I've had a few cases now where making a typo in the password at the unlock screen while disconnected from the network will cause the system to get "stuck", and nothing but a hard restart or (if you can ssh in remotely) killing the window server to drop back to the login screen can get you out of that... But potentially you lose unsaved work.
 
Excellent idea, @CallMeDave. See the script below, which I've updated to both back up the files it changes and check the build number to confirm that the problematic update has been applied.

Hopefully this script is just to provide a temporary fix, and Apple patches the underlying issue soon.

https://github.com/RatVader/2021ADRepair/blob/main/2021ADRepair
Hi RatVader, do you have the script running at _every_ startup so it would check if Security Update has just been installed and if so, would apply a fix?
Or can you apply a fix to all 10.14.6 Macs, no matter if Security Update has been installed or not?
I've tested running the commands on clean 10.14.6 and then installing Security Update 2021-004 - didn't have any problem after update.
In the latter case you unnecessarily modify _all_ computers, once and for all, and don't have to run the script at _every_ startup on all of them.
 
I ran the script and still have to use the pkill command when my Apple Remote Desktop application will not remote a computer.
 
Anyone found a workaround for the unlock screen?
Either after locking my workstation from the Apple menu or after a timeout when the screensaver starts, I sometimes can't unlock my computer again. The lock screen takes input and then freezes there... The cancel button doesn't do anything and sleeping the machine doesn't help. Sometimes I can SSH in from my phone and 'sudo pkill kcm' will sometimes work, but not always (maybe a 1 in 3 chance).

No luck uninstalling... I would probably have to do a fresh OS install or restore from a CCC made clone.

Did send Apple feedback via this link, though not sure it will do much good since they are releasing a new OS soon...
 
That's interesting - today I restarted a 10.14.6 MacBook Air with cached Mojave Security Update 004 and this popped up:
[attached screenshot: Note.jpg]

Looks like Apple is blocking this update now on Macs joined to AD.
I've re-downloaded the standalone Security Update 2021-004 from Apple, but it's still the old version from May 20th.
 
Following up from my previous post. After doing some (a lot of) reading about Heimdal Kerberos, reports on the #MacAdmin Slack and a lot of trial and error, here is what I have discovered. The problem is definitely being caused by the credentials cache, more specifically the Heimdal kcm (credential cache server), and seems limited to machines bound to a directory (possibly only Active Directory) before Security Update 2021-004 got installed. It may also affect machines bound after the Security Update, but I have not tested that. I have not yet figured out exactly what is happening, but the end result is that updated machines are no longer able to access the credential cache, which consequently prevents any ticket action from taking place. I could only find two lines of interest from the logs, and you can see that they relate directly to cache config:

[attached screenshot of the two log lines]

The fix (well, really just a stop-gap measure until I can discover the actual cause) is to basically tell the OS to ignore cached Kerberos credentials for authorization (as well as screensaver). A shout out to @jojo on #MacAdmins for confirming my suspicions. To do this you will need to edit two system files (yours should look similar to these):

Code:
/etc/pam.d/authorization
    # authorization: auth account
    auth       optional       pam_krb5.so use_first_pass use_kcminit
    auth       optional       pam_ntlm.so use_first_pass
    auth       required       pam_opendirectory.so use_first_pass nullok
    account    required       pam_opendirectory.so

/etc/pam.d/screensaver
    # screensaver: auth account
    auth       optional       pam_krb5.so use_first_pass use_kcminit
    auth       required       pam_opendirectory.so use_first_pass nullok
    account    required       pam_opendirectory.so
    account    sufficient     pam_self.so
    account    required       pam_group.so no_warn group=admin,wheel fail_safe
    account    required       pam_group.so no_warn deny group=admin,wheel ruser fail_safe

Using your favorite text editor (sudo) remove use_kcminit from each file.

For good measure I also killed related processes:
Code:
sudo pkill coreauthd
sudo pkill kcm
sudo pkill kdc

In my testing this does not prevent remote users (those without connectivity to the domain controller) from logging into/unlocking their machines but I urge you to do your own testing before rolling it out.

I've also written a no-frills script to make it easy to deploy to users:
Bash:
#!/bin/bash
# The pam.d files are owned by root, so this must run as root (sudo).
if [ "$(id -u)" -ne 0 ]; then echo "Run this with sudo." >&2; exit 1; fi
# BSD (macOS) sed: -i '' edits in place without keeping a backup copy.
sed -i '' "s/use_kcminit//" "/etc/pam.d/authorization"
sed -i '' "s/use_kcminit//" "/etc/pam.d/screensaver"
# Restart the daemons that hold the cached Kerberos state.
pkill coreauthd
pkill kcm
pkill kdc
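Several replies in the thread ask how to run the fix safely and whether it can be re-run on machines that were already patched, so here is an added example (my own code, not the poster's or RatVader's script) of the same PAM edit done with a timestamped backup, an idempotency check and a post-edit verification. It takes the file paths as arguments, so it can be tried on copies of the two files before touching /etc/pam.d; the function names, the backup suffix and the `restart_auth_daemons` helper are my own choices. A temp file plus `mv` replaces `sed -i`, whose syntax differs between the BSD sed on macOS and GNU sed.

```shell
#!/bin/sh
# Added example (not the thread's script): strip the use_kcminit option from
# the PAM stack files named on the command line, keeping a timestamped backup
# of every file that is actually changed and verifying the result afterwards.
set -eu

# strip_kcminit FILE
#   returns 0 if FILE was rewritten, 1 if it had no use_kcminit, 2 if missing
strip_kcminit() {
    file=$1
    [ -f "$file" ] || return 2
    grep -q 'use_kcminit' "$file" || return 1
    stamp=$(date +%Y%m%d%H%M%S)
    cp -p "$file" "$file.bak.$stamp"          # backup keeps mode and mtime
    tmp=$(mktemp "$file.XXXXXX")
    # Remove the option together with the blanks before it, so the remaining
    # options on the pam_krb5.so line stay single-spaced.
    sed 's/[[:blank:]]*use_kcminit//' "$file" > "$tmp"
    chmod 644 "$tmp"                           # pam.d files are mode 0644
    mv "$tmp" "$file"
    return 0
}

# verify_clean FILE: returns 0 when no use_kcminit token remains in FILE
verify_clean() {
    ! grep -q 'use_kcminit' "$1"
}

# Restart the daemons that hold cached credential state (the same three the
# poster kills). Only called when a file actually changed.
restart_auth_daemons() {
    for p in coreauthd kcm kdc; do
        pkill "$p" 2>/dev/null || true
    done
}

# Usage: sudo sh fix_kcminit.sh /etc/pam.d/authorization /etc/pam.d/screensaver
if [ $# -eq 0 ]; then
    echo "usage: $0 PAMFILE..." >&2
else
    changed=0
    for f in "$@"; do
        strip_kcminit "$f" && rc=0 || rc=$?
        case $rc in
            0) verify_clean "$f" && echo "fixed: $f (backup kept)" \
                   || { echo "still contains use_kcminit: $f" >&2; exit 1; }
               changed=1 ;;
            1) echo "unchanged (option not present): $f" ;;
            2) echo "missing: $f" >&2 ;;
        esac
    done
    [ "$changed" -eq 1 ] && restart_auth_daemons
fi
```

Because a file without the option is reported as unchanged and left alone, the script can be pushed to a whole fleet or re-run after each update without stacking up backups on machines that were already fixed, and the `.bak.<timestamp>` copy is what you restore once Apple ships a corrected update.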
Hello, this might sound silly, but how do you run this script? I tried using Terminal but I get permission denied/operation not permitted. Thanks
 

[attached screenshot: Screen Shot 2021-07-05 at 10.18.39 PM.jpg]
Thanks a lot "Dacc1234", that did the trick. Extra thanks to the brilliant ones who found the bug and created the script to fix it. Much easier than reloading the OS.
 
Hi RatVader, do you have the script running at _every_ startup so it would check if Security Update has just been installed and if so, would apply a fix?
Or can you apply a fix to all 10.14.6 Macs, no matter if Security Update has been installed or not?
I've tested running the commands on clean 10.14.6 and then installing Security Update 2021-004 - didn't have any problem after update.
In the latter case you unnecessarily modify _all_ computers, once and for all, and don't have to run the script at _every_ startup on all of them.
Hey @m4ctech, This particular script was optimized primarily for deployment via Munki and to run as-needed on computers exhibiting AD auth issues in our fleet. I wrote it to not disable credential caching on machines that weren't exhibiting the issue, as there are benefits to using the cache. The method you've described will certainly work, however, as the update doesn't modify the /etc/pam.d/authorization or /etc/pam.d/screensaver files.
 
I ran the script and still have to use the pkill command when my Apple Remote Desktop application will not remote a computer.
Hello @dacc1234, I've noticed that the pkilling doesn't always refresh everything that seems to need refreshing, so I always reboot after running the script.
 