LAPS for Big Sur and Monterey | error <dscl_cmd> DS Error: -14090 (eDSAuthFailed)

ysdevgan
Contributor

Hi,

We are using LAPSforMac/LAPS.sh (from caffine247/LAPSforMac on GitHub) for LAPS rotation; however, this script is not working on macOS Big Sur or Monterey.

Here is the error message:


Just wondering if someone has an alternative or fix for this?

Thanks!

1 ACCEPTED SOLUTION

If it helps this is what my line 82 looks like:

oldPass=$(curl -s -f -u $apiUser:$apiPass -H "Accept: application/xml" $apiURL/JSSResource/computers/udid/$udid/subset/extension_attributes | xpath -e "//extension_attribute[name=$extAttName]" 2>&1 | awk -F'<value>|</value>' '{print $2}')


6 REPLIES

geoff_widdowson
Contributor II

Last year when Big Sur came out I had to update the LAPS script for it to work.

This script needs to be updated to include the -e on each of the lines (there are three, on lines 82, 186, 242) for the xpath command. This is due to the version of python now used.
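The reply above pins the breakage to the xpath invocation: newer xpath builds take the expression via -e, older ones take it positionally, and the rest of the pipeline (the awk step that pulls out the value) is unchanged. The following is an added example, not code from the LAPSforMac script or from anyone in this thread. It assumes the shape of the Jamf Pro extension_attributes XML shown in the constructed sample (the attribute name "LAPS" and the password value are placeholders), detects which xpath flag style the machine supports, and falls back to a pure-awk parse when xpath is absent so the same lookup works on any macOS release.

```shell
#!/bin/sh
# Added example (not from the LAPSforMac script): look up a Jamf extension
# attribute value from the computer record XML, choosing the xpath flag
# style the installed xpath supports, or a plain awk parse if none exists.

# Constructed sample of what the Jamf Pro API returns for
# /JSSResource/computers/udid/<udid>/subset/extension_attributes
SAMPLE_XML='<?xml version="1.0" encoding="UTF-8"?>
<computer>
  <extension_attributes>
    <extension_attribute>
      <id>7</id>
      <name>Battery Cycles</name>
      <type>String</type>
      <value>142</value>
    </extension_attribute>
    <extension_attribute>
      <id>12</id>
      <name>LAPS</name>
      <type>String</type>
      <value>Xk3!placeholder-pw</value>
    </extension_attribute>
  </extension_attributes>
</computer>'

# Returns 0 when the installed xpath accepts -e (the Big Sur/Monterey style),
# 1 when it only takes the expression positionally, 2 when xpath is missing.
xpath_flag_style() {
    command -v xpath >/dev/null 2>&1 || return 2
    if printf '<a/>' | xpath -e '/a' >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# ea_value NAME  (XML on stdin): print the <value> of the extension
# attribute whose <name> equals NAME. Pure awk, so it does not depend on
# which xpath version the OS ships. Exit 1 if no such attribute exists.
ea_value() {
    awk -v want="$1" '
        /<extension_attribute>/ { inblock = 1; name = ""; value = "" }
        inblock && /<name>/  { sub(/.*<name>/, ""); sub(/<\/name>.*/, ""); name = $0 }
        inblock && /<value>/ { sub(/.*<value>/, ""); sub(/<\/value>.*/, ""); value = $0 }
        /<\/extension_attribute>/ {
            if (inblock && name == want) { print value; found = 1; exit }
            inblock = 0
        }
        END { exit found ? 0 : 1 }
    '
}

# get_old_pass NAME (XML on stdin): the same lookup routed through xpath
# when it is available (mirroring the xpath | awk pipeline in the thread),
# otherwise through ea_value. NF>2 keeps awk from printing empty lines for
# the non-<value> lines of the xpath output.
get_old_pass() {
    xml=$(cat)
    style=0
    xpath_flag_style || style=$?
    case $style in
        0) printf '%s' "$xml" | xpath -e "//extension_attribute[name='$1']" 2>/dev/null \
               | awk -F'<value>|</value>' 'NF>2{print $2}' ;;
        1) printf '%s' "$xml" | xpath "//extension_attribute[name='$1']" 2>/dev/null \
               | awk -F'<value>|</value>' 'NF>2{print $2}' ;;
        *) printf '%s' "$xml" | ea_value "$1" ;;
    esac
}

# Usage: printf '%s\n' "$SAMPLE_XML" | get_old_pass LAPS
```

In the real script the XML comes from the curl call against $apiURL rather than from SAMPLE_XML; only the parsing after the pipe changes. Running xpath_flag_style once at the top of the script and branching on it is what lets one copy of LAPS.sh work on both the pre-Big Sur and post-Big Sur xpath.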

ysdevgan
Contributor

Thanks @geoff_widdowson for sharing. I've updated the script to include -e for xpath; however, it is still failing to validate the password.


If it helps this is what my line 82 looks like:

oldPass=$(curl -s -f -u $apiUser:$apiPass -H "Accept: application/xml" $apiURL/JSSResource/computers/udid/$udid/subset/extension_attributes | xpath -e "//extension_attribute[name=$extAttName]" 2>&1 | awk -F'<value>|</value>' '{print $2}')

ysdevgan
Contributor

That's what I had on my own script. The issue is line 165 - "passwdA=`dscl /Local/Default -authonly $resetUser $oldPass`"

I can't verify password locally either.

I have three questions.

1) Did you have this working previous to Big Sur?

2) On the LAPS script have you hardwired the values on lines 48-51 like so:

# HARDCODED VALUES SET HERE
apiUser="LAPS.api"
apiPass="appple1234"
resetUser="LAPSuser"


3) On line 68 do you have your jss address:

apiURL="https://jss.**************.com:8443"


I seem to remember that if any of these were missing I got similar errors to the ones you are getting.

I appreciate your help with this issue. The script has all the values you mentioned in your last comment. I did more investigation and found that the LAPS user's Secure Token status is disabled. From the research I did, there is no way to enable it unless I know the password for the LAPS user. The script is not able to use the default password to authenticate. Here is our current workflow:

- All our Macs are DEP enrolled. During PreStage, we create a local admin user.

- Once onboarding is complete, on check-in, the default password used in PreStage is used to rotate the LAPS password, which is failing.