Works erratically (or is it me?) about adpassmon HOT 33 CLOSED

Hmm. Odd.

Does the standard users password expire? Anything in the logs? (System.log look for ADPassMon).

On 8 Apr 2016, at 10:59, MaxFrames [email protected] wrote:

I'm trying to use the application on a domain-joined iMac running OSX 10.9.5.
Logged on as a domain user (which is also an admin on the iMac) I've downloaded the latest version, put it in the Applications directory and launched it from there. It went through a first run configuration, and it installed itself in the menu bar as supposed to.
At this point I've logged off and logged on as a different user, also a domain user but without administration rights on the machine. The application did not show in the menu bar. The task monitor showed that the process was running. I tried to kill the process and start the app, but again there was no sign of it being active at all besides it being listed in the active tasks. I've tried to promote the user to admin, uninstall the app and install it again; I've tried to delete the plist preferences and reboot, the problem was not solved.
What is the correct procedure to install the app and configure it to run automatically for all the users?

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub

from adpassmon.

I've repeated the test again: logged on as a domain user (whose password does not expire), installed ADPassMon from scratch, verified it was working (shown in the menu bar), logged off, logged on as a domain user account (whose password does expire - 180 days) and verified ADPassMon was running (resource monitor) but now showing in the menu bar.
After doing this, I logged on again as the domain admin and retrieved this from System.log:

Apr 13 08:45:47 sp-pescara.local ADPassMon[373]: Running on OS 10.9.x
Apr 13 08:45:47 sp-pescara.local ADPassMon[373]: Running under a network account.
Apr 13 08:45:47 sp-pescara.local ADPassMon[373]: Native password method selected
Apr 13 08:45:47 sp-pescara.local ADPassMon[373]: Testing Universal Access settings…
Apr 13 08:45:58 sp-pescara.local ADPassMon[373]: Prompting for password
Apr 13 08:46:09 sp-pescara.local ADPassMon[373]: Enabled
Apr 13 08:46:09 sp-pescara.local ADPassMon[373]: Domain reachable.
Apr 13 08:46:09 sp-pescara.local ADPassMon[373]: Testing if password can expire…
Apr 13 08:46:09 sp-pescara.local ADPassMon[373]: Password does not expire.
Apr 13 08:46:09 sp-pescara.local ADPassMon[373]: Stopping.
Apr 13 08:47:02 sp-pescara.local ADPassMon[488]: Running on OS 10.9.x
Apr 13 08:47:02 sp-pescara.local ADPassMon[488]: *** -[ADPassMonAppDelegate applicationWillFinishLaunching:]: Can’t make «class ocid» id «data optr00000000E0B0020000600000» into type integer. (error -1700)
Apr 13 08:50:23 sp-pescara.local ADPassMon[650]: Running on OS 10.9.x
Apr 13 08:50:23 sp-pescara.local ADPassMon[650]: Running under a network account.
Apr 13 08:50:23 sp-pescara.local ADPassMon[650]: Native password method selected
Apr 13 08:50:23 sp-pescara.local ADPassMon[650]: Testing Universal Access settings…
Apr 13 08:50:23 sp-pescara.local ADPassMon[650]: Enabled
Apr 13 08:50:24 sp-pescara.local ADPassMon[650]: Domain reachable.
Apr 13 08:50:24 sp-pescara.local ADPassMon[650]: Testing if password can expire…
Apr 13 08:50:24 sp-pescara.local ADPassMon[650]: Password does not expire.
Apr 13 08:50:24 sp-pescara.local ADPassMon[650]: Stopping.

As you can see, there is an error, which I cannot make heads or tails about, and it seemed to have occurred upon the second logon, i.e. when I logged on as the standard user.
I've found this: #59
If it helps, the system on this machine is localized in Italian.

from adpassmon.

By applying the suggestion in thread #59 (removing the dot from the expire date field) I've been able to make AdPassMon appear on the menu bar of the users.
I can confirm the problem lies there because the app worked out of the box for all the users whose passwords did not expire (no problems with the expire date format).

from adpassmon.

Can you folks run the below & advise what is returned?

echo '(131258737778620155/10000000)-11644473600' | /usr/bin/bc

@MaxFrames

from adpassmon.

@MaxFrames

Can you test the below?

ADPassMon.zip

from adpassmon.

@macmule
It's been so long that I'd forgotten all about this issue :-P
Well, since then I've upgraded to OSX 10.12. The OS language is still Italian.
I have tried the app I extracted from the ZIP file you posted above. No difference in my case. I still have the same problem (apparently, my plist workaround has been reverted by upgrading the OS). The app starts automatically, and is visible in the menu bar, if the user password does not expire. If the user password does expire, the app is not visible in the menu bar though the process is running.
The output of the echo command you posted is "1481400177".
I hope it helps, and a solution is near.

from adpassmon.

& the output is from the expiring account right?

Sat, 10 Dec 2016 20:02:57 GMT is the epoch time converted to human readable.

Can you post the ~/lLogs/ADPassMon.log from the account with the minus days?

from adpassmon.

The output is from the account with an expiring password, yes.
I am not sure what log you want me to post. I assume you mean the ADPassMon.log file found in the Console app, under ~/Library/Logs. Here is how it looks this morning (viewed from the same account):

Thu Nov 3 13:40:11 CET 2016 Launching.....
Thu Nov 3 13:40:11 CET 2016 ADPassMon 2.21.0
Thu Nov 3 13:40:11 CET 2016 Running on OS 10.12.x
Thu Nov 3 13:40:11 CET 2016 Username: maxframes
Thu Nov 3 13:49:55 CET 2016 Launching.....
Thu Nov 3 13:49:55 CET 2016 ADPassMon 2.21.0
Thu Nov 3 13:49:56 CET 2016 Running on OS 10.12.x
Thu Nov 3 13:49:57 CET 2016 Username: maxframes
Fri Nov 4 08:45:34 CET 2016 Launching.....
Fri Nov 4 08:45:34 CET 2016 ADPassMon 2.21.0
Fri Nov 4 08:45:35 CET 2016 Running on OS 10.12.x
Fri Nov 4 08:45:35 CET 2016 Username: maxframes

Not much there, it seems.

Thanks

from adpassmon.

Thanks.

I'm just trying to figure out how to recreate the issue to fix it.

Can you also post the org.pmbuko.adpassmon.plist? Should be in the users library.

Regards,

Ben.

On 4 Nov 2016, at 07:54, MaxFrames [email protected] wrote:

The output is from the account with an expiring password, yes.
I am not sure what log you want me to post. I assume you mean the ADPassMon.log file found in the Console app, under ~/Library/Logs. Here is how it looks this morning (viewed from the same account):

Thu Nov 3 13:40:11 CET 2016 Launching.....
Thu Nov 3 13:40:11 CET 2016 ADPassMon 2.21.0
Thu Nov 3 13:40:11 CET 2016 Running on OS 10.12.x
Thu Nov 3 13:40:11 CET 2016 Username: maxframes
Thu Nov 3 13:49:55 CET 2016 Launching.....
Thu Nov 3 13:49:55 CET 2016 ADPassMon 2.21.0
Thu Nov 3 13:49:56 CET 2016 Running on OS 10.12.x
Thu Nov 3 13:49:57 CET 2016 Username: maxframes
Fri Nov 4 08:45:34 CET 2016 Launching.....
Fri Nov 4 08:45:34 CET 2016 ADPassMon 2.21.0
Fri Nov 4 08:45:35 CET 2016 Running on OS 10.12.x
Fri Nov 4 08:45:35 CET 2016 Username: maxframes

Not much there, it seems.

Thanks

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.

from adpassmon.

from adpassmon.

As text?

Regards,

Ben.

On 4 Nov 2016, at 08:23, MaxFrames [email protected] wrote:

I've found it under Library/Preferences, but how do I open it as text?

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.

from adpassmon.

thanks @MaxFrames.. sorry hadn't had AM coffee.

1,4724892 is odd, i'm trying to replicate that comma but cannot :(

That also gives a date of "GMT: Sat, 20 Jun 1970 10:14:52 GMT"

However, that last date seems to sat 29th of August?

from adpassmon.

It is 29th of August. That was the date when this user's password last expired. Indeed I can confirm that I last changed it on August 30th. Passwords in our domain expire every 6 months, so the current expiration date is february 26, 2017 for this account. As for the comma, I understand it shouldn't be there? Maybe it's because of regional settings? I am using the Italian version of OSX with Italian regional settings. In Italian, the comma is used as a decimal separator (so for example 1.47 becomes 1,47).

from adpassmon.

Yep.. i've been looking at decimal marks & making it non-regionalised as AppleScript is faux-americas english, so expects no comma.. but cannot replicate yet.. i'll keep trying though!

@MaxFrames can you run:

/usr/bin/dscl localhost read /Search/Users/$USER msDS-UserPasswordExpiryTimeComputed

and:

/usr/bin/dscl localhost read /Search/Users/$USER SMBPasswordLastSet | /usr/bin/awk '/LastSet:/{print $2}'

Then post the results from both?

from adpassmon.

The first command gives "No such key: msDS-UserPasswordExpiryTimeComputed"
The second command gives "131170124806387645"

from adpassmon.

ok.. cool.. to the last commands result gives an Epoch of: 1472538880, which gives a date of: GMT: Tue, 30 Aug 2016 06:34:40 GMT.

That's only 66 days ago, not the 137 you're seeing.. but still negative days.

For the last command, you should get the result twice. Are you only getting it once?

bens-Mac:~ adtest$ /usr/bin/dscl localhost read /Search/Users/$USER SMBPasswordLastSet | /usr/bin/awk '/LastSet:/{print $2}'
131227334336522647
131227334336522647

from adpassmon.

@MaxFrames can you also post the output of dsconfigad -show?

Removing the domain info at the top

bens-Mac:~ adtest$ dsconfigad -show
Active Directory Forest          = pretendco.com
Active Directory Domain          = pretendco.com
Computer Account                 = bens-mac$

Advanced Options - User Experience
  Create mobile account at login = Enabled
     Require confirmation        = Disabled
  Force home to startup disk     = Enabled
     Mount home as sharepoint    = Enabled
  Use Windows UNC path for home  = Disabled
     Network protocol to be used = smb
  Default user Shell             = /bin/bash

Advanced Options - Mappings
  Mapping UID to attribute       = not set
  Mapping user GID to attribute  = not set
  Mapping group GID to attribute = not set
  Generate Kerberos authority    = Enabled

Advanced Options - Administrative
  Preferred Domain controller    = not set
  Allowed admin groups           = not set
  Authentication from any domain = Enabled
  Packet signing                 = allow
  Packet encryption              = allow
  Password change interval       = 14
  Restrict Dynamic DNS updates   = not set
  Namespace mode                 = domain

from adpassmon.

Yes I am only getting the output once, not twice.

Active Directory Forest = mydomain.local
Active Directory Domain = mydomain.local
Computer Account = sp-mymachine$

Advanced Options - User Experience
Create mobile account at login = Disabled
Require confirmation = Enabled
Force home to startup disk = Enabled
Mount home as sharepoint = Enabled
Use Windows UNC path for home = Enabled
Network protocol to be used = smb
Default user Shell = /bin/bash

Advanced Options - Mappings
Mapping UID to attribute = not set
Mapping user GID to attribute = not set
Mapping group GID to attribute = not set
Generate Kerberos authority = Enabled

Advanced Options - Administrative
Preferred Domain controller = not set
Allowed admin groups = amministratori dominio,amministratori enterprise
Authentication from any domain = Enabled
Packet signing = allow
Packet encryption = allow
Password change interval = 14
Restrict Dynamic DNS updates = not set
Namespace mode = domain

from adpassmon.

Ah!

Network account. (Create mobile account at login = Disabled).

Ok, gives me something else to test.

from adpassmon.

Yep, we are not using roaming profiles.

from adpassmon.

Cool.

Something more to test, it changes the dscl calls a wee bit.

I'll get back to you.

On Fri, Nov 4, 2016 at 12:01 PM, MaxFrames [email protected] wrote:

Yep, we are not using roaming profiles.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
#61 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/ACWczvYk6iWwFimIilRcefTgBX9V5Dprks5q6x6egaJpZM4IC3Aw
.

Regards,

Ben

from adpassmon.

Can you download & run the attached, then paste the output?

bens-Mac:~ adtest$ /Volumes/VMware\ Shared\ Folders/DerivedData/cfprefs-adpassmon.py
Key Value = 1481888633
Key Forced = False

cfprefs-adpassmon.py.zip

The above output is from a Mac which is bound, network & non-roaming account, & os etc is in italian.

from adpassmon.

oh.. you're on 10.12?

from adpassmon.

The output of the py file run in a terminal:
Key Value = 1,4724892
Key Forced = False

from adpassmon.

Please test: https://github.com/macmule/ADPassMon/releases/tag/154

from adpassmon.

It sort of works! A big step forward and a small step back.
The application now launches both on the account with the non expiring password and on the account with the expiring password. On the latter, it displays the correct number of days left before expiration. But on the former, it now displays a bogus negative value (-2541 days), and it displays a warning that I will have to change the password... in 2009!

from adpassmon.

@MaxFrames Cool. I spent ages on the expiration calls.. not the non-expiring!

Can you post the log ~/Library/Logs/ADPassMon.log from the account that doesn't expire?

Also, the output of /usr/bin/dscl localhost read /Search/Users/$USER userAccountControl | /usr/bin/awk '/:userAccountControl:/{print $2}' under the same account.

from adpassmon.

Log:
Wed Nov 9 10:30:41 CET 2016 Launching.....
Wed Nov 9 10:30:41 CET 2016 ADPassMon Version: 2.21.0 (154)
Wed Nov 9 10:30:41 CET 2016 Running on OS 10.12.x
Wed Nov 9 10:30:41 CET 2016 Username: sysadmin
Wed Nov 9 10:30:41 CET 2016 Set number formatter
Wed Nov 9 10:30:41 CET 2016 Registering defaults..
Wed Nov 9 10:30:41 CET 2016 Retrieving defaults..
Wed Nov 9 10:30:42 CET 2016 Running under a network account.
Wed Nov 9 10:30:46 CET 2016 Native password method selected
Wed Nov 9 10:30:46 CET 2016 Testing Universal Access settings…
Wed Nov 9 10:30:46 CET 2016 Skipping Accessibility check...
Wed Nov 9 10:30:46 CET 2016 Starting auto process…
Wed Nov 9 10:30:46 CET 2016 Domain test succeeded.
Wed Nov 9 10:30:46 CET 2016 Domain test succeeded.
Wed Nov 9 10:30:46 CET 2016 myDomain: mydomain.local
Wed Nov 9 10:30:46 CET 2016 myLDAP: mydc.mydomain.local.
Wed Nov 9 10:30:46 CET 2016 Using alt method
Wed Nov 9 10:30:47 CET 2016 mySearchBase: DC=mydomain,DC=local
Wed Nov 9 10:30:47 CET 2016 Got expireAge: 180
Wed Nov 9 10:30:47 CET 2016 pwdSetDateUnix via DSCL: 128879838540468750
Wed Nov 9 10:30:47 CET 2016 pwdSetDate epoch: 1243510000
Wed Nov 9 10:30:47 CET 2016 Today epoch: 1478683847
Wed Nov 9 10:30:47 CET 2016 Days Since Set: 2721,91952546296
Wed Nov 9 10:30:47 CET 2016 alt daysUntilExp: -2541,91952546296
Wed Nov 9 10:30:47 CET 2016 alt daysUntilExpNice: -2542
Wed Nov 9 10:30:47 CET 2016 alt secondsTilExpiry: -219621800
Wed Nov 9 10:30:47 CET 2016 Got expireDateUnix from alt: 1259062000
Wed Nov 9 10:30:47 CET 2016 expirationDate: Tue Nov 24 12:26:40 CET 2009
Wed Nov 9 10:30:47 CET 2016 Triggering notification…
Wed Nov 9 10:30:47 CET 2016 Native password method selected
Wed Nov 9 10:30:47 CET 2016 Testing Universal Access settings…
Wed Nov 9 10:30:47 CET 2016 Skipping Accessibility check...
Wed Nov 9 10:30:47 CET 2016 Testing Keychain Lock state...
Wed Nov 9 10:30:55 CET 2016 Keychain unlocked...

Output of command:
66048

from adpassmon.

Perfect! (well not, but from an issue tracking pov it is).

I'll have a look at this & hopefully will have a new build out over the weekend.

from adpassmon.

@MaxFrames please test: https://github.com/macmule/ADPassMon/releases/tag/155

from adpassmon.

It seems to work; I see correct indications for the account with the non expiring password ("--") and for the account with the expiring password (103d).
Thanks for the good work.

from adpassmon.

I wonder if I can make here a feature request. I would like to be able to change preferences globally (for all users). Specifically, I would like the password change method to default to "use adpassmon" for all users, because I want to make sure the keychain password is automatically kept in sync (a major cause of headaches); if I'm not mistaken, the only way to apply this setting to the main user of this machine is to log on with his account (I don't have the password, and I wouldn't anyway w/o permission).
thanks again

from adpassmon.

Thanks for the update @MaxFrames. :)

For the settings, i'd deploy a profile to all the Macs running ADPassMon.

ADPassMon would pick them up on it'a 1st launch after the profile has been installed.

from adpassmon.