Force immediate NoMAD local password sync?

mccallister
Contributor

I've been experimenting with NoMAD and I have the preferences set to sync local passwords as shown below. It seems the only time it initiates a sync (on subsequent login) is if the local user changes the AD password from the NoMAD menu. How do I force a sync without the person having to change their AD password?

<key>LocalPasswordSync</key>
<string>1</string>

14 REPLIES 14

dpertschi
Valued Contributor

@mccallister under what other condition are you wanting/expecting the sync? If your having password resets outside of macOS, then you should enable UPCAlert. With that enabled, NoMAD will notice external password changes and prompt you to Sign In again to synchronize the local account.

mccallister
Contributor

What I am trying to do is get an initial password sync between the AD and the local.

dpertschi
Valued Contributor

OK, so in addition to using a launch daemon to keep it running, have a look at triggering the first sign in like:

open nomad://signin

https://www.nomad.menu/apple-events/

teodle
Contributor II

I am experimenting with NoMAD running under Sierra. I have LocalPasswordSync =1 (true). I just changed my AD password using the NoMAD menu, then signed out and signed back in. I expected it to do what it says in the documentation below but it didn't. It neither alerted me or prompted me. Is there some other key that needs to be modified in the config file that I'm missing?

Take the password supplied by the user and attempt to get Kerberos credentials with it. If successful then check the password agains the local user password using the OpenDirectory APIs. If the network password does not match the local password, alert the user and prompt them for their local password. Using the local password, first check to ensure it is the correct local password. If the password is correct then change the local password, the user's local Keychain, from the local password to the network password. This also needs to be done when the user changes their network password. Assuming the local password was already in sync, NoMAD will use the old and new network passwords submitted by the user to change the local password. Note: behavior with storing the password in the local Keychain may be problematic, but will be corrected.

znilsson
Contributor II

@teodle Do you also have

UseKeychain 1

set?

teodle
Contributor II

Yes. I did that. Still not seeing what I expect on NoMADsign-in (which BTW works great otherwise), which is an alert that local account psswd is out of sync with Active Directory psswd.

I need to go back and read the documentation again, I guess.

znilsson
Contributor II

Hmm. I could be wrong here, but if you had already been signed in and had a keychain entry, and all you did was change your password using the NoMAD menu with keychain sync turned on, I'm not sure that you will get a message, as it will just sync it for you since it already knows what your previous password was.

From what I've seen, I only get the message that tells me they're out of sync in instances like the first time I sign in to NoMAD on a Mac, when there is no existent keychain entry already. Every time I change the password after that, I don't get a message because it is automatically syncing it for me.

teodle
Contributor II

AH....I got it working. Was running the defaults command as the wrong user. LOL.

AdamH
New Contributor II

So I'm testing out NoMad and I'm looking for the same behavior: I'm logged into Computer1 and am logged into NoMad. I change my AD password on a different device (we'll call it computer 2), I get the alert to re-sign in because it detected a password change on Computer1. I do sign in with the new password, but it doesn't change the login keychain password like I would expect. If I log out of Computer1 and back in I get the usual Keychain update dialog.

I'm deploying the default settings via MDM- all the other settings seem to take effect, so I'm pretty sure the settings are applying.
I believe I have all the correct keys to do this:

<key>LocalPasswordSync</key> <true/>
<key>LocalPasswordSyncOnMatchOnly</key> <true/>
<key>UPCAlert</key> <true/>
<key>UseKeychain</key> <true/>

Am I missing something?

guidotti
Contributor II

@AdamH are you using NoMAD v1.4?
I am running macOS 10.12.4 with NoMAD v1.4 and this is all working correctly.
We are not using the SyncOnMatchOnly key, though.

nebakke
New Contributor II

We have a number of 10.12.4 machines and I'm in the process of testing out NoMAD 1.0.4 on them... They're all AD bound and the external password change identification is working fine, however - we seem to be having an issue with the keychain sync. If the password is changed externally and the user logs in with it, but cancels the keychain sync prompt, it stops checking and just keeps prompting them for the old keychain password on each subsequent login... That point it seems like the only option is to have them reset their password themselves - a solution that's not always feasible. I have UPCAlert and LocalPasswordSync and UseKeychain set - and it certainly works to identify an external password change if they're logged in at the time... But if the user has ignored the OS warning, NoMAD doesn't seem to care and I don't seem to be able to find a way to force the change.

Anyone have an idea on this?

slemp
New Contributor

From my looking into NoMAD, the synchronization it offers is for the user account password (which is handled by AD automatically, if you're binding to AD), which is different from the Keychain password. In our environment we are still binding to AD, and are experiencing the long-standing issue with keeping the Keychain password in sync with the AD password. I'm relatively new to this, but it looks like Keychain Minder offers this, but is no longer being well developed/supported. In my testing in macOS Sierra, Keychain Minder will detect if the Keychain password is out-of-sync with AD if you wait for the machine to sleep and wake up, but whatever was checking at login that it was in sync no longer works.

mfishel
New Contributor

Will anyone post an example of their nomad script? I am so very new to mac scripting. Thanks!

RogerH
Contributor II

@mfishel You should reach out to the community on the MacAdmins Slack there is a NoMAD channel where Joel and the creators hang out and can help you.