I've been experimenting with NoMAD and I have the preferences set to sync local passwords as shown below. It seems the only time it initiates a sync (on subsequent login) is if the local user changes the AD password from the NoMAD menu. How do I force a sync without the person having to change their AD password?
I am experimenting with NoMAD running under Sierra. I have LocalPasswordSync = 1 (true). I just changed my AD password using the NoMAD menu, then signed out and signed back in. I expected it to do what it says in the documentation below, but it didn't. It neither alerted me nor prompted me. Is there some other key that needs to be modified in the config file that I'm missing?
Take the password supplied by the user and attempt to get Kerberos credentials with it. If successful, then check the password against the local user password using the OpenDirectory APIs. If the network password does not match the local password, alert the user and prompt them for their local password. Using the local password, first check to ensure it is the correct local password. If the password is correct, then change the local password, and the user's local Keychain, from the local password to the network password. This also needs to be done when the user changes their network password. Assuming the local password was already in sync, NoMAD will use the old and new network passwords submitted by the user to change the local password. Note: behavior with storing the password in the local Keychain may be problematic, but will be corrected.
Hmm. I could be wrong here, but if you had already been signed in and had a keychain entry, and all you did was change your password using the NoMAD menu with keychain sync turned on, I'm not sure that you will get a message, as it will just sync it for you since it already knows what your previous password was.
From what I've seen, I only get the message that tells me they're out of sync in instances like the first time I sign in to NoMAD on a Mac, when there is no existent keychain entry already. Every time I change the password after that, I don't get a message because it is automatically syncing it for me.
So I'm testing out NoMAD and I'm looking for the same behavior: I'm logged into Computer1 and am logged into NoMAD. I change my AD password on a different device (we'll call it Computer2), and I get the alert to re-sign in because it detected a password change on Computer1. I do sign in with the new password, but it doesn't change the login keychain password like I would expect. If I log out of Computer1 and back in, I get the usual Keychain update dialog.
I'm deploying the default settings via MDM. All the other settings seem to take effect, so I'm pretty sure the settings are applying.
I believe I have all the correct keys to do this:
Am I missing something?
We have a number of 10.12.4 machines and I'm in the process of testing out NoMAD 1.0.4 on them... They're all AD bound and the external password change identification is working fine; however, we seem to be having an issue with the keychain sync. If the password is changed externally and the user logs in with it, but cancels the keychain sync prompt, it stops checking and just keeps prompting them for the old keychain password on each subsequent login... At that point it seems like the only option is to have them reset their password themselves, a solution that's not always feasible. I have UPCAlert, LocalPasswordSync and UseKeychain set, and it certainly works to identify an external password change if they're logged in at the time... But if the user has ignored the OS warning, NoMAD doesn't seem to care and I don't seem to be able to find a way to force the change.
Anyone have an idea on this?
From my looking into NoMAD, the synchronization it offers is for the user account password (which is handled by AD automatically, if you're binding to AD), which is different from the Keychain password. In our environment we are still binding to AD, and are experiencing the long-standing issue with keeping the Keychain password in sync with the AD password. I'm relatively new to this, but it looks like Keychain Minder offers this, but is no longer being well developed/supported. In my testing in macOS Sierra, Keychain Minder will detect if the Keychain password is out-of-sync with AD if you wait for the machine to sleep and wake up, but whatever was checking at login that it was in sync no longer works.