Mavericks Server Keychain not properly storing information network users.

An update: Peter called me today having spoken to an engineer. Apparently the issue is fixed in Yosemite and Yosemite Server. Frustrating I know!

For now this is what I have been advised:

"The engineer also advised that the only workaround at the moment is to not use network home folders, other types of account seem to be functioning ok."

We have this problem with our AD users with Mavericks and home folders on Server 2012.

I thought it was caused by using windows server so created a new Mavericks scratch image, ditched Workgroup Manager and OD, migrated to Maverick Server Profile Manager and setup mobile accounts / local homes and we STILL have this keychain problem as above - AGGGGHHHH!

Come on Apple!

Pretty frustrating isn't it!

Apparently the local items keychain issue is still open and being worked on by the OS team. However the issue with multiple keychains and not storing keychains is a Server issue, and looking increasingly likely that it is not going to be fixed in Mavericks, but it has been fixed for Yosemite Server Build 14a222a (apparently).

So after 4 updates to 10.9 which we were told would fix this, now we are told it's fixed in a beta due this fall. Anyone care to valid the 10.10 promise?

All I can pass on is what I was told on the phone today by Peter Sheahan. He said there are two clear bugs. One of which is being worked on and the other is fixed in Yosemite Server. This leads me to think they will not bother fixing it in Mavericks Server. I am just as annoyed as all of you are. Especially as the recommended workaround is to download the Yosemite Server pre release which requires the $99 per year Mac Developer subscription! All for a piece of software which we all paid for and doesn't work! Its ridiculous...

Edit: they also say that using Local Homes solves the issue. Not an option for me though.

very troublesome. apparently they don't believe that very many people use server for network user accounts? When it actually seems like one of the most significant reasons to use Server.

I received another followup email from Apple....they are certainly good at communicating, just not fixing the issues!

I have just received another response from the engineers regarding this issue.

The option to purchase a developer account and receive the BETA software is not a workaround, it is an option if you wish to test that the issue is resolved in the next version, before rolling out the software when it is officially released to the public.
The workaround at the moment is to not use network home folders, as other types of account work ok.

There is a request in asking for the changes which have been applied in Yosemite and Server 4 to be rolled out in an update for Mavericks and Server 3. I will add your case to that request.

There may be an option available to receive these updates pre-release, if they are rolled out to the current version.

Please let me know if you would be willing to participate in this “software seed”, and the development team may contact you directly if this happens.

I have asked to be involved with the software seed, so will be notified if any changes occur (hopefully).

Might I ask what the problem could be server-side?
I didn't think that would have anything to do with keychains unless stored on a home folder on the server and even then it was just another folder of files saved or read by the client ?

Could it be that a keychain saved by one Mac on the server does not work properly on another Mac client?

I did notice lots of keychain directories with unique strings of letters as though new ones were being spawned at every login.

As far as I know, Keychains changed in Mavericks, so that a new keychain is created for every device, the name of which is the Hardware UUID of that machine. So in your network home ~/Library/Keychains directory, there will be a separate Keychain directory for each mac the network user has logged into. The Hardware UUID of a mac can be found in System Report under the Hardware menu item. This is how I discovered that he Keychains relate to each mac.

The issue seems to related to Network Homes and these multiple keychains. More than that, I don't really know I'm afraid.

Thanks Robert, at first I thought they were being renamed randomly like preferences are when they are replaced (the old ones become something like):

com.apple.spaces.plist.m4vX81M

com.apple.spaces.plist

but now I understand.

I'll update a client to Yosemite 10.10 DP4 and test, then report back.

Maybe the fix is a combo of client 10.10 and Server 4?

Just to refresh, the latest 10.9.4 and latest Server 3.x behave as follows (even with all users using iCloud accounts for syncing):

reboot

login network home user 1 - prompted for mail password, saved, mail works, logout

login network home user 2 - prompted for mail password, saved, mail works, logout

login network home user 1 - prompted for mail password, password NOT saved, mail unable to go online...

reboot

I have just tested Yosemite Server 4 (August 4th Release) and Yosemite Latest Release OS, with Mavericks clients, and the issue still exists. So Apple once again are lying to me! Im so fed up of this MAJOR issue.

Latest from Apple is that this issue is a Server AND OS issue. Therefore to see a fix, what you apparently need to do is have Yosemite Server and Yosemite clients. This differs from what I have been told in the past. Anybody got a Yosemite test system we can test this with? I am reluctant to try this until Yosemite is public...

Robert,

important to learn this news from Apple. However, again they seem to just forward problems into the future instead of providing a reliable server solution.

With two server installations this (and other) issues makes wasting time and is just a nightmare for users and admin.

Because my server home-folder needs were only for two iMac clients and due to Apple's lack of interest to fix, I've abandoned the home shared folders. I've migrated the home folders off the server and back to one iMac and I'm now trying to sell the other iMac 2012 (barely used) so I can purchase a Macbook Air or Pro and let a single user be mobile. Sigh. Sorry many of you don't have that option. I would consider running a different Mail client as others have suggested as a fall-back plan. At least you can get mail working again.