Jamf Nation Community

msergi · ‎09-25-2020

Hi Everyone,

Wondering if anyone has recently experienced an issue with Apple Kerberos SSO for macOS not recognizing the default realm set in the Jamf config profile?

I have been testing this in advance of replacing enterprise connect, and had it set up and working perfectly with our single domain, got everything working how I wanted it, live password testing etc, and had several test users reset their password successfully.

Now this week when I went to change my own password, I got the message in the screenshot. Nothing in the config profile has changed, has anyone seen this or have any suggestions?
all clients are on Catalina latest version

Thanks!

Jason33 · ‎09-25-2020

Yes, I ran into this in July. You have to create a file called krb5.conf and place it in /etc. The content of the file should look like this:
[libdefaults]
default_realm=YOUR.REALM.NAME

Package that up in Composer and deploy to your machines that have the kerberos extension enabled.

View solution in original post

Jason33 · ‎09-25-2020

Yes, I ran into this in July. You have to create a file called krb5.conf and place it in /etc. The content of the file should look like this:
[libdefaults]
default_realm=YOUR.REALM.NAME

Package that up in Composer and deploy to your machines that have the kerberos extension enabled.

msergi · ‎09-25-2020

thanks for the quick response, I will try that right now! did you find info via support from apple or jamf or something? There is nothing like that in any of the documentation :(

Jason33 · ‎09-25-2020

Apple Support. Apparently the fix will be released with Big Sur.

gabester · ‎09-30-2020

@Jason33 I wish there was a dislike button... That is NOT the way. Not your fault, I know, but discouraging that so many of Apple's solutions today are just "(complete a major) upgrade to the next thing" rather than using their the barest sliver of their profitability to fix bugs and issues for older versions.

Jason33 · ‎09-30-2020

@Sterritt I completely agree. Not everyone is going to upgrade to the next major release, and certainly not businesses will jump on it right away. This should be fixed by Apple in Catalina, no question.

AdamCraig · ‎11-02-2020

Just found this. I tried this solution, but i'm still getting this error. using Jamf Connect 2.0.1 on 10.15.7

AdamCraig · ‎11-02-2020

Nevermind, I think I had an error in my krb5.conf file. :facepalm: re-did it all and it worked.

MikaelDez · ‎05-28-2021

@Jason33 I just tried this, packaged it with Composer and I still get the default realm is missing. Laptop is on Catalina because my Comm Media professors are adamantly refusing Big Sur for software compatibility - any ideas?

Thanks,
Mike

bigmikeey · ‎07-20-2021

To save time and for deployment speed I scripted it instead of making a package. No composer work needed. Also if Jamf Connect is already running then it would seem like the fix is not working @MikaelDez you will need to "quite" Jamf Connect or better yet unload it first. So the full solution is below.

#!/bin/bash

#Find the Current users ID.
currentUser=$( /usr/bin/stat -f %Su "/dev/console" )
userID=$( /usr/bin/id -u "$currentUser" )

#Unload the Jamf Connect Menu bar app
/bin/launchctl bootout gui/"$userID" /Library/LaunchAgents/com.jamf.connect.plist

#Create the Kerberos file
touch /etc/krb5.conf

#Write the content into the file
cat << 'EOT' >/etc/krb5.conf
 
[libdefaults]
default_realm=MCSLTD.INTERNAL

EOT

#wait 2 seconds
sleep 2

#Kill any running instance with the name Jamf Connect
pkill "Jamf Connect"

#Re-launch Jamf Connect Menu bar app (by launching the LaunchAgent)
/bin/launchctl bootstrap gui/"$userID" /Library/LaunchAgents/com.jamf.connect.plist

exit 0

MrRoboto · ‎11-04-2021

This worked great, thanks!

Jamf Nation Community

Kerberos SSO default realm issue