Erich Wetzel

Q: Mavericks Server Keychain not properly storing information network users.

OS 10.9.1, Server 3.0.2. Clients OS 10.9.1 bound to server Open Directory and managed with Profile Manager. 10.6.8 Mail server bound to 10.9.1 server Open Directory. Messages is running on the 10.9.1 server which hosts the users.

Changeip -checkhostname indicates DNS is correct for the server. Server is running on a FQDN, no .local or other DNS issues.

For everything below: the Keychain for any of the users does not need to be repaired.

Generally things are going well with one exception which is a big problem.

Each time a network user logs in and tries to use either Mail (to connect to our mail server via IMAP) or Messages, they are prompted for passwords. Messages takes the password and logs in. Mail acts as though the password was incorrect and asks for it again; it does not pass the connection to the mail server. There is no trace of the attempted login in the mail server logs.

Functional workarounds:

1 - OS reinstall allows immediate login on the mail server and connections as expected. This is a little too much for day to day use.

2 - (From somewhere in the forums, forgot who, sorry) User logs in, go to the user's network home/Library/Keychains and move any keychains with long strings of letters and numbers as their name to another folder or put them in the trash, immediately reboot, user logs in again, enters passwords in Mail, immediate connection to the mail server and expected behavior from Mail.app.

As a network user machine in a multi-user environment, the next user will have to repeat the entire procedure above, including the reboot, to get access to the contents of the mail server. The first user in the example above will have to repeat it if they come back to the same machine and log in again.

This is what we are doing now. It appears that it would work on a personal machine with local users and has solved a lot of issues in the forum. It is helping but does not solve the keychain problem for network users.

Does anyone have any advice?

Thanks.

-Erich

OS X Server

Posted on Jan 10, 2014 6:42 PM
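Workaround 2 in the question above, written out as a small script so an admin can run it for a network user instead of moving folders by hand. This is an added example, not the poster's own procedure: it assumes the "long strings of letters and numbers" are UUID-shaped names (the regex below), and the ~/Library/Keychains layout it runs on is constructed inside the script. Nothing is deleted; the matching entries are moved into a timestamped folder so they can be restored if a password that only lived there is still needed.

```python
"""Move aside the UUID-named entries in a network user's ~/Library/Keychains.

Added example, not the question's own script. Assumptions: the entries to move
have UUID-shaped names (UUID_LIKE); the sample home folder in demo() is
constructed for the example."""
import os
import re
import shutil
import tempfile
from datetime import datetime

# A name such as "0123ABCD-4567-89EF-0123-456789ABCDEF" (hex digits and dashes).
# Assumption: this is the "long string of letters and numbers" named in the post.
UUID_LIKE = re.compile(r"^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")


def uuid_named_entries(keychains_dir):
    """Return the entries in keychains_dir whose names look like a UUID."""
    return sorted(name for name in os.listdir(keychains_dir) if UUID_LIKE.match(name))


def move_aside(keychains_dir, backup_root):
    """Move every UUID-named entry into a timestamped folder under backup_root.

    Returns the list of names that were moved. Named keychains such as
    login.keychain are left in place, so the user's other saved items survive.
    """
    stamp = datetime.now().strftime("%Y%m%d-%H%M%S")
    dest = os.path.join(backup_root, f"keychains-{stamp}")
    moved = []
    for name in uuid_named_entries(keychains_dir):
        os.makedirs(dest, exist_ok=True)  # created only if something matches
        shutil.move(os.path.join(keychains_dir, name), os.path.join(dest, name))
        moved.append(name)
    return moved


def demo():
    """Run the procedure on a constructed ~/Library/Keychains and report
    (moved names, names still present)."""
    home = tempfile.mkdtemp(prefix="nethome-")
    kc = os.path.join(home, "Library", "Keychains")
    os.makedirs(os.path.join(kc, "0123ABCD-4567-89EF-0123-456789ABCDEF"))
    open(os.path.join(kc, "login.keychain"), "wb").close()
    open(os.path.join(kc, "metadata.keychain"), "wb").close()
    moved = move_aside(kc, os.path.join(home, "Desktop"))
    remaining = sorted(os.listdir(kc))
    shutil.rmtree(home)
    return moved, remaining


if __name__ == "__main__":
    print(demo())
```

Run it against the real path (`move_aside(os.path.expanduser("~/Library/Keychains"), os.path.expanduser("~/Desktop"))`) before the reboot the post calls for; the reboot step itself is still required, the script only replaces the drag-to-another-folder part.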

first Previous Page 15 of 19 last Next
  • by Robert Hrovat, Level 1 (9 points), Dec 8, 2015 1:16 PM in response to Erich Wetzel

    Hi Erich

    I agree with you - Profile Manager will be the future whether we like it or not. But sometimes some settings can't be set without Workgroup Manager, that's why I still use it.

    There's one thing everybody should know about WGM:

    Although Apple says that it isn't compatible with 10.10 or newer, it still is:

    It's true, you can't install it on 10.10 or a newer system - the installer blocks the installation. But if you copy an installed version of WGM from a pre-10.10 system, it works, even under 10.11.1.

    Robert

  • by Gerard Dirks, Level 1 (38 points), Desktops, Dec 8, 2015 1:37 PM in response to Robert Hrovat

    I use the WGM also in my test environment of 10.10 & 10.11. It works in general but when I contact Apple with a problem they refuse to help because they will not support it.

    If they tell me how I can use all the features of WGM with the Profile Manager it will be fine, but I never found any comparison table of both programs.

    The answer is no. The PM is a *******. I would love to know why Apple killed such programs and replaced them with this useless software. This is named as strategy, but nobody knows what the Apple strategy is.

    They had a smooth Server 10.6.8 with Server Admin.app & WGM. Never had a problem. Now 5 years later we have a completely buggy environment with one of the bugs named in the title of this thread "Mavericks Server Keychain not properly storing". We always learn "never change a winning horse". But Apple changed everything and I would say none of the professional users are satisfied with it!

    WHY? Arrogance, or are they really better? It shows they are not better because it doesn't work, so the first will be the correct interpretation!!!

  • by Gerard Dirks, Level 1 (38 points), Desktops, Dec 17, 2015 4:13 AM in response to Gerard Dirks

    Hello

    Yesterday I had an interesting talk with a supporter of the largest Swiss retail chain. Because of problems with one of their clients (a couple of hundred Macs) they escalated a case up to Cupertino.

    Summary: Problem is not solved and will not be solved!!! The way we are working is a "cul de sac". This is not the way Apple wants us to work, with Open Directory, network users, etc. This is OK for me. The problem I have with it is the way they did not communicate this to their "large accounts" clients.

    When you have sold hundreds of Macs to a client for a project and afterwards you hear this service will be discontinued, both have a real problem. The client has an unfinished project and the dealer has to take these Macs back because he was not able to integrate these systems in the environment of the client.

    They, Apple, ignore the wishes of the clients. I don't know how to state this correctly, but for me it is a sign of arrogance!

    Gérard

  • by Gerard Dirks, Level 1 (38 points), Desktops, Dec 17, 2015 4:40 AM in response to Gerard Dirks

    BTW

    I have not renewed my developer status at Apple. It is a waste of time and money! This is because in my opinion we are not working in a "cul-de-sac" way, but Apple will be in a "cul-de-sac" with their marketing & innovation strategy!

    Gérard

  • by Gerard Dirks, Level 1 (38 points), Desktops, Dec 17, 2015 11:57 PM in response to Gerard Dirks

    For those who don't believe it but are able to understand the German language! Here is the answer from one of the account managers (from the largest Apple reseller in Switzerland) to his client!

    Quote:

    We have now had a case escalated via Apple Switzerland up to Cupertino, and the matter is clear: Apple knows about the problems but will not (probably never) fix them, because network accounts do not fit "their strategy"... (Apple will never confirm this officially, but at least we now know that we have to switch from network accounts to local accounts.)

    Regards

    Gérard

  • by Phipsi, Level 1 (0 points), Jan 2, 2016 6:37 AM in response to Gerard Dirks

    I still don't understand why Apple then provides for network accounts in Server if it doesn't work anyway.

  • by scottsign11, Level 1 (0 points), Jan 14, 2016 7:03 AM in response to Erich Wetzel

    We experienced this problem and set up a workaround before finding this forum post.

    What we did was redirect ~/Library/Keychains to /Users/Shared/%@/Library/Keychains using MCXRedirector.

    In Profile Manager, go to the device group of your computers, then go to custom settings and set this up:

    [screenshot of the custom settings: pic.png, not reproduced]

    We also redirect Cache and the Adobe folder in Application Support. That's what Item 0 and Item 1 are.

    This permanently fixes the prompting for passwords, but it stores the keychain locally, so it won't travel to another computer.

    If the keychain really is that important, we can copy it from one computer to the next.

    This doesn't affect us much since our users typically only use one computer. We will only have to restore the keychain if we give them a new computer.

  • by Phipsi, Level 1 (0 points), Jan 19, 2016 11:43 AM in response to scottsign11

    Nice workaround

  • by macmartin, Level 2 (499 points), Jan 24, 2016 1:08 AM in response to Erich Wetzel

    In my opinion a server OS without the option to use network accounts is unusable in the long term.

    Even Windows Server has managed this for decades.

    OS X seems to degrade more and more into a colorful toy.

    *sigh*

    Greetings

    macmartin

  • by macmartin, Level 2 (499 points), Jan 24, 2016 1:20 AM in response to scottsign11

    I am very interested in your workaround.

    What does the %@ stand for?

    Is it a variable for the username?

    For me it is quite important that the users can switch computers at any time.

    So my idea is to store the keychains of any user on any computer.

    What access rights, owner and group settings are needed for the local keychains folders?

    Are there any additional steps needed when storing a new password in the keychain (e.g. when creating a new Mail account)?

    Best regards

    martin

  • by scottsign11, Level 1 (0 points), Jan 25, 2016 5:58 AM in response to macmartin

    Yes, that stands for the username.

    The entire folder stored in /Users/shared/username has the same permissions as if it were in their own Library. They have permissions but other users don't.

    I found that since upon first login the keychains folder is deleted and a new one is created on the local HDD, you have to restart the computer after they log in the first time so it starts using the new keychain.

  • by Christoph Ewering1, Level 1 (18 points), Mac OS X, Jan 25, 2016 1:41 PM in response to scottsign11

    Hello guys!

    I just started a new discussion under the El Capitan forum to get more responses and linked it with this discussion.

    I suggest that we go further at this link:

    network home user lead to damaged keychains - still no fix since Mavericks

    Bye,

    Christoph

  • by PSC-Admin, Level 1 (4 points), Servers Enterprise, Feb 6, 2016 2:45 AM in response to scottsign11

    Hi Scott,

    I want to thank you for that keychain fix. It made my life very very easy in the last week!

    I want to pick your brain and ask about the Adobe Application Support folder redirect: has that helped you with Adobe apps like Photoshop and Lightroom, or have you done it purely for Adobe Reader only?

    We are a photography college and we are finding that Adobe applications like InDesign and Premiere, maybe Lightroom, have been crashing our AFP network homes! I have always had Cache redirected, but never the Application Support folder. We have 3 labs, 126 iMacs with 10.10.5 OS, 3 x 10.6.8 Servers with network homes and a 10.10.5 Profile Manager Server.

    Also if I want to remove the redirected Cache folder with Profile Manager, what are the settings I need to add to Custom options?

    Any thoughts would be welcomed!

    Adi

  • by scottsign11, Level 1 (0 points), Feb 8, 2016 5:03 AM in response to PSC-Admin

    I'm glad that helped you. I think the fix helps everything Adobe-related if it stores any files in that Adobe folder, which Photoshop does (I'm not sure about Lightroom). I would try it and see how it works, because we found we had problems when it wasn't redirected. It will work better if the files are local to the computer.

    The four options for the symlinks are:

    • deleteAndCreateSymLink: Deletes the target folder in the home folder and creates a local symbolic link in its place.
    • renameAndCreateSymLink: Renames the target folder in the home folder and creates a local symbolic link in its place.
    • deletePath: Deletes the target folder in the home folder.
    • deleteSymLinkAndRestore: Deletes the symbolic link and restores the folder that was renamed by the renameAndCreateSymLink action.

    So if you want to delete the symlink, use deleteSymLinkAndRestore.
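The redirect scottsign11 describes (the Keychains, Cache and Adobe items, the %@ username placeholder, the four actions listed above, and the "same permissions as their own Library" answer to macmartin) as one script. This is an added example, not scottsign11's configuration or Apple's documentation of the redirector: it assumes the custom-settings payload uses the preference domain com.apple.MCXRedirector with a LoginRedirections array of action/path/destination dictionaries, and the Caches and Adobe destinations are constructed to mirror the Keychains one quoted in the thread. The permission check covers the point that matters when keychains land under /Users/Shared: the per-user folder must be owned by that user with no group or other bits, or every local account could read the other users' keychain files.

```python
"""Build the MCXRedirector custom-settings payload and check the local keychain
folder it points at is private to its user.

Added example, not the thread's own configuration. Assumptions: the
com.apple.MCXRedirector domain and LoginRedirections key layout; the Caches
and Adobe destinations; the sample folders in check_demo_permissions()."""
import os
import plistlib
import shutil
import stat
import tempfile

# The four actions listed in the reply above.
VALID_ACTIONS = frozenset({
    "deleteAndCreateSymLink",
    "renameAndCreateSymLink",
    "deletePath",
    "deleteSymLinkAndRestore",
})

DOMAIN = "com.apple.MCXRedirector"  # assumption: preference domain the redirector reads
LOGIN_KEY = "LoginRedirections"     # assumption: array applied at login


def is_valid_action(action):
    return action in VALID_ACTIONS


def make_redirection(path, destination, action="deleteAndCreateSymLink"):
    """One item of the redirections array; %@ in destination is the username."""
    if not is_valid_action(action):
        raise ValueError(f"unknown MCXRedirector action: {action}")
    if not path.startswith("~/"):
        raise ValueError("path must be inside the home folder, e.g. ~/Library/Keychains")
    return {"action": action, "path": path, "destination": destination}


# Item 0 and Item 1 as the post describes them (destinations constructed),
# Item 2 is the keychain redirect quoted in the post.
DEFAULT_REDIRECTIONS = [
    make_redirection("~/Library/Caches", "/Users/Shared/%@/Library/Caches"),
    make_redirection("~/Library/Application Support/Adobe",
                     "/Users/Shared/%@/Library/Application Support/Adobe"),
    make_redirection("~/Library/Keychains", "/Users/Shared/%@/Library/Keychains"),
]


def build_payload(redirections):
    return {DOMAIN: {LOGIN_KEY: list(redirections)}}


def to_plist(payload):
    """XML plist bytes, the form you paste into Profile Manager's custom settings."""
    return plistlib.dumps(payload, fmt=plistlib.FMT_XML, sort_keys=True)


def roundtrip_ok(payload):
    return plistlib.loads(to_plist(payload)) == payload


def undo_redirection(item):
    """The item that removes a symlink made with renameAndCreateSymLink
    (the answer to PSC-Admin's question about removing the Cache redirect)."""
    return dict(item, action="deleteSymLinkAndRestore")


def is_private_to(dirpath, uid):
    """True if dirpath is owned by uid and carries no group/other permission bits,
    i.e. it looks like the user's own ~/Library would."""
    st = os.stat(dirpath)
    return st.st_uid == uid and (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def check_demo_permissions():
    """Constructed /Users/Shared/<user>/Library/Keychains stand-ins: one private
    (0700) and one world-readable (0755). Returns (private_ok, shared_ok)."""
    root = tempfile.mkdtemp(prefix="shared-")
    good = os.path.join(root, "alice", "Library", "Keychains")
    bad = os.path.join(root, "bob", "Library", "Keychains")
    os.makedirs(good)
    os.chmod(good, 0o700)
    os.makedirs(bad)
    os.chmod(bad, 0o755)
    me = os.getuid()
    result = (is_private_to(good, me), is_private_to(bad, me))
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(to_plist(build_payload(DEFAULT_REDIRECTIONS)).decode())
    print(check_demo_permissions())
```

The XML the script prints is what goes into the custom settings pane; the first-login restart scottsign11 mentions still applies, because the symlink is created at login and the keychain daemon only picks up the new location after that. Run `is_private_to` over each folder under /Users/Shared on a lab machine to confirm the redirect has not left a user's keychain readable by the next person to log in.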

  • by Sleestak Prime, Level 1 (0 points), Feb 11, 2016 12:11 PM in response to Erich Wetzel

    I can say that the solution provided by Christoph in the following post seems to have resolved the keychain issue for us involving Mail prompting for a password if the users log out instead of restarting the computer when using network accounts on 10.10 clients.
