Kerberos SSO default realm issue

msergi
New Contributor III

Hi Everyone,

Wondering if anyone has recently experienced an issue with Apple Kerberos SSO for macOS not recognizing the default realm set in the Jamf config profile?

I have been testing this in advance of replacing Enterprise Connect. I had it set up and working perfectly with our single domain, got everything working how I wanted it (live password testing, etc.), and had several test users reset their passwords successfully.

Now this week, when I went to change my own password, I got the message in the screenshot. Nothing in the config profile has changed. Has anyone seen this, or does anyone have any suggestions?
All clients are on the latest version of Catalina.

Thanks!

1 ACCEPTED SOLUTION

Jason33
Contributor III

Yes, I ran into this in July. You have to create a file called krb5.conf and place it in /etc. The content of the file should look like this:
[libdefaults]
default_realm=YOUR.REALM.NAME

Package that up in Composer and deploy to your machines that have the kerberos extension enabled.


10 REPLIES

msergi
New Contributor III

Thanks for the quick response, I will try that right now! Did you find info via support from Apple or Jamf or something? There is nothing like that in any of the documentation :(

Jason33
Contributor III

Apple Support. Apparently the fix will be released with Big Sur.

gabester
Contributor III

@Jason33 I wish there was a dislike button... That is NOT the way. Not your fault, I know, but discouraging that so many of Apple's solutions today are just "(complete a major) upgrade to the next thing" rather than using the barest sliver of their profitability to fix bugs and issues for older versions.

Jason33
Contributor III

@Sterritt I completely agree. Not everyone is going to upgrade to the next major release, and businesses certainly will not jump on it right away. This should be fixed by Apple in Catalina, no question.

AdamCraig
Contributor III

Just found this. I tried this solution, but I'm still getting this error. Using Jamf Connect 2.0.1 on 10.15.7.

AdamCraig
Contributor III

Never mind, I think I had an error in my krb5.conf file. :facepalm: Re-did it all and it worked.

MikaelDez
Contributor

@Jason33 I just tried this, packaged it with Composer and I still get the default realm is missing. Laptop is on Catalina because my Comm Media professors are adamantly refusing Big Sur for software compatibility - any ideas?

Thanks,
Mike

bigmikeey
New Contributor II

To save time and for deployment speed, I scripted it instead of making a package. No Composer work needed. Also, if Jamf Connect is already running, then it would seem like the fix is not working. @MikaelDez, you will need to "quit" Jamf Connect or, better yet, unload it first. So the full solution is below.

#!/bin/bash

#Find the Current users ID.
currentUser=$( /usr/bin/stat -f %Su "/dev/console" )
userID=$( /usr/bin/id -u "$currentUser" )

#Unload the Jamf Connect Menu bar app
/bin/launchctl bootout gui/"$userID" /Library/LaunchAgents/com.jamf.connect.plist

#Create the Kerberos file
touch /etc/krb5.conf

#Write the content into the file
cat << 'EOT' >/etc/krb5.conf
 
[libdefaults]
default_realm=MCSLTD.INTERNAL

EOT

#wait 2 seconds
sleep 2

#Kill any running instance with the name Jamf Connect
pkill "Jamf Connect"

#Re-launch Jamf Connect Menu bar app (by launching the LaunchAgent)
/bin/launchctl bootstrap gui/"$userID" /Library/LaunchAgents/com.jamf.connect.plist

exit 0
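
A check for the deployed file, as an added example that is not part of the original posts: it confirms that default_realm sits under [libdefaults], that the file is a regular file other local users cannot modify, and it creates the file only when none exists so an existing krb5.conf is not overwritten. The function names are hypothetical, and the file path and realm are passed in as arguments.

```bash
#!/bin/bash
# Added example, not from the thread. Function names are hypothetical.

# Print the default_realm set under [libdefaults]; return non-zero if there is none.
krb5_default_realm() {
    awk '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*\[/   { sec = $0                    # section header such as [libdefaults]
                        sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        sec == "libdefaults" && /^[ \t]*default_realm[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, "")
            if ($0 != "") { print; found = 1; exit }
        }
        END { exit !found }
    ' "$1"
}

# Return 0 only if FILE is a regular file (not a symlink), is not group- or
# world-writable, and sets EXPECTED as the default realm.
krb5_conf_ok() {
    local file=$1 expected=$2 realm
    if [ ! -f "$file" ] || [ -L "$file" ]; then
        echo "FAIL: $file is missing or not a regular file" >&2; return 1
    fi
    if [ -n "$(find "$file" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "FAIL: $file is group- or world-writable" >&2; return 1
    fi
    realm=$(krb5_default_realm "$file") ||
        { echo "FAIL: no default_realm under [libdefaults]" >&2; return 1; }
    [ "$realm" = "$expected" ] ||
        { echo "FAIL: default_realm is '$realm', expected '$expected'" >&2; return 1; }
    echo "OK: default_realm=$realm"
}

# Create FILE with mode 644 only if it does not exist, so an existing
# krb5.conf (which may carry other settings) is never overwritten.
krb5_conf_create() {
    local file=$1 realm=$2
    [ -e "$file" ] && return 0
    ( umask 022; printf '[libdefaults]\ndefault_realm=%s\n' "$realm" > "$file" )
}
```

Run as root from a policy script, for example `krb5_conf_create /etc/krb5.conf YOUR.REALM.NAME && krb5_conf_ok /etc/krb5.conf YOUR.REALM.NAME`, and use the exit status to decide whether to relaunch the menu bar app.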


This worked great, thanks!