Posted on 04-02-2009 05:44 AM
I am dealing with a rash of outdated keychains that have become disassociated with the user's passwords. This is most frequently seen when a user launches Safari and it looks to unlock the "login" keychain. I have been fixing these one-off by opening Keychain Access and deleting the login keychain (with the "and all references" option). This fixes the issue... the user can then reset the keychain with their current password.
Seems to me it could be something tackled with a script but I am unsure how to proceed.... anyone solved this issue with Casper?
thanks
Posted on 04-02-2009 05:49 AM
Hi
Yes, I use a logout.hook to delete the keychain; this solves the problem.
The login keychain is unlocked at login, so if the user changes the password after login this has no effect on the keychain. Then delete the keychain at logout so that next time the user logs in a new chain is created with their new password.
Add this to your logout hook:
################################
# Delete the user's keychain
echo Removing keychain
rm ~/Library/Keychains/login.keychain
# Record this with a log file
touch ~/Library/Login/Reset.rft
echo "Done"
Criss Myers
Senior Customer Support Analyst (Mac Services)
Apple Certified Technical Coordinator v10.5
LIS Business Support Team
Library 301
University of Central Lancashire
Preston PR1 2HE
Ex 5054
01772 895054
Posted on 04-02-2009 06:01 AM
I've been adding Keychain Minder via Casper to staff computers that have the issue, but I can't get the Login Item to populate the user's Login Items. I've tried as FEU and FUT and as a separate Login Item from Composer UEV. Is that feature supposed to work?
Nathaniel Lindley
++++++++++
Educational Technology
Saint Paul Public Schools
Saint Paul, Minnesota
nathaniel.lindley at spps.org
phone: 651-248-6861
Posted on 04-02-2009 06:06 AM
Eric,
We use a little program called Keychain Minder. It syncs the login password with the keychain password to make sure they always match. Fabulous utility.
Posted on 04-02-2009 07:01 AM
Rats, now I need to dig into logout hooks.... the simplest answers always lead to more reading :-)
Posted on 04-02-2009 07:03 AM
A logout policy will do the same thing, you'll just need to use the explicit paths rather than the relative ones.
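The logout-time reset discussed above, written with an explicit home path, as an added example that is not part of the original posts. It moves the keychain to a backup instead of deleting it, which is a substitution made here: the old file can still be opened with the old password if saved items are needed later. The function name `reset_login_keychain`, the `.old-<timestamp>` suffix and the `/Users` prefix in the final comment are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Hooks and policies run as root, so the
# user's home directory is passed in explicitly instead of relying on "~".

# reset_login_keychain HOME_DIR
# Moves HOME_DIR/Library/Keychains/login.keychain to a timestamped backup.
# Returns 0 if moved, 1 if there was nothing to do, 2 on bad input or failure.
reset_login_keychain() {
    home_dir=$1
    # Require an absolute path; refuse empty and "/" so a missing
    # argument can never turn into a path under the root user's files.
    case "$home_dir" in
        /?*) ;;
        *) echo "refusing home directory '$home_dir'" >&2; return 2 ;;
    esac

    keychain="$home_dir/Library/Keychains/login.keychain"
    # Skip symlinks and anything that is not a regular file.
    if [ -L "$keychain" ] || [ ! -f "$keychain" ]; then
        echo "no login keychain at $keychain"
        return 1
    fi

    backup="$keychain.old-$(date +%Y%m%d%H%M%S)"
    mv "$keychain" "$backup" || return 2
    echo "moved $keychain to $backup"
    return 0
}

# Example call from a logout hook, where loginwindow passes the short user
# name as $1 (the /Users prefix is an assumption; network homes differ):
#   reset_login_keychain "/Users/$1"
```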
Posted on 04-02-2009 07:15 AM
There is a command called "security" that I've bumped into that modifies keychains; an answer may lie within it.
The PyMacAdmin project is also working on a tool to work with Keychains; the source appears to be at http://code.google.com/p/pymacadmin/source/browse/trunk/lib/PyMacAdmin/Security/Keychain.py . The project is still in its early stages.
Cheers,
Clinton Blackmore
Posted on 04-02-2009 07:19 AM
Not a Casper solution, and it will need more testing to be sure, but....
I have been using the new folder redirection addition to WGM to deal with user caches (we are all networked users here) and more recently to try to work through the /user/font/ logout issues (crashes, kernel panics @ logout when there are fonts in that folder). It dawned on me that a logout redirect to delete the file at the path for the login.keychain would work. It seems to.