OS Updates trigger failedLoginCount password policies

Originator:eric
Number:rdar://28852381 Date Originated:10/19/2016
Status:Closed Resolved:
Product:macOS Product Version:10.12.1/16B2553a
Classification: Reproducible:Always
 
Summary:
When running an OS update that restarts a FileVaulted computer and automatically logs in as the user that ran the update, the failedLoginCount of the user's record is incremented and can cause the user to not be able to authenticate as an admin or get a valid command prompt in the Terminal.

Steps to Reproduce:
1. Start with an admin account on a system that needs an OS update (i.e. 10.12 to 10.12b5).
2. Apply a password policy that locks the account after 5 failed login attempts. 'pwpolicy -setaccountpolicies -u "$username" /path/to/pwpolicy.plist' (see attached file)
3. Run the update and wait for the computer to restart
4. Authenticate as the user that ran the update.
5. Open system preferences and try to authenticate to a panel
6. Open the Terminal and look at the command prompt.

Expected Results:
The admin user should be able to authenticate to locked system preference panels.
The user should see a standard command prompt.

Actual Results:
The authentication dialog shakes as if the password is wrong.
The Terminal window shows
Login incorrect
login: 
and won't accept any user name.
To confirm the problem, logout and back in as another user and run 'pwpolicy authentication-allowed -u $problemusername' The system will report that they can't log in due to maxFailedAttempts.  Clearing failedLoginCount and failedLoginTimestamp will allow the user back in.

Comments

Odd follow up here...

The original report on this issue, Bug ID 19046804, is closed. The issue was resolved in macOS 10.12.4, which will be available for beta testing, so please check the Apple Developer web site for it.

If you still see the issue in a newer release, please file a new bug report.

By eric at Dec. 6, 2016, 3:04 p.m. (reply...)

Engineering has determined that your bug report (28852381) is a duplicate of another issue (19046804) and will be closed.

By eric at Nov. 9, 2016, 3:01 p.m. (reply...)

Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at bugreport.apple.com before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!