Local account password not syncing with AD, but Keychain password does
Hi,
I've got LocalPasswordSync and UseKeychain enabled on a new MacBook I'm setting up.
When logging into NoMAD, I get the prompt telling me that the local and AD passwords don't match. I enter the local password, it's accepted and it looks like the sync has occurred as NoMAD logs me into AD. If I log out of my local account though, I can only log back in with my old password, so the sync to the local account clearly hasn't taken place. During login though, I get an error that "The system was unable to unlock your login keychain". If I press the "Update Keychain Password" button and enter my AD password, it unlocks the keychain, so the password sync has clearly run on this part.
Checking out the console, I can see the following:
default 15:10:03.549157 +0100 NoMAD level: base - Local password is right. Syncing.
default 15:10:03.640724 +0100 NoMAD level: base - Local User Password is incorrect. Error: Error Domain=com.apple.OpenDirectory Code=5402 "Failed global policy "ProfilePayload:93755e40-1c3b-0135-231d-6d6572616b69:allowSimple"" UserInfo={policyEvaluationDetails=<CFArray 0x7faa74fd72c0 [0x7fffce14cda0]>{type = immutable, count = 2, values = (
0 : <CFBasicHash 0x7faa777214f0 [0x7fffce14cda0]>{type = immutable dict, count = 3,
entries =>
0 : <CFString 0x7faa77741f10 [0x7fffce14cda0]>{contents = "policySatisfied"} = <CFBoolean 0x7fffce14d748 [0x7fffce14cda0]>{value = false}
1 : <CFString 0x7faa7775f280 [0x7fffce14cda0]>{contents = "policyContentDescription"} = <CFString 0x7faa77765050 [0x7fffce14cda0]>{contents = "Not have two consecutive, or three sequential characters."}
2 : <CFString 0x7faa7776ac90 [0x7fffce14cda0]>{contents = "policyIdentifier"} = <CFString 0x7faa7775bf00 [0x7fffce14cda0]>{contents = "ProfilePayload:93755e40-1c3b-0135-231d-6d6572616b69:allowSimple"}
}
The password contains a sequence of 3 characters, which I assume is what's causing problems as I've tested the process out with an alternative password and it works as expected. I've ensured that Simple password values are set on the MacBook but that's made no difference.
If the password change has failed at any point, then NoMAD should be trapping this and throwing an error.
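Added example, not part of the original post and not NoMAD code: a small Python triage script that reads the console dump quoted above and pulls out the OpenDirectory error code and the policy that rejected the password, so the misleading "Local User Password is incorrect" line can be matched to the policy that actually failed. The function name and return shape are assumptions made for this sketch.

```python
import re

# Console excerpt copied from the post above.
SAMPLE_LOG = r'''default 15:10:03.549157 +0100 NoMAD level: base - Local password is right. Syncing.
default 15:10:03.640724 +0100 NoMAD level: base - Local User Password is incorrect. Error: Error Domain=com.apple.OpenDirectory Code=5402 "Failed global policy "ProfilePayload:93755e40-1c3b-0135-231d-6d6572616b69:allowSimple"" UserInfo={policyEvaluationDetails=<CFArray 0x7faa74fd72c0 [0x7fffce14cda0]>{type = immutable, count = 2, values = (
0 : <CFBasicHash 0x7faa777214f0 [0x7fffce14cda0]>{type = immutable dict, count = 3,
entries =>
0 : <CFString 0x7faa77741f10 [0x7fffce14cda0]>{contents = "policySatisfied"} = <CFBoolean 0x7fffce14d748 [0x7fffce14cda0]>{value = false}
1 : <CFString 0x7faa7775f280 [0x7fffce14cda0]>{contents = "policyContentDescription"} = <CFString 0x7faa77765050 [0x7fffce14cda0]>{contents = "Not have two consecutive, or three sequential characters."}
2 : <CFString 0x7faa7776ac90 [0x7fffce14cda0]>{contents = "policyIdentifier"} = <CFString 0x7faa7775bf00 [0x7fffce14cda0]>{contents = "ProfilePayload:93755e40-1c3b-0135-231d-6d6572616b69:allowSimple"}
}'''

ERROR_RE = re.compile(r'Error Domain=(?P<domain>[\w.]+) Code=(?P<code>\d+)')
# One "key = value" entry of a CFBasicHash dump; values are CFString or CFBoolean.
ENTRY_RE = re.compile(
    r'\{contents = "(?P<key>[^"]+)"\} = <CF(?P<type>String|Boolean) [^>]*>'
    r'\{(?:contents = "(?P<text>[^"]*)"|value = (?P<flag>true|false))\}')


def parse_policy_error(log_text):
    """Return the error domain/code and the unsatisfied policies, or None."""
    error = ERROR_RE.search(log_text)
    if error is None:
        return None
    policies, current = [], {}
    for entry in ENTRY_RE.finditer(log_text):
        key = entry.group('key')
        if key in current:  # repeated key: the next policy dict has started
            policies.append(current)
            current = {}
        if entry.group('type') == 'Boolean':
            current[key] = entry.group('flag') == 'true'
        else:
            current[key] = entry.group('text')
    if current:
        policies.append(current)
    return {'domain': error.group('domain'), 'code': int(error.group('code')),
            'failed': [p for p in policies if p.get('policySatisfied') is False]}


if __name__ == '__main__':
    result = parse_policy_error(SAMPLE_LOG)
    print(result['domain'], result['code'])
    for policy in result['failed']:
        print(policy['policyIdentifier'], '->', policy['policyContentDescription'])
```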