10.14.4 Update breaks “Update Keychain Password” + Workaround


UPDATE: 11/17/19

This issue was fixed in 10.15.0, only to break again in 10.15.1! I’m covering the issue again here.

mrmacintosh.com/10-15-1-update-breaks-update-keychain-password-again-workaround/

If you are here for the 10.15.1 issue, you can follow the same 10.14.4 workaround instructions below.

UPDATE: 07/31/19

This will probably be the final update. Sadly the issue is NOT fixed in 10.14.6. Even worse, 10.14.6 is the final Mojave update, so the issue will not be fixed in Mojave at all. I submitted this issue right after it was found in 10.14.4 and it’s just a bummer that this will never be fixed in Mojave. The only good news I can give you is that this is fixed in macOS Catalina 10.15.

UPDATE: 07/09/19

The AD Mobile Account option to “Update Keychain Password” when resetting your password outside the Mac is still broken in macOS Mojave 10.14.5. This issue is still not fixed in the current 10.14.6 beta! Be sure to contact Apple if you haven’t already done so!

10.14.4 Update password fixes/problems

I really like the 10.14.4 update, trust me I do! It arrived with so many fixes that have really helped MacAdmins. The problem is, it also broke a few things. Just when I thought we had found all the fixes/problems, a new one pops up. If you have been following along, this is now my 4th article on password fixes/problems in the 10.14.4 update. Let’s quickly review.

10.14.4 Update breaks “Update Keychain Password” process for AD Mobile Accounts.

This issue affects Active Directory Mobile Account users. If you use Mobile Accounts you have seen this message before.

Update/create keychain message
Which option should I pick? In 10.14.4 it doesn’t matter, they both create a new keychain!

You will only see this message if you change your Active Directory password outside the Mac, for example on a second Mac, a Windows PC or a web portal. Logging in with the new password will sync that new password down to the Mac’s local cache, but the login keychain password can NOT be changed without the OLD password. You can click “Create New Keychain” and a brand new login keychain will be created. But what if you have Xcode developer certificates and private keys, or Wi-Fi certificates, in the old keychain? In that case you need your old keychain intact.

Clicking “Update Keychain Password” just creates a new login keychain.

If you click “Update Keychain Password” you should see this. (10.14.0-10.14.3)

Update Keychain Password dialog
What you should see in 10.14.0-10.14.3

Instead, after clicking the update button you will not see this message; you are dropped straight to the desktop. If you open Keychain Access you will see that your login keychain was wiped out.

Workaround – Find renamed keychain, change password and restore.

Good news, I have a workaround for you. The old login keychain luckily still remains in ~/Library/Keychains.

We will have to perform a few steps to restore your old login keychain:

  1. Find renamed keychain – located in ~/Library/Keychains and called login_renamed_1.keychain-db
  2. Change password of login_renamed_1.keychain-db from old to new
  3. Remove login.keychain-db
  4. Rename login_renamed_1.keychain-db to login.keychain-db
  5. Restore login.keychain-db to Keychain Access.app
  6. Log out and back in.

1. Find renamed keychain

The old keychain is located in ~/Library/Keychains and called login_renamed_1.keychain-db.

Your old login keychain and the new one that was just created.

2. Change login_renamed_1.keychain-db password

You used to be able to change the login keychain password through Keychain Access. This is no longer possible.

can't change login keychain password.

What if we click “Add Keychain”, add the renamed keychain and then try to change its password?

try to change renamed password

This looks promising but after clicking “change password for keychain login_renamed” nothing happens. I then tried to unlock it with the old password.

unlock renamed

After unlocking I attempted to change the password again.

2nd password change attempt

Still no go! After clicking change password nothing happened. At this point, I thought I was out of luck.

Enter CLI command security

Never give up a fight without visiting the Command Line Interface! The CLI can be your best friend. Let’s take a look at the security man page and see if anything will help us. Open terminal and type in man security

set-keychain-password       Set password for a keychain.

Oh ya, now we are talking! Let’s take a look at the options.

security set-keychain-password

Perfect, just what we are looking for. Let’s try it out.

sudo security -v set-keychain-password /path_to_user_keychain

You will be prompted for your old and new password. Now that the old keychain has the same password as your AD account we can move it back into Keychain Access.app.

3. Remove login.keychain-db

Now we can just delete the empty login keychain.

Right click on login and select Delete Keychain “Login” then click “Delete References & Files”. You should now only have Local Items, System and System Roots.

4. Rename login_renamed_1.keychain-db to login.keychain-db

We now need to rename login_renamed_1.keychain-db to login.keychain-db. You can do this either in Keychain Access or in the Finder. Let’s rename it in the Finder: click once on login_renamed_1.keychain-db and change the name to login.keychain-db.

5. Restore login.keychain-db to Keychain Access.app

Now all we need to do is add our old keychain back to Keychain Access.app. Right click in the keychain section and select “Add Keychain”.

add keychain

Navigate to ~/Library/Keychains/login.keychain-db and select it. You will now see login in the keychain box! At this time it will be locked. You can test unlocking it now. Right click on login and select “Unlock Keychain login”

unlock

You will now be prompted to enter your current password.

6. Log out and back in to confirm

You have now restored your old keychain. Log out and then back in to confirm. You are now good to go!
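The six steps above as one script, added here as an illustration; it is not the article’s own code. It assumes the old keychain carries the exact name from step 1, that security is run as the user who owns the keychain rather than under sudo as in the article, and that the empty keychain 10.14.4 created can go; both files are copied to a backup folder before anything is changed.

```shell
#!/bin/sh
# Added example, not the article's own code: scripted form of the six-step
# workaround. Assumptions: the old keychain is named login_renamed_1.keychain-db
# (as in the article) and `security` runs as the keychain's owner, not via sudo.
set -eu

# Step 1: locate the renamed keychain. Prints its path, or fails if it is
# missing so nothing below runs against the wrong file.
find_renamed_keychain() {
    renamed="$1/login_renamed_1.keychain-db"
    if [ ! -f "$renamed" ]; then
        echo "no login_renamed_1.keychain-db in $1; nothing to restore" >&2
        return 1
    fi
    echo "$renamed"
}

# Steps 2-5. Both keychain files are copied into a timestamped backup folder
# first, so the change can be undone. Prints the backup folder path.
restore_login_keychain() {
    dir="$1"
    renamed=$(find_renamed_keychain "$dir") || return 1
    login="$dir/login.keychain-db"
    backup="$dir/restore-backup-$(date +%Y%m%d%H%M%S)"
    mkdir -p "$backup"
    cp "$renamed" "$backup/"
    # Step 2: prompts for the old password and the new (current AD) password.
    security -v set-keychain-password "$renamed"
    # Step 3: keep a copy of the empty keychain 10.14.4 created, then delete
    # it (delete-keychain removes the file and its search-list reference).
    if [ -f "$login" ]; then
        cp "$login" "$backup/login.keychain-db.empty"
        security delete-keychain "$login"
    fi
    # Step 4: rename the old keychain back to login.keychain-db.
    mv "$renamed" "$login"
    # Step 5: put it in the user search list and mark it as the login keychain
    # (equivalent of "Add Keychain" in Keychain Access.app).
    security list-keychains -d user -s "$login"
    security login-keychain -d user -s "$login"
    echo "$backup"
}

# Step 6 (log out and back in) is left to the user. Only act when asked to.
if [ "${1:-}" = "--run" ]; then
    restore_login_keychain "$HOME/Library/Keychains"
fi
```

Run it in Terminal with the --run flag; the password prompts from set-keychain-password appear inline and the backup folder path is printed at the end.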

As always, we need to submit a bug report to Apple.

I can not stress how important this is. The more reports we put in, the higher priority the issue gets. We are also running out of time and only have about 3 weeks before 10.14.5 is released.

I have submitted a bug report to Apple at bugreport.apple.com. I also created an open radar at openradar.appspot.com

https://openradar.appspot.com/radar?id=4962927241068544

Credits

Thanks to hawkzhang45 from the JAMF Nation forum for calling this issue out. Also to m.entholzner for confirmation and for submitting an Apple Enterprise ticket. You can read the original thread here.


10.14.4 Update breaks local account password reset when using FileVault Recovery Key


UPDATE: 05/16/19 – 10.14.5 Update fixes this issue

10.14.5 fixes this issue
The macOS 10.14.5 update fixes this issue.

As noted above this issue is now fixed in macOS 10.14.5. You can read on if you are interested in how this all went down.

I have been testing the new password fixes/changes in macOS Mojave 10.14.4. You can see the changes in the “What’s new in the updates for macOS Mojave” support document. What I found was, the 10.14.4 Update breaks local account password reset when using the FileVault Recovery Key.

Mr. Macintosh - Enterprise Content section from the what's new in 10.14.4 update document.
Enterprise Content section from the what’s new in 10.14.4 update document.

I wrote about how 10.14.4 fixes the Mobile Account password syncing issues present in 10.14.0-10.14.3. This was a huge win for Active Directory users. We finally have a functioning password change system in place. I found this problem while testing these new fixes. Instructions for this procedure are listed in this Apple Support Document.

Let’s confirm this on 10.14.3 and 10.14.4

I set up a fresh 10.14.4 (18E226) system, created a local account and then enabled FileVault. I then performed the following test:

  1. Boot system – Select user
  2. Click the ? Button so I can enter the recovery key.
  3. The system will now boot to the login window
  4. You will see the username filled in with your username with the password reset window.
  5. Type in a brand new password and then hit “Reset Password”
  6. The window thinks for a second then shakes you off.
  7. The password is not changed.

Mr. Macintosh - Reset password window after entering in the recovery key.
Reset password window after entering in the recovery key.

Performing the same test on 10.14.3 (18D109) worked as designed. After clicking “Reset Password” the system accepts the new password then logs you in.

Workaround: resetpassword in Recovery

The good news is that the resetpassword application in the Recovery partition still works.

Mr. Macintosh - Trusty ole resetpassword still works.
Trusty ole resetpassword still works.

1st way to reset your password. Boot to Recovery

Boot your Mac while holding Command-R to start it in the Recovery partition. Once there, click Utilities in the menu bar and select Terminal. Type resetpassword and follow the instructions.

Note: If you have a T2 Mac, this option requires that you have a SecureToken Admin on the system to access the Terminal.app.

2nd way to reset your password, the FV2 Screen.

You can trigger the 2nd way at the FV2 login window.

  1. Wait up to a minute at the login screen, until you see a message saying that you can use the power button on your Mac to shut down and start up again in Recovery OS. If you don’t see this message, FileVault isn’t on.
  2. Press and hold the power button until your Mac turns off.
  3. Press the power button again to turn on your Mac.
  4. When the Reset Password window appears, follow the onscreen instructions to create a new password.

If you would like to follow Apple’s instructions on how to reset local account passwords you can visit this Apple Support Article.

“Radar or it didn’t happen”

This was a really great quote from Jason Broccardo @zoocoup. Filing bugs and tickets is a really important task for MacAdmins. Apple rates issues by the number of reports/tickets they get for each issue. If this feature is important to you please do the following.

File this issue as a bug to bugreport.apple.com

Then open up an Open Radar on openradar.appspot.com. This will help with tracking and you can let others know about the issue. (This site is not affiliated with Apple Inc.)

File an Apple Care Enterprise ticket if you have an account. https://www.apple.com/support/enterprise/

You can also dupe the radar that I submitted. https://openradar.appspot.com/50005199
