diff --git a/pkgs/development/libraries/tpm2-tss/default.nix b/pkgs/development/libraries/tpm2-tss/default.nix
index b28d031be83ad..6d3a29c28ba79 100644
--- a/pkgs/development/libraries/tpm2-tss/default.nix
+++ b/pkgs/development/libraries/tpm2-tss/default.nix
@@ -2,7 +2,7 @@
 , autoreconfHook, autoconf-archive, pkg-config, doxygen, perl
 , openssl, json_c, curl, libgcrypt
 , cmocka, uthash, ibm-sw-tpm2, iproute2, procps, which
-, shadow, libuuid
+, libuuid
 }:
 let
   # Avoid a circular dependency on Linux systems (systemd depends on tpm2-tss,
@@ -28,7 +28,6 @@ stdenv.mkDerivation rec {
 
   nativeBuildInputs = [
     autoreconfHook autoconf-archive pkg-config doxygen perl
-    shadow
   ];
 
   buildInputs = [
@@ -53,6 +52,17 @@ stdenv.mkDerivation rec {
     # Do not rely on dynamic loader path
     # TCTI loader relies on dlopen(), this patch prefixes all calls with the output directory
     ./no-dynamic-loader-path.patch
+
+    # Configure script expects tools from shadow (e.g. useradd) but they are
+    # actually optional (and we can’t use them in Nix sandbox anyway). Make the
+    # check in configure.ac a warning instead of an error so that we can run
+    # configure phase on platforms that don’t have shadow package (e.g. macOS).
+    # Note that *on platforms* does not mean *for platform* i.e. this is for
+    # cross-compilation, tpm2-tss does not support macOS, see upstream issue:
+    # https://github.com/tpm2-software/tpm2-tss/issues/2629
+    # See also
+    # https://github.com/tpm2-software/tpm2-tss/blob/6c46325b466f35d40c2ed1043bfdfcfb8a367a34/Makefile.am#L880-L898
+    ./no-shadow.patch
   ];
 
   postPatch = ''
diff --git a/pkgs/development/libraries/tpm2-tss/no-shadow.patch b/pkgs/development/libraries/tpm2-tss/no-shadow.patch
new file mode 100644
index 0000000000000..a42bf06771d0c
--- /dev/null
+++ b/pkgs/development/libraries/tpm2-tss/no-shadow.patch
@@ -0,0 +1,16 @@
+diff --git a/configure.ac b/configure.ac
+index e2d579b8..0eac4ff3 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -672,9 +672,9 @@ AS_IF([test "$HOSTOS" = "Linux" && test "x$systemd_sysusers" != "xyes"],
+       AC_CHECK_PROG(adduser, adduser, yes)
+       AC_CHECK_PROG(addgroup, addgroup, yes)
+       AS_IF([test "x$addgroup" != "xyes" && test "x$groupadd" != "xyes" ],
+-         [AC_MSG_ERROR([addgroup or groupadd are needed.])])
++         [AC_MSG_WARN([addgroup or groupadd are needed.])])
+       AS_IF([test "x$adduser" != "xyes" && test "x$useradd" != "xyes" ],
+-         [AC_MSG_ERROR([adduser or useradd are needed.])])])
++         [AC_MSG_WARN([adduser or useradd are needed.])])])
+ 
+ AC_SUBST([PATH])
+