Originally published at: Security Update 2021-003 Catalina and 2021-004 Mojave - TidBITS
Patches security vulnerabilities in Catalina and Mojave. (Free, various sizes, macOS 10.15.7 and 10.14.6)
WARNING!!!
Mojave Security Update 2021-004 breaks Kerberos! If you are bound to Active Directory using a Mobile AD account then you will have a very bad day.
- System Prefs Unlock Hangs
- SMB / AFP Shares will hang
- Screen cannot be unlocked; force reboot required
- Azure login may not work.
- NoMAD won’t load.
I was able to create a workaround that should work until Apple releases a fix. I recommend you back up any files you make changes to prior to saving your work. Please follow these few easy steps below.
Please update at your own RISK. These issues were resolved for me on two different workstations but I cannot guarantee that they will work the same for you.
1. Open up the following two files (/etc/pam.d/authorization and /etc/pam.d/screensaver) in your favorite text editor. You may need to open it as an admin. I suggest using nano via terminal. Open a terminal and enter sudo nano /filepath/filename
2. Now remove the "use_kcminit" from each file and then save the file.
/etc/pam.d/authorization
# authorization: auth account
auth optional pam_krb5.so use_first_pass **use_kcminit**
auth optional pam_ntlm.so use_first_pass
auth required pam_opendirectory.so use_first_pass nullok
account required pam_opendirectory.so
/etc/pam.d/screensaver
# screensaver: auth account
auth optional pam_krb5.so use_first_pass **use_kcminit**
auth required pam_opendirectory.so use_first_pass nullok
account required pam_opendirectory.so
account sufficient pam_self.so
account required pam_group.so no_warn group=admin,wheel fail_safe
account required pam_group.so no_warn deny group=admin,wheel ruser fail_safe
3. Once you have removed the entries you will need to reboot your Mac.
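The edit from steps 1 and 2, as an added example that is not part of the original post: a shell function that backs up a PAM file once and deletes only the use_kcminit keyword from its pam_krb5.so line. The function name strip_kcminit, the .orig backup suffix and the sample file are assumptions made for this example; on a real Mac it would be run as root against the two files named in step 1, followed by the reboot in step 3.

```shell
#!/bin/sh
# Added example, not from the original post: steps 1-2 as a repeatable edit.
# strip_kcminit FILE -> 0 = option removed, 1 = nothing to remove, 2 = error.
strip_kcminit() {
    f=$1
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 2; }
    # Only act when an uncommented pam_krb5.so line carries the option.
    grep -Eq '^[^#]*pam_krb5\.so.*[[:space:]]use_kcminit([[:space:]]|$)' "$f" || return 1
    # Keep the first backup; a rerun must not overwrite it with edited content.
    [ -e "$f.orig" ] || cp -p "$f" "$f.orig" || return 2
    tmp=$(mktemp) || return 2
    # Delete just the keyword; the rest of the line stays.
    sed -E '/^[^#]*pam_krb5\.so/ s/[[:space:]]+use_kcminit([[:space:]]|$)/\1/' \
        "$f" > "$tmp" || { rm -f "$tmp"; return 2; }
    # Write back with cat so the file keeps its owner and permissions.
    cat "$tmp" > "$f"; rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || return 2
}

# Constructed sample modelled on the screensaver listing in the post.
demo_dir=$(mktemp -d)
cat > "$demo_dir/screensaver" <<'EOF'
# screensaver: auth account
auth optional pam_krb5.so use_first_pass use_kcminit
auth required pam_opendirectory.so use_first_pass nullok
account required pam_opendirectory.so
EOF
if strip_kcminit "$demo_dir/screensaver"; then
    # Show the one-line difference between the backup and the edited file.
    diff "$demo_dir/screensaver.orig" "$demo_dir/screensaver" || true
fi
rm -rf "$demo_dir"
```

Backing out the workaround later is a matter of copying each .orig file over its edited counterpart.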
Wow, @mashedgear - thank you VERY much for that fix!
This was causing me headaches, locking up a remote machine I use for work, which meant having to ssh in to do a forced restart.
One point: It looks like the formatting in your post marked the words “optional” in bold, and there are extraneous asterisks around the “use_kcminit” keyword in your post. So, if anyone else is confused, the instructions are to open each of those files, delete just that keyword (use_kcminit) at the end of the line, keeping the rest of the line.
Very useful workaround!
Made an account just to thank you. Thanks for saving the headaches! This solves all the login issues freezing/hanging, etc. Much appreciated. Works as of 6/25/2021 on Mojave after the update.
Just like litePenguines, signed up for this site for thanking. Also could you please elaborate a bit on what are the purposes of those files and the meaning of parameters used in them that we removed. Thanks again…
It’s a trend: I too signed up just to say thank you. After a few weeks, it finally got to be too big a pain to put up with, and yours was the second article I found. You’ve also saved me a lot of headaches. THANKS!
Does Security Update 2021-005 Mojave fix this issue? I had to reinstall to go back to 2021-003 and am now too scared to do any further updates to my Mojave system.
I heard from some Enterprise IT’s that it does and they were trying to remember how to back out of the workarounds that they used.