Keychain issue with network users on 10.10 clients

Anyone test 10.11 has the same keychain issues??

Seems to be much better in 10.11, have not had issues. It still only does a full sync at logout though but in general seems to be working with the 10.11 client update. Also tested after updating to Server 5.0 under both Yosemite and El Cap and the fix sticks so it was definitely a client side issue.

All,

In addition to Login Sync being broken:

The bigger nuisance for us is the keychain being locked for mobile accounts at login from a cold start.

(keychains of local accounts at login are unlocked, and keychains of mobile accounts from a warm start also unlocked at login).

Has anyone come up with a workaround? We've looked at Keychain Minder and ADPassMon but no joy (we are using OD).

Is there a way at boot up to make a mac think someone has already logged in and then out before the login window shows?

Thanks for any ideas.

Here is a workaround that worked for us.

it stops the Keychain Daemon at login and logout.

You can use the following method as login and logout script for Mac OS X 10.11 El Capitan

create in /System/Library/LaunchAgents/

the following file and content:

com.rechnerpool.logoutwatcher.plist

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>com.rechnerpool.logoutwatcher</string>

<key>ProgramArguments</key>

<array>

<string>/Network/Servers/server.domain/homes/_macscripts/logoutwatcher.sh</stri ng>

</array>

<key>RunAtLoad</key>

<true/>

</dict>

</plist>

Change the Path of "/Network/Servers/server.domain/homes/_macscripts/logoutwatcher.sh" to the path where you want to place your login and logout script, either on Network Share or it can be a local Path as /Users/Shared/logoutwatcher.sh

content of logoutwatcher.sh

#!/bin/bash

onLogout() {

# Insert whatever script you need to run at logout

# Kill secd Keychain Daemon

launchctl stop com.apple.secd

pgrep secd >/dev/null 2>&1 && pkill -9 secd

# logout script end

exit

}

# Insert whatever script you need to run at login

# Kill secd Keychain Daemon

launchctl stop com.apple.secd

pgrep secd >/dev/null 2>&1 && pkill -9 secd

# login script end

trap 'onLogout' SIGINT SIGHUP SIGTERM

while true; do

sleep 86400 &

wait $!

done

Finally set correct permissions

sudo chown root:wheel /System/Library/LaunchAgents/com.rechnerpool.logoutwatcher.plist

sudo chmod 644 /System/Library/LaunchAgents/com.rechnerpool.logoutwatcher.plist

sudo launchctl load -w /System/Library/LaunchAgents/com.rechnerpool.logoutwatcher.plist

chmod +x /path/to/logoutwatcher.sh

Hello guys!

Just want to let you know that I posted a new and hopefully easier script to another thread. It is based on the knowledge of many members of the community.

BTW. 10.11.5 did not fixed this bug - so this script is still required for network home users.

Bye,

Christoph

#! /bin/bash

# logout-fix.sh

# This script runs as a logouthook to fix bugs that Apple should have fixed

# The bug occurs to network home users only because since OS X 10.9.x not all processes

# of a user that logs out get killed. It is a workaround developed by Luda24,

# John Lockwood, Christoph Ewering, Benjamin Losch and may others at the

# Apple Support Communities

# Once again - this is a workaround that works with OS X 10.9.x to 10.11.5

# (shame on Apple for ignoring many bug reports and feedbacks about this bug)

# You should store this script at /usr/local/bin and then run

# "sudo defaults write com.apple.loginwindow LogoutHook /usr/local/bin/logout-fix.sh"

# remember to set the access rights "sudo chmod 755 /usr/local/bin/logout-fix.sh"

# and owner to "chown root:wheel /usr/local/bin/logout-fix.sh"

# And here it is what this script does:

# 1. Check if the logging out user is a local or network user

# 2. Kill left running processes of the logged out user

# 3. Unmount Network-Share that may have been left mounted

# 4. Remove cache files from /private/var/folders that are owned by user $username

# Here you can select if you want to any feature disabled or enabled

UNMOUNTHOME=1

CLEANCACHE=1

# Do not change anything after this line

username=$1

/usr/bin/logger "logout-fix.sh $username"

Local=`dscl . -list /Users |grep -x $username`

if [[ "$1" == "$Local" ]]

then

/usr/bin/logger "logout-fix.sh has nothing to do - logged out user was a local user"

exit 0

fi

# Here is the important part - kill users processes - first of all „secinitd“ and „secd“

/usr/bin/logger "logout-fix.sh trying to kill all processes of user $username"

/usr/bin/killall -15 -u $username

/bin/sleep 5

/usr/bin/killall -9 -u $username

# Unmount network home directory share if left mounted after user logs out

if [ $UNMOUNTHOME ]; then

mountpath=`mount | grep /Network/Servers/ | awk '{print $3}'`

if [ "$mountpath" != "" ]

then

/usr/bin/logger "logout-fix.sh trying to unmount $mountpath"

/sbin/umount -f $mountpath

/usr/bin/logger "LogoutHook unmounted: $mountpath "

fi

fi

# Delete old stuff from /private/var/folders - mainly cache files after user logs out

if [ $CLEANCACHE ]; then

/usr/bin/logger "logout-fix.sh trying to clean cache files of user $username"

/usr/bin/find /private/var/folders/* -type d -mtime 1 —user $username -exec rm -vrf {} \;

fi

/usr/bin/logger "logout-fix.sh finished for $1"

exit 0

Hey Christoph,

Many thanks for posting this, I will give it a go on a couple of clients and see how it goes.

If this does indeed resolve the login keychain issues that all of our users experience on a daily basis, it will be very greatly received!

This has been a problem for for well over two years so shame on Apple for not addressing this... they really do suck at times

Thanks again and I will post back with my results 🙂

HelloChristoph,

i tried your script wit some changes to work with mobile/external accounts on some of our clients. All clients are running 10.11.5 and uses mobile accounts with Library-synchronisation (Server 5.1.5 on OS X 10.11.5).

One of all works fine without any keychain-issue, some others are working better (only 3 times keychain - commcenter, homesync and messages agent), and some have still all problems as before.

Any idea?

Here ist my used script:

#! /bin/bash

# logout-fix.sh

# This script runs as a logouthook to fix bugs that Apple should have fixed

# The bug occurs to network home users only because since OS X 10.9.x not all processes

# of a user that logs out get killed. It is a workaround developed by Luda24,

# John Lockwood, Christoph Ewering, Benjamin Losch and may others at the

# Apple Support Communities

# Once again - this is a workaround that works with OS X 10.9.x to 10.11.5

# (shame on Apple for ignoring many bug reports and feedbacks about this bug)

# You should store this script at /usr/local/bin and then run

# "sudo defaults write com.apple.loginwindow LogoutHook /usr/local/bin/logout-fix.sh"

# remember to set the access rights "sudo chmod 755 /usr/local/bin/logout-fix.sh"

# and owner to "chown root:wheel /usr/local/bin/logout-fix.sh"

# And here it is what this script does:

# 1. Check if the logging out user is a local or network user

# 2. Kill left running processes of the logged out user

# 3. Unmount Network-Share that may have been left mounted

# 4. Remove cache files from /private/var/folders that are owned by user $username

# Here you can select if you want to any feature disabled or enabled

UNMOUNTHOME=1

CLEANCACHE=1

MyName=`basename $0`

LOG='/usr/bin/logger'

MAXLOOP=600 #second until wait to continue

LOOP=0

# Do not change anything after this line

username=$1

#$LOG "$MyName $username"

Local=`dscl . -list /Users | grep -x $username`

if [[ "$1" == "$Local" ]]; then

Mobile=`dscl . -read /Users/$username OriginalNodeName | cut -c 1-8`

if [[ "$Mobile" == "" ]]; then

$LOG "$MyName has nothing to do - logged out user was a local user"

exit 0

else

$LOG "$MyName working on mobile or external Account"

# Wait for synchronisation is done

until [ $LOOP -gt $MAXLOOP ]; do

SYN=`ps -ef | grep HomeSync | grep -v 'grep'`

if ! [[ $SYN == "" ]]; then

sleep 1

else

$LOG "$MyName HomeSync done ($LOOP)"

break

fi

let LOOP+=1

done

if [[ $LOOP -gt $MAXLOOP ]]; then

$LOG "$MyName stopping HomeSync!"

fi

fi

fi

# Here is the important part - kill users processes - first of all „secinitd“ and „secd“

$LOG "$MyName trying to kill all processes of user $username"

/usr/bin/killall -15 -u $username

/bin/sleep 5

/usr/bin/killall -9 -u $username

# Unmount network home directory share if left mounted after user logs out

if [ $UNMOUNTHOME ]; then

mountpath=`mount | grep /Network/Servers/ | awk '{print $3}'`

if [ "$mountpath" != "" ]; then

$LOG "$MyName trying to unmount $mountpath"

/sbin/umount -f $mountpath

$LOG "$MyName LogoutHook unmounted: $mountpath "

fi

fi

# Delete old stuff from /private/var/folders - mainly cache files after user logs out

if [ $CLEANCACHE ]; then

$LOG "$MyName trying to clean cache files of user $username"

/usr/bin/find /private/var/folders/* -type d -mtime 1 —user $username -exec rm -vrf {} \;

fi

$LOG "$MyName finished for $1"

exit 0

Hello itadmca!

I do not know - but when I first started with playing around with LogoutHooks someone mentioned that a LogoutHook should not take to long for doing its job because it get killed by the system if it runs too long. Because of this my second attempt for a fix was a two script solution - one little script that only starts another script that does all the work.

After looking in other discussions it looks to me that time is no problem for the LogoutHook and I collected different solutions into one single script.

AFAIK some guys reported success with this script.

I played around with a LaunchDaemon (my first attempt) to kill the secd at login but that does not work reliable for me.

YMMV

BTW: If i read your script correctly you are going to kill HomeSync if it is still running after 600 seconds - is this process owned by the user that logs out?

Bye,

eweri

Hello Christoph,

someone mentioned that a LogoutHook should not take to long for doing its job because it get killed by the system if it runs too long

this may be so, but the script is running only a few seconds. So the time to run ist not too long to get kill by system.

BTW: If i read your script correctly you are going to kill HomeSync if it is still running after 600 seconds - is this process owned by the user that logs out?

This part of the script was written to get HomeSync not killed. As i checked on some clients Homesync is done when Logouthook starts, so this part may be deleted. Every logged message shows "HomeSync done (0)"! The HomeSync-process is owend by the user. Login and logout scripts are run as root - see https://developer.apple.com/library/mac/documentation/MacOSX/Conceptual/BPSystem Startup/Chapters/CustomLogin.html

After looking in other discussions it looks to me that time is no problem for the LogoutHook and I collected different solutions into one single script.

AFAIK some guys reported success with this script.

Good and bad news:

Today a got feedback; some user told me that the keychain will work as it should be - no issue when booting the OS. Others have success after more than three reboots (i don't know why, but it seems to take more than one reboot to work).

My own Mac booted today without any issue. A reboot without network brings the problem back. So it seems that the script works only if the mac is connected to company network and Open Directory is running.

Important: never sync Keychain-folder at login or logout!

I played around with a LaunchDaemon (my first attempt) to kill the secd at login but that does not work reliable for me.

I tired this too, same result!

LaunchDaemon is powerfull but it does not support LogoutHooks. If it will do, i will use it.

Bye,

itadmca

Just a remark that AFAIK, if you are using HomeSync, i.e. mobile homes, then the keychain issues that the script is intended to fix shouldn't occur; they are specific to network homes.

I imagine that one of the reasons there is no fix for this problem is that Apple seems to want us to abandon old-school network homes and switch to using mobile homes.

C.

I use only mobile accounts. The keychain issue is the same as using network accounts. HomeSync uses identical Network path to mount the synced Homedirectory. I think that all account types uses identical temp folder. This, i hoped, make the script working on mobile accounts.

The keychain issu is not specific to network homes. The issue occurs on all types of accounts except local users. I tested mobile, network and external accounts - same issue!

Apple should fix this issue as soon as possible - this makes business-users not happy