Applies to: Centrify DirectControl on all versions of Mac OS X
Question:
A user changed their password from "outside" of the Mac; such as online webmail, Sharepoint, Windows machine, etc.
After this, they may be unable to log into their Mac with their new password.
The password has been verified on other machines to be valid. The issue only seems to affect Mac systems that are connected via Wifi.
If the Mac is connected via an Ethernet cable and the user tries to login again, it accepts their new password immediately.
Why does this happen?
Note: Passwords which are changed from the Mac System Preferences or at the reminder prompt do not encounter this issue.
Answer:
The cached password hash is only updated during a "Connected" login process.
In order to get the updated password synced with the Mac again, the user needs to perform a login while the adclient is in "Connected" mode.
To see which mode the Mac is currently in, users with version 5.1 and later can go to:
System Preferences > Centrify > Look for the "CentrifyDC mode" in Account Configuration.
For versions prior to 5.1, open the Terminal and run the command: adinfo
Look for the line that reads:
CentrifyDC mode: Connected
===
It is recommended perform one of the following options immediately afterwards if passwords are changed externally from the Mac systems:
Doing a Connected login:
(Make sure these steps are performed while Centrify is in Connected mode. If a VPN is required for this, then make sure to switch it on first - please see the additional KB at the end of this article for configuring VPN to work with Centrify)
-
Option 1:
- If the user is still in their Mac session after changing their password:
- Set up a screensaver password by going to:
-- System Preferences > Security & Privacy > "Require password [immediately] after sleep or screensaver begins"
- Invoke the screensaver (e.g. via a Hot Corner) and log back in, this will count as a Connected login.
-
Option 2:
- If the user is still in their Mac session after changing their password:
- Open the Terminal and type:
login <ad_username>
- Enter the new password and the local cache will be synced as well
- (This can also be done from another user's Terminal if the changed-password user had already logged out)
-
Option 3:
- Connect the Mac to the domain via Ethernet and perform a regular login operation (just need to logout and log back in) .
An example password-change sequence might be:
-
User "fred_jones" logs into their Wifi-connected Mac and changes their password via a third-party software.
-
After the password is updated, they can verify by opening the Terminal and typing:
login fred_jones
-
When the new password is accepted, they can close the Terminal and continue working as normal.
To configure a Mac VPN interface to work with Centrify, please see the following KB:
