Gerard Dirks

Q: Location of mail keychain for network user

Hello

I have some questions.

1) Can someone tell me why Apple changed the place where the keychains are stored?

In the past (10.6.8) you could travel around the network and log in with your password without any problems. The keychains were located at ~/Library/Keychains/login.keychain

After updating to 10.9 we ran into trouble. On every machine we need to enter the Mail passwords once for every user on every machine. This is a horror for us as administrators, because of testing them when they change their computer. The keychains are now stored in a folder ~/Library/Keychains/1898DB1B-91A8-5C56-B107-31F8960A52F3/. In this folder are 2 items: keychain-2.db & user.kb

So 2) What is the reason Apple did this? All our users are extremely angry about this. If it is a security reason they are mad. We have extremely complicated PWs which the users can't remember. The result is that most of the users changed their PWs to an extremely easy password.

After updating to 10.11.3 the storing of PWs doesn't work at all. Most of the keychains get corrupted. Because of the lack of a repair function in the latest Keychain Access our system isn't usable anymore.

I have 2 AppleCare cases open. No solution at all from Apple. One employee left the company because he refused to work anymore with this garbage software. Because of this we are discussing making a switch to Windows. Without working Mail we can't do any business.

We have another thread open for 2 1/2 years now and the suggestions there don't work:

Re: Re: Mavericks Server Keychain not properly storing information network users.

Can someone explain the strategy why Apple changed "a running system" (10.6.8) and produced such garbage?

Mac Pro, OS X Mavericks (10.9.5), OS X Server 3.2.2

Posted on Jun 12, 2016 6:40 AM


  • by John Lockwood,

    John Lockwood, Jun 13, 2016 3:15 AM, in response to Gerard Dirks
    Level 6 (9,225 points)
    Servers Enterprise

    The apparent original reason for this was Apple's implementation of a new feature at the time of Mavericks to sync keychain information via a user's iCloud account. However, even if iCloud has not been enabled, Apple still uses this new keychain approach, and this applies not only to Mavericks but also to Yosemite and El Capitan.

    Lots and lots of people have complained about keychain related issues in Mavericks, Yosemite, and El Capitan when using Network Home Directories like you, me and many others.


    There are actually several related keychain problems with network home directories, but the file path you describe, which prevents simply hot-desking to another Mac, is down to the fact that the file path is now machine specific: that long number is the unique UUID of a specific Mac. In theory, if it was renamed to the UUID of the new Mac, the keychain inside it would then work; however, this is extremely impractical in real-world use. It may be that if you were able to use iCloud keychain syncing for your users then this would, as Apple intends, get round this specific problem.

    Note: The thread you referred to does include suggestions which help alleviate some keychain and network home directory issues in Mavericks, Yosemite and El Capitan but does not help with hot-desking.


    If it is any consolation, this problem seems to mainly affect Apple Mail, Apple Contacts, and Apple Calendar. It may be that if you used an alternative, e.g. Microsoft Outlook, you might not be affected. Of course Microsoft Outlook is not suitable for everyone.
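The per-machine folder described in this reply lends itself to a quick administrative check before a user is sent to a new desk. The following script is an added example for this page; it is not code from the thread or from Apple. It assumes only the layout the thread reports (~/Library/Keychains/<hardware UUID>/keychain-2.db) and reads the local Mac's hardware UUID with the real macOS tool ioreg; the function names and exit codes are mine.

```shell
#!/bin/sh
# Added example: report whether a network home already holds a keychain
# folder for the Mac it is being opened on. Layout assumed from the thread:
#   $HOME/Library/Keychains/<hardware UUID>/keychain-2.db

# Print this Mac's hardware UUID (macOS only; ioreg and the
# IOPlatformExpertDevice class are standard on macOS).
host_uuid() {
    ioreg -rd1 -c IOPlatformExpertDevice | awk -F'"' '/IOPlatformUUID/ { print $4 }'
}

# Print the UUID-named keychain folders found under a home directory,
# one per line. Returns 1 when there are none.
list_keychain_uuids() {
    home_dir="$1"
    found=0
    for d in "$home_dir"/Library/Keychains/*/; do
        [ -d "$d" ] || continue          # unexpanded glob when nothing matches
        name=$(basename "$d")
        case "$name" in
            [0-9A-Fa-f]*-[0-9A-Fa-f]*-[0-9A-Fa-f]*-[0-9A-Fa-f]*-[0-9A-Fa-f]*)
                printf '%s\n' "$name"
                found=1 ;;
        esac
    done
    [ "$found" -eq 1 ]
}

# Classify the home directory for a given hardware UUID (exit codes are mine):
#   0  a keychain folder for this Mac exists, so Mail should find its passwords
#   2  folders exist, but only for other Macs (the hot-desking case)
#   3  no per-machine keychain folder at all (first login anywhere)
keychain_status() {
    home_dir="$1"
    uuid="$2"
    if [ -f "$home_dir/Library/Keychains/$uuid/keychain-2.db" ]; then
        printf 'match: %s\n' "$uuid"
        return 0
    fi
    if list_keychain_uuids "$home_dir" >/dev/null; then
        printf 'only other Macs'"'"' keychain folders present:\n'
        list_keychain_uuids "$home_dir"
        return 2
    fi
    printf 'no per-machine keychain folder found\n'
    return 3
}

# Usage on a Mac: keychain_check.sh /Network/Home/username
if [ "$(uname)" = "Darwin" ] && [ -n "${1:-}" ]; then
    keychain_status "$1" "$(host_uuid)"
fi
```

Run it against the mounted network home of the user who is about to move desks; exit code 2 is the situation the thread complains about, and tells the administrator in advance that the Mail password prompts will reappear on that Mac.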

  • by Gerard Dirks,

    Gerard Dirks, Jun 13, 2016 3:57 AM, in response to John Lockwood
    Level 1 (38 points)
    Desktops

    Thanks for your detailed answer.

    iCloud is a "no go" in an enterprise environment. It is not practical, has a lot of bugs, and we have no interest in using more human resources for managing all the administrative stuff related to iCloud and Apple ID.


    We did some testing with some e-mail clients. The best was Thunderbird; it works like it should (as Apple Mail under 10.6.8). If you set up one network user on one machine it works on all other machines. M$ Outlook is also a "no-go", because it saves everything in a container format; it is not practical to use it with Time Machine on a server.

    So if Apple has no intention to fix these issues we will swap to Thunderbird.

    Gérard

  • by John Lockwood,

    John Lockwood, Jun 13, 2016 5:09 AM, in response to Gerard Dirks
    Level 6 (9,225 points)
    Servers Enterprise

    That's good news regarding Thunderbird; the reason I am guessing it works is that it likely still uses the standard login keychain, which is not linked to iCloud, rather than the iCloud-compatible 'local items' keychain that Apple Mail uses.

    As you are probably aware, there are various plugins for Thunderbird to add support for CalDAV for calendars and CardDAV for contacts; with those you would have almost as good a solution as Apple Mail, Calendar, and Contacts.