3 weeks ago
Hello,
we have the following problem:
Nobody can change their AD password via NoMAD. This error shows up:
"Unable to change password: Configuration file does not specify default realm"
I found out that as soon as I go into the NoMAD app bundle and execute the Unix executable directly, another NoMAD instance opens and shows an icon in the menu bar, where I can successfully change my AD password:
In Jamf we deliver nomad and the launch agent as a policy and a Plist as a configuration profile.
This comes from the past; I don't know whether it is still enough and correct these days:
The weird thing is that it is working with the unix file inside the nomad.app which is on all our Macs.
Thank you for your help in advance!
3 weeks ago
NoMAD has not been supported or updated for a long time now. I would encourage you to discontinue its use and migrate to a supported solution soon, e.g. Platform SSO, Jamf Connect or XCreds, etc.
3 weeks ago
Yes, I know. But we currently have no resources for a change.
3 weeks ago - last edited 3 weeks ago
Platform SSO is free and built in to macOS:
https://developer.apple.com/documentation/authenticationservices/platform-single-sign-on-sso
here's some better documentation as far as config goes:
https://support.apple.com/guide/deployment/platform-sso-for-macos-dep7bbb05313/web
3 weeks ago
Looks like a cloud AD is necessary with PSSO and XCreds.
Do you know a solution for our problem above?
3 weeks ago
Well, I'd still be a little gun-shy about using an aging and clearly unsupported solution, for obvious reasons, but based upon what you said worked for you, I guess you could try terminating the process that spawns via the launch agent and manually executing the process via a script, as you describe above. Even if that works, a hack is a hack. Unsupported is unsupported. That said, best of luck.
3 weeks ago
I still have to use NoMAD (hoping to move off soon), but I know that when I set it up initially, I had a similar issue, and the fix for me was just putting my Kerberos realm in all caps, like DOMAIN.COM.
3 weeks ago
I also read this, and our Kerberos realm is EXAMPLE.LOCAL (the same as the AD domain, just in capitals).
3 weeks ago
This is the configuration I have been using for years, only occasionally editing the password policy rules that display when you click the ? when changing your password. I have had no issues with it:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>ADDomain</key>
<string>DOMAIN.COM</string>
<key>GetHelpOptions</key>
<string>mailto:helpdesk@domain.com</string>
<key>GetHelpType</key>
<string>URL</string>
<key>HideExpiration</key>
<false/>
<key>HidePrefs</key>
<true/>
<key>KerberosRealm</key>
<string>JAX.ORG</string>
<key>KeychainItems</key>
<dict>
<key>Exchange</key>
<string>&lt;&lt;shortname&gt;&gt;@company.org</string>
</dict>
<key>LocalPasswordSync</key>
<true/>
<key>MenuAbout</key>
<string>About NoMAD</string>
<key>MenuGetHelp</key>
<string>Contact the Service Desk</string>
<key>MenuGetSoftware</key>
<string>Self Service</string>
<key>MenuHomeDirectory</key>
<string>Network home folder</string>
<key>MenuRenewTickets</key>
<string>Renew Kerberos Tickets</string>
<key>PasswordPolicy</key>
<dict>
<key>minLength</key>
<string>16</string>
<key>minLowerCase</key>
<string>1</string>
<key>minMatches</key>
<string>3</string>
<key>minNumber</key>
<string>1</string>
<key>minSymbol</key>
<string>1</string>
<key>minUpperCase</key>
<string>1</string>
</dict>
<key>MessagePasswordChangePolicy</key>
<string>PassPhrase Complexity Requirements
• Minimum of 16 characters
• Consider a passphrase that is long, complex, hard to crack but easy for you to remember. A phrase, such as a song lyric,
book title, or quote will be longer in length, easy for you to remember, and difficult for someone else to guess.
Example: Smelltheroses!10
• Include at least one character from at least three of the following five categories:
1. Uppercase (A-Z)
2. Lowercase (a-z)
3. Base 10 digits (0-9)
4. Non-alphanumeric characters (like !@#$%^)
5. Any Unicode character including Unicode characters from Asian languages.
</string>
<key>MessageUPCAlert</key>
<string>Your password was changed elsewhere.</string>
<key>PasswordExpireCustomAlertTime</key>
<integer>0</integer>
<key>RenewTickets</key>
<true/>
<key>DontShowWelcome</key>
<true/>
<key>HideRenew</key>
<true/>
<key>SecondsToRenew</key>
<string>7200</string>
<key>ShowHome</key>
<true/>
<key>UPCAlert</key>
<true/>
<key>UseKeychain</key>
<true/>
</dict>
</plist>
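The plist above, as posted, contains a capitalised <True/> element (plist booleans are lower-case), a duplicated HidePrefs key, and an unescaped <<shortname>> placeholder inside a <string>, any of which can stop a managed preference file from parsing at all or make it load differently from what was intended; and the fix reported earlier in the thread was an all-upper-case KerberosRealm. The following script is an added example, not code from the original posts or from the NoMAD project: a static check for a NoMAD preference plist that flags exactly those defects. The sample plists embedded in it are constructed for the example and use placeholder domain values, not any real realm.

```python
"""Added example: static checks for a NoMAD preference plist.

Flags the defects that keep a managed NoMAD config from loading or from
carrying a usable Kerberos realm: XML that is not well-formed (an unescaped
<<shortname>> placeholder), non-plist elements such as <True/>, duplicated
keys (only the last copy takes effect) and a KerberosRealm that is missing
or not all upper-case, the fix reported in the thread above.
"""
import plistlib
import xml.etree.ElementTree as ET

# Value elements the plist XML format allows directly after a <key>.
PLIST_VALUE_TAGS = {"string", "integer", "real", "true", "false",
                    "date", "data", "array", "dict"}


def check_nomad_plist(data: bytes) -> list[str]:
    """Return a list of human-readable findings; empty means nothing found."""
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # Typical cause: "<<shortname>>" written literally inside a <string>;
        # it must be escaped as &lt;&lt;shortname&gt;&gt; to be valid XML.
        return [f"not well-formed XML: {exc}"]

    top = root.find("dict")
    if root.tag != "plist" or top is None:
        return ["root element is not <plist> containing a <dict>"]

    children = list(top)
    seen: dict[str, int] = {}
    realm = None
    # A plist dict is a flat sequence of <key>/<value> pairs; walk it in twos.
    i = 0
    while i < len(children):
        key_el = children[i]
        if key_el.tag != "key":
            findings.append(f"expected <key>, found <{key_el.tag}>")
            i += 1
            continue
        name = key_el.text or ""
        if i + 1 >= len(children):
            findings.append(f"key {name!r} has no value")
            break
        val_el = children[i + 1]
        if val_el.tag not in PLIST_VALUE_TAGS:
            findings.append(
                f"key {name!r} has non-plist value element <{val_el.tag}/>"
                " (booleans must be lower-case <true/> or <false/>)")
        seen[name] = seen.get(name, 0) + 1
        if name == "KerberosRealm" and val_el.tag == "string":
            realm = val_el.text or ""
        i += 2

    for name, count in seen.items():
        if count > 1:
            findings.append(
                f"key {name!r} appears {count} times; only the last copy takes effect")

    if realm is None:
        findings.append("KerberosRealm is not set")
    elif realm != realm.upper():
        findings.append(
            f"KerberosRealm {realm!r} is not upper-case (use {realm.upper()!r})")

    if not findings:
        # Confirm the file also loads through the standard plist parser.
        plistlib.loads(data)
    return findings


# Constructed samples (placeholder domain, not a real realm): the defects of
# the plist posted above, a cleaned-up version, and an unescaped placeholder.
BAD_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>ADDomain</key>
  <string>example.local</string>
  <key>KerberosRealm</key>
  <string>example.local</string>
  <key>HidePrefs</key>
  <True/>
  <key>HidePrefs</key>
  <true/>
</dict>
</plist>
"""

GOOD_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>ADDomain</key>
  <string>example.local</string>
  <key>KerberosRealm</key>
  <string>EXAMPLE.LOCAL</string>
  <key>HidePrefs</key>
  <true/>
  <key>KeychainItems</key>
  <dict>
    <key>Exchange</key>
    <string>&lt;&lt;shortname&gt;&gt;@example.local</string>
  </dict>
</dict>
</plist>
"""

UNESCAPED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>KeychainItems</key>
  <dict>
    <key>Exchange</key>
    <string><<shortname>>@example.local</string>
  </dict>
</dict>
</plist>
"""

if __name__ == "__main__":
    for label, sample in (("bad", BAD_PLIST), ("good", GOOD_PLIST),
                          ("unescaped", UNESCAPED_PLIST)):
        print(label, check_nomad_plist(sample) or "OK")
```

Run it against the XML exported from the configuration profile rather than against the profile itself; the checks are deliberately limited to what the thread supports (well-formedness, plist element names, duplicate keys and an upper-case realm) and do not try to judge the other NoMAD keys.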
3 weeks ago
Is there a reason you are still using NoMAD? That tool is fully end of life, and passing credentials through it is just asking for problems.
https://www.jamf.com/blog/jamf-to-archive-nomad-open-source-projects/
3 weeks ago
The reasons are time and money (Jamf Connect costs way too much).
And maybe that we still have a normal AD. Many are just working with cloud directories.
It's really nice of you to not answer my question and to start a completely different topic...
3 weeks ago
Your question is about using an end of life application. How to fix this is to not use an end of life application. Go find some other tool that is within your budget.