Posted on 09-26-2017 07:03 AM
It looks like there's a bug/issue on 10.13 for Macs that are bound to AD: when the user tries to change their password, it appears to have been changed, but in reality it hasn't.
Anyone else experiencing this issue?
Posted on 09-26-2017 07:11 AM
Yes, I got an email from Apple yesterday.
Posted on 09-26-2017 07:27 AM
Have you received any notice of an estimated time for when they will release a fix?
Posted on 09-26-2017 07:39 AM
Let's remember that Apple took THREE dot versions of Sierra to eliminate the hideous badpasswordattempt bug which saw many MANY AD users locked out of their accounts. They don't seem to be QA'ing AD much, if at all, and have tried to outsource their enterprise QA to their customers. Sorry Apple, but you don't pay me (or seemingly anyone) to QA the enterprise features of your product.
Posted on 09-26-2017 07:50 AM
@jason_d wow even Enterprise Connect broke. What the heck is happening at Apple. Must be PTSD....
Posted on 09-26-2017 07:57 AM
@osxadmin Apple almost never provides advance notice on updates/fixes.
Personally, I am surprised this type of issue made it out of Beta or GM into Zero Day release...unless it was not in Beta or GM? Pure speculation on my part.
Posted on 09-26-2017 08:10 AM
Wait! Are you saying a 10.xx.0 release of OS X broke Active Directory integration?? Well, blow me down! That's never happened before!
Posted on 09-26-2017 08:51 AM
So, I'm having the exact same issue with our Macs which are bound to Apple Open Directory. So they really messed this one up. Hope the fix will follow quickly.
Posted on 09-26-2017 09:32 AM
Historically, the OS updates come out about every 6 weeks (+/- 1 or 2)
I wouldn't expect 10.13.1 until end of October-ish
And, it wasn't until 10.12.3 in late January that we got the crippling iCloud AD account lockout bug fixed.
Posted on 09-26-2017 10:30 AM
Just discovered another potential issue...
While it is just my first test case, upgrading from 10.12.6 to 10.13.0 broke the administrative privileges set in our Directory Bindings via JAMF.
We have groups in AD set up under "Allow administration by", and after updating to 10.13 those accounts would not work to elevate. If I unbound and rebound with our Binding policy, the group regained admin privileges.
Posted on 09-26-2017 11:50 AM
@kendalljjohnson Yes we've seen the same thing. Local accounts with admin privs aren't affected though, only AD groups granted admin access have this issue.
Posted on 09-26-2017 11:55 AM
Makes sense if AD integration is broken. It sounds all around like Apple really bunged up the AD piece here. But what else is new? They are consistent on this issue if nothing else.
Posted on 09-26-2017 12:04 PM
"Why are you using a core business service like Active Directory? You should let everyone use local admin accounts of their choice! IBM does it! Or use Enterprise Connect! Wait! That is broken too! Switch your Macs out for iPads!" -Apple
Posted on 09-27-2017 01:06 PM
Anyone else seeing an issue with AD-bound computers where users are not able to log back in if they do the upgrade off-site? I have 6 users who have upgraded while traveling and now they are unable to log in to their computers.
Posted on 09-27-2017 01:30 PM
@shunt Yes, we have at least one user who upgraded off-site and couldn't login local post-upgrade to macOS High Sierra 10.13.0 (17A365).
(And the release notes for macOS High Sierra 10.13.1 beta (17B25c) don't seem too promising.)
Posted on 09-27-2017 02:32 PM
I have run across this behavior. If I take a 10.12 machine which is bound to our AD and upgrade it to 10.13, everything works just fine, the user can log in.
However, if I try a clean install of 10.13 and bind it to AD with mobile accounts turned on, it will not login, just gives a generic error message saying something went wrong.
If I setup a new machine with local accounts on, everything works fine, can login to the same AD account that would not work using mobile accounts.
Go figure. Anyone have any ideas, or do I skip building new 10.13 loads for now?
Posted on 09-27-2017 06:31 PM
We had an Apple System Engineer come on campus yesterday, and he did confirm the latest bug issues with High Sierra and AD/mobile accounts/changing passwords, etc.
His advice was to hold off on upgrades...
Posted on 09-28-2017 07:07 AM
Apple Professional Services emailed this morning:
Hello, Just a quick update regarding the issue with password changes while bound to Active Directory and logged into your Mac with an Active Directory account in macOS High Sierra. If your organization is impacted by this issue and you have a paid Apple Developer Program account or Apple Developer Enterprise Program account, please test macOS High Sierra 10.13.1 beta seed 17B25 or later, which includes a fix for this issue.
Posted on 09-28-2017 07:39 AM
In my limited testing, this issue is NOT resolved in macOS 10.13.1 (17B25c).
Posted on 09-28-2017 09:29 AM
@shunt @dan.snelson - Yes! So glad we aren't alone in finding the locked-out-after-installation issue!
We have found that logging in with a local admin account and re-binding the machine does allow AD accounts to log in, then we have to re-sync the login/FV password in System Preferences > Security & Privacy > FileVault - Enable Users. Oddly, it still shows that the user who just clearly unlocked the drive cannot unlock this.
Posted on 09-28-2017 09:45 AM
@shunt Yep, got hit by this personally and had to drive back to the office to be able to login with my network account. ;(
Posted on 09-28-2017 02:31 PM
@dhorsfall We've noticed in our environment (AD mobile accounts) that you don't have to re-bind; just authenticate the user in System Preferences from a local admin account (i.e. click on the Unlock icon and have the user log in with their credentials). They have to be either on the network or VPN'd in, and have to be admins on the computer. Saves the effort of having to unbind and rebind. (We also had to have remote employees create a tempadmin account with the fancy Single User Mode trick of removing /var/db/.applesetupdone.)
Posted on 09-29-2017 07:31 AM
We've also experienced this issue. Somewhat related, using an AD account, I am not able to turn on FileVault at all with a brand new fresh install of High Sierra. I get the following error: "Authentication server refused operation because the current credentials are not authorized for the requested operation." but I am able to continue setting it up with a local account. The problem with enabling it on the local account is that it's our IT account and so my worry is that every time the machine reboots, I need to enter the IT account password to decrypt the drive instead of the AD user account. Then of course if this is true, then password changes required on the AD account side won't be cascaded to FileVault.
Posted on 09-29-2017 07:45 AM
Does anyone know if NoMAD is working correctly?
Posted on 10-02-2017 07:39 AM
I have now had users unable to log in after upgrading onsite, but some of the users who upgraded at home were fine. For the user who was onsite, we just had to unbind the computer from AD and bind it back, and she was able to log in again. Apple still has not told me whether they have come up with a fix yet or not; the only thing I have gotten out of them is that there might be a resolution to this issue in the next patch.
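An added example, not code from any post in this thread nor from Apple or Jamf: a small triage script for the symptoms reported above (a mobile account that no longer logs in after the upgrade, AD admin groups that stopped granting admin rights until a rebind). The parsing helpers take command output as an argument so they can be checked against constructed text; the live checks only run with `--live`, on the Mac, as root. The domain, OU, computer name and admin account names are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Triage an AD-bound Mac whose mobile
# account stopped logging in after the 10.13 upgrade, and optionally rebind.
# Usage (all names are placeholders):
#   sudo ./ad-triage.sh --live jdoe
#   sudo ./ad-triage.sh --live jdoe --rebind example.com mac01 'OU=Macs,DC=example,DC=com' adadmin

# Domain reported by `dsconfigad -show`; empty when the Mac is not bound.
ad_domain_from_show() {
    printf '%s\n' "$1" | awk -F'= *' '/^Active Directory Domain/ {
        sub(/ +$/, "", $2); if ($2 == "-") $2 = ""; print $2; exit }'
}

# Groups under "Allowed admin groups" in `dsconfigad -show`: the AD groups
# that 10.13.0 stopped honouring for local admin rights until a rebind.
admin_groups_from_show() {
    printf '%s\n' "$1" | awk -F'= *' '/Allowed admin groups/ {
        sub(/ +$/, "", $2); print $2; exit }'
}

# "yes" when an AuthenticationAuthority record marks a cached AD mobile account.
is_mobile_account() {
    case "$1" in
        *';LocalCachedUser;'*) printf 'yes\n' ;;
        *)                     printf 'no\n' ;;
    esac
}

if [ "${1:-}" = "--live" ]; then
    user="${2:?usage: $0 --live <username> [--rebind domain computer ou adminuser]}"
    show=$(dsconfigad -show)
    domain=$(ad_domain_from_show "$show")
    printf 'Bound domain   : %s\n' "${domain:-<not bound>}"
    printf 'Admin groups   : %s\n' "$(admin_groups_from_show "$show")"
    aa=$(dscl . -read "/Users/$user" AuthenticationAuthority 2>/dev/null)
    printf 'Mobile account : %s\n' "$(is_mobile_account "$aa")"
    # Does AD group membership still resolve into the local admin group?
    dseditgroup -o checkmember -m "$user" admin
    # Can the search path (AD included) authenticate the user right now?
    # Prompts for the password; needs the domain reachable (office LAN or VPN).
    dscl /Search -authonly "$user" && printf 'Directory auth OK\n'
    if [ "${3:-}" = "--rebind" ]; then
        rdom="$4"; comp="$5"; ou="$6"; admin="$7"
        printf 'Password for %s: ' "$admin"; stty -echo; read -r adminpw; stty echo; printf '\n'
        # -force unbinds even if the domain controller cannot be reached.
        dsconfigad -remove -force -username "$admin" -password "$adminpw"
        dsconfigad -add "$rdom" -computer "$comp" -ou "$ou" \
            -username "$admin" -password "$adminpw" \
            -mobile enable -mobileconfirm disable -force
        unset adminpw
        dsconfigad -show
    fi
fi
```

The rebind path re-creates the computer object, so the AD admin used needs rights to delete and create computer accounts in that OU; the password is read from the terminal rather than passed as an argument so it does not land in shell history.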
Posted on 10-02-2017 11:33 AM
@jrepasky looks like Joel released a NoMAD update today to fix the pw change issue through NoMAD, link to post here:
Posted on 10-02-2017 12:19 PM
Once I found some clients could not log in using their ID and password that were using AD it wasn't necessary to unbind and re-bind. Have them use their regular ID and password but have them use an ethernet cable that is connected to the domain to log in. Disconnect the ethernet cable after and they're good to go. I understand that this is an okay work around if you have clients that are onsite and your team can run around with cables and adapters to resolve.
I did try making the user an admin in sys pref but that did not work. Maybe something to do with how the profile was originally set up as a mobile/managed account?
Posted on 10-02-2017 12:19 PM
Unfortunately, in two instances so far I have found the computer name to be changed, so that will need to be edited and re-bound, but I will need to test this more. I hope not; otherwise EPO will be a nightmare.
Posted on 10-06-2017 04:43 AM
I can confirm this behavior, did anyone test with 10.13.1 to see if it is fixed?
Posted on 10-06-2017 06:39 AM
I have installed the 10.13.1 Beta on a test machine. I can confirm that it did fix the issue with not changing the password in AD, but that is the only thing that it changed apparently. FileVault password and Keychain password did not change. I tried on multiple occasions changing the password on a test AD account and saw the same results each time. I have to turn off FileVault and turn it back on in order for the new password to be set. I also have to create a new Keychain in order to prevent annoying pop-ups asking for the old password.
Posted on 10-06-2017 09:03 AM
AD bound computers having issues with users not being able to log back in if they do the upgrade off site?
We've had one so far. User returned to campus with laptop, plugged in, and within 30 seconds, account authenticated.
Not everyone will be this close....
Posted on 10-07-2017 03:34 PM
Odd, when running the High Sierra Beta versions, no issues whatsoever. Just upgraded off-site and could not log into AD account. But logged into local admin account, connected to VPN, fast user switched and all was fine. Really odd. but its seemingly clear Apple really has no interest in AD (not that I ever cared), but it will definitely trip up a lot of unsuspecting users.
Posted on 11-06-2017 04:32 AM
On 10.13.1 GM we are still seeing issues with FV passwords for mobile AD accounts not getting updated.
User changes their password; on next reboot the FV password is the old password but the user account password is the new one.
Is this still a known issue with 10.13.1?
Posted on 11-08-2017 11:50 AM
@MatG - we are still seeing this behavior on 10.13.1 clients, yes
Posted on 11-08-2017 01:20 PM
yes still an issue with 10.13.1
Posted on 11-09-2017 04:00 AM
Found on Slack:
We're seeing more issues in 10.13.1 with AD accounts and FV password sync. Apple have informed me: "it appears there is an issue in 10.13.0 and 10.13.1 where, as long as the password is only updated from the Users & Groups pane, the FileVault password will get updated after rebooting and unlocking the volume with the old FileVault password ... but if the AD password is ever changed away from the client (from the AD server, from a website, etc.), the passwords do not get synced again, even after changing it again from the Users & Groups pane. This behavior has been reported to Apple and is being targeted for a future update."
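An added example, not from any post in this thread nor from Apple: a script that re-enrols a mobile account's FileVault credential with its current AD password, which is what the "turn FileVault off and on" and "Enable Users" workarounds above achieve by hand. It uses `fdesetup remove` followed by `fdesetup add -inputplist`, with an existing FileVault-enabled local admin authorising the change, and checks the account's secure token first, since on 10.13 an account without one cannot be added to FileVault. Live steps only run with `--live`, on the Mac, as root; the user and admin names are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Re-sync a FileVault user credential
# after the AD password changed outside the client, e.g. on the AD server.
# Usage (names are placeholders):
#   sudo ./fv-resync.sh --live jdoe localadmin

# Minimal XML escaping so a password containing & < > does not break the plist.
xml_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

# Input plist in the format `fdesetup add -inputplist` reads from stdin:
# the authorising FileVault user plus the user to (re)add.
build_fdesetup_plist() {  # admin adminpw user userpw
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Username</key><string>$(xml_escape "$1")</string>
    <key>Password</key><string>$(xml_escape "$2")</string>
    <key>AdditionalUsers</key>
    <array>
        <dict>
            <key>Username</key><string>$(xml_escape "$3")</string>
            <key>Password</key><string>$(xml_escape "$4")</string>
        </dict>
    </array>
</dict>
</plist>
EOF
}

# "yes" when `fdesetup list` output (one "user,UUID" per line) names the user.
fv_user_enabled() {  # list_output user
    printf '%s\n' "$1" | awk -F, -v u="$2" '$1 == u { f = 1 } END { print (f ? "yes" : "no") }'
}

# Prompt on the terminal without echo; the secret goes to stdout for $(...).
read_secret() {  # prompt
    printf '%s: ' "$1" >&2; stty -echo; read -r s; stty echo; printf '\n' >&2; printf '%s' "$s"
}

if [ "${1:-}" = "--live" ]; then
    user="${2:?usage: $0 --live <aduser> <fv-enabled-admin>}"
    admin="${3:?usage: $0 --live <aduser> <fv-enabled-admin>}"
    # An account without a secure token cannot be added to FileVault on 10.13.
    sysadminctl -secureTokenStatus "$user"
    listing=$(fdesetup list)
    printf '%s FileVault-enabled before: %s\n' "$user" "$(fv_user_enabled "$listing" "$user")"
    adminpw=$(read_secret "FileVault password for $admin")
    userpw=$(read_secret "Current AD password for $user")
    # Drop the stale credential, then add the user back with the current password.
    if [ "$(fv_user_enabled "$listing" "$user")" = "yes" ]; then
        fdesetup remove -user "$user"
    fi
    build_fdesetup_plist "$admin" "$adminpw" "$user" "$userpw" | fdesetup add -inputplist
    unset adminpw userpw
    printf '%s FileVault-enabled after: %s\n' "$user" "$(fv_user_enabled "$(fdesetup list)" "$user")"
fi
```

The plist is piped straight into `fdesetup` rather than written to a file, so the two passwords never touch the disk; after the run, reboot and unlock with the new password to confirm the pre-boot credential really changed.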
Posted on 12-07-2017 08:28 AM
Version 10.13.2 just came out and promises to fix some AD problems.
Posted on 12-08-2017 11:34 AM
I'm running 10.3.2. I cannot enable FileVault as a domain account. I receive an error: "Account 'username' cannot be used to manage encryption on this Mac. Click lock to prevent further changes, then select another administrator account, and try again."
Posted on 12-12-2017 06:01 AM
I have a test Mac here that I was running 10.13.1 on and I experienced the problem of the FileVault Password not syncing up with Active Directory after a password change no matter how long I let it sit. I just updated it to 10.13.2. After the update, I let it sit for a few minutes at the desktop then I restarted it. It now takes the password I changed it to a couple weeks ago.
It sucks that these really stoopid bugs are surfacing in High Sierra, but I am glad Apple is making progress on fixing them.