Mavericks Server Keychain not properly storing information network users.

Here's what I've tried with success. I created the following three text files and copied them to the following directories on the client computers:

1st file name: kill_left_running.sh

Copied to: /usr/local/bin/scripts

Contents:

#!/bin/bash

# C & E Mediensysteme GmbH, Christoph Ewering 20151117

# Dinge die Apple reparieren sollte aber nicht tut :-(

# Findout who has logged out

# We are looking for processes that run as USER but this USER has no Finder running

# Find every user but ignore system users and special users

# 1. Get every process and extract the user

# 2. remove row titel "USER"

# 3. remove every system user (Usernames that start with "_")

# 4. remove users that are listed in /var/root/users_to_ignore.txt for example "root" or "postgres"

# 5. sort the users and make every item in the list unique

USERLIST=`ps aux |awk '{print $1}' |grep -v USER |grep -v '^_' |grep -v -f /var/root/users_to_ignore.txt |sort |uniq`

# Now we look for users that are running a process called "Finder"

USERLOGGEDIN=`ps aux |grep Finder.app |grep CoreServices |awk '{print $1}' |sort |uniq`

# a user that is at list USERLIST but not at USERLOGGEDIN still has processes running but is no longer logged in

for USER in $USERLIST; do

if [[ $USER != $USERLOGGEDIN ]]; then

# User has no Finder running every other process of this user should be stopped

# Get all still running processes of the user that is logged out

PROCLIST=`/bin/ps -o pid -u $USER |grep -v PID`

logger "User $USER has still `/bin/ps -o pid -u $USER |wc -l` processes running, trying to stop them NOW."

# Dear processes would you be so kind to stop your work, please?

for PROC in ${PROCLIST}; do

#echo kill -15 $PROC

/bin/kill -15 $PROC

done

/bin/sleep 3

# PROCESSES - SHUT UP!

PROCLIST=`/bin/ps -o pid -u $USER |grep -v PID`

logger "User $USER has still `/bin/ps -o pid -u $USER |wc -l` processes running, kill them NOW."

for PROC in ${PROCLIST}; do

#echo kill -9 $PROC

/bin/kill -9 $PROC

done

fi

done

2nd file name: logout_helper.sh

Copied to: /usr/local/bin/scripts

Contents:

#!/bin/bash

LOG=/Users/Shared/logout_helper.log

DATE=`date`

echo LOGOUTEVENT - $DATE >> $LOG

/usr/local/bin/scripts/kill_left_running.sh &

3rd file name: users_to_ignore.txt

Copied to: /var/root

Contents:

postgres

root

nobody

Reboot the client computer and give it a shot. It has been working for us on our 10.10 clients connecting to our 10.10 server.

Hi John,

I come from testing your and my method to kill in logout.sh

kill -9 secinitd

kill -9 secd

a lot of processes are running after logout of user wiel and login as admin1 !

with

kill -9 -u $1

there are only one or two:

My working script is now:

#! /bin/bash
# logout.sh
username=$1
logger "logout.sh $username"

Local=`dscl . -list /Users |grep -x $1`
if [[ "$1" == "$Local" ]]; then
    exit 0
fi

# Unmount network home directory share if left mounted after user logs out
mountpath=`mount | grep /Network/Servers/  | awk '{print $3}'`
if [ "$mountpath" != "" ]
then
  umount -f $mountpath
  logger "LogoutHook unmounted: $mountpath "
fi

killall -9 -u $username
#killall -9 secinitd
#killall -9 secd

logger "logout.sh finished for $1"

exit 0

PS. I am using El Capitan on Server and on Client !!

Thanks for the update. The two secd processes are the most critical ones as these are the ones that block access to the users keychain but I agree killing off more of the orphan processes is desirable and your approach is far more simple than the massive script previously posted. I will therefore look at incorporating your change in to mine.

Hello guys!

10.11.5 did not fix this problem.

After looking into Luda24s script I united every approach for a workaround and setup a new script - I tried to combine as much as possible. This solution is a lot simpler than my first script - if I remember right my first try was also one script but do not know why it does not worked so I came to the complex solution of mine.

Well now I think this is a better solution (sorry I could not find the code block tag)

bye,

Christoph

#! /bin/bash

# logout-fix.sh

# This script runs as a logouthook to fix bugs that Apple should have fixed

# The bug occurs to network home users only because since OS X 10.9.x not all processes

# of a user that logs out get killed. It is a workaround developed by Luda24,

# John Lockwood, Christoph Ewering, Benjamin Losch and may others at the

# Apple Support Communities

# Once again - this is a workaround that works with OS X 10.9.x to 10.11.5

# (shame on Apple for ignoring many bug reports and feedbacks about this bug)

# You should store this script at /usr/local/bin and then run

# "sudo defaults write com.apple.loginwindow LogoutHook /usr/local/bin/logout-fix.sh"

# remember to set the access rights "sudo chmod 755 /usr/local/bin/logout-fix.sh"

# and owner to "chown root:wheel /usr/local/bin/logout-fix.sh"

# And here it is what this script does:

# 1. Check if the logging out user is a local or network user

# 2. Kill left running processes of the logged out user

# 3. Unmount Network-Share that may have been left mounted

# 4. Remove cache files from /private/var/folders that are owned by user $username

# Here you can select if you want to any feature disabled or enabled

UNMOUNTHOME=1

CLEANCACHE=1

# Do not change anything after this line

username=$1

/usr/bin/logger "logout-fix.sh $username"

Local=`dscl . -list /Users |grep -x $username`

if [[ "$1" == "$Local" ]]

then

/usr/bin/logger "logout-fix.sh has nothing to do - logged out user was a local user"

exit 0

fi

# Here is the important part - kill users processes - first of all „secinitd“ and „secd“

/usr/bin/logger "logout-fix.sh trying to kill all processes of user $username"

/usr/bin/killall -15 -u $username

/bin/sleep 5

/usr/bin/killall -9 -u $username

# Unmount network home directory share if left mounted after user logs out

if [ $UNMOUNTHOME ]; then

mountpath=`mount | grep /Network/Servers/ | awk '{print $3}'`

if [ "$mountpath" != "" ]

then

/usr/bin/logger "logout-fix.sh trying to unmount $mountpath"

/sbin/umount -f $mountpath

/usr/bin/logger "LogoutHook unmounted: $mountpath "

fi

fi

# Delete old stuff from /private/var/folders - mainly cache files after user logs out

if [ $CLEANCACHE ]; then

/usr/bin/logger "logout-fix.sh trying to clean cache files of user $username"

/usr/bin/find /private/var/folders/* -type d -mtime 1 —user $username -exec rm -vrf {} \;

fi

/usr/bin/logger "logout-fix.sh finished for $1"

exit 0

The keychain management ist very strange.

With the script my keychain works, but if i use another computer in our network, i have to set all passwords again.

In ~/Library/Keychains every Client generate his own Folder (named by Hardware-UUID) !?!

This is OK for an entreprise, but not for a school. We have to work in different rooms on different computers.

Any idea to resolve this problem ?

PS. I am still using WorkgroupManager. Anyone here using ProfileManager without problems ?? Then I will change too ;-)

PPS: I have to upgrade 200 computers from 10.8.4 to elCapitan. HELP, HELP, HELP, there are many new problems.

Welcome to the family

Here in switzerland their are about a dozen of "school administrators" who getting crazy because of the bugs & changes by Apple. The problems startet after 10.9.2 and still not solved, even worser Apple has no intension to solve it.

You write that this is OK for Enterprises, but this is not OK for them. They had the same problem when their Employes are swapping between different iMacs.

As Apple told us, we are old fashioned and need to think to work in another way (e.g. giving all people a personal device). We are not old fashioned, they are mad and arrogant

Regards

Gérard

One of the now I believe at least six different Network Home Directory issues is that passwords for Mail, Calendar and Contacts are now stored in the 'Local Items' keychain which is the one stored via a hardware UUID. This means if the user hot-desks between computers these passwords do not follow them because they are tied to a specific computer. Prior to Mavericks which introduced the dreaded Local Items keychain the only keychain used was Login which is not tied to a specific computer.

Other than the user using the same computer each time, the only other possibility I see is to write a login hook or login daemon which renames the folder to the correct UUID, it is not clear if a login hook or login daemon will run early enough in the login process, it needs to happen before the user is completely logged in and before the operating system has tried to load the Local Items keychain. Here is a script which gets the Macs UUID.

system_profiler SPHardwareDataType | awk '/ UUID/ { print $3; }'

You need to be careful as it is normal to have multiple folders with UUID names in ~/Library/Keychains because by now many of the users will have used multiple Macs and generated multiple Local Item keychains. You could try and be clever in whatever script you write and look for the most recently created one.

Yes I am using Profile Manager with no particular problems and I have in general switched to it and stopped using Workgroup Manager.

Hello all,

the keychain re-direction works fine and it has made the Keychain very stable in our school. By stable i mean, no more corruption in the middle of logged in sessions, no more corruption when you log off and no more corruption when you restart.

We are a school of 800 users, network accounts all, we have 120 iMacs and a lot of servers, 14 in all and 6 of them are Apple servers. Our main OD server is still on 10.6.8 and yes i use WM still, for some things and PM for other things.

So, i thought all was good until we introduced Office 365. Problems started again. For some reason Office 365 cannot write to re directed Keychain and now we have to go back to Office 2011. I have tried everything on the keychain folder, even chmod 777, but no go. So i wonder how many other applications will have issues with Aliased Keychin folder.

Anyway, i am not here for a solution, just wanted to say that Apple is making a huge mistake here in not listening to 17 pages of this post and many other REAL LIFE issue that end users have, since 10.6.8 really. I am tired of Apple WDC sprucing every year new operating system with "many new features" and many many more bugs, instead they should just focus on enhancing the system they have and fixing all the bugs in the one they have!

We are going to shut down all our Apple servers by the end of this year, except one until i get Casper suit or Centrify, and move to Windows server, as i am in the process of testing it right now. All good so far, even network homes work nicely.

Like i said, re direct works and yes i told my users that when they move the machine, they will have to re enter their passwords, but that is only once and that is it.

Adi

Hello Adi

What you planned to do is exactly what apple wanted. They want that all business users went of using apple products and in future only work with mobile devices.

They refuse to hear to us. Network User & Mobile Home Folders are not future options for Apple. I don't know if switching to windows server is a solution. I suppose in one or two years Redmond People come with the same ideas (under a new name). Trying to mount to Windows Server with the SMB Mount would be the next pain in the a s s option. The Apple implementation of SMB is useless because it still doesn't work properly for years now. Only because they refuse to implement Open Source SMB Code and trying to work with an own, very bad code, this will not be your solution. It is more or like a choice between pest and cholera.

I have no interest anymore in wasting time in talking to Apple and tried to find for solutions. They play with you, doesn't you take serious an go their own why in the road named "Cul de Sac"

Gérard

I am hard working on the login.sh and logout.sh.

We need login and logout in a school on 200 identical computers.

The most problems are done with the scripts.

We clean on every logout ByHost and the Saved Application State.

I copy the keychain-2.db in a temporary folder and I save the icloudlogin from ByHost.

#! /bin/bash
# solves many problems of managed users in elCapitan
# by Luda Wieland (thanks to Jeff Ochsner and John Lockwood)

username=$1
logger "logout.sh $username"

Local=`dscl . -list /Users |grep -x $1`
if [[ "$1" == "$Local" ]]; then
    exit 0
fi

# home_loc like /Network/Servers/my.server.ch/Volumes/Daten/Lehrer/wiel
eval home_loc=~$1
UUID=$(system_profiler SPHardwareDataType | grep 'Hardware UUID' | awk '{print $3}' )

#printqueue delete
lprm -

#term processes and wait
killall -15 -u $username
sleep 5
#if not terminated, kill them
killall -9 -u $username

#delete enpty plists
find $home_loc/Library/Preferences -empty -type f -delete
#delete temporary plists
rm $home_loc/Library/Preferences/*.plist.*
#save icloudpassword and delete all in ByHost, "Saved Application State" and Caches
mkdir    $home_loc/Library/Preferences/ByHost/tmp
cp -p    $home_loc/Library/Preferences/ByHost/com.apple.coreservices.appleidauthenticationinfo.$UUID.plist $home_loc/Library/Preferences/ByHost/tmp/saved.icloudlogin.plist
rm -f    $home_loc/Library/Preferences/ByHost/*
rm -rdf  $home_loc/Library/Preferences/Saved\ Application\ State/*
rm -rdf  $home_loc/Library/Caches/*

#save Keychain-2 from this Host in dir tmp
if [ ! -d $home_loc/Library/Keychains/tmp ]; then mkdir $home_loc/Library/Keychains/tmp ; fi
cp -p $home_loc/Library/Keychains/$UUID/* $home_loc/Library/Keychains/tmp/

# Unmount network home directory share if left mounted after user logs out
mountpath=`mount | grep /Network/Servers/  | awk '{print $3}'`
if [ "$mountpath" != "" ]
then
  umount -f $mountpath
  logger "logout.sh unmounted: $mountpath "
fi

# Delete old stuff from /private/var/folders - mainly cache files after user logs out
# find /private/var/folders/* -type d -mtime 1 -exec rm -rf {} \;

logger "logout.sh finished for $1"
exit 0

on login, I copy the stored iclodlogin back and I create the Machine UUID Folder in Keychains and copy back the stored keycchain-2.db .

icloudlogin works, keychain-2.db hack works only on the same computer. I commented it out.

Help me to find a possibility to take the keychain with me from computer to computer.

At the Moment, I have to reenter on every computer all Mailpasswords and I loose all stored Safaripasswords :-(( .

#! /bin/bash
# login.sh
# solves some problems of managed users
# by Luda Wieland (thanks to Jeff Ochsner and John Lockwood)

Local=`dscl . -list /Users |grep -x $1`
if [[ "$1" == "$Local" ]]; then
    logger  "login.sh $1 is a local user"
    exit 0
fi

logger  "login.sh $1 is a network managed user"

# home_loc e.g. /Network/Servers/xserver.domain.ch/Volumes/Daten/Lehrer/wiel
eval home_loc=~$1
UUID=$(system_profiler SPHardwareDataType | grep 'Hardware UUID' | awk '{print $3}' )

#restore Keychain from dir tmp to this host
#will not work: keychain-2.db contains local data ?!?
#if [ -d $home_loc/Library/Keychains/tmp ]
#then
#    if [ ! -d $home_loc/Library/Keychains/$UUID ]; then mkdir $home_loc/Library/Keychains/$UUID ; fi
#    cp -pf $home_loc/Library/Keychains/tmp/* $home_loc/Library/Keychains/$UUID
#fi

#restore icloudpassword with UUID
if [ -f $home_loc/Library/Preferences/ByHost/tmp/saved.icloudlogin.plist ]
then
  cp -p $home_loc/Library/Preferences/ByHost/tmp/saved.icloudlogin.plist $home_loc/Library/Preferences/ByHost/com.apple.coreservices.appleidauthenticationinfo.$UUID.plist
fi

exit 0

Please try my script and help to find a solution to restore the Keychains.

Best regards

Luda

Forgot to add the following very important step to my post to get it to work:

sudo defaults write com.apple.loginwindow LogoutHook /usr/local/bin/scripts/logout_helper.sh

Remarks:

killall

If you not kill the processes, you have to restart the computer after every logout.

It's crazy to kill all processes during / before logout.

It's perhaps better to kill them later.

So I tried this:

#logout the user normally, wait and kill all processes later
sleep 15 && killall -9 -u $username &

And it works fine (better) ....

keychain-2.db

I would like to restore the saved mail- and safari-passwords (keychain-2.db) on every managed computer.

Since now, no success. What a nonsense to store on every computer another keychain !

At the moment I have to enter all passwords on every computer I use .

Do you know any solution ?

my new logout.sh:

#! /bin/bash
# solves many problems of managed users in elCapitan
# by Luda Wieland (thanks to Jeff Ochsner and John Lockwood)

username=$1
logger "logout.sh $username"

Local=`dscl . -list /Users |grep -x $1`
if [[ "$1" == "$Local" ]]; then
    sleep 15 && killall -9 -u $username &
    exit 0
fi

# home_loc like /Network/Servers/my.server.ch/Volumes/Daten/Lehrer/wiel
eval home_loc=~$1
UUID=$(system_profiler SPHardwareDataType | grep 'Hardware UUID' | awk '{print $3}' )

#printqueue delete
lprm -

#delete enpty plists
find $home_loc/Library/Preferences -empty -type f -delete
#delete temporary plists
rm $home_loc/Library/Preferences/*.plist.*
#save icloudpassword and delete all in ByHost, "Saved Application State" and Caches
mkdir    $home_loc/Library/Preferences/ByHost/tmp
cp -p    $home_loc/Library/Preferences/ByHost/com.apple.coreservices.appleidauthenticationinfo.$UUID.plist $home_loc/Library/Preferences/ByHost/tmp/saved.icloudlogin.plist
rm -f    $home_loc/Library/Preferences/ByHost/*
rm -rdf  $home_loc/Library/Preferences/Saved\ Application\ State/*
rm -rdf  $home_loc/Library/Caches/*

#save Keychain-2 from this Host in dir tmp (restoring will not work at the moment)
if [ ! -d $home_loc/Library/Keychains/tmp ]; then mkdir $home_loc/Library/Keychains/tmp ; fi
cp -p $home_loc/Library/Keychains/$UUID/* $home_loc/Library/Keychains/tmp/

# Unmount network home directory share if left mounted after user logs out
#mountpath=`mount | grep /Network/Servers/  | awk '{print $3}'`
#if [ "$mountpath" != "" ]
#then
#  umount -f $mountpath
#  logger "logout.sh unmounted: $mountpath "
#fi

# Delete old stuff from /private/var/folders - mainly cache files after user logs out
# find /private/var/folders/* -type d -mtime 1 -exec rm -rf {} \;

#logout the user normally, wait and kill all processes later
sleep 15 && killall -9 -u $username &

logger "logout.sh finished for $1"
exit 0

Hello Luda

I am also based in Switzerland and still have this case open at Apple Support. Exactly as you described, I have the same Problem

At the Moment, I have to reenter on every computer all Mailpasswords and I loose all stored Safaripasswords :-(( .

A workaround is for me OK for an new detected bug but not for an Issue which is open now for 2 1/2 years. Apple should fixes all these bugs instead of implementing new features who nobody needs!!! (Siri here in Switzerland in 10.12 is useless, the answers you get are false)

I have no interest in ßeta testing scripts. That should be Apples Job. The Problem is recontructable on every new server with NetworkUser. They can making some Labor Environment an debugging the whole network!

Most important Issue for me is still the following: "I want to know from Apple, why they change the location of the Keychain from the NetWorkUser to the Local Machine" This is for schools like you a N0-Go. If you have 200 Students who are able to use each machine you have a fulltime job only for testing and configuring your environment. I am so far that I installed Thunderbird as Mailclient and everything works as a charm!

ps. Once again this questions: In this Thread are mostly half the persons German or Swiss-German based. Is it maybe a bug which occurred in the German System Settings?

Sorry but my last reply was censored by Apple - it was removed immediately.

It contained some unfriendly words and some test expierences.

Apple has enough resources to censor discussion groups but not enough man power to fix a terrible bug in two years.

Maybe it is my fault - excuse me - I stumbled over this bug and talked about it in public. I will never do this again. Sorry for trying to help make OS X the best OS on our planet.

Bye,

Christoph

Christoph Ewering1 wrote:

Sorry but my last reply was censored by Apple - it was removed immediately.

It contained some unfriendly words and some test expierences.

Apple has enough resources to censor discussion groups but not enough man power to fix a terrible bug in two years.

Maybe it is my fault - excuse me - I stumbled over this bug and talked about it in public. I will never do this again. Sorry for trying to help make OS X the best OS on our planet.

Bye,

Christoph

We share your pain - literally.

You could sign up for the public beta of macOS Sierra next month i.e. July and (cough!) test it and 'assuming' the bug is still present file a bug report.

Of course many people have already done this for Mavericks, Yosemite and El Capitan already. 😢 (Hint to Apple - this is why this loooooong thread is called Mavericks Server Keychain - because this bug is that old.)

There is no danger of Apple breaking any records recording how old a bug is - Microsoft easily beat them there.