
Mavericks Server Keychain not properly storing information for network users.

OS 10.9.1, Server 3.0.2. Clients OS 10.9.1 bound to server Open Directory and managed with Profile Manager. 10.6.8 Mail server bound to 10.9.1 server Open Directory. Messages is running on the 10.9.1 server which hosts the users.


changeip -checkhostname indicates DNS is correct for the server. The server is running on a FQDN, with no .local or other DNS issues.


For everything below: the Keychain for any of the users does not need to be repaired.


Generally things are going well with one exception which is a big problem.


Each time a network user logs in and tries to use either Mail, to connect to our mail server via IMAP, or Messages, they are prompted for passwords. Messages takes the password and logs in. Mail acts as though the password was incorrect and asks for it again; it does not pass the connection to the mail server. There is no trace of the attempted login in the mail server logs.


Functional workarounds:


1 - OS reinstall allows immediate login on the mail server and connections as expected. This is a little too much for day to day use.


2 - (From somewhere in the forums, forgot who, sorry.) User logs in, goes to the user's network home/Library/Keychains and moves any keychains with long strings of letters and numbers as names to another folder or puts them in the Trash, immediately reboots, user logs in again, enters passwords in Mail, immediate connection to the mail server and expected behavior from Mail.app.


On a network user machine in a multi-user environment, the next user will have to repeat the entire procedure above, including the reboot, to get access to the contents of the mail server. The first user in the example above will have to repeat it if they come back to the same machine and log in again.


This is what we are doing now. It appears that it would work on a personal machine with local users and has solved a lot of issues in the forum. It is helping but does not solve the keychain problem for network users.


Does anyone have any advice?


Thanks.


-Erich

OS X Server

Posted on Jan 10, 2014 6:34 PM
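Workaround 2 above is the one people end up scripting, so here is an added example of it as a shell script. It is not code from this thread or from Apple. It moves the UUID-named "local items" keychain directories out of a user's Library/Keychains into a timestamped, owner-only archive directory instead of the Trash, since those directories hold saved passwords, and leaves login.keychain-db and the metadata folder alone. The keychain directory and archive destination are assumed to be passed as arguments; the UUID pattern (8-4-4-4-12 hex groups, which is how the Mac's hardware UUID is written) is the only thing it matches.

```shell
#!/bin/sh
# Added example for workaround 2 above; it is not a script from this thread.
# Moves the per-machine "local items" keychain directories (named after the
# Mac's hardware UUID, e.g. 6F1A2B3C-4D5E-4F60-8A9B-0C1D2E3F4A5B) out of a
# user's Library/Keychains into a timestamped, owner-only archive directory.
# Archiving rather than trashing is deliberate: the directory holds saved
# passwords, and the Trash is neither private nor reliably emptied.
# Assumptions: POSIX sh, grep (BRE) and mv; the keychain directory and the
# archive destination are passed as arguments so it can run against any path.

# Hardware UUIDs are 8-4-4-4-12 hexadecimal groups; nothing else matches.
UUID_RE='^[0-9A-Fa-f]\{8\}-[0-9A-Fa-f]\{4\}-[0-9A-Fa-f]\{4\}-[0-9A-Fa-f]\{4\}-[0-9A-Fa-f]\{12\}$'

# Print the UUID-shaped subdirectory names directly under $1, one per line.
# Files such as login.keychain-db and folders such as metadata are skipped.
list_local_items_dirs() {
    dir=$1
    for entry in "$dir"/*; do
        [ -d "$entry" ] || continue
        name=${entry##*/}
        if printf '%s\n' "$name" | grep -q "$UUID_RE"; then
            printf '%s\n' "$name"
        fi
    done
}

# Move every UUID-shaped directory from $1 into $2/<timestamp>/ and print the
# number moved. Returns 1 if $1 is not a directory.
archive_local_items_dirs() {
    src=$1
    dest=$2
    [ -d "$src" ] || return 1
    stamp=$(date +%Y%m%d-%H%M%S)
    count=0
    for name in $(list_local_items_dirs "$src"); do
        mkdir -p "$dest/$stamp"
        chmod 700 "$dest/$stamp"
        mv "$src/$name" "$dest/$stamp/$name"
        count=$((count + 1))
    done
    echo "$count"
}

# Run as the affected user, e.g. from a login script (paths are illustrative):
#   sh archive-local-items.sh "$HOME/Library/Keychains" "$HOME/Library/Keychains-archive"
if [ $# -eq 2 ]; then
    archive_local_items_dirs "$1" "$2"
fi
```

Run it as the user whose Mail keeps asking for passwords, then reboot as the post describes. It does not address the underlying cause (the folder is keyed to the machine, so the next Mac creates a fresh one anyway); it only makes the manual step repeatable and keeps the old credential store out of the Trash.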

Question marked as Top-ranking reply

Posted on Jan 28, 2017 12:32 PM

It is our experience that it is still a problem, in fact several different problems. 😟


Whilst there are many issues, two of the major ones are:


  1. The 'new' local items keychain used for Apple programs' passwords, e.g. Mail, Contacts, etc., is stored in a per-machine-specific folder, rendering it unusable for hot-desking.
  2. Each new version of OS X has increased the use of SQLite databases to store settings and data, and when used over a network, as with network home directories, these either get corrupted or locked so they cannot be used, making programs like Mail, Contacts, and even Safari unusable. Recent new uses include the local items keychain itself and the new suggestions database for Spotlight and for looking up contacts and calendar entries in emails, etc.


While I am still in the process of reporting these issues to Apple, especially the new SQLite problems, I am in the process of changing all our users and giving up on network home directories. 😟

278 replies

Jul 21, 2016 10:12 AM in response to John Lockwood

Just to weigh back in on this, I don't think this issue resides with the server or server software in these keychain issues. My feeling is that it is solely the client OS that is causing the issues. It has been noted that until 10.9 client was released this issue was nonexistent. Something occurred around 10.9 client when Apple decided to change the location of the keychain information. Things have been whacked ever since.


I think what Gerard is getting at is whether it makes a difference what the home folders directory is called on the server, or which directory on the server is used to store the home directories. I don't believe it does, since it seems to be an issue with the way the client software is handling keychain information, and not how Server or the server is handling the home folders.

Jul 21, 2016 10:37 AM in response to EOC Admin

There are multiple problems. Most of them probably do indeed relate to the client end of things but not all of them. If it was solely a client issue then likely it would not solely apply to network home directory use.


Yes the problems all start with Mavericks which is when Apple introduced iCloud Keychain syncing which required the use of the new 'local items' keychain. Prior to this Mail etc. stored their details in the standard 'Login' keychain.


Note: Even if you don't use iCloud Keychain Syncing, and even if you're not even logged in to iCloud, you are still forced to use the 'local items' keychain.


  1. If a user logs out of a network home directory then files get left open, the home directory is still mounted, and user processes are still left running. Arguably a client issue. There are some scripts in this thread detailing how to kill the processes and force the disconnection of the network home directory; this is all done in a logout hook. (Could be considered two or three different but linked issues.)
  2. If a user hot-desks between Macs their 'local items' keychain does not follow them. This is because the 'local items' keychain is in a folder which is named after the UUID number of the Mac. If you log in on a different Mac it has a different UUID and hence does not see the original 'local items' keychain. I have seen no fix for this unless one actually does choose to use iCloud Keychain Syncing, which is not really suited to business use. This could also be considered a client only issue.
  3. We randomly but regularly find that all logged in users will have their 'local items' keychain corrupted practically simultaneously. This requires either logging out and then back in to create a new one, or deleting the corrupted one which is in an area mere users do not see or understand - hence the easier advice is to get them to logout and back in. You then get a fresh uncorrupted 'local items' keychain and have to re-enter the passwords. This is definitely a server issue.
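Item 1 above refers to logout-hook scripts posted elsewhere in the thread; since none of them appear on this page, here is an added example of that approach. It is not one of the scripts from the thread and not Apple code. loginwindow runs a LogoutHook as root with the short name of the user logging out in $1, so the script validates that name before passing it to pkill or umount, terminates the user's leftover processes (TERM first, then KILL), and unmounts the network home only if it is actually mounted. The install path, the DRY_RUN and HOME_OVERRIDE switches and the five-second grace period are assumptions made for this example; loginwindow hooks are a legacy mechanism, but they still ran on the OS versions discussed here.

```shell
#!/bin/sh
# Added example of the logout-hook approach described above; it is not one of
# the scripts posted in this thread. loginwindow runs the hook as root with the
# short name of the user logging out in $1. The hook terminates that user's
# leftover processes and then unmounts the network home so the next login
# starts from a clean mount. Install (path and file name are illustrative):
#   sudo defaults write com.apple.loginwindow LogoutHook /usr/local/sbin/logout-cleanup.sh
# Assumptions: macOS with pkill, dscl, mount and umount. DRY_RUN=1 prints the
# commands instead of running them, and HOME_OVERRIDE replaces the dscl lookup,
# both so the logic can be exercised off a Mac.

DRY_RUN=${DRY_RUN:-0}

# Execute a command, or just print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The hook runs as root, so accept only a plausible short name before handing
# $1 to pkill/umount. Returns 0 if acceptable.
valid_user() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z_][A-Za-z0-9_.-]{0,31}$'
}

# Print the account's home directory as recorded in the directory service.
home_of() {
    if [ -n "${HOME_OVERRIDE:-}" ]; then
        printf '%s\n' "$HOME_OVERRIDE"
    else
        dscl . -read "/Users/$1" NFSHomeDirectory 2>/dev/null | awk '{print $2}'
    fi
}

# Clean up after user $1. Returns 1 on a rejected name, 0 otherwise.
logout_cleanup() {
    user=$1
    if ! valid_user "$user"; then
        echo "logout hook: refusing to act on user '$user'" >&2
        return 1
    fi
    # Never touch root or the _service accounts.
    case $user in
        root|_*) return 0 ;;
    esac
    home=$(home_of "$user")

    # TERM first so Mail, Messages and the user's agents can close their
    # databases cleanly; KILL whatever survives the grace period.
    run pkill -TERM -u "$user"
    run sleep 5
    run pkill -KILL -u "$user"

    # Only unmount a path that is actually a mount point (check skipped in dry run).
    if [ -n "$home" ] && { [ "$DRY_RUN" = 1 ] || mount | grep -q " on $home ("; }; then
        run umount "$home" || run umount -f "$home"
    fi
    return 0
}

if [ -n "${1:-}" ]; then
    logout_cleanup "$1"
fi
```

Test it with DRY_RUN=1 before installing; once installed, a logout of a network user should leave no processes for that user in ps and no entry for their home in mount. It does nothing for the per-machine 'local items' folder in item 2, which is a separate problem.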

Aug 3, 2016 7:26 PM in response to John Lockwood

Hello


It seems that the update 10.11.6 solves our problem with the keychain and Apple Mail. After some tests during the last week, the problem hasn't occurred anymore, even on Macs where we haven't installed the "unload_secd" script.


But now we have recognised a new bug. Spotlight can't finish its job after the network user logs in. We find the indexing stops working and the Spotlight file doesn't become larger than a couple of kilobytes. You can't find any keywords in your Mail. Another serious bug, making Apple Mail useless to work with!


Even the global Spotlight search would work properly. The Spotlight index file would not grow larger than 4.8 KB, even after hours of running!




Let's hope Apple will fix this issue!


Gérard

Sep 8, 2016 2:18 PM in response to Erich Wetzel

Everyone,


This discussion started 1-10-2014. It is now 9-8-2016, 1.75 years and 18 pages containing 269 replies later. We have had 38,980 views of this discussion as of this post.


We started at OS X 10.9.1 and Server 3.0.2 and have reached OS X 10.11.6 and Server 5.1.7. In both cases, we are just short of 3 full releases later.


Apple seems to have finally resolved the problem. We have been logging in and out on 10.11.6 clients and our keychains are holding information as they should have been over all of this time.


Thank you all for your many contributions and attempts to resolve this issue. It is finally time to close this discussion and put it behind us.


-Erich

Sep 8, 2016 4:14 PM in response to Erich Wetzel

Hello Erich


Sorry to tell you but the problem isn't solved.


After updating our server and clients to 10.11.6 everything seemed to work, but about 2 weeks later the problem returned. At this moment we are at the point of deciding whether we need to install Security Update 10.11.6 2016-001.


Today I talked for about 1 1/2 hours with Apple, and of course the guy told me that he didn't know about the issue, and I referred him to the still open Apple case :-(


After we simulated the problem over and over, he suggested that I wait and install "OS X Sierra", which will be released 16th Sept. 2016! I refuse to install a new system which comes directly out of "beta". I do not intend to become a beta tester for Apple. When they know how the problem can be solved they should also bring a service pack for 10.9.5, 10.10.5 & 10.11.6 to fix this issue.


Installing "macOS Sierra" will give me 200 new features but maybe 500 new bugs! I am so disappointed about the quality of Apple's software.

Sep 9, 2016 7:14 AM in response to Gerard Dirks

Gerard,


I have been disappointed since all of this started. I was especially saddened that it was not resolved by Apple in a timely fashion. The amount of productivity and financial loss due to this issue, as incurred by everyone in this discussion and others about the same problem, must be enormous.


All of my efforts to work around the issue, with the solutions posted here, resulted in some problems for my users. I assume the additional problems were from me not setting up the solutions properly.


That said, I did the following and have had no keychain issue for some time:


-Update all client and server software

-Save needed content from user homes

-Delete all user homes but retain the users in OD.

-Recreate all user homes

-Copy needed content back to user homes.

-Multiple users login and logout as needed.

-Shutdown client computers at the end of the day.


Certainly this is not convenient for anyone with large numbers of network users. However, it was worth the effort for my own situation.


I am not saying that there are not still open processes from the users who have logged out or that some of the other side issues that came up along the way are not still going on. The last step above may be vital here since all processes end at shutdown. Computers put to sleep still carry the open processes of course. We tend to have only 1 to 3 users logging into any one machine during a day. In the past single users couldn't logout for lunch without having their keychain damaged.


The original issue in this discussion, the problem where the keychain was destroying itself, has stopped being a problem for me after doing what I did.


-Erich

Sep 22, 2016 1:09 AM in response to Erich Wetzel

Hello Erich


The Problem isn't solved with OS X Server 5.2 on 10.11.6


When I read your workaround, it is a very option because all preferences and libraries are lost. Especially when you have years of mails in IMAP archives, you need to create a new e-mail account and import all these mailboxes.


When you have a large school or business it costs you days of extra work.


Apple knows exactly what they changed in the system and the libraries used. So for them it should be easy to make a comfortable migration from an older Server to a new Server. This has nothing to do with professional use of a computer. This is a struggle for life!


After what happened in the last 2 1/2 years (nothing serious), I can't trust Apple to fix these issues with 10.12 & OS X Server 5.2. I don't trust them anymore!


Gérard
