macOS 10.14.4 with AD: Keychain lost after updating password outside of the Mac

hawkzhang45
New Contributor II

Hi everyone,

I was told Apple finally fixed AD password syncing issues on macOS 10.14.4 several days ago, which I thought was great. (https://support.apple.com/en-us/HT209149#macos10144)

However, I confirmed a new issue while using 10.14.4: if I change my AD password outside of the Mac and use the new password to log in, normally it will require me to input the old password to update the keychain. This time, it did notify me about it, but there was no step to input the old password even when I chose "Update Keychain Password"; it then created a new keychain for me. As my company needs a cert to connect to Wi-Fi, this is pretty annoying.

If anyone has the same situation, you can try recovering your keychain by finding it in ~/Library/Keychains/XXXXXXX

Everything worked perfectly if I change the password on the Mac, which the IT department does not recommend.

I would appreciate it a lot if anyone can offer Apple's explanation (links or mail reply) about it. A solution would be even better.

ClassicII
Contributor III

Interesting, as I have tested almost every single 10.14.4 password situation except for this one. I don't think I ever actually clicked "Update" to see if it worked.

I will test this out tomorrow.

You can take a look at all my testing on the Active Directory and local accounts fixes in 10.14.4:

https://mrmacintosh.com/category/local-accounts/
https://mrmacintosh.com/category/ad-mobile-accounts/

m_entholzner
Contributor III

Apple has confirmed that this is a known issue / bug / defect of 10.14.4. I'd suggest raising an Enterprise ticket with Apple and adding your +1 to this defect. So far I have no bug ID, but you can add your case to ours: 20000049607662

ClassicII
Contributor III

@hawkzhang45 & @m.entholzner

Thanks for posting this, I have investigated and have also confirmed the issue. I wrote about it and posted a workaround for restoring the old login keychain.

https://mrmacintosh.com/10-14-4-update-breaks-update-keychain-password/

I also included an open radar.

ddixon
New Contributor II

@hawkzhang45 & @m.entholzner & @ClassicII

What I have never understood about this whole process is the need to have an end user enter their old Active Directory created keychain password to change to their new Active Directory created keychain password, and not lose any of their keychain data. As someone that works in a place in a Helpdesk capacity, I must assist users in changing their forgotten passwords. The need for an end user to know and enter their old password defeats the purpose of helping an end user change to a new password if they cannot remember their old password, which was the reason that they called the Helpdesk for help in the first place.

unlimitedbalde
New Contributor

lol, I have met the same problem, hoping somebody can help!!!

ClassicII
Contributor III

This is still busted in 10.14.5

@m.entholzner

Any word from your ticket?

m_entholzner
Contributor III

@ClassicII, Apple told me that they don't disclose internal bug IDs... but as this is a known issue, you should be able to just set your +1 on this issue. But they also confirmed that this is not fixed in 10.14.5 - let's hope for 10.14.6...

hawkzhang45
New Contributor II

Working on it

ClassicII
Contributor III

Not seeing any movement on the bug report so I filed an Enterprise Support Ticket this morning.

ClassicII
Contributor III

@hawkzhang45

Just saw your post now, awesome work on the script! Let me test it out and see if it works.

takayuki
New Contributor III

We also opened an Enterprise Support Ticket today to request Apple to include the fix to macOS 10.14.6 beta.

ClassicII
Contributor III

Heads up,

It is not looking good for this fix making it into 10.14.

The latest word is it's fixed in 10.15 beta 2.

If this is important to your organization you better talk with Apple now.

@m.entholzner @takayuki @hawkzhang45

takayuki
New Contributor III

Thanks for your heads-up, @ClassicII.

We also contacted Apple Enterprise Support to request to bring this fix to macOS 10.14.6.

analog_kid
Contributor

I've also opened an Enterprise support case regarding this issue with hopes they'll resolve it in 10.14.6.

mikeh
Contributor II

I can confirm that the keychain password is updated properly in the latest 10.15 beta. Waiting for a response from Apple about making the fix available to 10.14.6.

m_entholzner
Contributor III

Same for us... we've also requested this to be fixed in 10.14.6 too.

MTFIDjamf
Contributor II

Has anyone had a chance to test 10.14.6 yet? Did Apple fix it? We have a ticket open with Apple support but they have yet to answer the question on 10.14.6...

m_entholzner
Contributor III

There was no fix included in the latest beta - maybe this changed in the release version, but I fear this is still not fixed :(

mschroder
Valued Contributor

I am always amazed how long it takes Apple to fix something. This makes the enterprise support quite a bad deal :(

captam3rica
New Contributor III

Hi All,

Has there been any more movement on this topic?

We have been testing the latest Jamf Connect Verify KeychainItems key with the latest 10.15 beta but don't seem to be having any luck with updating specified keychain items.

mikeh
Contributor II

We've had an enterprise support ticket open on this issue ever since it was discovered. It's been fixed in the Catalina betas, but we've been told that it won't be backported to Mojave. Unfortunate.

Luckily, @ClassicII's instructions for restoring the original Keychain work like a charm. It's too bad that it's just a little labor intensive.

gabester
Contributor III

Super frustrated by this - which would seem to be a fairly straightforward fix, esp. on managed devices. Apple's now releasing security updates for Mojave that REMOVE FEATURES (e.g. the --ignore option) and ADD FEATURES (ability to understand MDM profile "Major Update" deferral) and are large enough to practically be a complete OS installation, but it does not bother to implement what likely is a trivial bug fix, thereby offloading on macOS support teams an extensive effort. I shouldn't have to update my users to Catalina - which is its own bag of hurt for many kinds of user-facing prompts for permissions and access that cannot be managed - to resolve this bug. Apple ought to patch it in Security Update 2020-004 for macOS Mojave.

Open tickets with Apple Enterprise support. Make your voices heard.

mschroder
Valued Contributor

And not even fixed in 2020-004 :(