Kerberos/SSO hanging with Mojave Security Update 2021-004

alexjdale
Valued Contributor III

Just a heads up, we started experiencing SSO issues with systems that had upgraded to build 18G9216 this week. Many of our devices that are bound to Active Directory started experiencing hangs during Kerberos actions (visiting internal SSO-enabled sites, or running klist/kdestroy).

We applied a workaround as found here, which has been successful in limited testing: https://forums.macrumors.com/threads/mojave-security-update-2021-004.2297615/

I have a case open with Apple with no response yet.


nvts
New Contributor II

We have started to upgrade users to Big Sur, but will test this fix on the next couple users. Are you pushing a payload-less policy with pipes as separators? I wouldn't be able to push a script, since our file share cannot be mounted due to this bug.

Thanks

alexjdale
Valued Contributor III

No, I pushed a modified version of the script from that page, including capturing a backup of each file before modifying (and creating a rollback version to replace the files later). But you shouldn't need a file share for a script, since they are just downloaded from the web server nowadays, unless you're doing something very different than we are.

I hadn't even thought about file shares to be honest, we use scripts to download packages from our Azure CDN and don't use file shares much anymore. But yeah, SMB file shares would leverage Kerberos authentication.

ianatkinson
Contributor

We are seeing this as well today. It seems to have been caused by the update 'macOS Mojave Security Update 2021-004-10.14.6' and affects in our case AD bound computers with mobile accounts turned on.

Weirdly it only seems to affect computers that are on the network though, in testing it seems if you're off site and using the cached credentials (i.e. all our at-home staff) it's OK but if you have the cache and the machine can see the domain then it hangs.

The fix from the MacRumors thread about removing use_kcminit from those two files works but I'm unsure exactly what that is achieving. Having applied it to a test laptop it seems to fix the issue without breaking the use of the cached login as my main fear is putting a policy in place which suddenly renders all our off site kit useless.

mschroder
Valued Contributor

Strange thing is that it only appears to affect Macs that are AD bound. On devices that are not AD bound I see no problems with Kerberos. On the AD bound test Mac even a simple 'klist' gets stuck :(

hansjoerg_watzl
Contributor II

Since this week we also see issues with our Mojave Macs (AD bound, mobile accounts), when they are connected to our corporate network (VPN or WiFi in the office). klist just gets stuck, even after a fresh reboot and Internet only.
It seems they also have installed the 2021-004 update!

isThisThing0n
Contributor

We are also seeing this and have also implemented the workaround: https://forums.macrumors.com/threads/mojave-security-update-2021-004.2297615/

We just made it a self service policy to run if needed.

This was the push we needed to get users to upgrade to Big Sur. Blessing in disguise!

DWilliams-cmsd
New Contributor III

Same problem here -- failed login on AD-bound machines running Mojave that had taken update 2021-004 (build 18G9216). We are keeping part of our fleet on Mojave for one last year while we move users from their old 32-bit apps to alternatives, so an immediate OS upgrade was not an option for all of our machines.

We have successfully tested and deployed the following short script:

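#!/bin/bash
# Remove the use_kcminit option from the PAM configuration files
sed -i '' "s/use_kcminit//" "/etc/pam.d/authorization"
sed -i '' "s/use_kcminit//" "/etc/pam.d/screensaver"
# Stop the running coreauthd, kcm and kdc processes
pkill coreauthd
pkill kcm
pkill kdc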

We scoped it to machines with the new OS 10.14 build with a trigger for startup but also made it available via Self Service. So far, a single application of the script corrects the issue for all users with managed accounts and/or new users creating managed accounts via AD-login.

Many thanks to Croaker_1 at Mac Rumors for the script -- https://forums.macrumors.com/threads/mojave-security-update-2021-004.2297615/ and to the Jamf support team for helping us work through the issue!

iRyan417
New Contributor

If anyone else runs into this issue, I used the script above from @DWilliams.CheyMt and it worked for some users but not all. I found the use_kcminit line in the /etc/pam.d/login file as well so I had to add one line to that script and it seems to be working for more users now.

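#!/bin/sh
# Remove the use_kcminit option from the PAM configuration files
sed -i '' "s/use_kcminit//" "/etc/pam.d/authorization"
sed -i '' "s/use_kcminit//" "/etc/pam.d/screensaver"
sed -i '' "s/use_kcminit//" "/etc/pam.d/login"
# Stop the running coreauthd, kcm and kdc processes
pkill coreauthd
pkill kcm
pkill kdc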
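
An added example, not posted by anyone in this thread: a sketch of the backup-and-rollback approach alexjdale describes, which also scans the whole PAM directory so a file such as /etc/pam.d/login is not missed. The function names, the backup location and the `--apply`/`--rollback` switches are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Directory defaults are assumptions.
PAM_DIR="${PAM_DIR:-/etc/pam.d}"
BACKUP_DIR="${BACKUP_DIR:-/var/root/pam_kcminit_backup}"  # hypothetical path

# Strip use_kcminit from every file in $1 that contains it, saving an
# untouched copy in $2 first. Prints the number of files changed.
remove_kcminit() {
    rk_changed=0
    mkdir -p "$2" || return 1
    for rk_file in "$1"/*; do
        [ -f "$rk_file" ] || continue
        grep -q 'use_kcminit' "$rk_file" || continue
        rk_copy="$2/$(basename "$rk_file")"
        # Never overwrite an earlier backup: it holds the pristine file.
        [ -e "$rk_copy" ] || cp -p "$rk_file" "$rk_copy" || return 1
        rk_tmp=$(mktemp) || return 1
        # Write back through cat so the PAM file keeps its owner and mode.
        sed 's/[[:space:]]*use_kcminit//g' "$rk_file" > "$rk_tmp" &&
            cat "$rk_tmp" > "$rk_file" || { rm -f "$rk_tmp"; return 1; }
        rm -f "$rk_tmp"
        rk_changed=$((rk_changed + 1))
    done
    echo "$rk_changed"
}

# Copy every backed-up file in $2 over its counterpart in $1.
# Prints the number of files restored.
restore_kcminit() {
    rs_restored=0
    for rs_copy in "$2"/*; do
        [ -f "$rs_copy" ] || continue
        cat "$rs_copy" > "$1/$(basename "$rs_copy")" || return 1
        rs_restored=$((rs_restored + 1))
    done
    echo "$rs_restored"
}

# Nothing runs unless a mode is given, so the file can be sourced safely.
case "${1:-}" in
    --apply)    remove_kcminit "$PAM_DIR" "$BACKUP_DIR" ;;
    --rollback) restore_kcminit "$PAM_DIR" "$BACKUP_DIR" ;;
esac
```

Run it as root with `--apply` or `--rollback`. The scripts posted in this thread additionally pkill coreauthd, kcm and kdc after editing the files.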

Strannik
New Contributor III

RatVader posted a nice script on GitHub to fix the Mojave and Catalina Security Update issue.
There is also another script to reverse the changes made by first script.
See it here: https://github.com/RatVader/2021ADRepair

MrRoboto
Contributor III

Is this also an issue for Security Update 2021-003 Catalina?

sdagley
Esteemed Contributor II

@MrRoboto No, it's a Mojave specific issue

MrRoboto
Contributor III

@sdagley That is my understanding also. Do you know why RatVader's script mentions Catalina?

sdagley
Esteemed Contributor II

@MrRoboto The Heimdal library was updated in both the Mojave and Catalina Security Updates, but the problem only seems to occur on Mojave as I've never seen a report of a problem on Catalina.

lmrosbro
New Contributor III

Hi, has anyone tested the new security update that just dropped today? 2021-005? 

lmrosbro
New Contributor III

2021-005 seems to have fixed the issue.