Erich Wetzel

Q: Mavericks Server Keychain not properly storing information for network users.

OS 10.9.1, Server 3.0.2. Clients on OS 10.9.1 bound to the server's Open Directory and managed with Profile Manager. 10.6.8 Mail server bound to the 10.9.1 server's Open Directory. Messages is running on the 10.9.1 server which hosts the users.

changeip -checkhostname indicates DNS is correct for the server. The server is running on a FQDN, no .local or other DNS issues.

For everything below: the Keychain for any of the users does not need to be repaired.

Generally things are going well with one exception, which is a big problem.

Each time a network user logs in and tries to use either Mail (to connect to our mail server via IMAP) or Messages, they are prompted for passwords. Messages takes the password and logs in. Mail acts as though the password was incorrect and asks for it again; it does not pass the connection to the mail server. There is no trace of the attempted login in the mail server logs.

Functional workarounds:

1 - OS reinstall allows immediate login on the mail server and connections as expected. This is a little too much for day to day use.

2 - (From somewhere in the forums, forgot who, sorry) User login, go to the user's network home/Library/Keychains and move any keychains with long strings of letters and numbers as name to another folder or put them in the trash, immediately reboot, user login again, enter passwords in Mail, immediate connection to the mail server and expected behavior from Mail.app.

As a network user machine in a multi-user environment, the next user will have to repeat the entire procedure above, including the reboot, to get access to the contents of the mail server. The first user in the example above will have to repeat it if they come back to the same machine and log in again.

This is what we are doing now. It appears that it would work on a personal machine with local users and has solved a lot of issues in the forum. It is helping but does not solve the keychain problem for network users.

Does anyone have any advice?

Thanks.

-Erich

OS X Server

Posted on Jan 10, 2014 6:42 PM


first Previous Page 17 of 19 last Next
  • by Luda24, Level 1 (4 points), May 24, 2016 1:33 AM in response to John Lockwood

    The keychain management is very strange.

    With the script my keychain works, but if I use another computer in our network, I have to set all passwords again.

    In ~/Library/Keychains every client generates its own folder (named by Hardware-UUID) !?!

    This is OK for an enterprise, but not for a school. We have to work in different rooms on different computers.

    [Screenshot attached: Bildschirmfoto 2016-05-24 um 10.13.34.png]

    Any idea to resolve this problem?

    PS. I am still using Workgroup Manager. Anyone here using Profile Manager without problems?? Then I will change too ;-)

    PPS: I have to upgrade 200 computers from 10.8.4 to El Capitan. HELP, HELP, HELP, there are many new problems.

  • by Gerard Dirks, Level 1 (38 points), Desktops, May 24, 2016 1:59 AM in response to Luda24

    Welcome to the family.

    Here in Switzerland there are about a dozen "school administrators" who are getting crazy because of the bugs & changes by Apple. The problems started after 10.9.2 and are still not solved; even worse, Apple has no intention to solve it.

    You write that this is OK for enterprises, but this is not OK for them. They had the same problem when their employees were swapping between different iMacs.

    As Apple told us, we are old fashioned and need to think to work in another way (e.g. giving all people a personal device). We are not old fashioned, they are mad and arrogant.

    Regards

    Gérard

  • by John Lockwood, Level 6 (9,260 points), Servers Enterprise, May 24, 2016 2:12 AM in response to Luda24

    One of the (now, I believe, at least six different) Network Home Directory issues is that passwords for Mail, Calendar and Contacts are now stored in the 'Local Items' keychain, which is the one stored via a hardware UUID. This means if the user hot-desks between computers these passwords do not follow them, because they are tied to a specific computer. Prior to Mavericks, which introduced the dreaded Local Items keychain, the only keychain used was Login, which is not tied to a specific computer.

    Other than the user using the same computer each time, the only other possibility I see is to write a login hook or login daemon which renames the folder to the correct UUID. It is not clear if a login hook or login daemon will run early enough in the login process; it needs to happen before the user is completely logged in and before the operating system has tried to load the Local Items keychain. Here is a script which gets the Mac's UUID.

    system_profiler SPHardwareDataType | awk '/ UUID/ { print $3; }'

    You need to be careful, as it is normal to have multiple folders with UUID names in ~/Library/Keychains because by now many of the users will have used multiple Macs and generated multiple Local Items keychains. You could try and be clever in whatever script you write and look for the most recently created one.

    Yes, I am using Profile Manager with no particular problems and I have in general switched to it and stopped using Workgroup Manager.
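An added example (my code, not anything posted in this thread) of the login-hook idea John Lockwood sketches above: it reads the Mac's hardware UUID with the same system_profiler command, finds the most recently modified UUID-named folder in the user's ~/Library/Keychains (ignoring login.keychain, tmp and plain files), and, only if no entry for the current Mac's UUID exists yet, links that folder under the current UUID. It never deletes or renames existing folders, so a wrong guess costs nothing. Assumptions that are mine, not the thread's: the hook receives the short user name as $1, folder mtime stands in for "most recently created", and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): login-hook helpers for the "rename the
# Local Items folder to the current hardware UUID" idea. It links, never
# deletes. Assumptions: $1 is the short user name; mtime ~ creation time.

# 8-4-4-4-12 hex groups, the shape of a hardware-UUID folder name
UUID_RE='^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'

# Print this Mac's hardware UUID (macOS only; fails elsewhere).
hardware_uuid() {
    command -v system_profiler >/dev/null 2>&1 || return 1
    system_profiler SPHardwareDataType | awk '/Hardware UUID/ { print $3 }'
}

# Print the name of the most recently modified UUID-named directory in $1,
# skipping plain files and non-UUID names such as login.keychain or tmp.
# Status 1 when there is no candidate.
newest_uuid_dir() {
    keychains="$1"
    [ -d "$keychains" ] || return 1
    name=$(ls -td "$keychains"/*/ 2>/dev/null \
        | while IFS= read -r d; do basename "$d"; done \
        | grep -E "$UUID_RE" | head -n 1)
    [ -n "$name" ] || return 1
    printf '%s\n' "$name"
}

# Make $1/$2 (keychains dir, current UUID) resolve to the newest existing
# UUID folder through a relative symlink.
# Status: 0 link created, 1 an entry for this UUID already exists, 2 no candidate.
link_local_items() {
    keychains="$1"
    uuid="$2"
    [ -e "$keychains/$uuid" ] && return 1
    src=$(newest_uuid_dir "$keychains") || return 2
    ln -s "$src" "$keychains/$uuid"
}

main() {
    user="$1"
    [ -n "$user" ] || { echo "usage: $0 <short username>" >&2; return 64; }
    eval home=~"$user"   # same expansion trick as Luda24's scripts
    uuid=$(hardware_uuid) || { echo "cannot determine hardware UUID" >&2; return 1; }
    link_local_items "$home/Library/Keychains" "$uuid"
}

# Only run main when executed as loginhook.sh, so the functions can also be sourced.
case "$0" in
    */loginhook.sh|loginhook.sh) main "$@" ;;
esac
```

Registering it works the same way EOC Admin shows later for the LogoutHook, with the LoginHook key instead. Two caveats that the thread itself raises: John's open question whether a login hook runs before the OS loads the Local Items keychain is not answered by this script, and Luda24 reports further down that a copied keychain-2.db only works on the computer it came from, so a linked folder may still not unlock on another Mac.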

  • by PSC-Admin, Level 1 (4 points), Servers Enterprise, May 24, 2016 7:37 PM in response to John Lockwood

    Hello all,

    the keychain redirection works fine and it has made the Keychain very stable in our school. By stable I mean no more corruption in the middle of logged-in sessions, no more corruption when you log off and no more corruption when you restart.

    We are a school of 800 users, network accounts all; we have 120 iMacs and a lot of servers, 14 in all, and 6 of them are Apple servers. Our main OD server is still on 10.6.8 and yes, I use WM still for some things and PM for other things.

    So, I thought all was good until we introduced Office 365. Problems started again. For some reason Office 365 cannot write to the redirected Keychain and now we have to go back to Office 2011. I have tried everything on the keychain folder, even chmod 777, but no go. So I wonder how many other applications will have issues with an aliased Keychain folder.

    Anyway, I am not here for a solution, just wanted to say that Apple is making a huge mistake here in not listening to 17 pages of this post and many other REAL LIFE issues that end users have, since 10.6.8 really. I am tired of Apple WWDC sprucing up a new operating system every year with "many new features" and many, many more bugs; instead they should just focus on enhancing the system they have and fixing all the bugs in the one they have!

    We are going to shut down all our Apple servers by the end of this year, except one until I get Casper Suite or Centrify, and move to Windows Server, as I am in the process of testing it right now. All good so far, even network homes work nicely.

    Like I said, redirect works and yes, I told my users that when they move machine they will have to re-enter their passwords, but that is only once and that is it.

    Adi

  • by Gerard Dirks, Level 1 (38 points), Desktops, May 24, 2016 8:00 PM in response to PSC-Admin

    Hello Adi

    What you plan to do is exactly what Apple wanted. They want all business users to go off using Apple products and in future only work with mobile devices.

    They refuse to listen to us. Network Users & Mobile Home Folders are not future options for Apple. I don't know if switching to Windows Server is a solution. I suppose in one or two years the Redmond people come with the same ideas (under a new name). Trying to mount to Windows Server with the SMB mount would be the next pain in the a s s option. The Apple implementation of SMB is useless because it still doesn't work properly after years. Only because they refuse to implement the open source SMB code and try to work with their own, very bad code, this will not be your solution. It is more or less a choice between pest and cholera.

    I have no interest anymore in wasting time talking to Apple and trying to find solutions. They play with you, don't take you seriously and go their own way on the road named "Cul de Sac".

    Gérard

  • by Luda24, Level 1 (4 points), May 29, 2016 4:03 AM in response to John Lockwood

    I am working hard on the login.sh and logout.sh.

    We need login and logout in a school on 200 identical computers.

    Most problems are solved with the scripts.

    We clean ByHost and the Saved Application State on every logout.

    I copy the keychain-2.db to a temporary folder and I save the icloudlogin from ByHost.

    #! /bin/bash
    # logout.sh
    # solves many problems of managed users in elCapitan
    # by Luda Wieland (thanks to Jeff Ochsner and John Lockwood)
    # loginwindow runs this hook as root with the short user name as $1

    username="$1"
    logger "logout.sh $username"

    # local users need none of this cleanup
    Local=$(dscl . -list /Users | grep -x "$username")
    if [[ "$username" == "$Local" ]]; then
        exit 0
    fi

    # home_loc like /Network/Servers/my.server.ch/Volumes/Daten/Lehrer/wiel
    eval home_loc=~"$username"
    UUID=$(system_profiler SPHardwareDataType | grep 'Hardware UUID' | awk '{print $3}')

    #printqueue delete
    lprm -

    #term processes and wait
    killall -15 -u "$username"
    sleep 5
    #if not terminated, kill them
    killall -9 -u "$username"

    #delete empty plists
    find "$home_loc/Library/Preferences" -empty -type f -delete
    #delete temporary plists
    rm -f "$home_loc"/Library/Preferences/*.plist.*
    #save icloudpassword and delete all in ByHost, "Saved Application State" and Caches
    mkdir -p "$home_loc/Library/Preferences/ByHost/tmp"
    cp -p    "$home_loc/Library/Preferences/ByHost/com.apple.coreservices.appleidauthenticationinfo.$UUID.plist" "$home_loc/Library/Preferences/ByHost/tmp/saved.icloudlogin.plist"
    rm -f    "$home_loc"/Library/Preferences/ByHost/*
    rm -rdf  "$home_loc"/Library/Preferences/Saved\ Application\ State/*
    rm -rdf  "$home_loc"/Library/Caches/*

    #save Keychain-2 from this Host in dir tmp
    mkdir -p "$home_loc/Library/Keychains/tmp"
    cp -p "$home_loc/Library/Keychains/$UUID"/* "$home_loc/Library/Keychains/tmp/"

    # Unmount network home directory share if left mounted after user logs out
    mountpath=$(mount | grep /Network/Servers/ | awk '{print $3}')
    if [ "$mountpath" != "" ]
    then
      umount -f $mountpath
      logger "logout.sh unmounted: $mountpath "
    fi

    # Delete old stuff from /private/var/folders - mainly cache files after user logs out
    # find /private/var/folders/* -type d -mtime 1 -exec rm -rf {} \;

    logger "logout.sh finished for $username"
    exit 0


    On login, I copy the stored icloudlogin back, create the machine UUID folder in Keychains and copy back the stored keychain-2.db.

    icloudlogin works; the keychain-2.db hack works only on the same computer. I commented it out.

    Help me to find a possibility to take the keychain with me from computer to computer.

    At the moment I have to re-enter all Mail passwords on every computer and I lose all stored Safari passwords :-(( .


    #! /bin/bash
    # login.sh
    # solves some problems of managed users
    # by Luda Wieland (thanks to Jeff Ochsner and John Lockwood)
    # loginwindow runs this hook as root with the short user name as $1

    username="$1"
    Local=$(dscl . -list /Users | grep -x "$username")
    if [[ "$username" == "$Local" ]]; then
        logger  "login.sh $username is a local user"
        exit 0
    fi

    logger  "login.sh $username is a network managed user"

    # home_loc e.g. /Network/Servers/xserver.domain.ch/Volumes/Daten/Lehrer/wiel
    eval home_loc=~"$username"
    UUID=$(system_profiler SPHardwareDataType | grep 'Hardware UUID' | awk '{print $3}')

    #restore Keychain from dir tmp to this host
    #will not work: keychain-2.db contains local data ?!?
    #if [ -d "$home_loc/Library/Keychains/tmp" ]
    #then
    #    mkdir -p "$home_loc/Library/Keychains/$UUID"
    #    cp -pf "$home_loc/Library/Keychains/tmp"/* "$home_loc/Library/Keychains/$UUID"
    #fi

    #restore icloudpassword with UUID
    if [ -f "$home_loc/Library/Preferences/ByHost/tmp/saved.icloudlogin.plist" ]
    then
      cp -p "$home_loc/Library/Preferences/ByHost/tmp/saved.icloudlogin.plist" "$home_loc/Library/Preferences/ByHost/com.apple.coreservices.appleidauthenticationinfo.$UUID.plist"
    fi

    exit 0


    Please try my script and help to find a solution to restore the Keychains.

    Best regards

    Luda

  • by EOC Admin, Level 1 (9 points), Servers Enterprise, May 31, 2016 8:51 AM in response to EOC Admin

    Forgot to add the following very important step to my post to get it to work:

    sudo defaults write com.apple.loginwindow LogoutHook /usr/local/bin/scripts/logout_helper.sh

  • by Luda24, Level 1 (4 points), Jun 8, 2016 12:16 AM in response to Luda24

    Remarks:

    killall

    If you do not kill the processes, you have to restart the computer after every logout.

    It's crazy to kill all processes during / before logout.

    It's perhaps better to kill them later.

    So I tried this:

    #logout the user normally, wait and kill all processes later
    sleep 15 && killall -9 -u "$username" &

    And it works fine (better) ....

    keychain-2.db

    I would like to restore the saved Mail and Safari passwords (keychain-2.db) on every managed computer.

    Until now, no success. What nonsense to store a different keychain on every computer!

    At the moment I have to enter all passwords on every computer I use.

    Do you know any solution?

    My new logout.sh:

    #! /bin/bash
    # logout.sh
    # solves many problems of managed users in elCapitan
    # by Luda Wieland (thanks to Jeff Ochsner and John Lockwood)
    # loginwindow runs this hook as root with the short user name as $1

    username="$1"
    logger "logout.sh $username"

    # local users need no cleanup: just make sure their processes go away later
    Local=$(dscl . -list /Users | grep -x "$username")
    if [[ "$username" == "$Local" ]]; then
        sleep 15 && killall -9 -u "$username" &
        exit 0
    fi

    # home_loc like /Network/Servers/my.server.ch/Volumes/Daten/Lehrer/wiel
    eval home_loc=~"$username"
    UUID=$(system_profiler SPHardwareDataType | grep 'Hardware UUID' | awk '{print $3}')

    #printqueue delete
    lprm -

    #delete empty plists
    find "$home_loc/Library/Preferences" -empty -type f -delete
    #delete temporary plists
    rm -f "$home_loc"/Library/Preferences/*.plist.*
    #save icloudpassword and delete all in ByHost, "Saved Application State" and Caches
    mkdir -p "$home_loc/Library/Preferences/ByHost/tmp"
    cp -p    "$home_loc/Library/Preferences/ByHost/com.apple.coreservices.appleidauthenticationinfo.$UUID.plist" "$home_loc/Library/Preferences/ByHost/tmp/saved.icloudlogin.plist"
    rm -f    "$home_loc"/Library/Preferences/ByHost/*
    rm -rdf  "$home_loc"/Library/Preferences/Saved\ Application\ State/*
    rm -rdf  "$home_loc"/Library/Caches/*

    #save Keychain-2 from this Host in dir tmp (restoring will not work at the moment)
    mkdir -p "$home_loc/Library/Keychains/tmp"
    cp -p "$home_loc/Library/Keychains/$UUID"/* "$home_loc/Library/Keychains/tmp/"

    # Unmount network home directory share if left mounted after user logs out
    #mountpath=$(mount | grep /Network/Servers/ | awk '{print $3}')
    #if [ "$mountpath" != "" ]
    #then
    #  umount -f $mountpath
    #  logger "logout.sh unmounted: $mountpath "
    #fi

    # Delete old stuff from /private/var/folders - mainly cache files after user logs out
    # find /private/var/folders/* -type d -mtime 1 -exec rm -rf {} \;

    #logout the user normally, wait and kill all processes later
    #(backgrounded so the hook returns immediately and logout is not delayed)
    sleep 15 && killall -9 -u "$username" &

    logger "logout.sh finished for $username"
    exit 0

  • by Gerard Dirks, Level 1 (38 points), Desktops, Jun 21, 2016 3:10 AM in response to Luda24

    Hello Luda

    I am also based in Switzerland and still have this case open at Apple Support. Exactly as you described, I have the same problem:

        At the moment I have to re-enter all Mail passwords on every computer and I lose all stored Safari passwords :-(( .

    A workaround is OK for me for a newly detected bug but not for an issue which has been open now for 2 1/2 years. Apple should fix all these bugs instead of implementing new features that nobody needs!!! (Siri here in Switzerland in 10.12 is useless, the answers you get are false)

    I have no interest in beta testing scripts. That should be Apple's job. The problem is reproducible on every new server with network users. They could set up a lab environment and debug the whole network!

    The most important issue for me is still the following: "I want to know from Apple why they changed the location of the Keychain from the network user to the local machine." This is a No-Go for schools like yours. If you have 200 students who are able to use each machine, you have a full-time job only for testing and configuring your environment. I have gone so far as to install Thunderbird as mail client and everything works like a charm!

    ps. Once again this question: in this thread mostly half the persons are German or Swiss-German based. Is it maybe a bug which occurs in the German system settings?

  • by Christoph Ewering1, Level 1 (18 points), Mac OS X, Jun 21, 2016 9:29 AM in response to Gerard Dirks

    Sorry, but my last reply was censored by Apple - it was removed immediately.

    It contained some unfriendly words and some test experiences.

    Apple has enough resources to censor discussion groups but not enough manpower to fix a terrible bug in two years.

    Maybe it is my fault - excuse me - I stumbled over this bug and talked about it in public. I will never do this again. Sorry for trying to help make OS X the best OS on our planet.

    Bye,

    Christoph

  • by John Lockwood, Level 6 (9,260 points), Servers Enterprise, Jun 21, 2016 10:03 AM in response to Christoph Ewering1

    Christoph Ewering1 wrote:

        Sorry, but my last reply was censored by Apple - it was removed immediately.

        It contained some unfriendly words and some test experiences.

        Apple has enough resources to censor discussion groups but not enough manpower to fix a terrible bug in two years.

        Maybe it is my fault - excuse me - I stumbled over this bug and talked about it in public. I will never do this again. Sorry for trying to help make OS X the best OS on our planet.

        Bye,

        Christoph

    We share your pain - literally.

    You could sign up for the public beta of macOS Sierra next month, i.e. July, and (cough!) test it and, 'assuming' the bug is still present, file a bug report.

    Of course many people have already done this for Mavericks, Yosemite and El Capitan. (Hint to Apple - this is why this loooooong thread is called Mavericks Server Keychain - because this bug is that old.)

    There is no danger of Apple breaking any records for how old a bug is - Microsoft easily beats them there.

  • by EOC Admin, Level 1 (9 points), Servers Enterprise, Jun 21, 2016 11:56 AM in response to Gerard Dirks

    This is not just a non-English configuration issue. I'm in Indiana in the US and have the same problem. This is definitely an OS thing. I really think Apple is trying to push users out of a Mac server-client environment and just wants to have their devices used for entertainment purposes. Apple seems to have no interest in their devices being used for productivity anymore. We can all just sit back and watch their market share wane as people move to Windows and Linux environments. Sad.

  • by PSC-Admin, Level 1 (4 points), Servers Enterprise, Jun 21, 2016 4:29 PM in response to EOC Admin

    Like I said in my last post, we are already looking at Windows 2012R2 and Exchange for all our 700+ users in our school. I don't think Apple will ever fix this issue, as this is not where their main cash cow is; very unfortunate.

    We have all come up with workarounds; why cannot a company that has billions of dollars come up with decent engineering and development, or has heard of the saying "if it ain't broke, don't try to fix it"?

    It is coming to the end of our school year, so we will be reinstalling the 120 machines. This now means an extra job in saving all users' redirected keychain folders and then moving them back again.

    Whatever....

  • by John Agapitos, Level 1 (29 points), Jun 22, 2016 2:28 AM in response to PSC-Admin

    Please Apple, fix this issue. I'm begging!

  • by Christoph Ewering1, Level 1 (18 points), Mac OS X, Jun 22, 2016 11:20 PM in response to John Agapitos

    Hello John!

    Apple did not react to bug reports, they did not react to discussions, they did not respond to feedback!

    After one and a half years they started removing items because of NDA - that's all.

    Think about any other way to make yourself heard - if you have the possibility, tell it to some tech journalist - maybe they are strong enough to stand against the stupidity of Apple's bug management.

    I gave up.

    Bye,

    Christoph

    P.S. If Apple wants to go the mass-market way - no problem, they should tell us, so we can make the right decisions for our business.
