Jamf Nation Community

Yea, I assume that same thing also but I've been using my Mac since 10.7 and have run into this issue randomly as Apple released new stable builds. I would just come into work one day and not be able to login to my machine, so I reimaging would be the only way to get access to my Mac again.

Others have mentioned it's an issue with AD, but since Local accounts and root are unable to login either, I can't only point the finger a bad AD bind causing this much havoc.

For us it appears that any packages that write to /private cause this to happen. We did narrow it down to some legacy print drivers, Adobe products, and a webex client.

Recreating the packages fixed it in most cases. However with the Adobe Master's Collection, I converted to source, removed the files in /private and the rebuilt the dmg file.

We saw this here today and were working with it too. It looks like if the '/private/var/audit/current' symlink is overwritten by a file, users may not be allowed to login. The symlink seems to be recreated on startup, so moving the bad file out of the way and rebooting allows users to login again.
Something like this in a startup policy is fixing it here:

mv /private/var/audit/current /private/var/audit/current.bak

Then add a 'Reboot Immediately' to the startup policy, so the Mac reboots and the symlink gets recreated. That seems to fix it (on 10.7.2); interested to hear if that works in other environments.

I just removed the /private folder from my Acrobat install package. It installed and did not break my 10.7.2 install. It looks like you guys have found the fix. Thanks guys!

Thanks Cam! I removed /private/var/audit/current
from a misbehaving package and it now deploys properly.

So after removing or renaming this /private/var/audit/current file is it fixed permanently or does this need to be run at every reboot?

Thanks a ton guys this works for us as well. We have been fighting with this issue for some time now. Apple's solution had been to reinstall the entire OS.

Ok well it works.. but it comes back on its own randomly. Setting up a policy to check for and remove that file every 5.

if it's coming back, then you have some package that was created on 10.6.x that included it and is probably being installed via policy. go through your current packages (if it's anything like ours, it's a very time consuming process) and ensure the file is removed from your original package, then you don't need the script.

I found it in several of our packages.. now that they are removed I haven't had an issue.

Are these packages being built using the snapshotting features using Composer?

I routinely see the /private/var/audit directory modified when building packages. I always remove it from the given package I'm building and have never had a problem installing said package without that directory, and it's modified files, being included.

I was having this trouble too. I found going through all my packages individually tedious and it being summer holidays here I made use of a lab I had just imaged with only a base image. I had narrowed down the problem to 11 packages so I made a policy for each package and applied each policy to a seperate machine. Within 20 minutes I knew which package was causing the problem and was bale to fix it. Much quicker than opening each package individually and picking through its innards.

It was this thread which put me onto the solution to the problem, so thanks to all who contributed.

Regards

Lincoln