Robert Hrovat

Q: Keychain issue with network users on 10.10 clients

Hello everybody

 

I've got a keychain issue with network user homes connecting from 10.10 clients to a 3.2.2 server:

 

After upgrading some clients to 10.10, our students started to complain: They had to enter passwords again and again. It looked like the passwords wouldn't save in their keychain.

When I checked their "local items" keychain, it was empty and no new data could be saved in there.

This caused of course a lot of following issues with a lot of other apps.

 

So I started testing with a brand new user on a 10.10 client. These are the results:

When the user logs in, the keychain "keychain-2.db" is created in ~/Library/Keychains/893693C6-3637-5019-A594-DC4BD648101C

I think this is as it should be, this folder is for this particular client.

When the user logs out and then logs in again, this keychain has changed to "keychain-2.db-corrupt" and no data can be saved in there.

But when I restart the client and then the user logs in again, a new "keychain-2.db" has been created and the corrupt keychain is still there.

The new keychain is empty of course, but new data can be saved in there.

And then, when the user logs out and in again, the whole story starts from beginning.

 

First I thought, it could be because of the "after logout network home directory isn't disconnected from server" problem as it was discussed in other posts. (See also Users not disconnected from file sharing and others.) But it looks like this problem has been solved  in 10.10: When a network user has logged out, there's no more AFP (or SMB) connection visible on the server.

 

So on the client I logged in as a local admin and checked the activity:

Although my test user had just logged out, there were still about 16 processes running under his name. One (or more) of them must have been destroying the "keychain-2.db" and blocking the creation of a new one.

With killing them one by one and a lot of testing I found the guilty one:

It's the process called "secd" that causes this keychain issue. If I kill this process before the user logs in again, his keychain-2.db won't become corrupt!

 

I have no idea what this process is for and why it is (and all the others processes) still there, after the user's logout.

 

My questions are:

Is this bug or is it a misconfiguration of my clients and/or server?

Does anybody else have the same experiences with accounts on a server 3.2.2? What about server 4.0?

Does anybody have an idea for a workaround?

 

 

Thanks a lot for helping.

 

 

Bob

Posted on Oct 22, 2014 8:49 AM

  • by JAGUK,

    JAGUK Sep 17, 2015 8:54 AM in response to ndsvfx
    Level 1 (33 points)
    Servers Enterprise

    Hey ndsvfx,

     

    I was just searching the forums to see if there was any new "fix" for the login keychain password issue and stumbled across your post saying that you're suffering from HomeSync not working on login.

     

    We too were suffering the same issue, albeit we wanted syncing on logout, and we had to resort to setting HomeSync to sync in the background every few hours so that we could guarantee that all of our users were successfully syncing daily.

     

    However, after being contacted on the issue by Apple (following numerous posts in these very forums), and after a very long drawn out process talking to various engineers, we now have syncing on logout working company wide.

     

    I can't guarantee that this fix will work for you but you should definitely give it a try as the login and logout syncing is affected by the same problem within the client OS apparently.

     

    I didn't get a response from the engineer as to whether they would patch a fix into current OSs, but at least we are now getting the desired level of syncing!

     

    You can find my original post here - hope it helps!! Server 3 Home Sync Folders on Logout Fix

     

    Justin

  • by John Agapitos,

    John Agapitos Oct 2, 2015 4:44 PM in response to JAGUK
    Level 1 (29 points)

    Has anyone tested 10.11? Does it have the same keychain issues?

  • by ndsvfx,

    ndsvfx Oct 2, 2015 4:56 PM in response to John Agapitos
    Level 1 (15 points)

    Seems to be much better in 10.11, have not had issues. It still only does a full sync at logout though but in general seems to be working with the 10.11 client update. Also tested after updating to Server 5.0 under both Yosemite and El Cap and the fix sticks so it was definitely a client side issue.

  • by Robert Hrovat,

    Robert Hrovat Dec 7, 2015 2:03 PM in response to Robert Hrovat
    Level 1 (9 points)

    Update:

     

    A quite good solution to this issue has been posted here on page 13 by Christoph Ewering.

  • by KN4R,

    KN4R Feb 2, 2016 9:55 AM in response to Robert Hrovat
    Level 1 (0 points)

    All,

     

    In addition to Login Sync being broken:

     

    The bigger nuisance for us is the keychain being locked for mobile accounts at login from a cold start.

    (keychains of local accounts at login are unlocked, and keychains of mobile accounts from a warm start also unlocked at login).

     

    Has anyone come up with a workaround? We've looked at Keychain Minder and ADPassMon but no joy (we are using OD).

     

    Is there a way at boot up to make a mac think someone has already logged in and then out before the login window shows?

     

    Thanks for any ideas.

  • by islamadel,

    islamadel Feb 16, 2016 7:41 AM in response to Robert Hrovat
    Level 1 (0 points)

    Here is a workaround that worked for us.

    It stops the keychain daemon at login and logout.

    You can use the following method as a login and logout script for Mac OS X 10.11 El Capitan.

     

    Create the following file, with this content, in /System/Library/LaunchAgents/:

    com.rechnerpool.logoutwatcher.plist

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
      <key>Label</key>
      <string>com.rechnerpool.logoutwatcher</string>
      <key>ProgramArguments</key>
      <array>
        <string>/Network/Servers/server.domain/homes/_macscripts/logoutwatcher.sh</string>
      </array>
      <key>RunAtLoad</key>
      <true/>
    </dict>
    </plist>

     

    Change the path "/Network/Servers/server.domain/homes/_macscripts/logoutwatcher.sh" to the path where you want to place your login and logout script, either on a network share or a local path such as /Users/Shared/logoutwatcher.sh.

     

    Content of logoutwatcher.sh:

    #!/bin/bash
    # logoutwatcher.sh: started once per login session by the LaunchAgent above.
    # The login part runs immediately; the script then sleeps until launchd
    # sends it SIGTERM at logout, which triggers onLogout.

    onLogout() {
      # Insert whatever script you need to run at logout

      # Kill secd Keychain Daemon
      launchctl stop com.apple.secd
      pgrep secd >/dev/null 2>&1 && pkill -9 secd

      # logout script end
      exit
    }

    # Insert whatever script you need to run at login

    # Kill secd Keychain Daemon
    launchctl stop com.apple.secd
    pgrep secd >/dev/null 2>&1 && pkill -9 secd

    # login script end
    trap 'onLogout' SIGINT SIGHUP SIGTERM

    # Stay alive until logout: sleep in the background and wait on it, so the
    # trap fires as soon as the signal arrives instead of after the sleep ends
    while true; do
      sleep 86400 &
      wait $!
    done

     

    Finally, set the correct permissions:

    sudo chown root:wheel /System/Library/LaunchAgents/com.rechnerpool.logoutwatcher.plist
    sudo chmod 644 /System/Library/LaunchAgents/com.rechnerpool.logoutwatcher.plist
    sudo launchctl load -w /System/Library/LaunchAgents/com.rechnerpool.logoutwatcher.plist
    chmod +x /path/to/logoutwatcher.sh

  • by Christoph Ewering1,

    Christoph Ewering1 May 17, 2016 7:38 AM in response to Robert Hrovat
    Level 1 (18 points)
    Mac OS X

    Hello guys!

     

    Just want to let you know that I posted a new and hopefully easier script to another thread. It is based on the knowledge of many members of the community.

     

    BTW. 10.11.5 did not fix this bug - so this script is still required for network home users.

     

    Bye,

    Christoph

     

    #! /bin/bash
    # logout-fix.sh

    # This script runs as a logouthook to fix bugs that Apple should have fixed
    # The bug occurs to network home users only because since OS X 10.9.x not all processes
    # of a user that logs out get killed. It is a workaround developed by Luda24,
    # John Lockwood, Christoph Ewering, Benjamin Losch and many others at the
    # Apple Support Communities

    # Once again - this is a workaround that works with OS X 10.9.x to 10.11.5
    # (shame on Apple for ignoring many bug reports and feedbacks about this bug)

    # You should store this script at /usr/local/bin and then run
    # "sudo defaults write com.apple.loginwindow LogoutHook /usr/local/bin/logout-fix.sh"
    # remember to set the access rights "sudo chmod 755 /usr/local/bin/logout-fix.sh"
    # and owner to "sudo chown root:wheel /usr/local/bin/logout-fix.sh"

    # And here is what this script does:
    # 1. Check if the logging out user is a local or network user
    # 2. Kill left running processes of the logged out user
    # 3. Unmount Network-Share that may have been left mounted
    # 4. Remove cache files from /private/var/folders that are owned by user $username

    # Here you can select whether you want a feature enabled (1) or disabled (0)
    UNMOUNTHOME=1
    CLEANCACHE=1

    # Do not change anything after this line
    # loginwindow passes the short name of the user who logged out as $1
    username=$1
    if [ -z "$username" ]; then
        /usr/bin/logger "logout-fix.sh called without a username - nothing to do"
        exit 0
    fi
    /usr/bin/logger "logout-fix.sh $username"

    # A user listed in the local directory node is a local user (grep -x: exact match only)
    Local=`dscl . -list /Users | grep -x "$username"`
    if [[ "$username" == "$Local" ]]
    then
        /usr/bin/logger "logout-fix.sh has nothing to do - logged out user was a local user"
        exit 0
    fi

    # Here is the important part - kill users processes - first of all "secinitd" and "secd"
    # (TERM first, give them 5 seconds, then KILL whatever is left)
    /usr/bin/logger "logout-fix.sh trying to kill all processes of user $username"
    /usr/bin/killall -15 -u "$username"
    /bin/sleep 5
    /usr/bin/killall -9 -u "$username"

    # Unmount network home directory share if left mounted after user logs out
    if [ "$UNMOUNTHOME" = 1 ]; then
      # mount prints "<share> on <mountpoint> (<options>)", so field 3 is the mount point
      mountpath=`mount | grep /Network/Servers/ | awk '{print $3}'`
      if [ "$mountpath" != "" ]
      then
       /usr/bin/logger "logout-fix.sh trying to unmount $mountpath"
       # $mountpath is left unquoted on purpose: several mount points become several arguments
       /sbin/umount -f $mountpath
       /usr/bin/logger "LogoutHook unmounted: $mountpath "
      fi
    fi

    # Delete old stuff from /private/var/folders - mainly cache files after user logs out
    if [ "$CLEANCACHE" = 1 ]; then
        /usr/bin/logger "logout-fix.sh trying to clean cache files of user $username"
        # -prune stops find from descending into a directory it has just removed
        /usr/bin/find /private/var/folders/* -type d -mtime 1 -user "$username" -exec rm -vrf {} \; -prune
    fi

    /usr/bin/logger "logout-fix.sh finished for $username"

    exit 0
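    A check an admin can run after a network user has logged out, to confirm that a logout hook like the one above actually did its job (the original post counted about 16 leftover processes, secd among them). This is an added example, not a script from the thread: the ps and mount output is constructed, and the user names, PIDs and server path are hypothetical.

```shell
#!/bin/bash
# Verify post-logout cleanup on a client. On a real machine feed in the output of
#   ps -axo user,pid,comm      and      mount
# Everything below is constructed sample data with hypothetical names.

# Constructed `ps -axo user,pid,comm` output after "student1" logged out.
SAMPLE_PS='USER    PID COMM
root      1 /sbin/launchd
student1 412 /usr/libexec/secd
student1 415 /usr/libexec/secinitd
student1 420 /System/Library/CoreServices/HomeSync
_spotlight 77 /System/Library/Frameworks/CoreServices.framework/Support/mds
student1 433 /usr/sbin/cfprefsd
localadmin 501 /bin/bash'

# Constructed `mount` output; the network home is still attached.
SAMPLE_MOUNT='/dev/disk1 on / (hfs, local, journaled)
devfs on /dev (devfs, local, nobrowse)
//student1@server.domain/homes on /Network/Servers/server.domain/homes (smbfs, nodev, nosuid, mounted by student1)
map -hosts on /net (autofs, nosuid, automounted, nobrowse)'

# Print "PID comm" for every process still owned by user $1 (ps output on stdin).
leftover_procs() {
  awk -v u="$1" 'NR > 1 && $1 == u { print $2, $3 }'
}

# Return 0 if secd or secinitd (the daemons the thread blames) still run as $1.
keychain_daemons_alive() {
  leftover_procs "$1" | awk 'BEGIN { found = 1 }
    $2 ~ /\/(secd|secinitd)$/ { found = 0 }
    END { exit found }'
}

# Print mount points under /Network/Servers/ (field 3 of `mount`, as the hook does).
network_home_mounts() {
  awk '$3 ~ /^\/Network\/Servers\// { print $3 }'
}

# Human-readable summary for running the check by hand.
report() {
  local user="$1" ps_out="$2" mount_out="$3"
  echo "Processes still owned by $user after logout:"
  printf '%s\n' "$ps_out" | leftover_procs "$user"
  if printf '%s\n' "$ps_out" | keychain_daemons_alive "$user"; then
    echo "WARNING: secd/secinitd still running as $user; expect keychain-2.db-corrupt at next login"
  fi
  echo "Network home mounts still present:"
  printf '%s\n' "$mount_out" | network_home_mounts
}

report student1 "$SAMPLE_PS" "$SAMPLE_MOUNT"
```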

  • by JAGUK,

    JAGUK May 18, 2016 3:14 AM in response to Christoph Ewering1
    Level 1 (33 points)
    Servers Enterprise

    Hey Christoph,

     

    Many thanks for posting this, I will give it a go on a couple of clients and see how it goes.

     

    If this does indeed resolve the login keychain issues that all of our users experience on a daily basis, it will be very greatly received!

     

    This has been a problem for well over two years so shame on Apple for not addressing this... they really do suck at times

     

    Thanks again and I will post back with my results

  • by itadmca,

    itadmca Jun 6, 2016 6:19 AM in response to Christoph Ewering1
    Level 1 (4 points)

    Hello Christoph,

     

    I tried your script with some changes to work with mobile/external accounts on some of our clients. All clients are running 10.11.5 and use mobile accounts with library synchronisation (Server 5.1.5 on OS X 10.11.5).

     

    One of them works fine without any keychain issue, some others are working better (the keychain prompt only 3 times - commcenter, homesync and messages agent), and some still have all the problems as before.

     

    Any idea?

     

    Here is the script I used:

     

    #! /bin/bash
    # logout-fix.sh

    # This script runs as a logouthook to fix bugs that Apple should have fixed
    # The bug occurs to network home users only because since OS X 10.9.x not all processes
    # of a user that logs out get killed. It is a workaround developed by Luda24,
    # John Lockwood, Christoph Ewering, Benjamin Losch and many others at the
    # Apple Support Communities

    # Once again - this is a workaround that works with OS X 10.9.x to 10.11.5
    # (shame on Apple for ignoring many bug reports and feedbacks about this bug)

    # You should store this script at /usr/local/bin and then run
    # "sudo defaults write com.apple.loginwindow LogoutHook /usr/local/bin/logout-fix.sh"
    # remember to set the access rights "sudo chmod 755 /usr/local/bin/logout-fix.sh"
    # and owner to "sudo chown root:wheel /usr/local/bin/logout-fix.sh"

    # And here is what this script does:
    # 1. Check if the logging out user is a local or network user
    # 2. Kill left running processes of the logged out user
    # 3. Unmount Network-Share that may have been left mounted
    # 4. Remove cache files from /private/var/folders that are owned by user $username

    # Here you can select whether you want a feature enabled (1) or disabled (0)
    UNMOUNTHOME=1
    CLEANCACHE=1

    MyName=`basename $0`
    LOG='/usr/bin/logger'
    MAXLOOP=600 # seconds to wait for HomeSync before continuing
    LOOP=0

    # Do not change anything after this line
    # loginwindow passes the short name of the user who logged out as $1
    username=$1
    if [ -z "$username" ]; then
        $LOG "$MyName called without a username - nothing to do"
        exit 0
    fi

    #$LOG "$MyName $username"
    Local=`dscl . -list /Users | grep -x "$username"`

    if [[ "$username" == "$Local" ]]; then
        # A mobile/external account is listed locally but records the directory node
        # it came from; a plain local account has no OriginalNodeName
        Mobile=`dscl . -read /Users/$username OriginalNodeName | cut -c 1-8`
        if [[ "$Mobile" == "" ]]; then
            $LOG "$MyName has nothing to do - logged out user was a local user"
            exit 0
        else
            $LOG "$MyName working on mobile or external Account"

            # Wait until synchronisation is done (at most MAXLOOP seconds)
            until [ $LOOP -gt $MAXLOOP ]; do
                SYN=`ps -ef | grep HomeSync | grep -v 'grep'`
                if ! [[ $SYN == "" ]]; then
                    sleep 1
                else
                    $LOG "$MyName HomeSync done ($LOOP)"
                    break
                fi
                let LOOP+=1
            done
            if [[ $LOOP -gt $MAXLOOP ]]; then
                $LOG "$MyName stopping HomeSync!"
            fi
        fi
    fi

    # Here is the important part - kill users processes - first of all "secinitd" and "secd"
    # (TERM first, give them 5 seconds, then KILL whatever is left)
    $LOG "$MyName trying to kill all processes of user $username"
    /usr/bin/killall -15 -u "$username"
    /bin/sleep 5
    /usr/bin/killall -9 -u "$username"

    # Unmount network home directory share if left mounted after user logs out
    if [ "$UNMOUNTHOME" = 1 ]; then
        # mount prints "<share> on <mountpoint> (<options>)", so field 3 is the mount point
        mountpath=`mount | grep /Network/Servers/ | awk '{print $3}'`
        if [ "$mountpath" != "" ]; then
            $LOG "$MyName trying to unmount $mountpath"
            # $mountpath is left unquoted on purpose: several mount points become several arguments
            /sbin/umount -f $mountpath
            $LOG "$MyName LogoutHook unmounted: $mountpath "
        fi
    fi

    # Delete old stuff from /private/var/folders - mainly cache files after user logs out
    if [ "$CLEANCACHE" = 1 ]; then
        $LOG "$MyName trying to clean cache files of user $username"
        # -prune stops find from descending into a directory it has just removed
        /usr/bin/find /private/var/folders/* -type d -mtime 1 -user "$username" -exec rm -vrf {} \; -prune
    fi

    $LOG "$MyName finished for $username"
    exit 0

  • by Christoph Ewering1,

    Christoph Ewering1 Jun 7, 2016 6:23 AM in response to itadmca
    Level 1 (18 points)
    Mac OS X

    Hello itadmca!

     

    I do not know - but when I first started playing around with LogoutHooks someone mentioned that a LogoutHook should not take too long to do its job because it gets killed by the system if it runs too long. Because of this my second attempt at a fix was a two-script solution - one little script that only starts another script that does all the work.

     

    After looking at other discussions it looks to me that time is no problem for the LogoutHook, and I collected different solutions into one single script.

    AFAIK some guys reported success with this script.

     

    I played around with a LaunchDaemon (my first attempt) to kill secd at login but that does not work reliably for me.

    YMMV

     

    BTW: If I read your script correctly you are going to kill HomeSync if it is still running after 600 seconds - is this process owned by the user that logs out?

     

    Bye,

    eweri

  • by itadmca,

    itadmca Jun 7, 2016 12:38 PM in response to Christoph Ewering1
    Level 1 (4 points)

    Hello Christoph,

     

    someone mentioned that a LogoutHook should not take too long to do its job because it gets killed by the system if it runs too long

    This may be so, but the script runs only a few seconds. So the run time is not too long to get killed by the system.

     

    BTW: If I read your script correctly you are going to kill HomeSync if it is still running after 600 seconds - is this process owned by the user that logs out?

    This part of the script was written so that HomeSync does not get killed. As I checked on some clients, HomeSync is done when the LogoutHook starts, so this part may be deleted. Every logged message shows "HomeSync done (0)"! The HomeSync process is owned by the user. Login and logout scripts run as root - see https://developer.apple.com/library/mac/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CustomLogin.html

     

    After looking at other discussions it looks to me that time is no problem for the LogoutHook, and I collected different solutions into one single script.

    AFAIK some guys reported success with this script.

     

    Good and bad news:

    Today I got feedback; some users told me that the keychain works as it should - no issue when booting the OS. Others had success after more than three reboots (I don't know why, but it seems to take more than one reboot to work).

    My own Mac booted today without any issue. A reboot without network brings the problem back. So it seems that the script works only if the Mac is connected to the company network and Open Directory is running.

     

    Important: never sync the Keychains folder at login or logout!

     

    I played around with a LaunchDaemon (my first attempt) to kill secd at login but that does not work reliably for me.

     

    I tried this too, same result!

    LaunchDaemon is powerful but it does not support LogoutHooks. If it does, I will use it.

     

     

    Bye,

    itadmca

  • by cdhw,

    cdhw Jun 7, 2016 4:45 PM in response to itadmca
    Level 4 (2,653 points)
    Servers Enterprise

    Just a remark that AFAIK, if you are using HomeSync, i.e. mobile homes, then the keychain issues that the script is intended to fix shouldn't occur; they are specific to network homes.

     

    I imagine that one of the reasons there is no fix for this problem is that Apple seems to want us to abandon old-school network homes and switch to using mobile homes.

     

    C.

  • by itadmca,

    itadmca Jun 8, 2016 12:32 PM in response to cdhw
    Level 1 (4 points)

    I use only mobile accounts. The keychain issue is the same as with network accounts. HomeSync uses the identical network path to mount the synced home directory. I think that all account types use the identical temp folder. This, I hoped, would make the script work on mobile accounts.

     

    The keychain issue is not specific to network homes. The issue occurs on all types of accounts except local users. I tested mobile, network and external accounts - same issue!

     

    Apple should fix this issue as soon as possible - this makes business users not happy
