After installing Composer 9.1, random AD account lock outs?

Stubakka
Contributor II

At the risk of just sounding totally stupid... I noticed my AD account locking out randomly lately and was not sure what the issue was, ran a Lock out report on my Domain and it came back blank, Then 2 days ago a co worker of mine also installed Composer 9.1 and is not having the same lock out issues with AD, I see composer is asking for admin rights when it opens and it seems totally strange that Composer would be doing this but now my co workers account is also coming up as a blank report in AD, so we are wondering if anyone has seen this or if this is a bug?

20 REPLIES 20

scottb
Honored Contributor

Dumb question. Do you save your password in your apps (checkbox)?
If yes, could you have saved an old password and not have it updated somewhere? That's the main reason I stopped using that checkbox on apps. Just a thought.
Also, are you planning on upgrading to 9.2?

Stubakka
Contributor II

Hello, From what i see when i open Composer 9.1 it just asks me for my login which since I'm on an AD bound system, is my AD username and password, NO checkbox is there to save the entry in keychain. Also we don't currently have casper running but are looking to very soon.

scottb
Honored Contributor

Yeah, sorry, I guess Composer doesn't have that like the others.
So you're just using Composer without Casper? Another place we have lots of lockouts is using our AD cred's on Wifi (internal, secure Wifi).
Do you possibly do that? Since Composer isn't using a saved ID/Pass, I don't know how that would happen.

bentoms
Esteemed Contributor
Esteemed Contributor

Composer asks to authenticate locally with Administrator rights.

So, the lockout must be being caused elsewhere.

As @boettchs enquires above, are you sure you're not using your AD creds elsewhere?

For Example;
I've know people to get locked out after deploying AV clients as they entered in their creds, & post a pw change the clients were using the old pw & therefore locked them out.

Stubakka
Contributor II

Yeah it pretty much happened as soon as I started using composer, and our AD lookup tool pretty much always can find an even on the AD controllers where the lock out happened, now they come back blank.

bentoms
Esteemed Contributor
Esteemed Contributor

@Gabriel.Duff.. Has the password changed on the account doing the AD lookup? It's a service account & not yours right??

Stubakka
Contributor II

I think i see what you mean, its pretty much a filter we use logged in as ourselves, In this case my coworker is running the lock out report that is looking for lock out events in AD

yellow
Contributor

Hmm.. OS X 10.9, Composer 8.73 (and tried 8.72) and when I build a package... I get locked out of AD. Composer goes crazy and starts opening shell after shell after shell until I get locked out. This was definitely not an issue pre-10.9. Honestly, I don't know what Composer is doing.. it doesn't hit the JSS at all.

I should note.. this happened on other Macs running 10.9. And it DOES NOT happen if we build the same installer as a DMG. Only as a .PKG. The destination is a local folder, and it doesn't matter where we put it. Even my Desktop borks.

Stubakka
Contributor II

Ah good to know someone else is seeing this also.

yellow
Contributor

Are you running 10.9 also?
We opened a support ticket with JAMF and as usual they are right on top of it. There's a debug req into the devs. No ETA on a fix.

Side note: if you authenticate initially with root or some other local admin, your AD account won't get locked out and everything will package fine.

colonelpanic
Contributor

@yellow

Any updates from JAMF on this? I just upgraded my production machine to mavericks and I'm seeing the same thing now.

nkalister
Valued Contributor

I've had 2 lock outs recently after using composer on 10.9, thought I was going crazy! good to know it's not just me.

mcarver
New Contributor III

We had also seen this happening. We were told by JAMF to build on a local non bound to AD account. Haven't had the issue since.

yellow
Contributor

So, we have a bug report in with JAMF, so they know about it and the developers will (presumably) fix it in a future version.

Our directives have been the same, use a local admin account to authenticate your Composer app when you run it, and you at least won't get locked out and it will work just fine. Kind of annoying if the meantime between Composer use = brain flush and you forgetfully lock yourself out.

scottb
Honored Contributor

One thing that's really annoying is that when I use Casper Admin, I get a 'casperadmin.ad' kerberos ticket as our casperadmin account is AD. If I need to log into a file-server, I have to nuke that stupid ticket or else I can't get to my shares. I know this was discussed elsewhere, but it's another niggling AD/Casper thing that you have to remember or you bang you head. Again.

nkalister
Valued Contributor

vote this feature request up if kerberos and casper have been annoying you, boettchs! https://jamfnation.jamfsoftware.com/featureRequest.html?id=1202

scottb
Honored Contributor

Done. :)

As a point of interest, the tickets are accessed alphabetically it appears. If the account with another kerby ticket starts with A or B or ? cas then it will use that ticket.
Anything ? cas and it uses the casperadmin ticket, which is the pain.

elsmith
New Contributor III

I am also experiencing this problem, but I get it no matter WHAT account I authenticate with. This is new to the last week - I have never had any problems with Composer on my normal, AD-bound Mac. Now it looks like I will have to build packages on a machine where I am logged in TO THE MACHINE using a local account. . . as well as using a local account for Composer.

Unfortunately, we are still on Casper 8.73 and can't upgrade quite yet, so unless this is fixed in all versions, there's not much help for us.

This must be yet another Mac OS X 10.9.2 "feature" - could possibly even have to do with the most recent security patch that came out. . . . at least for us.

yellow
Contributor

What I've been using is a local, non-domain admin account on the Mac I use to create packages with Composer. When prompted for an admin account credentials to create something in composer, I just use that account and don't have any issues with my domain account getting locked out.

pmcgurn
New Contributor III

First post on here -

Just tacking on that this is still an issue as of 9.7. It happens when I build the package in Composer, but not beforehand, while I'm configuring it. I'd call this a bug, since it's clear that "something" in Composer is failing, and the buggy part is that it's blindly retrying it until it causes the AD lockout.

Super annoying.