Excellent. I'll get that downloaded. Can you recommend a way to get into the Mac without having to redo it from scratch?
The SignUp Client modifies the authorization database to be able to replace the login window. Unfortunately, older versions of the client replaced the rights list with hard-coded items. This happened with uninstall as well as install, which means after uninstalling on a modern system you are left with rights copied from a much older system (I suspect 10.4 or even earlier). This behaviour was changed in the most recently released SignUp client, but that missing information can't so easily be reconstructed.
Because of this, I would advise restoring the machines to a standard image if you can. If you don't have that option, you should be able to get the machine into a working state with this process:
1) Boot in single user mode by holding down cmd-s at the very start of the boot process. Hold it until you see a black text window instead of the grey Apple boot screen.
2) Follow the on-screen instructions to check the disk and remount the root partition in read-write mode.
3) Run this command:
security authorizationdb read system.login.console | sed "s/SignUp:su_/loginwindow:/" | security authorizationdb write system.login.console
This is basically what the newest client does when enabling or disabling the client, except that your rights list will likely be the outdated one. This should still allow you to reboot and log in, but ideally you should replace the rights list with a copy from a fresh install of the same version. I believe the list is the same for all 10.9.x releases, but I don't know for sure. To do this, run this command in Terminal.app on a known-good system:
security authorizationdb read system.login.console > goodrights.plist
Copy the goodrights.plist file to the recovered systems, and run:
sudo security authorizationdb write system.login.console < goodrights.plist
After replacing the rights list, upgrade the SignUp client to the newest version, even if you plan to uninstall. If you run the old uninstaller, you will end up with another out-of-date rights list.
Note: If you enabled sshd (Remote Login in sharing preferences) on the clients before the problem occurred, you can transfer the file via scp and then just run the last command via ssh to restore the rights to normal. Then reboot with 'sudo reboot' and the machine should start up fine. For example:
good_machine$ scp goodrights.plist admin@broken_machine:.
good_machine$ ssh admin@broken_machine
broken_machine$ sudo security authorizationdb write system.login.console < goodrights.plist
broken_machine$ sudo reboot
Thanks for all the awesome info, Jim. The good thing is it was a brand new set of 6 Macs in our TechCenter, so we just imaged them again and put the latest SignUp on. Thanks for all the help.
In my opinion, the best thing to take away from this is that you should enable remote login on all machines you administer. Because we 'interfere' with the system at such a low level, problems tend to be severe, and winter10.10 is coming. If your local policies don't forbid it, having ssh available can save you a lot of single-user mode reboots if something goes wrong in the future. The commands above could be scripted and used in a loop of machine names to repair an entire lab in minutes.
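The loop mentioned in the last post, as an added example that is not part of the original thread or the SignUp client. It checks goodrights.plist before pushing it, since writing a bad rights list to system.login.console blocks console login; the function names are hypothetical, the admin account is the one used in the scp example above, and the two content checks are assumptions derived from the sed command in the thread.

```shell
#!/bin/sh
# Added example: push a known-good system.login.console rights list to a lab.
# Usage: ./repair_lab.sh goodrights.plist host1 host2 ...
# Assumes Remote Login is enabled and an "admin" account exists on each host.

# Refuse a rights list that would leave the login window unusable.
validate_rights() {
    plist=$1
    [ -s "$plist" ] || { echo "missing or empty: $plist" >&2; return 1; }
    # A list read while the old client was still enabled references the
    # SignUp plugin; writing it would reintroduce the problem.
    if grep -q 'SignUp:' "$plist"; then
        echo "$plist still references SignUp mechanisms" >&2; return 1
    fi
    # The sed fix in the thread maps SignUp:su_ entries to loginwindow: ones,
    # so a usable list is expected to contain loginwindow mechanisms.
    grep -q '<string>loginwindow:' "$plist" || {
        echo "$plist has no loginwindow mechanisms" >&2; return 1; }
    # On macOS, also confirm the file parses as a property list.
    if command -v plutil >/dev/null 2>&1; then
        plutil -lint "$plist" >/dev/null || return 1
    fi
}

# Copy the list to one host, write it, and reboot (same steps as the thread).
repair_host() {
    plist=$1 host=$2
    scp -q "$plist" "admin@$host:goodrights.plist" || return 1
    # -t gives sudo a terminal for its password prompt.
    ssh -t "admin@$host" \
        'sudo security authorizationdb write system.login.console < goodrights.plist && sudo reboot'
}

repair_lab() {
    plist=$1; shift
    validate_rights "$plist" || return 1
    failed=0
    for host in "$@"; do
        echo "== $host"
        # ssh can exit non-zero when the reboot drops the session, so a
        # FAILED host should be rechecked rather than assumed broken.
        repair_host "$plist" "$host" || { echo "FAILED: $host" >&2; failed=$((failed + 1)); }
    done
    [ "$failed" -eq 0 ]
}

# Run only when invoked with a plist and at least one host.
if [ "$#" -ge 2 ]; then repair_lab "$@"; fi
```

Validation runs once, before any host is touched, so a bad capture never reaches the lab.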