With Mavericks I’ve been getting a “OS X wants to use the ‘Local Items’ keychain” message when a new user logs on:
Entering the local Administrator password lets me continue. The problem is that our users are not given the local Admin password.
Here are the details:
• Started with clean 10.9 install
• Added required apps
• Customized Mac OS User Template:
o su -
o rm -r "/System/Library/User Template/English.lproj/"*
o cp -R /Users/test/* "/System/Library/User Template/English.lproj/"
• Capture image with Casper Composer 9.2
• Image MacBook Pro using Casper Imaging 9.2
• Managed by JAMF JSS 9.2
• Join CSUS Domain (Mobile Accounts enabled)
• Login with SacLink Username and Password
• Dialog Appears: “OS X wants to use the ‘Local Items’ keychain”
• Enter “Administrator” password that was created when Mavericks was originally installed for the new image.
My concern is how to avoid having a new user enter our secret Administrator password at their first login.
I'm not sure that's a "bug", per se. (but it would be for a user template)
I was looking at this prior for another reason during testing.
I did this:
Turned off iCloud Keychains.
Deleted the ~/Library/Keychains/FOLDER WITH LONG NAME
Turned on iCloud Keychains.
New ~/Library/Keychains/FOLDER WITH LONG NAME created.
So, if you’re not using it, it sounds like it’s safe to nuke. If you or your clients are using iCloud keychains, I believe that's the folder it's using. Just a quick data point. There may be more to this.
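A scripted version of the step above, added here and not from any poster in the thread: it identifies the UUID-named folder under a user's Library/Keychains (the "FOLDER WITH LONG NAME") and moves it aside into a backup directory rather than deleting it, so the user's login.keychain and other files are left untouched. It assumes the folder name is a UUID (8-4-4-4-12 hex) and is meant for users who are not using iCloud Keychain.

```shell
#!/bin/sh
# Added example, not from the thread. Works on a Keychains directory path,
# e.g. /Users/<name>/Library/Keychains (assumption: the Local Items store is
# the UUID-named subfolder; everything else in the directory is left alone).

# True when the path is a directory whose name looks like a UUID.
is_local_items_dir() {
    entry="$1"
    [ -d "$entry" ] || return 1
    name="${entry##*/}"
    printf '%s\n' "$name" |
        grep -Eq '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'
}

# Print each Local Items store found inside the given Keychains directory.
# Returns non-zero if the directory does not exist.
find_local_items_dirs() {
    dir="$1"
    [ -d "$dir" ] || return 1
    for entry in "$dir"/*; do
        is_local_items_dir "$entry" || continue
        printf '%s\n' "$entry"
    done
}

# Move every Local Items store into a timestamped backup folder beside the
# Keychains directory (instead of rm -r, so it can be restored if the user
# turns out to need it). Prints the number of stores moved.
backup_local_items() {
    dir="$1"
    backup="$dir.localitems-backup.$(date +%Y%m%d%H%M%S)"
    count=0
    for entry in "$dir"/*; do
        is_local_items_dir "$entry" || continue
        mkdir -p "$backup"
        mv "$entry" "$backup/"
        count=$((count + 1))
    done
    echo "$count"
}
```

Run it as the affected user (or against their home) after turning iCloud Keychain off; a fresh folder is created on the next login, as the post above describes.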
In connection to manipulation of the user template:
I have a Windows SMB Filer for the user homes. The Filer has trouble translating the ACL "everyone deny delete".
So I deleted the ACL in the User Template. But Mavericks seems to create the ACL anyway...
Did you somehow succeed in creating user homes without any ACL from the very start? (I made a LaunchDaemon to delete the ACL, but it seems to kick in too late.)
Scratch that.. tested more via AutoDMG.. Casper compiled & MAS "clean".. same issue.
Posted my findings: http://macmule.com/2014/03/30/the-local-items-keychain-in-mavericks/
Even forked ADPassMon to resolve this as keychain minder wouldn't create new keychain: http://macmule.com/2014/04/01/announcing-adpassmon-v2-fork/
BUT, it looks like this issue is affecting only a few of us :(
Can those of you unaffected test something for me & report back?
After step 4 you should be prompted for the "Local Items" keychain password, but if it's been forgotten.. then you're a little stuck with no login.keychain.
I fixed an issue with new user Keychains simply by adding the empty folder:
It was a slightly different issue, where we were getting a file (as opposed to a folder) called Keychains being created that was preventing the creation of the Keychains folder for any new users; however, it's possible it might fix this issue as well.
Not sure of the implications of this method but it certainly seems to work on the machines I have tried it on.