Mojave Security Update 2021-004

[Dragao75]

We are also having issues with kerberos after the security update.
I have run the script which removes the kmc_init from the pam files. but now there is no kerberos login on the fileserver. (pre update the connection was automatically made.)

When a user is now connecting to an samba server he/she needs to enter his/her password (which is accepted if correct)

is this expected behaviour?

has anyone checked to see if it is not just some weird access right issue ? (access to the heimdal cache / daemon)
It feels like it is that simple...

 

[Gregg2]

This bug only affects machine bound to Active Directory (i.e. within a company, school, organization, etc.)

Ah, good! I didn't understand the definition I found.

 

[MarkC426]

Installed no problems on cMP 5.1.

 

[RatVader]

Ah...thanks for the feedback. I was not able to find an unpatched machine to test this on. I had assumed (silly me) that the background (&) called the command (klist) but maybe it is the other way around. I'll do some reading and testing: if there is a better way I'll post more info here.

I was able to get this working by killing the process inside the subshell that assigns it to the $precheck variable:

precheck="$(klist 2>&1 & sleep 2; pkill klist)"

if [[ $precheck ]]; then
  echo "klist success"
  echo "All good. Patch not required"
  exit 0
else
  echo "klist fail"
  echo "Patch is required. Keep going..."
fi

 

[RatVader]

I was able to get this working by killing the process inside the subshell that assigns it to the $precheck variable:

precheck="$(klist 2>&1 & sleep 2; pkill klist)"

if [[ $precheck ]]; then
  echo "klist success"
  echo "All good. Patch not required"
  exit 0
else
  echo "klist fail"
  echo "Patch is required. Keep going..."
fi

My full script is below, taken from @croaker_1's V1.2 script, and modified with @prbsparx's precheck idea (along with my tweak to allow the check to complete on affected machines, plus a check to confirm the script is running as root). We'll be pushing this out as a postinstall script in a .pkg through Munki to our machines this afternoon.

#!/bin/bash
# Mojave Security Update 2021-004 Kerberos hang fix/workaround
# Stops processes from hanging during Kerberos authentication on Active Directory bound machines
# Credit to @croaker_1, @prbsparx, and @RatVader on the MacRumors forum:
# https://forums.macrumors.com/threads/mojave-security-update-2021-004.2297615/?post=29938447#post-29938447

# Insure script is running as root
if [ "$(id -u)" != "0" ]; then
  echo "This script MUST be run as root" && exit 1
fi

precheck="$(klist 2>&1 & sleep 2; kill $! 2>&1)"

if [[ $precheck ]]; then
  echo "klist success"
  echo "All good. Patch not required"
  exit 0
else
  echo "klist fail"
  ## kill backgrounded klist because it is likely to be stuck
  pkill klist
  echo "Patch is required. Keep going..."
fi

echo "Running pam.d fix"
## remove use_kcminit entry from pam.d authorization and screensaver
if [[ -f /etc/pam.d/authorization ]]; then
  echo "Processing /etc/pam.d/authorization"
  sed -i '' "s/use_kcminit//" "/etc/pam.d/authorization"
else
  echo "/etc/pam.d/authorization not found"
  echo "Patch failed"
  exit 1
fi

if [[ -f /etc/pam.d/screensaver ]]; then
  echo "Processing /etc/pam.d/screensaver"
  sed -i '' "s/use_kcminit//" "/etc/pam.d/screensaver"
else
  echo "/etc/pam.d/screensaver not found"
  echo "Patch failed"
  exit 2
fi

# kill related processes
echo "Killing related processes"
pkill coreauthd kcm kdc

 

[TheIntruder]

Anyone have an inkling if Apple is going to issue a patch for this? Not wise to anger your enterprise customers.

And since they still haven't posted the stand alone download pkg, I guess they don't have to pull and re-issue it like they've done before.

 

[prbsparx]

This bug only affects machine bound to Active Directory (i.e. within a company, school, organization, etc.)

I disagree with this. We do not bind Macs to AD at my current work. But we see this issue as well.
If you are bound to AD or your pam.d files include `use_kcminit` or `default_principal` you are likely to see this.

 

[CallMeDave]

My full script is below, taken from @croaker_1's V1.2 script, and modified with @prbsparx's precheck idea (along with my tweak to allow the check to complete on affected machines, plus a check to confirm the script is running as root).

I ran this on one machine. The screen now unlocks, but it takes 30-45 seconds.

Better than force restarting, but not a good long term fix!

Much appreciation to the hard work put in here so far.

 

[chrfr]

Anyone have an inkling if Apple is going to issue a patch for this? Not wise to anger your enterprise customers.

And since they still haven't posted the stand alone download pkg, I guess they don't have to pull and re-issue it like they've done before.

The standalone package is now available but not linked off the main downloads page: https://support.apple.com/kb/DL2074
The package it includes was built May 20 so it doesn't have any fixes related to this problem.

 

[CallMeDave]

I heard back from my customer, and after restart they note that initial login in takes 30-45 seconds now.

@RatVader perhaps you can add backups of /etc/pam.d/screensaver and /etc/pam.d/authorization before writing changes, to allow clean roll-back...?

 

[avz]

The standalone package is now available but not linked off the main downloads page: https://support.apple.com/kb/DL2074
The package it includes was built May 20 so it doesn't have any fixes related to this problem.

Would somebody be able to post a direct link as iOS only gives an option to email? It is more convenient for me to download it with iPhone.

 

[avz]

Would somebody be able to post a direct link as iOS only gives an option to email? It is more convenient for me to download it with iPhone.

All I had to do is request a desktop version of a page. Easy enough.

 

[permanentmacdabbler]

Installed no problems on cMP 5.1.

Same here on cMP 4,1 flashed to 5,1. It took longer than the previous update (003) which was just like the usual NVMe slightly longer boot time whereas this took nearly 10mins which made me panic but everything is fine so far.

 

[ctwine]

Hi there, we have jsut deployed the script, and it's working again. Thanks
But we have an other problem now... Google Drive is not working since then, it want's a new authorzation, which it does. But then does not start. Using latest version of Google Drive. Anyone with the same issue?

 

[davidlv]

Hi there, we have jsut deployed the script, and it's working again. Thanks
But we have an other problem now... Google Drive is not working since then, it want's a new authorzation, which it does. But then does not start. Using latest version of Google Drive. Anyone with the same issue?

Apple just posted the update as a download.
Does this repair the issue?

Security Update 2021-004 (Mojave) - Apple Support

macOS Mojave Security Update 2021-004 is recommended for all users and improves the security of macOS.

support.apple.com

 

[RatVader]

I heard back from my customer, and after restart they note that initial login in takes 30-45 seconds now.

@RatVader perhaps you can add backups of /etc/pam.d/screensaver and /etc/pam.d/authorization before writing changes, to allow clean roll-back...?

Excellent idea, @CallMeDave. See the below script that I've updated to include both backing up the files it changes and checking the build number to confirm that the problematic update has been applied.

Hopefully this script is just to provide a temporary fix, and Apple patches the underlying issue soon.

https://github.com/RatVader/2021ADRepair/blob/main/2021ADRepair

 

[CallMeDave]

My company has an enterprise ticket open, and Apple has acknowledged the issue.
But they've made no promises. So be hopeful, but be prepared to be disappointed.

 

[chrfr]

Apple just posted the update as a download.
Does this repair the issue?

Security Update 2021-004 (Mojave) - Apple Support

macOS Mojave Security Update 2021-004 is recommended for all users and improves the security of macOS.

support.apple.com

It does not solve the problem. The updater contains an installer package that was built on May 20.

 

[howdytom]

I have successfully installed the macOS Mojave Security Update 2021-004 on a MacPro5,1. It’s been running fine since 5 days without any issues.

 

[FarmerBob]

Good to go the day it came out on a 3,1. The 2020-006 SecUpdt was the only update that I did not have to fiddle with. But that was during the Apple Safari 14.0 debacle. It loaded without alteration. I have found that as long as you have the base 10.14.6, 18G103 last full install, you can update directly to the latest SecUpdt. I went to 2021-004 directly. After reinstalling, or over installing the base patched install.

 

[neilr]

Thanks so much for this info. Was driving me nuts. I just edited the files manually. MacPro 5,1. But had to kill the processes. Worked until next day, pkill to the rescue.

My system NOT bound to AD, but I access Windows desktop remotely using VPN and running RDP. RDP would not authenticate w/o this - stuck on “configuring PC”. Also affected was MS outlook/mac - The account setting agent automagically discovers the inside server address when the VPN has been on (even when initially pointed at the external address) - so outlook would also hang and not update messages.

UPDATE: I have to kill kcm & kdc once a day or so to restore connectivity even to other macs on my home net. Arrghh -

 

[FarmerBob]

Thanks so much for this info. Was driving me nuts. I just edited the files manually. MacPro 5,1. But had to kill the processes. Worked until next day, pkill to the rescue.

My system NOT bound to AD, but I access Windows desktop remotely using VPN and running RDP. RDP would not authenticate w/o this - stuck on “configuring PC”. Also affected was MS outlook/mac - The account setting agent automagically discovers the inside server address when the VPN has been on (even when initially pointed at the external address) - so outlook would also hang and not update messages.

UPDATE: I have to kill kcm & kdc once a day or so to restore connectivity even to other macs on my home net. Arrghh -

If you haven't gotten this fixed yet. Try "SilentKnight". It's a bit of a full gamut necessities updater. That's how I went to 2021-004 with out messing it the check code.

 

[neilr]

If you haven't gotten this fixed yet. Try "SilentKnight". It's a bit of a full gamut necessities updater. That's how I went to 2021-004 with out messing it the check code.

Thanks - however my problem is that I did install 2021-004 - that’s what broke Kerberos/AD - uninstalling it would be handy but I don’t think its doable

 

[andrit]

Following up from my previous post. After doing some (a lot of) reading about Heimdal Kerberos, reports on the #MacAdmin Slack and a lot of trial and error here is what I have discovered. The problem is definitely being caused by the credentials cache, more specifically the Heimdal kcm (credential cache server) and seems limited to machines bound to a directory (possibly only Active Directory) before Security Update 2021-004 got installed. It may also affect machines bound after the Security Update but I have not tested that. I have not yet figured out exactly what is happening but the end result is that updated machines are no longer able to access the credential cache; which consequently prevents any ticket action from taking place. I could only find two lines of interest form the logs and you can see that they relate directly to cache config:

View attachment 1782147

The fix (well, really just a stop-gap measure until I can discover the actual cause) is to basically tell the OS to ignore cached Kerberos credentials for authorization (as well as screensaver). A shout out to @jojo on #MacAdmins for confirming my suspicions. To do this you will need to edit two system files (yours should look similar to these):

/etc/pam.d/authorization
    # authorization: auth account
    auth       optional       pam_krb5.so use_first_pass use_kcminit
    auth       optional       pam_ntlm.so use_first_pass
    auth       required       pam_opendirectory.so use_first_pass nullok
    account    required       pam_opendirectory.so

/etc/pam.d/screensaver
    # screensaver: auth account
    auth       optional       pam_krb5.so use_first_pass use_kcminit
    auth       required       pam_opendirectory.so use_first_pass nullok
    account    required       pam_opendirectory.so
    account    sufficient     pam_self.so
    account    required       pam_group.so no_warn group=admin,wheel fail_safe
    account    required       pam_group.so no_warn deny group=admin,wheel ruser fail_safe

Using your favorite text editor (sudo) remove use_kcminit from each file.

For good measure I also killed related processes:

sudo pkill coreauthd
sudo pkill kcm
sudo pkill kdc

In my testing this does not prevent remote users (those without connectivity to the domain controller) from logging into/unlocking their machines but I urge you to do your own testing before rolling it out.

I've also written a no-frills script to make it easy to deploy to users:

#!/bin/bash
sed -i '' "s/use_kcminit//" "/etc/pam.d/authorization"
sed -i '' "s/use_kcminit//" "/etc/pam.d/screensaver"
pkill coreauthd
pkill kcm
pkill kdc

This fixed my problem. I only had to reboot to make it work on the permanent basis. Thanks!

 

[DRizzo]

No restart was required on our side. We pushed the script through our JAMF cloud. We have over 500 Mojave Macs.

You made my day! Thanks again!
Martin

Hi Martin (and others),

I'm attempting to run this in Jamf as a Self-Service item. The script fixes the issue but creates errors every time. Have you seen these errors? If so, were you able to suppress them? Thanks,