I’m not sure if this is a bug or not, or maybe I’m not understanding what the preferences do…
UseKeychainPrompt set to true.
If a user changes their password in Users and Groups, the NoMAD keychain item does not get updated automatically, so despite the actual login password being different, NoMAD does not see a problem because the keychain item is still in sync with the AD password. Auto-login continues to work with the old password.
What behaviour should I see from ‘UseKeychainPrompt’ that “forces a sign in” to capture the updated password and store it in keychain so that NoMAD isn’t basically ignoring a Users & Groups password change? (edited)
Right now I can refresh NoMAD as much as I like but nothing changes. According to the logs, it’s definitely
Checking if the user has a password in the keychain
@HASysOps The behavior you're describing is correct. NoMAD is designed to keep your local password in sync with your AD password. It doesn't handle local only password changes based on my experience. Since the user's AD password doesn't change NoMAD doesn't trigger a local password or keychain entry change.
My recommendation is to train your users to change their password one way. Be that through NoMAD, a web portal, or whatever other solution you have available. The important bit is you let NoMAD handle the local password change. Users should always be changing their LDAP/AD/IdP password. After a successful password change NoMAD shouldn't take too long to pick up on that fact and prompt the user to change their local password.
In the case a user entirely forgets their password I generally log into our admin service account, force change their password, log into their account, and create a new keychain. At that point they can sign back into NoMAD to get a good working state. Hope that helps!