A few months ago we added Jamf Connect and all was good, but recently we started getting this error when a user changed their password.
Jamf state this could happen if the Mac was previously bound to AD, but we also saw it on new Macs that had never been bound, so the jury is out on the cause. The good news is there is a simple fix.
The fix is to add a krb5.conf file to the user’s Mac (/etc/krb5.conf) and specify in that file the Kerberos realm.
For example the krb5.conf file would be:
[libdefaults]
default_realm=UK.DOMAIN.COM
Now we could have created this file, packaged it in Composer, added it to Jamf, created a policy, scoped and distributed it, but we have 5 realms (examples below), so it seemed a lot of work to create 5 pkgs.
DOMAIN.COM
UK.DOMAIN.COM
US.DOMAIN.COM
ASIAPAC.DOMAIN.COM
RD.DOMAIN.COM
However, a quick search on https://community.jamf.com turned up this wonderful script by bigmikeey, which caught my eye. A quick test and we were in business. The Jamf community really is a fantastic resource.
All you need to do is change MCSLTD.INTERNAL in the script below to your domain. Add the script to Jamf, create a policy and deploy. The krb5.conf is created on the user's Mac and Jamf Connect is killed and relaunched.
#!/bin/bash
#Find the Current users ID.
currentUser=$( /usr/bin/stat -f %Su "/dev/console" )
userID=$( /usr/bin/id -u "$currentUser" )
#Unload the Jamf Connect Menu bar app
/bin/launchctl bootout gui/"$userID" /Library/LaunchAgents/com.jamf.connect.plist
#Create the Kerberos file
touch /etc/krb5.conf
#Write the content into the file
cat << 'EOT' >/etc/krb5.conf
[libdefaults]
default_realm=MCSLTD.INTERNAL
EOT
#wait 2 seconds
sleep 2
#Kill any running instance with the name Jamf Connect
pkill "Jamf Connect"
#Re-launch Jamf Connect Menu bar app (by launching the LaunchAgent)
/bin/launchctl bootstrap gui/"$userID" /Library/LaunchAgents/com.jamf.connect.plist
exit 0
For our needs we would have 5 scripts and change each one to the specific domain... which I did! But a far more efficient way is to make the default_realm= value a variable, then have that variable set from a script parameter in Jamf. So a single script, much more efficient.
So below is my version. You can see the domain variable is $4 and default_realm=$domain. Note that the heredoc delimiter must be unquoted (EOT, not 'EOT') so the shell expands $domain when it writes the file.
#!/bin/bash
#Jamf Script Parameter (Parameter 4 in the policy)
domain=$4
#Stop if no realm was passed, otherwise we would write an empty default_realm
if [ -z "$domain" ]; then
    echo "No realm passed in parameter 4, nothing to do"
    exit 1
fi
#Find the Current users ID.
currentUser=$( /usr/bin/stat -f %Su "/dev/console" )
userID=$( /usr/bin/id -u "$currentUser" )
#Unload the Jamf Connect Menu bar app
/bin/launchctl bootout gui/"$userID" /Library/LaunchAgents/com.jamf.connect.plist
#Create the Kerberos file
touch /etc/krb5.conf
#Write the content into the file. The EOT delimiter is NOT quoted here so that $domain is expanded
#(with 'EOT' the file would contain the literal text "$domain" instead of the realm)
cat << EOT >/etc/krb5.conf
[libdefaults]
default_realm=$domain
EOT
#wait 2 seconds
sleep 2
#Kill any running instance with the name Jamf Connect
pkill "Jamf Connect"
#Re-launch Jamf Connect Menu bar app (by launching the LaunchAgent)
/bin/launchctl bootstrap gui/"$userID" /Library/LaunchAgents/com.jamf.connect.plist
exit 0
In the script Options section in Jamf you can set a Parameter Label as below:
Then when you create your policy and add the script you can enter your domain in the script Parameter Value and you will see your label set in script Options:
Now when you scope and trigger the script, the krb5.conf will be created with the value entered, in this case UK.DOMAIN.COM.
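As an added example (my own, not bigmikeey's script and not Jamf's code), here is the same deployment written so that the realm coming in from the policy parameter is checked before it is written into /etc/krb5.conf, the file is written atomically with 0644 permissions, and Jamf Connect is only bounced when the file actually changed. Jamf still passes the realm in $4 (parameters 1 to 3 are the mount point, computer name and username that Jamf fills in itself). The function names and the "changed"/"unchanged" output are my own conventions, not anything Jamf defines.

```shell
#!/bin/bash
# Added example, not the blog's or bigmikeey's script: validate the realm,
# write /etc/krb5.conf atomically, and only restart Jamf Connect on change.

# Kerberos realms are conventionally upper-case DNS names. Reject anything
# else so a mistyped policy parameter cannot write junk into /etc/krb5.conf.
# LC_ALL=C keeps [A-Z] strictly upper-case regardless of the system locale.
valid_realm() {
  printf '%s' "$1" | LC_ALL=C grep -Eq \
    '^[A-Z0-9]([A-Z0-9-]*[A-Z0-9])?(\.[A-Z0-9]([A-Z0-9-]*[A-Z0-9])?)*$'
}

# Print the krb5.conf content for a realm. The heredoc delimiter is
# deliberately unquoted: with 'EOT' the shell would not expand $1 and the
# file would contain the literal text "$1".
render_krb5_conf() {
  cat <<EOT
[libdefaults]
default_realm=$1
EOT
}

# install_krb5_conf <path> <realm>
# Prints "changed" or "unchanged" on success, returns 1 for a bad realm.
# Writes to a temp file in the same directory and renames it into place so
# nothing ever reads a half-written config.
install_krb5_conf() {
  path=$1
  realm=$2
  valid_realm "$realm" || { echo "invalid realm: '$realm'" >&2; return 1; }
  new=$(render_krb5_conf "$realm")
  if [ -f "$path" ] && [ "$(cat "$path")" = "$new" ]; then
    echo unchanged
    return 0
  fi
  tmp=$(mktemp "$path.XXXXXX") || return 1
  printf '%s\n' "$new" > "$tmp"
  # mktemp creates 0600; krb5.conf must be world-readable. When the Jamf
  # policy runs this as root the file is already root-owned.
  chmod 0644 "$tmp"
  mv -f "$tmp" "$path"
  echo changed
}

# Bounce the Jamf Connect menu bar app for the console user so it re-reads
# the realm. Same lookup as the blog's script; macOS-only commands, so this
# is only called from the deployment entry point below.
restart_jamf_connect() {
  currentUser=$(/usr/bin/stat -f %Su /dev/console)
  userID=$(/usr/bin/id -u "$currentUser")
  agent=/Library/LaunchAgents/com.jamf.connect.plist
  /bin/launchctl bootout gui/"$userID" "$agent" || true   # may not be loaded
  sleep 2
  pkill "Jamf Connect" || true                              # may not be running
  /bin/launchctl bootstrap gui/"$userID" "$agent"
}

# Deployment entry point: Jamf supplies the realm in $4. Nothing runs when
# no realm was passed, so the functions above can be exercised on their own.
if [ -n "${4:-}" ]; then
  case $(install_krb5_conf /etc/krb5.conf "$4") in
    changed)   restart_jamf_connect ;;
    unchanged) echo "krb5.conf already set to $4, nothing to do" ;;
    *)         exit 1 ;;
  esac
fi
```

In Jamf this goes in as the script with a parameter 4 label such as "Kerberos realm", exactly as described above; to try it by hand on a Mac, run it as root with three empty placeholders for the Jamf-supplied parameters: sudo ./krb5-realm.sh "" "" "" UK.DOMAIN.COM. Re-running the policy with the same realm now reports "unchanged" and leaves the user's Jamf Connect session alone.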
Once again thanks to the Jamf community for this fix 😊