Erich Wetzel

Q: Mavericks Server Keychain not properly storing information network users.

OS 10.9.1, Server 3.0.2. Clients OS 10.9.1 bound to server Open Directory and managed with Profile Manager. 10.6.8 Mail server bound to 10.9.1 server Open Directory. Messages is running on the 10.9.1 server which hosts the users.

changeip -checkhostname indicates DNS is correct for the server. Server is running on a FQDN, no .local or other DNS issues.

For everything below: the Keychain for any of the users does not need to be repaired.

Generally things are going well, with one exception which is a big problem.

Each time a network user logs in and tries to use either Mail to connect to our mail server via IMAP or Messages, they are prompted for passwords. Messages takes the password and logs in. Mail acts as though the password was incorrect and asks for it again; it does not pass the connection to the mail server. There is no trace of the attempted login in the mail server logs.

Functional workarounds:

1 - OS reinstall allows immediate login on the mail server and connections as expected. This is a little too much for day-to-day use.

2 - (From somewhere in the forums; I forgot who, sorry.) User logs in, go to the user's network home/Library/Keychains and move any keychains with long strings of letters and numbers as their name to another folder or put them in the trash, immediately reboot, user logs in again, enters passwords in Mail, immediate connection to the mail server and expected behavior from Mail.app.

As a network user machine in a multi-user environment, the next user will have to repeat the entire procedure above, including the reboot, to get access to the contents of the mail server. The first user in the example above will have to repeat it if they come back to the same machine and log in again.

This is what we are doing now. It appears that it would work on a personal machine with local users and has solved a lot of issues in the forum. It is helping but does not solve the keychain problem for network users.

Does anyone have any advice?

Thanks.

-Erich

OS X Server

Posted on Jan 10, 2014 6:42 PM
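Workaround 2 from the question, scripted so an admin can apply it consistently on a lab of shared machines instead of working through Finder; this is an added example written for this page, not a script from the thread or from Apple. It assumes the OS X 10.9-and-later layout in which the Local Items keychain lives in a UUID-named directory under ~/Library/Keychains, and it moves those directories into a dated backup folder inside the user's home rather than the trash, so the user's stored credentials can be restored if the keychain was not actually corrupted.

```shell
#!/bin/sh
# Move aside the UUID-named keychain directories (Local Items store) in a
# user's ~/Library/Keychains, leaving login.keychain and other files intact.
# Assumed layout (10.9+): ~/Library/Keychains/<UUID>/keychain-2.db etc.
# Run as the affected user before logging out; then reboot as in the thread.
set -u

# True when the name is shaped like a UUID: 8-4-4-4-12 hex characters.
is_uuid_name() {
    printf '%s\n' "$1" |
        grep -Eq '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'
}

# quarantine_local_items <home-dir>
# Moves every UUID-named directory under <home-dir>/Library/Keychains into
# <home-dir>/Library/Keychains-quarantine-<timestamp>. Prints the number of
# directories handled on the last line; returns 1 if the Keychains dir is
# missing or a move fails. With DRY_RUN=1 it only lists what would move.
quarantine_local_items() {
    home="$1"
    kc_dir="$home/Library/Keychains"
    [ -d "$kc_dir" ] || { echo "no $kc_dir" >&2; return 1; }
    backup="$home/Library/Keychains-quarantine-$(date +%Y%m%d%H%M%S)"
    moved=0
    for entry in "$kc_dir"/*; do
        [ -d "$entry" ] || continue       # login.keychain-db etc. are files
        name=$(basename "$entry")
        is_uuid_name "$name" || continue  # leave anything not UUID-shaped
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would move $entry"
        else
            mkdir -p "$backup"            # backup holds credentials: same owner,
            mv "$entry" "$backup/" || return 1   # inside the user's own home
        fi
        moved=$((moved + 1))
    done
    echo "$moved"
}

# Example invocation (uncomment to use):
# DRY_RUN=1 quarantine_local_items "$HOME"   # preview
# quarantine_local_items "$HOME"             # apply, then reboot
```

Delete the Keychains-quarantine folder once the user confirms Mail works again, since it still contains their old keychain databases.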

Page 12 of 19
  • Erich Wetzel, Level 2 (345 points), Servers Enterprise, Oct 15, 2015 11:29 AM in response to Erich Wetzel

    Server 5.0.4

    Clients 10.11 El Capitan

    I wish I had better news.

    We just moved our clients to 10.11 and stopped rebooting between logins to test if this issue has been resolved. In a small amount of testing we have found that the keychain corruption is still taking place without the kill secd workaround in this discussion. I have not tried to implement the kill secd workaround on the 10.11 clients yet.

    We will keep testing and I will post back with any useful updates.

    -Erich Wetzel

  • Robert Hrovat, Level 1 (9 points), Oct 15, 2015 1:09 PM in response to Erich Wetzel

    Sad news

    It really seems to be rocket science for Apple to kill all processes after a network user's logout.

    We've been working in our school with network accounts since 10.4 but it looks like we have to give it up sooner or later.

    Going on like this is not an option forever.

    Apple shouldn't wonder when schools are going to switch to another operating system.

  • Erich Wetzel, Level 2 (345 points), Servers Enterprise, Oct 15, 2015 2:01 PM in response to Robert Hrovat

    I did not count, but I think that there are still probably 15, if not more, open processes left from the logged-out user after the new user has logged in.

    -Erich Wetzel

  • Gerard Dirks, Level 1 (38 points), Desktops, Oct 15, 2015 4:02 PM in response to Robert Hrovat

    Hello

    I am not surprised that this issue is still not solved.

    As I sorted out this problem at the beginning of this year I was in contact with Apple in Cork. I had some AppleCare cases open for some weeks until Apple broke off contact. There was no response to our e-mails or phone calls. The people from the second level of Enterprise Support are not available anymore and the case is still open!!!

    From March to May this year we visited Apple Switzerland. In the beginning we thought they were interested in solving the problems. We had various discussions with some product managers, system engineers and the account engineer for major accounts at the local Apple headquarters here in Switzerland. They started some investigations, internally and with their business and education partners. After 6 weeks this also ended in a cul-de-sac! They ignored that there were problems with this issue, and from that point there was no input from them anymore and the contact was broken!

    The problem is still not solved, as Erich confirms. Since June I haven't installed any Open Directory users for my clients anymore. In future I will not spend a minute on this issue. Apple is dead for me as a supplier of business equipment. I will only install Macs in an environment without OD or AD and only make simple AFP or SMB mounts.

    In my test environment I have had the betas of 10.11 and the server since March, and I saw a lot of improvements, but not on this issue!

    It seems that Apple products can't have any bugs (by absolute rule), not because they don't exist but because the company believes they are from another world and can't make any mistakes. I think this is a strategy from the top of the company. People who are not willing to believe this are censored by Apple. In the middle of this year Apple deleted a thread of mine in this Support Community for another bug. I believe Apple at this moment has the same structures in its management as "Kim Jong-un" uses to lead his country ;-)

    Gérard

  • John Agapitos, Level 1 (29 points), Oct 15, 2015 7:09 PM in response to Erich Wetzel

    I've discovered that if you copy all the keychain data in the local items across to the login items then you don't need to reboot the machine between logins.

    I noticed before doing that, the local keychain items for the user disappeared when you log in again without a reboot. My method above seems to fix this.

    I've got Server 5 running on 10.11 and clients on 10.11.

  • Gerard Dirks, Level 1 (38 points), Desktops, Oct 15, 2015 7:55 PM in response to John Agapitos

    Hello John

    Can you tell me more about your method of fixing this? How do you plan to copy all these passwords to the local items keychain? How will a teacher in a classroom use this method when he has 40 iMacs to manage? He will need a second job as IT administrator of the school. Is this not extremely time consuming?

    Gérard

  • Erich Wetzel, Level 2 (345 points), Servers Enterprise, Oct 16, 2015 10:19 AM in response to John Agapitos

    John,

    I am with Gerard on this and would love a bit more information. Our network and number of users are relatively low and I would be willing to give this a shot if it is not horribly time consuming.

    Our issue is rotation of staff from one machine to another. I'm guessing we would have to take each user's keychain data and move it over.

    Any additional information would be useful.

    Thanks.

    -Erich

  • John Agapitos, Level 1 (29 points), Oct 16, 2015 9:57 PM in response to Erich Wetzel

    I manage a network of about 40 iMacs with about 50 users accessing various machines across a week.

    I logged in as each user, then opened Keychain Access. I then selected Local Items to display the list of items. I then selected all in that list and copied (Command-C).

    Then I selected login items and pasted the keychains into the list. Yes, it's very boring to have to type the user's password as many times as there are keychains. Also some will not copy/paste across, like Google sync type and some iCloud, so all I did there was open the keychain from Local Items and create a new one in login items, then paste the information across to the window.

    Another thing to mention is that if the user logs in a second time without a restart then Mail will throw up a message re accessing a keychain and ask for permission. I selected ALWAYS ALLOW. This I think only happens once.

    I know this is not perfect or ideal but it helps with users constantly switching computers.

    I am now dealing with another problem: when I do a NetRestore then log in, I lose the Profile Manager settings for the user. I have to download it again. Any ideas?

    I miss 10.6.5 when it was all working properly.

    Hope this helps

  • Gerard Dirks, Level 1 (38 points), Desktops, Oct 16, 2015 11:58 PM in response to John Agapitos

    Hello John

    How much time did you spend copying all the keychains of the 50 users over the fifty iMacs? I suppose this takes more than a week! Maybe you can send Apple a bill because they haven't fixed this serious bug in OS X.

    I think if you live in the USA you can go to court and get compensation for the loss you have from using such a bad system!

    Regards

    Gérard

  • Gerard Dirks, Level 1 (38 points), Desktops, Oct 17, 2015 12:07 AM in response to Erich Wetzel

    Hello Erich

    You first wrote this thread!

    Can you change the title of this thread from "Mavericks Server Keychain not properly storing information network users" to "All OS X Server Keychains not properly storing information network users (10.9 and later)"?

    Because the problem is still not solved, we would prevent other users from opening a new thread for the same issue for Yosemite or El Capitan based server systems!

    Regards

    Gérard

  • John Agapitos, Level 1 (29 points), Oct 17, 2015 5:21 AM in response to Gerard Dirks

    I've only discovered this workaround about 3 days ago and I am only applying it to the users who definitely hot desk.

  • Erich Wetzel, Level 2 (345 points), Servers Enterprise, Oct 17, 2015 7:29 AM in response to Gerard Dirks

    Gerard,

    I think that renaming this thread is a great idea. However, I do not know how to do it and can't find anything obvious that will do it.

  • Erich Wetzel, Level 2 (345 points), Servers Enterprise, Oct 17, 2015 7:31 AM in response to John Agapitos

    John

    Thanks for the update on your procedure. I'll give it a shot and get back with results.

  • Erich Wetzel, Level 2 (345 points), Servers Enterprise, Oct 19, 2015 7:48 AM in response to John Agapitos

    John

    In looking at making the changes for testing, I find that in Keychain Access.app the items that are getting corrupted are already in the Local Items keychain.

    Any idea?

  • John Agapitos, Level 1 (29 points), Oct 20, 2015 3:42 AM in response to Erich Wetzel

    I have found that if you log out then in again, the local items disappear.
