Erich Wetzel

Q: Mavericks Server Keychain not properly storing information network users.

OS 10.9.1, Server 3.0.2. Clients OS 10.9.1 bound to server Open Directory and managed with Profile Manager. 10.6.8 Mail server bound to 10.9.1 server Open Directory. Messages is running on the 10.9.1 server which hosts the users.

 

Changeip -checkhostname indicates DNS is correct for the server. Server is running on a FQDN, no .local or other DNS issues.

 

For everything below: the Keychain for any of the users does not need to be repaired.

 

Generally things are going well with one exception which is a big problem.

 

Each time a network user logs in and tries to use either Mail to connect to our mail server via IMAP or Messages, they are prompted for passwords. Messages takes the password and logs in. Mail acts as though the password was incorrect and asks for it again; it does not pass the connection to the mail server. There is no trace of the attempted login in the mail server logs.

 

Functional workarounds:

 

1 - OS reinstall allows immediate login on the mail server and connections as expected. This is a little too much for day to day use.

 

2 - (From somewhere in the forums forgot who, sorry), User login, go to User's network home/Library/Keychains and move any keychains with long strings of letters and numbers as name to another folder or put in trash, immediately reboot, User login again, enter passwords in Mail, immediate connection to mail server and expected behavior from Mail.app.

 

As a network user machine in a multi user environment, the next user will have to repeat the entire procedure above, including the reboot, to get access to the contents of the mail server. The first user in the example above will have to repeat it, if they come back to the same machine and log in again.

 

This is what we are doing now. It appears that it would work on a personal machine with local users and has solved a lot of issues in the forum. It is helping but does not solve the keychain problem for network users.

 

Does anyone have any advice?

 

Thanks.

 

-Erich

OS X Server

Posted on Jan 10, 2014 6:42 PM

  • by Gerard Dirks,

    Gerard Dirks, May 24, 2015 2:42 AM, in response to John Agapitos

    Hallo John

     

    The best way is to complain at the Apple Support. As more people complain, they will need to fix it!

    If they don't fix all the bugs they will lose a lot of professional users and only selling iPhones, iPads & iWatches in future

     

    Also make a feedback!

    https://www.apple.com/feedback/

  • by morpheusrising,

    morpheusrising, Jul 4, 2015 3:28 PM, in response to Gerard Dirks

    I can say at this point that the issue STILL exists in the new Beta of 10.11b2. Using client and server.

     

    Have not yet attempted other combinations, but the basics are all there in the new system. Same keychain issues, same logout/login/mail/icloud issues, etc.

     

    I'm betting that at this point Apple has decided to devote all of their resources to things other than server since this has now been over 2 years to basically not responding to the issue. So sad.

  • by macmartin,

    macmartin, Jul 5, 2015 12:29 AM, in response to Erich Wetzel

    I would be interested if there is anyone not having this problem with network accounts.

     

    Also I would like to know, if the problem persists with OS X 10.10.4.

    The posting of morpheusrising seems to indicate this but who knows?

     

    Greetings

    macmartin

  • by ing.prokop,

    ing.prokop, Jul 19, 2015 7:57 AM, in response to macmartin

    hi there folks,

     

    I'm following this thread for a longer time now as I'm too having problems with the keychain storing. I'm running on yosemite clients with a yosemite server (4). there is one thing I came across today: there is one network user that was able to install his iCloud account without passwords prompt every time he logs in. I checked his setting and the only difference was that the account email address field wasn't filled.

    I created a new test user without the email address and somehow the iCloud account works and the prompts disappeared. will test it today with other accounts and we'll see. it can be a simple coincidence (as it's really dumb and I can't imagine how it can have anything to do with the problem) but I decided to share it with you.

     

    best,

     

    David

  • by ing.prokop,

    ing.prokop, Jul 19, 2015 8:32 AM, in response to ing.prokop

    one more thing about the user:

     

    he's only part of the default workgroup user group. If I put him in a different group the whole thing starts again. will recreate it all again and we'll see.

  • by ing.prokop,

    ing.prokop, Jul 19, 2015 9:44 AM, in response to ing.prokop

    all iCloud accounts work, even if you put 10 of them in internet accounts. they appear inactive, but they work. the other internet accounts, connections to servers etc. forget their passwords...

  • by Piers Goodhew,

    Piers Goodhew, Jul 22, 2015 5:00 AM, in response to macmartin

    Seeing something very similar to macmartin's log messages at a client where most users are using outlook (with no passwords-going-missing issues), but one is using Mail.app and it's turned into agony. Other symptoms seem pretty similar to those described here (though with 11 pages of posts over 2 years, we may be seeing more than one issue).

     

    The general console log shows "failure to read/update password" and the syslog also has com.apple.utilities.sqlite3 "disk I/O errors". Happens pretty reliably if you change machines, haven't done enough testing to see if it happens if you stay on a machine (I thought not), but I daresay that will happen by itself soon.

     

    10.10.3 server and client (issue existed in assorted 10.10.x's over the last few days), I tried AFP and SMB for the home (which of course fixed it for a few logouts and got me excited). English locale (Australia)

     

    My questions are:

    • can anyone chime in if this is working for them anywhere? (i.e. no bug). While this is affecting a lot of people, it's still possible it's some very small percentage of 10.9+ roaming home folder users - I was working in the UK until a year ago in much bigger circumstances and we *must* have had Mavericks customers, but the OSes come out so frequently and the clients update so infrequently I can't be sure. Possibly no client used both 10.9+ and Mail, there was a fair bit of entourage around.
    • I'd be more than happy to try portable home folders if they didn't make things worse (or just-as-bad-only-different) - last time I used them was 10.6 where they had finally settled down fairly well (or I knew their failure patterns well enough to maintain things well) - but 10.5 wasn't fun. Has anyone used them lately with success?

     

    This thread took a while to find, but I'll try some of the things mentioned here and report back, but I may financially ruin my client before I make any progress :-/

  • by Benjamin Losch,

    Benjamin Losch, Jul 22, 2015 7:18 AM, in response to Piers Goodhew

    The only working solution right now is the kill script provided by raoulinfr

    which could be found on the bottom of page 8 in this thread.

    Hopefully the bug will be gone in OS X El Capitan.

    I have the public beta, I will be testing.

    But I fear that the bug is still present...

  • by Erich Wetzel,

    Erich Wetzel, Jul 23, 2015 11:49 AM, in response to Benjamin Losch

    Thanks to everyone for continuing to work on this issue as I have since starting the discussion back in January of 2014. It is absolutely ridiculous that this issue has not been resolved by the developer considering the scope of the impact. I know that many of us have called and prodded and poked to keep it alive on their end with no notable response or concern on their part.

     

    I finally got around to implementing the kill script from raulinfr from back on page 8 and have found that it seems to be workable. I tried to push it to work with Profile Manager without success and fell back to the defaults change for LogoutHook using:


    sudo defaults write com.apple.loginwindow LogoutHook /usr/local/scripts/kill_secd.sh

     

    provided by Macmartin back on page 9.

     

    Sadly I have found an issue that the workaround does not eliminate. We use a networked HP printer/scanner for scanning in our office. Logout followed by login with the kill script running allows for keychains not to break. Unfortunately, the logout / login does break the connection between the scanning software and the scanner. As in the past with the keychain part of the problem, it appears that the only workaround for this particular aspect of the bigger issue is rebooting. As with this entire discussion, it probably has more to do with the dozen or so processes left open by the logout.

     

    I wonder if anyone other than us is actually working on this.

     

    -Erich

  • by John Lockwood,

    John Lockwood, Jul 24, 2015 1:30 AM, in response to Erich Wetzel

    I dislike the HP Scanning software - a lot.

     

    They take too long to update it - if at all and it is fat and bloated with bits spread all over your hard disk.

     

    I suggest if at all possible you use Apple's built-in scanning software which sadly does not work with all HP network printers/scanners. Another approach to consider is to configure your multi-function HP to 'scan to network folder' i.e. via SMB.

     

    Unfortunately again some older HPs may not be compatible with Apple's newer SMBx software that was introduced with Lion aka. 10.7. In some cases you can update the firmware of the HP device to help out in this area.

  • by Erich Wetzel,

    Erich Wetzel, Jul 24, 2015 8:37 AM, in response to John Lockwood

    John

     

    I agree with your sentiments about the HP software but Image Capture is horribly slow by comparison. This particular HP device is sufficiently old that HP stopped updating a while ago. It is used in a staff office that is a long enough walk away from our best HP machine to make it inconvenient to use. Our newest one scans to a network share which is great. We scan a lot of documents, including some slightly longer than legal that our flatbed can't handle, through the feeder of this particular machine so it is convenient in that regard.

     

    The fabulous part about the software on this home office level device is that Macs can fax from it. Conversely our reseller told us our newest, business grade machine allowed the same. When it arrived of course it was discovered that what they meant to say was that it can only fax from PCs. So we fax from the older machine that permits it.

     

    Serves its purpose and isn't broken, yet!

     

    With your familiarity do you know any workaround to get a Mac to fax from a typical HP business grade machine?

  • by Gerard Dirks,

    Gerard Dirks, Jul 24, 2015 8:47 AM, in response to Erich Wetzel

    Pls. keep to the point and not make a sidekick to other problems (For SMB Problems there are couple of workarounds like "SMBUp 1.4.1")

     

    Point is that the problems are still not solved by Apple and as far I think (after different talks with Apple), these problems will not be solved in future releases. Shared Computer (as we used with the OD) isn't a key feature for Apple anymore.

     

    I suggest the 10.11 and 10.12 will more and more be castrated. We as business users are no longer key clients for Apple (anymore)

     

    Regards

    Gérard

  • by Piers Goodhew,

    Piers Goodhew, Jul 24, 2015 3:50 PM, in response to Gerard Dirks

    The whole "what is/isn't a business use and how much does Apple care about it" issue is a little beyond my scope at the moment, but I think Network Homes is clearly well down the priority list (and, therefore, it's time to think: "how bad do I need them?").

     

    If a user has IMAP mail(/calendars/contacts), some managed settings, auto mounts the network shares they're "supposed" to use and knows whatever they save locally will not follow them around ... that doesn't sound too bad. Sounds better than the status quo.

     

    Speculating wildly, I think Apple want it to work something like this: you sign into a work Mac using an Apple ID; the local OD says whether that person can sign in and (maybe) gives them some settings; all their "internet accounts" connect, giving them mail, cloud storage. Home folder is a local one like any other Mac.

     

    I think there's some work on logouthooks (to kill secd, maybe reboot, and also testing for "db-corrupt" files, which looks like it might be a reliable indicator) which might get us a stable workaround (i.e. I'm not advocating everyone gives up), but I for one am putting as much thought into phasing network homes out, and I don't think it will be too bad.
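
The logout-hook idea discussed in the posts above (kill secd at logout and test for "db-corrupt" files), as an added example that is not part of any post in this thread and is not raoulinfr's kill script. It assumes the keychain folders with "long strings of letters and numbers" are UUID-named, that damaged stores carry "db-corrupt" in their file name, and that the home path can be read with dscl; the function names and the log tag are hypothetical.

```bash
#!/bin/bash
# Added example (not from the thread): logout-hook check for damaged keychain stores.
# Assumptions: UUID-style folder names, a "db-corrupt" file-name marker, hypothetical
# function names. The thread's own kill script is not reproduced here.

# List the UUID-named folders ("long strings of letters and numbers") in a Keychains dir.
uuid_keychain_dirs() {
    local kc_dir="$1" d
    for d in "$kc_dir"/*/; do
        [ -d "$d" ] || continue
        case "$(basename "$d")" in
            ????????-????-????-????-????????????) printf '%s\n' "${d%/}" ;;
        esac
    done
}

# List files inside those folders whose names contain "db-corrupt".
corrupt_keychain_files() {
    local kc_dir="$1" d f
    uuid_keychain_dirs "$kc_dir" | while IFS= read -r d; do
        for f in "$d"/*db-corrupt*; do
            if [ -e "$f" ]; then printf '%s\n' "$f"; fi
        done
    done
}

# Summarise: prints "clean" or "corrupt:<number of marker files>".
keychain_status() {
    local n
    n=$(corrupt_keychain_files "$1" | wc -l | tr -d ' ')
    if [ "$n" -gt 0 ]; then echo "corrupt:$n"; else echo "clean"; fi
}

# As a LogoutHook, loginwindow runs the script as root with the user's short name in $1.
if [ -n "${1:-}" ]; then
    home=$(dscl /Search -read "/Users/$1" NFSHomeDirectory | awk '{print $2}')
    status=$(keychain_status "$home/Library/Keychains")
    # Log before killing secd so affected logins can be counted afterwards.
    logger -t keychain-logout-hook "user=$1 keychains=$status"
    killall -u "$1" secd 2>/dev/null || true
fi
```

Logging the status on every logout gives a per-user record of how often the marker appears, which is what is needed to judge whether it is the reliable indicator the post suggests.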

  • by duminda,

    duminda, Sep 17, 2015 4:46 PM, in response to Benjamin Losch

    This set of instructions should have shipped with the OS. Thanks mate.

  • by Chris Lamothe,

    Chris Lamothe, Oct 5, 2015 9:33 AM, in response to Erich Wetzel

    Has anyone noticed any improvements with the advent of El Capitan or with the release of OS X Server 5?  The original bug 15792007 still seems to be open, so I'm not getting my hopes up.
