Erich Wetzel

Q: Mavericks Server Keychain not properly storing information for network users.

OS 10.9.1, Server 3.0.2. Clients on OS 10.9.1 bound to server Open Directory and managed with Profile Manager. 10.6.8 Mail server bound to 10.9.1 server Open Directory. Messages is running on the 10.9.1 server which hosts the users.

changeip -checkhostname indicates DNS is correct for the server. Server is running on a FQDN, no .local or other DNS issues.

For everything below: the Keychain for any of the users does not need to be repaired.

Generally things are going well with one exception, which is a big problem.

Each time a network user logs in and tries to use either Mail to connect to our mail server via IMAP or Messages, they are prompted for passwords. Messages takes the password and logs in. Mail acts as though the password was incorrect and asks for it again; it does not pass the connection to the mail server. There is no trace of the attempted login in the mail server logs.

Functional workarounds:

1 - OS reinstall allows immediate login on the mail server and connections as expected. This is a little too much for day to day use.

2 - (From somewhere in the forums, forgot who, sorry) User login, go to User's network home/Library/Keychains and move any keychains with long strings of letters and numbers as name to another folder or put in trash, immediately reboot, user login again, enter passwords in Mail, immediate connection to mail server and expected behavior from Mail.app.

As a network user machine in a multi user environment, the next user will have to repeat the entire procedure above, including the reboot, to get access to the contents of the mail server. The first user in the example above will have to repeat it if they come back to the same machine and log in again.

This is what we are doing now. It appears that it would work on a personal machine with local users and has solved a lot of issues in the forum. It is helping but does not solve the keychain problem for network users.

Does anyone have any advice?

Thanks.

-Erich

OS X Server

Posted on Jan 10, 2014 6:42 PM


first Previous Page 14 of 19 last Next
  • Erich Wetzel (Level 2, 345 points, Servers Enterprise), Dec 4, 2015 11:38 AM, in response to Christoph Ewering1

    Christoph,

    I am much weaker at scripting than you are and I have tried to implement your scripts on a 10.11.1 machine. I fail almost immediately as I try to write /usr/local/bin/scripts/logout_helper.sh.

    I do not appear to have /usr/local/bin/ as a folder. So I drop /bin and put it in /usr/local/scripts/logout_helper.sh as I did with the kill_secd.sh script from much earlier in the discussion. I updated all of the other file paths to have logout_helper.sh and kill_left_running.sh there.

    When I run the script manually with sudo /usr/local/scripts/logout_helper.sh I get a "command not found" error. When I do the same with the old kill_secd.sh in the same location it runs.

    Suggestions?

  • Christoph Ewering1 (Level 1, 18 points, Mac OS X), Dec 5, 2015 6:36 AM, in response to Erich Wetzel

    Hello Erich!

    If you do not know how to create the right directories, maybe then this workaround is not for you - it could be dangerous to use it if you do not understand what it does.

    But well - I'll explain it:

    I created the path with "sudo mkdir -p /usr/local/bin/scripts", and when you get "command not found" it looks like you did not copy the whole script for logout_helper.sh.

    Check if it starts with "#!/bin/bash" and if you set the unix access rights with "sudo chmod 755 /usr/local/bin/scripts/logout_helper.sh" so the script is executable.

    What happens when you run the script "/usr/local/bin/scripts/kill_left_running.sh"?

    Bye,

    Christoph

    P.S. I just read your comment once again; it is okay to change the path as you like - it should not interfere with the scripts as long as you change all references.
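
The checks Christoph lists (the directory created with mkdir -p, a #!/bin/bash first line, chmod 755) can be scripted. The following is an added example, not one of the scripts posted in this thread. It goes a little beyond the post by also checking that the hook file is owned by root and is not writable by other users (a script that loginwindow runs as root but that any user can edit lets that user run commands as root), and it wraps the defaults write used in this thread together with the defaults delete that undoes it. The function names, the command-line arguments and the HOOK_PATH variable are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not one of the scripts posted in this thread): sanity checks
# for a LogoutHook script, plus wrappers for the defaults commands used here.
# The path is the one the thread uses; the function names are this example's.

HOOK_PATH=${HOOK_PATH:-/usr/local/bin/scripts/logout_helper.sh}

# verify_hook_script FILE [OWNER]
# Checks the things behind the errors reported in the thread: the file exists,
# its first line is a shebang such as #!/bin/bash, it is executable, it is
# owned by OWNER (root by default, because loginwindow runs the hook as root)
# and it is not writable by others (a root-executed script that other users
# can edit lets them run commands as root). Prints every failed check and
# returns 1 if any check failed, 0 otherwise.
verify_hook_script() {
  f=$1
  owner=${2:-root}
  rc=0
  if [ ! -f "$f" ]; then
    echo "FAIL: $f does not exist (create the directory with mkdir -p first)"
    return 1
  fi
  case "$(head -n 1 "$f")" in
    '#!'*) ;;
    *) echo "FAIL: $f does not start with a #! line (e.g. #!/bin/bash)"; rc=1 ;;
  esac
  if [ ! -x "$f" ]; then
    echo "FAIL: $f is not executable (chmod 755 $f)"; rc=1
  fi
  if [ -z "$(find "$f" -user "$owner" 2>/dev/null)" ]; then
    echo "FAIL: $f is not owned by $owner (chown $owner $f)"; rc=1
  fi
  if [ -n "$(find "$f" -perm -002 2>/dev/null)" ]; then
    echo "FAIL: $f is writable by other users (chmod o-w $f)"; rc=1
  fi
  return $rc
}

# The LogoutHook key lives in root's com.apple.loginwindow preferences, so
# the three functions below must be run with sudo; they only do anything on
# macOS, where the defaults tool exists.
show_hook() {
  defaults read com.apple.loginwindow LogoutHook 2>/dev/null || echo "no LogoutHook set"
}

# Register the hook only if the file passes every check above.
register_hook() {
  verify_hook_script "$HOOK_PATH" || return 1
  defaults write com.apple.loginwindow LogoutHook "$HOOK_PATH"
}

# Undoes the defaults write from the thread: deleting the key restores the
# default state (no logout hook at all).
unregister_hook() {
  defaults delete com.apple.loginwindow LogoutHook
}

# Command dispatch; with no argument the script only defines the functions.
case "${1:-}" in
  verify)     verify_hook_script "${2:-$HOOK_PATH}" ;;
  show)       show_hook ;;
  register)   register_hook ;;
  unregister) unregister_hook ;;
esac
```

Run it as sudo sh hook_check.sh verify to check the file, sudo sh hook_check.sh register to set the hook only when the checks pass, and sudo sh hook_check.sh unregister to return to the default of no hook. Only verify_hook_script works outside macOS; the other commands need the defaults tool.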

  • Robert Hrovat (Level 1, 9 points), Dec 5, 2015 1:41 PM, in response to Erich Wetzel

    Hi Erich

    Perhaps it helps how I solved it:

    I logged into my MasterMac (10.11.1) as root and went to /usr/local.

    There I created the folder /bin and then the folder /scripts.

    I used TextWrangler as a text editor, copied and pasted Christoph's shell scripts into two documents and saved them with their correct names into /usr/local/bin/scripts.

    At the end I ran the command sudo defaults write com.apple.loginwindow LogoutHook /usr/local/bin/scripts/logout_helper.sh in Terminal - and that was it.

  • PVCSBlakey (Level 1, 10 points), Dec 7, 2015 6:47 AM, in response to Robert Hrovat

    Just to add to the discussion - we've also got this issue in the UK.

    I work in a school with 4 classrooms, each with 22 iMacs, and we often have keychain issues - whilst investigating it today I discovered the SECD process running for logged out users and then came across this thread.

    Without reading through all 14 pages, what are the benefits of using the LogoutHook method, to kill those processes left behind after a user logs out, over killing just the SECD process via a login script (apart from just generally ensuring redundant processes don't continue to run)?

  • Christoph Ewering1 (Level 1, 18 points, Mac OS X), Dec 7, 2015 6:56 AM, in response to PVCSBlakey

    Hello PVCSBlakey!

    Killing all left-running processes is just the typical German carefulness.

    Bye,

    Christoph

  • PVCSBlakey (Level 1, 10 points), Dec 7, 2015 8:39 AM, in response to Christoph Ewering1

    Just testing this, I've run chmod 755 on both shell scripts to allow them to be executed by all users, however the kill_left_running.sh script cannot read the users_to_ignore.txt file as read access to the contents of /var/root requires root access...

    I might just amend the kill_left_running.sh script to point somewhere else and move the users_to_ignore.txt file there, unless there is a particular reason to store this in /var/root?

  • Christoph Ewering1 (Level 1, 18 points, Mac OS X), Dec 7, 2015 8:43 AM, in response to PVCSBlakey

    Hello PVCSBlakey!

    Both scripts are not meant to run as any user other than root!

    The LogoutHook runs every script as root - and it has to be run as root, because another user cannot kill processes of a different user! And the user that just logged out obviously cannot run the script.

    If you want to run kill_left_running.sh manually you have to run it with sudo.

    Bye,

    Christoph

  • PVCSBlakey (Level 1, 10 points), Dec 7, 2015 8:50 AM, in response to Christoph Ewering1

    Hi Christoph,

    Thanks again, yes, the problem was I was trying to test the script through Terminal but hadn't elevated to root.

    Just tried it with sudo and it's killed all the correct processes \o/

    Thanks

    Sam

  • Erich Wetzel (Level 2, 345 points, Servers Enterprise), Dec 7, 2015 1:59 PM, in response to Christoph Ewering1

    Thank you to everyone for the help.

    Christoph and Robert: I was missing the access rights. So now when I run the script manually it does give the expected results.

    Now I do not get the script to run on each logout, which allows the user processes to pile up until I run the script again manually.

    I set sudo defaults write com.apple.loginwindow LogoutHook /usr/local/bin/scripts/logout_helper.sh but that did not help. My clients are managed and do have some custom settings pushed to them from Profile Manager, including the kill-secd script from earlier in this discussion. I redirected the logout hook in Profile Manager to /usr/local/bin/scripts/logout_helper.sh and pushed the new settings to the test client, and that did not solve it either.

  • Christoph Ewering1 (Level 1, 18 points, Mac OS X), Dec 7, 2015 2:44 PM, in response to Erich Wetzel

    Hello Erich!

    If you use my "original" logout_helper.sh there's a line that logs to "/Users/Shared/logout_helper.log". I don't know what happens if this file does not exist.

    Just create it with "sudo touch /Users/Shared/logout_helper.log" - and check if a logout of a user leads to a new message in this file. This shows that the LogoutHook is executed. The "kill_left_running.sh" logs to /var/log/system.log - so you should see some messages there.

    Bye,

    Christoph
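
Two points Christoph makes above, that the cleanup can only work when it runs as root (which is how loginwindow runs a LogoutHook) and that a log line per run is the quickest way to tell whether the hook fired at all, are illustrated by the following added example. It is not Christoph's logout_helper.sh or kill_left_running.sh. It uses the log and ignore-list paths named in the thread, but the function names, the "report" dry-run argument and the way it treats the user who is logging out are assumptions of this example. It keeps the decision logic (which users still own processes but have no session) separate from the live ps and who calls, so that part can be checked with constructed input.

```shell
#!/bin/sh
# Added example (not Christoph's logout_helper.sh / kill_left_running.sh):
# a logout hook that logs every run and cleans up processes left behind by
# users who are no longer logged in. The log and ignore-list paths are the
# ones named in the thread; the function names, the "report" argument and
# the handling of the logout user are this example's own choices.

LOG_FILE=${LOG_FILE:-/Users/Shared/logout_helper.log}
IGNORE_FILE=${IGNORE_FILE:-/var/root/users_to_ignore.txt}
REPORT_ONLY=${REPORT_ONLY:-0}

# log MSG...: append a timestamped line. The file is created if it is missing,
# so its absence never decides whether the hook "works"; write errors are
# ignored so that logging can never abort the cleanup.
log() {
  touch "$LOG_FILE" 2>/dev/null
  printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOG_FILE" 2>/dev/null
}

# leftover_users PROCESS_USERS LOGGED_IN IGNORE
# All three are newline-separated lists. Prints each user who owns processes,
# has no login session and is not on the ignore list. Pure text processing,
# so it can be checked with constructed input instead of live ps output.
leftover_users() {
  printf '%s\n' "$1" | sort -u | while IFS= read -r u; do
    [ -n "$u" ] || continue
    printf '%s\n' "$2" | grep -qxF -- "$u" && continue
    printf '%s\n' "$3" | grep -qxF -- "$u" && continue
    printf '%s\n' "$u"
  done
}

# current_leftovers [LOGOUT_USER]: the same computation on live data. Process
# owners come from ps, sessions from who. LOGOUT_USER (what loginwindow
# passes to the hook) is dropped from the session list because that session
# can still be listed while the hook runs. root, the _service accounts and
# every name in IGNORE_FILE are never touched.
current_leftovers() {
  procs=$(ps -eo user= | grep -v '^_' | sort -u)
  sessions=$(who | awk '{print $1}' | sort -u)
  if [ -n "${1:-}" ]; then
    sessions=$(printf '%s\n' "$sessions" | grep -vxF -- "$1")
  fi
  ignore=""
  if [ -r "$IGNORE_FILE" ]; then ignore=$(cat "$IGNORE_FILE"); fi
  leftover_users "$procs" "$sessions" "$(printf 'root\n%s' "$ignore")"
}

# cleanup [LOGOUT_USER]: kill the leftovers when running as root (how
# loginwindow runs the hook, or via sudo); only report them otherwise, since
# a non-root user cannot signal another user's processes anyway.
cleanup() {
  users=$(current_leftovers "${1:-}")
  if [ -z "$users" ]; then
    log "no leftover processes"
    return 0
  fi
  for u in $users; do
    if [ "$(id -u)" -eq 0 ] && [ "$REPORT_ONLY" != "1" ]; then
      log "killing leftover processes of $u"
      pkill -TERM -u "$u"
      sleep 2
      pkill -KILL -u "$u" 2>/dev/null   # whatever ignored TERM
    else
      log "leftover processes of $u (not killed: not root or report mode)"
    fi
  done
}

# Entry point. loginwindow calls a LogoutHook with the short name of the user
# logging out as $1; "report" is this example's manual dry-run. With no
# argument the script only defines the functions above.
case "${1:-}" in
  "")     ;;
  report) REPORT_ONLY=1; cleanup "" ;;
  *)      log "logout of $1 (hook running as uid $(id -u))"; cleanup "$1" ;;
esac
```

Registered as the LogoutHook, the script is run by loginwindow as root with the short name of the user logging out as its first argument, and every run leaves a line in the log whether or not anything was killed. Run sh logout_helper_example.sh report to see what it would do without being root, and sudo sh logout_helper_example.sh someuser to clean up for real.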

  • Erich Wetzel (Level 2, 345 points, Servers Enterprise), Dec 7, 2015 7:52 PM, in response to Christoph Ewering1

    Christoph,

    I like the idea but the log works fine. On each manual run I get the date and time of the logout event. I get nothing when actually logging out. User processes are all still running after the next user logs in. Going back to the admin user and manually running the script gives both the log entry and the killing of the rogue processes.

    I have further removed all custom items from Profile Manager being applied to the group of computers I am testing on. Rebooted the server. Rebooted the client. Reapplied sudo defaults write com.apple.loginwindow LogoutHook /usr/local/bin/scripts/logout_helper.sh and still don't actually get anything on logout. I must be doing something to keep that from happening but I cannot figure out what. Otherwise what you have done is working brilliantly for me when it is run manually. Thank you for taking the time to find an alternative.

    I'll figure it out eventually.

    Thank you also for continuing to help the rest of us to get this to work.

  • Erich Wetzel (Level 2, 345 points, Servers Enterprise), Dec 8, 2015 8:11 AM, in response to Erich Wetzel

    If you use Profile Manager AND have settings for Loginwindow set up for your managed clients, the great script Christoph has written will not work. There may be other issues related to client management as well.

    I also tested this by adding a custom item to Profile Manager with the details to run the script, but it appears that the selectable Loginwindow items override the additional custom item I added.

    I had the script running manually but it would not run on a log out. After removing all Loginwindow settings from Profile Manager I was able to get the script to run automatically. However, when I logged in the next user I still found 8 or so processes left over. So I am guessing that the attempt to close the processes is working but the KILL request is not being executed on my managed client.

  • Erich Wetzel (Level 2, 345 points, Servers Enterprise), Dec 8, 2015 8:19 AM, in response to Erich Wetzel

    Can someone tell me how to negate this command so I can have the defaults back to the actual default? I need to remove the scripting as it will not work for me due to the Profile Manager conflict.

    sudo defaults write com.apple.loginwindow LogoutHook /usr/local/bin/scripts/logout_helper.sh

    Thanks

    -Erich

  • Gerard Dirks (Level 1, 38 points, Desktops), Dec 8, 2015 9:13 AM, in response to Erich Wetzel

    BTW

    You are using the Profile Manager instead of the Workgroup Manager. I gave the Profile Manager a chance but I went back to the WGM. I can't do all the control I did with the WGM. I can't understand why Apple killed the WGM. The Profile Manager is in my opinion a play tool to configure only devices like iPhone & iPad.

    Gérard

  • Erich Wetzel (Level 2, 345 points, Servers Enterprise), Dec 8, 2015 10:06 AM, in response to Gerard Dirks

    Gerard,

    I agree that WGM seemed better thought out and more flexible, but I made the choice to go with Profile Manager as it is what Apple supports and WGM has not been updated in years. Over the nearly 25 years I have been doing this, I have found it best to just keep shifting to what Apple supports rather than what I think is best. I have had situations where I held onto the past and found it was much harder to move forward from something that was no longer supported to whatever was up to date.

    I had a tough time as a non-Unix person moving from all GUI to the current way things are done with a significant amount of command line work. But that's what they are putting out... I had to adapt.
