
Mavericks Server Keychain not properly storing information for network users.

OS 10.9.1, Server 3.0.2. Clients OS 10.9.1 bound to server Open Directory and managed with Profile Manager. 10.6.8 Mail server bound to 10.9.1 server Open Directory. Messages is running on the 10.9.1 server which hosts the users.


`changeip -checkhostname` indicates DNS is correct for the server. The server is running on a FQDN; no .local or other DNS issues.


For everything below: the Keychain for any of the users does not need to be repaired.


Generally things are going well with one exception which is a big problem.


Each time a network user logs in and tries to use either Mail (to connect to our mail server via IMAP) or Messages, they are prompted for passwords. Messages takes the password and logs in. Mail acts as though the password was incorrect and asks for it again; it does not pass the connection to the mail server. There is no trace of the attempted login in the mail server logs.


Functional workarounds:


1 - OS reinstall allows immediate login on the mail server and connections as expected. This is a little too much for day to day use.


2 - (From somewhere in the forums, forgot who, sorry.) User logs in, go to the user's network home/Library/Keychains and move any keychains whose names are long strings of letters and numbers to another folder or put them in the trash, immediately reboot, user logs in again, enters passwords in Mail, immediate connection to the mail server and expected behavior from Mail.app.


On a network-user machine in a multi-user environment, the next user will have to repeat the entire procedure above, including the reboot, to get access to the contents of the mail server. The first user in the example above will have to repeat it if they come back to the same machine and log in again.


This is what we are doing now. It appears that it would work on a personal machine with local users and has solved a lot of issues in the forum. It is helping but does not solve the keychain problem for network users.


Does anyone have any advice?


Thanks.


-Erich

OS X Server

Posted on Jan 10, 2014 6:34 PM


278 replies
Question marked as Best reply

Jan 28, 2017 12:32 PM in response to macmartin

It is our experience that it is still a problem, in fact several different problems. 😟


Whilst there are many issues two of the major ones are -


  1. The 'new' local items keychain used for Apple programs' passwords (e.g. Mail, Contacts, etc.) is stored in a per-machine-specific folder, rendering it unusable for hot-desking.
  2. Each new version of OS X has increased the use of SQLite databases to store settings and data, and when used over a network (as with network home directories) these either get corrupted or locked so they cannot be used, making programs like Mail, Contacts, and even Safari unusable. Recent new uses include the local items keychain itself and the new suggestions database for Spotlight and for looking up contacts and calendar entries in emails, etc.


While I am still in the process of reporting these issues to Apple, especially the new SQLite problems, I am in the process of changing all our users and giving up on network home directories. 😟

Jan 28, 2017 11:18 AM in response to Erich Wetzel

Hello there,


I kind of gave up on this and forced my users to work with local accounts.

When changing their desk they have to carry their iMacs under their arms to the new location, which is very annoying.


Now I am thinking about upgrading from Yosemite to Sierra (Server and clients).


The question is:

Can I dare to set up network accounts again, or will this again lead to chaos?


Please share your experiences!


Best regards from Nuremberg, Germany

Martin

Jan 29, 2017 4:29 PM in response to John Lockwood

here it is again 🙂 no profanity 🙂



Hi all,


I have given up on Network Homes and have pushed all our students to use Guest login. With a bit of scripting and tweaking of the skeleton folders for Guests, I have managed to have some things changed as we need them to be changed.




Downside to guest is that the students need to enter their password every time they log in, but at least Office, Adobe, Dropbox, Firefox and the rest will work as expected....




Shame on Apple for allowing this sort of "thing" to go on and on for the last 4 years, but I guess they want us all to move to Windows!!




All our servers as of this year are now on Windows and Linux, so no more Apple Server apps for us... what was that app about anyway... Rant over.




In short, don't use Network Homes, think creatively and don't use the Apple Server app any more; Windows Server works and has not changed functionality for the last 17 years!!




Adi

Jan 30, 2017 1:56 AM in response to PSC-Admin

Just to make it clear to everyone, whilst a Windows or Linux server might be more reliable as a file server for network home directories it will not fix the many issues involved with network home directories including the fact that the local items keychain is machine specific, and the fact that SQLite databases as used by the local items keychain, Safari, Mail, Contacts, and Suggestions/Spotlight get either corrupted or locked. 😟


(I have already tried a Linux server.)

Jan 30, 2017 2:21 PM in response to John Lockwood

Hi John,


You are completely right, it will not solve any of the Network Home issues we have been talking about here... What I am saying is that a Linux or Windows server will do everything better than Apple's Server app in any network environment, and as a network administrator/systems admin/whatever you call yourself, we need to stop thinking that Apple is going to solve this, because they will not, and start thinking more creatively to allow yourself smooth network operations and satisfied users.


I still have one Apple Server app running; I need that for all the Profile Manager bits and the scripts and the customization of the 126 iMacs we have here. I am however using Linux servers for services for our 500 students and Windows Server for authentication.....


We have moved all our documents and learning materials into Office 365 and Moodle. We use SSO, so even though passwords are only saved for the session that the Guest is logged on to the computer for, it is one password that students/staff use to access all the services and servers they need.


Adi

Jan 10, 2014 7:01 PM in response to Erich Wetzel

Further details:


Mail server is accessible and authenticates via phone or non-network user manually connecting a mail client.


After successful login :


Moved the mail account keychain password item from the "Local items" keychain to the "login" keychain.


Copy was successful but Mail for the network users we are using is clearly looking at Local Items keychain because on next login Mail could not connect.


Attempted to move the mail account password item back to "Local Items" and an error indicated that there is "no keychain available".


Something is really wrong with this. I'd be ok with the system not keeping the password if it would just send it to the mail server. It is failing at trying to save it and simply never sending it along.

Jan 29, 2014 4:05 AM in response to robertoraskovsky

Just spoke to Apple Enterprise Support...

~/Library/Keychains/ holds a keychain with the name of the UUID of the specific machine you have logged into.


I removed all items in ~/Library/Keychains/ and logged out/in. I had to enter the password once, and the issue seemed to go away. I checked the Keychain app and the passwords did list in there. I have logged out and in again since, and the issue seems to have gone away...


Apple also suggested using iCloud to sync Keychains, but this would be impractical for a large number of users. We have 7 or so users, so this isn't a major concern, but I will give this a go next. What this will do is still create a keychain with the UUID of the machine, but then also an iCloud keychain, and sync the keychain data between them.

Jan 29, 2014 6:04 AM in response to robertoraskovsky

robertoraskovsky,


That does solve the issue as long as another network user doesn't log in to the same computer. Once one does, you may have to delete keychains and start over again.


I will not offload the security credentials of our users to iCloud. Not an acceptable solution to me. Just something else to worry about going wrong.


They have requested some information from me on a bug report submission about this so we at least know that Apple is familiar with the problem.

Jan 29, 2014 8:42 AM in response to Erich Wetzel

Apparently Apple are working on a new method which would not require iCloud for syncing Keychains, but I very much doubt that will be a quick fix. I submitted information too, so will wait and hear what they say. Interesting you say about another network user logging in; after you said that I tried it and sure enough it did re-occur. It's so frustrating!!! Thanks for the info so far though, glad to see I'm not the only one with these issues!


Rob

Jan 29, 2014 1:12 PM in response to robertoraskovsky

Well, for me it did not solve anything. I just deleted the whole Keychains directory, logged in again and tried to enter the passwords for the mail accounts. I had to re-enter them again and again. Nothing worked. I just checked the server where my mail accounts are located. When I tried to log in from the laptop through the profile stored on my server, the login information is empty. When I log in with the account on the server where the profile is located and I use my mail program, then everything works fine. The login information at the mail server is correct. So it seems that Mail and the server profile have some problems working together.

Jan 29, 2014 2:11 PM in response to Erich Wetzel

Yes.

I'm using 10.9.1 on server and clients, using OD and Profile Manager to push the email configuration to the clients. I am however using an external mail server; I don't think mail is the issue, as I also have problems getting Calendar and Contacts passwords to "stick". It looks like a more general Profile Manager, Network User, Keychain issue. Local user accounts are not affected.


Removing the keychain only seems to be a very temporary fix.


I have moved all clients to local users until this problem is fixed. Does anybody know, if I don't use Profile Manager to push the mail config to the clients, does the problem still occur?
