Security Update 2021-003 Catalina and 2021-004 Mojave

agen · May 26, 2021, 6:15pm

Originally published at: Security Update 2021-003 Catalina and 2021-004 Mojave - TidBITS

Patches security vulnerabilities in Catalina and Mojave. (Free, various sizes, macOS 10.15.7 and 10.14.6)

stottm · May 26, 2021, 8:44pm

WARNING!!!

Mojave Security Update 2021-004 breaks Kerberos! If you are bound to Active Directory using a Mobile AD account then you will have a very bad day.

System Prefs Unlock Hangs
SMB / AFP Shares will hang
Screen cannot be unlocked force reboot required
Azure login may not work.
NoMAD won’t load.

mashedgear · May 27, 2021, 12:06pm

I was able to create a workaround that should work until Apple releases a fix. I recommend you back up any files you make changes to prior to saving your work. Please follow these few easy steps below.
Please update at your own RISK. These issues were resolved for me on two different workstations but I cannot guarantee that they will work the same for you.*****


1. Open up the following two files (/etc/pam.d/authorization and /etc/pam.d/screensaver) in your favorite text editor.  You may need to open it as an admin.  I suggest using nano via terminal.  Open a terminal and enter sudo nano /filepath/filename

2. Now remove the "use_kcminit" from each file and then save the file.


/etc/pam.d/authorization
    # authorization: auth account
    auth       optional       pam_krb5.so use_first_pass **use_kcminit**
    auth       optional       pam_ntlm.so use_first_pass
    auth       required       pam_opendirectory.so use_first_pass nullok
    account    required       pam_opendirectory.so

/etc/pam.d/screensaver
    # screensaver: auth account
    auth       optional       pam_krb5.so use_first_pass **use_kcminit**
    auth       required       pam_opendirectory.so use_first_pass nullok
    account    required       pam_opendirectory.so
    account    sufficient     pam_self.so
    account    required       pam_group.so no_warn group=admin,wheel fail_safe
    account    required       pam_group.so no_warn deny group=admin,wheel ruser fail_safe

3. Once you have removed the entries you will need to reboot your Mac.

DanShockley · June 9, 2021, 1:34am

Wow, @mashedgear - thank you VERY much for that fix!
This was causing me headaches, locking up a remote machine I use for work, which meant having to ssh in to do a forced restart.
One point: It looks like the formatting in your post marked the words “optional” in bold, and there are extraneous asterisks around the “use_kcminit” keyword in your post. So, if anyone else is confused, the instructions are to open each of those files, delete just that keyword (use_kcminit) at the end of the line, keeping the rest of the line.

Very useful workaround!

LitePenguins · June 25, 2021, 7:05pm

Made an account just to thank you. Thanks for saving the headaches! This solves all the login issues freezing/hanging, etc. Much appreciated. Works as of 6/25/2021 on Mojave after the update.

kriss332 · July 4, 2021, 3:14am

Just like litePenguines, signed up for this site for thanking. Also could you plz elaborate abit on what are the purposes of thoese files and the meaning of parameters used in them that we removed. Thanks again…

A_Lee_Wade · July 9, 2021, 6:58pm

It’s a trend: I too signed up just to say thank you. After a few weeks, it finally got to be too big a pain to put up with, and yours was the second article I found. You’ve also saved me a lot of headaches. THANKS!

tivrick · August 9, 2021, 9:42am

Does Security Update 2021-005 Mojave fix this issue? I had to reinstall to go back to 2021-003 and am now too scared to do any further updates to my Mojave system.

alvarnell · August 9, 2021, 11:05am

I heard from some Enterprise IT’s that it does and they were trying to remember how to back out of the workarounds that they used.