
Mavericks Server Keychain not properly storing information network users.

OS 10.9.1, Server 3.0.2. Clients OS 10.9.1 bound to server Open Directory and managed with Profile Manager. 10.6.8 Mail server bound to 10.9.1 server Open Directory. Messages is running on the 10.9.1 server which hosts the users.


Changeip -checkhostname indicates DNS is correct for the server. Server is running on a FQDN, no .local or other DNS issues.


For everything below: the Keychain for any of the users does not need to be repaired.


Generally things are going well with one exception which is a big problem.


Each time a network user logs in and tries to use either Mail (to connect to our mail server via IMAP) or Messages, they are prompted for passwords. Messages takes the password and logs in. Mail acts as though the password was incorrect and asks for it again; it does not pass the connection to the mail server. There is no trace of the attempted login in the mail server logs.


Functional workarounds:


1 - OS reinstall allows immediate login on the mail server and connections as expected. This is a little too much for day to day use.


2 - (From somewhere in the forums, forgot who, sorry): User logs in, go to the user's network home/Library/Keychains and move any keychains with long strings of letters and numbers as their name to another folder or put them in the trash, immediately reboot, user logs in again, enter passwords in Mail, immediate connection to the mail server and expected behavior from Mail.app.


On a network user machine in a multi-user environment, the next user will have to repeat the entire procedure above, including the reboot, to get access to the contents of the mail server. The first user in the example above will have to repeat it if they come back to the same machine and log in again.


This is what we are doing now. It appears that it would work on a personal machine with local users and has solved a lot of issues in the forum. It is helping but does not solve the keychain problem for network users.


Does anyone have any advice?


Thanks.


-Erich

OS X Server

Posted on Jan 10, 2014 6:34 PM

Question marked as Top-ranking reply

Posted on Jan 28, 2017 12:32 PM

It is our experience that it is still a problem, in fact several different problems. 😟


Whilst there are many issues, two of the major ones are:


  1. The 'new' local items keychain used for Apple programs' passwords (e.g. Mail, Contacts, etc.) is stored in a per-machine-specific folder, rendering it unusable for hot-desking.
  2. Each new version of OS X has increased the use of SQLite databases to store settings and data, and when used over a network, as with network home directories, these either get corrupted or locked so they cannot be used, making programs like Mail, Contacts, and even Safari unusable. Recent new uses include the local items keychain itself and the new suggestions database for Spotlight and for looking up contacts and calendar entries in emails etc.


While I am still in the process of reporting these issues to Apple, especially the new SQLite problems, I am in the process of changing all our users and giving up on network home directories. 😟

278 replies

Nov 28, 2015 5:00 AM in response to Gerard Dirks

Hello Gerard!


I hope we left these language-based errors behind with the beginning of OS X. But it is possible.


I still do not understand what is going on and what leads to this error. Only Apple can debug and fix this bug. I filed 3 or 4 bug reports at bugreport.apple.com; the only reaction so far (if any reaction at all) - all duplicate bug reports - nothing fixed until now. 😢


All the systems I am responsible for are running with the language set to German.


Now to your questions:

1.) The script has to be run at every client and has to be set up and installed locally at the client - it is started by the LogoutHook.

2.) I used Apple Remote Desktop to distribute it to a network of 40-50 Macs connected via VPN - it took less than 10 minutes for the install. But every step has to be done by hand - I have no installer at the moment.


Bye,

Christoph

Nov 28, 2015 5:12 AM in response to Christoph Ewering1

Hello!


Just a short note about the /usr/sbin/cfprefsd agent - it seems to me that the OS starts such a process for every local user.


I killed this process of a user that was running on a computer where my script is set up, but after a few minutes the process was running again - so the OS starts this process again. Why the **** does it behave this way - this is stupid!


cfprefsd has something to do with preferences - but why do I have to run a process for user preferences when the user isn't logged in?


Bye,

Christoph

Nov 28, 2015 6:43 AM in response to Christoph Ewering1

Hello Christoph


Thanks for your personal answer. I still have some questions about 2).


No problem using Apple Remote Desktop. I think you sent it with "Send UNIX Command".


But now my additional question. Let's take the following example. We have 26 Macs installed (e.g. cA … cZ). On every computer a local administrator is installed (e.g. aA … aZ). Now we have 40 network-based users (e.g. n1 … n40).

Do I need to send this script only 26 times, to every administrator, or do I need to send it to every user n1 to n40 on each computer? The latter would mean I have to send the command about 1040 times :-(( (analogous to the entry of the e-mail password in the Keychain, which we need to configure for every user on every computer).


Did you send the command as plain text or as a file to the computers? I suppose you can send the command to all 26 computers at once by adding them to the window at the bottom of "Send UNIX Command", but this will only be helpful if you can send them to the local administrator and not to all the 40 network users.


Gérard


p.s. Maybe it is easier to send the answer in German because nearly all the listeners in this thread are German-based, but this will probably violate the rules of Apple :-(

Nov 29, 2015 10:39 AM in response to Gerard Dirks

Hello Gérard!


This script has to be installed on every computer and has nothing to do with a single user account. It is like "Finder.app", which resides on every computer only once and is not installed in every user's home directory. You don't have to install the files in any user's home directory because it is run when a user logs out and the connection to the user's home directory is terminated.


I used the commands "Send UNIX command" and "Copy object" - that's all.


So for your example you send the commands and files to 26 macs.


BTW, you can send an email to me from my firm's homepage.


Bye,

Christoph

Dec 4, 2015 11:38 AM in response to Christoph Ewering1

Christoph,


I am much weaker at scripting than you are and I have tried to implement your scripts on a 10.11.1 machine. I fail almost immediately as I try to write /usr/local/bin/scripts/logout_helper.sh.


I do not appear to have /usr/local/bin/ as a folder. So I dropped /bin and put it in /usr/local/scripts/logout_helper.sh, as I did with the kill_sed.sh script from much earlier in the discussion. I updated all of the other file paths to have logout_helper.sh and kill_left_running.sh there.


When I run the script manually with "sudo /usr/local/scripts/logout_helper.sh" I get a "command not found" error. When I do the same with the old kill_secd.sh in the same location, it runs.


Suggestions?

Dec 5, 2015 6:36 AM in response to Erich Wetzel

Hello Erich!


If you do not know how to create the right directories, maybe this workaround is not for you - it could be dangerous to use it if you do not understand what it does.

But well - I'll explain it:

I created the path with "sudo mkdir -p /usr/local/bin/scripts", and when you get "command not found" it looks like you did not copy the whole script for logout_helper.sh.

Check if it starts with "#!/bin/bash" and if you set the unix access rights with "sudo chmod 755 /usr/local/bin/scripts/logout_helper.sh" so the script is executable.


What happens when you run the script "/usr/local/bin/scripts/kill_left_running.sh"?


Bye,

Christoph


P.S. I just read your comment once again; it is okay to change the path as you like - it should not interfere with the scripts as long as you change all references.

Dec 5, 2015 1:41 PM in response to Erich Wetzel

Hi Erich

Perhaps it helps how I solved it:


I logged into my MasterMac (10.11.1) as root and went to /usr/local.

There I created the folder /bin and then the folder /scripts.

I used TextWrangler as text editor, copied and pasted Christoph's shell scripts into two documents and saved them with their correct names into /usr/local/bin/scripts.


At the end I ran the command "sudo defaults write com.apple.loginwindow LogoutHook /usr/local/bin/scripts/logout_helper.sh" in Terminal - and that was it.

Dec 7, 2015 6:47 AM in response to Robert Hrovat

Just to add to the discussion - we've also got this issue in the UK 🙂


I work in a school with 4 classrooms, each with 22 iMacs, and we often have keychain issues - whilst investigating it today I discovered the secd process running for logged-out users and then came across this thread.


Without reading through all 14 pages, what are the benefits of using the LogoutHook method, to kill those processes left behind after a user logs out, over killing just the secd process via a login script (apart from just generally ensuring redundant processes don't continue to run)?

Dec 7, 2015 8:39 AM in response to Christoph Ewering1

Just testing this: I've run chmod 755 on both shell scripts to allow them to be executed by all users; however, the kill_left_running.sh script cannot read the users_to_ignore.txt file, as read access to the contents of /var/root requires root access...


I might just amend the kill_left_running.sh script to point somewhere else and move the users_to_ignore.txt file there unless there is a particular reason to store this in /var/root?

Dec 7, 2015 8:43 AM in response to PVCSBlakey

Hello PVCSBlakey!


Both scripts are not meant to run as any user other than root!


The LogoutHook runs every script as root - and it has to be run as root, because one user cannot kill processes of a different user! And the user that just logged out obviously cannot run the script.


If you want to run kill_left_running.sh manually you have to run it with sudo.


Bye,

Christoph

Dec 7, 2015 1:59 PM in response to Christoph Ewering1

Thank you to everyone for the help.


Christoph and Robert: I was missing the access rights. So now when I run the script manually it does give the expected results.


Now I cannot get the script to run on each logout, which allows the user processes to pile up until I run the script again manually.


I ran "sudo defaults write com.apple.loginwindow LogoutHook /usr/local/bin/scripts/logout_helper.sh" but that did not help. My clients are managed and do have some custom settings pushed to them from Profile Manager, including the kill-secd script from earlier in this discussion. I redirected the logout hook in Profile Manager to /usr/local/bin/scripts/logout_helper.sh and pushed the new settings to the test client, and that did not solve it either.

Dec 7, 2015 2:44 PM in response to Erich Wetzel

Hello Erich!


If you use my "original" logout_helper.sh there's a line that logs to "/Users/Shared/logout_helper.log". I don't know what happens if this file does not exist.


Just create it with "sudo touch /Users/Shared/logout_helper.log" - and check if a logout of a user leads to a new message in this file. This shows that the LogoutHook is executed. The "kill_left_running.sh" logs to /var/log/system.log - so you should see some messages there.


Bye,

Christoph
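The LogoutHook clean-up the thread describes (a script run as root when a user logs out, skipping the users listed in /var/root/users_to_ignore.txt, logging to /Users/Shared/logout_helper.log) as an added example; this is not Christoph's logout_helper.sh or kill_left_running.sh. The function names are invented, and it relies on loginwindow passing the short name of the user logging out as the first argument to the hook.

```bash
#!/bin/bash
# Added example modelled on the LogoutHook approach in this thread; not the
# original scripts. Paths default to the ones mentioned by the participants.
IGNORE_FILE="${IGNORE_FILE:-/var/root/users_to_ignore.txt}"   # one user per line
LOG_FILE="${LOG_FILE:-/Users/Shared/logout_helper.log}"

log() { printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOG_FILE"; }

# Pure set arithmetic, so it can be checked offline: prints the process owners
# in $1 (one per line, duplicates allowed) that are neither still logged in
# ($2) nor listed as users to ignore ($3). root is always kept.
leftover_users() {
  local keep
  keep=$(printf 'root\n%s\n%s\n' "$2" "$3")
  awk -v owners="$1" -v keep="$keep" 'BEGIN {
    n = split(keep, k, "\n")
    for (i = 1; i <= n; i++) if (k[i] != "") skip[k[i]] = 1
    n = split(owners, o, "\n")
    for (i = 1; i <= n; i++)
      if (o[i] != "" && !(o[i] in skip) && !seen[o[i]]++) print o[i]
  }'
}

# Live version: owners of every process vs. users that still have a session.
current_leftovers() {
  local owners logged_in ignore
  owners=$(ps -Ao user= | awk '{print $1}')
  logged_in=$(who | awk '{print $1}')
  ignore=$(cat "$IGNORE_FILE" 2>/dev/null)
  leftover_users "$owners" "$logged_in" "$ignore"
}

# Must run as root (the LogoutHook does): one user cannot signal another
# user's processes. This is where a network user's leftover secd/cfprefsd go.
kill_leftovers() {
  local u
  for u in $(current_leftovers); do
    pkill -TERM -u "$u" && log "terminated leftover processes of $u"
  done
}

# Install once per machine, as in the thread:
#   sudo defaults write com.apple.loginwindow LogoutHook /usr/local/bin/scripts/logout_helper.sh
# loginwindow passes the logging-out user as $1; act only in that situation.
if [ -n "${1:-}" ] && [ "$(id -u)" -eq 0 ]; then
  log "logout of $1"
  kill_leftovers
fi
```

Run manually as "sudo ./logout_helper.sh testuser" to see the log line appear, which is the same check Christoph suggests for confirming the hook fires.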

Dec 7, 2015 7:52 PM in response to Christoph Ewering1

Christoph,


I like the idea but the log works fine. Each manual run I get the date and time of the logout event. I get nothing when actually logging out. User processes are all still running after the next user logs in. Going back to the admin user and manually running the script gives both the log entry and the killing of the rogue processes.


I have further removed all custom items from Profile Manager being applied to the group of computers I am testing on. Rebooted the server. Rebooted the client. Reapplied "sudo defaults write com.apple.loginwindow LogoutHook /usr/local/bin/scripts/logout_helper.sh" and still don't actually get anything on logout. I must be doing something to keep that from happening, but I cannot figure out what. Otherwise what you have done is working brilliantly for me when it is run manually. Thank you for taking the time to find an alternative.


I'll figure it out eventually.


Thank you also for continuing to help the rest of us to get this to work.
