#!/bin/bash

# Mojave Security Update 2021-004 Kerberos hang fix/workaround
# Stops processes from hanging during Kerberos authentication on Active Directory bound machines
# https://macadmins.slack.com/archives/CB0547P08

# Credit to @croaker_1, @prbsparx, and @RatVader on the MacRumors forum:
# https://forums.macrumors.com/threads/mojave-security-update-2021-004.2297615/?post=29938447#post-29938447

# Ensure script is running as root
if [ "$(id -u)" != "0" ]; then
  echo "This script MUST be run as root" && exit 1
fi

precheck="$(klist 2>&1 & sleep 2; kill $! 2>&1)"

if [[ $precheck ]]; then
  echo "klist success"
  echo "All good. Patch not required"
  exit 0
else
  echo "klist fail"
  ## kill backgrounded klist because it is likely to be stuck
  pkill klist
  echo "Patch is required. Keep going..."
fi

echo "Running pam.d fix"

## remove use_kcminit entry from pam.d authorization and screensaver
if [[ -f /etc/pam.d/authorization ]]; then
  echo "Processing /etc/pam.d/authorization"
  sed -i '' "s/use_kcminit//" "/etc/pam.d/authorization"
else
  echo "/etc/pam.d/authorization not found"
  echo "Patch failed"
  exit 1
fi

if [[ -f /etc/pam.d/screensaver ]]; then
  echo "Processing /etc/pam.d/screensaver"
  sed -i '' "s/use_kcminit//" "/etc/pam.d/screensaver"
else
  echo "/etc/pam.d/screensaver not found"
  echo "Patch failed"
  exit 2
fi

# kill related processes
echo "Killing related processes"
pkill coreauthd kcm kdc