Centrify DirectControl for Mac.
Question:
How can I cache/recache a network account's password for login?
Answer:
Summary: When an AD user first logs in, the password for the account will be cached. The cache can be cleared using the adflush command. There are several scenarios in which you may wish to ensure a password is cached and current.
When logging into a Mac joined to the domain with Centrify using a network account, the first login must be while Centrify is in connected mode. Upon first login of the account, the password is cached on the local Mac allowing login of the network account while Centrify is in disconnected mode. You may wish to cache/recache a network account's password in several scenarios:
- Caching the password for a remote user in advance
- You are updating the password on a Mac after a password change
- You believe you may have a corrupt cache, preventing login
1) Caching the password for a remote user in advance
If deploying a Mac to a remote user whose first login may be while Centrify is in disconnected mode, the network account must already have a cached password for login to proceed. One way to do this is to log in with the network user account before deploying the machine. This can be done at the normal login screen, or in the Terminal with the following steps:
- Log in to the Mac, ensure Centrify is in connected mode, and open the Terminal app.
- Enter the command: login AD_Username
- Provide the password for the account.
- Once login at the Terminal completes successfully, the password will be cached.
- You can enter the logout command to log out of the network account. You will now be able to log in with the account in disconnected mode.
An alternative method is to use the prevalidation method described in KB-2505: How to set up prevalidation (pre-caching) of the AD cache.
2) Updating the password on a Mac after a password change
You may run into a scenario where a network user's password is changed from a source other than the Mac itself. For example, the password was changed through the Outlook Web App by the user, or by an IT member in Active Directory. If the Mac is in disconnected mode, the Mac will continue using the previous password. To ensure the password is updated on a Mac, log in to the Mac with the network account while Centrify is in connected mode. This will update the password in the cache to the new password.
For further reading on this scenario, please see KB-3154: User cannot login to Mac again after changing their password externally (e.g. via webmail or from Windows).
3) Possible corrupted cache, preventing login
A symptom of a corrupt cache is a network user being unable to log in while in disconnected mode, despite being certain the password is correct. In this scenario, you can clear the cache by logging in as a local admin and entering the following command in the Terminal: sudo adflush
You will need to return the Mac to connected mode and log in again for a new cache to be created with the user's password.
If you are experiencing login issues, please see KB-3000: Troubleshooting login issues on Mac systems