network home user lead to damaged keychains - still no fix since Mavericks

Hi Christoph,

this bug is definitely still on 10.11.3 and 10.10.5 and not been fixed at all! It is NOT a server bug, i have tried Server App 4, Server App 5 and Windows Server 2012 R2, same thing happened, Keychain crashed on logout and reboot in some cases!

It is OS X issue, but only if you use it in a network home environment.

From you last post, page 15, i have redirected the Keychain folder and finally, after 1.5 years of rebooting and frustration, i can say that our 700+ users have a solid Keychain again! This is just ridiculous that a company whose products i love to work with and admire, that is one of the richest in the world, just focuses on every day person with iTunes and iCloud!

I have been managing Macs and Windows machines since OS9 and Windows '95 (i know i am not from the days of DOS and Apple I), and in my time so far i have never been more frustrated then now. I get the point of updating and upgrading, but isn't there a saying that goes something like "if it ain't broken, don't try to fix it?".

As i said i have downloaded windows server 2012 and believe it or not AD users and directories option is STILL the same as it was in Windows Server 2000 NT and functions like you expect it, albeit a bit better 🙂 !

Functionality over features, i say. 10.6.8 Snow Leopard Server is still running strong on my Xserves and manages 700+ users, all our 126 macs are on 10.10.5 with full network home setup and Profile Manager manages the rest!

Our school will be moving to Windows 2012 server and keep the Macs, as we teach photography, but i am very disappointed with the path that Apple is on now, which is we don' give a poop about enterprise users and network users!

>> ... Keychain crashed on logout and reboot in some cases!

It is even worse than this.

In the office I work in I had some users where the keychain crashes while working and not only at logout / reboot.

Very often this happens around 4 pm with work starting around 9 am but it could also happen after just an hour working on the computer.

>> ... i have redirected the Keychain folder and finally, after 1.5 years of rebooting and frustration, i can say that our 700+ users have a solid Keychain again!

I did not exactly understand how to do this.

Could you explain this a little more detailed?

Best regards

martin

Hi Martin,

I forgot about that scenario.... Same thing has been happening to some of our users, that in the middle of them working, Mail/Calendar/Contacts app would just start bouncing and asking them for the password!

So for that fix to work, all your computers have to be enrolled to your Profile Manager as devices and then you have to add those devices you want to manage into a Device Group.

Of course in all this i am assuming you have a Server set up and running, next step in the Device Group, select your group of devices and click on the "Settings" tab then click on "Edit".

Then scroll all the way down to the bottom and click on "Custom Settings", unless you have added anything before this box should be empty. Click on "Add Item" button and add the first item called LoginRedirection and then add the rest under that item. I am attaching the screen shot of my settings, pay attention to the name as well as it has to be named the same.

Hope this helps, let me know if you need to know more!

Also, if you dont get it to work, when i get back to my work on Monday i can upload the preference file for you here! 🙂

Thanks for the explanation.

Before I try I have some more questions,

What does the %@ stand for?

Is it a variable for the username?

For me it is quite important the users can switch computers at any time.

So my idea is to store the keychains of any user on any computer.

What access rights, owner and group settings are needed for the local keychains folders?

Are there any additional steps needed when storing a new password in the keychain (e. g. when creating a new Mail account)?

I already asked this in the other thread (Mavericks ...) but did´t get any answer yet.

Hi,

sorry it has taken me a while to respond.... Our school year started in Australia.

So to answer your Questions:

%@ stands for the username of a user that logs on to the computer. In case of the Link it creates it under Shared/username/Library/Keychain

User can go to any other computer and log in, as Apple has now decided that keychain will be tied to computer UID. Some of our users woudl have 15 UID's in their Keychain folder.

Access to the created folder is read/write for the user that created the folder and no access to anyone else

No additional steps needed for Mail or any other program, just enter them once logged in and should be good!

Hope this helps

Adi

Hi Adi,

Thanks for this workaround! It has helped with our users that need to log into different stations. Things are mostly working well, but we have users that access a terminal server using either Parallels Client or Microsoft Remote Desktop. For some reason, these two applications can't save passwords to the redirected keychain and I can't seem to figure out why. The password seems to stick, but once the application is quit, the password is gone. Have you run into this with any other applications? Passwords save and are stored for CalDAV, CardDAV, and email just fine, as well as file sharing and Filemaker.

Thanks for any insight.

Doug