sysadminctl -secureTokenOn Returns "Unknown user" for Active Directory Account?

mschroder
Valued Contributor

Dear friends of the Secure Token,

I am trying to get a secure token for an Active Directory account. The AD user can log in and is admin, but when I run

sysadminctl interactive -adminUser ladmin -adminPassword - -secureTokenOn adaccount -password -

I get prompted for the password of ladmin (which has a secure token), and then I see

sysadminctl[number1:number2] Unknown user adaccount

Any idea what is wrong here and how to fix this?


m_stirrup
New Contributor II

When logged in via the admin account, I use:

sudo fdesetup list

sudo fdesetup remove -user first.last

sysadminctl interactive -secureTokenOn first.last -password currentADPasswordhere

sudo diskutil apfs updatePreboot /

I'm not sure you can grant a secure token to a currently logged in account, only from an account that has one and is currently logged in.
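The sequence above as a script, added here as an example and not code from either poster or from Apple. It adds the two checks a practitioner would make before running `-secureTokenOn`: whether the target account has a record on the local directory node (a network-only AD account has none, which is one plausible reason for "Unknown user"), and whether it already holds a token. Both passwords are read from the prompt (`-`) instead of being typed on the command line, so they do not end up in shell history or `ps` output. Assumptions, labelled in the code: the wording of the `-secureTokenStatus` output is taken from memory ("Secure token is ENABLED/DISABLED for user ..."), and the three `SAMPLE_*` lines are constructed for offline testing; the `dscl` and `sysadminctl` calls only run on a Mac.

```shell
#!/bin/sh
# Added example, not code from the thread or from Apple.
# ASSUMPTION: `sysadminctl -secureTokenStatus USER` writes, to stderr, a line
# containing "Secure token is ENABLED for user <name>" or
# "Secure token is DISABLED for user <name>"; an unresolvable account yields
# "Unknown user <name>" (the message quoted in the original post).
# The SAMPLE_* lines below are constructed to that shape for offline testing.

SAMPLE_ENABLED='sysadminctl[101:202] Secure token is ENABLED for user ladmin'
SAMPLE_DISABLED='sysadminctl[101:202] Secure token is DISABLED for user adaccount'
SAMPLE_UNKNOWN='sysadminctl[101:202] Unknown user adaccount'

# parse_token_status LINE
# Prints ENABLED, DISABLED, UNKNOWN or UNPARSED. Exit status is 0 only for
# the two definitive answers, so callers can branch on it.
parse_token_status() {
    case "$1" in
        *"Secure token is ENABLED for user"*)  echo ENABLED;  return 0 ;;
        *"Secure token is DISABLED for user"*) echo DISABLED; return 0 ;;
        *"Unknown user"*)                      echo UNKNOWN;  return 1 ;;
        *)                                     echo UNPARSED; return 1 ;;
    esac
}

# has_local_record USER
# Looks the account up on the local directory node ("."). For an AD user this
# only succeeds when a mobile (cached) account exists. macOS only.
has_local_record() {
    dscl . -read "/Users/$1" RecordName >/dev/null 2>&1
}

# secure_token_status USER
# Runs the real status query and prints the parsed result. macOS only.
secure_token_status() {
    out=$(sysadminctl -secureTokenStatus "$1" 2>&1) || true
    parse_token_status "$out"
}

# grant_secure_token ADMIN USER
# The steps from the reply above, with both passwords prompted for ("-")
# rather than passed as arguments. Refuses to run when the target has no
# local record and skips the grant when a token is already present.
grant_secure_token() {
    admin=$1; target=$2
    if ! has_local_record "$target"; then
        echo "no local record for $target (not a mobile account?)" >&2
        return 1
    fi
    case $(secure_token_status "$target") in
        ENABLED) echo "$target already has a secure token"; return 0 ;;
    esac
    sysadminctl -adminUser "$admin" -adminPassword - \
        -secureTokenOn "$target" -password - || return 1
    sudo diskutil apfs updatePreboot / || return 1
    secure_token_status "$target"
}

# Offline demonstration on the constructed lines.
for line in "$SAMPLE_ENABLED" "$SAMPLE_DISABLED" "$SAMPLE_UNKNOWN"; do
    status=$(parse_token_status "$line") || true
    printf '%s\n  -> %s\n' "$line" "$status"
done

# On a Mac, give the admin and target short names to run the real sequence:
#   sh grant_token.sh ladmin adaccount
if [ "$#" -eq 2 ] && command -v sysadminctl >/dev/null 2>&1; then
    grant_secure_token "$1" "$2"
fi
```

The `has_local_record` check is the part worth keeping even if the rest is discarded: if `dscl . -read /Users/adaccount` fails, `sysadminctl` has nothing to attach a token to, and the "Unknown user" message is expected rather than a bug.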

mschroder
Valued Contributor

I have tried this as the local admin logged in, as the AD account logged in, with or without 'sudo', with or without 'interactive'; I always get 'Unknown user', which is really strange when I am logged in as that user :(

I even tried a different AD account (defined directly, not a member of a network group, and added via scripts), but there too: 'Unknown user'.

How I love these precise and telling error messages.

sshort
Valued Contributor

@mschroeder What version of macOS are you running? There were some enhancements to securetoken behavior starting in 10.14.2 that are detailed in this post.

If your end goal is to have FileVault encryption enabled, just skip to enabling FileVault and macOS will auto sort out the securetoken and grant one to that AD account (assuming you're performing that command/action as the local admin user, not the AD account and running at least 10.14.2).

mschroder
Valued Contributor

@sshort: I was testing on 10.14.6, so I should have profited from the enhancements in 10.14.2.

For now my goal is indeed enabling FileVault, but I wonder which other actions might require the Secure Token (now or in the future). I had tried to enable FileVault, but it did not work. Seems I need to do some more reading on this.