'Special' characters in JSS accounts imported from LDAP

uoscasper
New Contributor

Hi all.

Having a major issue with Casper Admin and LDAP users. Our organisation has a password policy that stipulates the use of special characters. This is causing us major issues.

Example - a user is imported into the JSS and then launches Casper Admin. The share is not mounted, and no warning is given. The user can't then add any packages as the share isn't mounted. Said user can mount the share manually in Finder with the same password. User then removes special characters, and Casper Admin works as expected. So far, using the top row of the keyboard only, the only 'special' characters we have verified to work correctly are ' and !

The issue is that our cyber security policy has recently been launched, and asking users to simplify their passwords is out of the question as it presents a risk to the organisation.

Can I ask if anyone else has this issue, and if so how did you resolve it?

The issue is on a Server 2012 R2 install of the JSS, with an SMB share configured. The issue seems to occur on anything more recent than 9.82.

JAMF are aware of the issue, but are unable to provide a solution, so we are a bit stuck.

Does anyone have any ideas?

Thanks,

Ian

7 REPLIES

were_wulff
Valued Contributor II

@uoscasper ,

Unfortunately, if certain special characters are causing Casper Admin to fail in its authentication to the SMB share, the only option to get around it is to not use the offending special characters and find other ways to keep the passwords complex enough to meet security requirements.

If that is an impossibility for your organization, you will not be able to use Casper Admin until the issue has been verified, filed, and fixed on our end, and will need to use the web app to upload files.

To do that, you or your users that have access to upload files will go to Settings >> Computer Management.

From there they’ll be able to select the appropriate option for what they wish to do; if it’s just uploading packages, they’ll click on Packages >> New to upload a package.

If they need to edit or update an existing package, find the package they need to update, click on it, and click Edit and they’ll have the ability to change information or upload a newer version of the package.

It sounds as though you already have a case open with us; if you have not sent logs in already, it would be extremely helpful for our looking into the issue and for our development team to have the debug logs from Casper Admin and a JamfSoftwareServer.log from a time when the issue was reproduced.

Since these are LDAP accounts, if there are any odd issues going on with LDAP communication with the JSS, it will sometimes show those messages in the JamfSoftwareServer.log and the Casper Admin log will give us an idea of what Casper Admin thinks is happening.

These files can be sent in on the case you currently have open.

Thanks!
Were Wulff
Jamf Support

uoscasper
New Contributor

Hi there.

Thanks for the response. I have already submitted the CasperAdminDebug.log file in the case we have open. The server is unavailable at the moment, but as soon as it is available again I will attach the other log to the case.

I will feed back to management about using the web interface to upload packages in the interim, until this is hopefully resolved.

Thanks,

Ian

were_wulff
Valued Contributor II

@uoscasper

Thanks for getting those sent in! They do tend to provide our development team valuable insight into what the software thinks is happening vs. what’s actually happening. The UI errors Casper Admin gives are sometimes pretty vague, so the log will be helpful in determining the root cause as to why it seems to be having issues with certain special characters.

It’s also helpful to know that the SMB share is able to be mounted manually, with the special characters in the passwords, through Finder as that does narrow it down to likely being an issue specific to Casper Admin.

I did find your case, but haven’t had a chance to read through all of the e-mails yet, so I do apologize if I ask for something that has already been sent in or answered.

One other thing to possibly try--I can't guarantee it will work, but I've seen it work for other issues with Casper Admin in the past so it's certainly worth a shot:

  • Go to My Assets and download a previous version of the JSS to get a previous version of Casper Admin. I wouldn't go back any further than 9.8 just to be safe.

  • Drag the older Casper Admin out to the Desktop or somewhere that isn't Applications (we don't want to overwrite the latest version just in case).

  • Right click on Casper Admin >> Show Package Contents >> Go into the Contents folder >> Open the Info.plist in a text editor (I use Text Wrangler, but Xcode or anything that won't try to 'convert' it will work).

  • Under CFBundleShortVersionString you should see the version number of the version you downloaded. Change it to 9.99.0 if you’re on 9.99.0. If you’re not on 9.99.0, change it to the appropriate version number (if you’re not sure what it is, you can find it in the Info.plist of the Casper Admin that’s in Applications >> Casper Suite).

  • Save the file

  • Open up the older Casper Admin and see if the older version that we’ve ‘faked’ to be the current version will work with the passwords that have special characters.

I don’t have a formal Product Issue number for you yet, as it’s still being written up and put together, but once we have one and have it confirmed in house (it will go to an open status at that point), I’ll reply again with the number.

When Product Issues are resolved, they are listed in our Release Notes, so you’ll be able to check future Release Notes for that number to see if the issue has been fixed.

Thanks!
Were Wulff
Jamf Support
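
The Info.plist edit described in the steps above can also be scripted. This is an added example, not part of the original post and not Jamf tooling: it uses Python's plistlib to copy the version string from the installed app into the older copy, keeps a backup, and writes the file back in the format it was found in. The bundle paths and version numbers in `demo()` are constructed sample data.

```python
import plistlib
import shutil
import tempfile
from pathlib import Path

KEY = "CFBundleShortVersionString"

def _load(app):
    """Return (path, parsed dict, on-disk format) for an app bundle's Info.plist."""
    path = Path(app) / "Contents" / "Info.plist"
    raw = path.read_bytes()
    fmt = plistlib.FMT_BINARY if raw.startswith(b"bplist00") else plistlib.FMT_XML
    return path, plistlib.loads(raw), fmt

def match_version(old_app, current_app):
    """Give old_app the version string of current_app; return (before, after)."""
    if Path(old_app).resolve() == Path(current_app).resolve():
        raise ValueError("work on a copy outside Applications, not the installed app")
    _, current, _ = _load(current_app)
    path, data, fmt = _load(old_app)
    before, data[KEY] = data[KEY], current[KEY]
    shutil.copy2(path, path.with_name("Info.plist.orig"))  # keep the original
    with path.open("wb") as fh:
        # Write back in the format found on disk so nothing is 'converted'.
        plistlib.dump(data, fh, fmt=fmt, sort_keys=False)
    return before, data[KEY]

def _fake_bundle(root, name, version, fmt):
    """Constructed stand-in for a Casper Admin bundle (sample data only)."""
    app = Path(root) / name
    (app / "Contents").mkdir(parents=True)
    with (app / "Contents" / "Info.plist").open("wb") as fh:
        plistlib.dump({"CFBundleName": "Casper Admin", KEY: version}, fh, fmt=fmt)
    return app

def demo():
    """Run the edit on two constructed bundles and report what changed."""
    with tempfile.TemporaryDirectory() as tmp:
        installed = _fake_bundle(tmp, "Applications/Casper Admin.app", "9.99.0", plistlib.FMT_XML)
        older = _fake_bundle(tmp, "Desktop/Casper Admin.app", "9.82", plistlib.FMT_BINARY)
        before, after = match_version(older, installed)
        path, data, fmt = _load(older)
        backup = plistlib.loads(path.with_name("Info.plist.orig").read_bytes())
        return before, after, data[KEY], fmt == plistlib.FMT_BINARY, backup[KEY]

if __name__ == "__main__":
    print(demo())
```

Info.plist is covered by the bundle's code signature, so the edited copy will no longer verify against the original signature.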

were_wulff
Valued Contributor II

@uoscasper

Jumping in again with a couple additional things that came to mind.

I figured I'd get a bit ahead of the game and do some testing with the information I had from this thread and your case; using 9.99.0 I wasn't able to replicate the behavior being seen (the password I used on the dummy account was ~!@#$%^&()`/><[]}{|-+= just for reference), but I did see Casper Admin prompt for the user credentials twice before finally being okay with it and moving on to mounting the SMB distribution point and opening Admin fully.

That's not too out of the ordinary as there are some long standing issues with SMB between Windows environments and Mac environments; Apple's SMB stack doesn't always pass credentials in the way the Windows stack expects so it'll prompt multiple times (or simply keep rejecting) known good credentials. I've also seen in another thread on Jamf Nation that 10.12.5 has some known issues with mounting SMB..., so that could have also been the cause of it prompting for credentials twice (the computer I used for testing is on 10.12.5). Still worth noting however.

I also saw that your environment is still on 9.98, if I read the case note correctly.
As I haven't yet been able to replicate the behavior in 9.99.0, there is the possibility that it was an issue in 9.98 that wasn't reported/noticed and was cleared up with the updates made for 9.99.0. If updating to 9.99.0 is an option for your environment, that may be something to consider as well.

Thanks!
Were Wulff
Jamf Support

uoscasper
New Contributor

Hi @were.wulff Thanks for the update. It's peculiar how it works for you, it definitely won't for me. The environment has now been upgraded to 9.99.0 and we are still having the issues. I've tried various Casper Admin versions to no avail.

We are going to do everything through the web interface in the meantime, it seems an acceptable workaround until the issue is resolved.

The Mac I have the Casper Suite installed on is running 10.12.4, but if I get the chance I might revert it to El Capitan, to see if it is a Sierra issue. If I manage to get the time to do that I will let you know if that resolves it.

But from the case so far, I did the password Luis recommended, and then substituted the last character for a special character, and it only worked with two of them. With /Volumes/ open in Finder, you could see that the drive wasn't mapping, and the Casper Admin log shows it didn't even try.

So if you could keep the issue open and pass on the issue number when it's logged I will keep my eyes open for release notes.

Many thanks,

Ian

were_wulff
Valued Contributor II

@uoscasper

I did get that Product Issue filed as PI-004105 and your case is attached to it.

Just to note: The Product Issue is still in the Confirming phase. We do not open an issue we file ourselves until someone else on the team has had a chance to test and verify it using the steps and information given; this is just kind of a failsafe to make sure the issue is reproducible.

Since I’ve apparently had some good luck and can’t make it happen in the way you're seeing (which is definitely odd for me, usually I can make SMB shares on Windows fail to mount on a Mac client just by thinking about SMB shares failing to mount!), one of my teammates will be testing it out in his environment to see if he sees the described behavior.

I did have someone else from Support reach out to me yesterday to say he had a couple of customers seeing the same/similar behavior as well, so it’ll be helpful to get information from his cases to add. We’re still waiting to hear back on those cases, however.

If you get a chance today to get that JamfSoftwareServer.log sent in on the case you have open, that'd be great!

It also may be helpful, if it's something you're able to do, to have a video of it happening; I only mention this as it's been something that's been difficult to reproduce in house, so the more evidence of it happening in customer environments we can get, the better.

Thanks!
Were Wulff
Jamf Support

uoscasper
New Contributor

Hi @were.wulff

I have attached a zipped copy of the jamfsoftwareserver.log to the case I have open, so you should be able to get a copy of it now.

Hope it helps with the troubleshooting.

Regards,

Ian