and resetting the Mac in between attempts.

I have a script which is making my ADPassMon plist as such:

    #!/bin/sh

    # Short name of the user logged in at the console
    # (assumed; $loggedInUser is not defined in the posted snippet)
    loggedInUser=$(stat -f%Su /dev/console)

    # Write the per-user ADPassMon preferences
    defaults write "/Users/$loggedInUser/Library/Preferences/org.pmbuko.ADPassMon" accTest -int 0
    defaults write "/Users/$loggedInUser/Library/Preferences/org.pmbuko.ADPassMon" enableKerbMinder -bool true
    defaults write "/Users/$loggedInUser/Library/Preferences/org.pmbuko.ADPassMon" enableKeychainLockCheck -bool true
    defaults write "/Users/$loggedInUser/Library/Preferences/org.pmbuko.ADPassMon" enableNotifications -bool true
    defaults write "/Users/$loggedInUser/Library/Preferences/org.pmbuko.ADPassMon" expireAge -int 90
    defaults write "/Users/$loggedInUser/Library/Preferences/org.pmbuko.ADPassMon" selectedMethod -int 1
    defaults write "/Users/$loggedInUser/Library/Preferences/org.pmbuko.ADPassMon" warningDays -int 14
    defaults write "/Users/$loggedInUser/Library/Preferences/org.pmbuko.ADPassMon" pwPolicy "Our Policy Text"
    defaults write "/Users/$loggedInUser/Library/Preferences/org.pmbuko.ADPassMon" pwPolicyButton "I understand"
    defaults write "/Users/$loggedInUser/Library/Preferences/org.pmbuko.ADPassMon" selectedBehaviour -int 2
    defaults write "/Users/$loggedInUser/Library/Preferences/org.pmbuko.ADPassMon" prefsLocked -bool true
    defaults write "/Users/$loggedInUser/Library/Preferences/org.pmbuko.ADPassMon" passwordCheckInterval -int 1
    defaults write "/Users/$loggedInUser/Library/Preferences/org.pmbuko.ADPassMon" runIfLocal -bool true

    # The script runs as root, so hand the plist back to the user
    chown "$loggedInUser" "/Users/$loggedInUser/Library/Preferences/org.pmbuko.ADPassMon.plist"

If anyone could shed some light on this, that would be helpful. I've tried using this with a previous version and the latest stable version from here

7 REPLIES

jjones
Contributor II

Are there any recorded errors that it is giving you? That could help point us in the correct direction.

Sachin_Parmar
Contributor

This is what I can see from Console.

    Default 14:37:31.182678 +0100   ADPassMon   subsystem: com.apple.securityd, category: unixio, enable_level: 0, persist_level: 0, default_ttl: 0, info_ttl: 0, debug_ttl: 0, generate_symptoms: 0, enable_oversize: 0, privacy_setting: 0
    Default 14:37:44.562305 +0100   ADPassMon   All password fields populated & new & verify match...
    Default 14:37:44.567949 +0100   ADPassMon   Attempting user password change..
    Default 14:37:44.961414 +0100   ADPassMon   Password change failed.

jjones
Contributor II

Looking at the bug list in GitHub, this one struck an error similar to the one you posted:
https://github.com/macmule/ADPassMon/issues/65

You might check to see if those accounts are able to change their passwords in AD. It might also be worth trying to run the same command suggested in the bug thread here:

    dscl . -passwd /Users/$USER oldPassword newPassword

May
Contributor III

Hi @Sachin_Parmar, are you getting an error message, or is ADPassMon just not opening System Preferences > Users and Groups? Have you tried resetting the password directly in System Preferences > Users and Groups as a test?

Sachin_Parmar
Contributor

Hi @jjones, so I've seen that GitHub page also and have tried it, and I get the following on any account no matter how complex the password:

    passwd: DS error: eDSAuthPasswordQualityCheckFailed
    <dscl_cmd> DS Error: -14165 (eDSAuthPasswordQualityCheckFailed)

bentoms
Release Candidate Programs Tester

@Sachin_Parmar Check your domain's password change policy.

The error is saying that you've failed some criteria. Is there maybe a part of the policy that doesn't allow changes within X days?
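
Added example (not part of the original thread, and not ADPassMon's own code): a shell check for the "no changes within X days" case raised above, which computes how long a minimum password age still blocks a change. It assumes a bound Mac exposes AD's `pwdLastSet` through `dscl` as `SMBPasswordLastSet`; the function names, the 1-day minimum age and the sample tick value are constructed for illustration.

```shell
#!/bin/sh
# pwdLastSet is a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC.
EPOCH_OFFSET=11644473600   # seconds between 1601-01-01 and 1970-01-01

# filetime_to_epoch TICKS -> Unix seconds
filetime_to_epoch() {
    echo $(( $1 / 10000000 - $EPOCH_OFFSET ))
}

# seconds_until_change_allowed TICKS MIN_AGE_DAYS NOW_EPOCH
# Prints 0 when the minimum age no longer blocks a change,
# otherwise the number of seconds the user still has to wait.
seconds_until_change_allowed() {
    # pwdLastSet = 0 means "must change at next logon": never blocked by age
    if [ "$1" -eq 0 ]; then
        echo 0
        return 0
    fi
    last_set=$(filetime_to_epoch "$1")
    remaining=$(( last_set + $2 * 86400 - $3 ))
    [ "$remaining" -gt 0 ] || remaining=0
    echo "$remaining"
}

# read_pwd_last_set SHORTNAME -> ticks, read from the directory search path.
# Assumption: the Mac is bound to AD; not called in the offline demo below.
read_pwd_last_set() {
    dscl localhost -read "/Search/Users/$1" SMBPasswordLastSet 2>/dev/null |
        awk '/SMBPasswordLastSet:/ {print $2}'
}

# Offline demo with constructed values: password set at epoch 1700000000,
# assumed minimum age of 1 day, check performed one hour later.
sample_ticks=133444736000000000
wait_s=$(seconds_until_change_allowed "$sample_ticks" 1 1700003600)
if [ "$wait_s" -gt 0 ]; then
    echo "Change blocked by minimum password age for another ${wait_s}s"
else
    echo "Minimum password age is not the cause"
fi
```

On a bound Mac, pass `$(read_pwd_last_set "$USER")` and `$(date +%s)` in place of the constructed values, with the minimum age taken from the domain's actual policy.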

cddwyer
Contributor

@bentoms @Sachin_Parmar We experienced this but the issues disappeared with the 10.11.6 update and in some cases unbinding and re-binding the Mac to our AD Domain.