Erich Wetzel

Q: Mavericks Server Keychain not properly storing information for network users.

OS 10.9.1, Server 3.0.2. Clients OS 10.9.1 bound to server Open Directory and managed with Profile Manager. 10.6.8 Mail server bound to 10.9.1 server Open Directory. Messages is running on the 10.9.1 server which hosts the users.

Changeip -checkhostname indicates DNS is correct for the server. Server is running on a FQDN, no .local or other DNS issues.

For everything below: the Keychain for any of the users does not need to be repaired.

Generally things are going well with one exception which is a big problem.

Each time a network user logs in and tries to use either Mail (to connect to our mail server via IMAP) or Messages, they are prompted for passwords. Messages takes the password and logs in. Mail acts as though the password was incorrect and asks for it again; it does not pass the connection to the mail server. There is no trace of the attempted login in the mail server logs.

Functional workarounds:

1 - OS reinstall allows immediate login on the mail server and connections as expected. This is a little too much for day to day use.

2 - (From somewhere in the forums, forgot who, sorry.) User login, go to the user's network home/Library/Keychains and move any keychains with long strings of letters and numbers as the name to another folder or put them in the trash, immediately reboot, user login again, enter passwords in Mail; immediate connection to the mail server and expected behavior from Mail.app.

As a network user machine in a multi user environment, the next user will have to repeat the entire procedure above, including the reboot, to get access to the contents of the mail server. The first user in the example above will have to repeat it, if they come back to the same machine and log in again.

This is what we are doing now. It appears that it would work on a personal machine with local users and has solved a lot of issues in the forum. It is helping but does not solve the keychain problem for network users.

Does anyone have any advice?

Thanks.

-Erich

OS X Server

Posted on Jan 10, 2014 6:42 PM

  • Erich Wetzel, Level 2 (341 points), Jan 10, 2014 7:01 PM, in response to Erich Wetzel

    Further details:

    Mail server is accessible and authenticates via a phone or a non-network user manually connecting a mail client.

    After successful login:

    Moved the mail account keychain password item from the "Local Items" keychain to the "login" keychain.

    Copy was successful, but Mail for the network users we are using is clearly looking at the Local Items keychain, because on next login Mail could not connect.

    Attempted to move the mail account password item back to "Local Items" and an error indicated that there is "no keychain available".

    Something is really wrong with this. I'd be OK with the system not keeping the password if it would just send it to the mail server. It is failing at trying to save it and simply never sending it along.

  • Hector Castillo, Level 1 (20 points), Jan 10, 2014 8:26 PM, in response to Erich Wetzel

    So far the only workaround is rebooting client machines every time a network user stops using a client machine. Not the best solution, but at least it lets you work.

    Hector

  • robertoraskovsky, Level 1 (0 points), Jan 29, 2014 3:21 AM, in response to Erich Wetzel

    I have run into the same problem, when is Apple going to fix this!

    I am running the server as a domain not .local and I am seeing all of these keychain issues. What a disaster!!!!!

  • toldor, Level 1 (35 points), Jan 29, 2014 3:49 AM, in response to robertoraskovsky

    Same problem here too. Even with a .local and without it is the same problem.

  • robertoraskovsky, Level 1 (0 points), Jan 29, 2014 4:05 AM, in response to robertoraskovsky

    Just spoke to Apple Enterprise Support...

    ~/Library/Keychains/ holds a keychain with the name of the UUID of the specific machine you have logged into.

    I removed all items in ~/Library/Keychains/ and logged out/in, I had to enter the password once, and the issue seemed to go away. I checked the Keychain app and the passwords did list in there. I have logged out and in again since, and the issue seems to have gone away...

    Apple also suggested using iCloud to sync Keychains, but this would be impractical for a large number of users. We have 7 or so users, so this isn't a major concern, but I will give this a go next. What this will do is still create a keychain with the UUID of the machine, but then also an iCloud keychain and sync the keychain data between them.
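The workaround given in the original post (workaround 2) and in this reply, moving the UUID-named keychain folders out of ~/Library/Keychains, as an added shell example that is not code from any poster in the thread: it lists the UUID-named entries and moves them into a backup folder instead of the trash, so the per-machine keychain can be restored if needed. The path and the UUID naming come from the thread; the function names, the default backup location and the UUID pattern (8-4-4-4-12 hex) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from any poster in this thread.
# Applies the thread's workaround conservatively: instead of trashing the
# per-machine keychain folders in ~/Library/Keychains (named with the machine's
# UUID, as the posts describe), it lists them and moves them into a backup
# folder so they can be restored. login.keychain and everything else stays put.
# Assumptions: the Keychains folder and backup folder are passed as parameters
# (the default below is this example's own), UUID names are 8-4-4-4-12 hex.

UUID_RE='^[0-9A-Fa-f]\{8\}-[0-9A-Fa-f]\{4\}-[0-9A-Fa-f]\{4\}-[0-9A-Fa-f]\{4\}-[0-9A-Fa-f]\{12\}$'

# Print the full path of every entry in DIR whose name is a UUID, one per line.
list_uuid_keychains() {
    dir="$1"
    for entry in "$dir"/*; do
        [ -e "$entry" ] || continue      # empty directory: the glob stays literal
        name=${entry##*/}
        if printf '%s\n' "$name" | grep -q "$UUID_RE"; then
            printf '%s\n' "$entry"
        fi
    done
}

# Move every UUID-named entry (file or folder) from DIR into DEST, creating
# DEST if missing, and print how many were moved. Other entries are untouched.
stash_uuid_keychains() {
    dir="$1"
    dest="$2"
    mkdir -p "$dest" || return 1
    count=$(list_uuid_keychains "$dir" | wc -l)
    list_uuid_keychains "$dir" | while IFS= read -r entry; do
        mv "$entry" "$dest"/ || exit 1   # exits only the pipeline subshell
    done || return 1
    echo $((count + 0))                  # strip wc's leading whitespace
}

# When run directly with arguments: stash_keychains.sh KEYCHAINS_DIR [DEST]
if [ $# -ge 1 ]; then
    stash_uuid_keychains "$1" "${2:-$HOME/keychain-backup-$(date +%Y%m%d-%H%M%S)}"
fi
```

Log out and back in after running it, as the posts describe; on the next login the user is asked for the account password once and a fresh per-machine keychain is created.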

  • toldor, Level 1 (35 points), Jan 29, 2014 4:11 AM, in response to robertoraskovsky

    Can give it a try... but according to the suggestion of Apple, I used the iCloud Keychain at first, but because Keychain and iCloud sync was screwed in the beginning it was best not to use it. First of all it has to work locally in one profile which is stored on the server. When this is working I will try the iCloud Keychain again.

  • Erich Wetzel, Level 2 (341 points), Jan 29, 2014 6:04 AM, in response to robertoraskovsky

    robertoraskovsky,

    That does solve the issue as long as another network user doesn't log in to the same computer. Once one does, you may have to delete keychains and start over again.

    I will not offload the security credentials of our users to iCloud. Not an acceptable solution to me. Just something else to worry about going wrong.

    They have requested some information from me on a bug report submission about this so we at least know that Apple is familiar with the problem.

  • robertoraskovsky, Level 1 (0 points), Jan 29, 2014 8:42 AM, in response to Erich Wetzel

    Apparently Apple are working on a new method which would not require iCloud for syncing Keychains, but I very much doubt that will be a quick fix. I submitted information too, so will wait and hear what they say. Interesting what you say about another network user logging in; after you said that I tried it and sure enough it did re-occur. It's so frustrating!!! Thanks for the info so far though, glad to see I'm not the only one with these issues!

    Rob

  • toldor, Level 1 (35 points), Jan 29, 2014 1:12 PM, in response to robertoraskovsky

    Well for me it did not solve anything. I just deleted the whole Keychains directory, re-logged in and tried to enter the passwords for the mail accounts. I had to re-enter it again and again. Nothing worked. I just checked the server where my mail accounts are located. When I tried to log in from the laptop through the profile stored on my server, the login information is empty. When I log in with the account on the server where the profile is located and I use my mail program, then everything works fine. The login information at the mail server is correct. So it seems that Mail and the server profile have some problems working together.

  • robertoraskovsky, Level 1 (0 points), Jan 29, 2014 2:11 PM, in response to Erich Wetzel

    Yes.

    I'm using 10.9.1 on server and clients, using OD and Profile Manager to push email configuration to the clients. I am however using an external mail server. I don't think the mail is the issue, as I also have problems getting Calendar and Contacts passwords to "stick". It looks like a more general Profile Manager / Network User / Keychain issue. Local user accounts are not affected.

    Removing the keychain only seems to be a very temporary fix.

    I have moved all clients to local users until this problem is fixed. Does anybody know, if I don't use Profile Manager to push mail config to the clients, does the problem still occur?

  • robertoraskovsky, Level 1 (0 points), Feb 11, 2014 3:33 PM, in response to Erich Wetzel

    Has anyone found a solution for this? I don't understand how there are not more people experiencing this issue. Surely it is a global issue with OD and network login?

  • Benjamin Losch, Level 1 (29 points), Mac OS X, Feb 12, 2014 2:52 AM, in response to robertoraskovsky

    I have this problem too; this is surely a global Mail/Calendar/Contacts/Internet Accounts problem.

    I posted the bug to Apple, let's see and hope for 10.9.2...

  • robertoraskovsky, Level 1 (0 points), Feb 12, 2014 3:30 AM, in response to Benjamin Losch

    How have you got around the issue for now? Local users?

  • Benjamin Losch, Level 1 (29 points), Mac OS X, Feb 12, 2014 4:06 AM, in response to robertoraskovsky

    Using Thunderbird until then...
