The AD “Update Keychain Bug” was fixed in 10.15.0, only to be Broken again in 10.15.1.
UPDATE: 03/26/20 – The bug is fixed after installing the Catalina 10.15.4 Combo Update!
UPDATE: 02/03/20 – This bug is still not fixed in 10.15.3! Please contact Apple about this if you haven’t already.
When the issue was first reported to me, I really didn’t believe the bug could be back right after it was fixed. You have to understand my frustration here, I first reported this bug back in 10.14.4!!!
I was disappointed that Apple didn’t fix this bug before the final release of Mojave. Near the end of Mojave, Apple did confirm the issue was fixed in a Beta Build of 10.15.
For Mojave users the fix for the issue would be
Upgrade to macOS Catalina
The bug is back.
During the 10.15 Beta period, I confirmed the bug was fixed in and figured that would be the end of it.
Yesterday, I confirmed the bug is back in 10.15.1.
The Bug is Exactly the same as the 10.14.4 bug.
The 10.15.1 Update Keychain Password bug is the same exact problem as the 10.14.4 issue.
If you change your Active Directory Password off the Mac, you will see the Update Keychain Password Dialog. If you click the 2nd button to UPDATE your login keychain password, the dialog box disappears and a new keychain is created for you. The old Login Keychain is still there but is renamed!
This is what you SHOULD see happen. Once you click the Update Keychain Password button a password box shows up. From here you need to type in your OLD keychain password. Once you do this, your Login Keychain Password is synced up and you are good to go.
Workaround
The good news is, you can remove the “New” keychain and rename your previous login keychain so you can access it again. You can follow the same instructions listed in my 10.14.4 article.
I will submit an Enterprise Support ticket tomorrow morning. If you use Mobile Accounts, I would ask that you do the same to build an impact statement. Please reach out to your SE or if you are a regular user support.apple.com/
Credits
I’d like to give special thanks toMr. Macintosh reader Cesar who first reported this issue.
If you are here for the 10.15.1 issue, you can follow the same 10.14.4 workaround instructions below.
UPDATE: 07/31/19
This will probably be the final update. Sadly the issue is NOT fixed in 10.146. Even worse, this will be the final update and the issue will not be fixed in Mojave. I submitted this issue right after it was found in 10.14.4 and it’s just a bummer that this will never be fixed in Mojave. The only good news I can give you is that this is fixed in macOS Catalina 10.15.
UPDATE: 07/09/19
The AD Mobile Account option to “Update Keychain Password” when resting your password outside the Mac is still broken in macOS Mojave 10.14.5. This issue is still not fixed in current 10.14.6 Beta! Be sure to contact Apple if you haven’t already done so!
10.14.4 Update password fixes/problems
I really like the 10.14.4 update, trust me I do! It arrived with so many fixes that have really helped MacAdmins. The problem is, it also broke a few things. Just when I thought we found all the fixes/problems a new one pops up. If you have been following along, this is now my 4th article on password fixes/problems in the 10.14.4 update. Lets quickly review
10.14.4 Update breaks “Update Keychain Password” process for Ad Mobile Accounts.
This issue affects Active Directory Mobile Account users. If you use Mobile Accounts you have seen this message before.
You will only see this message if you change your Active Directory Password outside the Mac. An example of this would be if you changed your AD password on a 2nd Mac, Windows PC or Web Portal. Logging in with the new password will sync that new password down to the Macs local cache but can NOT change the keychain password without the OLD password. You can click “Create New Keychain” and brand new login keychain will be created. But what if you have Xcode Developer Certs and Private keys or Wifi certs? In this case you need your old keychain intact.
Clicking “Update Keychain Password” just creates a new login keychain.
If you click “Update Keychain Password” you should see this. (10.14.0-10.14.3)
Instead, after clicking the update button you will not see this message and you are now at the desktop. If you open up keychain access you will see that your login keychain was wiped out.
Workaround – Find renamed keychain, change password and restore.
Good news, I have a workaround for you. The old login Kkeychain luckily still remains in ~/Library/Keychains
We will have to perform a few steps to restore your old login keychain
1. Find renamed keychain – located in ~/Library/Keychains and called login_renamed_1.keychain-db
2. Change password of login_renamed_1.keychain-db from old to new
3. Remove login.keychain-db
4. Rename login_renamed_1.keychain-db to login.keychain-db
5. Restore login.keychain-db to Keychain Access.app
6. Log out and back in.
1. Find renamed keychain
The old keychain is located in ~/Library/Keychains and called login_renamed_1.keychain-db
2. Change login_renamed_1.keychain-db password
You used to be able to change the login keychain password through Keychain Access. This is no longer possible.
What if we clicked “Add Keychain” and tried to add the renamed keychain then try to change the password?
This looks promising but after clicking “change password for keychain login_renamed” nothing happens. I then tried to unlock it with the old password.
After unlocking I attempted to change the password again.
Still no go! After clicking change password nothing happened. At this point, I thought I was out of luck.
Enter CLI command security
Never give up a fight without visiting the Command Line Interface! The CLI can be your best friend. Let’s take a look at the security man page and see if anything will help us. Open terminal and type in man security
set-keychain-password Set password for a keychain.
Oh ya, now we are talking! Let’s take a look at the options.
Perfect, just what we are looking for. Lets try it out.
You will be prompted for your old and new password. Now that the old keychain has the same password as your AD account we can move it back into Keychain Access.app.
3. Remove login.keychain-db
Now we can just delete the empty login keychain.
Right click on login and select Delete Keychain “Login” then click “Delete References & Files”. You should now only have Local Items, System and System Roots.
4. Rename login_renamed_1.keychain-db to login.keychain-db
We now need to rename login_renamed_1.keychain-db to login.keychain-db. You can either do this in keychain access or in the finder. Let’s rename in the finder. Click once on login_renamed_1.keychain-db and change it to login.keychain-db.
5. Restore login.keychain-db to Keychain Access.app
Now all we need to do is add our old keychain back to Keychain Access.app. Right click in the keychain section and select “Add Keychain”.
Navigate to ~/Library/Keychains/login.keychain-db and select it. You will now see login in the keychain box! At this time it will be locked. You can test unlocking it now. Right click on login and select “Unlock Keychain login”
You will now be prompted to enter in your current password.
6. Log out and back in to confirm
You have now restored your old keychain. Log out and then back in to confirm. You are now good to go!
As always, we need to submit a bug report to Apple.
I can not stress how important this is. The more reports we put in the higher priority the issue gets. We are also running out time and only have about 3 weeks before 10.14.5 is released.
Thanks to hawkzhang45 from JAMF Nation forum for calling this issue out. Also to m.entholzner for conformation and submitting an Apple Enterprise Ticket. You can read the original thread here.