FileVault 2 AD Password Sync Fails - Module: FDESupport - Failed to update passphrase for <UUID> when using destroyfvkeyonstandby power setting.

Originator: n8felton
Number: rdar://16410396    Date Originated: 2014-03-24
Status: Closed    Resolved: Duplicate of 8322580 - Closed
Product: OS X    Product Version: 10.9.2 13C64
Classification:    Reproducible: Yes
 
Summary:
While using an AD account with FileVault 2 on OS X 10.9.2 (13C64), I get the error "Module: FDESupport - Failed to update passphrase for <UUID>" in /var/log/opendirectoryd.log after logging into the system with an account that has recently changed its AD password. This error results in the failure to update the pre-boot password for the account. This appears to only happen when the "destroyfvkeyonstandby" setting is enabled.

Steps to Reproduce:
1. Enable FileVault 2 with a current AD account and password.
sudo fdesetup enable
Enter the user name:mnetest
Enter the password for user 'mnetest':<current ad password>

2. Reboot the machine.
AD account appears at the EFI pre-boot login and successfully accepts the current AD password and passes the credentials through the loginwindow and presents me with the desktop for the AD user.

3. Log out and reset password.
Change password in AD via the Active Directory Users and Computers (ADUC) "Reset password..." option.

4. Successfully log in at loginwindow with the reset password.
Update keychain using previous AD password.

/var/log/opendirectoryd.log shows "Module: FDESupport - Updated passphrase for 8796F4D2-970A-4E12-B71D-B9C6CD8FD596"

5. sudo pmset -a destroyfvkeyonstandby 1

6. Reboot.
AD account appears at the EFI pre-boot login and successfully accepts the current AD password and passes the credentials through the loginwindow and presents me with the desktop for the AD user.

7. Log out and reset password.
Change password in AD via the Active Directory Users and Computers (ADUC) "Reset password..." option.

8. Successfully log in at loginwindow with the reset password.
Update keychain using previous AD password.

/var/log/opendirectoryd.log shows "Module: FDESupport - Failed to update passphrase for 8796F4D2-970A-4E12-B71D-B9C6CD8FD596"

9. Reboot.
AD account appears at the EFI pre-boot login but denies the recent password change. It accepts the PREVIOUS password. Single Sign On fails and I am presented with the loginwindow. Using the account's CURRENT password allows me to log in at the loginwindow.

10. sudo pmset -a destroyfvkeyonstandby 0

11. Log out and attempt to log in again. Current AD password is accepted; however, /var/log/opendirectoryd.log shows "Module: FDESupport - Failed to update passphrase for 8796F4D2-970A-4E12-B71D-B9C6CD8FD596"

12. Reboot.
AD account appears at the EFI pre-boot login but denies the recent password change. It accepts the PREVIOUS password. Single Sign On fails and I am presented with the loginwindow. Using the account's CURRENT password allows me to log in at the loginwindow.

/var/log/opendirectoryd.log shows "Module: FDESupport - Updated passphrase for 8796F4D2-970A-4E12-B71D-B9C6CD8FD596"

13. Reboot.
AD account appears at the EFI pre-boot login and successfully accepts the current AD password and passes the credentials through the loginwindow and presents me with the desktop for the AD user.
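A defender who wants to catch this condition on a fleet needs two facts from the machine: whether opendirectoryd's FDESupport module last reported "Failed to update passphrase" for a user's UUID, and whether destroyfvkeyonstandby is currently on. The script below is an added example written for this page, not part of the radar or of Apple's tooling. It reads the log and the pmset output from files (or stdin) so it can be tested offline; on a real Mac the inputs would be /var/log/opendirectoryd.log and the output of `pmset -g`. The sample log lines and the second UUID are constructed, and only the "Module: FDESupport - ... passphrase for <UUID>" substring and the "destroyfvkeyonstandby" key come from the report; the exact timestamp prefix of opendirectoryd.log and the "<key> <value>" line layout of `pmset -g` are assumptions.

```shell
#!/bin/sh
# Constructed sample of opendirectoryd.log entries (timestamp layout is an assumption;
# only the FDESupport message text matches the report). The first UUID is the one from
# the report; the second is a made-up UUID that failed once and then recovered.
SAMPLE_LOG='2014-03-24 10:01:02 - Module: FDESupport - Updated passphrase for 8796F4D2-970A-4E12-B71D-B9C6CD8FD596
2014-03-24 11:15:09 - Module: FDESupport - Failed to update passphrase for 8796F4D2-970A-4E12-B71D-B9C6CD8FD596
2014-03-24 11:20:00 - Module: FDESupport - Failed to update passphrase for 11111111-2222-3333-4444-555555555555
2014-03-24 11:30:41 - Module: FDESupport - Failed to update passphrase for 8796F4D2-970A-4E12-B71D-B9C6CD8FD596
2014-03-24 12:05:00 - Module: FDESupport - Updated passphrase for 11111111-2222-3333-4444-555555555555'

# Constructed sample of `pmset -g` output (key/value layout is an assumption).
SAMPLE_PMSET='Currently in use:
 standby              1
 destroyfvkeyonstandby 1
 hibernatemode        3'

# Print, once each, every UUID that has at least one failed pre-boot passphrase update.
# The UUID is the last whitespace-separated field of the FDESupport message.
fde_failed_uuids() {
  awk '/Module: FDESupport - Failed to update passphrase for/ {
         uuid = $NF
         if (!(uuid in seen)) { seen[uuid] = 1; print uuid }
       }'
}

# Print the most recent FDESupport result ("Updated" or "Failed") for one UUID,
# because a later successful update (as in step 12 of the report) clears the condition.
fde_last_status() {
  awk -v id="$1" '/Module: FDESupport - / && $NF == id {
         status = ($0 ~ /Failed to update passphrase/) ? "Failed" : "Updated"
       }
       END { if (status != "") print status }'
}

# Read `pmset -g` output on stdin; print 1 when destroyfvkeyonstandby is enabled, else 0.
destroyfvkey_enabled() {
  awk '$1 == "destroyfvkeyonstandby" { found = 1; print ($2 == "1") ? 1 : 0 }
       END { if (!found) print 0 }'
}

# Combine both checks. $1 = path to the opendirectoryd log, $2 = file holding `pmset -g` output.
# Returns 1 (and prints a warning per stale account) when at least one account's pre-boot
# passphrase is still out of sync, i.e. the user will have to type the OLD password at EFI.
check_fv_sync() {
  log="$1"; pm="$2"
  failed=$(fde_failed_uuids < "$log")
  dfk=$(destroyfvkey_enabled < "$pm")
  rc=0
  for u in $failed; do
    last=$(fde_last_status "$u" < "$log")
    if [ "$last" = "Failed" ]; then
      echo "WARN: pre-boot passphrase for $u is stale (last FDESupport result: Failed, destroyfvkeyonstandby=$dfk)"
      rc=1
    fi
  done
  return $rc
}

# Demo on the constructed samples; on a real Mac pass /var/log/opendirectoryd.log and
# a file produced by `pmset -g` instead.
tmp=$(mktemp -d)
printf '%s\n' "$SAMPLE_LOG" > "$tmp/od.log"
printf '%s\n' "$SAMPLE_PMSET" > "$tmp/pmset.txt"
check_fv_sync "$tmp/od.log" "$tmp/pmset.txt" && echo "OK: pre-boot passphrases are in sync"
rm -rf "$tmp"
```

On the sample, only the report's UUID is flagged: its last FDESupport entry is a failure, whereas the constructed second account recovered with a later "Updated passphrase" entry. Treating the most recent entry per UUID as authoritative is what keeps the check quiet after the workaround in steps 10 to 12 (disable the setting, log in again, reboot) has resynchronised the pre-boot password.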

Expected Results:
A user should be able to change their AD account password and have it update the pre-boot account password while the "destroyfvkeyonstandby" is enabled.

Actual Results:
AD account password changes are not updating the FileVault pre-boot environment account password while "destroyfvkeyonstandby" is enabled.

Version:
ProductName:    Mac OS X
ProductVersion: 10.9.2
BuildVersion:   13C64

Notes:
This is causing issues with McAfee's Management of Native Encryption 1.0.0 product as well.

https://kc.mcafee.com/corporate/index?page=content&id=KB81289
