authpolicy: Samba dumps the machine password

Issue description
in debug logs.
May 19 2018
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/ad23290877f6c028af1671d212f6dcf82659ec1c

commit ad23290877f6c028af1671d212f6dcf82659ec1c
Author: Lutz Justen <ljusten@chromium.org>
Date: Sat May 19 10:37:39 2018

authpolicy: Anonymize machine password

Anonymizes the machine password logged by Samba.

BUG= chromium:843614
TEST=authpolicy_debug 3 in crosh to enable debug logs,
     make domain join fail, e.g. by setting a non-existing computer ou
     in advanced settings,
     grep password -i /var/log/authpolicy.log
     Make sure it doesn't show the real password, should say <PASSWORD>

Change-Id: Ife5f35a31db841c0d4e02377fb632968b7c6b472
Reviewed-on: https://chromium-review.googlesource.com/1065817
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Tested-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Roman Sorokin <rsorokin@chromium.org>

[modify] https://crrev.com/ad23290877f6c028af1671d212f6dcf82659ec1c/authpolicy/samba_interface.cc
May 21 2018
May 21 2018
I have attempted to verify this bug. When domain join failed, it doesn't show any password information:

  2018-05-21T18:19:46.296010+00:00 INFO authpolicyd[3527]: authpolicyd starting
  2018-05-21T18:20:13.496273+00:00 INFO authpolicyd[3527]: #033[107;1;30mReceived 'JoinADDomain' request#033[0m
  2018-05-21T18:20:27.373290+00:00 INFO authpolicyd[3527]: libminijail[2]: child process 12 exited with status 255
  2018-05-21T18:20:27.373640+00:00 ERR authpolicyd[3527]: net ads join failed: computer OU does not exist
  2018-05-21T18:20:27.373725+00:00 INFO authpolicyd[3527]: #033[41;1;97mJoinADDomain failed with code 30#033[0m

Is it good enough for verification? Please find authpolicy.log attached.

Chrome OS: 10701.0.0
Chrome: 68.0.3436.0
Device: Robo360
May 22 2018
Looks like the debug logs were not enabled. To enable debug logs before domain join, you have to be in dev mode. Open the console with CTRL + ALT + --> (F2 key), login as root and enter 'sudo -u chronos crosh', then 'authpolicy_debug 3'. Subsequent authpolicy logs should then start with a list of debug flags, e.g.

  2018-05-18T13:22:18.518786+00:00 INFO authpolicyd[3050]: Received 'JoinADDomain' request
  2018-05-18T13:22:18.518976+00:00 INFO authpolicyd[3050]: Debug flags:
  2018-05-18T13:22:18.519015+00:00 INFO authpolicyd[3050]: disable_seccomp OFF
  2018-05-18T13:22:18.519043+00:00 INFO authpolicyd[3050]: log_seccomp ON
  2018-05-18T13:22:18.519072+00:00 INFO authpolicyd[3050]: trace_krb5 ON
  2018-05-18T13:22:18.519101+00:00 INFO authpolicyd[3050]: log_policy_values ON
  2018-05-18T13:22:18.519129+00:00 INFO authpolicyd[3050]: log_commands ON
  2018-05-18T13:22:18.519158+00:00 INFO authpolicyd[3050]: log_command_output OFF
  2018-05-18T13:22:18.519194+00:00 INFO authpolicyd[3050]: log_command_output_on_error ON
  2018-05-18T13:22:18.519254+00:00 INFO authpolicyd[3050]: log_gpo ON
  2018-05-18T13:22:18.519292+00:00 INFO authpolicyd[3050]: disable_anonymizer OFF
  2018-05-18T13:22:18.519322+00:00 INFO authpolicyd[3050]: net_log_level 10

Then do what you did above. Note that debug logs are disabled after 30 minutes or on reboot.

Make sure the logs contain this:

  2018-05-18T13:22:23.032612+00:00 INFO authpolicyd[3050]: libnet_JoinCtx: struct libnet_JoinCtx
  2018-05-18T13:22:23.032617+00:00 INFO authpolicyd[3050]: in: struct libnet_JoinCtx
  2018-05-18T13:22:23.032622+00:00 INFO authpolicyd[3050]: dc_name : NULL
  2018-05-18T13:22:23.032627+00:00 INFO authpolicyd[3050]: machine_name : '<MACHINE_NAME>'
  2018-05-18T13:22:23.032632+00:00 INFO authpolicyd[3050]: domain_name : *
  2018-05-18T13:22:23.032638+00:00 INFO authpolicyd[3050]: domain_name : '<DEVICE_REALM>'
  2018-05-18T13:22:23.032643+00:00 INFO authpolicyd[3050]: domain_name_type : JoinDomNameTypeDNS (1)
  2018-05-18T13:22:23.032649+00:00 INFO authpolicyd[3050]: account_ou : NULL
  2018-05-18T13:22:23.032654+00:00 INFO authpolicyd[3050]: admin_account : '<USER_SAM_ACCOUNT_NAME>@<USER_REALM>'
  2018-05-18T13:22:23.032660+00:00 INFO authpolicyd[3050]: admin_domain : NULL
  2018-05-18T13:22:23.032664+00:00 INFO authpolicyd[3050]: machine_password : '<PASSWORD>'
  2018-05-18T13:22:23.032669+00:00 INFO authpolicyd[3050]: join_flags : 0x00000023 (35)

In particular, the line

  machine_password : '<PASSWORD>'

should not be

  machine_password : '<some Chinese-looking random characters like 歧捍쀇ᴤ訒䏠厚핪瓯杄⮎꿗裢౨㊗謹表鹭鼦䀯఼ﺫ䳿ꨜ'>'
May 22 2018
Thanks! It looks correct:

  localhost / # grep -i machine_password /var/log/authpolicy.log
  2018-05-22T17:37:43.222001+00:00 INFO authpolicyd[3777]: #033[35m machine_password : '<PASSWORD>'#033[0m
  localhost / #

Chrome: 68.0.3437.0
Chrome OS: 10704.0.0
Device: Robo360
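
The grep check used for verification in this thread can be automated so that a regression is reported without echoing the leaked value back to a terminal or CI log. The following is an added example, not code from the authpolicy project; the sample log lines are constructed, and treating NULL as an acceptable value for an unset field is an assumption.

```python
import re
import sys

# Syslog writes the ESC byte as "#033"; strip that form and raw ESC colour codes.
ANSI = re.compile(r"(?:#033|\x1b)\[[0-9;]*m")
# The Samba struct dump prints "field : value"; match the field case-insensitively.
FIELD = re.compile(r"machine_password\s*:\s*(.*)$", re.IGNORECASE)
# '<PASSWORD>' is the placeholder shown on the page; NULL (unset) is an assumption.
REDACTED = {"'<PASSWORD>'", "NULL"}


def find_unredacted(lines):
    """Return (line_number, value_length) for every machine_password line whose
    value is not a known placeholder. The value itself is never returned."""
    findings = []
    for lineno, raw in enumerate(lines, 1):
        match = FIELD.search(ANSI.sub("", raw.rstrip("\r\n")))
        if match:
            value = match.group(1).strip()
            if value not in REDACTED:
                findings.append((lineno, len(value)))
    return findings


# Constructed sample lines modelled on the excerpts quoted in the thread.
SAMPLE_OK = [
    "2018-05-22T17:37:43.221990+00:00 INFO authpolicyd[3777]: "
    "#033[35m admin_domain : NULL#033[0m",
    "2018-05-22T17:37:43.222001+00:00 INFO authpolicyd[3777]: "
    "#033[35m machine_password : '<PASSWORD>'#033[0m",
]
SAMPLE_LEAK = SAMPLE_OK + [
    "2018-05-22T17:37:43.222050+00:00 INFO authpolicyd[3777]: "
    "machine_password : 'constructed-not-a-real-secret'",
]


def main(path):
    """Scan a log file; exit status 1 means at least one value was not anonymized."""
    with open(path, encoding="utf-8", errors="replace") as log:
        findings = find_unredacted(log)
    for lineno, length in findings:
        print(f"{path}:{lineno}: machine_password not anonymized "
              f"({length} chars, value withheld)")
    return 1 if findings else 0


if __name__ == "__main__" and len(sys.argv) == 2:
    sys.exit(main(sys.argv[1]))
```

An empty result is only meaningful if the log actually contains the libnet_JoinCtx dump, which requires debug logs to be enabled as described above.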
Comment 1 by ljusten@chromium.org, May 16 2018