network home user lead to damaged keychains - still no fix since Mavericks

Hello!


This discussion is about a very frustrating bug that has lived in OS X since Mavericks and is still not fixed in El Capitan 10.11.3, even though lots of bug reports were filed; Apple does not recognize it.


The bug in short: if you use a network home user, at an unpredictable point in time this user becomes unable to access its own keychain items. The console gets filled with messages about accountsd not being able to access a file, and from then on Mail, Calendar or any other program that wants to connect to the keychain cannot access the passwords any more. When this happens there is no workaround other than to create the user from scratch. (Until this bug happens again after a few hours or days.)


What the community found out so far is that:

- If you reboot the client machine after every logout of a network user this will prevent the bug

- OS X leaves some processes of a user running even though the user has logged out!

- If you kill secd and secinitd after a network user logged out this bug is prevented

- There is a script as a workaround that kills every process of a user that logged out - (but OS X starts some processes again - very strange)

- The bug resides in OS X (client) and rears its ugly head only when network home users are used


Here is the link to original discussion

Mavericks Server Keychain not properly storing information network users.


Here is the link to the script as a workaround

Re: Re: Mavericks Server Keychain not properly storing information network users.


Here is a link for those guys using WGM

Re: Mavericks Server Keychain not properly storing information network users.


I have no explanation why Apple does not fix this bug as it makes using OS X Server useless.


I started this discussion so that what was found out can also be found under the El Capitan discussions. (to spread the word ;-))


Bye,

Christoph

Mac mini, OS X Server

Posted on Jan 25, 2016 1:38 PM

Reply
22 replies

Aug 7, 2017 11:01 PM in response to Celeblue

Sorry, I found this post: macOS Sierra: Create and configure mobile accounts, which tells indirectly that newer Sierra releases include the mobile accounts feature again.

Because we use an old, but still well running Mac Pro (2008) as server, upgrading to Sierra is not possible for this machine. Mixing with Sierra clients could be risky. In this case staying at El Capitan might still be a way, and it needs the script above.

Oct 23, 2017 12:05 PM in response to Celeblue

Some more remarks regarding the KeyChain corruption issue:

  • Please be careful with the script above! It contains special characters introduced by format optimization for the web posting.
  • Although process killing operates well, the dead re-appear!
    • Watching processes via Activity View using a local account reveals that some processes related to the recently logged off network user account re-appear.
    • One time I have even seen "secd" and "secinitd", which were the reason for process killing.
    • Always re-appearing are: "cfprefsd" and "mdworker".
    • This is a pretty bad behavior, because processes become alive independent of user authentication but in the name of the dedicated user. Results are losses of
      • control and
      • security.
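
To check the observation in these remarks on your own client, the following added example (not part of the thread, and not the workaround script linked from it) lists processes still owned by accounts that have no login session and tags secd and secinitd. The account name `netuser1`, the sample paths and the system-account rule are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): list processes still owned by accounts
# that have no login session. Detection only; it does not kill anything.

# Constructed sample data in the shape of `ps -axo user=,pid=,comm=` and `who`.
SAMPLE_PS='root 1 /sbin/launchd
_mdnsresponder 201 /usr/sbin/mDNSResponder
localadmin 412 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
netuser1 733 /usr/libexec/secd
netuser1 735 /usr/libexec/secinitd
netuser1 741 /usr/sbin/cfprefsd
netuser1 802 /constructed/path/mdworker'
SAMPLE_WHO='localadmin console  Oct 23 12:01
localadmin ttys000  Oct 23 12:03'

# stale_procs PS_TEXT WHO_TEXT
# Prints "user pid command tag" for every process whose owner is not in WHO_TEXT.
# tag is KEYCHAIN for secd/secinitd (the daemons named in the thread), else "-".
# Assumption: root, daemon, nobody and names starting with "_" are system accounts.
stale_procs() {
    active=$(printf '%s\n' "$2" | awk 'NF { print $1 }' | sort -u | tr '\n' ' ')
    printf '%s\n' "$1" | awk -v active="$active" '
        BEGIN { n = split(active, a, " "); for (i = 1; i <= n; i++) on[a[i]] = 1 }
        NF < 3 { next }
        $1 == "root" || $1 == "daemon" || $1 == "nobody" || $1 ~ /^_/ { next }
        ($1 in on) { next }
        {
            cmd = $3                       # command paths may contain spaces
            for (i = 4; i <= NF; i++) cmd = cmd " " $i
            base = cmd; sub(/.*\//, "", base)
            tag = (base == "secd" || base == "secinitd") ? "KEYCHAIN" : "-"
            print $1, $2, cmd, tag
        }'
}

if [ "${1:-}" = "--live" ]; then
    stale_procs "$(ps -axo user=,pid=,comm=)" "$(who)"   # run as an admin after logout
else
    stale_procs "$SAMPLE_PS" "$SAMPLE_WHO"               # demo on the constructed sample
fi
```

Run with `--live` from a local admin account after the network user has logged out; any line it prints, and especially any tagged KEYCHAIN, is a process that outlived the session.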

Aug 7, 2017 10:47 PM in response to Celeblue

After multiple tries I can report that Christoph's script above cures the major and annoying problem of repeated user login demands for various sub-processes, which appears for mobile accounts.

Additionally it cures the corrupt keychain problem, which appears with network accounts, and which is catastrophic rather than annoying.

People who want to keep their own servers instead of foreign clouds need to stay with El Capitan and need this method urgently!

Jan 25, 2016 4:56 PM in response to Robert Hrovat

May Apple also listen (and react) to your words!

This is a user-to-user forum. Apple developers do not read this forum.


If anyone wants to report bugs to Apple, then file a bug

BugReporter

<http://bugreporter.apple.com>

Free ADC (Apple Developer Connection) account needed for BugReporter.

Anyone can get a free account at:

https://developer.apple.com/register/index.action


You can also send feedback, but that may or may not have an effect

<http://www.apple.com/feedback/macosx.html>

Jan 25, 2016 11:38 PM in response to BobHarris

Hello BobHarris!


As I mentioned at the start of this discussion there were a lot of bug reports sent to Apple. If you read the original posts I think at least three or four guys filed bug reports but got no reaction.

Here are my bug numbers:

19355877 - no reaction

20315408 - Duplicate of 15792007 (Open)

19567929 - Duplicate of 18063571 (Closed)

and a bug that may be related to this bug:

19217139 - closed (customer lost patience and ordered me to change to a Windows server)

I gave feedback at <http://www.apple.com/feedback/macosx.html> but got no reaction!


So - I tried my best to show Apple some bugs and to keep OS X the best OS ever - but Apple does not care! If you can show me how I can get heard by Tim - let me know.


Quality and reliability of OS X vanishes from update to update!

Since 10.7 OS X has lots of bugs with file sharing, ACLs, etc. and the worst bugs are still not fixed with 10.11! With the bug mentioned above OS X server is useless!


At the moment I do not recommend OS X for any serious work if you have to cooperate with others. It is a good system for one-man-shows but not for business any more.


If Apple still thinks it is a good idea to release a major OS update every year - then this is not for business customers! They release 200 new features with 300 new bugs every year - this is ridiculous!


If they want the business users back, they should set up a long-term OS that gets bug fixes and security fixes for 5 years. After 4 years they should declare the current OS the next long-term OS so business customers have one year to change from the old long-term OS to the current long-term OS.

As long as a long-term OS lasts Apple could release OS updates at will, every month or half year, with lots of new features, removed features, etc., so they have a playground but business customers have a reliable platform.


At the moment I am rethinking my business because of bugs that prevent the use of OS X for serious work.

I want something as rock solid as 10.6.8. 😉


Bye,

Christoph

Jan 26, 2016 8:24 AM in response to Cmoore01

Cmoore01 wrote:


Maybe I missed it in the discussions above, but does this bug only occur when using OS X Server for home directories, or does this happen also with Windows servers for home directories? If with Windows, this may explain some issues I am seeing with my users.


This is a good question and as someone also affected by this bug and who has been following the older threads I have not seen a definitive answer as to whether it also affects Windows server based network home directories. It did seem that a Snow Leopard Server being used to host network home directories was less likely to have users suffer this problem. Of course Snow Leopard Servers are becoming increasingly rare.


I can say our own testing showed that using SMB on a Mac server made it worse if anything which is ironic considering Apple are encouraging/forcing people to use SMB instead of AFP.


Note: ExtremeZ-IP now called Acronis Access Connect is software to enable running AFP on a Windows server.


I am using a logout hook similar to the one mentioned in the previous threads to kill the secd processes, it has partially helped but not eliminated the problem.

Jan 26, 2016 10:25 AM in response to John Lockwood

Hello John, hello Cmoore01!


I think this bug is a mixture of bad file services from server side with a bad decision made by Apple to not kill every user process at client side when the user logs out and some horrible, nasty race-condition or something like that in the file sharing client of OS X (Client).


I was not able to find a scenario to reproduce this bug - so there are lots of conditions to be met until this bug occurs. But I think this bug only needs an OS X client and a network home from any server. Sometimes it looks like the bug happens more often with users that use different client computers. If a network home user always uses the same client this bug occurs less often. At the moment it is unpredictable but it will happen - sooner or later! Maybe the server does not change anything so this bug could happen with network homes at Windows servers, too.


Because of other problems related to network stuff I think OS X has a really nasty bug at file sharing stack or network stack or both. Because you can not reproduce it only Apple can solve this bug if they want to.


But first we have to get heard by Apple.


If Apple isn't interested in business users using OS X Server any more they should make a clear statement, otherwise it will damage Apple.


Bye,

Christoph

Feb 1, 2016 5:22 PM in response to Christoph Ewering1

Hello Christoph


Apple did it again!


After all the open bugs with server and keychain, I discovered the next horror scenario. In our environment of 10.9.5 we had to buy another 15 iMacs, of course preconfigured with 10.11 (and no way to downgrade).


When a user swaps his network account between Macs with 10.9 & 10.11, his email will be completely corrupted. For us as business users 10.11 is not reliable but we had no other way than to buy this crap!!!


Today I spoke for hours with Apple; this genius guy didn't even know that the Workgroup Manager was an Apple product. A computer with an working mail solution is as a car without wheels!. Pls. Apple! Fix your bugs and make your system run as smoothly as it did with 10.6.8. Business users don't want all those gadgets. Till now they are still loyal to your products and company, but even they will lose their trust in your company and will swap to other products. It doesn't take much and even Ubuntu will be an option. Better a good working system with a few very good tools than the crap that Apple is producing now!!!


Today Apple was overtaken by Alphabet (Google) as the most valuable company. Probably Apple will fall down to a position like Polaroid and Kodak! Who wants this crap? You can only use it as a private computer, but for that purpose it is much too expensive. In business it is definitely useless. I really hope that Apple will come into a crisis again as in the 90's, and find a new captain. Maybe a new crew can turn the company around so it is reborn again, otherwise we will find it in our history books in the next 10-15 years!


As an Apple user since 1979, I am sure my next computer will not be an Apple one!!!

Gérard

Feb 2, 2016 3:19 AM in response to Gerard Dirks

Hi Gerard,


Your issue is only obliquely related to network home directories and not related to the many long persisting bugs that this and other threads refer to. Your issue is down to the fact that different versions of Mail in different versions of OS X use different file formats. Apple Mail in El Capitan uses a 'V3' format and Mavericks and Yosemite use a 'V2' format. If you were using say El Capitan on both Macs you should not see your problem.


Historically some administrators have prevented this issue by configuring all the computers into computer groups and only allowing a user who has been upgraded to a specific OS version to use Macs running that OS version; you do this by saying the user can only log in on computers that are a member of a specific computer group, e.g. the computer group for El Capitan users and Macs.


When I took over responsibility for IT at the firm I work for we had a huge mix of Mac OS X versions but I have since managed to get them all to the same Yosemite 10.10.5 version making life much more simple and avoiding this issue.


I can't say for certain but I would expect the equivalent of your problem would also occur in the Windows world if you tried hopping between two PCs running Outlook 2010 and Outlook 2016 and they also used 'Roaming Profiles'. So in this case I think your criticism of Apple is a little misplaced.

Feb 2, 2016 5:31 PM in response to John Lockwood

Dear John, you are right. Being up-to-date will solve a lot of problems on a network infrastructure. But when everything is an Apple product, everything is up-to-date (server and clients 10.11.3) and you can't maintain passwords for your email box, network calendars and network contacts, and this since probably 10.7, what do you call this? A good practice? I have been an Apple user since the IIfx and I have always been a loyal user and evangelist. Today I'm looking around, and wherever you look it is not simple to find good solutions. But the day I find an alternative I'll surely evaluate it.

Feb 3, 2016 10:16 PM in response to John Lockwood

Hello John


I already decided to swap to 10.11.3. Before I start I need to make an inventory of all the software we are using that is incompatible or not running smoothly. Even the Apple-owned company FileMaker has a lot of issues with 10.11.


Further, we have issues with Keyspan drivers and the remote controls of the Olympus DSS-Player. The dialing software for the PBX/PSTN doesn't run on 10.11.


Because Apple does not have such dominance as Windows, it mostly takes 3/4 of a year before most third-party suppliers have their software updated; especially Japanese companies are the latest with their updates. All users use business scanners from Canon; their consumer products are updated relatively fast, but the DR-C125 & C225 also had issues.


If we had only the original Apple software it would be no issue and we would swap directly, but we don't live in a fairytale world but in real life, where Apple gives us no solutions for our daily workflow! Therefore we are very careful with swapping to a newer OS!


We are also developers, but it is very difficult to find the OS changes in a very early phase of the development of the OS. Most third-party suppliers start developing at the moment Apple releases their new OS. Then it takes, of course, very long. As soon as the others have the bugs fixed, Apple will release the new release.


Apple always says that 10.11 would be a bug fix release; now with the swap from V2 to V3 it is more a major release than a minor fix ;-(

Most important, the bug related to the start of this thread is still not solved since 10.9.2. We are talking here about different workarounds, but a fix from Apple is not available. That Apple hasn't released an update for their OS X Server 5 since the first release, and the killing of the WGM, indicate that Apple has no interest in business users anymore. Probably selling 1 iPhone/iPad is more profitable than selling 1 iMac/MacBook. That is my criticism!!!
