Just a heads up, we started experiencing SSO issues with systems that had upgraded to build 18G9216 this week. Many of our devices that are bound to Active Directory started experiencing hangs during Kerberos actions (visiting internal SSO-enabled sites, or running klist/kdestroy).
We applied a workaround as found here, which has been successful in limited testing: https://forums.macrumors.com/threads/mojave-security-update-2021-004.2297615/
I have a case open with Apple with no response yet.
No, I pushed a modified version of the script from that page, including capturing a backup of each file before modifying (and creating a rollback version to replace the files later). But you shouldn't need a file share for a script, since they are just downloaded from the web server nowadays, unless you're doing something very different than we are.
I hadn't even thought about file shares to be honest, we use scripts to download packages from our Azure CDN and don't use file shares much anymore. But yeah, SMB file shares would leverage Kerberos authentication.
We are seeing this as well today. It seems to have been caused by the update 'macOS Mojave Security Update 2021-004-10.14.6' and affects in our case AD bound computers with mobile accounts turned on.
Weirdly it only seems to affect computers that are on the network though, in testing it seems if you're off site and using the cached credentials (i.e. all our at-home staff) it's OK but if you have the cache and the machine can see the domain then it hangs.
The fix from the MacRumors thread about removing use_kcminit from those two files works but I'm unsure exactly what that is achieving. Having applied it to a test laptop it seems to fix the issue without breaking the use of the cached login as my main fear is putting a policy in place which suddenly renders all our off site kit useless.
Same problem here -- failed login on AD-bound machines running Mojave that had taken update 2021-004 (build 18G9216). We are keeping part of our fleet on Mojave for one last year while we move users from their old 32-bit apps to alternatives, so an immediate OS upgrade was not an option for all of our machines.
We have successfully tested and deployed the following short script:
```bash
#!/bin/bash
sed -i '' "s/use_kcminit//" "/etc/pam.d/authorization"
sed -i '' "s/use_kcminit//" "/etc/pam.d/screensaver"
pkill coreauthd
pkill kcm
pkill kdc
```
We scoped it to machines with the new OS 10.14 build with a trigger for startup but also made it available via Self Service. So far, a single application of the script corrects the issue for all users with managed accounts and/or new users creating managed accounts via AD-login.
Many thanks to Croaker_1 at Mac Rumors for the script -- https://forums.macrumors.com/threads/mojave-security-update-2021-004.2297615/ and to the Jamf support team for helping us work through the issue!
If anyone else runs into this issue, I used the script above from @DWilliams.CheyMt and it worked for some users but not all. I found the use_kcminit line in the /etc/pam.d/login file as well so I had to add one line to that script and it seems to be working for more users now.
```sh
#!/bin/sh
sed -i '' "s/use_kcminit//" "/etc/pam.d/authorization"
sed -i '' "s/use_kcminit//" "/etc/pam.d/screensaver"
sed -i '' "s/use_kcminit//" "/etc/pam.d/login"
pkill coreauthd
pkill kcm
pkill kdc
```
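The backup-and-rollback variant mentioned earlier in the thread was not posted; the following is an added example of that approach covering the three PAM files named above, not the script any poster deployed. The backup suffix, the function names and the `apply`/`rollback` arguments are assumptions made for illustration.

```bash
#!/bin/bash
# Added example, not the script from the thread. The backup suffix and the
# "apply"/"rollback" arguments are assumptions made for illustration.
PAM_FILES="authorization screensaver login"
BACKUP_SUFFIX=".pre-kcminit"

# strip_kcminit [DIR]: back up each listed file that still contains the
# option, then remove the option. Safe to run more than once.
strip_kcminit() {
    dir="${1:-/etc/pam.d}"
    for name in $PAM_FILES; do
        f="$dir/$name"
        [ -f "$f" ] || continue
        grep -q 'use_kcminit' "$f" || continue   # already clean
        # Never overwrite an existing backup with an already-edited file.
        [ -e "$f$BACKUP_SUFFIX" ] || cp -p "$f" "$f$BACKUP_SUFFIX" || return 1
        tmp="$(mktemp "${TMPDIR:-/tmp}/kcminit.XXXXXX")" || return 1
        # Portable alternative to BSD-only `sed -i ''`; also drops the
        # whitespace in front of the option.
        if sed 's/[[:space:]]*use_kcminit//g' "$f" > "$tmp"; then
            cat "$tmp" > "$f"                    # keeps owner and mode of $f
        else
            rm -f "$tmp"
            return 1
        fi
        rm -f "$tmp"
    done
    return 0
}

# rollback_kcminit [DIR]: restore every file that has a backup.
rollback_kcminit() {
    dir="${1:-/etc/pam.d}"
    for name in $PAM_FILES; do
        f="$dir/$name"
        [ -f "$f$BACKUP_SUFFIX" ] || continue
        cp -p "$f$BACKUP_SUFFIX" "$f" && rm -f "$f$BACKUP_SUFFIX"
    done
    return 0
}

# Nothing is changed unless an action is named on the command line.
case "${1:-}" in
    apply)    strip_kcminit && { pkill coreauthd; pkill kcm; pkill kdc; } ;;
    rollback) rollback_kcminit && { pkill coreauthd; pkill kcm; pkill kdc; } ;;
esac
```

Run as root with `apply` to make the change and `rollback` to restore the saved files; with no argument the script only defines the functions.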