Erich Wetzel

Q: Mavericks Server Keychain not properly storing information for network users.

OS 10.9.1, Server 3.0.2. Clients OS 10.9.1 bound to server Open Directory and managed with Profile Manager. 10.6.8 Mail server bound to 10.9.1 server Open Directory. Messages is running on the 10.9.1 server which hosts the users.

changeip -checkhostname indicates DNS is correct for the server. Server is running on a FQDN, no .local or other DNS issues.

For everything below: the Keychain for any of the users does not need to be repaired.

Generally things are going well, with one exception which is a big problem.

Each time a network user logs in and tries to use either Mail (to connect to our mail server via IMAP) or Messages, they are prompted for passwords. Messages takes the password and logs in. Mail acts as though the password was incorrect and asks for it again; it does not pass the connection to the mail server. There is no trace of the attempted login in the mail server logs.

Functional workarounds:

1 - OS reinstall allows immediate login on the mail server and connections as expected. This is a little too much for day to day use.

2 - (From somewhere in the forums, I forgot who, sorry) User logs in, go to the user's network home/Library/Keychains and move any keychains whose names are long strings of letters and numbers to another folder or put them in the trash, immediately reboot, user logs in again, enters passwords in Mail, immediate connection to the mail server and expected behavior from Mail.app.

On a network user machine in a multi-user environment, the next user will have to repeat the entire procedure above, including the reboot, to get access to the contents of the mail server. The first user in the example above will have to repeat it if they come back to the same machine and log in again.

This is what we are doing now. It appears that it would work on a personal machine with local users and has solved a lot of issues in the forum. It is helping but does not solve the keychain problem for network users.

Does anyone have any advice?

Thanks.

-Erich

OS X Server

Posted on Jan 10, 2014 6:42 PM

  • Philip GW, Level 1 (5 points), Nov 4, 2014 5:05 PM in response to Erich Wetzel

    I had the same problem at first. I fixed it by doing a Get Info on the local and LaunchAgents folders and making sure the permissions were System R/W with everything else Read only. Then I Applied To Enclosed Items to push those permissions down to the scripts. Another thing I did differently was to log into the computer as "root" so I'd have the rights to do anything and remain in the GUI. I just needed Terminal to do the chmod. You can enable the root user in Directory Editor. Then log in as "Other" and enter root as the username and the password you entered in Directory Editor when you enabled the root user.

  • Erich Wetzel, Level 2 (345 points), Servers Enterprise, Nov 4, 2014 5:08 PM in response to Philip GW

    Philip GW

    As you were typing, I was fixing it as you had stated before. I must learn to follow instructions!

    With permissions set properly I can also confirm that this seems to be working as hoped. Multiple network and local users are logging in and out in succession without restarts.

  • Erich Wetzel, Level 2 (345 points), Servers Enterprise, Nov 4, 2014 5:12 PM in response to Erich Wetzel

    Anyone have a simple way to automatically push this to clients, or do we need to do it manually or via ARD?

    We only have a few clients so if it is not really easy I will be faster touching each machine.

  • Benjamin Losch, Level 1 (29 points), Mac OS X, Nov 5, 2014 4:23 AM in response to Erich Wetzel

    I did it with ARD (Apple Remote Desktop, https://itunes.apple.com/de/app/apple-remote-desktop/id409907375?mt=12&uo=4, respectively https://itunes.apple.com/us/app/apple-remote-desktop/id409907375?mt=12&uo=4 for the US store).

    There you could put files and issue terminal commands to multiple clients at once, which did the job for 12 clients in about 5 minutes.

    Sorry, I did all the steps I described as root, so I had no issues with the rights system.

    So if you need advice on how to set up the root account in OS X, let me know.

    Alternatively you could do everything with sudo.

    Greetings,

    Ben

  • Erich Wetzel, Level 2 (345 points), Servers Enterprise, Nov 5, 2014 7:55 AM in response to Benjamin Losch

    Thanks Ben, that sounds easiest.

    -Erich

  • cohort-codey, Level 1 (0 points), Nov 5, 2014 8:17 AM in response to Erich Wetzel

    Thanks to all who have stuck this out. I have tried and confirmed working with the above methods. To reiterate, the permissions are important: System (read write) and all others (no access), but confirmed working on a 10.10 client with Server 4.0.

    Will try to push out through ARD on another test workstation, as I did it manually on a client machine, but don't see why it wouldn't work.

    Thanks again.

  • Erich Wetzel, Level 2 (345 points), Servers Enterprise, Nov 5, 2014 9:36 AM in response to Erich Wetzel

    Another issue that I cannot figure out how to get around.

    We have users who are limited in the applications that they can run. Those users get a message that they do not have permission to use "kill_secd" when they log in. Profile Manager of course does not recognize the script and does not include it as an application to be allowed.

    Outside of allowing all users to use any app on the client machine, any ideas how to get kill_secd allowed?

    I'm trying to add /usr/local/scripts/ as a permitted folder and may have answered my own question.

  • Benjamin Losch, Level 1 (29 points), Mac OS X, Nov 5, 2014 9:48 AM in response to Erich Wetzel

    You could use the "permitted folder" section to supply the containing folder:

    (screenshot: Bildschirmfoto 2014-11-05 um 18.40.10.png)

    I did not test this setting though....

    Oops, you already said that :-)

  • Erich Wetzel, Level 2 (345 points), Servers Enterprise, Nov 5, 2014 9:48 AM in response to Benjamin Losch

    Ben,

    Just tested it. It will accept /usr/local/scripts/

    After pushing the profile the next login for the user does not complain about permissions. So that should do it.

  • Robert Hrovat, Level 1 (9 points), Nov 5, 2014 4:34 PM in response to Philip GW

    Yes, me too - with the correct permissions it works, finally!

    I think the reason for the wrong permissions is the chmod 777 command:

    Every created folder and file has by default the correct permissions: rw for owner (root), r for group and others (-rw-r--r--).

    You can list the permissions of the contents of a folder with the command: ls -la /path_to_folder

    The created script files are not executable because the x-flag is missing.

    chmod 777 sets the x-flag but it also gives write permissions to the group and to others, which is too much (-rwxrwxrwx).

    So instead of using chmod 777 you can use chmod +x to set the x-flag without changing the permissions (-rwxr-xr-x).

  • JD_Zig, Level 1 (0 points), Nov 6, 2014 5:21 PM in response to Robert Hrovat

    Do I use Terminal to add the execute permission and then use Finder and Get Info to change permission to no access? I have gone step by step and I think the problem I am having is permissions. Any other idea where I should check? Thanks in advance.

  • Benjamin Losch, Level 1 (29 points), Mac OS X, Nov 7, 2014 4:54 AM in response to JD_Zig

    I do a step-by-step guide:

    1.) generate killall script

    - open Terminal

    - check if /usr/local/ exists. Do

    cd /usr/local/

    If this returns "cd: /usr/local/: No such file or directory", create it with

    sudo mkdir /usr/local/

    It should ask for "Password:" now; enter your login password.

    - type

    sudo mkdir /usr/local/scripts

    - type

    sudo nano /usr/local/scripts/kill_secd.sh

    - in the now open text editor within the shell put

    killall -SIGHUP secd

    in and press ctrl-o and then enter, which saves the text to the script. Press ctrl-x to leave the editor.

    - type

    more /usr/local/scripts/kill_secd.sh

    to check if the nano operation was successful. It should print "killall -SIGHUP secd" as the answer.

    2.) generate LaunchAgent script

    - type

    sudo nano /Library/LaunchAgents/tld.domain.name.plist

    where "tld.domain.name.plist" is just a placeholder for something like "com.yourdomain.nameofthescript.plist".

    - in the now open editor paste

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
      <key>Label</key>
      <string>kill_secd</string>
      <key>ProgramArguments</key>
      <array>
        <string>/usr/local/scripts/kill_secd.sh</string>
      </array>
      <key>RunAtLoad</key>
      <true/>
      <!-- launchd honors UserName/GroupName only for system-domain daemons; a LaunchAgent runs as the logged-in user -->
      <key>UserName</key>
      <string>root</string>
      <key>GroupName</key>
      <string>wheel</string>
    </dict>
    </plist>

    into it and press ctrl-o and then enter, which saves the text to the script. Press ctrl-x to leave the editor.

    - type

    more /Library/LaunchAgents/tld.domain.name.plist (replace with your name of file!!!!)

    to check if the nano operation was successful. It should now print the content of the script as the answer.

    3.) make executable

    - type

    sudo chmod +x /usr/local/scripts/kill_secd.sh

    and

    sudo chmod +x /Library/LaunchAgents/tld.domain.name.plist (replace with your name of file!!!!)

    - type

    ls -la /usr/local/scripts/

    That should print (maybe among other things) the rights of the kill script:

    drwxr-xr-x  3 root  wheel  102  7 Nov 13:23 .
    drwxr-xr-x@ 6 root  wheel  204  7 Nov 13:17 ..
    -rwxr-xr-x  1 root  wheel   21  7 Nov 13:27 kill_secd.sh

    If you want to check the rights of the LaunchAgent script do

    ls -la /Library/LaunchAgents/tld.domain.name.plist (replace with your name of file!!!!)

    4.) that's it

    - close Terminal, log out of the current user, log in again. That should do it.
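
Added example, not part of the thread, that combines Benjamin's step-by-step guide above with Robert Hrovat's point about chmod 777: a POSIX sh script that installs the kill script and LaunchAgent with 0755/0644 modes and then audits that nothing it installed is group- or world-writable. The PREFIX argument, the com.example.kill_secd label and the added shebang are my assumptions; the UserName/GroupName keys are left out because launchd honors them only for system-domain daemons.

```shell
#!/bin/sh
# Added example (not from the thread): installs the kill_secd LaunchAgent from the guide
# above with 0755/0644 modes instead of chmod 777, then audits the result.
# PREFIX is an assumed parameter: "" installs for real (run with sudo on the Mac);
# a scratch directory lets you dry-run the file layout and the checks anywhere.
set -eu
install_kill_secd() {
  prefix="${1:-}"
  label="${2:-com.example.kill_secd}"   # placeholder label; use your own reverse-DNS name
  scripts_dir="$prefix/usr/local/scripts"
  agents_dir="$prefix/Library/LaunchAgents"
  mkdir -p "$scripts_dir" "$agents_dir"
  # Same one-liner as the guide, plus a shebang so launchd can exec the file directly.
  printf '#!/bin/sh\nkillall -SIGHUP secd\n' > "$scripts_dir/kill_secd.sh"
  # UserName/GroupName are left out: launchd honors them only for system-domain
  # daemons, and a LaunchAgent runs as the logged-in user, whose secd is the target.
  cat > "$agents_dir/$label.plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key>
  <string>$label</string>
  <key>ProgramArguments</key>
  <array>
    <string>/usr/local/scripts/kill_secd.sh</string>
  </array>
  <key>RunAtLoad</key>
  <true/>
</dict>
</plist>
EOF
  # -rwxr-xr-x as the thread settled on: only the owner (root) may write, unlike chmod 777.
  chmod 0755 "$scripts_dir" "$scripts_dir/kill_secd.sh"
  chmod 0644 "$agents_dir/$label.plist"
  # plutil exists on macOS only; it catches plist syntax errors before the next login.
  if command -v plutil >/dev/null 2>&1; then plutil -lint "$agents_dir/$label.plist"; fi
}

# Returns 0 only if the script is executable and nothing installed is group/world writable.
check_perms() {
  prefix="${1:-}"; label="${2:-com.example.kill_secd}"
  [ -x "$prefix/usr/local/scripts/kill_secd.sh" ] || return 1
  for f in "$prefix/usr/local/scripts" "$prefix/usr/local/scripts/kill_secd.sh" \
           "$prefix/Library/LaunchAgents/$label.plist"; do
    mode=$(ls -ld "$f" | cut -c1-10)   # e.g. -rwxr-xr-x: char 6 = group w, char 9 = other w
    case "$mode" in ?????w*|????????w*) return 1 ;; esac
  done
}
[ "${1:-}" = "--install" ] && { install_kill_secd ""; check_perms ""; }
```

Run it as `sudo sh install_kill_secd.sh --install` on the client, or source it and call install_kill_secd with a scratch directory to inspect what it would write.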

  • JD_Zig, Level 1 (0 points), Nov 7, 2014 10:41 AM in response to Benjamin Losch

    Thanks Benjamin! The step-by-step works great. It fixed my mail problem. However, there is a related problem I am having that I was hoping it would fix as well. We use iMessage and, without restarting the client in between logins, previous conversations do not sync. You are able to create new conversations but any old conversations will not sync. I was hoping this script would fix it as well. Any ideas on how to fix the iMessage problem? Thanks in advance.

  • bsandor, Level 1 (0 points), Nov 12, 2014 6:29 AM in response to Erich Wetzel

    I recently stumbled on this thread, and am hoping it will provide me some help. I have been having network account issues since moving to Mavericks (actually, we have been having ever-changing AFP issues since leaving Snow Leopard), but have been having trouble finding others with the same problem as me. We are also experiencing the Mail login issue, but that is a minor annoyance compared to the main problem. Mainly on the accounts that periodically switch computers (which is why we have network accounts with network home folders), the account periodically stops working altogether. The user can log in, but then the computer completely freezes after a few seconds. I have tried everything I can think of, but the only solution is to back up, then delete the user's home folder from the server, then create a new user home folder and manually copy their data (Documents, Desktop, a few preference files, etc.) back from the backup, then resync their email and calendars from the server after first login. Apple Support implies it is a known AFP bug, but offers no solution yet. I am considering moving to Yosemite in hopes that will fix it, but would like to hear if anyone has had luck with this first.

  • Benjamin Losch, Level 1 (29 points), Mac OS X, Nov 12, 2014 9:39 AM in response to bsandor

    I have been using ARUH since the first OS X Server version and I never had anything like this.

    As a quick fix, could you change the protocol used from AFP to SMB?
