Keychain on mac bound to active directory

dgintor
New Contributor

Hello, I've noticed that keychain is created in system.keychain when mac joined to active directory. This keychain is named "/Active Directory/yourdomainname". This keychain stores the computer password and I would like to use this password to perform machine authentication (802.1x)

The issue I'm having, even though the created keychain set access control to "allow all applications to access this item", I still have to use "sudo" to retrieve the password (using security find-generic-password).

After further digging, I found an "error" in the access control.
using the following command in terminal: security dump-keychain -a /Library/Keychains/System.keychain
I looked at the keychain data for "/Active Directory/yourdomainname" and found:
entry 0:
authorizations (1): any
security: SecACLCopySimpleContents: The specified access control list is not in standard (simple) form.

Does anyone here know how to fix this?

Thanks in advance.

4 REPLIES 4

mm2270
Legendary Contributor II

I see the same output about it not being in simple form when dumping the System.keychain for our AD password, but its irrelevant. I can see the password for that entry with the following (change "DOMAIN" to your domain)

sudo security find-generic-password -s "/Active Directory/DOMAIN" -w /Library/Keychains/System.keychain

As for always needing to use sudo to access that, well, of course. Its in the System.keychain, not the local user keychain, so that makes perfect sense. You wouldn't actually want items in the System.keychain easily read without needing escalated privileges would you??

dgintor
New Contributor

Well, that's the thing. It's supposed to be accessible without needing to sudo because of the access control setting in the keychain.

So here's the kicker, if you go into the keychain, right click and get info, select access control, move the selection and put it back to all applications can access this item. Hit the save changes button.

It will "fix" the simple form part and you can retrieve the password without sudo.

I'm wondering if this simple form issue is on the Mac side or active directory.

jason_bracy
Contributor III

It's an AD thing. That password will change at an interval determined by AD and the change will reset your changes (I think it actually deletes and recreates the keychain, but I'm not 100% sure on that). You'd be much better off using an AD machine certificate to authenticate to 802.1X since you can control that, you have no control over the AD machine password.

I thought the machine password interval was set by the machine.