User profile for user: gk06
gk06 Author
User level: Level 1
8 points

Security Update 2021-004 - Kerberos issues? no fileserver connection possible

Hi there:

we installed the security update 2021-004 on the 25th May on 4 different units (Mac Pro 6,1 and Macbooks). The Macs are joined to an Active Directory. Since this security update installed it's not possible to connect to a fileserver (neither synology, nor Windows-Fileserver, nor helios fileserver) anymore. The authentication cannot get through anymore (I get asked to authenticate, fill it in and then comes the spinning ball).

We found hints to Kerberos tickets here: https://forums.macrumors.com/threads/mojave-security-update-2021-004.2297615/ and indeed the "Ticket Viewer" app in System/Library/CoreServices starts with a greyed out windows and the spinning ball). Even with new logged in AD-joined user accounts it cannot connect to the fileserver.

We tried with local users and local admin accounts on the mac to connect to fileserver - this works! So it seems just to be affected with those AD-Users (we do "mobile accounts").


Weird: the whole login procedure on the mac itself seems to be affected, too: login as a local user takes sometimes for hours and after a restart it works just fine (again: sometimes...)


Those Macs are from different companies, joined to different active directories. Some affected users have admin privileges but that doesn't make any differences in the symptoms as far we can see.

Perhaps a Kerberos & Caching problems? Is anybody getting the same issues? Any ideas how to solve this?

Thanks to anybody in advance! Regards - Gisela

Posted on May 26, 2021 1:28 AM

Reply
6 replies
User profile for user: jürgenfromwalluf
jürgenfromwalluf
User level: Level 1
4 points

May 26, 2021 4:05 AM in response to gk06

Hi Gisela, we have exakt the same problems here with our Mojave client machines – but instead of AD, we use the Open Directory Server via the Server.app on a Mojave Mac mini. All OD accounts can't connect to our Mac file server (10.10) any more (we also use "mobile accounts", but non-mobiles don't work either). On a test machine, I created a fresh local account and manually copied the user data from a mobile account – pretty laborious, but it worked. But as you said the login success to the machine is quite random. A horrible scenario for users and admins... Get your work done, Apple!!

Reply
User profile for user: esa63ase
esa63ase
User level: Level 1
9 points

May 26, 2021 5:16 AM in response to jürgenfromwalluf

Same problem here. But I think it may be a problem with some specific software rather than with the connection to fileserver.


After upgrading to 2021-004, I couldn't connect to my Mac with my network account. It hangs after entering username and password with the "please wait" grey circle logo rolling around forever.


I was worried I did something bad to my network account so I checked it with another Mac on 2021-003 update, and I could instantly connect.


However, I didn't blame connection to fileserver because another network account works all the time on the 2021-004 machine. So I thought maybe on my net account there are some personal options or preferences that have trouble migrating to this security update.


So I moved my ~/Library/Caches folder to ~/Library/Caches.bak on the server share; then I tried to login again to my network account, and behold, the connection worked instantly! And a new ~/Library/Caches was created. However, as soon as I logged off and tried logging in again, I was stuck again to the endless grey circle logo.


So I am note quite sure what to do with this problem, mitigation so far is to disable the upgrade to 2021-004 while waiting for more information from Apple.

Reply
User profile for user: gk06
gk06 Author
User level: Level 1
8 points

May 26, 2021 8:48 AM in response to gk06

Thanks to all - I will report this to Apple. Thanks to macadmins.org - they found out its the "use_kcminit" in pam.d which could be causing this issue. For security reasons I don't dare trying to just "delete" this in the pam.d (and macadmins don't suggest ;-) ) as it is authorization ...

Thanks again for your feedbacks!

Reply
User profile for user: Allan Jones
Allan Jones
User level: Level 9
77,912 points

May 26, 2021 8:18 AM in response to gk06

Apple needs to know but will not see problem reports here; this is primarily an end-user venue.


For SU issues it is very important to use the Feedback system to get such issues squarely before an Apple employee. This is the link I recommend:


Feedback - macOS - Apple


It seems 60+ percent of all new SUs have flaws and that won't change unless Apple gets the word. Thanks!



Reply
User profile for user: gk06
gk06 Author
User level: Level 1
8 points

May 27, 2021 9:22 PM in response to esa63ase

Thanks - same on our side.

to point it out clearly: work can hardly be done with no Fileserver connections possible.

!Even the login after sleep mode is not working anymore and you need to restart your computer as the authentication is not going through!

Mojave computers without this security update 2021-004 still just working fine.

Unfortunately there is no roll back possibility as far as I know. Due to our customer relations we are still forced to stay with Mojave for a few more months.


Reply

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.

Security Update 2021-004 - Kerberos issues? no fileserver connection possible

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up