Posted on 05-07-2019 10:45 PM
Hello all,
I've seen this mentioned a couple of times before on here, and it seems no one really has an issue with it aside from me.
We have a print server that uses Active Directory to auth users for print jobs: they have an NFC card they can boop, it ties to the user's AD account, and the print job gets released.
This works fine for Windows users, but on Mac the keychain keeps the old AD password, so when the password is updated the printing no longer works. The software is called Papercut.
I'm exploring the possibility of using Nomad and Nomad Login to synchronise the AD login with what's in the keychain, but ran into two problems:
1) The sync local password option doesn't appear to do anything. My process so far has been to install Nomad Login, and use it to create the local user account, then install Nomad. UseKeychain and LocalPasswordSync are both set to 1, and when this failed to sync the passwords I also set LocalPasswordSyncOnMatchOnly to 1. Changing the password through the Nomad app does not prompt for the local password to change, and after restarting, the login password for the machine has not been updated (it's still the same password as the initial Nomad Login password). Does Nomad actually sync with Nomad Login, or do I need to do something weird here? I noticed there are two plist files for this, one in ~/Preferences and one in /Preferences; which one do I need to set these defaults in?
2) The documentation at https://nomad.menu/help/preferences-and-what-they-do/ states I can pass a list of keychain items to sync with Nomad as a dict, however I haven't been able to find anything that gives a decent example of what that should look like on the command line. Any attempt I make at setting this using defaults write results in the error "Could not parse: Try single quoting". Does anyone have an example of a dict from the command line?
Posted on 05-08-2019 01:26 AM
I just tested it. First I created the dict
defaults write com.trusourcelabs.NoMAD KeychainItems -dict
Then I added to it
defaults write com.trusourcelabs.NoMAD KeychainItems -dict 'PaperCut Server' '"{Exchange:<>}"'
And this created it. The {Exchange:<>} has double quotes (") adjacent to it, and wrapping that are the single quotes (').
You can probably just run the second command on its own; it will create the dict and put the values into it.
Hope this helps
Posted on 05-08-2019 01:54 AM
To create multiple items in the dict:
defaults write com.trusourcelabs.NoMAD KeychainItems -dict 'PaperCut Server' '"{Exchange:<>}"' 'Google DriveFS' '"{Exchange:<>}"'
I tested this without having an existing plist in the location, and it created the plist and made the dict and put the 2 values into it.
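The two replies above get the quoting right but don't say why it is needed. The command has two layers: defaults itself parses each value as an old-style property-list literal (which is where "Could not parse: Try single quoting" comes from when a bare {Exchange:<>} is passed), so the value must be wrapped in double quotes to be read as a string, and the shell then needs single quotes around that. The following is an added example written for this page (not code from the thread, from NoMAD or from PaperCut) that builds the argument vector in code so the layers stay straight, reproduces the one-liner from the reply, and uses plistlib to show and validate the stored shape of the KeychainItems dict. The domain and key names are taken from the thread as written; that NoMAD treats "{Exchange:<>}" and "<<shortname>>" as opaque strings at this level is an assumption, as is the sample item set.

```python
"""Added example; not from the thread, NoMAD or PaperCut.

Builds `defaults write com.trusourcelabs.NoMAD KeychainItems -dict ...` safely
and shows the plist structure that results, so `defaults read` / `plutil -p`
output can be checked against it.
"""
import plistlib
import shlex

DOMAIN = "com.trusourcelabs.NoMAD"   # preference domain as used in the thread


def plist_string_literal(value):
    """Quote a string so `defaults` reads it as a string literal rather than
    trying to parse it as an old-style plist dict/array. Backslashes and
    double quotes inside the value are escaped."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def defaults_dict_argv(domain, key, items):
    """argv for: defaults write <domain> <key> -dict k1 v1 k2 v2 ...
    Pass it to subprocess.run(argv) with no shell, or shlex.join() it."""
    if not items:
        raise ValueError("refusing to write an empty dict")
    argv = ["defaults", "write", domain, key, "-dict"]
    for name, value in items.items():
        if not isinstance(name, str) or not name:
            raise ValueError(f"bad keychain item name: {name!r}")
        if not isinstance(value, str):
            raise ValueError(f"value for {name!r} must be a string")
        argv.extend([name, plist_string_literal(value)])
    return argv


def defaults_dict_command(domain, key, items):
    """The shell-quoted one-liner a person would paste (outer single quotes
    are added by shlex, inner double quotes by plist_string_literal)."""
    return shlex.join(defaults_dict_argv(domain, key, items))


def keychain_items_plist(items):
    """XML plist bytes holding only the KeychainItems dict, in the shape
    defaults stores it (dict of string -> string)."""
    return plistlib.dumps({"KeychainItems": dict(items)}, fmt=plistlib.FMT_XML)


def read_keychain_items(plist_bytes):
    """Parse a prefs plist and return KeychainItems, rejecting wrong shapes
    (e.g. a string written where a dict was meant, or non-string values)."""
    prefs = plistlib.loads(plist_bytes)
    items = prefs.get("KeychainItems")
    if not isinstance(items, dict):
        raise TypeError("KeychainItems missing or not a dict")
    bad = [k for k, v in items.items() if not isinstance(v, str)]
    if bad:
        raise TypeError(f"KeychainItems values must be strings: {bad}")
    return items


# Constructed sample (assumption): item names/values as used in the thread.
SAMPLE_ITEMS = {
    "PaperCut Server": "{Exchange:<>}",
    "Google DriveFS": "{Exchange:<>}",
    "printanyware_copier": "<<shortname>>",
}

if __name__ == "__main__":
    print(defaults_dict_command(DOMAIN, "KeychainItems", SAMPLE_ITEMS))
    print(keychain_items_plist(SAMPLE_ITEMS).decode())
    print(read_keychain_items(keychain_items_plist(SAMPLE_ITEMS)))
```

Running it prints exactly the one-liner from the reply for the PaperCut entry, plus the XML that should appear in the plist; note that plistlib escapes the angle brackets in {Exchange:<>} as entities in the XML, which is fine, since they come back as the original string on read.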
Posted on 05-08-2019 03:15 AM
I have a similar issue. We want to achieve a situation where we don't bind to AD, so I have a configuration where a user logs in with NoLoAD and the keychain logs NoMAD in automatically. What I want to happen next is for the user to then click on the 'Home Sharepoint' option (I have ShowHome set to true) and for their home drive to then show up. This is where I am having an issue. At that point, the user has to reauthenticate, and I need to see if I can get this to be single-click access.
My assumption is that this is to do with the Kerberos realms of the AD domain and the server hosting the shares are different, but I may be wrong.
Does anyone know of a way I can get such a configuration to work?
Ian
Posted on 05-08-2019 06:29 AM
Just to add to this, I have tried using the shares menu/automount to connect the share, but with the same result: a login box.
Any ideas?
Ian
Posted on 05-08-2019 06:53 AM
This article is what I used to get NoLo and NoMAD working together, so that once you log in with NoLo, NoMAD gets the keychain item and updates. The basic issue was that if NoMAD doesn't install until after a user has logged in, NoLo has nothing to reference when passing the keychain. You need to install NoMAD and NoLo at the same time (or at least before a user logs in) to create the initial keychain item. That article helped, and @nstrauss is in the MacAdmins Slack all the time and he helped me as well.
Posted on 05-08-2019 05:02 PM
Awesome responses!
Thanks to your input I'm now able to sync the local password and the network password. @sharriston, that article is fantastic, thank you for sharing.
Next step is to try writing the dict and getting the printer login keychain item updating as well, thank you all!
Posted on 05-08-2019 10:41 PM
So I've set the following:
defaults write com.trusourcelabs.NoMAD KeychainItems -dict 'printanyware_copier' '"<<shortname>>"'
However, the password is still not updating. In the keychain manager the password type is listed as "network"; does KeychainItems only apply to application passwords?
I'm also trying to sync the Wifi password with the WifiNetworks option, and this doesn't seem to be updating either. It's RADIUS auth with WPA2 enterprise, which I suspect may not be supported for this?
Posted on 05-09-2019 01:06 PM
This is a problem here too. My recommendation to users (we use NoMAD and NoLo) is to not save their password for the Papercut printers in their keychain. They're prompted when they want to print something, which is annoying, but it has cut down on the number of tickets and calls when it comes to that first week after a password change and now they can't print.
Posted on 05-09-2019 07:33 PM
So I asked the question in the MacAdmins Slack, and it appears that NoMAD will only sync application passwords.
Also, I have no idea why it's failing to set the Wi-Fi password as well, but I suspect it's for the same reason: NoMAD is probably not capable of synchronising enterprise-grade network auth.