
Mojave Security Update 2021-004 broke Kerberos for me

This is in regards to a mobile account...


After applying Mojave security update 2021-004 I lost the ability to connect to SMB shares hosted by a Mac Mini. In addition to this I cannot connect to anything with Apple Remote Desktop (it freezes), Outlook will usually freeze on quitting now, and if I need to unlock my account (say from the screensaver) it frequently freezes after I enter the password and I have to do a forced restart.


After a lot of troubleshooting I think the problem may be with my Kerberos cache. I've come to this conclusion because the Ticket Viewer app also freezes on boot up before any tickets appear and has to be force quit. So my question is, how can I clear the Kerberos cache without Ticket Viewer? Or should I simply recreate this mobile account as a local one and hope for the best?


Thanks,

Scott Wirth

iMac Line (2012 and Later)

Posted on May 27, 2021 10:54 AM

Question marked as Best reply

Posted on May 27, 2021 3:46 PM

Tried Safe Boot first thing and it didn't work :(


However, I found this today, after posting this question, and it did work.


https://talk.tidbits.com/t/security-update-2021-003-catalina-and-2021-004-mojave/15754/2


The problem only affects mobile users authenticating with AD or Open Directory.


38 replies

May 27, 2021 2:50 PM in response to Charles Wirth

It would seem to me that the credentials cache must be munged.


Safe Boot, (holding Shift key down at startup), does the problem occur in Safe Mode? Could take 10 minutes.


Safe mode attempts to repair Disks & clears lots of caches & loads safe Drivers, & prevents loading of 3rd party extensions, so if Safe Mode works try again in regular boot.


To find out if it's system wide or user specific, try this...


Open System Preferences>Users & Groups, unlock the lock, click on the little plus icon, make a new admin account, log out & into the new account.


Does it work in the new account?

May 31, 2021 12:51 AM in response to Charles Wirth

macOS Catalina is also affected, forcing Apple to delay the release of standalone DMG bundles and SU installers.


For now only Safari 4.1.1 can be manually downloaded from the swscan catalog, which also includes Mojave and Catalina security updates in the form of PKG bundles. The product support page hasn't been updated yet with the download links containing the DMG bundles since Apple is working on a fix for the Kerberos mobile services.

May 31, 2021 11:37 PM in response to dragontorc

dragontorc wrote:

The botched security updates were pulled off from both the Software Update service and Download Support page as a fix is currently in the works. Once the bug is fixed Apple will issue a revised build addressing the Kerberos issue.


The updates were pulled? Or the part which causes the problem was removed from the update? I'm still being prompted to install both macOS Mojave Security Update 2021-004 and Safari 14.1.1.


Although I don't use AD I'm playing it safe as I do have my Macs bound to an LDAP server with mobile accounts set up. There's nothing to say whether these would be affected in the same way or not.


It's poor form for Apple to still be serving these updates days after they found out about the problem without at least updating the documentation on the website with a warning.

Jun 7, 2021 11:37 AM in response to gakushaburu

Before finding this thread I was troubleshooting a separate (related?) issue with failed DDNS updates on macOS 11. While testing a 10.14 machine I installed the macOS Mojave Security Update 2021-004 update and experienced the symptoms noted here - klist hangs, connections to server shared folders hang/don't connect, etc. Contrary to reports above this update is still being published.


This is a significant bug that Apple needs to fix ASAP.

Jun 18, 2021 4:54 AM in response to Charles Wirth

If you implemented a community-developed workaround, it may be an issue when the ActiveDirectory passwords expire. Apple apparently has a Mojave patch in Apple Seed for enterprise customer testing. Most MacAdmins have been upgrading folks to Catalina if they are able to do so. The workaround is only temporary and might introduce unexpected problems or cause a new security issue. This only affects Mojave Macs that installed the security update and are bound to an ActiveDirectory domain using a mobile account (copy of an AD account cached on the Mac). The best source of information is the MacAdmins Slack #Mojave Channel. It's not a fix. It's a workaround and if you can upgrade to Catalina then you should probably just do so. Those applying the fix are those who cannot upgrade to Catalina due to some other constraint in their environment such as legacy software being used.

Jun 22, 2021 11:22 AM in response to Charles Wirth

THANK YOU!!!!


My work laptop has been a BRICK for the last few weeks. It's just been miserable. I couldn't connect to any of our file shares. I couldn't lock my screen without it freezing. If I hovered over the Enterprise Connect icon, my entire laptop would freeze and I would have to do a reboot. I tried so many different things, and this finally fixed it. My organization already hates supporting us devops weirdos that insist on using a MacBook to do our job, so I was a couple of weeks from trading it in for some $400 Windows laptop that let me do my job again. You're a lifesaver.

Jun 24, 2021 8:50 AM in response to pacificadmin

Update must still be live. I just installed this update on a Mojave iMac bound to OD working fine prior to the Security update. Took the machine offline for a day to fix, client (and I—they complained loudly about things breaking *every* time I visit) lost a day's productivity. I ultimately brought the user local. Mobile doesn't make sense in this environment, anyway, but this should either be tested for, or somehow we are made aware in liner notes for these not-so-minor updates.


Maybe this is dead tech (Server and OD,) and Apple's too inexperienced in their current workforce to care (or actively doesn't,) but a developer friend of mine commented that it seems Apple just doesn't know how to do proper testing anymore, or doesn't care. The goodwill engendered with ensuring existing setups don't break with Every. Stupid. Update ... would work wonders for Apple's bottom line. I haven't bought, nor have I recommended, new hardware for about 6 years now.


If they continue to support older hardware/software configurations, they should, well, continue to support older hardware/software configurations! Do it or don't! If it came down to it though, I fear that their answer would be the latter.

Jun 24, 2021 5:38 PM in response to Matt W (TechnicalMac)

Matt W (TechnicalMac) wrote:

I just installed this update on a Mojave iMac bound to OD working fine prior to the Security update. Took the machine offline for a day to fix


Thank you for posting this information. There are posts saying this problem only affected mobile users on AD but I'd been taking that information with a pinch of salt as nobody had confirmed there were no problems with other directory technology. I still use mobile users but migrated from OD to LDAP some time ago. It was purely by chance I spotted this thread at the beginning of the month just before updating.


In my opinion if Apple (or any developer for that matter) decide to stop supporting any functionality they need to tell users in advance so users can decide whether to migrate or to risk delaying/stopping updates. If this setup is no longer supported Apple have not done that. If it is supported then there is a serious bug in the update which for some reason they have neither fixed nor, as far as I can find, documented.

Jun 28, 2021 8:44 AM in response to Matt W (TechnicalMac)

Maybe this is dead tech (Server and OD,) and Apple's too inexperienced in their current workforce to care (or actively doesn't,) but a developer friend of mine commented that it seems Apple just doesn't know how to do proper testing anymore, or doesn't care.


I would lean towards Apple not caring too much about macOS in enterprise or even workgroup environments. As a side effect, that results in a workforce that doesn't know and doesn't care much about these environments.


This isn't the only Kerberos related bug either. In Big Sur DDNS is completely broken.

https://www.jamf.com/jamf-nation/discussions/38422/big-sur-problem-dinamic-registration-in-dns-server
