Mavericks Server Keychain not properly storing information network users.

Hello guys!

I just started a new discussion under the El Capitan forum to get more responses and link it with this discussion

Is suggest that we go further at this link

network home user lead to damaged keychains - still no fix since Mavericks

Bye,

Christoph

Hi Scott,

want to thank you for that keychain fix. Made my life very very easy in the last week!

I want to pick your brain and ask about Adobe Application Support folder redirect, has that helped you with Adobe apps like Photoshop and Ligthroom, or have you done it purely for Adobe Reader only?

We are a photography college and we are finding that Adobe applications like inDesign and Premiere, maybe Lightroom, have been crashing our AFP network homes! I have always had cache redirected, but never application support folder. We have 3 labs, 126 iMacs with 10.10.5 OS, 3 x 10.6.8 Server with network homes and 10.10.5 Profile Manager Server.

Also if i want to remove redirected Cache folder with Profile Manager, what are the settings i need to add to Custom options?

Any thoughts would be welcomed!

Adi

I'm glad that helped you. I think the fix helps everything Adobe-related if it stores any files in that Adobe folder, which Photoshop does (I'm not sure about Lightroom). I would try it and see how it works, because we found we had problems when it wasn't redirected. It will work better if the files are local to the computer.

The four options for the symlinks are:

• deleteAndCreateSymLink: Deletes the target folder in the home folder and creates a local symbolic link in its place.
• renameAndCreateSymLink: Renames the target folder in the home folder and creates a local symbolic link in its place.
• deletePath: Deletes the target folder in the home folder.
• deleteSymLinkAndRestore: Deletes the symbolic link and restores the folder that was renamed by the renameAndCreateSymLink action.

So if you want to delete the symlink, use deleteSymLinkAndRestore.

I can say that the solution provided by Christoph in the following post seems to have resolved the keychain issue for us involving Mail prompting for a password if the users log out instead of restarting the computer when using network accounts on 10.10 clients.

Link to this post

Thanks Christoph! This has been extremely helpful. So frustrated with Apple knowing this issue has existed for years and that this fairly simple workaround seems to have fixed it. Why couldn't Apple implement something like this?

I think I found a permanent solution, even it's not fully automatically done.

1. Login the user need a fix

2. Go to ~/Library in Finder and copy the whole "Keychains" folder in a /User/Shared subfolder (I've created /User/Shared/username/Library for every user)

3. Trash any file other than "login.keychain" in /User/Shared/username/Library/Keychains/

4. Open "/Applications/Utilities/Keychain Access" app

5. Double click on /User/Shared/username/Library/Keychains/login.keychain and a new "login" (not bold) keychain should appear in Keychain Access

6. Select the new "login" (not bold) keychain and unlock it

7. Insert the login password

8. Ctrl+click on the new "login" (not bold) keychain and select > Make Keychain "login" Default

9. Reboot

Works on all my workstations, for the moment. Still hoping....

hello federico254

Do I need to login on every Mac and do this workaround or will it solve the problems for this Network User Account on all machines?

Gérard

Yes, because the user must change their keychain access preference, but you could, I suppose, copy the login.key in mass, via shell, and instruct users how to add the new keychain and change their preferences. The concept is not to fool the system with link or other trick to get the login.key on the hd but make the system know there it is. The only inconvenient (not my case) is if your user change Mac frequently, so must be done on every Mac and the sync could be lefted to iCloud Keychain. Hope to help.

As per frederico254's reply this approach of copying a keychain to the local drive requires it to be done for each user on each machine. While I would expect this approach to complete resolve this particular issue I do regard it as incurring to much work i.e. doing so for each user for each machine.

I have had the same problem at my office and the previously suggested workaround of setting up a logout hook which kills Secd processes does appear to have resolved this issue for the most part. Occasionally users might have to reboot or we might have to take other steps but nowhere near as often as before. (I have a slight suspicion that the problem still comes and goes perhaps depending on other Apple software updates.)

Here is my script I use for the logouthook

#!/bin/bash
# Kill secd processes left running after user logs out
killall -9 secinitd
killall -9 secd
logger "LogoutHook killed processes"
# Unmount network home directory share if left mounted after user logs out
mountpath=`mount | grep /Network | awk '{print $3}'` 
if [ "$mountpath" != "" ] 
then 
  umount -f $mountpath 
  logger "LogoutHook unmounted network home"
fi
# Delete old stuff from /private/var/folders - mainly cache files after user logs out
find /private/var/folders/* -type d -mtime 1 -exec rm -rf {} \;
exit

I have over time been adding more things to this, the first is the aforementioned killing of the secd processes (lines 3 and 4), then there is another section which unmounts any user home directories that have not been done automatically, then there is a section to clear out cached files in /private/var/folders

Feel free to use all three steps but the first one is the most important.

If you go back earlier in this thread you will see another suggested fix which not only kills the two secd related processes (like mine) but kills up to 20 processes left running after a user logs out. It is as you might imagine a lot more complete and I did not feel the need to go that far. 😉

But what appen with HomeSync? Unmounting the home volume is not a problem?

federico254 wrote:

But what appen with HomeSync? Unmounting the home volume is not a problem?

If you are using home syncing then that means you are not really using a network home directory rather you are using a home directory on the local drive which is being synced to the server. If you are using a local home directory then you should not be having the keychain issue at all since your keychain will already be being stored locally.

So, are you using a a true network login and network home directory setup? Or are you using what is more commonly called a portable home directory setup with syncing?

Apple calls Mobile Account, if remember correctly, and the problem is a constant with Mobile Account. The fun fact is that, at login, the system load also the network home, other than the local one and the problem is even worst: sometimes the system say the Login Keychain cannot be found, as it not exist. Consider that I've migrated the users from Network Home to Mobile Account (Network Home with sync) for 2 problems, one is the Keychain and the other the iCloud Drive and iCloud Photo Library (that not working on network drive).

PS. If I correct remember the Portable Home is a Home on a removable drive attached at the Mac, not use the OpenDirectory.

Hi John,

Thank you for the support. I wrote many documented bugreports to apple, but there is nobody !!

1)

echo `mount | grep /Network | awk '{print $3}'`

gives

"on /Network/Servers/xserver.domain.ch/Volumes/xyz"

and unmounting this will not work. :-(

2) There are many other processes running after logout (shame on apple). I use this commands.

username=$1

killall -15 -u $username

#if not ...

killall -9 -u $username

What you mean about this commands?

Luda24 wrote:

Hi John,

Thank you for the support. I wrote many documented bugreports to apple, but there is nobody !!

1)

echo `mount | grep /Network | awk '{print $3}'`

gives

"on /Network/Servers/xserver.domain.ch/Volumes/xyz"

and unmounting this will not work. :-(

2) There are many other processes running after logout (shame on apple). I use this commands.

username=$1

killall -15 -u $username

#if not ...

killall -9 -u $username

What you mean about this commands?

With regards to echo `mount | grep /Network | awk '{print $3}'` this works for me using ARD to remotely test a logged in user using your example I get back "/Network/Servers/xserver.domain.ch/Volumes/xyz". If you can try testing the same way or you could enable ssh aka. remote login and do a similar test. If in your case it always includes 'on ' then you could add a command to strip that however awk '{print $3}' should be printing the third word/column and the space symbol is normally used to determine the column seprator.

The second item about killall -15 -u $username was not from my post so I cannot answer that. The original fix as included in mine only killed the two secd related processes but someone else has earlier posted a means of killing all left over processes via a much more complex and lengthy script. I have not found it necessary to go to that extreme.

If you want to kill all processes owned by a specific user you might be interested in what I found in 'man killall':

Sending a signal to all processes with uid XYZ is already supported by kill(1). So use kill(1) for this job (e.g. $ kill -TERM -1 or as

root $ echo kill -TERM -1 | su -m <user>)