
Can't log in using local password - no sudo 'sudo: PAM authentication error: error in service module'

Background:

My MBP is working on a corporate network, bound to Active Directory; however, I'm using a local account to use/access my MBP.


Apparently Microsoft is disabling LDAP (unencrypted) and only accepting LDAPS on domain controllers in March. Our network engineers have been monitoring the DC logs for non-encrypted LDAP traffic, and it appears that the few Macs we have on the network bound to AD are all talking unsigned.


I was asked to make the following changes to rectify the problem:


dsconfigad -packetencrypt ssl

dsconfigad -packetsign require


I rebooted and logged in with iWatch, so I didn't notice the issues immediately; however, the machine became sluggish, and it was only after trying to roll back that I noticed I couldn't get elevated privileges anymore, i.e. sudo, as it's reporting 'sudo: PAM authentication error: error in service module'


Now I've found that I also can't log in locally using my local password; the only way I can access my computer is because my iWatch is paired and unlocks my account.


The second problem is that I can no longer sudo, as it again won't accept passwords, giving me the following error: 'sudo: PAM authentication error: error in service module'


Thirdly, I can no longer open up user accounts from System Preferences.


So, as I don't want to have to restore/re-install my computer from backups if I can help it, I'm after some troubleshooting suggestions to allow me to roll back the changes.



I have limited access to console and log is filled with these:



Regards,


Stephen...



MacBook Pro 15”, macOS 10.15

Posted on Jan 23, 2020 8:18 PM

Question marked as Best answer

OK, I've resolved this; however, I'm lucky in that my MBP is being managed by our enterprise MDM service, Cisco Meraki, so I could get an elevated-privilege CLI from the Meraki console and run some commands.


I removed the computer from the domain using: "dsconfigad -remove -u <username> -p <password>"


Then I rebooted and all was back to normal.


I don't know how I would have achieved it without the backdoor of the MDM service.


Posted on Jan 23, 2020 9:23 PM in response to madeinoz67
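For the rollback the question asks about, one precaution is to record the packet signing and encryption values before running the two `dsconfigad` changes. This is an added example, not part of the original thread: the function names and the sample `dsconfigad -show` output are constructed, and the field labels are an assumption about that command's output.

```shell
#!/bin/sh
# Added example: turn a `dsconfigad -show` snapshot into rollback commands.

# Print the value of one "Label = value" line read from stdin.
ad_field() {
    awk -F'=' -v label="$1" '
        { key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key) }
        key == label { val = $2; gsub(/^[ \t]+|[ \t]+$/, "", val); print val; exit }'
}

# Read `dsconfigad -show` output on stdin and print the commands that restore
# the recorded values. Returns 1 if a field is missing (e.g. the Mac is not
# bound) or holds a value dsconfigad would not accept.
ad_rollback_cmds() {
    snapshot=$(cat)
    sign=$(printf '%s\n' "$snapshot" | ad_field "Packet signing")
    enc=$(printf '%s\n' "$snapshot" | ad_field "Packet encryption")
    case "$sign" in allow|disable|require) ;; *) return 1 ;; esac
    case "$enc" in allow|disable|require|ssl) ;; *) return 1 ;; esac
    printf 'dsconfigad -packetsign %s\n' "$sign"
    printf 'dsconfigad -packetencrypt %s\n' "$enc"
}

# Constructed sample output; the layout is an assumption, not a captured log.
sample_show() {
cat <<'EOF'
Active Directory Forest          = corp.example
Active Directory Domain          = corp.example
Computer Account                 = mbp-placeholder$

Advanced Options - Administrative
  Packet signing                 = allow
  Packet encryption              = allow
  Password change interval       = 14
EOF
}

# On a bound Mac, as root and BEFORE changing anything:
#   dsconfigad -show | ad_rollback_cmds > /var/root/ad-rollback.sh
sample_show | ad_rollback_cmds
```

The saved commands still need a root shell to run, so confirm an elevated path that does not depend on the local password (such as the MDM console used in the answer) before applying the change.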