Just a heads up, we started experiencing SSO issues with systems that had upgraded to build 18G9216 this week. Many of our devices that are bound to Active Directory started experiencing hangs during kerberos actions (visiting internal SSO-enabled sites, or running klist/kdestroy).
We applied a workaround as found here, which has been successful in limited testing: https://forums.macrumors.com/threads/mojave-security-update-2021-004.2297615/
I have a case open with Apple with no response yet.
We have started to upgrade users to Big Sur, but will test this fix on the next couple users. Are you pushing a payload-less policy with pipes as separators? I wouldn't be able to push a script, since our file share cannot be mounted due to this bug.
No, I pushed a modified version of the script from that page, including capturing a backup of each file before modifying (and creating a rollback version to replace the files later). But you shouldn't need a file share for a script, since they are just downloaded from the web server nowadays, unless you're doing something very different than we are.
I hadn't even thought about file shares to be honest, we use scripts to download packages from our Azure CDN and don't use file shares much anymore. But yeah, SMB file shares would leverage kerberos authentication.
We are seeing this as well today. It seems to have been caused by the update 'macOS Mojave Security Update 2021-004-10.14.6' and affects in our case AD bound computers with mobile accounts turned on.
Weirdly, it only seems to affect computers that are on the network though. In testing, it seems that if you're off site and using the cached credentials (i.e. all our at-home staff) it's OK, but if you have the cache and the machine can see the domain then it hangs.
The fix from the macrumors thread about removing use_kcminit from those two files works but I'm unsure exactly what that is achieving. Having applied it to a test laptop it seems to fix the issue without breaking the use of the cached login, as my main fear is putting a policy in place which suddenly renders all our off-site kit useless.
Strange thing is that it only appears to affect Macs that are AD bound. On devices that are not AD bound I see no problems with kerberos. On the AD bound test Mac even a simple 'klist' gets stuck :(
Since this week we also see issues with our Mojave Macs (AD bound, mobile accounts) when they are connected to our corporate network (VPN or WiFi in the office). klist just gets stuck, even after a fresh reboot and Internet only.
It seems they also have installed the 2021-004 update!
We are also seeing this and have also implemented the workaround: https://forums.macrumors.com/threads/mojave-security-update-2021-004.2297615/
We just made it a self service policy to run if needed.
This was the push we needed to get users to upgrade to Big Sur. Blessing in disguise!
Same problem here -- failed login on AD-bound machines running Mojave that had taken update 2021-004 (build 18G9216). We are keeping part of our fleet on Mojave for one last year while we move users from their old 32-bit apps to alternatives, so an immediate OS upgrade was not an option for all of our machines.
We have successfully tested and deployed the following short script:
#!/bin/bash
# strip the use_kcminit option from the two PAM files, then bounce the Kerberos daemons
sed -i '' "s/use_kcminit//" "/etc/pam.d/authorization"
sed -i '' "s/use_kcminit//" "/etc/pam.d/screensaver"
pkill coreauthd
pkill kcm
pkill kdc
We scoped it to machines with the new OS 10.14 build with a trigger for startup but also made it available via Self Service. So far, a single application of the script corrects the issue for all users with managed accounts and/or new users creating managed accounts via AD-login.
Many thanks to Croaker_1 at Mac Rumors for the script -- https://forums.macrumors.com/threads/mojave-security-update-2021-004.2297615/ and to the Jamf support team for helping us work through the issue!
If anyone else runs into this issue, I used the script above from @DWilliams.CheyMt and it worked for some users but not all. I found the use_kcminit line in the /etc/pam.d/login file as well so I had to add one line to that script and it seems to be working for more users now.
#!/bin/sh
# same as the script above, plus /etc/pam.d/login
sed -i '' "s/use_kcminit//" "/etc/pam.d/authorization"
sed -i '' "s/use_kcminit//" "/etc/pam.d/screensaver"
sed -i '' "s/use_kcminit//" "/etc/pam.d/login"
pkill coreauthd
pkill kcm
pkill kdc
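For anyone packaging this for a fleet, here is an added example (not one of the scripts posted above, and not from the macrumors thread) that does the same use_kcminit removal on the three PAM files named in this thread, but with the backup-and-rollback behaviour one reply describes: every file is copied before it is edited, a second run skips files already fixed, and a rollback command restores the originals. The backup location, the script name kcminit_workaround.sh and the apply/rollback command words are my assumptions, and the sample PAM stanzas written by make_sample_pam_dir are constructed for testing on a scratch directory rather than copied from a real Mac.

```shell
#!/bin/sh
# Added example, not a script from the thread: the use_kcminit workaround with a
# backup of every file it touches and a matching rollback. The three PAM files
# are the ones named in the thread; BACKUP_DIR and the apply/rollback command
# words are assumptions.
set -u

PAM_FILES="authorization screensaver login"

# apply_workaround PAM_DIR BACKUP_DIR
# Strips the use_kcminit option from each PAM file, saving a pristine copy to
# BACKUP_DIR first. Files that no longer contain the token are skipped, so the
# script is safe to run on every startup. Prints the number of files changed.
apply_workaround() {
    pam_dir="$1"; backup_dir="$2"; changed=0
    mkdir -p "$backup_dir"
    for name in $PAM_FILES; do
        f="$pam_dir/$name"
        [ -f "$f" ] || continue
        grep -q 'use_kcminit' "$f" || continue
        # keep the first backup; a later run must not overwrite it with an edited file
        [ -e "$backup_dir/$name" ] || cp -p "$f" "$backup_dir/$name"
        # rewrite through a temp file and cat back: keeps the PAM file's owner,
        # mode and inode, and sidesteps the BSD-vs-GNU "sed -i" syntax difference
        sed 's/[[:space:]]*use_kcminit//' "$f" > "$f.tmp" && cat "$f.tmp" > "$f"
        rm -f "$f.tmp"
        changed=$((changed + 1))
    done
    echo "$changed"
}

# rollback_workaround PAM_DIR BACKUP_DIR
# Restores every backed-up file in place. Prints the number restored.
rollback_workaround() {
    pam_dir="$1"; backup_dir="$2"; restored=0
    for name in $PAM_FILES; do
        [ -f "$backup_dir/$name" ] || continue
        cat "$backup_dir/$name" > "$pam_dir/$name" && restored=$((restored + 1))
    done
    echo "$restored"
}

# restart_kerberos_daemons: the same daemon bounce the thread's scripts do.
# pkill exits 1 when a daemon is not running, which is not an error here.
restart_kerberos_daemons() {
    pkill coreauthd; pkill kcm; pkill kdc
    return 0
}

# make_sample_pam_dir DIR: writes constructed PAM stanzas (not copied from a
# real machine) so the functions can be exercised on a scratch directory.
make_sample_pam_dir() {
    mkdir -p "$1"
    for name in $PAM_FILES; do
        printf 'auth       optional       pam_krb5.so use_first_pass use_kcminit\naccount    required       pam_opendirectory.so\n' > "$1/$name"
    done
}

# Usage: sudo ./kcminit_workaround.sh apply|rollback   (no argument: do nothing)
case "${1:-}" in
    apply)    apply_workaround /etc/pam.d "${BACKUP_DIR:-/var/root/pam.d-backup}"; restart_kerberos_daemons ;;
    rollback) rollback_workaround /etc/pam.d "${BACKUP_DIR:-/var/root/pam.d-backup}"; restart_kerberos_daemons ;;
esac
```

Scoping it to a startup trigger is still fine, since a run that finds nothing to change reports 0 and leaves the backups alone; the rollback path is what you want ready before pushing a policy to off-site machines you cannot easily get hands on.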