Q: Mavericks Server Keychain not properly storing information network users.

Thanks Christoph!  This has been extremely helpful.  So frustrated with Apple knowing this issue has existed for years and that this fairly simple workaround seems to have fixed it.  Why couldn't Apple implement something like this?

I think I found a permanent solution, even it's not fully automatically done.

1. Login the user need a fix

2. Go to ~/Library in Finder and copy the whole "Keychains" folder in a /User/Shared subfolder (I've created /User/Shared/username/Library for every user)

3. Trash any file other than "login.keychain" in /User/Shared/username/Library/Keychains/

4. Open "/Applications/Utilities/Keychain Access" app

5. Double click on /User/Shared/username/Library/Keychains/login.keychain and a new "login" (not bold) keychain should appear in Keychain Access

6. Select the new "login" (not bold) keychain and unlock it

7. Insert the login password

8. Ctrl+click on the new "login" (not bold) keychain and select > Make Keychain "login"  Default

9. Reboot

Works on all my workstations, for the moment. Still hoping....

hello federico254

Do I need to login on every Mac and do this workaround or will it solve the problems for this Network User Account on all machines?

Gérard

Yes, because the user must change their keychain access preference, but you could, I suppose, copy the login.key in mass, via shell, and instruct users how to add the new keychain and change their preferences. The concept is not to fool the system with link or other trick to get the login.key on the hd but make the system know there it is. The only inconvenient (not my case) is if your user change Mac frequently, so must be done on every Mac and the sync could be lefted to iCloud Keychain. Hope to help.

As per frederico254's reply this approach of copying a keychain to the local drive requires it to be done for each user on each machine. While I would expect this approach to complete resolve this particular issue I do regard it as incurring to much work i.e. doing so for each user for each machine.

I have had the same problem at my office and the previously suggested workaround of setting up a logout hook which kills Secd processes does appear to have resolved this issue for the most part. Occasionally users might have to reboot or we might have to take other steps but nowhere near as often as before. (I have a slight suspicion that the problem still comes and goes perhaps depending on other Apple software updates.)

Here is my script I use for the logouthook

#!/bin/bash
# Kill secd processes left running after user logs out
killall -9 secinitd
killall -9 secd
logger "LogoutHook killed processes"
# Unmount network home directory share if left mounted after user logs out
mountpath=`mount | grep /Network | awk '{print $3}'` 
if [ "$mountpath" != "" ] 
then 
  umount -f $mountpath 
  logger "LogoutHook unmounted network home"
fi
# Delete old stuff from /private/var/folders - mainly cache files after user logs out
find /private/var/folders/* -type d -mtime 1 -exec rm -rf {} \;
exit

I have over time been adding more things to this, the first is the aforementioned killing of the secd processes (lines 3 and 4), then there is another section which unmounts any user home directories that have not been done automatically, then there is a section to clear out cached files in /private/var/folders

Feel free to use all three steps but the first one is the most important.

If you go back earlier in this thread you will see another suggested fix which not only kills the two secd related processes (like mine) but kills up to 20 processes left running after a user logs out. It is as you might imagine a lot more complete and I did not feel the need to go that far.

But  what appen with HomeSync? Unmounting the home volume is not a problem?

federico254 wrote:

 

But  what appen with HomeSync? Unmounting the home volume is not a problem?

If you are using home syncing then that means you are not really using a network home directory rather you are using a home directory on the local drive which is being synced to the server. If you are using a local home directory then you should not be having the keychain issue at all since your keychain will already be being stored locally.

So, are you using a a true network login and network home directory setup? Or are you using what is more commonly called a portable home directory setup with syncing?

Apple calls Mobile Account, if remember correctly, and the problem is a constant with Mobile Account. The fun fact is that, at login, the system load also the network home, other than the local one and the problem is even worst: sometimes the system say the Login Keychain cannot be found, as it not exist. Consider that I've migrated the users from Network Home to Mobile Account (Network Home with sync) for 2 problems, one is the Keychain and the other the iCloud Drive and iCloud Photo Library (that not working on network drive).

PS. If I correct remember the Portable Home is a Home on a removable drive attached at the Mac, not use the OpenDirectory.

Hi John,

Thank you for the support. I wrote many documented bugreports to apple, but there is nobody !!

1)

echo `mount | grep /Network | awk '{print $3}'`

gives

"on /Network/Servers/xserver.domain.ch/Volumes/xyz"

and unmounting this will not work. :-(

2) There are many other processes running after logout (shame on apple). I use this commands.

username=$1

killall -15 -u $username

#if not ...

killall -9 -u $username

What you mean about this commands?

Luda24 wrote:

 

Hi John,

 

Thank you for the support. I wrote many documented bugreports to apple, but there is nobody !!

 

1)

echo `mount | grep /Network | awk '{print $3}'`

gives

"on /Network/Servers/xserver.domain.ch/Volumes/xyz"

and unmounting this will not work. :-(

 

2) There are many other processes running after logout (shame on apple). I use this commands.

username=$1

killall -15 -u $username

#if not ...

killall -9 -u $username

What you mean about this commands?

With regards to echo `mount | grep /Network | awk '{print $3}'` this works for me using ARD to remotely test a logged in user using your example I get back "/Network/Servers/xserver.domain.ch/Volumes/xyz". If you can try testing the same way or you could enable ssh aka. remote login and do a similar test. If in your case it always includes 'on ' then you could add a command to strip that however awk '{print $3}' should be printing the third word/column and the space symbol is normally used to determine the column seprator.

The second item about killall -15 -u $username was not from my post so I cannot answer that. The original fix as included in mine only killed the two secd related processes but someone else has earlier posted a means of killing all left over processes via a much more complex and lengthy script. I have not found it necessary to go to that extreme.

If you want to kill all processes owned by a specific user you might be interested in what I found in 'man killall':

     Sending a signal to all processes with uid XYZ is already supported by kill(1).  So use kill(1) for this job (e.g. $ kill -TERM -1 or as

     root $ echo kill -TERM -1 | su -m <user>)

Here's what I've tried with success.  I created the following three text files and copied them to the following directories on the client computers:

1st file name: kill_left_running.sh

Copied to: /usr/local/bin/scripts

Contents:

#!/bin/bash

# C & E Mediensysteme GmbH, Christoph Ewering 20151117

# Dinge die Apple reparieren sollte aber nicht tut :-(

# Findout who has logged out

# We are looking for processes that run as USER but this USER has no Finder running

# Find every user but ignore system users and special users

# 1. Get every process and extract the user

# 2. remove row titel "USER"

# 3. remove every system user (Usernames that start with "_")

# 4. remove users that are listed in /var/root/users_to_ignore.txt for example "root" or "postgres"

# 5. sort the users and make every item in the list unique

USERLIST=`ps aux |awk '{print $1}' |grep -v USER |grep -v '^_' |grep -v -f /var/root/users_to_ignore.txt |sort |uniq`

# Now we look for users that are running a process called "Finder"

USERLOGGEDIN=`ps aux |grep Finder.app |grep CoreServices |awk '{print $1}' |sort |uniq`

# a user that is at list USERLIST but not at USERLOGGEDIN still has processes running but is no longer logged in

for USER in $USERLIST; do

        if [[ $USER != $USERLOGGEDIN ]]; then

                # User has no Finder running every other process of this user should be stopped

                # Get all still running processes of the user that is logged out 

                PROCLIST=`/bin/ps -o pid -u $USER |grep -v PID`

                logger "User $USER has still `/bin/ps -o pid -u $USER |wc -l` processes running, trying to stop them NOW."

                # Dear processes would you be so kind to stop your work, please?

                for PROC in ${PROCLIST}; do

                        #echo kill -15 $PROC

                        /bin/kill -15 $PROC

                done

                /bin/sleep 3

                # PROCESSES - SHUT UP!

                PROCLIST=`/bin/ps -o pid -u $USER |grep -v PID`

                logger "User $USER has still `/bin/ps -o pid -u $USER |wc -l` processes running, kill them NOW."

                for PROC in ${PROCLIST}; do

                        #echo kill -9 $PROC

                        /bin/kill -9 $PROC

                done

     fi

done

2nd file name:  logout_helper.sh

Copied to: /usr/local/bin/scripts

Contents:

#!/bin/bash

LOG=/Users/Shared/logout_helper.log

DATE=`date`

echo LOGOUTEVENT - $DATE >> $LOG

/usr/local/bin/scripts/kill_left_running.sh &

3rd file name:  users_to_ignore.txt

Copied to:  /var/root

Contents:

postgres

root

nobody

Reboot the client computer and give it a shot.  It has been working for us on our 10.10 clients connecting to our 10.10 server.

Hi John,

I come from testing your and my method to kill in logout.sh

kill -9 secinitd

kill -9 secd

a lot of processes are running after logout of user wiel and login as admin1 !

with

kill -9 -u $1

there are only one or two:

My working script is now:

#! /bin/bash
# logout.sh
username=$1
logger "logout.sh $username"

Local=`dscl . -list /Users |grep -x $1`
if [[ "$1" == "$Local" ]]; then
    exit 0
fi

# Unmount network home directory share if left mounted after user logs out
mountpath=`mount | grep /Network/Servers/  | awk '{print $3}'`
if [ "$mountpath" != "" ]
then
  umount -f $mountpath
  logger "LogoutHook unmounted: $mountpath "
fi

killall -9 -u $username
#killall -9 secinitd
#killall -9 secd

logger "logout.sh finished for $1"

exit 0

PS. I am using El Capitan on Server and on Client !!

Thanks for the update. The two secd processes are the most critical ones as these are the ones that block access to the users keychain but I agree killing off more of the orphan processes is desirable and your approach is far more simple than the massive script previously posted. I will therefore look at incorporating your change in to mine.

Hello guys!

10.11.5 did not fix this problem.

After looking into Luda24s script I united every approach for a workaround and setup a new script - I tried to combine as much as possible. This solution is a lot simpler than my first script - if I remember right my first try was also one script but do not know why it does not worked so I came to the complex solution of mine.

Well now I think this is a better solution (sorry I could not find the code block tag)

bye,

Christoph

#! /bin/bash

# logout-fix.sh

# This script runs as a logouthook to fix bugs that Apple should have fixed

# The bug occurs to network home users only because since OS X 10.9.x not all processes

# of a user that logs out get killed. It is a workaround developed by Luda24,

# John Lockwood, Christoph Ewering, Benjamin Losch and may others at the

# Apple Support Communities

# Once again - this is a workaround that works with OS X 10.9.x to 10.11.5

# (shame on Apple for ignoring many bug reports and feedbacks about this bug)

# You should store this script at /usr/local/bin and then run

# "sudo defaults write com.apple.loginwindow LogoutHook /usr/local/bin/logout-fix.sh"

# remember to set the access rights "sudo chmod 755 /usr/local/bin/logout-fix.sh"

# and owner to "chown root:wheel /usr/local/bin/logout-fix.sh"

# And here it is what this script does:

# 1. Check if the logging out user is a local or network user

# 2. Kill left running processes of the logged out user

# 3. Unmount Network-Share that may have been left mounted

# 4. Remove cache files from /private/var/folders that are owned by user $username

# Here you can select if you want to any feature disabled or enabled

UNMOUNTHOME=1

CLEANCACHE=1

# Do not change anything after this line

username=$1

/usr/bin/logger "logout-fix.sh $username"

Local=`dscl . -list /Users |grep -x $username`

if [[ "$1" == "$Local" ]]

then

    /usr/bin/logger "logout-fix.sh has nothing to do - logged out user was a local user"

    exit 0

fi

# Here is the important part - kill users processes - first of all „secinitd“ and „secd“

/usr/bin/logger "logout-fix.sh trying to kill all processes of user $username"

/usr/bin/killall -15 -u $username

/bin/sleep 5

/usr/bin/killall -9 -u $username

# Unmount network home directory share if left mounted after user logs out

if [ $UNMOUNTHOME ]; then

  mountpath=`mount | grep /Network/Servers/  | awk '{print $3}'`

  if [ "$mountpath" != "" ]

  then

   /usr/bin/logger "logout-fix.sh trying to unmount $mountpath"

   /sbin/umount -f $mountpath

   /usr/bin/logger "LogoutHook unmounted: $mountpath "

  fi

fi

# Delete old stuff from /private/var/folders - mainly cache files after user logs out

if [ $CLEANCACHE ]; then

    /usr/bin/logger "logout-fix.sh trying to clean cache files of user $username"

  /usr/bin/find /private/var/folders/* -type d -mtime 1 —user $username -exec rm -vrf {} \;

fi

/usr/bin/logger "logout-fix.sh finished for $1"

exit 0