Munki - Change local admin password & keychain


James Knightley

Oct 25, 2016, 4:35:00 AM
to munki-discuss
Morning All,

Can anyone point me in the right direction? I need to change the local admin password and keychain on our Macs due to our 180-day password change policy.

I am currently using Munki and the following command to change the password: /usr/bin/dscl . -passwd /users/administrator XXXXXX

This command seems to update the password but leaves me with a keychain mismatch, so my question is: do you have a better way of doing this, or can you advise how to also update/delete the keychain?

The devices have user profiles that need to remain, so I can't just delete the keychain folder.

Kind Regards

James

Mr. Alan Siu

Oct 25, 2016, 10:58:55 AM
to munki-...@googlegroups.com
This should help you out:

Another way you could do it, though, is to change the password on one machine and then package up the Keychains directory for that user and deploy it to the other machines.

Or, if you don't need the keychain itself, you can also delete the Keychains directory altogether for that user—one will be recreated when the user logs in.


Alan Siu
Client Systems Analyst
St. Ignatius College Preparatory

--
You received this message because you are subscribed to the Google Groups "munki-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to munki-discuss+unsubscribe@googlegroups.com.
To post to this group, send email to munki-...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/munki-discuss/2c402a1f-8a5e-4342-abd1-e5d9a8ce08e7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Gerd Niemetz

Oct 25, 2016, 11:06:15 AM
to munki-discuss
Hi!

Maybe
security set-keychain-password -o {oldpwd} -p {newpwd} /Users/{UserShortNameHere}/Library/Keychains/login.keychain
can help, but use with care

best regards
Gerd

A.E. van Bochoven

Oct 25, 2016, 2:38:06 PM
to munki-...@googlegroups.com
Changing the password with a script run by munki seems to be a very unsafe way to handle this. Anyone that can access the munki webserver will be able to read the cleartext password.

I think I would use Per Olofsson's CreateUserPkg to update the password.

Sent from my iPhone
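
Added example, not part of the thread and not Munki's own code: a repo-side audit for the exposure described in the message above, flagging pkginfo scripts that pass a literal password to the two commands mentioned in this thread. The function names, the sample pkginfo and its item name are constructed for illustration; the script key names are standard Munki pkginfo keys.

```python
import plistlib
import re

# Munki pkginfo keys whose values are embedded scripts.
SCRIPT_KEYS = (
    "preinstall_script", "postinstall_script", "installcheck_script",
    "uninstall_script", "preuninstall_script", "postuninstall_script",
    "uninstallcheck_script",
)

# The two commands from this thread that accept a password as an argument.
PATTERNS = {
    "dscl -passwd": re.compile(r"\bdscl\b[^\n]*?-passwd\s+\S+\s+(\S+)"),
    "security set-keychain-password": re.compile(
        r"\bsecurity\s+set-keychain-password\b[^\n]*?\s-p\s+(\S+)"),
}

def is_literal(arg):
    """Treat "$VAR" / $(cmd) as non-literal; those need a manual look."""
    return not arg.strip("\"'").startswith("$")

def scan_pkginfo(data):
    """Return (script_key, command, line_no) per hard-coded password.
    The password itself is never included in the result."""
    pkginfo = plistlib.loads(data)
    findings = []
    for key in SCRIPT_KEYS:
        for line_no, line in enumerate(pkginfo.get(key, "").splitlines(), 1):
            for label, pattern in PATTERNS.items():
                match = pattern.search(line)
                if match and is_literal(match.group(1)):
                    findings.append((key, label, line_no))
    return findings

# Constructed sample pkginfo (not from a real repo).
SAMPLE = plistlib.dumps({
    "name": "RotateAdminPassword",
    "version": "1.0",
    "installer_type": "nopkg",
    "postinstall_script": (
        "#!/bin/sh\n"
        "/usr/bin/dscl . -passwd /users/administrator XXXXXX\n"
        'security set-keychain-password -o "$OLD" -p "$NEW" '
        "/Users/administrator/Library/Keychains/login.keychain\n"
    ),
})

if __name__ == "__main__":
    for finding in scan_pkginfo(SAMPLE):
        print("hard-coded password: %s, %s, line %d" % finding)
```

Only the `-p` argument of `security set-keychain-password` is checked here; a variable that is itself assigned a literal earlier in the script will not be flagged and still needs review.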

Mr. Alan Siu

Oct 25, 2016, 2:40:23 PM
to munki-...@googlegroups.com
Should have the same User ID, too, I believe—not just the same username.


Alan Siu
Client Systems Analyst
St. Ignatius College Preparatory


James Knightley

Oct 26, 2016, 10:39:37 AM
to munki-discuss
Thanks for all the information, will have a play.