AD users cannot log in to Apple macOS operating systems via GUI
Description
Issue 1:
- ssh logins work correctly; GUI logins time out.
- Active Directory users are unable to log in using the Mac login window.
- The screen shakes as if an incorrect password had been entered.
Issue 2:
- ssh logins work correctly; GUI logins time out.
- The credentials entered in the Mac GUI login window are correct, but the rainbow wheel (spinning wait cursor) eventually times out without letting the user log in.
Cause
The problem is caused by the credentials cache, more specifically the Heimdal kcm (credential cache server), and seems limited to machines bound to a directory such as Active Directory or Open Directory. Macs are no longer able to access the credential cache, which consequently prevents any ticket action from taking place.
The offending line is this PAM entry:
auth optional pam_krb5.so use_first_pass use_kcminit
The presence of use_kcminit produces unexpected results in the PAM module-loading chain: it interrupts all subsequent modules in the stack, including our pam_vas module.
Resolution
Reconfigure the OS's PAM entries (authorization, as well as screensaver and login) to ignore cached Kerberos credentials.
Workaround 1: The following script was written to remove the offending entry and kill processes that may have loaded the Kerberos module. This solved the issue of network logins failing.
#!/bin/sh
# run as root/sudo
# strip the use_kcminit option from the three PAM services (BSD sed: -i '' edits in place without a backup)
sed -i '' "s/use_kcminit//" "/etc/pam.d/authorization"
sed -i '' "s/use_kcminit//" "/etc/pam.d/screensaver"
sed -i '' "s/use_kcminit//" "/etc/pam.d/login"
# kill related processes so they stop using the already-loaded Kerberos module
pkill coreauthd
pkill kcm
pkill kdc
After the "use_kcminit" text is removed, the GUI logins work correctly. However, you may need to restart macOS to restart other services that also depend on the cache module.
Reversal of Workaround 1: In case you want to reverse the changes, apply this bash script:
#!/bin/bash
# run as root/sudo
# append use_kcminit to the end of each pam_krb5.so line ("&" is the matched text; the space keeps the option separate from the preceding one)
sed -i '' "s/pam_krb5.so.*/& use_kcminit/" "/etc/pam.d/authorization"
sed -i '' "s/pam_krb5.so.*/& use_kcminit/" "/etc/pam.d/screensaver"
sed -i '' "s/pam_krb5.so.*/& use_kcminit/" "/etc/pam.d/login"
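The two scripts above edit the live PAM files directly. The example below, which is an added illustration and not part of this article or of Authentication Services, shows the same edit and its reversal done more defensively: it scopes the change to the pam_krb5.so line only (so the token cannot be stripped from some other module's options), keeps a backup copy, and is safe to run more than once. It operates on a constructed copy of /etc/pam.d/authorization in a temporary directory so it can be run anywhere; the file paths, the sample PAM content and the function names are assumptions for the example. It uses POSIX sed with a temporary file instead of the macOS-only sed -i '' form, and omits the pkill steps.

```shell
#!/bin/sh
# Added example, not the KB article's own script. Works on a constructed
# copy of a macOS PAM file in a temp directory; on a real Mac the targets
# would be /etc/pam.d/authorization, /etc/pam.d/screensaver and
# /etc/pam.d/login (run as root, with the pkill steps from the article).

WORK="$(mktemp -d)"
PAMFILE="$WORK/authorization"

# Constructed sample resembling /etc/pam.d/authorization on a bound Mac.
cat > "$PAMFILE" <<'EOF'
# authorization: auth account
auth       optional       pam_krb5.so use_first_pass use_kcminit
auth       sufficient     pam_opendirectory.so use_first_pass nullok
account    required       pam_opendirectory.so
EOF

# has_kcminit FILE: returns 0 if the pam_krb5.so line carries use_kcminit.
has_kcminit() {
    grep -q 'pam_krb5\.so.*use_kcminit' "$1"
}

# remove_kcminit FILE: strip use_kcminit from the pam_krb5.so line only.
# Returns 0 if the file was changed, 1 if there was nothing to do.
remove_kcminit() {
    f="$1"
    has_kcminit "$f" || return 1
    cp "$f" "$f.bak"                      # keep a copy for rollback
    sed '/pam_krb5\.so/s/[[:space:]]*use_kcminit//' "$f" > "$f.tmp" \
        && mv "$f.tmp" "$f"
}

# restore_kcminit FILE: append use_kcminit to the pam_krb5.so line's
# options, without duplicating it if it is already present.
# Returns 0 if the file was changed, 1 if it already had the option.
restore_kcminit() {
    f="$1"
    has_kcminit "$f" && return 1
    sed '/pam_krb5\.so/s/[[:space:]]*$/ use_kcminit/' "$f" > "$f.tmp" \
        && mv "$f.tmp" "$f"
}

main() {
    remove_kcminit "$PAMFILE" && echo "removed use_kcminit from $PAMFILE"
    remove_kcminit "$PAMFILE" || echo "second run: nothing to do"
    grep pam_krb5 "$PAMFILE"
    restore_kcminit "$PAMFILE" && echo "restored use_kcminit"
    grep pam_krb5 "$PAMFILE"
}

main
```

Because both functions test for the option before editing, re-running either one reports "nothing to do" rather than corrupting the line, and the .bak copy written by remove_kcminit gives you a verbatim original to diff against before deciding whether a reboot is still needed.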
Additional information
As this issue belongs to the OS and not to Authentication Services, we recommend reviewing the list of patches applied to your distribution that deal with Heimdal (pam_krb5.so) library updates.
This issue has been observed on macOS Monterey, Sonoma and Ventura.