
Mavericks Server Keychain not properly storing information network users.

OS 10.9.1, Server 3.0.2. Clients OS 10.9.1 bound to server Open Directory and managed with Profile Manager. 10.6.8 Mail server bound to 10.9.1 server Open Directory. Messages is running on the 10.9.1 server which hosts the users.


Changeip -checkhostname indicates DNS is correct for the server. Server is running on a FQDN, no .local or other DNS issues.


For everything below: the Keychain for any of the users does not need to be repaired.


Generally things are going well with one exception which is a big problem.


Each time a network user logs in and tries to use either Mail (to connect to our mail server via IMAP) or Messages, they are prompted for passwords. Messages takes the password and logs in. Mail acts as though the password was incorrect and asks for it again; it does not pass the connection to the mail server. There is no trace of the attempted login in the mail server logs.


Functional workarounds:


1 - OS reinstall allows immediate login on the mail server and connections as expected. This is a little too much for day to day use.


2 - (From somewhere in the forums forgot who, sorry), User login, go to User's network home/Library/Keychains and move any keychains with long strings of letters and numbers as name to another folder or put in trash, immediately reboot, User login again, enter passwords in Mail, immediate connection to mail server and expected behavior from Mail.app.


As a network user machine in a multi user environment, the next user will have to repeat the entire procedure above, including the reboot, to get access to the contents of the mail server. The first user in the example above will have to repeat it, if they come back to the same machine and log in again.


This is what we are doing now. It appears that it would work on a personal machine with local users and has solved a lot of issues in the forum. It is helping but does not solve the keychain problem for network users.


Does anyone have any advice?


Thanks.


-Erich

OS X Server

Posted on Jan 10, 2014 6:34 PM
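Workaround 2 above as a script, added here as an example and not code from the original post or from Apple: it finds the entries in a home's Library/Keychains whose name is a long run of letters, digits and dashes (the machine-specific keychain folders), and moves them into a dated folder next to Keychains instead of the trash, so the step can be undone. The home directory path, the "at least 20 characters, no dot" name test and the Keychains-moved-<stamp> folder name are assumptions of this example.

```shell
#!/bin/sh
# Added example: workaround 2 from the first post (move the keychains with
# long letter-and-number names out of ~/Library/Keychains) as a script.
# Assumption: a name of 20+ characters from A-Za-z0-9- with no "." is such a
# keychain folder; named keychain files (login.keychain) keep their suffix.

# Print, one per line, the entries in $1/Library/Keychains that look like a
# machine-specific keychain folder.
machine_keychains() {
  for p in "$1"/Library/Keychains/*; do
    [ -e "$p" ] || continue                 # empty or missing directory
    n=$(basename "$p")
    case $n in
      *.*) continue ;;                      # login.keychain, metadata.keychain, ...
    esac
    if printf '%s' "$n" | grep -q -E '^[A-Za-z0-9-]{20,}$'; then
      printf '%s\n' "$n"
    fi
  done
}

# Move everything machine_keychains finds into Library/Keychains-moved-<stamp>
# (stamp = $2, default: current date and time) and print how many were moved.
# Nothing is deleted, so the move can be reversed if saved passwords are needed.
move_machine_keychains() {
  home=$1
  stamp=${2:-$(date +%Y%m%d-%H%M%S)}
  dest="$home/Library/Keychains-moved-$stamp"
  count=0
  for n in $(machine_keychains "$home"); do
    mkdir -p "$dest"
    mv "$home/Library/Keychains/$n" "$dest/" && count=$((count + 1))
  done
  echo "$count"
}

# Usage: run this as the affected user with the network home as argument,
# then reboot and log in again as the post describes.
if [ $# -ge 1 ]; then
  move_machine_keychains "$1"
fi
```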

Question marked as Top-ranking reply

Posted on Jan 28, 2017 12:32 PM

It is our experience that it is still a problem, in fact several different problems. 😟


Whilst there are many issues two of the major ones are -


  1. The 'new' local items keychain used for Apple programs' passwords, e.g. Mail, Contacts, etc., is stored in a per-machine-specific folder, rendering it unusable for hot-desking.
  2. Each new version of OS X has increased the use of SQLite databases to store settings and data, and when used over a network, as with network home directories, these either get corrupted or locked so they cannot be used, making programs like Mail, Contacts, and even Safari unusable. Recent new uses include the local items keychain itself and the new suggestions database for Spotlight and for looking up contacts and calendar entries in emails etc.


While I am still in the process of reporting these issues to Apple, especially the new SQLite problems, I am in the process of changing all our users and giving up on network home directories. 😟

278 replies

Oct 21, 2015 2:47 AM in response to Erich Wetzel

Hi Erich,


I've been watching this thread since the beginning of last year when I first came across this frustrating issue. I even contacted Apple Support and shared with them my experiences. They assured me this issue was on the top of their list to fix. I eventually gave up and decided to stay with Mountain Lion for all our clients. But, a few days ago I decided I'd test El Capitan clients with my current server setup (Server 5.0.4 running on Yosemite). I performed two clean installs (not upgrades) of El Capitan. So far, I have not experienced the issue I had with the local items keychain that I did with Mavericks and Yosemite clients. When a user password is changed, I now get the "The system was unable to unlock your login keychain" upon the next login attempt; I'm able to enter my old login password and everything seems to be fine. This popup dialogue seemed to be missing in the past when I experienced the issues with the local items keychain. I may be jumping the gun here and this issue may raise its ugly head again sometime soon, but have you tried testing with clean installed 10.11 clients?



Nov 9, 2015 8:40 AM in response to gohara709

Hello


Apple has no intention to fix this problem. It first occurred with 10.9.2. Now with 10.11.1 the problem is still there. So in 1 1/2 years they haven't used their resources to fix this bug! The only thing they do is delete comments about this issue in this forum?


I have lost hope that Apple will fix it; they probably have other priorities!!! Maybe schools are not interesting enough anymore, or they will push the schools to use iPads?


The best thing is for everyone to complain via the feedback link on the Apple site. The more who complain, the better. URL: www.apple.com/feedback/


Regards

Gérard


p.s. What is your location? US or Europe (German speaking Areas)?

Nov 9, 2015 10:21 AM in response to Gerard Dirks

Gerard,


I sympathize with your frustration and am probably at a similar level since I started this thread at the beginning of 2015. However, the use agreement for this site (Apple Support Communities Use Agreement) does give Apple the right to do what they wish as it is their property. The messages they have removed were ones that complained about their policies or suggested what they would or would not do, which goes against the policy of the site listed, specifically:


Submissions

Stay on topic. Apple Support Communities is here to help people use Apple products and technologies more effectively. Unless otherwise noted, do not add Submissions about nontechnical topics, including:

  1. Speculations or rumors about unannounced products.
  2. Discussions of Apple policies or procedures or speculation on Apple decisions.



We, as outsiders, can't possibly know their internal policies or what they plan to do or what they may be doing. We need your voice too. Please try to keep the comments tempered so that they stay in the discussion.


That said, I have reached out to someone at Apple outside of the usual call center who indicated that they have been able to take this issue to the software development team which would be responsible for this issue. I do not know what will happen next but it is another way of attempting to address the problem.


-Erich

Nov 17, 2015 11:59 PM in response to Erich Wetzel

Hello Guys!


So - because Apple ignores this bug, we have to think about how to get around it.


I played around with LoginHook and I think I've found a solution. The problem is to find out which user is logged in and which user just logged out.


So here is my idea:

A LogoutHook starts a script that collects every user that has processes running and compares it to a list of users that have a process named "Finder.app" running. Every process of a user (with some exceptions, like system users, etc.) that has no "Finder.app" running gets killed.

There are some problems, for example if you are logged in via ssh you will get kicked out as soon as the current console user logs out.


And here is what I have done:

sudo defaults write com.apple.loginwindow LogoutHook /usr/local/bin/scripts/logout_helper.sh


This is "logout_helper.sh":

#!/bin/bash
LOG=/Users/Shared/logout_helper.log
DATE=`date`
echo LOGOUTEVENT - $DATE >> $LOG
/usr/local/bin/scripts/kill_left_running.sh &


And this is "kill_left_running.sh"

#!/bin/bash
# C & E Mediensysteme GmbH, Christoph Ewering 20151117
# Things Apple should fix but does not :-(

# Find out who has logged out
# We are looking for processes that run as USER but this USER has no Finder running

# Find every user but ignore system users and special users
# 1. Get every process and extract the user
# 2. remove row title "USER"
# 3. remove every system user (usernames that start with "_")
# 4. remove users that are listed in /var/root/users_to_ignore.txt, for example "root" or "postgres"
# 5. sort the users and make every item in the list unique
USERLIST=`ps aux |awk '{print $1}' |grep -v USER |grep -v '^_' |grep -v -f /var/root/users_to_ignore.txt |sort |uniq`

# Now we look for users that are running a process called "Finder"
USERLOGGEDIN=`ps aux |grep Finder.app |grep CoreServices |awk '{print $1}' |sort |uniq`

# a user that is in USERLIST but not in USERLOGGEDIN still has processes running but is no longer logged in
for USER in $USERLIST; do
    # USERLOGGEDIN can hold more than one name (fast user switching), so test for an
    # exact line match instead of comparing the whole list against one name
    if ! echo "$USERLOGGEDIN" | grep -q -x "$USER"; then
        # User has no Finder running, every other process of this user should be stopped
        # Get all still running processes of the user that is logged out
        PROCLIST=`/bin/ps -o pid -u $USER |grep -v PID`
        logger "User $USER has still `/bin/ps -o pid -u $USER |wc -l` processes running, trying to stop them NOW."

        # Dear processes, would you be so kind as to stop your work, please?
        for PROC in ${PROCLIST}; do
            #echo kill -15 $PROC
            /bin/kill -15 $PROC
        done

        /bin/sleep 3

        # PROCESSES - SHUT UP!
        PROCLIST=`/bin/ps -o pid -u $USER |grep -v PID`
        logger "User $USER has still `/bin/ps -o pid -u $USER |wc -l` processes running, kill them NOW."
        for PROC in ${PROCLIST}; do
            #echo kill -9 $PROC
            /bin/kill -9 $PROC
        done
    fi
done


And the exception file "/var/root/users_to_ignore.txt" contains this:

postgres
root
nobody


I did no intensive testing, I am not an experienced bash script writer and there are some other problems from Apple's side.

For example, it is unknown how long the system will support the LogoutHook mechanism, and I've read that a LogoutHook has to be fast or it gets killed by the system. But AFAIK my testing shows that the above works.


Improvements are highly appreciated


Thanks, bye,

Christoph
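The user-selection step of the kill_left_running.sh script above, isolated so it can be checked on a sample listing before it is wired to a LogoutHook. This is an added example and not Christoph's code: it reads a `ps aux`-style listing passed as text (user in column 1, command last) and an ignore list given as whitespace-separated names, both assumptions of this example (the script itself reads live `ps` output and a file).

```shell
#!/bin/sh
# Added example: the "owns a process but has no Finder" test from the thread's
# kill_left_running.sh as a function over a ps listing given as text.
# Assumptions: `ps aux` column layout; ignore list as whitespace-separated names.

# Print, one per line and sorted, the users that own a process but no Finder.app,
# skipping users whose name starts with "_" and users on the ignore list.
leftover_users() {   # $1 = ps listing, $2 = ignore list
  printf '%s\n' "$1" | awk -v ignore="$2" '
    BEGIN {
      n = split(ignore, names, /[ \t\n]+/)
      for (i = 1; i <= n; i++) if (names[i] != "") skip[names[i]] = 1
    }
    NR == 1 { next }                            # header row ("USER PID ...")
    $1 ~ /^_/ || ($1 in skip) { next }          # system users and ignore list
    { owner[$1] = 1 }
    # same two-pattern test as the script: the script'"'"'s own "grep Finder.app"
    # process matches the first pattern alone, never both
    /Finder\.app/ && /CoreServices/ { finder[$1] = 1 }
    END { for (u in owner) if (!(u in finder)) print u }
  ' | sort
}

# Constructed sample listing: user1 is still at the desktop (Finder running),
# user2 logged out but left two agents behind (the ones a later post reports),
# the rest are system or ignored accounts.
PS_SAMPLE='USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
root 1 0.0 0.1 2528 1024 ?? Ss 9:00AM 0:01 /sbin/launchd
user1 412 0.1 1.0 9000 5000 ?? S 9:05AM 0:02 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
user1 420 0.0 0.5 8000 3000 ?? S 9:05AM 0:01 /usr/sbin/cfprefsd agent
user2 501 0.0 0.5 8000 3000 ?? S 8:10AM 0:01 /usr/sbin/distnoted agent
user2 503 0.0 0.4 7000 2000 ?? S 8:10AM 0:00 /usr/sbin/cfprefsd agent
_spotlight 610 0.0 0.3 6000 2000 ?? S 8:00AM 0:00 /System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Support/mdworker
postgres 700 0.0 0.2 5000 1000 ?? S 8:00AM 0:00 /usr/bin/postgres
nobody 710 0.0 0.2 5000 1000 ?? S 8:00AM 0:00 /usr/sbin/mDNSResponder'
IGNORE_SAMPLE='postgres root nobody'

# With the sample above this prints only "user2": the account whose leftover
# processes the thread's script would go on to signal.
leftover_users "$PS_SAMPLE" "$IGNORE_SAMPLE"
```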

Nov 20, 2015 9:44 AM in response to Christoph Ewering1

So here is my first experience with this script - installed at customers site


I found a computer where only one user was logged in but four users still had processes running - installed my script - logged out the user and voila, my ssh session died 😊 - but that was expected.


Here is what is logged into system.log:

grep processes /var/log/system.log

Nov 20 18:23:03 mymac.atmysite.de mymac[29560]: User user1 has still 16 processes running, trying to stop them NOW.

Nov 20 18:23:06 mymac.atmysite.de mymac[29598]: User user1 has still 10 processes running, kill them NOW.

Nov 20 18:23:06 mymac.atmysite.de mymac[29615]: User user2 has still 18 processes running, trying to stop them NOW.

Nov 20 18:23:09 mymac.atmysite.de mymac[29647]: User user2 has still 16 processes running, kill them NOW.

Nov 20 18:23:10 mymac.atmysite.de mymac[29669]: User user3 has still 15 processes running, trying to stop them NOW.

Nov 20 18:23:13 mymac.atmysite.de mymac[29697]: User user3 has still 13 processes running, kill them NOW.

Nov 20 18:23:13 mymac.atmysite.de mymac[29716]: User user4 has still 14 processes running, trying to stop them NOW.

Nov 20 18:23:16 mymac.atmysite.de mymac[29739]: User user4 has still 11 processes running, kill them NOW.

Nov 20 18:23:16 mymac.atmysite.de mymac[29756]: User user5 has still 2 processes running, trying to stop them NOW.

Nov 20 18:23:19 mymac.atmysite.de mymac[29770]: User user5 has still 2 processes running, kill them NOW.


As you can see, it takes about 3 seconds to stop the processes for one user (the sleep period in my script).


Now I try to move a few local users back to the server.


Bye,

Christoph

Nov 28, 2015 12:15 AM in response to Christoph Ewering1

Hello Christoph


The more threads this issue gets, the more I think it is an issue which has to do with a "German-language based system". In the script I found your comment and can locate your company as based in Germany (Paderborn).


I don't know if your system runs in German or English, but maybe the language is not the source of the problem but the kind of keyboard settings (input sources or formats). What I suggest is that maybe these settings prevent the system from running the correct logout scripts.


Also I would like to thank you for your efforts in getting to the bottom of this issue. But I have some additional questions:

1) Is your script planned to run on every client or to start it manually from one particular machine?

2) Is there a way to implement it on every running client without having a lot of scripting or programming experience?


Thanks

Gérard

Nov 28, 2015 4:43 AM in response to Robert Hrovat

Hello Robert!


I saw that when my script kills the mdworker processes for a user these processes are started again by the system, but in my experience these mdworker processes stop after a few seconds or minutes - so no problem.

Why they are started by the system even though the user logged out - I do not know - this is something Apple should sort out.


I just checked a system where I had installed my script - you are right, I found two processes for every user that had logged in and out since the last reboot:

1. /usr/sbin/distnoted agent

2. /usr/sbin/cfprefsd agent


Very strange - maybe the time between "kill -15" and "kill -9" should be increased so the system does not start processes automatically?


I still do not know if my script solves the problem with the keychain.


But for my understanding there should be no user process when the user logs out.


Bye

Christoph
