Local Password Sync

defaults write com.trusourcelabs.NoMAD LocalPasswordSync 1

Setting this defaults key to force local password syncing causes NoMAD to check, on Sign In, that your AD password is in sync with your local account password. If the two do not match, NoMAD attempts to update the local account password to the network password.

Note that this process only runs from network to local. In other words, NoMAD will never take a local password and update AD with it. It works on both AD-bound and unbound systems.

The basic process is as follows:

1. Take the password supplied by the user and attempt to get Kerberos credentials with it.

2. If successful, then check the password against the local user password using the OpenDirectory APIs.

3. If the network password does not match the local password, alert the user and prompt them for their local password.

4. Using the local password, first check to ensure it is the correct local password.

5. If the password is correct, then change the local password, the user’s local Keychain password, and the user’s FileVault password from the local password to the network password.

This process will also be followed when the user changes their network password. Assuming the local password was already in sync, NoMAD will use both the old and the new network passwords submitted by the user to change the local password.
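The five-step Sign In flow above, and the old-plus-new network password case in the last paragraph, as an added example in Swift (NoMAD's own language) using the OpenDirectory framework the text refers to. This is illustrative code, not NoMAD's implementation: it assumes Kerberos is obtained by driving Heimdal's /usr/bin/kinit with its `--password-file=STDIN` option, that the login keychain is the user's default keychain (updated with `SecKeychainChangePassword`), and that the FileVault credential follows the local password change when the old password is supplied, as macOS does for SecureToken users. The `askForLocalPassword` closure stands in for NoMAD's prompt in step 3.

```swift
import Foundation
import OpenDirectory
import Security

enum SyncError: Error {
    case kerberosFailed          // step 1: the supplied password is not the AD password
    case localPasswordWrong      // step 4: the password the user typed is not the local one
    case keychainUpdateFailed(OSStatus)
}

/// Step 1: try to get a TGT with the supplied password (assumption: Heimdal kinit,
/// which reads the password from stdin when told --password-file=STDIN).
func kerberosAuthenticates(principal: String, password: String) -> Bool {
    let kinit = Process()
    kinit.executableURL = URL(fileURLWithPath: "/usr/bin/kinit")
    kinit.arguments = ["--password-file=STDIN", principal]
    let input = Pipe()
    kinit.standardInput = input
    kinit.standardOutput = FileHandle.nullDevice
    kinit.standardError = FileHandle.nullDevice
    do { try kinit.run() } catch { return false }
    input.fileHandleForWriting.write((password + "\n").data(using: .utf8)!)
    input.fileHandleForWriting.closeFile()
    kinit.waitUntilExit()
    return kinit.terminationStatus == 0
}

/// The user's record on the local directory node (works on bound and unbound Macs).
func localUserRecord(_ shortName: String) throws -> ODRecord {
    let node = try ODNode(session: ODSession.default(), type: ODNodeType(kODNodeTypeLocalNodes))
    return try node.record(withRecordType: kODRecordTypeUsers, name: shortName, attributes: nil)
}

/// Steps 2 and 4: OpenDirectory verifyPassword throws when the password is wrong.
func localPasswordMatches(_ record: ODRecord, _ password: String) -> Bool {
    return (try? record.verifyPassword(password)) != nil
}

/// Step 5: rotate the local account password (old -> new). Supplying the old password
/// is what lets macOS carry the change through to the user's FileVault credential.
/// The login keychain is not touched by OpenDirectory, so it is re-keyed separately.
func rotateLocalPassword(record: ODRecord, from old: String, to new: String) throws {
    try record.changePassword(old, toPassword: new)

    var keychain: SecKeychain?
    SecKeychainCopyDefault(&keychain)   // assumption: default == login keychain
    let status = old.withCString { o in
        new.withCString { n in
            SecKeychainChangePassword(keychain, UInt32(strlen(o)), o, UInt32(strlen(n)), n)
        }
    }
    if status != errSecSuccess { throw SyncError.keychainUpdateFailed(status) }
}

/// Sign In flow, steps 1-5. Returns true if the local password was changed,
/// false if it was already in sync. Never writes anything back to AD.
func syncLocalPassword(user: String, principal: String, networkPassword: String,
                       askForLocalPassword: () -> String) throws -> Bool {
    guard kerberosAuthenticates(principal: principal, password: networkPassword) else {
        throw SyncError.kerberosFailed
    }
    let record = try localUserRecord(user)
    if localPasswordMatches(record, networkPassword) {
        return false                                  // already in sync, nothing to do
    }
    let localPassword = askForLocalPassword()         // step 3: prompt the user
    guard localPasswordMatches(record, localPassword) else {
        throw SyncError.localPasswordWrong            // step 4: wrong local password
    }
    try rotateLocalPassword(record: record, from: localPassword, to: networkPassword)
    return true
}

/// Network password change case: the user supplied old and new network passwords,
/// and the local password is expected to equal the old one, so no prompt is needed.
func followNetworkPasswordChange(user: String, oldNetwork: String, newNetwork: String) throws -> Bool {
    let record = try localUserRecord(user)
    guard localPasswordMatches(record, oldNetwork) else {
        return false   // local was not in sync; fall back to the Sign In flow next time
    }
    try rotateLocalPassword(record: record, from: oldNetwork, to: newNetwork)
    return true
}

// Usage: swift sync.swift <local short name> <user@REALM>, passwords read from the terminal.
let args = CommandLine.arguments
if args.count == 3 {
    print("AD password: ", terminator: "")
    let networkPassword = readLine() ?? ""
    do {
        let changed = try syncLocalPassword(user: args[1], principal: args[2],
                                            networkPassword: networkPassword) {
            print("Local password: ", terminator: "")
            return readLine() ?? ""
        }
        print(changed ? "local password updated to network password" : "already in sync")
    } catch {
        print("sync failed: \(error)")
    }
}
```

Run it as the user whose password is being synced, not as root: `changePassword` with the old password is the form that works without admin rights and is the one that keeps SecureToken intact. A root-only reset (`dscl . -passwd` without the old password) would change the account password but leave the login keychain and FileVault credential behind, which is exactly the mismatch the sync is meant to prevent.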