Jamf Nation Community

Hello, From what i see when i open Composer 9.1 it just asks me for my login which since I'm on an AD bound system, is my AD username and password, NO checkbox is there to save the entry in keychain. Also we don't currently have casper running but are looking to very soon.

Yeah, sorry, I guess Composer doesn't have that like the others.
So you're just using Composer without Casper? Another place we have lots of lockouts is using our AD cred's on Wifi (internal, secure Wifi).
Do you possibly do that? Since Composer isn't using a saved ID/Pass, I don't know how that would happen.

Composer asks to authenticate locally with Administrator rights.

So, the lockout must be being caused elsewhere.

As @boettchs enquires above, are you sure you're not using your AD creds elsewhere?

For Example;
I've know people to get locked out after deploying AV clients as they entered in their creds, & post a pw change the clients were using the old pw & therefore locked them out.

Yeah it pretty much happened as soon as I started using composer, and our AD lookup tool pretty much always can find an even on the AD controllers where the lock out happened, now they come back blank.

@Gabriel.Duff.. Has the password changed on the account doing the AD lookup? It's a service account & not yours right??

I think i see what you mean, its pretty much a filter we use logged in as ourselves, In this case my coworker is running the lock out report that is looking for lock out events in AD

Hmm.. OS X 10.9, Composer 8.73 (and tried 8.72) and when I build a package... I get locked out of AD. Composer goes crazy and starts opening shell after shell after shell until I get locked out. This was definitely not an issue pre-10.9. Honestly, I don't know what Composer is doing.. it doesn't hit the JSS at all.

I should note.. this happened on other Macs running 10.9. And it DOES NOT happen if we build the same installer as a DMG. Only as a .PKG. The destination is a local folder, and it doesn't matter where we put it. Even my Desktop borks.

Ah good to know someone else is seeing this also.

Are you running 10.9 also?
We opened a support ticket with JAMF and as usual they are right on top of it. There's a debug req into the devs. No ETA on a fix.

Side note: if you authenticate initially with root or some other local admin, your AD account won't get locked out and everything will package fine.

@yellow

Any updates from JAMF on this? I just upgraded my production machine to mavericks and I'm seeing the same thing now.

I've had 2 lock outs recently after using composer on 10.9, thought I was going crazy! good to know it's not just me.

We had also seen this happening. We were told by JAMF to build on a local non bound to AD account. Haven't had the issue since.

So, we have a bug report in with JAMF, so they know about it and the developers will (presumably) fix it in a future version.

Our directives have been the same, use a local admin account to authenticate your Composer app when you run it, and you at least won't get locked out and it will work just fine. Kind of annoying if the meantime between Composer use = brain flush and you forgetfully lock yourself out.

One thing that's really annoying is that when I use Casper Admin, I get a 'casperadmin.ad' kerberos ticket as our casperadmin account is AD. If I need to log into a file-server, I have to nuke that stupid ticket or else I can't get to my shares. I know this was discussed elsewhere, but it's another niggling AD/Casper thing that you have to remember or you bang you head. Again.

vote this feature request up if kerberos and casper have been annoying you, boettchs! https://jamfnation.jamfsoftware.com/featureRequest.html?id=1202

Done. :)

As a point of interest, the tickets are accessed alphabetically it appears. If the account with another kerby ticket starts with A or B or ? cas then it will use that ticket.
Anything ? cas and it uses the casperadmin ticket, which is the pain.

I am also experiencing this problem, but I get it no matter WHAT account I authenticate with. This is new to the last week - I have never had any problems with Composer on my normal, AD-bound Mac. Now it looks like I will have to build packages on a machine where I am logged in TO THE MACHINE using a local account. . . as well as using a local account for Composer.

Unfortunately, we are still on Casper 8.73 and can't upgrade quite yet, so unless this is fixed in all versions, there's not much help for us.

This must be yet another Mac OS X 10.9.2 "feature" - could possibly even have to do with the most recent security patch that came out. . . . at least for us.

What I've been using is a local, non-domain admin account on the Mac I use to create packages with Composer. When prompted for an admin account credentials to create something in composer, I just use that account and don't have any issues with my domain account getting locked out.

First post on here -

Just tacking on that this is still an issue as of 9.7. It happens when I build the package in Composer, but not beforehand, while I'm configuring it. I'd call this a bug, since it's clear that "something" in Composer is failing, and the buggy part is that it's blindly retrying it until it causes the AD lockout.

Super annoying.