Changing AD password anywhere else but the Accounts pane = FV2 pre-boot not getting the change?

ClassicII
Contributor III

Hey Guys,

I was reading over the FV2 White Paper. It looks like if you change your AD password anywhere else, i.e. on a website or on a PC, it will make it to the OS but not down to FV2 pre-boot. Is this the way it's supposed to work? I thought that when it was changed in the OS it would also be passed down to the EFI boot partition. This is not the case in my testing.


rtrouton
Release Candidate Programs Tester

Ryan,

Here's a post summarizing how this process works in 10.7.4 and later:

http://derflounder.wordpress.com/2012/05/24/10-7-4-login-window-changes-for-filevault-2-enabled-mobi...

ClassicII
Contributor III

Rich,

Thanks for the response. Interestingly enough, I have read that post on your site. I figured this is how it has to work. I am running 10.8.2 using the native AD plugin and it does not seem to work. Basically the OS knows about the new password but FV2 never gets it. I am not sure if I am dealing with some sort of bug or something on my side.

I wanted to say that your website is fantastic and your postings are a huge asset to the Mac community.

Thanks again.

jarednichols
Honored Contributor

In our environment, if someone changes their AD password outside of their Mac, they log into their Mac (as a cached login; WiFi connectivity is user-based certs after login) and then simply lock their screen. Since they're in sight of the domain controller, when they unlock their screen they then use their new password and it updates the FV2 password. They then need to update their keychain password, however.

rtrouton
Release Candidate Programs Tester

Ryan,

If it's not updating properly, you may want to see if a machine with a fresh OS install from Apple's Internet Recovery has the same issue.

If a fresh copy of 10.8 installed from Apple's Internet Recovery works, the main thing I'd look at now would be the Recovery HD partition on the problem machine(s). In that event, I'd recommend decrypting the Macs then rebuilding the Recovery HD partition.

There's a scripted process available that will rebuild the Recovery HD partition:

http://www.brunerd.com/blog/2012/03/21/update-create-lion-recoveryhd-partition-quickly-without-reins...

There's also a couple of posts available on how to build an installer package that sets up a Recovery HD partition:

http://managingosx.wordpress.com/2012/08/15/creating-recovery-partitions/

http://derflounder.wordpress.com/2012/06/26/creating-an-updated-recovery-hd/

glutz
New Contributor III

This is a known bug with Apple. We had one computer with FV2 while bound to AD have this issue. There is no way to sync the passwords at that point. You will have to delete the user account, and at that point you can add the user account and make the user part of the FV2 group.

We have been using FV2 mixed in our environment since before the release of 10.8 and, like I said, it has happened once. I submitted a bug with Apple and it might be fixed in 10.8.3. If this is a continuous issue, you might have something else going on in your environment or image.

rtrouton
Release Candidate Programs Tester

Thanks, Grant. Can you share the bug ID #?

glutz
New Contributor III

I have requested it but their response was as follows.

"We continue working with Apple Engineering regarding your issue.

Your issue may be addressed in a future software release. Due to Apple confidential information contained in this report I am unable to provide the bug ID on this issue.

We understand the impact of this issue and appreciate how this issue affects your organization. We will continue to raise awareness within the Engineering team about the issue, but cannot guarantee any results from our efforts."

Not very comforting if you ask me.

ClassicII
Contributor III

Hmm, thanks for the info Grant.

I have submitted my own bug report, 12896076: "Changing AD password outside the OS will not pass the new password to FileVault".

ClassicII
Contributor III

I submitted a bug report to Apple. The good news is that I received a reply that it was a duplicate of 8322580. At the very least they know about it. I am kind of surprised that only one other person here has noticed this bug. But that is also a good thing if it is working for everyone else. :)

ClassicII
Contributor III

We have started to see this on a few machines again. Before, we could just create an authentication event at the terminal or screen saver and it would sync up, but that's not working with 10.8.5.

We even had the user change the password on the mac and still no change.

Would enabling another user, then removing the problematic user and then re-adding them do anything? If not, I may just try what Rich suggested and decrypt, rebuild the recovery and then try that.

Anyone else seeing this?
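The "enable another user, remove the problematic user, re-add them" approach asked about above can be done with `fdesetup`, which ships with 10.8 and later. The script below is an added example written for this thread, not code from any poster or from Apple. It assumes that `fdesetup list` prints one `shortname,GeneratedUID` line per FileVault-enabled user, that `fdesetup remove -user` and `fdesetup add -usertoadd` prompt interactively for the passwords they need, and that the script is run as root on the affected Mac. The check functions are pure shell/awk and run anywhere; only `fv2_resync_user` touches the real system. The sample `fdesetup list` output is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): verify that an account is on the
# FileVault 2 pre-boot user list and, on macOS, remove and re-add it so the
# pre-boot entry is rebuilt with the account's current password.

# Constructed sample of `fdesetup list` output, used for offline checks.
# Assumed real format: one "shortname,GeneratedUID" line per enabled user.
SAMPLE_FDE_LIST='localadmin,11111111-2222-3333-4444-555555555555
jdoe,66666666-7777-8888-9999-000000000000'

# fv2_user_enabled LIST_OUTPUT SHORTNAME -> exit 0 if SHORTNAME is FV2-enabled
fv2_user_enabled() {
    printf '%s\n' "$1" | awk -F, -v u="$2" '$1 == u { found = 1 } END { exit found ? 0 : 1 }'
}

# fv2_enabled_count LIST_OUTPUT -> prints the number of enabled users
fv2_enabled_count() {
    printf '%s\n' "$1" | awk -F, 'NF >= 2 && $1 != "" { n++ } END { print n + 0 }'
}

# fv2_resync_user SHORTNAME -> drop and re-add the user's pre-boot entry.
# Refuses to act when SHORTNAME is the only enabled account, so the volume
# never ends up with no user able to unlock it at boot (only the recovery key
# would get you back in). fdesetup prompts for the password of an existing
# enabled user (the admin enabled beforehand) and for SHORTNAME's current
# password, which is the one the pre-boot entry should have had all along.
fv2_resync_user() {
    user="$1"
    current="$(fdesetup list)" || return 1
    if ! fv2_user_enabled "$current" "$user"; then
        echo "$user is not FileVault-enabled; run: fdesetup add -usertoadd $user" >&2
        return 1
    fi
    if [ "$(fv2_enabled_count "$current")" -lt 2 ]; then
        echo "refusing: $user is the only FileVault-enabled user; enable an admin first" >&2
        return 1
    fi
    fdesetup remove -user "$user" || return 1
    fdesetup add -usertoadd "$user"
}

# Usage on the Mac, as root:  fv2_resync_user jdoe
```

This re-syncs the pre-boot entry once; it does not address why the OS-side change is not propagating, and the user's login keychain still has to be updated separately, as noted earlier in the thread. Running `fdesetup list` before and after is the quickest way to confirm the user was actually removed and re-added rather than silently skipped.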

richmac
New Contributor III

Hi Guys,

I have seen this cropping up in tests I've been running. I'm trying to cover all situations and build a flowchart of how to deal with different issues for the front office team. In my tests (MBP Retina 15" 10.9.2 & FV2), in the scenario where a password is reset in AD, the Mac is logged in using the old password. FV passes straight through to the desktop and obviously no Kerberos ticket can be acquired. The scenario that @rtrouton describes, where FV passes you to the login screen, appears to happen +- 10-20% of the time only. I have to use @jarednichols' workaround to induce an authentication event the other 80-90% of the time to get FV to take the password, then reboot to get the keychain to update.

I have rebuilt the machine using the restore partition and the issues persist.

Is this the same issue you guys are experiencing and has anyone found a more permanent solution?

Thanks