Keychain issue with network users on 10.10 clients

turning off iCloud gets rid of the iCloud, iMessage, Facetime popups and most users are not running that there.

But Home Sync at login not running and login keychain password request with HomeSync is still an issue that nothing seems to fix.

It is some order of operations thing where HomeSync must not have the right permissions to access keychain at login, since after you login and enter the keychain password at the prompt, HomeSync happily runs at idle and at logout.

I have the same problem with Server running 10.8.5 and clients running both 10.9 and 10.10 so I think it is quite a widespread issue

So a user in another thread found that if you just do a logout and login you do not get the password prompt. But if you do a reboot you do get the password prompt. I tested and confirmed that is indeed correct. So it is definitely a client issue. So something is getting reset at reboot but not logout.

That does not fix HomeSync not running at login so that must be another issue

I'm having the exact same type of problem, across 2 client sites, though my users don't use iCloud and do use network home folders (not syncing). In my case the passwords for Mail, Contacts, and Calendars are not retained.

After MUCH testing I determined a logout / login combo hoses the Local Items keychain, but a restart does not. Now, WHY the password are stored in the Local Items keychain in the first place, instead of the Login keychain, is beyond me. I've put entries into the Login keychain and they survive just fine...

I've had the issue though 10.8, 10.9, and now 10.10.

Theoretical workaround #1... Has anyone tried using Profile Manager to create a Login Window payload which adds a LogoutHook script to terminate the secd process? This should work in theory...

Theoretical workaround #2... Configure the client OS to store and retrieve the passwords in the Login keychain instead of the Local Items keychain. Does anyone know if this would even be possible, or how to do it?

I'm about to report this to Apple, with my test results to show how I reached my conclusion, and will be including a link to this thread.

OK everyone... I spoke to AppleCare Enterprise support, and eventually found that the engineers have been aware of this issue for quite a while, but there's no timeframe on a fix.

In the meantime, an effective workaround is to reboot the Mac instead of log out.

This kills the secd process and the problem does not occur.

I'll keep you posted if there's an actual solution by Apple.

Also, there's a similar (related) issue here... Network login requires client restart

Still not fixed in 10.10.3

It is July: I have a school with 140 iMacs. 40 of those have been placed on order, and are capable of Mountain Lion or higher (I believe). I'm abandoning the good old days (Snow Leopard) for the greener pasture of Yosemite. I think I just vomited in my mouth, more out of fear than angst.

I setup my test server on Monday, got my imaging all going using deploy studio, got 15 of my clients deployed, and by Tuesday started experimenting. Quickly found the keychain issue, and by Wednesday resolved that there is little I can do; it stops all of the young kids at school from login w/roaming home folders. What the heck???

I've been on the phone with Apple Enterprise and Apple Education over the last two days. They know about the issue. What now? Drop back, get older iMacs, and keep rolling with 10.6.8. Or do I use "Local" folder location on the server. That works great for MacBook Pro's in our lab, but extending that down to 3rd, 2nd, 1st, K is going to make life difficult for teachers. Maybe I can use one of these custom logout hooks that actually did not work (the restart trick also does not work, though shutdown and start did). Maybe I can teach the kids Cmd+Option+p+r?

The good news? Yosemite server seems to be running fine.

Yosemite client (and previous cousins) seem to be significantly broken. I've tried 10.10.3 clients bound to brand new 10.10.3 server w/update 3.2.2 and had this issue. I've also had this exact issue with other clients bound to my snow leopard domain. All clients were fresh installs (no clones).

Benjamin Losch, I owe you a beer, wherever you are (maybe he's like Keyser Soze, or should I not say that name?).

Still, a little irritating that this is not officially addressed. Maybe I just need to get better at writing scripts. If I had 2-4 years, maybe I can learn this stuff.

As a followup: using Mr. Losch's script I can properly use home folders when binding my 10.10.3 clients to my 10.6.8 domain (without management of system preferences, to prevent issues when setting up Internet accounts). I'm still unable to do the same for 10.10.3 clients bound to my new 10.10.3 server (sharing home folder over SMB). I'll be changing the new server to share AFP to see if that resolves the keychain issues.

Has anyone tried 10.10.4 to see if Apple fixed this issue

I've tested it in 10.10.4, still no luck.

Confirmed: same issue with 10.10.4. Benjamin Losch's script works most of the time. Only exception is when a network user transitions from an old iMac (2008, 4 Gb min) back to a new one (up to 2014's), and then the user has to reboot (and then all is well). Have no idea, and no time to address right now...works well enough.

How about 10.10.5

Hey ndssvfx,

I was just searching the forums to see if there was any new "fix" for the login keychain password issue and stumbled across your post saying that you're suffering from HomeSync not working on login.

We too were suffering the same issue, albeit we wanted syncing on logout, and we had to resort to setting HomeSync to sync in the background every few hours so that we could guarantee that all of our users were successfully syncing daily.

However, after being contacted on the issue by Apple (following numerous posts in these very forums), and after a very long drawn out process talking to various engineers, we now have syncing on logout working company wide.

I can't guarantee that this fix will work for you but you should definitely give it a try as the login and logout syncing is affected by the same problem within the client OS apparently.

I didn't get a response from the engineer as to whether they would patch a fix into current OSs, but at least we are now getting the desired level of syncing!

You can find my original post here - hope it helps!! Server 3 Home Sync Folders on Logout Fix

Justin