Mavericks Server Keychain not properly storing information network users.

BTW

Your are using the Profile Manager instead of the Workgroup Manager. I gave the Profile Manager a change but I want back to the WGM. I can't to all the control I did with the WGM. I can't understand why apple killed the WGM. The Profile Manager is in my opinion a PlayTool to configure only devices like iPhone & iPad

Gérard

Hi Erich

I agree with you - Profile Manager will be the future if we like it or not. But sometimes some settings can't be set without Workgroup Manager, that's why I still use it.

There's one thing everybody should know about WGM:

Although Apple sais that it isn't compatible with 10.10 or newer, it still is:

It's true, you can't install it on 10.10 or a newer system - the installer blocks the installation. But if you copy an installed version of WGM from a pre 10.10 system, it works, even under 10.11.1.

Robert

I use the WGM also in my test envoirement of 10.10 & 10.11. It works in general but when I contact Apple with a problem they refuse to help because the will not support it.

If they tell me how I can use all the features of WGM with the Profile Manager it will be fine, but I never find any comparise Table of both programs

The answer is no. The PM is a *******. I would lovely known why Apple killed such programs and replace them with this useless software. This is named as strategy, but nobody knows what the Apple Strategy is.

They had a smoothly Server 10.6.8 with Server Admin.app & WGM. Never had a problem. Now 5 years later we have a complete buggy envoirement with one of the bugs named in the title of this thread "Mavericks Server Keychain not properly storing" We always learn "never change a winning horse". But Apple change everything and I would say, none of the professional User are satisfy with it!

WHY? Arrogance, or are they really better. It learns they are not better because it doesn't work so the first will be the correct interpretation!!!

Hello

Yesterday I had an interesting talk with an supporter of the largest swiss-retial-chain. because of problems with one of their clients (a couple of hunderd macs) they escalate a case up to Cupertino.

Resume: Problem is not solved and will not be solved!!! The way of how we are working is a "cul de sac". This is not the way how Apple want that we working, with OpenDirectory, Network Users, etc. This is OK for me. The Problem I have with it is the way "they did not communicate this to their "large accounts" clients.

When you sold hunderds of mac to a client for project and afterward you hear this service will be discontinued, both has a real problem. The client has an not finished project and the dealer had to take this mac back he was not able to integrate this systems in the envoirement of the client

They, Apple, ignore the wishes of the clients, I don't know how to declare this correctly, but for me it is a sign of arrogance!

Gérard

BTW

I have not renew my developer status at Apple. It is a waste of time and money! This because in my opinion we are not working in a "cul-de-sac"-way, but Apple will be on a "cul-de-sac" with their Marketing & Innovation-Strategy!

Gérard

For those who don't believe it but are able to understand the german language! Here the answer from one of the Account Managers (from the largest Apple Reseller in Switzerland) to his Client!

Zitat:

Nun haben wir einen Fall via Apple-Schweiz bis Cupertino eskalieren lassen und die Sache ist klar: Apple weiss von den Problemen, wird sie aber nicht (wohl nie) beheben, da die Netzwerkaccounts nicht „ihrer Strategie“ entsprechen….(offiziell bestätigen wird das Apple nie, aber zumindest wir wissen nun, dass wir von Netzwerk- auf lokale Accounts wechseln müssen.

Regards

Gérard

Ich verstehe immer noch nicht warum das Apple dann im Server vorsieht das man Netzwerk Accounts verwenden kann wenn es sowieso nicht funktioniert.

We experienced this problem and setup a workaround before finding this forum post.

What we did was redirect ~/Library/Keychains to /Users/Shared/%@/Library/Keychains using MCXRedirector.

In Profile Manager, go to the device group of your computers, then go to custom settings and set this up:

We also redirect Cache and the Adobe folder in Application Support. That's what Item 0 and Item 1 are.

This permanently fixes the prompting for passwords, but it stores the keychain locally, so it won't travel to another computer.

If the keychain really is that important, we can copy it from one computer to the next.

This doesn't affect us much since our users typically only use one computer. We will only have to restore the keychain if we give them a new computer.

Nice Workarround

In my opinion a server os without having the option to use network accounts is unusable in the long term.

Even Windows server can manage this for decades.

OS X seems to degrade more and more to a colorful toy.

*sigh*

Greetings

macmartin

I am very interested in your workaround.

What does the %@ stand for?

Is it a variable for the username?

For me it is quite important the users can switch computers at any time.

So my idea is to store the keychains of any user on any computer.

What access rights, owner and group settings are needed for the lokal keychains folders?

Are there any additional steps needed when storing a new password in the keychain (e. g. when creating a new Mail account)?

Best regards

martin

Yes, that stands for the username.

The entire folder stored in the /Users/shared/username has the same permissions as if it were in their own Library. They have permissions but other users don't.

I found that since upon first login, the keychains folder is deleted and a new one is created on the local HDD, you have to restart the computer after they login the first time so it starts using the new keychain.