Robert Hrovat

Q: Keychain issue with network users on 10.10 clients

Hello everybody

I've got a keychain issue with network user homes connecting from 10.10 clients to a 3.2.2 server:

After upgrading some clients to 10.10, our students started to complain: they had to enter passwords again and again. It looked like the passwords wouldn't save in their keychain.

When I checked their "local items" keychain, it was empty and no new data could be saved in there.

This of course caused a lot of follow-on issues with many other apps.

 

So I started testing with a brand new user on a 10.10 client. These are the results:

When the user logs in, the keychain "keychain-2.db" is created in ~/Library/Keychains/893693C6-3637-5019-A594-DC4BD648101C

I think this is as it should be; this folder is for this particular client.

When the user logs out and then logs in again, this keychain has changed to "keychain-2.db-corrupt" and no data can be saved in there.

But when I restart the client and then the user logs in again, a new "keychain-2.db" has been created and the corrupt keychain is still there.

The new keychain is empty of course, but new data can be saved in there.

And then, when the user logs out and in again, the whole story starts from the beginning.

 

First I thought it could be because of the "after logout, network home directory isn't disconnected from server" problem as it was discussed in other posts. (See also Users not disconnected from file sharing and others.) But it looks like this problem has been solved in 10.10: when a network user has logged out, there's no more AFP (or SMB) connection visible on the server.

 

So on the client I logged in as a local admin and checked the activity:

Although my test user had just logged out, there were still about 16 processes running under his name. One (or more) of them must have been destroying the "keychain-2.db" and blocking the creation of a new one.

By killing them one by one and a lot of testing I found the guilty one:

It's the process called "secd" that causes this keychain issue. If I kill this process before the user logs in again, his keychain-2.db won't become corrupt!

 

I have no idea what this process is for and why it (and all the other processes) is still there after the user's logout.

 

My questions are:

Is this a bug or is it a misconfiguration of my clients and/or server?

Does anybody else have the same experiences with accounts on a server 3.2.2? What about server 4.0?

Does anybody have an idea for a workaround?

 

 

Thanks a lot for helping.

Bob

Posted on Oct 22, 2014 8:49 AM
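A small diagnostic script for the two symptoms Bob describes (secd still running under the logged-out user, and keychain-2.db renamed to keychain-2.db-corrupt), added here as an illustration and not part of the original thread. The username student1, the PIDs and the home path are constructed, and the ps output is passed in as a string so the check can be tried offline before running it against a real client.

```shell
#!/bin/sh
# Added diagnostic helper; not code from the thread. On a 10.10 client, as a local
# admin, after the network user has logged out, run it as (home path is a placeholder):
#   report_user student1 "$(ps -axo user,pid,comm)" /path/to/network/home
# Print "PID COMM" for every process still owned by USER ($1) in PS_OUTPUT ($2),
# the output of `ps -axo user,pid,comm`, whose first line is the header.
lingering_procs() {
  printf '%s\n' "$2" | awk -v u="$1" 'NR > 1 && $1 == u { print $2, $3 }'
}

# Exit 0 if secd (the process the post blames for corrupting keychain-2.db
# on the next login) is among USER's lingering processes, else exit 1.
has_secd() {
  lingering_procs "$1" "$2" | awk '$2 == "secd" { found = 1 } END { exit found ? 0 : 1 }'
}

# List keychain-2.db-corrupt files under HOME/Library/Keychains/<UUID>/, the
# per-client "local items" keychain directory the post describes.
corrupt_keychains() {
  find "$1/Library/Keychains" -mindepth 2 -maxdepth 2 -name 'keychain-2.db-corrupt' 2>/dev/null
}

# Number of corrupt keychain files found (0 means the local items keychain is intact).
corrupt_count() {
  corrupt_keychains "$1" | wc -l | tr -d ' '
}

# Report both symptoms for USER with home HOME ($3); returns 1 when either is present.
report_user() {
  rc=0
  if has_secd "$1" "$2"; then
    echo "secd still running for $1 after logout:"
    lingering_procs "$1" "$2" | awk '$2 == "secd"'
    rc=1
  fi
  n=$(corrupt_count "$3")
  if [ "$n" -gt 0 ]; then
    echo "$n corrupt keychain file(s) under $3/Library/Keychains:"
    corrupt_keychains "$3"
    rc=1
  fi
  return "$rc"
}

# Constructed sample of `ps -axo user,pid,comm` output for running this offline.
SAMPLE_PS='USER PID COMM
root 1 launchd
student1 612 secd
student1 640 cfprefsd
admin 901 Finder'
```

Running `report_user` on a real client substitutes live `ps` output and the user's actual network home for the constructed sample.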

  • thoughtcrime (Level 1, 0 points), Oct 23, 2014 1:27 PM, in response to Robert Hrovat

    Howdy,

    I am able to replicate this problem on a 10.10 client (logging in as a network user), and a 10.6.8 server (for home directories).

  • lawaidit (Level 1, 4 points), Oct 24, 2014 2:06 PM, in response to Robert Hrovat

    I am able to reproduce this with a 10.10 client and a 10.9 (3.2.2) server, but so far it has been fine if it's a 10.10 client and a 10.10 (4.0) server. However, in my setup I have two servers (the ODM and the mail server) and am still seeing the problem when I introduce the mail server (whether 10.9 or 10.10) into the mix. If I host the mail accounts on my 10.10 ODM instead, 10.10 clients seem pretty happy (10.9, not so much).

  • Robert Hrovat (Level 1, 9 points), Oct 24, 2014 2:54 PM, in response to lawaidit

    That's strange. In the meantime I had the opportunity to test it on a 10.10 Mac with 4.0 server and a 10.10 client: still the same issues, no progress.

    On the server only these services are running: file sharing, DNS and OD.

    So I can't confirm your lucky experience with 10.10 server :-(

  • lawaidit (Level 1, 4 points), Oct 24, 2014 3:15 PM, in response to Robert Hrovat

    At this point I'm considering it more inconsistent than lucky. I have a feeling if I go back and test it again I'll get dicey results. I've been working with Apple on it, if I figure anything out I'll let you know.

  • ndsvfx (Level 1, 15 points), Oct 24, 2014 8:55 PM, in response to Robert Hrovat [Helpful]

    We have a mix of clients: 10.7, 10.9, and 10.10. I see the issue on 10.9 and 10.10 clients. It started with the 10.9.4 update.

    Server does not seem to make a difference; it seems to be a client issue. It is actually worse on 10.10 since 10.10 does not properly sync a login.

  • ndsvfx (Level 1, 15 points), Oct 24, 2014 10:37 PM, in response to ndsvfx

    I want to add that with 10.10 clients, not only do they get the HomeSync login prompt, they get the iCloud login prompt twice and iCloud Keychain gets reset at every login.

    HomeSync is hosed. Apple software QA has gotten REALLY bad on initial releases.

  • Robert Hrovat (Level 1, 9 points), Oct 25, 2014 3:53 AM, in response to ndsvfx

    Does the killing of the secd process (as I described in my post) also solve the iCloud keychain issue? I couldn't test it because we don't allow our network users to use iCloud.

  • Hector Castillo (Level 1, 20 points), Oct 29, 2014 8:53 PM, in response to Robert Hrovat

    Same issue here: Mavericks Server keychain not properly storing information for network users. Mail keeps asking for the password and iCloud settings do not load in System Preferences; same issue with iMessages and the Notes app; they must all be related. With Yosemite it got even worse. Please call AppleCare; I already did and have an open case. The more people that call them, the sooner they will take care of this issue. The only workaround is restarting clients after each user logs out.

  • JD_Zig (Level 1, 0 points), Oct 29, 2014 9:05 PM, in response to Robert Hrovat

    Hi Robert, I've been fighting with the same issue since Mavericks came out, and keep fighting in Yosemite; we really need Apple to fix this soon.

  • Erich Wetzel (Level 2, 341 points), Oct 30, 2014 10:32 AM, in response to Robert Hrovat

    Imperfect workaround for this issue:

     

    EVERY time a network user logs out, the computer should be restarted before they log back in again. As Robert indicated above, the reboot removes all of the vestigial processes and, as a result, the machine is clear of the offending processes when the user logs back in. My users will be told to select RESTART in lieu of log out each time they need to log out unless they are leaving for the day and shutting down.

     

    I spoke to an Apple Enterprise rep about this today. The rep was very apologetic for the ongoing problems. They said that there is not a solution yet but that Apple is aware and a team is "working on it." The fact that this has been going on for as long as it has is silly. The loss of productivity to the companies represented by the entries in this discussion alone must be thousands of hours due to the numbers of users impacted.

     

    Please post alternatives to this workaround here if anyone comes up with one.

     

    -Erich

  • ndsvfx (Level 1, 15 points), Oct 30, 2014 10:55 AM, in response to Erich Wetzel

    Doesn't help for us, even with a reboot I am still seeing the issue with Home Sync and the login keychain and iCloud logins. I set all the computers to reboot at night and before I leave at the end of the day I give them all a reboot just to make sure.

     

    In my Keychain folder the login.keychain gets properly updated on logout or idle sync. It does not seem to get updated at login sync. Same with metadata.keychain. The iCloud keychain has made 4 folders. 3 are old from when the system was first updated to 10.10. One has a keychain-2.db that is getting properly synced on logout and idle but not at login.

     

    So this seems to be the source of my woes. The files seem to be unavailable, locked, or not properly synced during login, hence the request to re-enter the password for the login keychain and iCloud.

  • ndsvfx (Level 1, 15 points), Nov 5, 2014 6:44 PM, in response to ndsvfx

    This keeps getting comically worse. Tried 10.10.1 and it still has the HomeSync login request, still has the iCloud password request twice, and now adds the iMessage password request twice and the FaceTime password request twice. When you file bug reports you get the same automatic response of running sysdiagnose no matter what the bug is, including the App Store serving up wrong updates. I can't believe Apple has not fixed this going back to 10.9.4.

  • Erich Wetzel (Level 2, 341 points), Nov 6, 2014 4:21 AM, in response to Robert Hrovat [Helpful]

    Robert and others have found a fix for this that works with 10.9 and 10.10.

    Check pages 5 and 6 of Re: Mavericks Server Keychain not properly storing information network users.

    Start with the scripts written by Benjamin Losch and follow to the end for adjustments.

  • ndsvfx (Level 1, 15 points), Nov 6, 2014 7:19 PM, in response to Erich Wetzel

    Not working for me: still no HomeSync at login, still getting the keychain login request. Killing secd causes iCloud Keychain to reset for me too.
