Mavericks Server Keychain not properly storing information network users.

It is our experience that it is still problem, in fact several different problems. 😟

Whilst there are many issues two of the major ones are -

1. The 'new' local items keychain used for Apple programs passwords e.g. Mail, Contacts, etc. is stored in a per machine specific folder rendering it unusable for hot-desking
2. Each new version of OS X has increased the use of SQLite databases to store settings and data and when used over a network as with network home directories these either get corrupted or locked so they cannot be used making programs like Mail, Contacts, and even Safari unusable, recent new uses include local items keychain itself and the new suggestions database for spotlight and looking up contacts and calendar entries in emails etc.

While I am still in the processing of reporting these issues to Apple especially the new SQLite problems I am in the process of changing all our users and giving up on network home directories. 😟

Hello there,

I kind of gave up on this and forced my users to work with local accounts.

When changing their desk they have to carry their iMacs under there arms to the new location which is very annoying.

Now I am thinking about upgrading from Yosemite to Sierra (Server and clients).

The question is:

Can I dare to set up network accounts again or will this again lead into chaos.

Please share your experiences!

Best regards from Nuremberg, Germany

Martin

here it is again 🙂 no profanity 🙂

Hi all,

I have given up on Network Homes and have pushed all our students to use Guest login, with a bit of scripting and tweaking of the skeleton folders for Guests, i have managed to have some things changed as we need them to be changed.

Downside to guest is that the students need to enter password every time they login, but at least Office, Adobe, Dropbox, Firefox and the rest will work as expected....

Shame on Apple for allowing this sort of "thing" to go on and on for last 4 years, but i guess they want us all to move to Windows!!

All our server as of this year are now on Windows and Linux, so no more Apple Server apps for us... what was that app about anyway... Rant over

in short, don't use Network Homes, think creatively and don't use Apple server app no more, Windows Server works and has not changed functionality for last 17 years!!

Adi

Just to make it clear to everyone, whilst a Windows or Linux server might be more reliable as a file server for network home directories it will not fix the many issues involved with network home directories including the fact that the local items keychain is machine specific, and the fact that SQLite databases as used by the local items keychain, Safari, Mail, Contacts, and Suggestions/Spotlight get either corrupted or locked. 😟

(I have already tried a Linux server.)

Hi John,

you are completely right it will not solve any Network Home issues we have been talking about here... What i am saying, is that Linux or Windows server will do everything better than the Apple's Server App in any network environment and as a network administrator/systems admin/whatever you call yourself, we need to stop thinking that Apple is going to solve this, because they will not, and start thinking more creatively to allow yourself a smooth network operations and satisfied users.

I still have one Apple Server App running, i need that for all Profile Manager bits and the scripts and the customization of 126 iMacs we have here. I am however using Linux servers for services for our 500 Students and Window Server for authentication.....

We have moved all our documents and learning materials into Office 365 and Moodle. We use SSO, so even though, passwords are only saved for a session that the Guest is logged on the computer for, it is one password that Students/Staff use to access all the services and servers they need.

Adi

So far the only workaround is reebooting client machines everytime a network user stops using a client machine, not the best solution but at least lets you work.

Hector

I have ran into the same problem, when is Apple going to fix this!

I am running the server as a domain not .local and I am seeing all of these keychain issues. What a disaster!!!!!

Same problem here too. Even with a .local and without it is the same problem.

Just spoke to Apple Enterprise Support...

~/Library/Keychains/ holds a keychain with the name of the UUID of the sopecific machine you have logged into.

I removed all items ~/Library/Keychains/ and logged out/in, I had to enter the password once, and the issue seemed to go away. I checked the Keychain App and the passwords did list in there. I have logged out and in again since, and the issue seems to have gone away...

Apple also suggested using iCloud to sync Keychains, but this would be unpractical for a large number of users. We have 7 or so users, so this isnt a major concern, but I will give this a go next. What this will do, is still create a keychain with the UUID of the machine, but then also an iCloud keychain and sync the keychain data between them.

can give it a try...but according to the suggestion of Apple, I used the iCloud Keychain at first, but because Keychain and iCloud sync was screwed in the beginning it was best not to use it. First of all it has to work locally in one profile which is stored on the server. When this is working I will try the iCloud Keychain again.

Apparantly Apple are working on a new method which would not require iCloud for syncing Keychains, but I very much doubt that will be a quick fix. I submitted information too, so will wait and hear what they say. Interesting you say about another network user logging in, after you said that I tried it and sure enough it did re-occour. It's so frustrating!!! Thanks for the info so far though, glad to see im not the only one with these issues!

Rob

Well for me it did not solved anything. I just deleted the whole Keychains directory. Relogin and tried to enter the passwords for the mail accounts. I had to re-enter it again and again. Nothing worked. I just checked the server where my mail accounts are located. When I tried to login from laptop through the profile stored on my server the login information is empty. When I login with the account on the server where the profile is located and I use my mail program, then everything works fine. The login information at the mail server is correct. So it seems that mail and the server profile has some problems working together.

Yes.

I'm using 10.9.1 on server and clients, using OD and Profile Manager to push email configure to the clients. I am however using an external mail sever, I don't think the mail is the issue, as I also have problems getting Calendar and Contacts passwords to "stick". It looks like a more general Profile Manager, Network User, Keychain issue. Local user accounts are not affected.

Removing the keychain only seems to be a very temporary fix.

I have moved all clients to local users until this problem is fixed. Does anybody know if I don't use profile Manager to push mail config to the clients, does the problem still occur?