Erich Wetzel

Q: Mavericks Server Keychain not properly storing information network users.

OS 10.9.1, Server 3.0.2. Clients OS 10.9.1 bound to server Open Directory and managed with Profile Manager. 10.6.8 Mail server bound to 10.9.1 server Open Directory. Messages is running on the 10.9.1 server which hosts the users.

changeip -checkhostname indicates DNS is correct for the server. Server is running on a FQDN, no .local or other DNS issues.

For everything below: the Keychain for any of the users does not need to be repaired.

Generally things are going well with one exception, which is a big problem.

Each time a network user logs in and tries to use either Mail (to connect to our mail server via IMAP) or Messages, they are prompted for passwords. Messages takes the password and logs in. Mail acts as though the password was incorrect and asks for it again; it does not pass the connection to the mail server. There is no trace of the attempted login in the mail server logs.

Functional workarounds:

1 - OS reinstall allows immediate login on the mail server and connections as expected. This is a little too much for day to day use.

2 - (From somewhere in the forums, forgot who, sorry) User login, go to the user's network home/Library/Keychains and move any keychains with long strings of letters and numbers as names to another folder or put them in the trash, immediately reboot, user login again, enter passwords in Mail, immediate connection to the mail server and expected behavior from Mail.app.

As a network user machine in a multi-user environment, the next user will have to repeat the entire procedure above, including the reboot, to get access to the contents of the mail server. The first user in the example above will have to repeat it if they come back to the same machine and log in again.

This is what we are doing now. It appears that it would work on a personal machine with local users and has solved a lot of issues in the forum. It is helping but does not solve the keychain problem for network users.

Does anyone have any advice?

Thanks.

-Erich

OS X Server

Posted on Jan 10, 2014 6:42 PM
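Workaround 2 above, scripted as an added example that is not from the thread: it quarantines the per-Mac keychain directories (the ones named with long strings of letters and numbers, i.e. a Hardware UUID) in a network user's Library/Keychains without deleting anything, and reports any keychain database the system has already renamed as corrupt. The directory tree it is run on here is constructed for the demonstration; the KEEP_UUID argument and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread. Quarantine the UUID-named per-Mac
# keychain directories under a network home's Library/Keychains (the manual
# workaround above) and count databases already renamed as corrupt. Nothing
# is deleted: directories are moved to a backup folder so they can be restored.
# On macOS, this Mac's Hardware UUID (the directory to leave in place) is shown by:
#   system_profiler SPHardwareDataType | awk -F': ' '/Hardware UUID/ {print $2}'

UUID_RE='^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'

# is_uuid NAME: true when NAME has the 8-4-4-4-12 hex form of a Hardware UUID.
is_uuid() {
    printf '%s\n' "$1" | grep -Eq "$UUID_RE"
}

# count_corrupt KEYCHAINS_DIR: number of keychain files the system has renamed
# with "corrupt" in the name (like the keychain-2corrupt.db seen in this thread).
count_corrupt() {
    find "$1" -type f -name '*corrupt*' | wc -l | tr -d ' '
}

# quarantine_keychains KEYCHAINS_DIR BACKUP_DIR [KEEP_UUID]
# Moves every UUID-named directory from KEYCHAINS_DIR into BACKUP_DIR, leaving
# KEEP_UUID (this Mac's directory) in place when given. login.keychain and any
# other non-UUID entry are never touched. Prints the number of directories moved.
quarantine_keychains() {
    kdir=$1; backup=$2; keep=${3:-}; moved=0
    mkdir -p "$backup" || return 1
    for d in "$kdir"/*/; do
        d=${d%/}
        [ -d "$d" ] || continue
        name=$(basename "$d")
        is_uuid "$name" || continue
        if [ -n "$keep" ] && [ "$name" = "$keep" ]; then continue; fi
        dest="$backup/$name"
        # never move into an older copy of the same name (mv would nest it)
        if [ -e "$dest" ]; then dest="$dest.$(date +%s)"; fi
        mv "$d" "$dest" || return 1
        moved=$((moved + 1))
    done
    echo "$moved"
}
```

Run it against a copy of the affected user's Keychains folder first; the backup folder keeps every moved directory so a user can restore one if a password they need lives only there.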

  • by robertoraskovsky, Jul 23, 2014 1:29 PM in response to ziondotcom

    All I can pass on is what I was told on the phone today by Peter Sheahan. He said there are two clear bugs. One of which is being worked on and the other is fixed in Yosemite Server. This leads me to think they will not bother fixing it in Mavericks Server. I am just as annoyed as all of you are. Especially as the recommended workaround is to download the Yosemite Server pre-release which requires the $99 per year Mac Developer subscription! All for a piece of software which we all paid for and doesn't work! It's ridiculous...

    Edit: they also say that using Local Homes solves the issue. Not an option for me though.

  • by ajm_from_WA, Jul 23, 2014 2:04 PM in response to robertoraskovsky

    Very troublesome. Apparently they don't believe that very many people use Server for network user accounts? When it actually seems like one of the most significant reasons to use Server.

  • by robertoraskovsky, Jul 24, 2014 10:57 AM in response to Erich Wetzel

    I received another follow-up email from Apple... they are certainly good at communicating, just not fixing the issues!

    I have just received another response from the engineers regarding this issue.

    The option to purchase a developer account and receive the BETA software is not a workaround, it is an option if you wish to test that the issue is resolved in the next version, before rolling out the software when it is officially released to the public.
    The workaround at the moment is to not use network home folders, as other types of account work ok.

    There is a request in asking for the changes which have been applied in Yosemite and Server 4 to be rolled out in an update for Mavericks and Server 3. I will add your case to that request.

    There may be an option available to receive these updates pre-release, if they are rolled out to the current version.

    Please let me know if you would be willing to participate in this “software seed”, and the development team may contact you directly if this happens.

    I have asked to be involved with the software seed, so will be notified if any changes occur (hopefully).

  • by Richard Cartledge, Jul 24, 2014 1:10 PM in response to robertoraskovsky

    Might I ask what the problem could be server-side?
    I didn't think that would have anything to do with keychains unless stored on a home folder on the server, and even then it was just another folder of files saved or read by the client?

    Could it be that a keychain saved by one Mac on the server does not work properly on another Mac client?

    I did notice lots of keychain directories with unique strings of letters as though new ones were being spawned at every login.

  • by robertoraskovsky, Jul 24, 2014 1:25 PM in response to Richard Cartledge

    As far as I know, Keychains changed in Mavericks, so that a new keychain is created for every device, the name of which is the Hardware UUID of that machine. So in your network home ~/Library/Keychains directory, there will be a separate Keychain directory for each Mac the network user has logged into. The Hardware UUID of a Mac can be found in System Report under the Hardware menu item. This is how I discovered that the Keychains relate to each Mac.

    The issue seems to be related to Network Homes and these multiple keychains. More than that, I don't really know, I'm afraid.

  • by Richard Cartledge, Jul 24, 2014 1:54 PM in response to robertoraskovsky

    Thanks Robert, at first I thought they were being renamed randomly like preferences are when they are replaced (the old ones become something like):

    com.apple.spaces.plist.m4vX81M

    com.apple.spaces.plist

    but now I understand.

    I'll update a client to Yosemite 10.10 DP4 and test, then report back.

  • by ziondotcom, Jul 24, 2014 7:56 PM in response to Richard Cartledge

    Maybe the fix is a combo of client 10.10 and Server 4?

    Just to refresh, the latest 10.9.4 and latest Server 3.x behave as follows (even with all users using iCloud accounts for syncing):

    reboot
    login network home user 1 - prompted for mail password, saved, mail works, logout
    login network home user 2 - prompted for mail password, saved, mail works, logout
    login network home user 1 - prompted for mail password, password NOT saved, mail unable to go online...
    reboot

  • by robertoraskovsky, Aug 25, 2014 7:45 AM in response to robertoraskovsky

    I have just tested Yosemite Server 4 (August 4th Release) and Yosemite Latest Release OS, with Mavericks clients, and the issue still exists. So Apple once again are lying to me! I'm so fed up of this MAJOR issue.

  • by robertoraskovsky, Aug 26, 2014 2:50 AM in response to robertoraskovsky

    Latest from Apple is that this issue is a Server AND OS issue. Therefore to see a fix, what you apparently need to do is have Yosemite Server and Yosemite clients. This differs from what I have been told in the past. Anybody got a Yosemite test system we can test this with? I am reluctant to try this until Yosemite is public...

  • by Michel-D, Sep 27, 2014 8:40 AM in response to robertoraskovsky

    Robert,

    important to learn this news from Apple. However, again they seem to just forward problems into the future instead of providing a reliable server solution.

    With two server installations, this (and other) issues waste time and are just a nightmare for users and admins.

  • by ziondotcom, Sep 29, 2014 8:02 AM in response to Michel-D

    Because my server home-folder needs were only for two iMac clients and due to Apple's lack of interest to fix, I've abandoned the home shared folders. I've migrated the home folders off the server and back to one iMac and I'm now trying to sell the other iMac 2012 (barely used) so I can purchase a MacBook Air or Pro and let a single user be mobile. Sigh. Sorry many of you don't have that option. I would consider running a different Mail client as others have suggested as a fall-back plan. At least you can get mail working again.

  • by Philip GW, Oct 19, 2014 6:51 PM in response to Erich Wetzel

    I just created a test environment using Yosemite Server (4.0) and a Yosemite client. I could bounce back and forth between two network users (whose home folders reside on the server) and Mail would properly log in every time; HOWEVER, Safari's saved passwords would get hosed and new ones could not be added unless I wiped out the network user's Keychains folder, forcing the system to recreate them. They would function properly until I switched between network users, then the keychain would get corrupted again. While this is obviously disheartening, I did speak with a senior level support agent and we recreated the whole thing while he was screen sharing. He is attempting to replicate the issue on his system. Assuming he can, he will escalate it to engineering. I feel optimistic that this may be fixed once and for all. I pointed him to this thread for extra information. Hopefully, they will get to the bottom of this. I don't understand the point of Network Users with Network Home Folders if it flat doesn't work. I also don't understand why such a bug for a basic function of Server would get put off soooo long. It points to a lack of focus on small business users, whose demographic seems to be what the Server app is for in the first place. PLEASE APPLE, CARE ABOUT US!

  • by cohort-codey, Oct 20, 2014 9:31 AM in response to Erich Wetzel

    I have also created a test environment using Yosemite Server (4.0) and a Yosemite client (10.10). We are trying to use Network users and Network homes as others in this thread have been. Unfortunately we still have issues with passwords not sticking in Apple Mail, Contacts and Calendars. If I reboot the workstation, you can re-enter the password at the prompt and it saves in the Local Items keychain. If you log out and try to log in (even with the same user) the item is missing from the keychain, and no matter how many times you enter the password in Apple Mail, Contacts or Calendars it will not connect unless you reboot and re-enter the password again.

    We don't want our users to know their mail passwords, so this is not an option even if we forced them to reboot every time they logged out.

    The issue is the same whether the profile has been created with Profile Manager or entered manually on the workstation.

    This issue is not solved on Yosemite. I will follow up with Enterprise Support later today, and submit a bug report.

  • by Erich Wetzel, Oct 22, 2014 7:57 PM in response to Erich Wetzel

    This issue has not been resolved in 10.10.

    I immediately moved to Yosemite and Server 4.0 in an effort to get past this issue, which I submitted during development of 10.10 and Server 4.0. The issue remains as above. I am seeing successful login and use of one machine. When the user goes to a second machine, the first login sets up mail access and other items during that period of use. The second login by the same user on the second machine results in a corruption of the keychain for that machine in the /library/keychains/machineIDlistofdigits/keychain-2corrupt.db.

    The system knows it has ruined the keychain and renamed it! I have not yet found a workaround.

  • by Robert Hrovat, Oct 23, 2014 1:30 AM in response to Erich Wetzel

    Hello Erich

    I have the same problem, so I've been doing some testing and narrowed the problem down to one of the user's processes that is still running after he has logged out.

    I posted my results here (sorry, no solution):

    Keychain issue with network users on 10.10 clients

    Can you confirm my experience with the "secd" process as described in my post?
