FileVault 2 uses the GeneratedUID user attribute to save who is permitted to unlock an encrypted volume. If the GeneratedUID of a user differs from what was generated (or pulled from LDAP) when FileVault 2 was enabled, the user will not be permitted to unlock the machine, as their account will appear to be unavailable at the EFI menu. Also, this causes the crash of System Preferences on their Mac whenever they try to access the Security & Privacy prefpane.
This problem arises when /usr/bin/mcxrefresh runs and pulls from LDAP either a null value or a value different from what is stored locally (if the attribute isn't defined for the user in question or is defined incorrectly, respectively), overwriting the GeneratedUID stored locally (which is generated and only stored locally when FileVault 2 is enabled without a matching LDAP attribute).
In other words, if an apple-generateduid value exists in LDAP for a user and is mapped properly on the user's Mac to the GeneratedUID attribute, FileVault 2 will not generate a new value, but will instead use the value stored in LDAP.
I was able to resolve this issue by adding an attribute called apple-generateduid to the LDAP entry of any user experiencing this issue. I could generate a random value for this attribute in Python by running the following one-liner from my terminal:
python -c 'import uuid; print(str(uuid.uuid4()).upper())'
This isn't the only step, however. You must also add a mapping for this attribute on the client side. This is easily done using the following steps:
- Open System Preferences.
- Click Users & Groups.
- Click Login Options.
- Click on the Unlock Icon.
- Under Network Account Server, click Edit.
- Click to highlight your directory server.
- Under Services, double-click on your directory service (in my case, it was LDAPv3).
- In the window that slides open, highlight your configuration name, and then click the Edit... button.
- Under Search & Mappings scroll down and single-click on Users to highlight it.
- Click the Add button (the left one).
- Choose GeneratedUID from the list of available Attribute Types.
- In the right column, click the Add button, and type apple-generateduid. Click OK to save the changes until you're back at the main System Preferences dialog.
- At this point a mapping from GeneratedUID to apple-generateduid has been created. Now when OS X looks up the GeneratedUID value, it will get the value of apple-generateduid from the user in question's LDAP entry.
Finally, it's important that the locally stored value of GeneratedUID and the value stored in LDAP match. Run the following command and make sure the two GeneratedUID values match:
dscl /Search search /Users GeneratedUID $(dscl . read /Users/$(echo $USER) GeneratedUID | cut -d " " -f2)
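As an added example (not code from the original post), the following Python check parses the two dscl outputs the post compares, classifies the result into the failure modes described above (attribute missing in LDAP, malformed, or mismatched against the local value), and, where LDAP has no value, builds the LDIF record to add apple-generateduid to the user's entry. It assumes dscl's "Key: value" output format; the user DN used when calling it is a hypothetical example.

```python
# Added example (not the original post's code). Inputs are the text output of
#   dscl . read /Users/<name> GeneratedUID        (value stored locally)
#   dscl /Search read /Users/<name> GeneratedUID  (value resolved from LDAP)
# passed in as strings, so the check also runs offline on captured output.
import re
import uuid

# Canonical upper-case UUID form, as produced by the post's one-liner.
UUID_RE = re.compile(r"^[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}$")

def parse_generated_uid(dscl_output):
    """Return the GeneratedUID value from `dscl ... read` output, or None when
    the attribute is absent or empty (the null value mcxrefresh would pull)."""
    for line in dscl_output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "GeneratedUID":
            return value.strip() or None
    return None

def new_generated_uid():
    """Same as the post's one-liner: a random UUID, upper-cased."""
    return str(uuid.uuid4()).upper()

def ldif_add_generateduid(user_dn, value):
    """LDIF modify record that adds apple-generateduid to a user entry.
    The DN layout is up to your directory; the attribute name is the post's."""
    return "\n".join([f"dn: {user_dn}", "changetype: modify",
                      "add: apple-generateduid", f"apple-generateduid: {value}", ""])

def check_generateduid(local_output, ldap_output):
    """Classify the local/LDAP pair as ok, missing-in-ldap, malformed-in-ldap or
    mismatch; anything but ok leaves the user unable to unlock FileVault 2.
    When LDAP has no value, suggest one to add: the existing local value if
    present (so the two keep matching), otherwise a freshly generated one."""
    local = parse_generated_uid(local_output)
    remote = parse_generated_uid(ldap_output)
    if remote is None:
        status = "missing-in-ldap"   # mcxrefresh overwrites the local value with null
    elif not UUID_RE.match(remote):
        status = "malformed-in-ldap"
    elif local != remote:
        status = "mismatch"          # the user no longer appears at the EFI unlock menu
    else:
        status = "ok"
    suggested = (local or new_generated_uid()) if status == "missing-in-ldap" else None
    return {"local": local, "ldap": remote, "status": status, "suggested": suggested}
```

Feed it the real dscl output for a user and, on "missing-in-ldap", pass result["suggested"] to ldif_add_generateduid to produce the record for your directory.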
Is it definitely the Late-2011 model and not the Early-2011 model? The Early-2011 model had an intermittent problem with interference on the hard drive flex cable. It would usually only cause problems when a 6G SSD is fitted. Because it is the boot drive, you can find the interference causes boot problems, sometimes locking up or beach balling (the coloured circle going around).
If this is the case, the Late-2011 hard drive flex cable resolved this problem, so a replacement cable should sort it... but if it's not working in the optical caddy either, then something else is going on (unless you have the 2.3GHz i5 Early-2011 machine, in which case that's the only 2011 machine with a 3G SATA port in the optical bay, so your 6G drive wouldn't work in it). Can you confirm the generation? Or the serial number will help identify the exact range and processor speed.
You can sometimes fix the interference problem by insulating the flex cable a bit... or, for testing the machine, connect your SSD to the hard drive flex cable, but instead of fitting it to the machine, leave the drive sitting on the side out of the casing unit so it's away from the cable itself, as this will eliminate most of the direct interference issues.
I hope this helps. If you check your machine generation, just let me know and I will see if I can help any further.
Best Answer
I haven’t come across this, but it may be worth trying to create an additional Admin account and logging into that to reset your password on your current account.
How to create an additional Admin account
You can do this by tricking your Mac into thinking it's being set up as new:
- Type /sbin/mount -uw / and then press the enter key.
- Type rm /var/db/.AppleSetupDone and then press the enter key.
- Type reboot and then press the enter key.
Once you've done the above, try starting up and logging in as the new admin user. Assuming you can, then see if you can edit the password in your old account (just try changing it to your existing password).
[UPDATE]
Since we've established that even trying to boot into Single User Mode isn't working for you and that trying to do so results in the normal login screen appearing, I think we'd better investigate the possibility that your keyboard is faulty. This would explain your password not being accepted and the fact that pressing keys during startup may not have the desired result.
The best way to test this is to connect a USB keyboard and try using that. If you haven't got one, any cheap USB keyboard will do.