James Hope

Q: Is there a way to reset keychain passwords from server.app?

We have a Lion server and a number of Macs that authenticate with the server through open directory. On occasion users have forgotten passwords, and so I've reset them from server.app. I've tried both getting them to enter their password on the server, or setting their password to "password" with reset at next login set, but both methods result in an issue whenever the user logs in where they're prompted to create a new keychain or use their old one (which is not possible because they have forgotten the password to unlock it). This is frustrating for me and users.

 

Am I doing something wrong, or is this how it is supposed to work? It'd be a real pity if the latter was true, and would go against the idea that "it just works" on the Mac.

Posted on May 5, 2013 6:48 PM


  • by James Hope,

    James Hope May 9, 2013 4:20 PM in response to James Hope
    Level 1 (55 points)

    Has no one else had this problem??

  • by infinite vortex, Solved answer

    infinite vortex May 12, 2013 7:45 AM in response to James Hope
    Level 7 (21,405 points)

    That's the way it works. Due to the nature of a Keychain, and what is potentially stored in it, once a password is forgotten you need to use a new Keychain and all data within is "lost". If there were a way to reset the Keychain password then you can grab anyone's Keychain, insert it into another account and then use the reset password to get all of the data out of it… at which point there's little point to password protecting it at all.
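The reasoning in the answer above, as an added example that is not part of the original thread: a simplified model (not Apple's keychain format) where the key protecting the stored items is wrapped under a key derived from the user's password, so a password change that supplies the old password can re-wrap it while a server-side reset cannot. `ToyKeychain`, `admin_reset_scenario`, the sample passwords and the stdlib-only stand-in cipher are all assumptions made for illustration.

```python
import hashlib, hmac, os

def _kdf(password, salt):
    # Password -> (wrapping key, MAC key); iteration count is a constructed value.
    raw = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)
    return raw[:32], raw[32:]

def _xor_stream(key, nonce, data):
    # Stand-in cipher: HMAC-SHA256 in counter mode (stdlib only, illustration only).
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

class ToyKeychain:
    def __init__(self, password, secrets):
        master = os.urandom(32)                 # random key that protects the items
        self.nonce = os.urandom(16)
        self.blob = _xor_stream(master, self.nonce, secrets)
        self._wrap(master, password)

    def _wrap(self, master, password):
        self.salt = os.urandom(16)
        wrap_key, mac_key = _kdf(password, self.salt)
        self.wrapped = _xor_stream(wrap_key, self.salt, master)
        self.tag = hmac.new(mac_key, self.wrapped, hashlib.sha256).digest()

    def _unwrap(self, password):
        wrap_key, mac_key = _kdf(password, self.salt)
        tag = hmac.new(mac_key, self.wrapped, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, self.tag):
            raise PermissionError("wrong keychain password")
        return _xor_stream(wrap_key, self.salt, self.wrapped)

    def unlock(self, password):
        return _xor_stream(self._unwrap(password), self.nonce, self.blob)

    def change_password(self, old, new):
        self._wrap(self._unwrap(old), new)      # only possible with the old password

def admin_reset_scenario():
    kc = ToyKeychain("forgotten-pw", b"mail=s3cret")   # constructed sample data
    directory_password = "password"             # server-side reset; keychain untouched
    try:
        kc.unlock(directory_password)
        return "unlocked"
    except PermissionError:
        return "locked: create a new keychain"
```
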

  • by James Hope,

    James Hope May 12, 2013 3:45 PM in response to infinite vortex
    Level 1 (55 points)

    Good point. I guess I'll just have to put up with it then and get the users to create a new keychain. The inconvenience might be enough to force them to remember their passwords instead of forgetting them all the time (it's the same people each time).

  • by infinite vortex,

    infinite vortex May 13, 2013 8:33 AM in response to James Hope
    Level 7 (21,405 points)

    I get you completely. I have the same problem with some of "my lot".

    What I will often do is on a password reset I'll ask if they want me to keep/save their password as well for next time they forget… which they will. It saves a great deal of hassle at both ends when they say "yes, great idea!". At which point I'll just put it into my Keychain.