Help

Keychain on mac bound to active directory

dgintor
New Contributor

Posted on ‎02-17-2016 04:41 PM

Hello, I've noticed that keychain is created in system.keychain when mac joined to active directory. This keychain is named "/Active Directory/yourdomainname". This keychain stores the computer password and I would like to use this password to perform machine authentication (802.1x)

The issue I'm having, even though the created keychain set access control to "allow all applications to access this item", I still have to use "sudo" to retrieve the password (using security find-generic-password).

After further digging, I found an "error" in the access control.
using the following command in terminal: security dump-keychain -a /Library/Keychains/System.keychain
I looked at the keychain data for "/Active Directory/yourdomainname" and found:
entry 0:
authorizations (1): any
security: SecACLCopySimpleContents: The specified access control list is not in standard (simple) form.

Does anyone here know how to fix this?

Thanks in advance.

0 Kudos
Reply
4 REPLIES 4

mm2270
Legendary Contributor III

Posted on ‎02-17-2016 06:52 PM

I see the same output about it not being in simple form when dumping the System.keychain for our AD password, but its irrelevant. I can see the password for that entry with the following (change "DOMAIN" to your domain)

sudo security find-generic-password -s "/Active Directory/DOMAIN" -w /Library/Keychains/System.keychain

As for always needing to use sudo to access that, well, of course. Its in the System.keychain, not the local user keychain, so that makes perfect sense. You wouldn't actually want items in the System.keychain easily read without needing escalated privileges would you??

0 Kudos
Reply

dgintor
New Contributor

Posted on ‎02-17-2016 07:01 PM

Well, that's the thing. It's supposed to be accessible without needing to sudo because of the access control setting in the keychain.

So here's the kicker, if you go into the keychain, right click and get info, select access control, move the selection and put it back to all applications can access this item. Hit the save changes button.

It will "fix" the simple form part and you can retrieve the password without sudo.

I'm wondering if this simple form issue is on the Mac side or active directory.

0 Kudos
Reply

jason_bracy
Contributor III

Posted on ‎02-17-2016 08:32 PM

It's an AD thing. That password will change at an interval determined by AD and the change will reset your changes (I think it actually deletes and recreates the keychain, but I'm not 100% sure on that). You'd be much better off using an AD machine certificate to authenticate to 802.1X since you can control that, you have no control over the AD machine password.

0 Kudos
Reply

JustinN
New Contributor III
In response to jason_bracy

Posted on ‎01-11-2022 07:30 AM

I thought the machine password interval was set by the machine.

0 Kudos
Reply