The localFallback key only works with AD, not Cloud IdP + AD #248

Open
dstranathan opened this issue Jul 23, 2024 · 8 comments

@dstranathan

When testing only AD (no cloud), the localFallback key worked as expected. Example:

If the Mac was offline (or not on the AD domain), XCreds would allow local accounts to auth + log in without the "Offline Authentication" checkbox needing to be displayed in the UI (This is the shouldShowLocalOnlyCheckbox key).

But when testing Entra and AD together, the behavior of localFallback key has changed. Example:

If the Mac is offline (i.e., the Azure IdP webview can't appear), XCreds defaults to showing the local/AD name + password boxes. This is expected; however, the localFallback key does not work as expected - I have to manually check the "Offline Authentication" checkbox each time to use a local account. XCreds won't fall back to a local account automatically when offline (it attempts to try the AD domain, but doesn't fall back when it's not located).

I'm asking about this because my IT security guys do not want users to see the "Offline Authentication" checkbox, as it (1) adds complexity to the login routine and (2) provides a way for users to circumvent the Azure authentication each time, regardless of whether they are really "offline" or not. My InfoSec manager says this is a no-go.

I'll try to ssh into a test Mac and reproduce this as best as I can and post logs.

@dstranathan
Author

dstranathan commented Jul 23, 2024

Log example below.

Procedure:

- Booted Sonoma 14.5 M1 Mac + XCreds 5 7096 (on my LAN/AD Domain via Ethernet)
- SSH into the Mac and tail logs (/tmp/xcreds/xcreds.log) with debug enabled.
- Switch XCreds overlay from Cloud auth to AD/Local auth
- Without ticking the "Offline Authentication" checkbox, try to auth with a known local account (not in AD).
- Auth fails. Error in GUI: "Authentication Failed." See log at 12:39:07 (Clearly XCreds is trying AD and not falling back to local here...?)
- Tick the "Offline Authentication" checkbox.
- Next, I try again to auth with the same known local account (not in AD). Auth successful.
- User logs into Mac etc.

Log:

~ % defaults read /Library/Preferences/com.twocanoes.xcreds showDebug
1
~ % tail -f /tmp/xcreds/xcreds.log
2024-07-23T12:39:07-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:333 signInButtonPressed(_:) network auth.
2024-07-23T12:39:07-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:341 networkAuth() NoMAD Login User: simr, Domain: SGC.LOC
2024-07-23T12:39:07-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:369 networkAuth() Attempt to authenticate user
2024-07-23T12:39:07-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:716 NoMADAuthenticationFailed(error:description:) AuthenticationFailed: Client ([email protected]) unknown
2024-07-23T12:39:07-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:750 NoMADAuthenticationFailed(error:description:) UnknownPrincipal
2024-07-23T12:39:07-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:763 NoMADAuthenticationFailed(error:description:) AD authentication failed, Unknown AD User.
2024-07-23T12:39:07-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:239 authFail(_:) Unknown AD User
2024-07-23T12:39:07-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:258 setLoginWindowState(enabled:)
2024-07-23T12:39:07-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:260 setLoginWindowState(enabled:)
2024-07-23T12:39:07-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:265 setLoginWindowState(enabled:)
2024-07-23T12:46:55-05:00 SecurityAgentHelper-arm64(2988): DefaultsOverride.swift:152 integer(forKey:)
2024-07-23T12:47:05-05:00:Last message repeated 6 times
2024-07-23T12:47:05-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:277 signInButtonPressed(_:) Sign In button pressed
2024-07-23T12:47:05-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:293 signInButtonPressed(_:)
2024-07-23T12:47:05-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:379 updateLoginWindowInfo() Format user and domain strings
2024-07-23T12:47:05-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:380 updateLoginWindowInfo()
2024-07-23T12:47:05-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:387 updateLoginWindowInfo()
2024-07-23T12:47:05-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:394 updateLoginWindowInfo()
2024-07-23T12:47:05-05:00 SecurityAgentHelper-arm64(2988): LogShim.swift:21 os_log(_:log:type:_:_:_:_:_:_:_:_:) Found managed preference: %{public}@:ADDomain:::::::
2024-07-23T12:47:05-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:398 updateLoginWindowInfo() Defaulting to managed domain as there is nothing else
2024-07-23T12:47:05-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:402 updateLoginWindowInfo() Using domain from managed domain
2024-07-23T12:47:05-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:295 signInButtonPressed(_:)
2024-07-23T12:47:05-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:258 setLoginWindowState(enabled:)
2024-07-23T12:47:05-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:260 setLoginWindowState(enabled:)
2024-07-23T12:47:05-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:265 setLoginWindowState(enabled:)
2024-07-23T12:47:05-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:333 signInButtonPressed(_:) network auth.
2024-07-23T12:47:05-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:341 networkAuth() NoMAD Login User: simr, Domain: SGC.LOC
2024-07-23T12:47:05-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:369 networkAuth() Attempt to authenticate user
2024-07-23T12:47:05-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:716 NoMADAuthenticationFailed(error:description:) AuthenticationFailed: Client ([email protected]) unknown
2024-07-23T12:47:05-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:750 NoMADAuthenticationFailed(error:description:) UnknownPrincipal
2024-07-23T12:47:05-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:763 NoMADAuthenticationFailed(error:description:) AD authentication failed, Unknown AD User.
2024-07-23T12:47:05-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:239 authFail(_:) Unknown AD User
2024-07-23T12:47:05-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:258 setLoginWindowState(enabled:)
2024-07-23T12:47:05-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:260 setLoginWindowState(enabled:)
2024-07-23T12:47:05-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:265 setLoginWindowState(enabled:)
2024-07-23T12:47:08-05:00 SecurityAgentHelper-arm64(2988): DefaultsOverride.swift:152 integer(forKey:)
2024-07-23T12:47:12-05:00:Last message repeated 6 times
2024-07-23T12:47:12-05:00 SecurityAgentHelper-arm64(2988): DefaultsOverride.swift:152 integer(forKey:)
2024-07-23T12:47:12-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:277 signInButtonPressed(_:) Sign In button pressed
2024-07-23T12:47:12-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:293 signInButtonPressed(_:)
2024-07-23T12:47:12-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:379 updateLoginWindowInfo() Format user and domain strings
2024-07-23T12:47:12-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:380 updateLoginWindowInfo()
2024-07-23T12:47:12-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:387 updateLoginWindowInfo()
2024-07-23T12:47:12-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:394 updateLoginWindowInfo()
2024-07-23T12:47:12-05:00 SecurityAgentHelper-arm64(2988): LogShim.swift:21 os_log(_:log:type:_:_:_:_:_:_:_:_:) Found managed preference: %{public}@:ADDomain:::::::
2024-07-23T12:47:12-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:398 updateLoginWindowInfo() Defaulting to managed domain as there is nothing else
2024-07-23T12:47:12-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:402 updateLoginWindowInfo() Using domain from managed domain
2024-07-23T12:47:12-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:295 signInButtonPressed(_:)
2024-07-23T12:47:12-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:258 setLoginWindowState(enabled:)
2024-07-23T12:47:12-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:260 setLoginWindowState(enabled:)
2024-07-23T12:47:12-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:265 setLoginWindowState(enabled:)
2024-07-23T12:47:12-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:300 signInButtonPressed(_:) do local auth only
2024-07-23T12:47:12-05:00 SecurityAgentHelper-arm64(2988): PasswordUtils.swift:432 getLocalRecord(_:) Building OD query for name simr
2024-07-23T12:47:12-05:00 SecurityAgentHelper-arm64(2988): PasswordUtils.swift:253 localNode Finding the DSLocal node
2024-07-23T12:47:12-05:00 SecurityAgentHelper-arm64(2988): PasswordUtils.swift:450 getLocalRecord(_:) Found local user: <ODRecord 0x12802e0d0 [attributes {'dsAttrTypeStandard:GeneratedUID': '304E482E-6586-4FB6-8F2A-DEA19B413070', 'dsAttrTypeNative:_xcreds_promoted_to_admin': '1', 'dsAttrTypeNative:IsHidden': '1', 'dsAttrTypeNative:accountPolicyData': '<CFData 0x1281a86c0 [0x1fcb748c0]>{length = 352, capacity = 352, bytes = 0x3c3f786d6c2076657273696f6e3d2231 ... 2f706c6973743e0a}', 'dsAttrTypeNative:shell': '/bin/zsh', 'dsAttrTypeNative:authentication_authority': [';ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2,SRP-RFC5054-4096-SHA512-PBKDF2>', ';Kerberosv5;;simr@LKDC:SHA1.A03C1D7C6223B899C4AEE361A9345C5AC42A42C2;LKDC:SHA1.A03C1D7C6223B899C4AEE361A9345C5AC42A42C2;', ';SecureToken;'], 'dsAttrTypeNative:uid': '501', 'dsAttrTypeNative:unlockOptions': '0', 'dsAttrTypeNative:name': 'simr', 'dsAttrTypeNative:_writers_UserCertificate': 'simr', 'dsAttrTypeNative:passwd': '********', 'dsAttrTypeStandard:AppleMetaNodeLocation': '/Local/Default', 'dsAttrTypeStandard:RecordType': 'dsRecTypeStandard:Users', 'dsAttrTypeNative:generateduid': '304E482E-6586-4FB6-8F2A-DEA19B413070', 'dsAttrTypeNative:_writers_hint': 'simr', 'dsAttrTypeNative:realname': 'simr', 'dsAttrTypeNative:_writers_AvatarRepresentation': 'simr', 'dsAttrTypeNative:inputSources': 'InputSourceKind Keyboard Layout KeyboardLayout ID 0 KeyboardLayout Name U.S. ', 'dsAttrTypeNative:record_daemon_version': '8780000', 'dsAttrTypeNative:gid': '20', 'dsAttrTypeStandard:RecordName': 'simr', 'dsAttrTypeNative:_writers_passwd': 'simr', 'dsAttrTypeNative:_writers_inputSources': 'simr', 'dsAttrTypeNative:_writers_picture': 'simr', 'dsAttrTypeNative:_writers_unlockOptions': 'simr', 'dsAttrTypeNative:home': '/Users/simr', 'dsAttrTypeNative:_writers_jpegphoto': 'simr', 'dsAttrTypeNative:AvatarRepresentation': '', 'dsAttrTypeNative:_xcreds_oidc_username': 'simr', 'dsAttrTypeNative:picture': '/Library/SIMR/GUI/Logos/org.stowers.tree.png'}]>
2024-07-23T12:47:12-05:00 SecurityAgentHelper-arm64(2988): LogShim.swift:21 os_log(_:log:type:_:_:_:_:_:_:_:_:) Finding user record::::::::
2024-07-23T12:47:12-05:00 SecurityAgentHelper-arm64(2988): PasswordUtils.swift:149 verifyUser(name:auth:) searching for user simr and password with count 7
2024-07-23T12:47:12-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:411 setRequiredHintsAndContext()
2024-07-23T12:47:12-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:412 setRequiredHintsAndContext() Setting hints for user: simr
2024-07-23T12:47:12-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:415 setRequiredHintsAndContext()
2024-07-23T12:47:12-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:419 setRequiredHintsAndContext()
2024-07-23T12:47:12-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:432 completeLogin(authResult:) Complete login process with allow
2024-07-23T12:47:12-05:00 SecurityAgentHelper-arm64(2988): XCredsLoginMechanism.swift:266 allowLogin() Allowing Login
2024-07-23T12:47:12-05:00 SecurityAgentHelper-arm64(2988): XCredsLoginMechanism.swift:269 allowLogin() Dismissing loginWindowWindowController
2024-07-23T12:47:12-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:452 completeLogin(authResult:)
2024-07-23T12:47:12-05:00 SecurityAgentHelper-arm64(2988): MainLoginWindowController.swift:139 loginTransition(completion:) invalidating timer
2024-07-23T12:47:12-05:00 SecurityAgentHelper-arm64(2988): MainLoginWindowController.swift:143 loginTransition(completion:)
2024-07-23T12:47:13-05:00 SecurityAgentHelper-arm64(2988): MainLoginWindowController.swift:173 loginTransition(completion:) completion
2024-07-23T12:47:13-05:00 SecurityAgentHelper-arm64(2988): XCredsBaseMechanism.swift:360 allowLogin()
2024-07-23T12:47:13-05:00 SecurityAgentHelper-arm64(2988): XCredsBaseMechanism.swift:362 allowLogin()
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): XCredsPowerControlMechanism.swift:22 run() XCredsPowerControlMechanism mech starting
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): XCredsPowerControlMechanism.swift:74 run() No special users named. pass login to the next mech.
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): XCredsBaseMechanism.swift:360 allowLogin()
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): XCredsBaseMechanism.swift:362 allowLogin()
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): MechanismCreate XCredsLoginPlugin.m:30 id:CreateUser
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): -[XCredsLoginPlugin MechanismCreate:EngineRef:MechanismId:MechanismRef:] XCredsLoginPlugin.m:111
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): ==========> Authorization Plugin CreateUser Mechanism created.<===========

2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): MechanismInvoke XCredsLoginPlugin.m:43 id:CreateUser
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): -[XCredsLoginPlugin MechanismInvoke:] XCredsLoginPlugin.m:133
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): XCredsBaseMechanism.swift:23 init(mechanism:)
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): XCredsBaseMechanism.swift:29 init(mechanism:) Setting up prefs
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): XCredsBaseMechanism.swift:270 setupPrefs()
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): XCredsCreateUser.swift:40 run() CreateUser mech starting
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): XCredsCreateUser.swift:43 run() Local Login Detected
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): XCredsBaseMechanism.swift:427 getHint(type:) No hint retrieved for: groups
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): LogShim.swift:21 os_log(_:log:type:_:_:_:_:_:_:_:_:) groups value is empty::::::::
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): XCredsBaseMechanism.swift:427 getHint(type:) No hint retrieved for: guestUser
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): XCredsCreateUser.swift:79 run() user:simr
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): DefaultsOverride.swift:20 init()
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): DefaultsOverride.swift:15 init(suiteName:)
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): DefaultsOverride.swift:25 refreshCachedPrefs()
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): DefaultsOverride.swift:29 refreshCachedPrefs() no override defined
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): LogShim.swift:21 os_log(_:log:type:_:_:_:_:_:_:_:_:) Found managed preference: %{public}@:CreateAdminUser:::::::
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): Found a createLocalAdmin key value: true
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): LogShim.swift:21 os_log(_:log:type:_:_:_:_:_:_:_:_:) Checking for CreateAdminIfGroupMember groups::::::::
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): LogShim.swift:21 os_log(_:log:type:_:_:_:_:_:_:_:_:) Computed xcredsPass accessed: %@::::::::
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): LogShim.swift:21 os_log(_:log:type:_:_:_:_:_:_:_:_:) Checking for local username::::::::
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): XCredsBaseMechanism.swift:427 getHint(type:) No hint retrieved for: passwordOverwrite
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): LogShim.swift:21 os_log(_:log:type:_:_:_:_:_:_:_:_:) Skipping local account creation::::::::
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): XCredsBaseMechanism.swift:427 getHint(type:) No hint retrieved for: aliasName
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): XCredsBaseMechanism.swift:427 getHint(type:) No hint retrieved for: networkSignIn
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): XCredsCreateUser.swift:313 updateOIDCInfo(user:) Checking for local username
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): LogShim.swift:21 os_log(_:log:type:_:_:_:_:_:_:_:_:) Results of local user check %{public}@:true:::::::
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): XCredsCreateUser.swift:334 updateOIDCInfo(user:) updating info in DS
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): DefaultsOverride.swift:134 array(forKey:)
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): XCredsCreateUser.swift:337 updateOIDCInfo(user:) Checking if member of group
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): XCredsBaseMechanism.swift:427 getHint(type:) No hint retrieved for: groups
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): XCredsCreateUser.swift:347 updateOIDCInfo(user:) checking for kerberos principal
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): XCredsBaseMechanism.swift:427 getHint(type:) No hint retrieved for: kerberos_principal
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): XCredsCreateUser.swift:356 updateOIDCInfo(user:) setting oidc full username to DS
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): XCredsBaseMechanism.swift:427 getHint(type:) No hint retrieved for: fullusername
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): XCredsCreateUser.swift:363 updateOIDCInfo(user:) checking for alias to add as a username for rogp
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): XCredsBaseMechanism.swift:427 getHint(type:) No hint retrieved for: aliasName
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): XCredsCreateUser.swift:370 updateOIDCInfo(user:) Fallback,saving account name to DS as username for ropg as needed
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): XCredsBaseMechanism.swift:427 getHint(type:) No hint retrieved for: allADAttributes
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): DefaultsOverride.swift:134 array(forKey:)
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): XCredsCreateUser.swift:397 updateOIDCInfo(user:) No AD Attributes
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): XCredsBaseMechanism.swift:427 getHint(type:) No hint retrieved for: tokens
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): XCredsCreateUser.swift:240 run() seeing if we have an alias
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): XCredsCreateUser.swift:247 run() Checking if user should be made admin
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): LogShim.swift:21 os_log(_:log:type:_:_:_:_:_:_:_:_:) Building OD query for name %{public}@:simr:::::::
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): LogShim.swift:21 os_log(_:log:type:_:_:_:_:_:_:_:_:) Finding the DSLocal node::::::::
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): XCredsCreateUser.swift:254 run() Making admin user
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): LogShim.swift:21 os_log(_:log:type:_:_:_:_:_:_:_:_:) Find the administrators group::::::::
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): LogShim.swift:21 os_log(_:log:type:_:_:_:_:_:_:_:_:) Finding the DSLocal node::::::::
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): LogShim.swift:21 os_log(_:log:type:_:_:_:_:_:_:_:_:) Adding user to administrators group::::::::
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): LogShim.swift:21 os_log(_:log:type:_:_:_:_:_:_:_:_:) Allowing login::::::::
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): XCredsBaseMechanism.swift:360 allowLogin()
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): XCredsBaseMechanism.swift:362 allowLogin()
2024-07-23T12:47:13-05:00 authorizationhosthelper.arm64(3121): LogShim.swift:21 os_log(_:log:type:_:_:_:_:_:_:_:_:) CreateUser mech complete::::::::
2024-07-23T12:47:15-05:00 SecurityAgentHelper-arm64(2988): MechanismCreate XCredsLoginPlugin.m:30 id:LoginDone
2024-07-23T12:47:15-05:00 SecurityAgentHelper-arm64(2988): -[XCredsLoginPlugin MechanismCreate:EngineRef:MechanismId:MechanismRef:] XCredsLoginPlugin.m:111
2024-07-23T12:47:15-05:00 SecurityAgentHelper-arm64(2988): ==========> Authorization Plugin LoginDone Mechanism created.<===========

2024-07-23T12:47:15-05:00 SecurityAgentHelper-arm64(2988): MechanismInvoke XCredsLoginPlugin.m:43 id:LoginDone
2024-07-23T12:47:15-05:00 SecurityAgentHelper-arm64(2988): -[XCredsLoginPlugin MechanismInvoke:] XCredsLoginPlugin.m:133
2024-07-23T12:47:15-05:00 SecurityAgentHelper-arm64(2988): XCredsBaseMechanism.swift:23 init(mechanism:)
2024-07-23T12:47:15-05:00 SecurityAgentHelper-arm64(2988): XCredsBaseMechanism.swift:29 init(mechanism:) Setting up prefs
2024-07-23T12:47:15-05:00 SecurityAgentHelper-arm64(2988): XCredsBaseMechanism.swift:270 setupPrefs()
2024-07-23T12:47:15-05:00 SecurityAgentHelper-arm64(2988): XCredsLoginDone.swift:13 run() XCredsLoginDone mech starting
2024-07-23T12:47:15-05:00 SecurityAgentHelper-arm64(2988): XCredsBaseMechanism.swift:360 allowLogin()
2024-07-23T12:47:15-05:00 SecurityAgentHelper-arm64(2988): XCredsBaseMechanism.swift:362 allowLogin()
2024-07-23T12:47:15-05:00 authorizationhosthelper.arm64(3121): MechanismCreate XCredsLoginPlugin.m:30 id:EnableFDE
2024-07-23T12:47:15-05:00 authorizationhosthelper.arm64(3121): -[XCredsLoginPlugin MechanismCreate:EngineRef:MechanismId:MechanismRef:] XCredsLoginPlugin.m:111
2024-07-23T12:47:15-05:00 authorizationhosthelper.arm64(3121): ==========> Authorization Plugin EnableFDE Mechanism created.<===========

2024-07-23T12:47:15-05:00 authorizationhosthelper.arm64(3121): MechanismInvoke XCredsLoginPlugin.m:43 id:EnableFDE
2024-07-23T12:47:15-05:00 authorizationhosthelper.arm64(3121): -[XCredsLoginPlugin MechanismInvoke:] XCredsLoginPlugin.m:133
2024-07-23T12:47:15-05:00 authorizationhosthelper.arm64(3121): XCredsBaseMechanism.swift:23 init(mechanism:)
2024-07-23T12:47:15-05:00 authorizationhosthelper.arm64(3121): XCredsBaseMechanism.swift:29 init(mechanism:) Setting up prefs
2024-07-23T12:47:15-05:00 authorizationhosthelper.arm64(3121): XCredsBaseMechanism.swift:270 setupPrefs()
2024-07-23T12:47:15-05:00 authorizationhosthelper.arm64(3121): XCredsEnableFDE.swift:19 run() EnableFDE mech starting
2024-07-23T12:47:15-05:00 authorizationhosthelper.arm64(3121): XCredsBaseMechanism.swift:360 allowLogin()
2024-07-23T12:47:15-05:00 authorizationhosthelper.arm64(3121): XCredsBaseMechanism.swift:362 allowLogin()
2024-07-23T12:47:15-05:00 authorizationhosthelper.arm64(3121): MechanismCreate XCredsLoginPlugin.m:30 id:KeychainAdd
2024-07-23T12:47:15-05:00 authorizationhosthelper.arm64(3121): -[XCredsLoginPlugin MechanismCreate:EngineRef:MechanismId:MechanismRef:] XCredsLoginPlugin.m:111
2024-07-23T12:47:15-05:00 authorizationhosthelper.arm64(3121): ==========> Authorization Plugin KeychainAdd Mechanism created.<===========

2024-07-23T12:47:15-05:00 authorizationhosthelper.arm64(3121): MechanismInvoke XCredsLoginPlugin.m:43 id:KeychainAdd
2024-07-23T12:47:15-05:00 authorizationhosthelper.arm64(3121): -[XCredsLoginPlugin MechanismInvoke:] XCredsLoginPlugin.m:133
2024-07-23T12:47:15-05:00 authorizationhosthelper.arm64(3121): XCredsBaseMechanism.swift:23 init(mechanism:)
2024-07-23T12:47:15-05:00 authorizationhosthelper.arm64(3121): XCredsBaseMechanism.swift:29 init(mechanism:) Setting up prefs
2024-07-23T12:47:15-05:00 authorizationhosthelper.arm64(3121): XCredsBaseMechanism.swift:270 setupPrefs()
2024-07-23T12:47:15-05:00 authorizationhosthelper.arm64(3121): XCredsKeychainAdd.swift:22 run() XCredsKeychainAdd mech starting
2024-07-23T12:47:15-05:00 authorizationhosthelper.arm64(3121): XCredsKeychainAdd.swift:35 run() Getting Home Dir
2024-07-23T12:47:15-05:00 authorizationhosthelper.arm64(3121): LogShim.swift:21 os_log(_:log:type:_:_:_:_:_:_:_:_:) Checking for local username::::::::
2024-07-23T12:47:15-05:00 authorizationhosthelper.arm64(3121): XCredsKeychainAdd.swift:39 run() uid: 501
2024-07-23T12:47:15-05:00 authorizationhosthelper.arm64(3121): XCredsKeychainAdd.swift:47 run() checking UID
2024-07-23T12:47:15-05:00 authorizationhosthelper.arm64(3121): XCredsKeychainAdd.swift:55 run()
2024-07-23T12:47:15-05:00 SecurityAgentHelper-arm64(2988): MechanismDestroy XCredsLoginPlugin.m:59 id:LoginWindow
2024-07-23T12:47:15-05:00 SecurityAgentHelper-arm64(2988): -[XCredsLoginPlugin MechanismDestroy:] XCredsLoginPlugin.m:185
2024-07-23T12:47:15-05:00 SecurityAgentHelper-arm64(2988): XCredsLoginMechanism.swift:68 tearDown() Got teardown request
2024-07-23T12:47:15-05:00 SecurityAgentHelper-arm64(2988): MechanismDestroy XCredsLoginPlugin.m:59 id:tries
2024-07-23T12:47:15-05:00 SecurityAgentHelper-arm64(2988): -[XCredsLoginPlugin MechanismDestroy:] XCredsLoginPlugin.m:185
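
The log above can be triaged mechanically rather than read by eye. The following is an added example, not code from the XCreds project or from the reporter: it parses lines in the xcreds.log format shown above (showDebug = 1), groups them into sign-in attempts starting at each "Sign In button pressed" line, and reports whether each attempt took the network (AD/Kerberos) path or the local-only path, how it ended, and whether a network attempt ever went on to a DSLocal lookup. The keyword matches, the field names and the sample lines (a trimmed subset of the excerpt above with the underscores the extraction dropped restored) are this example's own assumptions.

```python
"""Triage helper for XCreds debug logs (added example, not XCreds code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Line shape seen in the issue's excerpt:
# <ISO timestamp> <process>(<pid>): <file>:<line> <function> <message>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT[\d:+-]+) (?P<proc>[^(]+)\((?P<pid>\d+)\): "
    r"(?P<src>\S+:\d+) (?P<rest>.*)$"
)


@dataclass
class Attempt:
    started: str                 # timestamp of the Sign In button press
    path: str = "unknown"        # "network" (AD/Kerberos) or "local-only"
    outcome: str = "pending"     # "failed" or "allowed"
    reason: str = ""             # failure detail, if any
    local_lookup: bool = False   # did XCreds query the DSLocal node?

    def fell_back_to_local(self) -> bool:
        """True only if a network (AD) attempt went on to query DSLocal."""
        return self.path == "network" and self.local_lookup


def parse_attempts(log_text: str) -> list[Attempt]:
    attempts: list[Attempt] = []
    cur = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # blank lines, "Last message repeated N times", plugin lines
        rest = m["rest"]
        if "Sign In button pressed" in rest:
            cur = Attempt(started=m["ts"])
            attempts.append(cur)
        elif cur is None:
            continue  # lines before the first button press are not attributable
        elif rest.endswith("network auth."):
            cur.path = "network"
        elif "do local auth only" in rest:
            cur.path = "local-only"
        elif "Building OD query for name" in rest or "Finding the DSLocal node" in rest:
            cur.local_lookup = True
        elif "AD authentication failed" in rest:
            cur.outcome = "failed"
            cur.reason = rest.split("AD authentication failed, ", 1)[-1].rstrip(".")
        elif "Complete login process with allow" in rest:
            cur.outcome = "allowed"
    return attempts


def summarize(log_text: str) -> list[dict]:
    """One dict per attempt, suitable for printing or asserting on."""
    return [
        {"started": a.started, "path": a.path, "outcome": a.outcome,
         "reason": a.reason, "fell_back_to_local": a.fell_back_to_local()}
        for a in parse_attempts(log_text)
    ]


# Constructed sample: a trimmed subset of the log excerpt posted in this issue
# (one button press routed to AD, one with the Offline Authentication box
# ticked), with the underscores the extraction dropped restored.
SAMPLE_LOG = """\
2024-07-23T12:47:05-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:277 signInButtonPressed(_:) Sign In button pressed
2024-07-23T12:47:05-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:333 signInButtonPressed(_:) network auth.
2024-07-23T12:47:05-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:341 networkAuth() NoMAD Login User: simr, Domain: SGC.LOC
2024-07-23T12:47:05-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:763 NoMADAuthenticationFailed(error:description:) AD authentication failed, Unknown AD User.
2024-07-23T12:47:05-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:239 authFail(_:) Unknown AD User
2024-07-23T12:47:12-05:00:Last message repeated 6 times
2024-07-23T12:47:12-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:277 signInButtonPressed(_:) Sign In button pressed
2024-07-23T12:47:12-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:300 signInButtonPressed(_:) do local auth only
2024-07-23T12:47:12-05:00 SecurityAgentHelper-arm64(2988): PasswordUtils.swift:432 getLocalRecord(_:) Building OD query for name simr
2024-07-23T12:47:12-05:00 SecurityAgentHelper-arm64(2988): PasswordUtils.swift:253 localNode Finding the DSLocal node
2024-07-23T12:47:12-05:00 SecurityAgentHelper-arm64(2988): SignInWindowController.swift:432 completeLogin(authResult:) Complete login process with allow
"""

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

Run against a full /tmp/xcreds/xcreds.log (for example `python3 triage.py < xcreds.log` after swapping SAMPLE_LOG for `sys.stdin.read()`), a sequence of `path == "network"` attempts that end `failed` with `fell_back_to_local` false, followed by a `local-only` attempt that is `allowed`, is exactly the pattern the reporter describes: AD was tried, the failure was terminal, and only the checkbox produced a DSLocal lookup.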

@twocanoes
Owner

How would the log go? If you are offline (can't reach IdP) but can reach the DC, shouldn't auth be attempted to the DC? Or should there be a way to not try AD if it is online but no user account?

@davelebbing
Collaborator

@dstranathan I tried this and everything worked as expected. With Entra and AD set up I enabled XCreds settings for LocalFallback and shouldDetectNetworkToDetermineLoginWindow. I created a local-only user and set Ethernet to Inactive. After logging out I was shown the local XCreds sign in screen. I could enter the name and password for the local-only non-AD user and did not need to check the Offline Authentication box. Please confirm if any of what I describe is different than your scenario.

@davelebbing davelebbing assigned davelebbing and unassigned twocanoes Jul 25, 2024
@dstranathan
Author

dstranathan commented Jul 30, 2024

@davelebbing Was out a couple days. Back now. What you summarized is similar to what I am doing. I'm planning on deploying build 7105 today and getting another qualified test user in the mix this week.

Relevant keys:

<key>shouldAllowKeyComboForMacLoginWindow</key>
<true/>
<key>shouldDetectNetworkToDetermineLoginWindow</key>
<true/>
<key>shouldPreferLocalLoginInsteadOfCloudLogin</key>
<false/>
<key>shouldShowCloudLoginByDefault</key>
<true/>
<key>shouldShowLocalOnlyCheckbox</key>
<true/>
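Those keys are the knobs that decide whether a user ever sees the "Offline Authentication" checkbox, which is the point the reporter's InfoSec team objects to. The following is an added example, not code from XCreds: it reads either the flat key/value set from /Library/Preferences/com.twocanoes.xcreds or a .mobileconfig carrying those keys, and reports the combinations that bear on the localFallback question in this issue. The sample profile wraps the fragment above in a minimal managed-preferences payload; the wrapper, the convention of using the preference domain as PayloadType, the localFallback entry and the policy wording are this example's assumptions.

```python
"""Lint XCreds login-window preference keys (added example, not XCreds code)."""
from __future__ import annotations

import plistlib
import sys

# Preference domain from the `defaults read` path shown in the issue.
XCREDS_DOMAIN = "com.twocanoes.xcreds"

# Constructed sample: the key fragment posted above, wrapped in a minimal
# managed-preferences profile.  The wrapper, the PayloadType convention and
# the localFallback entry are assumptions for this example.
SAMPLE_MOBILECONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.xcreds.sample</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.twocanoes.xcreds</string>
      <key>PayloadIdentifier</key><string>example.xcreds.sample.prefs</string>
      <key>localFallback</key><true/>
      <key>shouldAllowKeyComboForMacLoginWindow</key><true/>
      <key>shouldDetectNetworkToDetermineLoginWindow</key><true/>
      <key>shouldPreferLocalLoginInsteadOfCloudLogin</key><false/>
      <key>shouldShowCloudLoginByDefault</key><true/>
      <key>shouldShowLocalOnlyCheckbox</key><true/>
    </dict>
  </array>
</dict>
</plist>
"""


def prefs_from_plist(obj: dict) -> dict:
    """Return the XCreds keys from a flat plist dict or a mobileconfig dict."""
    payloads = obj.get("PayloadContent")
    if isinstance(payloads, list):
        for payload in payloads:
            if isinstance(payload, dict) and payload.get("PayloadType") == XCREDS_DOMAIN:
                # Drop the profile bookkeeping keys; keep only the preference keys.
                return {k: v for k, v in payload.items() if not k.startswith("Payload")}
        raise ValueError(f"no {XCREDS_DOMAIN} payload found in profile")
    return dict(obj)


def prefs_from_bytes(data: bytes) -> dict:
    """Parse raw plist bytes (XML or binary) and extract the XCreds keys."""
    return prefs_from_plist(plistlib.loads(data))


def lint_login_window_prefs(prefs: dict) -> list[str]:
    """Report key combinations relevant to localFallback and the offline checkbox."""
    checkbox = bool(prefs.get("shouldShowLocalOnlyCheckbox", False))
    fallback = bool(prefs.get("localFallback", False))
    detect = bool(prefs.get("shouldDetectNetworkToDetermineLoginWindow", False))
    findings: list[str] = []
    if checkbox:
        findings.append(
            "shouldShowLocalOnlyCheckbox=true: the 'Offline Authentication' checkbox is "
            "shown, so a user can choose local authentication whether or not the Mac is "
            "actually offline")
    if fallback and not detect:
        findings.append(
            "localFallback=true without shouldDetectNetworkToDetermineLoginWindow=true: "
            "the working configuration reported in this issue enabled both; confirm "
            "network detection is on before expecting automatic fallback")
    if fallback and checkbox:
        findings.append(
            "localFallback=true and shouldShowLocalOnlyCheckbox=true: if fallback works "
            "the checkbox is redundant; if it does not (the Cloud IdP + AD case in this "
            "issue) the checkbox is the only way in for local-only accounts")
    return findings


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_MOBILECONFIG
    for finding in lint_login_window_prefs(prefs_from_bytes(data)) or ["no findings"]:
        print(finding)
```

Pointing the script at `localfallback-azad.mobileconfig` or at an exported copy of the live preferences (`defaults export com.twocanoes.xcreds -` on the test Mac) gives a quick way to compare the reporter's and the collaborator's configurations key by key before arguing about behaviour.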

@dstranathan
Author

dstranathan commented Aug 7, 2024

Did another test on 7130. Same issue persists. Unable to log in with a local-only account unless the "Offline Auth" box is ticked.

To clarify what I mean by "Fallback": Falling back from the Azure IdP web view to the local/AD UI works when XCreds knows the Mac is truly "offline". That's not a problem. It's when I'm trying to use a local account (i.e., an IT hidden admin/service account, etc.):

- When I'm on my home Wi-fi (no VPN or domain access), the error is "Cant reach domain controller"
- When I'm 100% "offline" (No IP or route), the error is "Cant reach domain controller"
- When I'm on the LAN/Domain, the error is "Authentication failed"

Once I tick the "Offline Auth" box manually, then I can log in with any local-only account.

In the past this behavior worked: If a domain wasn't located, then XCreds would "fall back" and next look for a local match in dscl and then log them in if it was found and the password matched.

This is 100% reproducible on all 10 of my test Macs (laptops, desktops, Wi-fi, Ethernet, Ventura, Sonoma, Sequoia).

@davelebbing
Collaborator

Not able to reproduce on build 7130. Tested with the attached mobileconfig and did not need to click the offline auth checkbox. Tested with a non AD local user and with an AD user. Tested with normal network access and with Ethernet interface disabled.

localfallback-azad.mobileconfig.txt

@dstranathan
Author

dstranathan commented Aug 8, 2024

I'm using the exact same settings, as are my group of test users. We can all reproduce the issue.

To clarify, these are Macs that are using an Azure IdP and AD for Kerberos. Not sure if you are testing this or not (but your example config looks like you are).

I also manage Macs in another org that are 100% Azure (no AD), and this problem does not exist - users can fall back to a local account (including local-only accounts) without clicking the "Offline Auth" checkbox.

I'd be more than happy to arrange a Zoom to demonstrate this.

@davelebbing davelebbing added this to the XCreds 5.1 milestone Aug 15, 2024
@dstranathan
Author

dstranathan commented Aug 30, 2024

I just tested again on Build 7176. Behavior is the same.

When sitting at the XCreds local/AD UI (name + password fields), I can't use a known local account unless I check the Offline Auth box first. It appears to me that XCreds is trying to find the local account in AD, and then not falling back to look for a local account. Once I check the "Offline Auth" box, the local account can log in as expected.

- If the Mac is on the AD domain, it fails with "Authentication failed"
- If the Mac is off the domain (home network etc.) it fails with "Cannot reach domain controller"
- This error applies to both local-only accounts (not in AD) and AD users who have local accounts.
- I can log in with a local-only user when using an XCreds config that is 100% AD, but not with Azure/AD combined.

I'll send logs via Slack now.

@davelebbing davelebbing modified the milestones: XCreds 5.1, XCreds Future Oct 22, 2024