5 Replies Latest reply on Sep 10, 2014 5:57 PM by Jim Gilliver

    SignUp on Mac - Stop after Login

    Timothy Grzeczka Pioneer

      Have an good one; we have six brand new Macs running Mavericks that I installed SignUp client 8.4.1 (Server 8.4) on Friday afternoon. When I left, they were working great. We got in this morning and all six of them when you login they stop and go no further. I've checked the permissions on the Group and Type and they are fine.

       

      Has anyone seen this kind of behavior with Macs and SignUp?

        • Re: SignUp on Mac - Stop after Login
          Scott Olswold Guide

          Timothy,

           

          MacOS 10.9 "Mavericks" requires a newer version of the SignUp client:

           

          Macintosh Components

           

          Regards,

          Scott Olswold

          Pharos Systems Technical Support

            • Re: SignUp on Mac - Stop after Login
              Timothy Grzeczka Pioneer

              Excellent. I'll get that downloaded. Can you recommend a way to get into the Mac without having to redo it from scratch?

                • Re: SignUp on Mac - Stop after Login
                  Jim Gilliver Pioneer

                  The SignUp Client modifies the authorization database to be able to replace the login window.  Unfortunately, older versions of the client replaced the rights list with hard-coded items.  This happened with uninstall as well as install, which means after uninstalling on a modern system you are left with rights copied from a much older system (I suspect 10.4 or even earlier).  This behaviour was changed in the most recently released SignUp client, but that missing information can't so easily be reconstructed.

                   

                  Because of this, I would advise restoring the machines to a standard image if you can.  If you don't have that option, you should be able to get the machine into a working state with this process:

                   

                  1) Boot in single user mode by holding down cmd-s at the very start of the boot process.  Hold it until you see a black text window instead of the grey Apple boot screen.

                  2) Follow the on-screen instructions to check the disk and remount the root partition in read-write mode.

                  3) Run this command:

                  security authorizationdb read system.login.console | sed "s/SignUp:su_/loginwindow:/" | security authorizationdb write system.login.console

                   

                  This is basically what the newest client does when enabling or disabling the client, except that your rights list will likely be the outdated one.  This should still allow you to reboot and login, but ideally you should replace the rights list with a copy from a fresh install of the same version.  I believe the list is the same for all 10.9.x releases, but I don't know for sure.  To do this, run this command in Terminal.app on a known-good system:

                  security authorizationdb read system.login.console > goodrights.plist

                  Copy the goodrights.plist file to the recovered systems, and run:

                  sudo security authorizationdb write system.login.console < goodrights.plist


                  After replacing the rights list, upgrade the SignUp client to the newest version, even if you plan to uninstall.  If you run the old uninstaller, you will end up with another out-of-date rights list.



                  Note: If you enabled sshd (Remote Login in sharing preferences) on the clients before the problem occurred, you can transfer the file via scp and then just run the last command via ssh to restore the rights to normal.  Then reboot with 'sudo reboot' and the machine should start up fine.  For example:

                  good_machine$ scp goodrights.plist admin@broken_machine:.

                  good_machine$ ssh admin@broken_machine

                  broken_machine$ sudo security authorizationdb write system.login.console < goodrights.plist

                  broken_machine$ sudo reboot



                  1 of 1 people found this helpful
                    • Re: SignUp on Mac - Stop after Login
                      Timothy Grzeczka Pioneer

                      Thanks for all the awesome info Jim. The good thing it was a brand new set of 6 Macs in our TechCenter so we just imaged them again and put the latest SignUp on. Thanks for all the help.

                        • Re: SignUp on Mac - Stop after Login
                          Jim Gilliver Pioneer

                          In my opinion, the best thing to take away from this is that you should enable remote login on all machines you administer   Because we 'interfere' with the system at such a low level, problems tend to be severe, and winter10.10 is coming.  If your local policies don't forbid it, having ssh available can save you a lot of single-user mode reboots if something goes wrong in the future.  The commands above could be scripted and used in a loop of machine names to repair an entire lab in minutes.