Skip to main content
Question

resetpassword Authentication Server could not be contacted

  • October 29, 2020
  • 7 replies
  • 240 views
K
Forum|alt.badge.img+12

Catalina 10.15.7 bound to AD.
Local admin the second account which is a user with admin privileges - isn't able to log in after attempting to reset the password.

Did a force unbind the system
Booted to recovery (tested with WiFi on and off)
From Terminal - resetpassword. Using the password recovery tool I'm unable to set that second account password because it says 'authentication server could not be contacted'

A bit confused as to why it even attempts that if the bind to AD isn't there anymore. Removing & re-adding the account is a nuclear option I can't use just yet.

I see posts with this error using dsconfigad and attempting to bind but I haven't found a solution for when in recovery mode

    7 replies

    J
    Forum|alt.badge.img+17
    • joshuasee
    • Valued Contributor
    • October 29, 2020

    Is the second account a directory service user? Cached account directory service accounts are marked as having remotely administered passwords, even if the binding is gone. As a result, local password tools, including resetpassword, won't touch them for fear of creating an inconsistency with the directory service.

    K
    Forum|alt.badge.img+12
    • k3vmo
    • Author
    • Valued Contributor
    • October 29, 2020

    @joshuasee That's what I was afraid of - Is the cached directory info something you can purge?

    J
    Forum|alt.badge.img
    • JoshoForShort
    • New Contributor
    • February 25, 2021

    We're in the same boat at the moment.
    @k3vmo did you manage to get it resolved, or did you proceed with nuking the account?

    U
    Forum|alt.badge.img+1

    In the network applet in sys Prefs highlight you WiFi card connection and click the Advanced button, then go to the 802.1x tab and see if anything is listed. If there is Delete it. If not the back on the network page click the Location and set a New location.

    K
    Forum|alt.badge.img+12
    • k3vmo
    • Author
    • Valued Contributor
    • March 4, 2021

    It's possible it could have been as simple as his note above - however, _
    I had to issue a decrypt File Vault from Jamf - I then ran Rich Trouton's script - https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/migrate_ad_mobile_account_to_local_account

    AFTER BACKING UP

    I still couldn't change the password under the recovery partition so as the last attempt - I logged into the local admin account.
    I copied the UID of the user account - I then deleted their account and selected to KEEP HOME FOLDER AS-IS

    I then created a new account - and right-clicked on it to Advanced Options. I set the UID to the same as the account I removed - then pointed it to the existing home directory -- the key here is that when you create the new account - the username of the account has to be identical to the home directory name.

    Rebooted and logged in with the new user (which matched the old home directory name) and new password I set and was able to get to the files.

    Granted - I didn't document what security updates this had so your mileage may vary. This by no means was an official fix. I think I got lucky.

    U
    Forum|alt.badge.img

    Hi @k3vmo I am having the same problem and when I go to delete the user account there is no option to save the home folder, any advice on this one?

    Thanks,

    Matthew

    K
    Forum|alt.badge.img+12
    • k3vmo
    • Author
    • Valued Contributor
    • April 13, 2021

    @user-KKwmGBmzZi What OS? Are you removing it via Users & Groups in System preferences? Options like dscl from the command line won't keep it by default unless you add other options in the command.

    Terms & ConditionsCookie settingsAccessibility statement