
Active Directory login fail on Catalina

After installing the macOS Security Update 2021-003 I've noticed that when I want to log in with my AD account it fails. I've unbound my iMac and then bound it again, a couple of times. I've reset the switch I connect to and even tried a direct connection not using the switch. I've even tried Wi-Fi. I also booted into Recovery mode and did a First Aid on the drive and it's fine.


Computers that have Big Sur (11.4) installed seem fine.


I now notice that if I try to log in right away it fails; however, if I give it a few seconds and then try, it struggles a bit but does let me in.


I was just wondering if anyone else is experiencing this?

Posted on May 27, 2021 2:41 PM

Question marked as Best reply

Posted on Jun 21, 2021 12:52 PM

So I found the solution.


macOS Catalina Security Update 2021-003 causes this issue.


The fix is to edit the /etc/pam.d/authorization and /etc/pam.d/screensaver files and remove the "use_kcminit" lines from each file.

auth optional pam_krb5.so use_first_pass **use_kcminit**


Then reboot.


After making these changes, I've since rebooted my Mac a few times and each time I've been able to log in with my AD account.
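
An added example, not part of the original reply: a shell sketch that reports the active pam_krb5.so lines carrying use_kcminit and disables them with a backup. It assumes that commenting the line out is an acceptable, reversible stand-in for deleting it; the names find_kcminit, disable_kcminit and fix_kcminit.sh are hypothetical.

```shell
#!/bin/sh
# Added example. awk matcher: an active (uncommented) PAM line that loads
# pam_krb5.so and passes the use_kcminit option.
KCM_MATCH='
function hit(   i, m, k) {
    if ($1 ~ /^#/) return 0
    for (i = 1; i <= NF; i++) {
        if ($i == "pam_krb5.so") m = 1
        if ($i == "use_kcminit") k = 1
    }
    return m && k
}'

# Print "file:line:text" for each matching line in the given files.
find_kcminit() {
    awk "$KCM_MATCH"'
    hit() { print FILENAME ":" FNR ":" $0 }' "$@"
}

# Comment out matching lines in one file, keeping a timestamped backup.
# Returns 0 if the file was changed, 1 if nothing matched, 2 on error.
disable_kcminit() {
    f=$1
    [ -f "$f" ] || return 2
    [ -n "$(find_kcminit "$f")" ] || return 1
    bak="$f.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$f" "$bak" || return 2
    # Rewrite through the existing file so its owner and mode are unchanged.
    awk "$KCM_MATCH"'
    hit() { print "#" $0; next }
    { print }' "$bak" > "$f" || return 2
}

# Usage (as root, hypothetical script name):
#   sh fix_kcminit.sh /etc/pam.d/authorization /etc/pam.d/screensaver
# With no arguments the script only defines the functions.
for f in "$@"; do
    find_kcminit "$f"
    disable_kcminit "$f" || echo "$f: not changed"
done
```

Trying it on a copy of each file first shows exactly which lines would change; restoring the `.bak` copy undoes the edit.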


May 28, 2021 1:16 PM in response to NeiSpe77

Good day to you NeiSpe77,


We understand that when attempting to log in with an Active Directory account, the login fails.


There are a few basic isolating steps we can suggest. First is testing while in safe mode (How to use safe mode on your Mac), and the second is testing in a new admin user on your Mac (Set up users, guests, and groups on Mac).


Let us know what you find out.

Jun 17, 2021 11:59 AM in response to NeiSpe77

NeiSpe77, 


Hope your vacation was wonderful! 


Thanks for testing in safe mode, that’s good to know. Do you have any start up items in System Preferences > Users & Groups > Login Items? If so, let’s disable them all, boot to regular mode and test logging in again. If the issue is resolved, you can enable start up items again one at a time to see if we can identify the culprit.


Let us know how it goes. 

Jun 17, 2021 12:09 PM in response to AnnieL2

Thanks for the reply.


I have nothing at all in my Login Items.


I have since removed my iMac from the domain a few times. The last time I removed it I noticed that the device no longer showed in the Active Directory so I added it again (all using a Local Admin account I created). Then I was able to see the device once I bound it to the AD. I removed it from the AD and then rebooted the Mac, I then did an unbind on the Mac and rebooted again.

Now I am unable to bind the Mac. After I enter the Active Directory Name in the Directory Utility it takes a moment but then gives me the error: "The plugin encountered an error processing request"

Jun 21, 2021 9:40 AM in response to AnnieL2

Yep, I have bound a lot of Macs over the years.


So I just found this out. In the Users and Groups section the option: Allow network users to login at the login window disappears. It wasn't there. Using the Active Directory Tools on my Windows computer I deleted the iMac object. I then removed the iMac from the domain. I then rebooted the iMac and logged in with my local account and bound it again and I saw that this option was there again. I logged out and then I was able to log in with my AD account. To make sure it was still going to be there I then rebooted the iMac and I couldn't log in with my AD account. I logged in with my local admin account and saw that that option was gone again. Yet, I have a green dot beside my Network Account Server with the name of my domain. If I do a Command + K and enter my AD account and password I can see my network drives. Can you explain why that option disappears?


Thanks.
