You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

Mavericks Server Keychain not properly storing information network users.

OS 10.9.1, Server 3.0.2. Clients OS 10.9.1 bound to server Open Directory and managed with Profile Manager. 10.6.8 Mail server bound to 10.9.1 server Open Directory. Messages is running on the 10.9.1 server which hosts the users.


Changeip -checkhostname indicates DNS is correct for the server. Server is running on a FQDN, no .local or other DNS issues.


For everything below: the Keychain for any of the users does not need to be repaired.


Generally things are going well with one exception which is a big problem.


Each time a network user logs and tries to use either Mail to connect to our mail server via IMAP or Messages in they are prompted for passwords. Messages takes the password and logs in. Mail acts as though the password was incorrect and asks for it again, it does not pass the connection to the mail server. There is no trace of the attempted login on the mail server logs.


Functional workarounds:


1 - OS reinstall allows immediate login on the mail server and connections as expected. This is a little too much for day to day use.


2 - (From somewhere in the forums forgot who, sorry), User login, go to User's network home/Library/Keychains and move any keychains with long strings of letters and numbers as name to another folder or put in trash, immediately reboot, User login again, enter passwords in Mail, immediate connection to mail server and expected behavior from Mail.app.


As a network user machine in a multi user environment, the next user will have to repeat the entire procedure above, including the reboot, to get access to the contents of the mail server. The first user in the example above will have to repeat it, if they come back to the same machine and log in again.


This is what we are doing now. It appears that it would work on a personal machine with local users and has solved a lot of issues in the forum. It is helping but does not solve the keychain problem for network users.


Does anyone have any advice.


Thanks.


-Erich

OS X Server

Posted on Jan 10, 2014 6:34 PM

Reply
Question marked as Top-ranking reply

Posted on Jan 28, 2017 12:32 PM

It is our experience that it is still problem, in fact several different problems. 😟


Whilst there are many issues two of the major ones are -


  1. The 'new' local items keychain used for Apple programs passwords e.g. Mail, Contacts, etc. is stored in a per machine specific folder rendering it unusable for hot-desking
  2. Each new version of OS X has increased the use of SQLite databases to store settings and data and when used over a network as with network home directories these either get corrupted or locked so they cannot be used making programs like Mail, Contacts, and even Safari unusable, recent new uses include local items keychain itself and the new suggestions database for spotlight and looking up contacts and calendar entries in emails etc.


While I am still in the processing of reporting these issues to Apple especially the new SQLite problems I am in the process of changing all our users and giving up on network home directories. 😟

278 replies

Jul 23, 2014 11:33 AM in response to Erich Wetzel

An update: Peter called me today having spoken to an engineer. Apparently the issue is fixed in Yosemite and Yosemite Server. Frustrating I know!

For now this is what I have been advised:

"The engineer also advised that the only workaround at the moment is to not use network home folders, other types of account seem to be functioning ok."

Jul 23, 2014 1:08 PM in response to robertoraskovsky

We have this problem with our AD users with Mavericks and home folders on Server 2012.

I thought it was caused by using windows server so created a new Mavericks scratch image, ditched Workgroup Manager and OD, migrated to Maverick Server Profile Manager and setup mobile accounts / local homes and we STILL have this keychain problem as above - AGGGGHHHH!


Come on Apple!

Jul 23, 2014 1:16 PM in response to Richard Cartledge

Pretty frustrating isn't it!

Apparently the local items keychain issue is still open and being worked on by the OS team. However the issue with multiple keychains and not storing keychains is a Server issue, and looking increasingly likely that it is not going to be fixed in Mavericks, but it has been fixed for Yosemite Server Build 14a222a (apparently).

Jul 23, 2014 1:29 PM in response to ziondotcom

All I can pass on is what I was told on the phone today by Peter Sheahan. He said there are two clear bugs. One of which is being worked on and the other is fixed in Yosemite Server. This leads me to think they will not bother fixing it in Mavericks Server. I am just as annoyed as all of you are. Especially as the recommended workaround is to download the Yosemite Server pre release which requires the $99 per year Mac Developer subscription! All for a piece of software which we all paid for and doesn't work! Its ridiculous...


Edit: they also say that using Local Homes solves the issue. Not an option for me though.

Jul 24, 2014 10:57 AM in response to Erich Wetzel

I received another followup email from Apple....they are certainly good at communicating, just not fixing the issues!


I have just received another response from the engineers regarding this issue.

The option to purchase a developer account and receive the BETA software is not a workaround, it is an option if you wish to test that the issue is resolved in the next version, before rolling out the software when it is officially released to the public.
The workaround at the moment is to not use network home folders, as other types of account work ok.

There is a request in asking for the changes which have been applied in Yosemite and Server 4 to be rolled out in an update for Mavericks and Server 3. I will add your case to that request.

There may be an option available to receive these updates pre-release, if they are rolled out to the current version.

Please let me know if you would be willing to participate in this “software seed”, and the development team may contact you directly if this happens.

I have asked to be involved with the software seed, so will be notified if any changes occur (hopefully).

Jul 24, 2014 1:10 PM in response to robertoraskovsky

Might I ask what the problem could be server-side?
I didn't think that would have anything to do with keychains unless stored on a home folder on the server and even then it was just another folder of files saved or read by the client ?


Could it be that a keychain saved by one Mac on the server does not work properly on another Mac client?


I did notice lots of keychain directories with unique strings of letters as though new ones were being spawned at every login.

Jul 24, 2014 1:25 PM in response to Richard Cartledge

As far as I know, Keychains changed in Mavericks, so that a new keychain is created for every device, the name of which is the Hardware UUID of that machine. So in your network home ~/Library/Keychains directory, there will be a separate Keychain directory for each mac the network user has logged into. The Hardware UUID of a mac can be found in System Report under the Hardware menu item. This is how I discovered that he Keychains relate to each mac.


The issue seems to related to Network Homes and these multiple keychains. More than that, I don't really know I'm afraid.

Jul 24, 2014 7:56 PM in response to Richard Cartledge

Maybe the fix is a combo of client 10.10 and Server 4?


Just to refresh, the latest 10.9.4 and latest Server 3.x behave as follows (even with all users using iCloud accounts for syncing):


reboot

login network home user 1 - prompted for mail password, saved, mail works, logout

login network home user 2 - prompted for mail password, saved, mail works, logout

login network home user 1 - prompted for mail password, password NOT saved, mail unable to go online...

reboot

Sep 29, 2014 8:02 AM in response to Michel-D

Because my server home-folder needs were only for two iMac clients and due to Apple's lack of interest to fix, I've abandoned the home shared folders. I've migrated the home folders off the server and back to one iMac and I'm now trying to sell the other iMac 2012 (barely used) so I can purchase a Macbook Air or Pro and let a single user be mobile. Sigh. Sorry many of you don't have that option. I would consider running a different Mail client as others have suggested as a fall-back plan. At least you can get mail working again.

Mavericks Server Keychain not properly storing information network users.

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.