NoMAD Login AD (NoLoAD) - mobile user login trouble

regexaurus
New Contributor II

I've been learning about NoMAD and NoLoAD and decided to try it out today. I installed both on a MacBook running Mojave (10.14), currently bound to AD. I downloaded from:

https://files.nomad.menu/NoMAD.pkg
https://files.nomad.menu/NoMAD-Login-AD.zip

and both installed via pkg (double-click).

sudo authchanger -print output:

mechanisms: builtin:policy-banner NoMADLoginAD:CheckAD NoMADLoginAD:PowerControl,privileged NoMADLoginAD:EULA NoMADLoginAD:CreateUser,privileged NoMADLoginAD:DeMobilize,privileged builtin:login-begin builtin:reset-password,privileged builtin:forward-login,privileged builtin:auto-login,privileged builtin:authenticate,privileged PKINITMechanism:auth,privileged builtin:login-success loginwindow:success loginwindow:FDESupport,privileged HomeDirMechanism:login,privileged HomeDirMechanism:status MCXMechanism:login CryptoTokenKit:login loginwindow:done NoMADLoginAD:EnableFDE,privileged NoMADLoginAD:SierraFixes,privileged NoMADLoginAD:KeychainAdd,privileged

defaults read /Library/Preferences/menu.nomad.login.ad.plist output:

{
    ADDomain = "MYORG.LOCAL";
    KeychainAddNoMAD = 1;
    KeychainCreate = 1;
}

(replaced part of domain with MYORG, for anonymity)

I can sign on to a local admin account with no trouble and run NoMAD and authenticate against AD. So far, I've not been able to sign on as a mobile (AD) user from the NoLoAD prompt. It acts like the username or password is bad. However, from a terminal, I can do su -l <MobileUser> and it accepts the password I enter. My goal is to demobilize the mobile user account and unbind from AD. I don't know if this is related, but I don't have network connectivity (at least not to a network where AD is reachable) at the NoLoAD prompt. The user authenticates on a wireless network (with AD credentials) after signing on. The MacBook only connects wirelessly.

You can see some anonymized NoLoAD log entries on PasteBin, representing a failed attempt to use fast user switching (while signed on as local admin) to sign on as a mobile user, and subsequent sign back on as local admin. I'm not sure if the logs are helpful.
One log entry stands out, indicating the username or password is invalid. I'm not sure what I'm doing incorrectly, since I can authenticate with those very credentials at a Terminal prompt. I also noted the no plugin at path...NoMADLoginAD.bundle log entry. I'm not sure that's important, since according to the README, the NoLoAD package should automatically drop all the required bits in the appropriate locations. I think.

I would appreciate any suggestions or a (gentle) kick in the right direction. :-)


regexaurus
New Contributor II

After posting the above, I used rtrouton's script to demobilize the mobile user and unbind the MacBook from AD. I was still unable to log in as the (previously mobile) user at the NoLoAD prompt, but now I could no longer authenticate as the user via su -l <LocalUser>, either. After changing the user's password (passwd <LocalUser>), I can now sign on as the demobilized (local) user at the NoLoAD prompt. I'm still not out of the woods, however. Even though I set NoLoAD preferences to create a Keychain entry and auto sign on to NoMAD, that isn't working. As far as I can tell, it's not even attempting (I see no related Keychain entry). Also, I can manually launch NoMAD and authenticate with the user's AD credentials, but the local account and the AD account seem disjointed. The local and AD usernames are the same, but the passwords differ and NoMAD isn't syncing the credentials.
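The two checks that both posts circle around (is the NoLoAD plugin actually wired into the login mechanism chain, and is the account still a mobile/AD-cached account or now purely local) can be scripted. The following is an added diagnostic example, not code from the original thread or from the NoMAD project; it assumes the standard SecurityAgentPlugins bundle location, the authchanger and dscl commands, and the ";LocalCachedUser;" tag that macOS puts in AuthenticationAuthority for mobile accounts.

```shell
#!/bin/sh
# Added example: sanity checks for a NoMAD Login AD (NoLoAD) install.
# Assumed bundle path; NoLoAD normally installs its plugin here.
PLUGIN_BUNDLE="/Library/Security/SecurityAgentPlugins/NoMADLoginAD.bundle"

# check_mechanisms MECHLIST
# MECHLIST is the space-separated list printed by `authchanger -print`
# (without the leading "mechanisms: "). Returns 0 when the NoLoAD
# mechanisms are present and NoMADLoginAD:CheckAD runs before
# builtin:login-begin; otherwise prints what is wrong and returns 1.
check_mechanisms() {
    mechs="$1"
    for m in NoMADLoginAD:CheckAD NoMADLoginAD:CreateUser,privileged \
             NoMADLoginAD:DeMobilize,privileged \
             NoMADLoginAD:KeychainAdd,privileged builtin:login-begin; do
        case " $mechs " in
            *" $m "*) ;;
            *) echo "missing mechanism: $m"; return 1 ;;
        esac
    done
    # Everything left of builtin:login-begin runs before the login starts.
    before="${mechs%%builtin:login-begin*}"
    case "$before" in
        *NoMADLoginAD:CheckAD*) return 0 ;;
        *) echo "NoMADLoginAD:CheckAD is not before builtin:login-begin"; return 1 ;;
    esac
}

# classify_account AUTHLINE
# AUTHLINE is the output of `dscl . -read /Users/<name> AuthenticationAuthority`.
# Prints "mobile" while the AD cached-credential tag is present,
# "local" once only a ShadowHash remains (i.e. after demobilizing).
classify_account() {
    case "$1" in
        *LocalCachedUser*) echo mobile ;;
        *ShadowHash*)      echo local ;;
        *)                 echo unknown ;;
    esac
}

# Live checks: only meaningful on a Mac with NoLoAD installed; skipped elsewhere.
if [ -n "${1:-}" ] && command -v authchanger >/dev/null 2>&1; then
    [ -d "$PLUGIN_BUNDLE" ] || echo "plugin bundle not found at $PLUGIN_BUNDLE"
    check_mechanisms "$(sudo authchanger -print | sed 's/^mechanisms: //')"
    classify_account "$(dscl . -read "/Users/$1" AuthenticationAuthority)"
fi
```

Run it as `sudo sh check_noload.sh <username>` on the affected Mac; a "missing mechanism" line or a bundle-not-found line points at an incomplete install, and "mobile" vs "local" tells you whether the demobilize step actually took.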