Christoph Ewering1

Q: network home users lead to damaged keychains - still no fix since Mavericks

Hello!

 

This discussion is about a very frustrating bug that has lived in OS X since Mavericks and is still not fixed in El Capitan 10.11.3, even though lots of bug reports were filed, but Apple does not recognize it.

The bug in short: if you use a network home user, at an unpredictable point in time this user becomes unable to access its own keychain items. The console gets filled with messages that accountsd cannot access a file, and from then on Mail, Calendar or any other program that wants to connect to the keychain cannot access the passwords any more. When this happens there is no workaround other than creating the user from scratch (until this bug happens again after a few hours or days).

What the community found out so far is that:

- If you reboot the client machine after every logout of a network user, this will prevent the bug

- OS X leaves some processes of a user running even though the user has logged out!

- If you kill secd and secinitd after a network user logged out, this bug is prevented

- There is a script as a workaround that kills every process of a user that logged out (but OS X starts some processes again - very strange)

- The bug resides in OS X (client) and rears its ugly head only when network home users are used

Here is the link to the original discussion

Mavericks Server Keychain not properly storing information network users.

Here is the link to the script as a workaround

Re: Re: Mavericks Server Keychain not properly storing information network users.

Here is a link for those guys using WGM

Re: Mavericks Server Keychain not properly storing information network users.

I have no explanation why Apple does not fix this bug, as it makes using OS X Server useless.

I started this discussion to transfer what was found out so far so it can be found under the El Capitan discussions (to spread the word ;-)).

 

Bye,

Christoph

Mac mini, OS X Server

Posted on Jan 25, 2016 1:38 PM
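The workaround the post describes (kill secd and secinitd, or every leftover process, of the user who has just logged out) can be attached to the loginwindow LogoutHook, which on OS X 10.9 to 10.11 runs as root with the short name of the logging-out user as its first argument. The script below is an added example written for this thread, not the script from the linked Mavericks discussion; the install path /usr/local/sbin/logouthook.sh and the embedded ps sample are assumptions, and the filtering is kept in plain functions so it can be exercised without root.

```shell
#!/bin/sh
# Added example (not the thread's own script): a loginwindow LogoutHook that
# terminates the per-user security daemons (secd, secinitd) left behind after a
# network home user logs out, then kills whatever else of that user is still
# running. loginwindow runs the hook as root and passes the short name of the
# logging-out user as $1.
#
# Install (assumption: the file lives at /usr/local/sbin/logouthook.sh,
# owned by root, mode 755):
#   sudo defaults write com.apple.loginwindow LogoutHook /usr/local/sbin/logouthook.sh

# Daemons the thread identifies as the ones that must not survive a logout.
LINGERING_DAEMONS="secd secinitd"

# Constructed sample of `ps -axo pid=,user=,comm=` output, used only to exercise
# the filters below without root; a real run uses the live ps listing.
SAMPLE_PS='  101 root   /usr/libexec/secd
  202 alice  /usr/libexec/secd
  203 alice  /usr/libexec/secinitd
  204 alice  /System/Library/CoreServices/cloudd
  305 bob    /usr/libexec/secd'

# leftover_pids USER PS_OUTPUT: every PID in PS_OUTPUT owned by USER, one per line.
leftover_pids() {
    printf '%s\n' "$2" | awk -v u="$1" '$2 == u { print $1 }'
}

# daemon_pids USER PS_OUTPUT: only USER's instances of the lingering daemons.
# The basename of the command is compared, so both the full path printed by the
# BSD ps on OS X and the bare name printed by procps match.
daemon_pids() {
    printf '%s\n' "$2" | awk -v u="$1" -v names="$LINGERING_DAEMONS" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        $2 == u { c = $3; sub(/.*\//, "", c); if (c in want) print $1 }'
}

# kill_pids SIGNAL PID...: send SIGNAL to each PID, ignoring ones already gone.
kill_pids() {
    sig="$1"; shift
    for p in "$@"; do kill "-$sig" "$p" 2>/dev/null || true; done
}

# Only act when loginwindow actually hands us a user, we are root, and the user
# is not root itself (killing root's processes would take the system down).
if [ -n "${1:-}" ] && [ "$1" != "root" ] && [ "$(id -u)" -eq 0 ]; then
    user="$1"
    # 1. Ask the security daemons to exit cleanly so the keychain DB gets closed.
    kill_pids TERM $(daemon_pids "$user" "$(ps -axo pid=,user=,comm=)")
    sleep 2
    # 2. The thread notes OS X respawns some of them; sweep everything that is
    #    still owned by the user, this time with SIGKILL.
    kill_pids KILL $(leftover_pids "$user" "$(ps -axo pid=,user=,comm=)")
    logger -t logouthook "cleaned up leftover processes of $user"
fi
```

Two caveats for anyone deploying this: `defaults write com.apple.loginwindow LogoutHook` replaces whatever hook is already registered, so merge with an existing one rather than overwrite it, and the second sweep kills every process of the named user, which is only safe if that user has no other live session on the machine (fast user switching); if you allow concurrent sessions, restrict the sweep to the daemon PIDs.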

  • by Robert Hrovat, Level 1 (9 points), Jan 25, 2016 4:42 PM in response to Christoph Ewering1

    Hello Christoph

    Thank you very much for this summary. May Apple also listen (and react) to your words!

    I'd also like to add my post with an in-depth analysis of the keychain issue:

    Keychain issue with network users on 10.10 clients

    Bye

    Robert

  • by BobHarris, Level 6 (19,420 points), Mac OS X, Jan 25, 2016 4:56 PM in response to Robert Hrovat

    > May Apple also listen (and react) to your words!

    This is a user-to-user forum. Apple developers do not read this forum.

    If anyone wants to report bugs to Apple, then file a bug at BugReporter:

    <http://bugreporter.apple.com>

    A free ADC (Apple Developer Connection) account is needed for BugReporter.

    Anyone can get a free account at:

    https://developer.apple.com/register/index.action

    You can also send feedback, but that may or may not have an effect:

    <http://www.apple.com/feedback/macosx.html>

  • by Christoph Ewering1, Level 1 (18 points), Mac OS X, Jan 25, 2016 11:38 PM in response to BobHarris

    Hello BobHarris!

    As I mentioned at the start of this discussion, there were a lot of bug reports sent to Apple. If you read the original posts, I think at least three or four guys filed bug reports but got no reaction.

    Here are my bug numbers:

    19355877 - no reaction

    20315408 - Duplicate of 15792007 (Open)

    19567929 - Duplicate of 18063571 (Closed)

    and a bug that may be related to this bug:

    19217139 - closed (customer lost patience and ordered me to change to a Windows server)

    I gave feedback at <http://www.apple.com/feedback/macosx.html> but got no reaction!

    So - I tried my best to show Apple some bugs and to keep OS X the best OS ever - but Apple does not care! If you can show me how I can get heard by Tim - let me know.

    Quality and reliability of OS X vanish from update to update!

    Since 10.7 OS X has had lots of bugs with file sharing, ACLs, etc., and the worst bugs are still not fixed in 10.11! With the bug mentioned above OS X Server is useless!

    At the moment I do not recommend OS X for any serious work if you have to cooperate with others. It is a good system for one-man shows but not for business any more.

    If Apple still thinks it is a good idea to release a major OS update every year, then this is not for business customers! They release 200 new features with 300 new bugs every year - this is ridiculous!

    If they want the business users back, they should set up a long-term OS that gets bug fixes and security fixes for 5 years. After 4 years they should declare the current OS the next long-term OS, so business customers have one year to change from the old long-term OS to the current long-term OS.

    As long as a long-term OS lasts, Apple could release OS updates at will, every month or half year, with lots of new features, removed features, etc., so they have a playground but business customers have a reliable platform.

    At the moment I am rethinking my business because of bugs that prevent the use of OS X for serious work.

    I want something as rock solid as 10.6.8.

    Bye,

    Christoph

  • by Cmoore01, Level 2 (186 points), Mac OS X, Jan 26, 2016 7:00 AM in response to Christoph Ewering1

    Maybe I missed it in the discussions above, but does this bug only occur when using OS X Server for home directories, or does this also happen with Windows servers for home directories? If with Windows, this may explain some issues I am seeing with my users.

  • by John Lockwood, Level 6 (9,309 points), Servers Enterprise, Jan 26, 2016 8:24 AM in response to Cmoore01

    Cmoore01 wrote:

    > Maybe I missed it in the discussions above, but does this bug only occur when using OS X Server for home directories, or does this also happen with Windows servers for home directories? If with Windows, this may explain some issues I am seeing with my users.

    This is a good question, and as someone also affected by this bug who has been following the older threads, I have not seen a definitive answer as to whether it also affects Windows server based network home directories. It did seem that a Snow Leopard Server being used to host network home directories was less likely to have users suffer this problem. Of course Snow Leopard Servers are becoming increasingly rare.

    I can say our own testing showed that using SMB on a Mac server made it worse if anything, which is ironic considering Apple are encouraging/forcing people to use SMB instead of AFP.

    Note: ExtremeZ-IP, now called Acronis Access Connect, is software to enable running AFP on a Windows server.

    I am using a logout hook similar to the one mentioned in the previous threads to kill the secd processes; it has partially helped but not eliminated the problem.

  • by Christoph Ewering1, Level 1 (18 points), Mac OS X, Jan 26, 2016 10:25 AM in response to John Lockwood

    Hello John, hello Cmoore01!

    I think this bug is a mixture of bad file services on the server side, a bad decision made by Apple to not kill every user process on the client side when the user logs out, and some horrible, nasty race condition or something like that in the file sharing client of OS X (Client).

    I was not able to find a scenario to reproduce this bug - so there are lots of conditions to be met until this bug occurs. But I think this bug only needs an OS X client and a network home from any server. Sometimes it looks like the bug happens more often with users that use different client computers. If a network home user always uses the same client, this bug occurs less often. At the moment it is unpredictable, but it will happen - sooner or later! Maybe the server does not change anything, so this bug could happen with network homes on Windows servers, too.

    Because of other problems related to network stuff, I think OS X has a really nasty bug in the file sharing stack or the network stack or both. Because you cannot reproduce it, only Apple can solve this bug, if they want to.

    But first we have to get heard by Apple.

    If Apple isn't interested in business users using OS X Server any more, they should make a clear statement; otherwise it will damage Apple.

    Bye,

    Christoph

  • by Gerard Dirks, Level 1 (38 points), Desktops, Feb 1, 2016 5:22 PM in response to Christoph Ewering1

    Hello Christoph

    Apple did it again!

    After all the open bugs with Server and keychain, I discovered the next horror scenario. In our environment of 10.9.5 we had to buy another 15 iMacs, of course preconfigured with 10.11 (and no way to downgrade).

    When a user swaps his network account between Macs with 10.9 & 10.11, his email will be completely corrupted. For us as business users 10.11 is not reliable, but we had no other way than to buy this crap!!!

    Today I spoke for hours with Apple; this genius guy didn't even know that the Workgroup Manager was an Apple product. A computer without a working mail solution is like a car without wheels! Please, Apple! Fix your bugs and make your system run as smoothly as it did with 10.6.8. Business users don't want all those gadgets. Till now they are still loyal to your products and company, but even they will lose trust in your company and will swap to other products. It doesn't take much, and even Ubuntu will be an option. Better a good working system with a few very good tools than the crap that Apple is producing now!!!

    Today Apple was overtaken by Alphabet (Google) as the world's most valuable company. Probably Apple will fall down to a position like Polaroid and Kodak! Who wants this crap? You can only use it as a private computer, but for that purpose it is too expensive. In business it is definitely useless. I really hope that Apple will come into a crisis again as in the 90's, and find a new captain. Maybe a new crew can turn the company around and let it be reborn; otherwise we will find it in our history books in the next 10-15 years!

    As an Apple user since 1979, I am sure my next computer will not be an Apple one!!!

    Gérard

  • by John Lockwood, Level 6 (9,309 points), Servers Enterprise, Feb 2, 2016 3:19 AM in response to Gerard Dirks

    Hi Gerard,

    Your issue is only obliquely related to network home directories and not related to the many long-persisting bugs that this and other threads refer to. Your issue is down to the fact that different versions of Mail in different versions of OS X use different file formats. Apple Mail in El Capitan uses a 'V3' format, and Mavericks and Yosemite use a 'V2' format. If you were using, say, El Capitan on both Macs you should not see your problem.

    Historically some administrators have prevented this issue by configuring all the computers into computer groups and only allowing a user who has been upgraded to a specific OS version to use Macs running that OS version. You do this by saying the user can only log in on computers that are a member of a specific computer group, e.g. the computer group for El Capitan users and Macs.

    When I took over responsibility for IT at the firm I work for, we had a huge mix of Mac OS X versions, but I have since managed to get them all to the same Yosemite 10.10.5 version, making life much simpler and avoiding this issue.

    I can't say for certain, but I would expect the equivalent of your problem would also occur in the Windows world if you tried hopping between two PCs running Outlook 2010 and Outlook 2016 and they also used 'Roaming Profiles'. So in this case I think your criticism of Apple is a little misplaced.

  • by scaxiltato, Level 1 (0 points), Feb 2, 2016 5:31 PM in response to John Lockwood

    Dear John, you are right. Being up to date will solve a lot of problems on a network infrastructure. But when everything is an Apple product, everything is up to date (server and clients 10.11.3) and you can't maintain passwords for your email box, network calendars and network contacts, and this since probably 10.7, how do you call this? A good practice? I'm an Apple user since the IIfx and I have always been a loyal user and evangelist. Today I'm looking around, and everywhere you look it is not simple to find good solutions. But the day I find an alternative I'll surely evaluate it.

  • by scaxiltato, Level 1 (0 points), Feb 3, 2016 3:26 PM in response to scaxiltato

    I've tried SMB network home directories with "Allow only coded connection", and from first results it seems to have finally solved the "Keychain-2.db-corrupt" file problem. 10.11.3 client, 10.11.3 server with Server 5.0.15, and a self-signed certificate.

    Maybe this helps...

  • by Gerard Dirks, Level 1 (38 points), Desktops, Feb 3, 2016 10:16 PM in response to John Lockwood

    Hello John

    I already decided to swap to 10.11.3. Before I start I need to make an inventory of all the software we are using that is incompatible or not running smoothly. Even the Apple-owned company FileMaker has a lot of issues with 10.11.

    Further, we have issues with Keyspan drivers and the remote controls of the Olympus DSS Player. The dialing software for the PBX/PSTN doesn't run on 10.11.

    Because Apple does not have such a dominance as Windows, it mostly takes 3/4 of a year before most third-party suppliers have their software update; especially Japanese companies are the latest with their updates. All users use business scanners from Canon; their consumer products are updated relatively fast, but the DR-C125 & C225 also had issues.

    If we had only the original Apple software it would be no issue and we would swap directly, but we don't live in a fairytale world but in real life, where Apple gives us no solutions for our daily workflow! Therefore we are very careful with swapping to a newer OS!

    We are also developers, but it is very difficult to find the OS changes in a very early phase of the development of the OS. Most third-party suppliers start developing at the moment Apple releases their new OS. Then it of course takes very long. As soon as the others have the bugs fixed, Apple will release the new release.

    Apple always said that 10.11 would be a bug fix release; now with the swap from V2 to V3 it is more a major release than a minor fix ;-(

    Most important, the bug related to the start of this thread is still not solved since 10.9.2. We are talking here about different workarounds, but a fix from Apple is not available. That Apple hasn't released an update for their OS X Server 5 since the first release, and the killing of the WGM, indicates that Apple has no interest in business users anymore. Probably selling 1 iPhone/iPad is more profitable than selling 1 iMac/MacBook. That is my criticism!!!

  • by PSC-Admin, Level 1 (4 points), Servers Enterprise, Feb 4, 2016 4:33 PM in response to Christoph Ewering1

    Hi Christoph,

    This bug is definitely still in 10.11.3 and 10.10.5 and has not been fixed at all! It is NOT a server bug; I have tried Server App 4, Server App 5 and Windows Server 2012 R2, and the same thing happened: Keychain crashed on logout and reboot in some cases!

    It is an OS X issue, but only if you use it in a network home environment.

    From your last post, page 15, I have redirected the Keychain folder and finally, after 1.5 years of rebooting and frustration, I can say that our 700+ users have a solid Keychain again! This is just ridiculous, that a company whose products I love to work with and admire, that is one of the richest in the world, just focuses on the everyday person with iTunes and iCloud!

    I have been managing Macs and Windows machines since OS 9 and Windows '95 (I know I am not from the days of DOS and Apple I), and in my time so far I have never been more frustrated than now. I get the point of updating and upgrading, but isn't there a saying that goes something like "if it ain't broken, don't try to fix it"?

    As I said, I have downloaded Windows Server 2012, and believe it or not the AD users and directories option is STILL the same as it was in Windows Server 2000 NT and functions like you expect it, albeit a bit better!

    Functionality over features, I say. 10.6.8 Snow Leopard Server is still running strong on my Xserves and manages 700+ users; all our 126 Macs are on 10.10.5 with full network home setup, and Profile Manager manages the rest!

    Our school will be moving to Windows 2012 server and keep the Macs, as we teach photography, but I am very disappointed with the path that Apple is on now, which is "we don't give a poop about enterprise users and network users"!

  • by macmartin, Level 2 (499 points), Feb 4, 2016 10:14 PM in response to PSC-Admin

    >> ... Keychain crashed on logout and reboot in some cases!

    It is even worse than this.

    In the office I work in, I had some users where the keychain crashes while working and not only at logout / reboot.

    Very often this happens around 4 pm, with work starting around 9 am, but it could also happen after just an hour working on the computer.

    >> ... i have redirected the Keychain folder and finally, after 1.5 years of rebooting and frustration, i can say that our 700+ users have a solid Keychain again!

    I did not exactly understand how to do this.

    Could you explain this in a little more detail?

    Best regards

    martin

  • by PSC-Admin, Level 1 (4 points), Servers Enterprise, Feb 6, 2016 2:32 AM in response to macmartin

    Hi Martin,

    I forgot about that scenario.... The same thing has been happening to some of our users: in the middle of them working, the Mail/Calendar/Contacts app would just start bouncing and asking them for the password!

    So for that fix to work, all your computers have to be enrolled in your Profile Manager as devices, and then you have to add those devices you want to manage into a Device Group.

    Of course in all this I am assuming you have a Server set up and running. Next step: in the Device Group, select your group of devices, click on the "Settings" tab, then click on "Edit".

    Then scroll all the way down to the bottom and click on "Custom Settings"; unless you have added anything before, this box should be empty. Click on the "Add Item" button and add the first item called LoginRedirection, and then add the rest under that item. I am attaching the screen shot of my settings; pay attention to the name as well, as it has to be named the same.

    Hope this helps, let me know if you need to know more!

    Also, if you don't get it to work, when I get back to my work on Monday I can upload the preference file for you here!

    [Attachment: Screen Shot 2016-02-06 at 9.26.21 PM.png]
